4082d0deb030b1b93ab8c0054c3f638252649084 |
|
26-Oct-2016 |
Stéphane Graber <stgraber@ubuntu.com> |
Use libtool for liblxc.so
This should allow proper filtering of build flags for libraries and make
it easier to use PIE/PIC.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
ac920ef6d37f6d741353adf2e78702546a1a1237 |
|
26-Oct-2016 |
Christian Brauner <christian.brauner@canonical.com> |
tests: add test for detect_ramfs_rootfs()
Signed-off-by: Christian Brauner <christian.brauner@canonical.com> |
6605c50ffbd2da334191c87cbe36138147848a5f |
|
16-Aug-2016 |
Christian Brauner <cbrauner@suse.de> |
autotools: fix tests
Signed-off-by: Christian Brauner <cbrauner@suse.de> |
f3f690b80b7fae1d8ea4ed426f67876476a72669 |
|
16-Aug-2016 |
Christian Brauner <cbrauner@suse.de> |
tests: add unit tests for lxc_string_in_array()
Signed-off-by: Christian Brauner <cbrauner@suse.de> |
03d3bbc95dfc882e03764c1d7a06427de6ea40b9 |
|
16-Aug-2016 |
Christian Brauner <cbrauner@suse.de> |
tests: add unit tests for lxc_string_replace()
Signed-off-by: Christian Brauner <cbrauner@suse.de> |
5a21336025eec5b4228994d0efece129257411bd |
|
11-Aug-2016 |
Christian Brauner <cbrauner@suse.de> |
tools, tests: reorganize repo
- tools: move lxc commands to common subfolder
- tests: adapt include search path
Signed-off-by: Christian Brauner <cbrauner@suse.de> |
8aa1044fd83c407e38c66a1ff46a9edfe02d7c78 |
|
16-Mar-2016 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
implement lxc.mount.auto = cgroup for cgfsng
Also add testcase for each of the cgroup{,-full}:{rw,ro,mixed} cases.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
8d1ea537851718553358a4a9767274f893b40420 |
|
05-Mar-2016 |
Christian Brauner <christian.brauner@mailbox.org> |
tests: add lxc-test-attach-test
Test if the various types of I/O redirection work with lxc-attach.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org> |
592fd47a6245508b79fe6ac819fe6d3b2c1289be |
|
29-Sep-2015 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
CVE-2015-1335: Protect container mounts against symlinks
When a container starts up, lxc sets up the container's initial fstree
by doing a bunch of mounting, guided by the container configuration
file. The container config is owned by the admin or user on the host,
so we do not try to guard against bad entries. However, since the
mount target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.
To prevent this,
1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic
links.
Details:
Define safe_mount which ensures that the container has not inserted any
symbolic links into any mount targets for mounts to be done during
container setup.
The host's mount path may contain symbolic links. As it is under the
control of the administrator, that's ok. So safe_mount begins the check
for symbolic links after the rootfs->mount, by opening that directory.
It opens each directory along the path using openat() relative to the
parent directory using O_NOFOLLOW. When the target is reached, it
mounts onto /proc/self/fd/<targetfd>.
Use safe_mount() in mount_entry(), when mounting container proc,
and when needed. In particular, safe_mount() need not be used in
any case where:
1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have
just safe_mount()ed ourselves
Since we were using proc/net as a temporary placeholder for /proc/sys/net
during container startup, and proc/net is a symbolic link, use proc/tty
instead.
Update the lxc.container.conf manpage with details about the new
restrictions.
Finally, add a testcase to test some symbolic link possibilities.
Reported-by: Roman Fiedler
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
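The component-by-component walk described in the CVE-2015-1335 commit message above, as an added C example; it is not LXC's safe_mount() code. The function names, the sample directory layout and the /tmp location are assumptions, and the example stops at producing the /proc/self/fd/<fd> path without calling mount(2).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk target (relative to rootfs) one component at a time. Returns an fd on
 * the last component, or -1 with errno set (ELOOP if a component is a symlink). */
int open_without_symlink(const char *rootfs, const char *target)
{
	char buf[PATH_MAX], *save = NULL, *comp;
	int dirfd, fd, saved;
	if ((size_t)snprintf(buf, sizeof(buf), "%s", target) >= sizeof(buf)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	/* The path up to rootfs is controlled by the host admin: symlinks are fine. */
	dirfd = open(rootfs, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	if (dirfd < 0)
		return -1;
	for (comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
		if (strcmp(comp, "..") == 0) {	/* never climb out of the rootfs */
			fd = -1;
			saved = EINVAL;
		} else {
			/* O_NOFOLLOW makes the open fail if this component is a symlink. */
			fd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
			saved = errno;
		}
		close(dirfd);
		if (fd < 0) {
			errno = saved;
			return -1;
		}
		dirfd = fd;
	}
	return dirfd;
}

/* Resolve the target and build the path a caller would pass to mount(2) as the
 * target. The returned fd must stay open until the mount has been made. */
int safe_mount_target(const char *rootfs, const char *target, char *out, size_t len)
{
	int fd = open_without_symlink(rootfs, target);
	if (fd >= 0 && (size_t)snprintf(out, len, "/proc/self/fd/%d", fd) >= len) {
		close(fd);
		errno = ENAMETOOLONG;
		return -1;
	}
	return fd;
}

/* Constructed sample rootfs: proc/ and mnt/ are directories, divert is a
 * symlink to mnt such as a container admin could plant. */
int build_sample_rootfs(char *root_template)
{
	int d, ret;
	if (!mkdtemp(root_template) || (d = open(root_template, O_RDONLY | O_DIRECTORY)) < 0)
		return -1;
	ret = mkdirat(d, "proc", 0755) || mkdirat(d, "mnt", 0755) ||
	      symlinkat("mnt", d, "divert");
	close(d);
	return ret ? -1 : 0;
}

int main(void)
{
	char root[] = "/tmp/safe-mount-XXXXXX", path[64];
	const char *targets[] = { "proc", "divert", "divert/sub", "../etc" };
	if (build_sample_rootfs(root) < 0)
		return 1;
	for (size_t i = 0; i < sizeof(targets) / sizeof(*targets); i++) {
		int fd = safe_mount_target(root, targets[i], path, sizeof(path));
		printf("%-10s -> %s\n", targets[i], fd < 0 ? strerror(errno) : path);
		if (fd >= 0)
			close(fd);
	}
	return 0;
}
```

Because the final mount goes through the already-opened descriptor, a symlink swapped in after the walk cannot redirect it.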
c4532a2036fd4a9283275b499b7a379fa9689172 |
|
21-Sep-2015 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Add tests for snapshot clone dependencies
Test edge cases (removing first and last entries in lxc_snapshots and the very
last snapshot) and make sure original container isn't destroyed while there are
snapshots, and is when there are none.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
e6744e9b39c20166e900479339076631902e6d8f |
|
20-Jan-2015 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
update hwaddr to fill in xx at create time
Commit 67702c21 regressed the case where lxc-create uses a config
file with 'xx:xx' in lxc.network.hwaddr, so that the 'xx' were
preserved in the container's configuration file. Expand those
in the unexpanded_config file whenever we are reading a
config file which is not coming from a 'lxc.include'.
The config file will have \n-terminated lines, so update
rand_complete_hwaddr to also stop on \n.
Add a test case to make sure xx gets expanded at lxc-create.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
2ba5eb93b8eeb82fbfb42e33324513d70e777dd5 |
|
02-Oct-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
tests: Fix unpriv test
Don't use $TUSER as it's not defined. Also don't include
lxc-test-usernic in extra_DIST.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65ef |
|
22-Sep-2014 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
apparmor: improve behavior when kernel lacks mount restrictions (v2)
(Dwight, I took the liberty of adding your Ack but the code did
change a bit to continue passing the char *label from attach.
Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
does attach you to the p2 profile)
Apparmor policies require mount restrictions to fulfill many of
their promises - for instance if proc can be mounted anywhere,
then 'deny /proc/sysrq-trigger w' prevents only accidents, not
malice.
The mount restrictions are not available in the upstream kernel.
We can detect their presence through /sys. In the past, when
we detected it missing, we would not enable apparmor. But that
prevents apparmor from helping to prevent accidents.
At the same time, if the user accidentally boots a kernel which
has regressed, we do not want them starting the container thinking
they are more protected than they are.
This patch:
1. adds a lxc.aa_allow_incomplete = 1 container config flag. If
not set, then any container which is not set to run unconfined
will refuse to run. If set, then the container will run with
apparmor protection.
2. to pass this flag to the apparmor driver, we pass the container
configuration (lxc_conf) to the lsm_label_set hook.
3. add a testcase. To test the case where a kernel does not
provide mount restrictions, we mount an empty directory over
the /sys/kernel/security/apparmor/features/mount directory. In
order to have that not be unmounted in a new namespace, we must
test using unprivileged containers (who cannot remove bind mounts
which hide existing mount contents).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
67702c2129c462b5e8124020a496fbf6b7ae5540 |
|
19-Sep-2014 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
config: fix the handling of lxc.hook and hwaddrs in unexpanded config
And add a testcase.
The code to update hwaddrs in a clone was walking through the container
configuration and re-printing all network entries. However network
entries from an include file which should not be printed out were being
added to the unexpanded config. With this patch, at clone we simply
update the hwaddr in-place in the unexpanded configuration file, making
sure to make the same update to the expanded network configuration.
The code to update out lxc.hook statements had the same problem.
We also update it in-place in the unexpanded configuration, though
we mirror the logic we use when updating the expanded configuration.
(Perhaps that should be changed, to simplify future updates)
This code isn't particularly easy to review, so testcases are added
to make sure that (1) extra lxc.network entries are not added (or
removed), even if they are present in an included file, (2) lxc.hook
entries are not added, (3) hwaddr entries are updated, and (4)
the lxc.hook entries are properly updated (only when they should be).
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
188adf0594f623a1273b89a646402484b6816f90 |
|
26-Aug-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
Fix build failure due to wrong test name
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
735f2c6e504a541cbb2592a3f94858bf337a24ff |
|
26-Aug-2014 |
Tycho Andersen <tycho.andersen@canonical.com> |
Add support for checkpoint and restore via CRIU
This patch adds support for checkpointing and restoring containers via CRIU.
It adds two api calls, ->checkpoint and ->restore, which are wrappers around
the CRIU CLI. CRIU has an RPC API, but reasons for preferring exec() are
discussed in [1].
To checkpoint, users specify a directory to dump the container metadata (CRIU
dump files, plus some additional information about veth pairs and which
bridges they are attached to) into this directory. On restore, this
information is read out of the directory, a CRIU command line is constructed,
and CRIU is exec()d. CRIU uses the lxc-restore-net callback (which in turn
inspects the image directory with the NIC data) to properly restore the
network.
This will only work with the current git master of CRIU; anything as of
a152c843 should work. There is a known bug where containers which have been
restored cannot be checkpointed [2].
[1]: http://lists.openvz.org/pipermail/criu/2014-July/015117.html
[2]: http://lists.openvz.org/pipermail/criu/2014-August/015876.html
v2: fixed some problems with the s/int/bool return code from api function
v3: added a testcase, fixed up the man page synopsis
v4: fix a small typo in lxc-test-checkpoint-restore
v5: remove a reference to the old CRIU_PATH, and a bad error about the same
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
198b363fff1de9afcee2f26b9aa847316f589afe |
|
01-Apr-2014 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
apparmor: auto-generate the blacklist rules
This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.
Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.
With this policy, libvirt in a container is able to start its
default network, which previously it could not.
v2: address feedback from stgraber
put lxc-generate-aa-rules.py into EXTRA_DIST
add lxc-test-apparmor, container-base and container-rules to .gitignore
take lxc-test-apparmor out of EXTRA_DIST
make lxc-generate-aa-rules.py pep8-compliant
don't automatically generate apparmor rules
This is only bc we can't be guaranteed that python3 will be
available.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
8b605e2305d74b17ac4cd653a7a0637e65c62bff |
|
12-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
Fix build failure (broken makefile)
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
45794802f13e5db18b5d7acb45169e1f4e8b70b2 |
|
12-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
tests: Add lxc-test-autostart
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
061ba5d071e4c2b4bfe76c84875bc29cc5334c27 |
|
12-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
Add --with-runtime-path to configure
This allows older distros to override /run with whatever their own path
is, mostly useful for old RedHat and possibly Android.
Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
710bde5e52ec3f1260f0ed7d50b7c46a8d7bbda3 |
|
13-Jan-2014 |
S.Çağlar Onur <caglar@10ur.org> |
introduce a simple test for testing add_device_node and remove_device_node
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
d08363afbb40a7a8f579fe1ce60e40ffeaee5959 |
|
13-Jan-2014 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
introduce lxc-unpriv test
It simply creates a test user and tries to create and start
a container as that user. Tries to lxc-attach to that
container to test network connectivity.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
8befa924f89520784ca2cb876279ab6098cd73e1 |
|
25-Nov-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-user-nic: use common code from network.c
This pulls a lot of common code out of lxc_user_nic.c. It also
moves one function from conf.c that was duplicated in lxc_user_nic.c
(It removes a DEBUG statement because (a) it doesn't seem actually
useful and (b) DEBUG doesn't work in network.c).
Also replace the old test of only parsing code with a skeleton for
a full test. (Note - the test will need some work, it's just there
as do-what-i-mean code example)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
72863294f63e27ac263a774aab37aace20dc1bc5 |
|
18-Oct-2013 |
Dwight Engen <dwight.engen@oracle.com> |
support setting lsm label at exec or immediately
- Add attach test cases
- Moved setting of LSM label later to avoid failure of IPC between parent
and child during attach
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
a41f104bfbd69e5f068e5ca312a2eb513d9e81b8 |
|
14-Oct-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
define list container api (v2)
Two new commands are defined: list_defined_containers() and
list_active_containers(). Both take an lxcpath (NULL means
use the default lxcpath) and return the number of containers
found. If a lxc_container ** is passed in, then an array of
lxc_container's is returned, one for each container found.
The caller must then lxc_container_put() each container and
free the array, as shown in the new list testcase.
If a char ** is passed in, then an array of container names
is returned, after which the caller must free all the names
and the name array, as shown in the testcase.
Changelog:
Check for the container config file before trying to
create an lxc_container *, to save some work. [ per
stgraber comments]
Add names ** argument to return only container names.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
e63b2dbc3434424ebc3c3dd288582846f011b32a |
|
10-Oct-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
Add lxc-test-ubuntu to the dist tarball
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
025f59ab98217b7e9caf6d3ac7e910853d95f621 |
|
03-Oct-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
add basic lxc-test-ubuntu (v3)
Some features of lxc - networking and LSM configuration for instance -
are generally configured by the distro packages. This program
tests the Ubuntu configuration.
changelog v2:
Switch to lxc-info -i to detect ip address as stgraber suggested
Don't look for 'expect' as I'm not using it yet.
changelog v3:
Make sure to only read one ip address from container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
2aa123185e055bbe2506a6210e795e0b9375e477 |
|
03-Oct-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
add reboot test
It's really more of a kernel check, but worth having.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
b494d2ddf769220da1ef75fd24275ce68cdf297c |
|
30-Sep-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
add c->may_control
This is an api function which will return false if the container
is running, and the caller may not talk to its monitor over its
command socket. Otherwise - if the container is not running, or
the caller may access it - it returns true.
We can use this in several tools early on to prevent the segvs
etc which we currently get.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
f209d63a97a8a2df5324608fee7b0d7a494d69eb |
|
13-Sep-2013 |
S.Çağlar Onur <caglar@10ur.org> |
tests: Introduce lxc-test-concurrent for testing basic actions concurrently
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
f5dd1d532a76a1b57cf341db821eae85ea1118c5 |
|
11-Sep-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
API support for container snapshots (v2)
The api allows for creating, listing, and restoring of container
snapshots. Snapshots are created as snapshot clones of the
original container - i.e. btrfs and lvm will be done as snapshot,
a directory-backed container will have overlayfs snapshots. A
restore is a copy-clone, using the same backing store as the
original container had.
Changelog:
. remove lxcapi_snap_open, which wasn't defined anyway.
. rename get_comment to get_commentpath
. if no newname is specified at restore, use c->name (as we meant to)
rather than segving.
. when choosing a snapshot index, use the correct path to check for.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
cd0bcc4958e58a2750cf9086f75649d14c83ac70 |
|
03-Sep-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
tests: Add lxc-test-usernic to the dist tarball
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
20ab58c777136a449b3199e0733b62fa87ecfa61 |
|
14-Aug-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
add lxc-user-nic
It is meant to be run setuid-root to allow unprivileged users to
tunnel veths from a host bridge to their containers. The program
looks at /etc/lxc/lxc-usernet which has entries of the form
user type bridge number
The type currently must be veth. Whenever lxc-user-nic creates a
nic for a user, it records it in /var/lib/lxc/nics (better location
is needed). That way when a container dies lxc-user-nic can cull
the dead nic from the list.
The -DISTEST allows lxc-user-nic to be compiled so that it uses
files under /tmp and doesn't actually create the nic, so that
unprivileged users can compile and test the code. lxc-test-usernic
is a script which runs a few tests using lxc-usernic-test, which
is a version of lxc-user-nic compiled with -DISTEST.
The next step, after issues with this code are raised and addressed,
is to have lxc-start, when running unprivileged, call out to
lxc-user-nic (will have to exec so that setuid-root is honored).
On top of my previous unprivileged-creation patchset, that should
allow unprivileged users to create and start useful containers.
Also update .gitignore.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
0a18b5458b6d0fcad9a82b96f99035254af50c7a |
|
31-May-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Define LXC_DEFAULT_CONFIG
And use it in place of the various ways we were deducing /etc/lxc/default.conf.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
0115f8fd27b1a31d367bb161a121694f92b45e62 |
|
29-May-2013 |
Dwight Engen <dwight.engen@oracle.com> |
add console to lxc api
Make lxc_cmd_console() return the fd from the socket connection to the
caller. This fd keeps the tty slot allocated until the caller closes
it. Returning the fd allows for a long lived process to close the fd
and reuse consoles.
Add API function for console allocation.
Create test program for console API.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
9be53773792fc9e8bd173edc3b7ac7e144875387 |
|
30-Apr-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
implement backend drivers and container clone API (v3)
1. commonize waitpid users to use a single helper. We frequently want
to run something in a clean namespace, or fork off a script. This
lets us keep the function doing fork:(1)exec(2)waitpid simpler.
2. start a blockdev backend implementation. This will be used for
mounting, copying, and snapshotting container filesystems.
3. implement btrfs, lvm, directory, and overlayfs backends.
4. For overlayfs, support a new lxc.rootfs format of
'bdevtype:<extra>'. This means you can now use overlayfs-based
containers without using lxc-start-ephemeral, by using
lxc.rootfs = overlayfs:/readonly-dir:writeable-dir
5. add a set of simple clone testcases
6. Write a new lxc_clone.c based on api clone.
Still to do (there's more, but off top of my head):
1. support zfs, aufs
2. have clone handle other mount entries (right now it only clones
the rootfs)
3. python, lua, and go bindings (not me :)
4. lxc-destroy: if lvm backing store, check for snapshots of it.
(what about directories which have overlayfs clones?)
Changes since v2:
Initialize random generator when picking new macaddr (reported
by caglar@10ur.org)
Fix wrong use of bitmask flags
On copy-clone of btrfs, create a subvolume
lxc_clone.c: respect the command line usage of the old script
lxc-clone(1): update documentation
Refuse to try changing backing stores except to overlayfs, as
it is not implemented (yet) anyway.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Conflicts:
src/lxc/utils.h |
90341b9e39561e37797777a34d0589c14c0c2a68 |
|
07-Mar-2013 |
Dwight Engen <dwight.engen@oracle.com> |
include tests in make dist
This should eventually make the source releases available on sourceforge
also contain the tests.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
ae5c8b8ed5feb9a47c5007c986ce01ea39b5075f |
|
04-Mar-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
cgroup: improve support for multiple lxcpaths (v3)
Add a monitor command to get the cgroup for a running container. This
allows container r1 started from /var/lib/lxc and container r1 started
from /home/ubuntu/lxcbase to pick unique cgroup directories (which
will be /sys/fs/cgroup/$subsys/lxc/r1 and .../r1-1), and all the lxc-*
tools to get that path over the monitor at lxcpath.
Rework the cgroup code. Before, if /sys/fs/cgroup/$subsys/lxc/r1
already existed, it would be moved to 'deadXXXXX', and a new r1 created.
Instead, if r1 exists, use r1-1, r1-2, etc.
I ended up removing both the use of cgroup.clone_children and support
for ns cgroup. Presumably we'll want to put support for ns cgroup
back in for older kernels. Instead of guessing whether or not we
have clone_children support, just always explicitly do the only thing
that feature buys us - set cpuset.{cpus,mems} for newly created cgroups.
Note that upstream kernel is working toward strict hierarchical
limit enforcements, which will be good for us.
NOTE - I am changing the lxc_answer struct size. This means that
upgrades to this version while containers are running will result
in lxc_* commands on pre-running containers failing.
Changelog: (v3)
implement cgroup attach
fix a subtle bug arising when we lxc_get_cgpath() returned
STOPPED rather than -1 (STOPPED is 0, and 0 meant success).
Rename some functions and add detailed comments above most.
Drop all my lxc_attach changes in favor of those by Christian
Seiler (which are mostly the same, but improved).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
c9a841734e36128dd238c0e19aef447b6063ce73 |
|
19-Feb-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
Use AC_SEARCH_LIBS instead of hardcoded lists
Use AC_SEARCH_LIBS to detect what library provides sem_*.
This allows us to stop hardcoding the ld arguments in the various MakeFiles.
Suggested-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
afeecbba0359d2b4404cdf896e6b6d0b5a8443b0 |
|
11-Feb-2013 |
Serge Hallyn <serge.hallyn@canonical.com> |
lxc api: fix some config_path oddities
1. When calling c->set_config_path(), update configfile. I.e. if we
are setting the config_path to /var/lib/lxc, then the configfile should
be changed to /var/lib/lxc/$container/config
2. Add an optional configpath argument to lxc_container_new. If NULL,
then the default will be used (as before). If set, then the passed-in
path will be used. This way you can do
c1 = lxc.Container("r1", "/var/lib/lxc");
c2 = lxc.Container("r2", "/home/user/lxcbase");
(Note I did *not* implement the python or lua binding to pass that
argument along)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
2a59a68183e55e38beedb6442938e31eb7d4749c |
|
08-Feb-2013 |
Serge Hallyn <serge.hallyn@canonical.com> |
Switch from use of LXCPATH to a configurable default_lxc_path
Here is a patch to introduce a configurable system-wide
lxcpath. It seems to work with lxc-create, lxc-start,
and basic python3 lxc usage through the api.
For shell functions, a new /usr/share/lxc/lxc.functions is
introduced which sets some of the basic global variables,
including evaluating the right place for lxc_path.
I have not converted any of the other python code, as I was
not sure where we should keep the common functions (i.e.
for now just default_lxc_path()).
configure.ac: add an option for setting the global config file name.
utils: add a default_lxc_path() function
Use default_lxc_path in .c files
define get_lxc_path() and set_lxc_path() in C api
use get_lxc_path() in lua api
create sh helper for getting default path from config file
fix up scripts to use lxc.functions
Changelog:
feb6:
fix lxc_path in lxc.functions
utils.c: as Dwight pointed out, don't close a NULL fin.
utils.c: fix the parsing of lxcpath line
lxc-start: print which rcfile we are using
commands.c: As Dwight alluded to, the sockname handling was just
ridiculous. Clean that up.
use Dwight's recommendation for lxc.functions path: $datadir/lxc
make lxccontainer->get_config_path() return const char *
Per Dwight's suggestion, much nicer than returning strdup.
feb6 (v2):
lxccontainer: set c->config_path before using it.
convert legacy lxc-ls
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
fd5c4f905861964cb473cf3df3336447a9365962 |
|
09-Jan-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
tests/Makefile.am: Update for bionic
-lpthread doesn't exist and isn't necessary on bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
5f29734f7d21907a9c463cf354d1bef5de9f08b5 |
|
29-Nov-2012 |
Dwight Engen <dwight.engen@oracle.com> |
Fix build with --enable-tests on Fedora
When using --enable-tests on Fedora, the linker complains with:
"undefined reference to symbol sem_getvalue", which nm shows to be in
libpthread not librt. Build tested on Fedora, Oracle Linux, and Ubuntu.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
16216c83297543692b8dede52c9dd8a998758e9c |
|
12-Nov-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Prefix the test binaries by lxc-test-
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
525421c923d798cdea9e5691bcee1e5e5530491d |
|
12-Nov-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Make building the API tests/examples optional
Add a new --enable-tests option to configure which is used to
optionally build the tests/examples. Default is off.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
72d0e1cb2facaa4b8ba2f15e311d6bb9491badb7 |
|
12-Nov-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Merge the liblxc API work by Serge Hallyn.
This turns liblxc into a public library implementing a container structure.
The container structure is meant to cover most LXC commands and can easily be
used to write bindings in other programming languages.
More information on the new functions can be found in src/lxc/lxccontainer.h
Test programs using the API can also be found in src/tests/
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |