lxccontainer: remove pointless string duplication

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: kill old chown_mapped_root()

It's now a wrapper around userns_exec_mapped_root() which allows us to avoid
fork() + exec() lxc-usernsexec makes things way nicer to test with ASAN etc.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: add some more logging to userns_exec_mapped_root()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: always use target_fd in userns_exec_mapped_root()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: remove faulty flags

If we set O_RDWR we won't be able to open directories and if we set O_PATH we
won't be able to chown.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3444 from brauner/2020-06-10/fixes

cgroups: initialize lxc.pivot cpuset

cgroups: initialize lxc.pivot cpuset

Closes: #3443.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3442 from tomponline/tp-veth-vlan-coverity

Coverity fixes for veth vlan

network: Adds calls to free_ovs_veth_vlan_args in setup_veth_ovs_bridge_vlan

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Fix int type in log message

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds free_ovs_veth_vlan_args and allows trunks field to be freed

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Removes unused ip_proxy_args

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Fix coverity issue, dont initialise string pointers in setup_veth_ovs_bridge_vlan

This is needed by lxc_ovs_setup_bridge_vlan_exec.

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Fix coverity issue, leaking data in lxc_ovs_setup_bridge_vlan_exec

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile: Fix coverity issue, missing return in get_config_net_veth_vlan_tagged_id

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3439 from tomponline/tp-nic-veth-vlan-ovs

NIC: Veth OVS bridge VLAN support

network: Updates instantiate_veth to support OVS VLAN setup

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds OVS VLAN setup functions

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Updates netlink_open handling in lxc_ipvlan_create

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

doc: Adds documentation for veth vlan bridge options

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Updates instantiate_veth to set bridge vlan settings

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds bridge vlan management functions

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tests: Adds test for lxc.net.0.veth.vlan.tagged.id config key

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tests: Adds test for bridge vlan "none" value

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tests: Adds test for lxc.net.0.veth.vlan.id config key

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile/utils: Adds freeing of priv.veth_attr.vlan_tagged_ids

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile/utils: Adds veth vlan tagged ID tracing to lxc_log_configured_netdevs

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile/utils: Adds veth mode and vlan ID tracing to lxc_log_configured_netdevs

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile: Adds validation for lxc.net.veth.vlan.tagged.id

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile: Adds validation for lxc.net.veth.vlan.id

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds veth vlan_id, vlan_id_set and vlan_tagged_ids

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds BRIDGE_VLAN_ID_MAX constant

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds constant for BRIDGE_VLAN_NONE mode

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds bridge VLAN constants

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

api/extensions: Adds network_bridge_vlan API extension

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds check for bridge link interface existence in instantiate_veth

To avoid misleading errors about openvswitch when non-existent bridge link interface specified.

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds UINT_TO_PTR and PTR_TO_USHORT helpers

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3434 from tomponline/tp-copying

.gitignore: Ignores COPYING file created by make

.gitignore: Ignores COPYING file created by make

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3432 from smoser/fix/lxc-usernsexec-test-do-create-user

lxc-test-usernsexec: If user is root, then create and use non-root user.

lxc-test-usernsexec: If user is root, then create and use non-root user.

Previously if the user was root, then the test would just skip
running (and exit 0).  The lxc test environment is run as root.
So, instead of never doing anything there, we create a user,
make sure it is in /etc/sub{ug}id and then execute the test as that
user.

If user is already non-root, then just execute the tests as before.

Signed-off-by: Scott Moser <smoser@brickies.net>

Merge pull request #3428 from smoser/test/add-usernsexec-test

Add test of lxc-usernsexec

Add test of lxc-usernsexec

The test executes lxc-usernsexec to create some files and chmod them.
Then makes assertions on the uid and gid of those files from outside.

Signed-off-by: Scott Moser <smoser@brickies.net>

Merge pull request #3424 from brauner/2020-05-25/fixes

api_extensions: add "pidfd"

api_extensions: add "pidfd"

Somehow it's documented but wasn't ever added.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

travis: Restrict coverity to gcc on bionic on amd64

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3422 from brauner/2020-05-20/usernsexec_fixes

lxc-usernsexec: improvements

lxc-usernsexec: don't fail on setgroups()

We can fail to setgroups() when "deny" has been set which we need to set when
we are a fully unprivileged user.

Closes: 3420.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-usernsexec: dumb down from error to warning message

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3419 from brauner/2020-05-19/network_phys_fixes

network: use __instantiate_ns_common() in instantiate_ns_phys() too

network: use __instantiate_ns_common() in instantiate_ns_phys() too

Fixes: https://lists.linuxcontainers.org/pipermail/lxc-users/2020-May/015245.html
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3418 from brauner/2020-05-18/android_fixes

bionic: s/lxc_raw_execveat()/execveat()/g

bionic: s/lxc_raw_execveat()/execveat()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3417 from brauner/2020-05-15/fixes

network: fix {mac,ip,v}lan device creation

network: fix {mac,ip,v}lan device creation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3415 from brauner/2020-05-15/fixes

network: restore old behavior

network: restore old behavior

I introduced a regression: when users didn't specify a specific name via
lxc.net.<idx>.name then the device would retain the random name it received
when we created it. Before we would use the "eth%d" syntax to get the kernel to
assign a fixed name. Restore that behavior.

Closes: #3407.
Fixes: 8bf64b77ac8a ("network: rework network device creation")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3412 from brauner/2020-05-15/clone3

clone3: add infrastructure and switch container creation to it

Merge pull request #3414 from Blub/get-cgroup-path-compat

improve LXC_CMD_GET_CGROUP compatibility

improve LXC_CMD_GET_CGROUP compatibility

When a newer lxc library communicates with an older one
(such as running an lxc 4.0 lxc-freeze on a longer running
container which was started while lxc was still at version
3), the LXC_CMD_GET_LIMITING_CGROUP command is not
available, causing the remote to just close the socket.
Catch this and try the previous command instead.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

cgroups: be less alarming when creating cgroups

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

process_utils: make lxc use clone3() whenever possible

No more weird api quirks between architectures and cool new features.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3413 from Blub/dont-busy-loop-on-freeze

Don't busy loop on freeze with cgroupv2

cgfsng: use EPOLLPRI when polling cgroup.events

EPOLLIN will always be true and therefore end up
busy-looping

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

cgfsng: deduplicate freeze code

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

mainloop: add lxc_mainloop_add_handler_events

in order to be able to listen for EPOLLPRI

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

process_utils: add clone3() support

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

process_utils: introduce new process_utils.{c,h}

This will be the central place for all process management helpers. This also
removes raw_syscalls.{c,h}.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscall_numbers: add clone3()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscall_numbers: handle ia64 syscall numbers correctly

They are offset by 1024.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3411 from brauner/master

console: only create detached mount when a console is requested

console: only create detached mount when a console is requested

otherwise weird things might happen.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3410 from brauner/2020-05-13/fixes

reboot fixes

log: cleanup syslog handling

Disable and enable syslog around lxc_check_inherited().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: cleanup file descriptor inheritance

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix container reboot

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use close_prot_errno_disarm() on state_socket_pair

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: remove unused lxc_zero_handler()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: small cleanup to lxc_check_inherited() calls

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3408 from brauner/2020-05-11/fixes

network: fix key ordering independence

confile: fix order independence of network keys

We need to make sure we don't overwrite values when they have already been set.

Closes: #3405.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools/lxc-ls: shut up lgtm more

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3403 from brauner/2020-05-07/fixes

fixes

tools/lxc-ls: shutup lgtm

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

yum: remove unused module

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: this is all rather TODO than FIXME

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3399 from brauner/2020-05-09/compiler_hardening

compiler: more hardening

compiler: support new access attributes

which will allow us to catch more oob accesses.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

gcc: add -Warray-bounds, -Wrestrict, -Wreturn-local-addr, -Wstringop-overflow

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3398 from brauner/2020-05-04/fixes

terminal: remove unneeded if condition

terminal: remove unneeded if condition

Fixes: Coverity 1461742.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3397 from brauner/2020-05-03/fixes

conf: introduce userns_exec_mapped_root()

conf: support console setup on containers without rootfs

This depends on the new mount api.

Closes #3164.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: introduce userns_exec_mapped_root()

to avoid the overhead of calling to lxc-usernsexec whenever we can.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3396 from brauner/2020-05-03/fixes

cgroup: fixes

cgroups: premount cgroups on cgroup2-only systems

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

common.conf: add cgroup2 default device limits

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ignore cgroup2 limits on non-cgroup2 layouts

Mixing cgroup2 and legacy cgroup systems such that some controllers are enabled
in legacy cgroup hierarchies and other controllers in the unified hierarchies
is simply not something we're supporting. Even systemd's hybrid layout (crazy)
doesn't bind controllers to the unified cgroup hierarchy.

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3392 from tomponline/tp-ipvlan-netlink

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

Fixes #3386

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>