lxc-test-usernsexec: If user is root, then create and use non-root user.

Previously if the user was root, then the test would just skip
running (and exit 0).  The lxc test environment is run as root.
So, instead of never doing anything there, we create a user,
make sure it is in /etc/sub{ug}id and then execute the test as that
user.

If user is already non-root, then just execute the tests as before.

Signed-off-by: Scott Moser <smoser@brickies.net>

Merge pull request #3428 from smoser/test/add-usernsexec-test

Add test of lxc-usernsexec

Add test of lxc-usernsexec

The test executes lxc-usernsexec to create some files and chmod them.
Then makes assertions on the uid and gid of those files from outside.

Signed-off-by: Scott Moser <smoser@brickies.net>

Merge pull request #3424 from brauner/2020-05-25/fixes

api_extensions: add "pidfd"

api_extensions: add "pidfd"

Somehow it's documented but wasn't ever added.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

travis: Restrict coverity to gcc on bionic on amd64

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3422 from brauner/2020-05-20/usernsexec_fixes

lxc-usernsexec: improvements

lxc-usernsexec: don't fail on setgroups()

We can fail to setgroups() when "deny" has been set which we need to set when
we are a fully unprivileged user.

Closes: 3420.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-usernsexec: dumb down from error to warning message

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3419 from brauner/2020-05-19/network_phys_fixes

network: use __instantiate_ns_common() in instantiate_ns_phys() too

network: use __instantiate_ns_common() in instantiate_ns_phys() too

Fixes: https://lists.linuxcontainers.org/pipermail/lxc-users/2020-May/015245.html
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3418 from brauner/2020-05-18/android_fixes

bionic: s/lxc_raw_execveat()/execveat()/g

bionic: s/lxc_raw_execveat()/execveat()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3417 from brauner/2020-05-15/fixes

network: fix {mac,ip,v}lan device creation

network: fix {mac,ip,v}lan device creation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3415 from brauner/2020-05-15/fixes

network: restore old behavior

network: restore old behavior

I introduced a regression: when users didn't specify a specific name via
lxc.net.<idx>.name then the device would retain the random name it received
when we created it. Before we would use the "eth%d" syntax to get the kernel to
assign a fixed name. Restore that behavior.

Closes: #3407.
Fixes: 8bf64b77ac8a ("network: rework network device creation")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3412 from brauner/2020-05-15/clone3

clone3: add infrastructure and switch container creation to it

Merge pull request #3414 from Blub/get-cgroup-path-compat

improve LXC_CMD_GET_CGROUP compatibility

improve LXC_CMD_GET_CGROUP compatibility

When a newer lxc library communicates with an older one
(such as running an lxc 4.0 lxc-freeze on a longer running
container which was started while lxc was still at version
3), the LXC_CMD_GET_LIMITING_CGROUP command is not
available, causing the remote to just close the socket.
Catch this and try the previous command instead.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

cgroups: be less alarming when creating cgroups

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

process_utils: make lxc use clone3() whenever possible

No more weird api quirks between architectures and cool new features.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3413 from Blub/dont-busy-loop-on-freeze

Don't busy loop on freeze with cgroupv2

cgfsng: use EPOLLPRI when polling cgroup.events

EPOLLIN will always be true and therefore end up
busy-looping

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

cgfsng: deduplicate freeze code

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

mainloop: add lxc_mainloop_add_handler_events

in order to be able to listen for EPOLLPRI

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

process_utils: add clone3() support

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

process_utils: introduce new process_utils.{c,h}

This will be the central place for all process management helpers. This also
removes raw_syscalls.{c,h}.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscall_numbers: add clone3()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscall_numbers: handle ia64 syscall numbers correctly

They are offset by 1024.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3411 from brauner/master

console: only create detached mount when a console is requested

console: only create detached mount when a console is requested

otherwise weird things might happen.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3410 from brauner/2020-05-13/fixes

reboot fixes

log: cleanup syslog handling

Disable and enable syslog around lxc_check_inherited().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: cleanup file descriptor inheritance

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix container reboot

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use close_prot_errno_disarm() on state_socket_pair

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: remove unused lxc_zero_handler()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: small cleanup to lxc_check_inherited() calls

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3408 from brauner/2020-05-11/fixes

network: fix key ordering independence

confile: fix order independence of network keys

We need to make sure we don't overwrite values when they have already been set.

Closes: #3405.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools/lxc-ls: shut up lgtm more

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3403 from brauner/2020-05-07/fixes

fixes

tools/lxc-ls: shutup lgtm

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

yum: remove unused module

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: this is all rather TODO than FIXME

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3399 from brauner/2020-05-09/compiler_hardening

compiler: more hardening

compiler: support new access attributes

which will allow us to catch more oob accesses.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

gcc: add -Warray-bounds, -Wrestrict, -Wreturn-local-addr, -Wstringop-overflow

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3398 from brauner/2020-05-04/fixes

terminal: remove unneeded if condition

terminal: remove unneeded if condition

Fixes: Coverity 1461742.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3397 from brauner/2020-05-03/fixes

conf: introduce userns_exec_mapped_root()

conf: support console setup on containers without rootfs

This depends on the new mount api.

Closes #3164.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: introduce userns_exec_mapped_root()

to avoid the overhead of calling to lxc-usernsexec whenever we can.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3396 from brauner/2020-05-03/fixes

cgroup: fixes

cgroups: premount cgroups on cgroup2-only systems

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

common.conf: add cgroup2 default device limits

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ignore cgroup2 limits on non-cgroup2 layouts

Mixing cgroup2 and legacy cgroup systems such that some controllers are enabled
in legacy cgroup hierarchies and other controllers in the unified hierarchies
is simply not something we're supporting. Even systemd's hybrid layout (crazy)
doesn't bind controllers to the unified cgroup hierarchy.

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3392 from tomponline/tp-ipvlan-netlink

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

Fixes #3386

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3391 from stgraber/master

apparmor: Allow boot_id

apparmor: Allow boot_id

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

configure: fix coverity builds

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3385 from brauner/2020-04-15/fixes

cgroups: fix cgroup limit braino

cgroups: fix cgroup limit braino

Fixes: https://discuss.linuxcontainers.org/t/memory-limits-no-longer-being-applied/7429/7
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3384 from brauner/master

travis: coverity gets confused about the %m printf extension in glibc

travis: coverity gets confused about the %m printf extension in glibc

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3383 from brauner/2020-04-15/fixes

log: set GNU_SOURCE as it might help coverity along

log: set GNU_SOURCE as it might help coverity along

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3382 from brauner/2020-04-15/fixes

conf: correctly cleanup memory in get_minimal_idmap()

conf: correctly cleanup memory in get_minimal_idmap()

Fixes: Coverity 1461760.
Fixes: Coverity 1461762.
Fixes: Coverity 1461763.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3381 from brauner/2020-04-15/fixes

fixes

rexec: free argv array on failure

Fixes: Coverity 1461736.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: move check for valid config earlier

Fixes: Coverity 1461735.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: restore non-local value

Fixes: Coverity 1461734.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: log warning on network deconfiguration failures

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: add additional check to lxc_cmd_sock_get_state()

to please Coverity.

Fixes: Coverity 1461732.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

zfs: fix resource leak

Fixes: Coverity 1461730.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

criu: make explicit that we're ignoring rmdir() return value

Fixes: Coverity 1461726.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: don't double free in get_minimal_idmap()

Fixes: Coverity 1461725.
Fixes: Coverity 1461727.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use correct NULL pointer check

Fixes: Coverity 1461722.
Fixes: Coverity 1461737.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

rexec: avoid double-close

Fixes: Coverity 1461721.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix cgroup2 devices

Fixes: Coverity 1461748.
Fixes: Coverity 1461746.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

uuid: close fd

Fixes: Coverity 1461751.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: do not pass NULL pointer

Fixes: Coverity 1461752.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3380 from brauner/2020-04-15/fixes

fixes

conf: fix tty cleanup

Fixes: Coverity 1461755.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

memory_utils: directly NULL ptr in free_disarm()

This should keep coverity happy.

Fixes: Coverity 1461757.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3379 from brauner/upstream/master

travis: add back coverity

travis: add back coverity

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3378 from brauner/2020-04-13/fixes

cgroups: adhere to boolean return

cgroups: adhere to boolean return

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3377 from lifeng68/fix_cgroup_exit

cgroup: fix wrong use of cgfd_con in cgroup_exit

cgroup: fix wrong use of cgfd_con in cgroup_exit

Signed-off-by: LiFeng <lifeng68@huawei.com>

Merge pull request #3376 from toddnni/lxc-oci-fix

Fix lxc-oci template with loop backingstore

Fix lxc-oci template with loop backingstore

Move the content of rootfs inside OCI package to rootfs instead of
replacing it, as the directory is used as the mountpoint.

Tested with directory and loop backingstore.

Signed-off-by: Toni Ylenius <toni.ylenius@iki.fi>

Merge pull request #3375 from brauner/2020-04-12/fixes

cgroups: ignore legacy limits on pure cgroup2 systems

Merge pull request #3374 from stgraber/master

tests/no-new-privs: Don't mess with /etc/lxc

cgroups: ignore legacy limits on pure cgroup2 systems

Link: https://github.com/lxc/lxc/issues/3183#issuecomment-612462322
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests/no-new-privs: Don't mess with /etc/lxc

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>