git.proxmox.com Git - mirror

confile: don't leak memory when overwriting lxc.rootfs.options

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32473
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: be stricter in config helpers

We never call these helper without an initialized config afaict but
since we're now exposing these two functions to oss-fuzz directly in a
way we never do to users so let's be stricter about it.

Inspired-by: #3733
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3732 from brauner/2021-03-26/fixes

log: dont create log file for fuzz builds

log: handle empty log name

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32491
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: don't create directories for fuzz builds

Fixes: #3730
Fixes: https://github.com/google/oss-fuzz/issues/5509
Suggested-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: dont create log file for fuzz builds

Fixes: #3730
Fixes: https://github.com/google/oss-fuzz/issues/5509
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3729 from brauner/2021-03-25/fixes_3

oss-fuzz: fixes

conf: use lxc_list_new() everywhere

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: use lxc_list_new() everywhere

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

list: add lxc_list_new() helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile_utils: delete netdev from list

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32478
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: reinitialize sysctl list after clearing it

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32474
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: fix set_config_sysctl()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32487
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3726 from evverx/cifuzz

ci: turn on CIFuzz

Merge pull request #3725 from evverx/se_keyring_context_memory_leak

conf: fix a memory leak

Merge pull request #3724 from brauner/2021-03-25/fixes

confile_utils: don't free netdev twice

ci: turn on CIFuzz

Now that lxc has been integrated into OSS-Fuzz it should be
possible to start using https://google.github.io/oss-fuzz/getting-started/continuous-integration/
(mostly to make sure that the project is buildable there).

It should help to keep the integration in more or less good shape.

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

conf: fix a memory leak

It was triggered by passing "lxc.selinux.context.keyring=xroot" to the
fuzz target introduced in https://github.com/google/oss-fuzz/pull/5498
```
=================================================================
==22==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 6 byte(s) in 1 object(s) allocated from:
    #0 0x538ca4 in __strdup /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:468:3
    #1 0x5c40e8 in set_config_string_item /src/lxc/src/lxc/confile_utils.c:635:14
    #2 0x44394e in set_config_selinux_context_keyring /src/lxc/src/lxc/confile.c:1596:9
    #3 0x5af955 in parse_line /src/lxc/src/lxc/confile.c:2953:9
    #4 0x4475cd in lxc_file_for_each_line_mmap /src/lxc/src/lxc/parse.c:125:9
    #5 0x5af24f in lxc_config_read /src/lxc/src/lxc/confile.c:3024:9
    #6 0x580b04 in LLVMFuzzerTestOneInput /src/fuzz-lxc-config-read.c:36:2
    #7 0x483643 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #8 0x46d4a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #9 0x4732ea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #10 0x49f022 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f16d09b883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
```

This is a follow-up to https://github.com/lxc/lxc/commit/4fef78bc332a2d186dca6f

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

confile_utils: don't free netdev twice

lxc_free_netdev() will already free the list element.

Fixes: https://github.com/google/oss-fuzz/pull/5498
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3720 from brauner/2021-03-23/fixes

strchrnul: fix copy-paste braino

strchrnul: fix copy-paste braino

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3719 from brauner/2021-03-22/fixes

strchrnul: ignore increased required alignment warning

strchrnul: ignore increased required alignment warning

Fixes: https://jenkins.linuxcontainers.org/view/LXC/job/lxc-build-android/7949/console
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3718 from brauner/2021-03-21/fixes_2

configure: fix strchrnul conditiona compilation

configure: fix strchrnul conditiona compilation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3717 from brauner/2021-03-21/fixes

include: fix typo

include: fix typo

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3716 from brauner/2021-03-19/fixes

string_utils: provide a version of strchrnul() in case it's not avail…

string_utils: provide a version of strchrnul() in case it's not available

This should only happen on Android.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3715 from brauner/2021-03-18/fixes

rexec: don't close stderr

rexec: don't close stderr

Otherwise we'll fail to attach to containers later on.

Fixes: https://discuss.linuxcontainers.org/t/error-failed-to-retrieve-pid-of-executing-child-process
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3712 from stgraber/master

github: Fix invalid syntax for coverity

github: Fix invalid syntax for coverity

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3711 from stgraber/master

Switch to Github actions

Switch to Github actions

Travis-CI has been a disaster lately with us running out of credits or
their system thinking we're out of credit anyway...

So with Jenkins now covering arm64, let's move the rest of the CI to
Github Actions instead.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3710 from brauner/2021-03-17/fixes

macro: define __aligned_u64 to handle kernels without such support

macro: define __aligned_u64 to handle kernels without such support

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3708 from brauner/2021-03-17/fixes

cgroups: ignore unused controllers

cgroups: ignore unused controllers

Someone might have created a name=<controller> controller after the
container has started and so the container doesn't make use of this
controller.

Link: https://github.com/lxc/lxd/issues/8577
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3707 from brauner/2021-03-09/fixes

conf: automount fixes

conf: add missing newline in lxc_mount_auto_mounts()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: simplify logging in lxc_mount_auto_mounts()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: cleanup automounting

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: ensure that procfs and sysfs are unmounted

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: simplify dependent mount logic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: tweak comment about transient procfs mount

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3706 from brauner/2021-03-05/fix_aarch64

start: handle CLONE_PIDFD on arm64

start: handle CLONE_PIDFD on arm64

Reported-by: Ondrej Kubik <ondrej.kubik@canonical.com>
Cc: stable-4.0
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3705 from brauner/fixes

attach_options: header improvements

attach_options: add explicit defines for all enums

This makes it easier to detect support for various features at compile
time.

Enables: https://github.com/lxc/go-lxc/pull/149
Fixes: https://launchpadlibrarian.net/526273274/buildlog_snap_ubuntu_bionic_i386_lxd-4.0-edge_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach_options: fix whitespace error in LXC_ATTACH_NO_NEW_PRIVS

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach_options: explicitly number enums

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3704 from tych0/drop-empty-cgroup-check

cgroup: do not fail if there are no writable heirarchies

cgroup: do not fail if there are no writable heirarchies

This is a spiritual revert of 5c7b81439cecfbd885b3c10f9edfefdc1ac7c45b (it
doesn't add back any of the logs, just removes the bad check).

Not having writable hierarchies is not actually a problem:

1. if I remove this check, things work just fine; below is a successful log
   of a run where there are no writable hierarchies

2. I believe the test for writability is slightly incorrect.
   unified_hierarchy_delegated() and legacy_hierarchy_delegated() both test
   the writability of $current_hierarchy/cgroup.procs. On my system, I
   have:

~ cat /proc/self/cgroup
12:hugetlb:/
11:pids:/user.slice/user-1000.slice/session-c38.scope
10:memory:/user.slice/user-1000.slice/session-c38.scope
9:freezer:/user/tycho/0
8:cpuset:/
7:net_cls,net_prio:/
6:blkio:/user.slice
5:devices:/user.slice
4:rdma:/
3:cpu,cpuacct:/user.slice
2:perf_event:/
1:name=systemd:/user.slice/user-1000.slice/session-c38.scope
0::/user.slice/user-1000.slice/session-c38.scope
~ ls -al /sys/fs/cgroup/freezer/user/tycho/0/
total 0
drwxr-xr-x 2 tycho tycho 0 Feb 22 09:17 ./
drwxr-xr-x 3 root  root  0 Mar  2 14:07 ../
-rw-r--r-- 1 root  root  0 Mar  2 14:07 cgroup.clone_children
-rw-r--r-- 1 root  root  0 Mar  2 14:09 cgroup.procs
-r--r--r-- 1 root  root  0 Mar  2 14:07 freezer.parent_freezing
-r--r--r-- 1 root  root  0 Mar  2 14:07 freezer.self_freezing
-rw-r--r-- 1 root  root  0 Mar  2 14:07 freezer.state
-rw-r--r-- 1 root  root  0 Mar  2 14:07 notify_on_release
-rw-r--r-- 1 root  root  0 Mar  2 14:07 tasks

i.e. the cgroup.procs is not writable by me. but since the directory is
owned by me, it is actually usable in the way LXC would use it. When I
start an unprivileged container, it could make a subdirectory in whatever
current hierarchy I happen to be before applying rules.

In any case, let's just revert the bad check for now.

lxc 20210302210944.785 INFO     confile - confile.c:set_config_idmaps:2151 - Read uid map: type u nsid 0 hostid 1000 range 1
lxc 20210302210944.785 INFO     confile - confile.c:set_config_idmaps:2151 - Read uid map: type u nsid 1 hostid 100001 range 65535
lxc 20210302210944.785 INFO     confile - confile.c:set_config_idmaps:2151 - Read uid map: type g nsid 0 hostid 1000 range 1
lxc 20210302210944.785 INFO     confile - confile.c:set_config_idmaps:2151 - Read uid map: type g nsid 1 hostid 100001 range 65535
lxc 20210302210944.786 INFO     conf - conf.c:userns_exec_mapped_root:4644 - Container root id is mapped to our uid
lxc 20210302210944.799 TRACE    commands - commands.c:lxc_cmd:510 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc base 20210302210944.801 TRACE    commands - commands.c:lxc_server_init:2065 - Created abstract unix socket "lxc/9beb6bd65573affd/command"
lxc base 20210302210944.801 TRACE    start - start.c:lxc_init_handler:726 - Unix domain socket 3 for command server is ready
lxc base 20210302210944.801 TRACE    execute - execute.c:lxc_execute:97 - Doing lxc_execute
lxc base 20210302210944.801 WARN     apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1268 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc base 20210302210944.801 INFO     lsm - lsm/lsm.c:lsm_init_static:40 - Initialized LSM security driver AppArmor
lxc base 20210302210944.801 TRACE    start - start.c:lxc_init:750 - Initialized LSM
lxc base 20210302210944.801 TRACE    start - start.c:lxc_serve_state_clients:448 - Set container state to STARTING
lxc base 20210302210944.801 TRACE    start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc base 20210302210944.801 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc base 20210302210944.801 TRACE    start - start.c:lxc_init:756 - Set container state to "STARTING"
lxc base 20210302210944.801 TRACE    start - start.c:lxc_init:812 - Set environment variables
lxc base 20210302210944.801 TRACE    start - start.c:lxc_init:817 - Ran pre-start hooks
lxc base 20210302210944.801 TRACE    start - start.c:setup_signal_fd:341 - Created signal file descriptor 6
lxc base 20210302210944.801 TRACE    start - start.c:lxc_init:826 - Set up signal fd
lxc base 20210302210944.803 INFO     conf - conf.c:userns_exec_mapped_root:4644 - Container root id is mapped to our uid
lxc base 20210302210944.803 TRACE    terminal - terminal.c:lxc_terminal_map_ids:859 - Chowned terminal 8((null))
lxc base 20210302210944.803 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:665 - No such device - The process does not have a controlling terminal
lxc base 20210302210944.803 TRACE    start - start.c:lxc_init:834 - Created console
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:legacy_hierarchy_delegated:3076 - Permission denied - The cgroup.procs file is not writable, skipping legacy hierarchy
lxc base 20210302210944.803 INFO     cgfsng - cgroups/cgfsng.c:unified_hierarchy_delegated:3066 - Permission denied - The cgroup.threads file is not writable, skipping unified hierarchy
lxc base 20210302210944.803 TRACE    cgroup - cgroups/cgroup.c:cgroup_init:49 - Initialized cgroup driver cgfsng
lxc base 20210302210944.803 WARN     cgroup - cgroups/cgroup.c:cgroup_init:58 - Unsupported cgroup layout
lxc base 20210302210944.803 TRACE    start - start.c:lxc_init:841 - Initialized cgroup driver
lxc base 20210302210944.803 TRACE    start - start.c:lxc_init:846 - Read seccomp policy
lxc base 20210302210944.803 TRACE    start - start.c:lxc_init:853 - Initialized LSM
lxc base 20210302210944.803 INFO     start - start.c:lxc_init:855 - Container "base" is initialized
lxc base 20210302210944.803 TRACE    sync - sync.c:lxc_sync_init:141 - Initialized synchronization infrastructure
lxc base 20210302210944.803 TRACE    conf - conf.c:lxc_rootfs_prepare:511 - Not pinning because container runs in user namespace
lxc base 20210302210944.804 TRACE    start - start.c:lxc_spawn:1732 - Cloned child process 923788
lxc base 20210302210944.804 TRACE    utils - utils.c:lxc_can_use_pidfd:1799 - Kernel supports pidfds
lxc base 20210302210944.804 INFO     start - start.c:lxc_spawn:1748 - Cloned CLONE_NEWUSER
lxc base 20210302210944.804 INFO     start - start.c:lxc_spawn:1748 - Cloned CLONE_NEWNS
lxc base 20210302210944.804 INFO     start - start.c:lxc_spawn:1748 - Cloned CLONE_NEWPID
lxc base 20210302210944.804 INFO     start - start.c:lxc_spawn:1748 - Cloned CLONE_NEWUTS
lxc base 20210302210944.804 INFO     start - start.c:lxc_spawn:1748 - Cloned CLONE_NEWIPC
lxc base 20210302210944.804 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved user namespace via fd 15 and stashed path as user:/proc/923785/fd/15
lxc base 20210302210944.804 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved mnt namespace via fd 16 and stashed path as mnt:/proc/923785/fd/16
lxc base 20210302210944.804 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved pid namespace via fd 17 and stashed path as pid:/proc/923785/fd/17
lxc base 20210302210944.804 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved uts namespace via fd 18 and stashed path as uts:/proc/923785/fd/18
lxc base 20210302210944.804 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved ipc namespace via fd 19 and stashed path as ipc:/proc/923785/fd/19
lxc base 20210302210944.804 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc base 20210302210944.804 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc base 20210302210944.804 DEBUG    conf - conf.c:lxc_map_ids:2866 - Functional newuidmap and newgidmap binary found
lxc base 20210302210944.813 TRACE    sync - sync.c:lxc_sync_wait_parent:112 - Parent waiting for child with sequence startup
lxc base 20210302210944.825 TRACE    conf - conf.c:lxc_map_ids:2936 - newuidmap wrote mapping "newuidmap 923788 0 1000 1 1 100001 65535"
lxc base 20210302210944.834 TRACE    conf - conf.c:lxc_map_ids:2936 - newgidmap wrote mapping "newgidmap 923788 0 1000 1 1 100001 65535"
lxc base 20210302210944.834 TRACE    sync - sync.c:lxc_sync_wake_child:124 - Child waking parent with sequence startup
lxc base 20210302210944.834 TRACE    sync - sync.c:lxc_sync_wait_child:118 - Child waiting for parent with sequence configure
lxc base 20210302210944.834 TRACE    sync - sync.c:lxc_sync_barrier_parent:92 - Child waking parent with sequence configure and waiting for sequence post-configure
lxc base 20210302210944.834 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved net namespace via fd 4 and stashed path as net:/proc/923785/fd/4
lxc base 20210302210944.834 WARN     start - start.c:lxc_spawn:1821 - Operation not permitted - Failed to allocate new network namespace id
lxc base 20210302210944.834 TRACE    sync - sync.c:lxc_sync_barrier_child:99 - Parent waking child with sequence post-configure and waiting with sequence cgroup
lxc base 20210302210944.834 NOTICE   utils - utils.c:lxc_drop_groups:1345 - Dropped supplimentary groups
lxc base 20210302210944.834 NOTICE   utils - utils.c:lxc_switch_uid_gid:1321 - Switched to gid 0
lxc base 20210302210944.834 NOTICE   utils - utils.c:lxc_switch_uid_gid:1330 - Switched to uid 0
lxc base 20210302210944.834 TRACE    sync - sync.c:lxc_sync_barrier_parent:92 - Child waking parent with sequence cgroup and waiting for sequence cgroup-unshare
lxc base 20210302210944.834 TRACE    sync - sync.c:lxc_sync_barrier_child:99 - Parent waking child with sequence cgroup-unshare and waiting with sequence cgroup-limits
lxc base 20210302210944.834 INFO     start - start.c:do_start:1196 - Unshared CLONE_NEWCGROUP
lxc base 20210302210944.834 TRACE    conf - conf.c:turn_into_dependent_mounts:3192 - Turned all mount table entries into dependent mount
lxc base 20210302210944.834 DEBUG    storage - storage/storage.c:get_storage_by_name:211 - Detected rootfs type "dir"
lxc base 20210302210944.835 TRACE    dir - storage/dir.c:dir_mount:166 - Mounted "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/roots/base/rootfs" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot" with options "(null)", mount flags "0", and propagation flags "0"
lxc base 20210302210944.835 DEBUG    conf - conf.c:lxc_mount_rootfs:1289 - Mounted rootfs "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/roots/base/rootfs" onto "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot" with options "(null)"
lxc base 20210302210944.835 INFO     conf - conf.c:setup_utsname:732 - Set hostname to "base"
lxc base 20210302210944.835 INFO     conf - conf.c:mount_autodev:1068 - Preparing "/dev"
lxc base 20210302210944.835 TRACE    mount_utils - mount_utils.c:can_use_mount_api:486 - Kernel supports mount api
lxc base 20210302210944.835 TRACE    mount_utils - mount_utils.c:__fs_prepare:158 - Finished initializing new tmpfs filesystem context 16
lxc base 20210302210944.835 TRACE    mount_utils - mount_utils.c:fs_set_property:196 - Set "mode" to "0755" on filesystem context 16
lxc base 20210302210944.835 TRACE    mount_utils - mount_utils.c:fs_set_property:196 - Set "size" to "500000" on filesystem context 16
lxc base 20210302210944.835 TRACE    mount_utils - mount_utils.c:fs_attach:235 - Mounted 18 onto 17
lxc base 20210302210944.835 INFO     conf - conf.c:mount_autodev:1128 - Prepared "/dev"
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2077 - Mounted "none" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/dev/shm" with filesystem type "tmpfs"
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2014 - Remounting "/sys" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/sys" to respect bind or remount options
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2033 - Flags for "/sys" were 4110, required extra flags are 14
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2077 - Mounted "/sys" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/sys" with filesystem type "none"
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2014 - Remounting "/etc/resolv.conf" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/etc/resolv.conf" to respect bind or remount options
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2033 - Flags for "/etc/resolv.conf" were 4110, required extra flags are 14
lxc base 20210302210944.835 DEBUG    conf - conf.c:mount_entry:2077 - Mounted "/etc/resolv.conf" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/etc/resolv.conf" with filesystem type "none"
lxc base 20210302210944.836 DEBUG    conf - conf.c:mount_entry:2014 - Remounting "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/imports/base" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/stacker" to respect bind or remount options
lxc base 20210302210944.836 DEBUG    conf - conf.c:mount_entry:2033 - Flags for "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/imports/base" were 4096, required extra flags are 0
lxc base 20210302210944.836 DEBUG    conf - conf.c:mount_entry:2077 - Mounted "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/imports/base" on "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot/stacker" with filesystem type "none"
lxc base 20210302210944.836 INFO     conf - conf.c:lxc_fill_autodev:1165 - Populating "/dev"
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_fill_autodev:1245 - Bind mounted host device 14(dev/full) to 16(full)
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_fill_autodev:1245 - Bind mounted host device 14(dev/null) to 16(null)
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_fill_autodev:1245 - Bind mounted host device 14(dev/random) to 16(random)
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_fill_autodev:1245 - Bind mounted host device 14(dev/tty) to 16(tty)
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_fill_autodev:1245 - Bind mounted host device 14(dev/urandom) to 16(urandom)
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_fill_autodev:1245 - Bind mounted host device 14(dev/zero) to 16(zero)
lxc base 20210302210944.836 INFO     conf - conf.c:lxc_fill_autodev:1249 - Populated "/dev"
lxc base 20210302210944.836 INFO     conf - conf.c:lxc_transient_proc:3044 - Caller's PID is 1; /proc/self points to 1
lxc base 20210302210944.836 TRACE    conf - conf.c:lxc_transient_proc:3052 - Correct procfs instance mounted
lxc base 20210302210944.836 TRACE    mount_utils - mount_utils.c:fd_bind_mount:289 - Attach detached mount 19 to filesystem at 20
lxc base 20210302210944.836 DEBUG    conf - conf.c:lxc_setup_dev_console:1734 - Mounted pty device 8(/dev/pts/11) onto "/dev/console"
lxc base 20210302210944.839 TRACE    conf - conf.c:lxc_pivot_root:1459 - Changed into new rootfs "/home/tycho/packages/stacker/stackertest-test_stacker_switching_privilege_modes_fails.Og4LqB/.stacker/rootfsPivot"
lxc base 20210302210944.839 DEBUG    conf - conf.c:lxc_setup_devpts_child:1574 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024"
lxc base 20210302210944.839 TRACE    conf - conf.c:lxc_setup_devpts_child:1587 - Sent devpts file descriptor 8 to parent
lxc base 20210302210944.839 DEBUG    conf - conf.c:lxc_setup_devpts_child:1602 - Created dummy "/dev/ptmx" file as bind mount target
lxc base 20210302210944.839 DEBUG    conf - conf.c:lxc_setup_devpts_child:1607 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
lxc base 20210302210944.839 DEBUG    conf - conf.c:setup_caps:2487 - Capabilities have been setup
lxc base 20210302210944.839 NOTICE   conf - conf.c:lxc_setup:3576 - The container "base" is set up
lxc base 20210302210944.839 TRACE    apparmor - lsm/apparmor.c:__apparmor_process_label_open:405 - On-exec not supported with AppArmor
lxc base 20210302210944.839 TRACE    apparmor - lsm/apparmor.c:apparmor_process_label_set_at:1166 - Changing AppArmor profile on exec not supported
lxc base 20210302210944.839 INFO     apparmor - lsm/apparmor.c:apparmor_process_label_set_at:1179 - Set AppArmor label to "lxc-container-default-cgns"
lxc base 20210302210944.839 INFO     apparmor - lsm/apparmor.c:apparmor_process_label_set:1224 - Changed AppArmor profile to lxc-container-default-cgns
lxc base 20210302210944.842 TRACE    sync - sync.c:lxc_sync_barrier_parent:92 - Child waking parent with sequence cgroup-limits and waiting for sequence ready-start
lxc base 20210302210944.842 TRACE    start - start.c:lxc_spawn:1872 - Set up legacy device cgroup controller limits
lxc base 20210302210944.842 TRACE    start - start.c:lxc_spawn:1878 - Set up cgroup2 device controller limits
lxc base 20210302210944.842 DEBUG    start - start.c:lxc_try_preserve_namespace:139 - Preserved cgroup namespace via fd 10 and stashed path as cgroup:/proc/923785/fd/10
lxc base 20210302210944.842 TRACE    start - start.c:lxc_spawn:1892 - Finished setting up cgroups
lxc base 20210302210944.842 TRACE    sync - sync.c:lxc_sync_barrier_child:99 - Parent waking child with sequence ready-start and waiting with sequence restart
lxc base 20210302210944.842 NOTICE   execute - execute.c:execute_start:66 - Exec'ing "/stacker/.stacker-run.sh"
lxc base 20210302210944.842 TRACE    conf - conf.c:lxc_setup_devpts_parent:1519 - Received devpts file descriptor 20 from child
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:244 - index: 0
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:245 - ifindex: 0
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:311 - type: none
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:319 - flags: none
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:344 - ipv4 gateway auto: false
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:347 - ipv4 gateway dev: false
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:363 - ipv6 gateway auto: false
lxc base 20210302210944.842 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:366 - ipv6 gateway dev: false
lxc base 20210302210944.842 NOTICE   execute - execute.c:execute_post_start:82 - '/stacker/.stacker-run.sh' started with pid '923788'
lxc base 20210302210944.842 TRACE    start - start.c:lxc_serve_state_clients:448 - Set container state to RUNNING
lxc base 20210302210944.842 TRACE    start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc base 20210302210944.842 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc base 20210302210944.842 TRACE    start - start.c:lxc_poll:602 - Mainloop is ready
lxc base 20210302210944.842 NOTICE   start - start.c:signal_handler:414 - Received 17 from pid 923789 instead of container init 923788
lxc base 20210302210944.862 DEBUG    start - start.c:signal_handler:432 - Container init process 923788 exited
lxc base 20210302210944.862 TRACE    start - start.c:lxc_poll:615 - Closed console mainloop
lxc base 20210302210944.862 TRACE    start - start.c:lxc_poll:620 - Closed mainloop
lxc base 20210302210944.862 TRACE    start - start.c:lxc_poll:623 - Closed signal file descriptor 6
lxc base 20210302210944.862 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_USER_NS=/proc/923785/fd/15
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_MNT_NS=/proc/923785/fd/16
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_PID_NS=/proc/923785/fd/17
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_UTS_NS=/proc/923785/fd/18
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_IPC_NS=/proc/923785/fd/19
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_NET_NS=/proc/923785/fd/4
lxc base 20210302210944.862 TRACE    start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_CGROUP_NS=/proc/923785/fd/10
lxc base 20210302210944.862 DEBUG    network - network.c:lxc_delete_network:4167 - Deleted network devices
lxc base 20210302210944.862 TRACE    start - start.c:lxc_serve_state_clients:448 - Set container state to STOPPING
lxc base 20210302210944.862 TRACE    start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc base 20210302210944.862 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc base 20210302210944.862 TRACE    start - start.c:lxc_end:940 - Closed command socket
lxc base 20210302210944.862 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc base 20210302210944.862 TRACE    start - start.c:lxc_end:951 - Set container state to "STOPPED"

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>

Merge pull request #3700 from brauner/2021-02-26/fixes_2

small fixes

start: fix whitespace error

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

af_unix: vet all parameters

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3699 from brauner/2021-02-26/network

network: fix networks with switched names

network: use two passes through networks

Consider the following network layout:

lxc.net.0.type = phys
lxc.net.0.link = eth2
lxc.net.0.name = eth%d

lxc.net.1.type = phys
lxc.net.1.link = eth1
lxc.net.1.name = eth0

If we simply follow this order and create the first network first the kernel
will allocate eth0 for the first network but the second network requests
that eth1 be renamed to eth0 in the container's network namespace which
would lead to a clash.

Note, we don't handle cases like:

lxc.net.0.type = phys
lxc.net.0.link = eth2
lxc.net.0.name = eth0

lxc.net.1.type = phys
lxc.net.1.link = eth1
lxc.net.1.name = eth0

That'll brutally fail of course but there's nothing we can do about it. But
this can happen when e.g. a has the following LXD configuration:

devices:
  eth2:
    name: eth0
    nictype: physical
    parent: eth2
    type: nic
  eth3:
    name: eth0
    nictype: physical
    parent: eth3
    type: nic

in the container's config and the default profile has:

devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: handle name collisions when renaming network devices

LXC moves network devices into the target namespace based on their created
name. The created name can either be randomly generated for e.g. veth
devices or it can be the name of the existing device in the server's
namespaces. This is e.g. the case when moving physical devices. However this
can lead to weird clashes. Consider we have a network namespace that has the
following devices:

4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
   link/ether 00:16:3e:91:d3:ae brd ff:ff:ff:ff:ff:ff permaddr 00:16:3e:e7:5d:10
   altname enp7s0
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
   link/ether 00:16:3e:e7:5d:10 brd ff:ff:ff:ff:ff:ff permaddr 00:16:3e:91:d3:ae
   altname enp8s0

and the user generates the following network config for their container:

lxc.net.0.type = phys
lxc.net.0.name = eth1
lxc.net.0.link = eth2

lxc.net.1.type = phys
lxc.net.1.name = eth2
lxc.net.1.link = eth1

This would cause LXC to move the devices eth1 and eth2 from the server's
network namespace into the container's network namespace:

24: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:16:3e:91:d3:ae brd ff:ff:ff:ff:ff:ff permaddr 00:16:3e:e7:5d:10
    altname enp7s0
25: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:16:3e:e7:5d:10 brd ff:ff:ff:ff:ff:ff permaddr 00:16:3e:91:d3:ae
     altname enp8s0

According to the network config above we now need to rename the network
devices in the container's network namespace. Let's say we start with
renaming eth2 to eth1. This would immediately lead to a clash since the
container's network namespace already contains a network device with that
name. Renaming the other device would have the same problem.

There are multiple ways to fix this but I'm concerned with keeping the logic
somewhat reasonable which is why we simply start creating transient device
names that are unique which we'll use to move and rename the network device
in the container's network namespace at the same time. And then we rename
based on those random devices names to the target name.

Fixes: #3696
Reported-by: Sam Boyles <sam.boyles@alliedtelesis.co.nz>
Reported-by: Blair Steven <blair.steven@alliedtelesis.co.nz>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: add lxc_network_info struct

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: fix grammar

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile_utils: ensure memory is zeroed

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: fix coding style in lxc_create_network_unpriv_exec()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: make callback naming consistent and understandable

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3698 from brauner/2021-02-25/fixes

tree-wide: some more logging fixes

tree-wide: replace old-style sysinfo logging return helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: replace old systrace logging helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: use new logging helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: mark logging helpers to use

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: replace remaining instances of syserrno() with syserror_ret()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: start replacing instances of syserrno() with syserror()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/syerrno_set()/syserror_set()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: unify fd retrieval commands

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: fix indentation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: rsp_one_fd_{reap,keep}() and rsp_many_fds_reap()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: cleanup error handling and variable naming

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3697 from brauner/2021-02-25/fixes

commands: improvements and fixes

commands: port misnamed functions to general style

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: use debug logging

It is fine to fail these commands when a new client talks to an old server or
the kernel doesn't support the necessary features.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: add some more log and return helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: add logging to lxc-test-lxc-attach

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: improve lxc_cmd_get_tty_fd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: rework lxc_cmd_rsp_recv() to make it more obvious

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

af_unix: allow caller and callee to negotiate expectations and reality

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

macro: add hweight*() helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: let lxc_cmd() return ssize_t to indicate that it returns not just 0 on success

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_get_limit_cgroup2_fd() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_get_cgroup2_fd() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_get_limit_cgroup_fd() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_get_cgroup_fd() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_unfreeze() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_freeze() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_seccomp_notify_add_listener() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_serve_state_clients() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_console_log() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_add_bpf_device_cgropu() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_add_state_client() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_get_lxcpath() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: port lxc_cmd_get_name() to new helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>