lxc-alpine: Add support for ppc64le

Starting at version 3.6, Alpine Linux has support for ppc64le
architecture. Adding the new keys also.

Signed-off-by: Breno Leitao <breno.leitao@gmail.com>

Merge pull request #1588 from brauner/2017-05-26/update_opensuse_template

lxc-opensuse: add Tumbleweed as supported release

Merge pull request #1578 from 0x0916/export-seccomp-filter-to-log

seccomp: export the seccomp filter after load it into kernel successful

seccomp: export the seccomp filter after load it into kernel successful

when the log level is TRACE, this patch export the seccomp
filter to log file.

the ouput of `seccomp_export_pfc()` is human readable and this feature
is useful for user to make sure their `seccomp configuration file` is
right.

Output for he default ubuntu container's seccomp filter is the
following:

```
      lxc-start ubuntu 20170520024159.412 INFO     lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-cgns
if ($arch == 3221225534)
  # filter for syscall "finit_module" (313) [priority: 65535]
  if ($syscall == 313)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (304) [priority: 65535]
  if ($syscall == 304)
    action ERRNO(1);
  # filter for syscall "kexec_load" (246) [priority: 65535]
  if ($syscall == 246)
    action ERRNO(1);
  # filter for syscall "delete_module" (176) [priority: 65535]
  if ($syscall == 176)
    action ERRNO(1);
  # filter for syscall "init_module" (175) [priority: 65535]
  if ($syscall == 175)
    action ERRNO(1);
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 1073741827)
  # filter for syscall "finit_module" (350) [priority: 65535]
  if ($syscall == 350)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (342) [priority: 65535]
  if ($syscall == 342)
    action ERRNO(1);
  # filter for syscall "kexec_load" (283) [priority: 65535]
  if ($syscall == 283)
    action ERRNO(1);
  # filter for syscall "delete_module" (129) [priority: 65535]
  if ($syscall == 129)
    action ERRNO(1);
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # filter for syscall "umount2" (52) [priority: 65534]
  if ($syscall == 52)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 3221225534)
  # filter for syscall "kexec_load" (1073742352) [priority: 65535]
  if ($syscall == 1073742352)
    action ERRNO(1);
  # filter for syscall "finit_module" (1073742137) [priority: 65535]
  if ($syscall == 1073742137)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
  if ($syscall == 1073742128)
    action ERRNO(1);
  # filter for syscall "delete_module" (1073742000) [priority: 65535]
  if ($syscall == 1073742000)
    action ERRNO(1);
  # filter for syscall "init_module" (1073741999) [priority: 65535]
  if ($syscall == 1073741999)
    action ERRNO(1);
  # filter for syscall "umount2" (1073741990) [priority: 65534]
  if ($syscall == 1073741990)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
action KILL;
      lxc-start ubuntu 20170520024159.412 NOTICE   lxc_start - start.c:start:1470 - Exec'ing "/sbin/init".
```

Signed-off-by: 0x0916 <w@laoqinren.net>

Merge pull request #1613 from brauner/2017-06-03/af_unix

abstract lxc_abstract_unix_{send,recv}_fd, bugfixes, and improvements

lxc-opensuse: add Tumbleweed as supported release

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #1611 from brauner/2017-06-02/enforce_config_item_method_implementation

tests: enforce all methods for config items being implemented

conf: fix bionic builds

bionic seems to lack a definition of __S_ISTYPE().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: improve lxc_map_ids()

Closes https://github.com/lxc/lxd/issues/3384.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: improve tty shifting function

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bdev: record output from mkfs.*

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bdev: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

doc: tweak lxc.container.conf a little

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bdev: "detect" loop file

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: remove dead mount code

The removed codepath was non-functional for a long time now. All mounting is
handled through bdev.{c,h} and if that fails the other codepath would
necessarily fail as well. So let's remove them. This makes it way clearer what
is going on and simplifies things massively.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

af_unix: abstract lxc_abstract_unix_{send,recv}_fd

- Enable lxc_abstract_unix_{send,recv}_fd() to send and receive multiple fds at
  once.
- lxc_abstract_unix_{send,recv}_fd() -> lxc_abstract_unix_{send,recv}_fds()
- Send tty fds from child to parent all at once.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #1612 from brauner/2017-06-03/bugfixes

idmapping bugfixes

tree-wide: log function called in userns_exec_1()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: avoid double-frees in userns_exec_1()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: log sending and receiving of tty fds

This is a potentially security sensitive operation and I really want to keep an
eye on *when exactly* this is send. So add more logging on the TRACE() level.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #1609 from brauner/2017-06-01/unit_test_idmap_parser

unit test idmap parser + userns_exec_1() rework

Merge pull request #1608 from ss1h2a3tw/checkconfig

add probe status checking

conf: rework userns_exec_1()

This also fixes a bug where we caused a double mapping, when the {u,g}id for
the user was mapped to container root {g,u}id.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: add unit tests for idmap parser

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile_utils: add new file

This adds confile_utils.{c,h} which will contain a helpers to parse lxc
configuration files.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

add probe status checking

Signed-off-by: Shane Chen <ss1ha3tw@gmail.com>

tests: enforce all methods for config items

This adds a test that checks LXC's configuration jump table whether all methods
for a given configuration item are implemented. If it is not, we'll error out.
This should provide additional safety since a) the API can now be sure that
dereferencing the pointer for a given method in the config struct is safe and
b) when users implement new configuration keys and forget to implement a
required method we'll see it right away.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add dummy getter for lxc.include

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #1592 from brauner/2017-05-28/idmap_handling

idmap improvements

Merge pull request #1599 from brauner/2017-05-30/use_minimal_idmap_set

conf: use minimal {g,u}id map

conf: use minimal {g,u}id map

Afaict, userns_exec_1() is only used to operate based on privileges for the
user's own {g,u}id on the host and for the container root's unmapped {g,u}id.
This means we require only to establish a mapping from:
- the container root {g,u}id as seen from the host -> user's host {g,u}id
- the container root -> some sub{g,u}id

The former we add, if the user did not specifiy a mapping. The latter we
retrieve from the ontainer's configured {g,u}id mappings.

Closes #1598.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #1596 from brauner/2017-05-29/fix_parsing

confile: fix parsing

Merge pull request #1607 from ss1h2a3tw/master

adding warning for mtu ignoring

adding warning for mtu ignoring

Signed-off-by: Shane Chen <ss1ha3tw@gmail.com>

tests: comp retval to exp val whenever we can

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: performance tweaks

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #1605 from decomposite/systemd_unit_stop

Use lxc-stop to stop systemd service

Use lxc-stop to stop systemd service

Ever since 8eb62c2, systemd has not been able to cleanly stop lxc
containers (via lxc@) because it's still using SIGPWR for systemd-based
containers.

We should now use the nice logic in 330ae3d to stop the containers
instead.

Signed-off-by: JD Friedrikson <yours@decompo.site>

Merge pull request #1601 from brauner/2017-05-30/veth_fixes

network: don't delete net devs we didn't create

lxccontainer: switch api to new clearer callbacks

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.include

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.include

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.limit{.*}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.no_new_privs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.ephemeral

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.init_gid

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.init_uid

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.init_cmd

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.environment

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.group

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.monitor.unshare

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.syslog

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.start.*

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.stopsignal

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.rebootsignal

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.haltsignal

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.autodev

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.seccomp

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.console.logfile

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.console

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.cap.keep

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.cap.drop

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.network

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.network.*

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.hook{.*}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.utsname

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add dummy clearer for lxc.pivotdir

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.rootfs.backend

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.rootfs.options

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.rootfs.mount

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.rootfs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.mount

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.mount.auto

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.mount.entry

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.logfile

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.loglevel

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.id_map

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.cgroup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.se_context

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.lsm_aa_allow_incomplete

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.aa_profile

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.kmsg

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.devttydir

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.tty

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.pts

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add clearer for lxc.personality

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: implement config item clear callback

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: final cleanups

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

test: add item clear and config file tests

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: dump lxc_get_config_item()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: switch api to new callback system

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: adapt layout of getter callback

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: switch api to new callback system

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add getter for lxc.limit{.*}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add getter for lxc.no_new_privs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add getter for lxc.ephemeral

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add getter for lxc.init_gid

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: add getter for lxc.init_uid

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>