cgroups: handle empty bpf log buffer

Link: https://launchpadlibrarian.net/487274879/buildlog_ubuntu-eoan-amd64.lxc_1:4.0.3+master~20200705-1541-0ubuntu1~eoan_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3475 from brauner/2020-07-05/fixes

cgroups: fix bpf device program generation

cgroups: fix bpf device program generation

Closes: #3473.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3474 from brauner/2020-07-03/fixes

api-extensions: add seccomp_allow_deny_syntax extension

api-extensions: add seccomp_allow_deny_syntax extension

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3472 from brauner/2020-07-03/fixes

fixes

cgroup2_devices: fix access rule parsing

Closes: #3473.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use empty {} to initialize struct

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: support allowlist/denylist in profiles

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: update terminology II

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: update terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3469 from johanneskastl/20200630_Kastl_fix_gpg_option

templates/lxc-download.in: use GPG option "--receive-keys"

templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys

Signed-off-by: Johannes Kastl <kastl@b1-systems.de>

Merge pull request #3468 from johanneskastl/20200630_Kastl_fix_shell_download_template

templates/lxc-download.in: fix wrong if-condition

templates/lxc-download.in: make shellcheck happy

Signed-off-by: Johannes Kastl <kastl@b1-systems.de>

templates/lxc-download.in: fix wrong if condition (use the result of the gpg command, not the result when executing the result of the gpg command)

Signed-off-by: Johannes Kastl <kastl@b1-systems.de>

Merge pull request #3466 from alivenets/fix-no-new-privs

attach: set no_new_privs flag after LSM label

attach: set no_new_privs flag after LSM label

In `start.c:1284`, no_new_privs flag is set after LSM label is set.
Also, in `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has
changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving
`PR_SET_NO_NEW_PRIVS` set logic after LSM for the process is configured;

Closes #3393

Signed-off-by: Alexander Livenets <a.livenets@gmail.com>

Merge pull request #3465 from brauner/2020-06-19/clone_into_cgroup

clone_into_cgroup: fixes

start: use __aligned_u64

Closes: Coverity 1465044.
Closes: Coverity 1465046.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: initialize cgroup_fd

Fixes: Coverity 1465045.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3464 from brauner/2020-06-19/clone_into_cgroup

lxc: support CLONE_INTO_CGROUP

lxc: support CLONE_INTO_CGROUP

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3463 from brauner/2020-06-26/fixes

confile: handle overflow in lxc.time.offset.{boot,monotonic}

Merge pull request #3462 from tenforward/japanese

Update Japanese lxc.container.conf(5)

start: preserve time namespace

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: handle overflow in lxc.time.offset.{boot,monotonic}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

doc: Add lxc.time.offset.* to Japanese lxc.container.conf(5)

and fix a type in English man page.
Update for commit 7fb5a8dfd2dcacd840921fcecdaad34cefad7a68

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Add veth vlan bridge options to Japanese lxc.container.conf(5)

Update for commit a789ca4c24190f903d80b077b3cae766e932b2ad

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #3461 from brauner/2020-06-25/time_namespace

time namespace support

doc: add lxc.time.offset.{boot,monotonic}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

api: add time_namespace extension

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc: add time namespace support

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3460 from brauner/2020-06-25/fixes

commands: don't flood logs

commands: don't flood logs

We're ignoring commands that we don't know about. They used to be fatal. Not
anymore.

Closes: #3459.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3458 from stgraber/master

lxc-net: Set broadcast

lxc-net: Set broadcast

Closes #3457

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3456 from brauner/2020-06-23/lxc_stop_fixes

lxccontainer: fix non-blocking container stop

lxccontainer: fix non-blocking container stop

Stopping a lxc container with without waiting on it was broken in master. This
patch fixes it.

Signed-off-by: Robert Vogelgesang <vogel@folz.de>

Merge pull request #3454 from brauner/master

tree-wide: variable naming update

test: update terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

doc: update terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: adapt code example

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

openpty: adapt variable naming

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3453 from stgraber/master

network: Rename primary to master

network: Rename primary to master

The previous change made things confusing by impliying there may be a
secondary when VLAN/IPVLAN/bridge members can only have a single parent
device.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Revert "nl: fix memory leak"

This reverts commit 9d05339487f4e9c4e7f700f963c161a4d9977ae4.

This causes a double-free as the variable is already using __do_free.

Closes #3452

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

tree-wide: use "primary" in networking code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: wipe references to questionable apis from our public logs

We can't do anything about the established kernel API but we can at least not
propagate the terminology.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: use "ptmx" and "pts" as terminal terms

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3449 from gaurav1086/nl_fix_mem_leak

nl: fix memory leak

Merge pull request #3450 from gaurav1086/containertests_fix_null_ptr_deref

containertests: fix null pointer defereference

containertests: fix null pointer defereference

Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>

nl: fix memory leak

Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>

Merge pull request #3446 from brauner/2020-06-10/fixes_2

conf: kill old chown_mapped_root()

lxccontainer: remove pointless string duplication

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: kill old chown_mapped_root()

It's now a wrapper around userns_exec_mapped_root() which allows us to avoid
fork() + exec() lxc-usernsexec makes things way nicer to test with ASAN etc.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: add some more logging to userns_exec_mapped_root()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: always use target_fd in userns_exec_mapped_root()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: remove faulty flags

If we set O_RDWR we won't be able to open directories and if we set O_PATH we
won't be able to chown.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3444 from brauner/2020-06-10/fixes

cgroups: initialize lxc.pivot cpuset

cgroups: initialize lxc.pivot cpuset

Closes: #3443.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3442 from tomponline/tp-veth-vlan-coverity

Coverity fixes for veth vlan

network: Adds calls to free_ovs_veth_vlan_args in setup_veth_ovs_bridge_vlan

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Fix int type in log message

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds free_ovs_veth_vlan_args and allows trunks field to be freed

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Removes unused ip_proxy_args

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Fix coverity issue, dont initialise string pointers in setup_veth_ovs_bridge_vlan

This is needed by lxc_ovs_setup_bridge_vlan_exec.

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Fix coverity issue, leaking data in lxc_ovs_setup_bridge_vlan_exec

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile: Fix coverity issue, missing return in get_config_net_veth_vlan_tagged_id

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3439 from tomponline/tp-nic-veth-vlan-ovs

NIC: Veth OVS bridge VLAN support

network: Updates instantiate_veth to support OVS VLAN setup

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds OVS VLAN setup functions

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Updates netlink_open handling in lxc_ipvlan_create

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

doc: Adds documentation for veth vlan bridge options

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Updates instantiate_veth to set bridge vlan settings

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds bridge vlan management functions

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tests: Adds test for lxc.net.0.veth.vlan.tagged.id config key

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tests: Adds test for bridge vlan "none" value

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tests: Adds test for lxc.net.0.veth.vlan.id config key

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile/utils: Adds freeing of priv.veth_attr.vlan_tagged_ids

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile/utils: Adds veth vlan tagged ID tracing to lxc_log_configured_netdevs

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile/utils: Adds veth mode and vlan ID tracing to lxc_log_configured_netdevs

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile: Adds validation for lxc.net.veth.vlan.tagged.id

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

confile: Adds validation for lxc.net.veth.vlan.id

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds veth vlan_id, vlan_id_set and vlan_tagged_ids

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds BRIDGE_VLAN_ID_MAX constant

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds constant for BRIDGE_VLAN_NONE mode

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds bridge VLAN constants

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

api/extensions: Adds network_bridge_vlan API extension

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: Adds check for bridge link interface existence in instantiate_veth

To avoid misleading errors about openvswitch when non-existent bridge link interface specified.

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

macro: Adds UINT_TO_PTR and PTR_TO_USHORT helpers

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3434 from tomponline/tp-copying

.gitignore: Ignores COPYING file created by make

.gitignore: Ignores COPYING file created by make

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3432 from smoser/fix/lxc-usernsexec-test-do-create-user

lxc-test-usernsexec: If user is root, then create and use non-root user.

lxc-test-usernsexec: If user is root, then create and use non-root user.

Previously if the user was root, then the test would just skip
running (and exit 0).  The lxc test environment is run as root.
So, instead of never doing anything there, we create a user,
make sure it is in /etc/sub{ug}id and then execute the test as that
user.

If user is already non-root, then just execute the tests as before.

Signed-off-by: Scott Moser <smoser@brickies.net>

Merge pull request #3428 from smoser/test/add-usernsexec-test

Add test of lxc-usernsexec

Add test of lxc-usernsexec

The test executes lxc-usernsexec to create some files and chmod them.
Then makes assertions on the uid and gid of those files from outside.

Signed-off-by: Scott Moser <smoser@brickies.net>

Merge pull request #3424 from brauner/2020-05-25/fixes

api_extensions: add "pidfd"

api_extensions: add "pidfd"

Somehow it's documented but wasn't ever added.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>