Since we can't really get useful error reporting from virCommandExec since
it needs to be the last thing we do.

Add a handshake with the cloned container process to try and detect
if it fails to start.

Add a simple handshake with the lxc_controller process so we can detect
process startup failures. We do this by adding a new --handshake cli arg
to lxc_controller for passing a file descriptor. If the process fails to
launch, we scrape all output from the logfile and report it to the user.

We will reuse these shortly, and each use should have a different error
message.

Makes it more likely we get useful error output in the logs

These VIR_XXXX0 APIs make us confused, use the non-0-suffix APIs instead.

How do these coversions works? The magic is using the gcc extension of ##.
When __VA_ARGS__ is empty, "##" will swallow the "," in "fmt," to
avoid compile error.

example: origin				after CPP
	high_level_api("%d", a_int)	low_level_api("%d", a_int)
	high_level_api("a  string")	low_level_api("a  string")

About 400 conversions.

8 special conversions:
VIR_XXXX0("") -> VIR_XXXX("msg") (avoid empty format) 2 conversions
VIR_XXXX0(string_literal_with_%) -> VIR_XXXX(%->%%) 0 conversions
VIR_XXXX0(non_string_literal) -> VIR_XXXX("%s", non_string_literal)
  (for security) 6 conversions
Signed-off-by: NLai Jiangshan <laijs@cn.fujitsu.com>

That way we can log the 'init' argv for debugging.

* src/internal.h: Define a ATTRIBUTE_NO_RETURN annotation
* src/lxc/lxc_container.c: Annotate lxcContainerDummyChild
  with ATTRIBUTE_NO_RETURN
* tests/eventtest.c: Mark async thread as ATTRIBUTE_NO_RETURN
* m4/virt-compile-warnings.m4: Enable -Wmissing-noreturn

Using the 'personality(2)' system call, we can make a container
on an x86_64 host appear to be i686. Likewise for most other
Linux 64bit arches.

* src/lxc/lxc_conf.c: Fill in 32bit capabilities for x86_64 hosts
* src/lxc/lxc_container.h, src/lxc/lxc_container.c: Add API to
  check if an arch has a 32bit alternative
* src/lxc/lxc_controller.c: Set the process personality when
  starting guest

When spawning 'init' in the container, set

  LIBVIRT_LXC_UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
  LIBVIRT_LXC_NAME=YYYYYYYYYYYY

to allow guest software to detect & identify that they
are in a container

* src/lxc/lxc_container.c: Set LIBVIRT_LXC_UUID and
  LIBVIRT_LXC_NAME env vars

Done mechanically with:
$ git grep -l '\bDEBUG0\? *(' | xargs -L1 sed -i 's/\bDEBUG0\? *(/VIR_&/'

followed by manual deletion of qemudDebug in daemon/libvirtd.c, along
with a single 'make syntax-check' fallout in the same file, and the
actual deletion in src/util/logging.h.

* src/util/logging.h (DEBUG, DEBUG0): Delete.
* daemon/libvirtd.h (qemudDebug): Likewise.
* global: Change remaining clients over to VIR_DEBUG counterpart.

Until now, user namespaces have not done much, but (for that
reason) have been innocuous to glob in with other CLONE_
flags.  Upcoming userns development, however, will make tasks
cloned with CLONE_NEWUSER far more restricted.  In particular,
for some time they will be unable to access files with anything
other than the world access perms.

This patch assumes that noone really needs the user namespaces
to be enabled.  If that is wrong, then we can try a more
baroque patch where we create a file owned by a test userid with
700 perms and, if we can't access it after setuid'ing to that
userid, then return 0.  Otherwise, assume we are using an
older, 'harmless' user namespace implementation.

Comments appreciated.  Is it ok to do this?
Signed-off-by: NSerge Hallyn <serge.hallyn@canonical.com>

Pure cosmetic change.

The /dev/console device inside the container must NOT map
to the real /dev/console device node, since this allows the
container control over the current host console. A fun side
effect of this is that starting a container containing a
real Fedora OS will kill off your X server.

Remove the /dev/console node, and replace it with a symlink
to the primary console TTY

* src/lxc/lxc_container.c: Replace /dev/console with a
  symlink to /dev/pty/0
* src/lxc/lxc_controller.c: Remove /dev/console from cgroups
  ACL

Using automated replacement with sed and editing I have now replaced all
occurrences of close() with VIR_(FORCE_)CLOSE() except for one, of
course. Some replacements were straight forward, others I needed to pay
attention. I hope I payed attention in all the right places... Please
have a look. This should have at least solved one more double-close
error.

Previously, the functions in src/lxc/veth.c could sometimes return
positive values on failure rather than -1. This made accurate error
reporting difficult, and led to one failure to catch an error in a
calling function.

This patch makes all the functions in veth.c consistently return 0 on
success, and -1 on failure. It also fixes up the callers to the veth.c
functions where necessary.

Note that this patch may be related to the bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=607496.

It will not fix the bug, but should unveil what happens.

* po/POTFILES.in - add veth.c, which previously had no translatable strings
* src/lxc/lxc_controller.c
* src/lxc/lxc_container.c
* src/lxc/lxc_driver.c    - fixup callers to veth.c, and remove error logs,
                            as they are now done in veth.c
* src/lxc/veth.c - make all functions consistently return -1 on error.
* src/lxc/veth.h - use ATTRIBUTE_NONNULL to protect against NULL args.

The function is expected to return negative value on failure,
however, it returns positive value when either setInterfaceName
or vethInterfaceUpOrDown fails. Because the function returns
the return value of either as is, however, the two functions
may return positive value on failure.

The patch fixes the defects and add error messages.

Approximately 60 messages were marked.  Since these diagnostics are
intended solely for developers and maintainers, encouraging translation
is deemed to be counterproductive:
http://thread.gmane.org/gmane.comp.emulators.libvirt/25050/focus=25052

Run this command:
  git grep -l VIR_WARN|xargs perl -pi -e \
    's/(VIR_WARN0?)\s*\(_\((".*?")\)/$1($2/'

Spell out 'Red Hat, Inc.':
 git grep -i 'Copyright.*Red Hat' | grep -v Inc

Include (C) consistently:
 git grep -i 'Copyright [^(].*Red Hat'

* src/lxc/lxc_container.c: Update copyright formatting.
* src/node_device/node_device_udev.c: Likewise.
* src/node_device/node_device_udev.h: Likewise.
* src/xen/xend_internal.h: Likewise.
* src/xen/xm_internal.c: Likewise.
* src/xen/xm_internal.h: Likewise.
* tests/xmconfigtest.c: Likewise.
* tests/object-locking.ml: Likewise.
* tools/virt-pki-validate.in: Likewise.
* tools/virt-xml-validate.in: Likewise.

* global: patch created by running:
for f in $(git ls-files '*.[ch]') ; do
    cppi $f > $f.t && mv $f.t $f
done

Upstart crashes & burns in a heap if $TERM environment variable
is missing. Presumably the kernel always sets this when booting
init on a real machine, so libvirt should set it for containers
too.

To make a typical inittab / mingetty setup happier, we need to
symlink the primary console /dev/pts/0 to /dev/tty1.

Improve logging in certain scenarios to make troubleshooting
easier

* src/lxc/lxc_container.c: Create /dev/tty1 and set $TERM

Two files were using functions from <sys/stat.h> but not including
in. Most of the time they got this automatically via another header,
but certain build flag combinations can reveal the problem

* src/lxc/lxc_container.c, src/node_device/node_device_linux_sysfs.c:
  Add <sys/stat.h>

* src/lxc/lxc_container.c src/lxc/lxc_controller.c src/lxc/lxc_driver.c
  src/network/bridge_driver.c src/qemu/qemu_driver.c
  src/uml/uml_driver.c: virFileMakePath returns 0 for success, or the
  value of errno on failure, so error checking should be to test
  if non-zero, not if lower than 0

The capng_lock() call sets the SECURE_NO_SETUID_FIXUP and SECURE_NOROOT
bits on the process. This prevents the kernel granting capabilities to
processes with an effective UID of 0, or with setuid programs. This is
not actually what we want in the container init process. It should be
allowed to run setuid processes & keep capabilities when root. All that
is required is masking a handful of dangerous capabilities from the
bounding set.

* src/lxc/lxc_container.c: Remove bogus capng_lock() call.

* src/libvirt.c src/lxc/lxc_conf.c src/lxc/lxc_container.c
  src/lxc/lxc_controller.c src/node_device/node_device_hal.c
  src/openvz/openvz_conf.c src/qemu/qemu_driver.c
  src/qemu/qemu_monitor_text.c src/remote/remote_driver.c
  src/storage/storage_backend_disk.c src/storage/storage_driver.c
  src/util/logging.c src/xen/sexpr.c src/xen/xend_internal.c
  src/xen/xm_internal.c: Steve Grubb <sgrubb@redhat.com> sent a code
  review and those are the fixes correcting the problems

Current implementation of lxc driver creates vethN named
interface(s) in the host and passes as it is to a container.
The reason why it doesn't use ethN is due to the limitation
that one namespace cannot have multiple iterfaces that have
an identical name so that we give up creating ethN named
interface in the host for the container.

However, we should be able to allow the container to have
ethN by changing the name after clone(CLONE_NEWNET).

* src/lxc/lxc_container.c src/lxc/veth.c src/lxc/veth.h: do the clone
  and then renames interfaces eth0 ... ethN to keep the interface names
  familiar in the domain

* src/lxc/lxc_container.c src/lxc/lxc_controller.c src/lxc/lxc_driver.c
  src/lxc/veth.c: most of cleanups are just capitalizing their messages
  though, some fixes wrong error messages and awkward indentations, and
  improves error messages.

* src/lxc/lxc_container.c src/lxc/lxc_controller.c src/lxc/lxc_driver.c
  src/lxc/veth.c: fix broken function comments

* src/lxc_conf.c, src/lxc_conf.h, src/lxc_container.c,
  src/lxc_container.h, src/lxc_controller.c, src/lxc_driver.c,
  src/lxc_driver.h, src/veth.c, src/veth.h: Move to src/lxc/
* src/opennebula/one_driver.c: Remove bogus veth.h include
* src/Makefile.am: Adjust for lxc paths
* daemon/qemud.c: Adjust include for lxc

* src/lxc_container.c (lxcContainerMountBasicFS): Don't leak upon failure.
Add "cleanup:" label and change each post-allocation failure to
use "goto cleanup" rather than returning immediately.

* src/lxc_container.c (lxcContainerUnmountOldFS): Don't pass
a NULL pointer to qsort.

* src/lxc_container.c: fix a portability issue if PR_CAPBSET_DROP is
  not defined.
Daniel

* src/lxc_container.c: drop LXC CAP_SYS_BOOT capability to avoid
  reboot from inside containers, patch by Ryota Ozaki
Daniel