terminal: ensure newlines are turned into newlines+carriage return for terminal output

Fixes: #3879
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: handle funky cgroup layouts

Old versions of Docker emulate a cgroup namespace by bind-mounting the
container's cgroup over the corresponding controller:

/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime master:11 - cgroup cgroup rw,xattr,name=systemd
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,net_cls,net_prio
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime master:16 - cgroup cgroup rw,cpu,cpuacct
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime master:17 - cgroup cgroup rw,memory
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime master:18 - cgroup cgroup rw,devices
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime master:19 - cgroup cgroup rw,hugetlb
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime master:20 - cgroup cgroup rw,perf_event
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime master:21 - cgroup cgroup rw,cpuset
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime master:22 - cgroup cgroup rw,blkio
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime master:23 - cgroup cgroup rw,pids
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime master:24 - cgroup cgroup rw,freezer

New versions of LXC always stash a file descriptor for the root of the
cgroup mount at /sys/fs/cgroup and then resolve the current cgroup
parsed from /proc/{1,self}/cgroup relative to that file descriptor. This
doesn't work when the caller's cgroup is mouned over the controllers.
Older versions of LXC simply counted such layouts as having no cgroups
available for delegation at all and moved on provided no cgroup limits
were requested. But mainline LXC would fail such layouts. While I would
argue that failing such layouts is the semantically clean approach we
shouldn't regress users so make mainline LXC treat such cgroup layouts
as having no cgroups available for delegation.

Fixes: #3890
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: add tests for read-only /sys with read-write /sys/devices/virtual/net

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: improve read-only /sys with read-write /sys/devices/virtual/net

Some tools require /sys/devices/virtual/net to be read-write. At the
same time we want all other parts of /sys to be read-only. To do this we
created a layout where we hade a read-only instance of sysfs mounted on
top of a read-write instance of sysfs:

`-/sys                                  sysfs                                                        sysfs      rw,nosuid,nodev,noexec,relatime
  `-/sys                                sysfs                                                        sysfs      ro,nosuid,nodev,noexec,relatime
    |-/sys/devices/virtual/net          sysfs                                                        sysfs      rw,relatime
    | `-/sys/devices/virtual/net        sysfs[/devices/virtual/net]                                  sysfs      rw,nosuid,nodev,noexec,relatime

This causes issues for systemd services that create a separate mount
namespace as they get confused to what mount options need to be
respected.

Simplify our mounting logic so we end up with a single read-only mount
of sysfs on /sys and a read-write bind-mount of /sys/devices/virtual/net:

├─/sys                                sysfs                                                                                  sysfs         ro,nosuid,nodev,noexec,relatime
│ ├─/sys/devices/virtual/net          sysfs[/devices/virtual/net]                                                            sysfs         rw,nosuid,nodev,noexec,relatime

Link: systemd/systemd#20032
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

initutils: close dirfd in error path

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>

execute: ensure parent is notified about child exec and close all unneeded fds

lxc_container_init() creates the container payload process as it's child
so lxc_container_init() itself never really exits and thus the parent
isn't notified about the child exec'ing since the sync file descriptor
is never closed. Make sure it's closed to notify the parent about the
child's exec.

In addition we're currently leaking all file descriptors associated with
the handler into the stub init. Make sure that all file descriptors
other than stderr are closed.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: log network devices while sending

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

initutils: use vfork() in lxc_container_init()

We can let the child finish calling exec before continuing in the
parent.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: don't exec init, call it

Instead of having a statically linked init that we put on the host fs
somewhere via packaging, have to either bind mount in or detect fexecve()
functionality, let's just call it as a library function. This way we don't
have to do any of that.

This also fixes up a bunch of conditions from:

if (quiet)
    fprintf(stderr, "log message");

to

if (!quiet)
    fprintf(stderr, "log message");

:)

and it drops all the code for fexecve() detection and bind mounting our
init in, since we no longer need any of that.

A couple other thoughts:

* I left the lxc-init binary in since we ship it, so someone could be using
  it outside of the internal uses.
* There are lots of unused arguments to lxc-init (including presumably
  --quiet, since nobody noticed the above); those may be part of the API
  though and so we don't want to drop them.

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>

When an item is added to an array, then the array is realloc()ed (to size+1),
and the item is copied (strdup()) to the array.
Thus, when an item is removed from an array, memory allocated for that item
should be freed, successive items should be left-shifted and the array
realloc()ed again (size-1).

Additional changes:
- If strdup() fails in add_to_array(), then an array should be
  realloc()ed again to original size.
- Initialize an array in list_all_containers().

Signed-off-by: Tomasz Blaszczak <tomasz.blaszczak@consult.red>

cgroups: verify that hierarchies are non-empty

Fixes: #3881
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-download: Switch GPG server

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Resize array in remove_from_array() and fix a crash

When an item is added to an array, then the array is realloc()ed (to size+1),
and the item is copied (strdup()) to the array.
Thus, when an item is removed from an array, allocated memory pointed by
the item (not the item itself) should be freed, successive items should
be left-shifted and the array realloc()ed again (size-1).

Additional changes:
- Initialize an array in list_all_containers().

Signed-off-by: Tomasz Blaszczak <tomasz.blaszczak@consult.red>

When an item is added to an array, then the array is realloc()ed (to size+1),
and the item is copied (strdup()) to the array.
Thus, when an item is removed from an array, memory allocated for that item
should be freed, successive items should be left-shifted and the array
realloc()ed again (size-1).

Additional changes:
- If strdup() fails in add_to_array(), then an array should be
  realloc()ed again to original size.
- Initialize an array in list_all_containers().

Signed-off-by: Tomasz Blaszczak <tomasz.blaszczak@consult.red>

cgroups: use stable ordering for co-mounted v1 controllers

Fixes: #3703
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: replace problematic terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: replace problematic terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: replace problematic terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: remove problematic terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: replace problematic terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

common.conf: replace problematic terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Add support for LISTEN_FDS environment variable.

The LISTEN_FDS environment variable defines the number of
file descriptors that should be inherited by the container,
in addition to stdio.
The LISTEN_FDS environment variable is defined in the OCI spec
and used to support socket activation.

Refs #3845

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

string utils: Make sure don't return uninitialized memory.

The function lxc_string_split_quoted and lxc_string_split_and_trim use
realloc to reduce the memory. But the result may be NULL, the the
returned memory will be uninitialized

Signed-off-by: LiFeng <lifeng68@huawei.com>

confile: backport lxc.init.groups config key

This is needed for lxcri.

Fixes: #3862
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

api_extensions: introduce idmapped_mounts_v2 api extension

This indicates that LXC supports idmapping the rootfs and
idmapped lxc.mount.entry entries.

Link: https://github.com/lxc/lxd/issues/8870
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools/lxc_autostart: fix failed count

Don't include skipped containers in the failed count.

Fixes: #3857
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm/apparmor: actually report an error when we fail to wire AppArmor profile

Link: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1931064
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc: add lpthread to lxc.pc

Fixes: #3853
Suggested-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Update lxc-net to support nftables

Closes #3093
Closes #3602

Add support for nftables firewall rules if `nft` command line
interface is available in the system

Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>

network: please broken compilers

Some users report that compilation fails because of reports that this
variable can be used uninitialized. Initialize it to silence the
compiler.

Fixes: https://github.com/lxc/lxc/issues/3850
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

README: Update IRC

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

start: simplify startup synchronization

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: reorder START_SYNC_POST_CONFIGURE

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: use barrier instead of wake/wait pair

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use explicit signage in bit field

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: move file descriptor synchronization with parent into single function

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: move file descriptor synchronization with child into single function

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework check whether legacy hierarchy is writable

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: fix mount option parsing

Fixes: Coverity 1484906
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: free mount data

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: add sequence when setting up idmapped mounts

Make sure we catch any weird behavior.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: support idmapped lxc.mount.entry entries

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Skip rootfs pinning for read-only file system.

Signed-off-by: Wei Mingzhi <weimingzhi@baidu.com>

conf: rename struct mount_opt flag member s/flag/legacy_flag/

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/parse_mntopts/parse_mntopts_legacy/

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: move idmapped mount setup later

At the prior location we we're placed between sending and receiving
networking information over the data socket causing the startup to fail.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: tweak rootfs handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: don't unmount procfs and sysfs

Fixes: #3838
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: allow xdev when setting up /dev

Fixes: #3838
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: clean up cgroup_ops on initialization error

Fixes: #3836
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

oss-fuzz: add basic cgroup_init()/cgroup_exit() fuzzing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3835 from brauner/2021-05-10.fixes.apparmor.stable-4.0

confile: convert AppArmor and SELinux confile parsing from errors to …

confile: convert AppArmor and SELinux confile parsing from errors to warnings

Fixes: https://github.com/lxc/lxc/issues/3765#issuecomment-836792820
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: fix lxc-test-arch-parse for make dist

Fixes: https://jenkins.linuxcontainers.org/job/lxc-build-tarballs/2762/console
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: add tests for supported architectures

Ensure that we detect all supported architectures and don't regress
recognizing them.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: re-add aarch64 architecture

Apparenty we dropped this when we cleaned up architecture handling.

Fixes: #3832
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Reflow ZFS check to follow the style of the overlayfs return.

Per https://github.com/lxc/lxc/pull/3831#discussion_r628865713

Signed-off-by: Jeff Cook <jeff@jeffcook.io>

Skip rootfs pinning for ZFS roots.

Signed-off-by: Jeff Cook <jeff@jeffcook.io>

doc: document new idmap= option for lxc.rootfs.options

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: handle kernels with CAP_SETFCAP

LXC is being very clever and sometimes maps the caller's uid into the
child userns. This means that the caller can technically write fscaps
that are valid in the ancestor userns (which can be a security issue in
some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
newuidmap/newgidmap are updated to account for this simply write the
mapping directly in this case.

Cc: stable-4.0
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Release LXC 4.0.9

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

attach: introduce explicit personality macro

Introduce LXC_ATTACH_DETECT_PERSONALITY to make it explicit what is
happening instead of using -1.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: add personality_t

Catch errors in personality handling better.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach_options: unbreak header

In a moment of idioticity I switch -1 with 0xffffffff in the header
definition but we use -1 to autodetect.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: rework lxc_config_parse_arch()

Fix architecture parsing. So far we couldn't really differ between "want
default architecture" and "failed to parse requested architecture"
because the -1 return value means both. Fix this by using the return
value only to indicate success or failure and return the parsed
personality in a return argument.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: tweak setup_personality()

Use the dedicated LXC_ARCH_UNCHANGED macro everywhere instead of relying
on -1 being correct.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: make personality codepaths unconditional

Now that we have the infra to make personality handling unconitional
remove the ifndefs everywhere.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscalls: wrap personality syscall if undefined

There's no need to making personality handling conditional as it has
been around for such a long time that only weird systems wouldn't have
support for it. And especially if the user requested a specific
personality to be set but the system doesn't support the personality
syscall we should loudly fail instead of moving on.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: log at debug not info level when receiving file descriptors

Don't spam the logs because we do receive a lot of file descriptors.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: make per_name struct static

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

string_utils: get around GCC-11 false positives

by getting rid of stpncpy

Tested with gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1)

Closes https://github.com/lxc/lxc/issues/3752

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

github: also pass the j option to make

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

github: remove the dh-* packages

We don't build any packages there so it seems we don't need
those packages any more. Apart from that, it should make the
script work on Ubuntu Hirsute where dh-systemd was merged into
debhelper and is no longer available.

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

github: Run apt-get update in sanitizer test

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

conf: fix console chmod error log messages

Signed-off-by: Aaron Thompson <dev@aaront.org>

oss-fuzz: always turn off logging on OSS-Fuzz

Apparently /proc/self/cmd can't be used (reliably) on OSS-Fuzz to figure out
whether the code is run inside the fuzz targets, which causes the
fuzz targets to fill the filesystem with log files.

Related: https://github.com/google/oss-fuzz/issues/5509
Should address https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33835

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

Release LXC 4.0.8

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cgroups: fix fallback attach codepath

When we attach to an old server the server can return ENOSYS instead of
ENOCGROUP2 which causes LXC to abort the attach unnecessary. Fix this!

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage: fix dup_cloexec() call

Fixes: Coverity 1477399
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Release LXC 4.0.7

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

api-extensions: add entry for idmapped_mounts

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: cleanup mount code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: remove error handling down

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: source can't be empty

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: use "source" and "target" as terms

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: retrieve proper source path later

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: use clear error messages

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage/dir: bdev->dest can't be empty

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

dir: use mnt_opts->data instead of mntdata

Fixes: https://launchpadlibrarian.net/535845165/buildlog_ubuntu-focal-s390x.lxc_1%3A4.0.6+master~20210427-2321-0ubuntu1~focal_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

build-system: turn off lto=thin when building the fuzzers

With lto=thin the fuzzers fail as soon as they start with
```
ERROR: The size of coverage PC tables does not match the
number of instrumented PCs. This might be a compiler bug,
please contact the libFuzzer developers.
Also check https://bugs.llvm.org/show_bug.cgi?id=34636
for possible workarounds (tl;dr: don't use the old GNU ld)
```

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

tests: run the fuzzers along with the other tests

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

log: create log files in "fuzzing" mode if it's called outside fuzz targets

to make it possible to run the fuzzers along with the other tests

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

ci: switch to --enable-fuzzers

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

build-system: add --enable-fuzzers

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

conf: improve idmapped mounts support

Setting up a detached idmapped mount is a privileged operation, mounting
it doesn't have to be.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: s/lxc_rootfs_prepare/lxc_rootfs_init/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: move all mount options into struct lxc_mount_options

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: stash lxc_storage into lxc_rootfs and bind to its lifetime

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

configure: fix function detection

Fixes: #3809
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

dir: fix rootfs mounting

We need to be able to lookup symlinks and allow xdev.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>