lxc-download: add LXC version/compat level to user-agent

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>

Merge pull request #3924 from brauner/2021-06-04.io_uring

mainloop: io_uring support

mainloop: add io_uring support

Users can choose to compile liblxc with io_uring support. This will
cause LXC to use io_uring instead of epoll.
We're using both, io_uring's one-shot and multi-shot poll mode depending
on the type of handler.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3927 from tomponline/tp-nic-address-broadcast

doc: Adds mention of ability to specify manual IPv4 broadcast address

doc: Adds mention of ability to specify manual IPv4 broadcast address

See also https://github.com/lxc/lxd/pull/9103

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

tree-wide: s/lxc_epoll_descr/lxc_async_descr/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: log session keyring failure on WARN level

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: log at warning instead of error level

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3926 from stgraber/master

doc/api-extensions: Grammar fix

doc/api-extensions: Grammar fix

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3925 from brauner/2021-08-09.fixes

lsm/apparmor: small fixes

lsm/apparmor: use cleanup macro

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm/apparmor: log failure to write AppArmor profile

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3923 from brauner/2021-08-05.fixes

network: fix container with empty network namespaces

network: fix container with empty network namespaces

Fixes: #3922
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3921 from brauner/2021-08-03.fixes

conf: rootfs mount option fixes

tests: add test for rootfs mount options

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: allow mount options for rootfs when using new mount api

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mount_utils: make some mount helpers static inline

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: let parse_vfs_attr() handle legacy mount flags as well

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: log failure to create tty mountpoint

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3920 from brauner/2021-08-02.fixes

mount_utils: introduce mount_at()

conf: refactor lxc_recv_ttys_from_child()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: fix logging in lxc_idmapped_mounts_child()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mount_utils: introduce mount_at()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3919 from brauner/2021-07-31.devpts

terminal: handle kernel without TIOCGPTPEER

terminal: fail on unknown error during TIOCGPTPEER

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: move native terminal allocation from error logging to info

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: handle kernels without TIOCGPTPEER

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3918 from brauner/2021-07-30.devpts

conf: rework console setup

start: allow containers to use a native console

After all of the previous rework we can make it possible for a container
to use a console allocated from the container's devpts instance.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: remove unused argument from lxc_devpts_terminal()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: rework console setup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

file_utils: add open_at_same()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use mount_fd() during console mounting

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use mount_fd() in lxc_setup_dev_console()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use mount_fd() helper when mounting ttys

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mount_utils: add mount_fd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: stash pty_nr in struct lxc_terminal

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3916 from brauner/2021-07-29.fixes

conf: move remaining setup before pivot root

conf: move lxc_create_ttys() before pivot root

This is the last setup step that occured after pivot root.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: split out lxc_devpts_terminal() helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3915 from brauner/2021-07-29.fixes

string_utils: cast __s64 to long long signed int

string_utils: cast __s64 to long long signed int

Link: https://launchpadlibrarian.net/550723147/buildlog_snap_ubuntu_focal_ppc64el_lxd-latest-edge_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3914 from brauner/2021-07-29.devpts

devpts: move setup before pivot root

conf: merge devpts setup and move before pivot root

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: don't use ttyname_r() for native terminal allocation

Since we can call that function from another mount namespace we need to
do this manually.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: add and use mount_beneath_fd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: update comment

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use a relative path in symlinkat()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: s/lxc_setup_devpts_parent/lxc_recv_devpts_from_child/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: attach devpts mount directly when new mount api can be used

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: set source property for devpts

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: surface failures to setup console

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3912 from brauner/2021-07-28.devpts

conf: devpts rework

Merge pull request #3913 from stgraber/master

Fix typos

Fix typos

This fixes all typos identified by lintian.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

conf: ensure devpts_fd is set to -EBADF

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: ttyname_r() returns an error number on failure

In other words, how inconsistent can an API be?

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use new mount api for devpts setup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3910 from petris/tty_enxio

lxc_setup_ttys: Handle existing ttyN file without underlying device

Merge pull request #3909 from petris/bpf_enosys_warn

bpf: simplify detection if BPF is supported

Merge pull request #3911 from siv0/fix_legacy_cgroup_devices

Fix legacy cgroup devices

bpf: bpf_devices_cgroup_supported() should check if bpf() is available

bpf_devices_cgroup_supported() tries to load a simple BPF program to
test if BPF works. This is problematic because the function used to load
the program - bpf_program_load_kernel() - emits an error to the log if
BPF is not enabled in the kernel although device controller is not
requested in the configuration. Users could interpret that as a problem.

Make bpf_devices_cgroup_supported() check if the BPF syscall is available
before calling bpf_program_load_kernel(). We can do it by passing a NULL
pointer instead of the syscall argument as the kernel returns either
ENOSYS, when the syscall is not implemented or EFAULT, when it is
implemented.

Signed-off-by: Petr Malat <oss@malat.biz>

lxc_setup_ttys: Handle existing ttyN file without underlying device

If a device file is opened and there isn't the underlying device,
the open call fails with ENXIO, but the path can be opened with
O_PATH, which is enough for mounting over the device file.

Generalize this idea and use O_PATH for all cases when the file
is there. One still must check for both ENXIO and EEXIST as it's
unspecified what error is reported if multiple error conditions
occur at the same time.

Signed-off-by: Petr Malat <oss@malat.biz>

cgroups: remove unneeded variables from cgroup_tree_create

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

cgroups: populate hierarchy for device cgroup

With the changes introduced in:
b7b1e3a34ce28b01206c48227930ff83d399e7b6
the hierarchy-struct did not have the path_lim set anymore, which is
needed by setup_limits_legacy (->cg_legacy_set_data->lxc_write_openat)
to actually access the cgroup directory.

The issue can be reproduced with a container config having
```
lxc.cgroup.devices.deny = a
```
(or any lxc.cgroup.devices entry) set on a system booted with
systemd.unified_cgroup_hierarchy=0.

This affects all privileged containers on PVE (due to the default
devices.deny entry).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

Merge pull request #3908 from brauner/2021-07-15.fixes.4

terminal: fix error handling

terminal: fix error handling

Fixes: f382bcc6d820 ("terminal: log TIOCGPTPEER failure less alarmingly")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3907 from brauner/2021-07-15.fixes.3

terminal: log TIOCGPTPEER failure less alarmingly

Merge pull request #3906 from brauner/2021-07-15.fixes.2

grammar fixes

af_unix: report error when no fd is to be sent

Fixes: #3624
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: log TIOCGPTPEER failure less alarmingly

This is not a fatal error and the fallback codepath is equally safe.
When we use TIOCGPTPEER we're using a stashed fd to the container's
devpts mount's ptmx device and allocating a new fd non-path based
through this ioctl. If this ioctl can't be used we're falling back to
allocating a pts device from the host's devpts mount's ptmx device which
is path-based but is not under control of the container and so that's
safe. The difference is just that the first method gets you a nice
native terminal with all the pleasantries of having tty and friends
working whereas the latter method does not.

Fixes: #3625
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

sync: fix log message

Fixes: #3875
Suggested-by: Hank.shi <shk242673@163.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix logging message

Fixes: #3875
Suggested-by: Hank.shi <shk242673@163.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3905 from brauner/2021-07-15.fixes

initutils: include pthread.h

initutils: include pthread.h

Otherwise we might end up with implicit function declaration warnings.

Link: https://jenkins.linuxcontainers.org/job/lxc-build-android/8915/console
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3904 from hallyn/2021-07-14/mantypo

doc/common_options: add trace and alert loglevels

doc/common_options: add trace and alert loglevels

Signed-off-by: Serge Hallyn <serge@hallyn.com>

Merge pull request #3900 from brauner/2021-07-08.fixes

file_utils: surface ENOENT when falling back to openat()

file_utils: surface ENOENT when falling back to openat()

Link: https://discuss.linuxcontainers.org/t/error-failed-to-retrieve-pid-of-executing-child-process
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3896 from Blub/include-userns-config-dir

RFC: conf: userns.conf: include userns.conf.d

Merge pull request #3897 from brauner/2021-07-05.fixes

lxc-unshare: fixes

lxc_unshare: fix network device handling

We were passing the wrong PID. Fix this!

Link: https://discuss.linuxcontainers.org/t/problem-with-moving-interface-new-network-namespace-in-lxc-unshare
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc_unshare: make mount table private

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: allow including nonexisting directories

If an include directive ends with a trailing slash, we now
always assume it is a directory and do not treat the
non-existence as an error.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

conf: userns.conf: include userns.conf.d

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Merge pull request #3895 from tenforward/japanese

Update Japanese lxc.container.conf(5)

doc: Fix typo in English lxc.container.conf(5)

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Add new idmap= option to Japanese lxc.container.conf(5)

Update for commit 1852be904823e3532af38efc5ef55d3fb931e616

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Append description of net type field

Update for commit 320061b34fea7d7f280b0a421dddeac7dac7f1bf

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Add eBPF-based device controller semantics to Japanese man page

Update for commit 5025f3a69053bbddbe6c76ffb55b4bbd5759dcc8

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #3891 from brauner/2021-07-01.fixes

cgroups: handle funky cgroup layouts

Merge pull request #3892 from brauner/2021-07-01.fixes.2

terminal: ensure newlines are turned into newlines+carriage return fo…

Merge pull request #3893 from brauner/2021-07-01.fixes.3

cmd/lxc-checkconfig: list cgroup namespaces and rename confusing ns_c…

cmd/lxc-checkconfig: list cgroup namespaces and rename confusing ns_cgroup entry

Link: https://discuss.linuxcontainers.org/t/cgroup-namespace-required-in-lxc-checkconfig-and-config-cgroup-ns
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: ensure newlines are turned into newlines+carriage return for terminal output

Fixes: #3879
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: handle funky cgroup layouts

Old versions of Docker emulate a cgroup namespace by bind-mounting the
container's cgroup over the corresponding controller:

/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime master:11 - cgroup cgroup rw,xattr,name=systemd
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,net_cls,net_prio
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime master:16 - cgroup cgroup rw,cpu,cpuacct
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime master:17 - cgroup cgroup rw,memory
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime master:18 - cgroup cgroup rw,devices
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime master:19 - cgroup cgroup rw,hugetlb
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime master:20 - cgroup cgroup rw,perf_event
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime master:21 - cgroup cgroup rw,cpuset
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime master:22 - cgroup cgroup rw,blkio
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime master:23 - cgroup cgroup rw,pids
/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d4424e6_bb13_42f4_a47a_45a4828bf54d.slice/docker-d0b3604b67ac7930dd34ba3a796627e3e4717d12309e90a4afe3f38b6816ac98.scope /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime master:24 - cgroup cgroup rw,freezer

New versions of LXC always stash a file descriptor for the root of the
cgroup mount at /sys/fs/cgroup and then resolve the current cgroup
parsed from /proc/{1,self}/cgroup relative to that file descriptor. This
doesn't work when the caller's cgroup is mouned over the controllers.
Older versions of LXC simply counted such layouts as having no cgroups
available for delegation at all and moved on provided no cgroup limits
were requested. But mainline LXC would fail such layouts. While I would
argue that failing such layouts is the semantically clean approach we
shouldn't regress users so make mainline LXC treat such cgroup layouts
as having no cgroups available for delegation.

Fixes: #3890
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3888 from brauner/2021-06-30.fixes

Improve read-only /sys with read-write /sys/devices/virtual/net

tests: add tests for read-only /sys with read-write /sys/devices/virtual/net

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>