././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1743709496.2732882 lxc-6.0.4/0000775000175000017500000000000014773562470012574 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/0000775000175000017500000000000014773562270014132 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/ISSUE_TEMPLATE.md0000664000175000017500000000133714773562270016643 0ustar00stgraberstgraberThe template below is mostly useful for bug reports and support questions. Feel free to remove anything which doesn't apply to you and add more information where it makes sense. # Required information * Distribution: * Distribution version: * The output of * `lxc-start --version` * `lxc-checkconfig` * `uname -a` * `cat /proc/self/cgroup` * `cat /proc/1/mounts` # Issue description A brief description of what failed or what could be improved. # Steps to reproduce 1. Step one 2. Step two 3. 
Step three # Information to attach - [ ] any relevant kernel output (`dmesg`) - [ ] container log (The file from running `lxc-start -n -l TRACE -o `) - [ ] the containers configuration file ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/dependabot.yml0000664000175000017500000000016614773562270016765 0ustar00stgraberstgraberversion: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/workflows/0000775000175000017500000000000014773562270016167 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/workflows/builds.yml0000664000175000017500000000410614773562270020175 0ustar00stgraberstgrabername: Builds on: - push permissions: contents: read jobs: packaging: name: Packaging runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: os: - focal - jammy - noble steps: - name: Checkout code uses: actions/checkout@v4 - name: Install dependencies run: | sudo apt-get update -qq sudo apt-get install -qq \ debhelper \ devscripts \ meson \ pkg-config \ uuid-runtime \ docbook2x \ linux-libc-dev \ libapparmor-dev \ libcap-dev \ libdbus-1-dev \ libpam0g-dev \ libseccomp-dev \ libselinux1-dev - name: Checkout the packaging branch run: | git clone https://github.com/lxc/lxc-pkg-ubuntu \ -b ppa-main --depth 1 ../packaging - name: Generate a dist tarball run: | make dist TARBALL=$(ls -1 *.tar.gz) mv ${TARBALL} ../$(echo ${TARBALL} | sed -e "s/.tar.gz$/.orig.tar.gz/g" -e "s/lxc-/lxc_/g") - name: Assemble the package env: DEBEMAIL: "lxc-devel@lists.linuxcontainers.org" DEBFULLNAME: "LXC snapshot packages" run: | VERSION=$(cat meson.build | grep ' version: ' | head -1 | sed -e "s/.*version: '//g" -e "s/'.*//g") cd .. tar zxf *.orig.tar.gz cd lxc-*/ cp -R ../packaging/debian . 
rm -f debian/changelog dch --create --package lxc \ -v 2:${VERSION}-0+daily~${{ matrix.os }}~$(date -u +%Y%m%d%H%M) \ --distribution ${{ matrix.os }} \ "Automated snapshot build." debuild -S -sa -us -uc -d - name: Prepare the upload run: | mkdir out mv ../lxc_* out/ - name: Upload resulting build uses: actions/upload-artifact@v4 continue-on-error: true with: name: ${{ matrix.os }} path: out/* ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/workflows/commits.yml0000664000175000017500000000164414773562270020372 0ustar00stgraberstgrabername: Commits on: - pull_request permissions: contents: read jobs: dco-check: permissions: pull-requests: read # for tim-actions/get-pr-commits to get list of commits from the PR name: Signed-off-by (DCO) runs-on: ubuntu-24.04 steps: - name: Get PR Commits id: 'get-pr-commits' uses: tim-actions/get-pr-commits@master with: token: ${{ secrets.GITHUB_TOKEN }} - name: Check that all commits are signed-off uses: tim-actions/dco@master with: commits: ${{ steps.get-pr-commits.outputs.commits }} target-branch: permissions: contents: none name: Branch target runs-on: ubuntu-24.04 steps: - name: Check branch target env: TARGET: ${{ github.event.pull_request.base.ref }} run: | set -x [ "${TARGET}" = "main" ] && exit 0 echo "Invalid branch target: ${TARGET}" exit 1 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/workflows/coverity.yml0000664000175000017500000000341014773562270020554 0ustar00stgraberstgrabername: Coverity on: push: branches: - main permissions: contents: read jobs: coverity: name: Build and upload runs-on: ubuntu-24.04 if: github.repository == 'lxc/lxc' steps: - name: Checkout code uses: actions/checkout@v4 - name: Download Coverity Build Tool run: | wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=lxc/lxc" -O cov-analysis-linux64.tar.gz mkdir cov-analysis-linux64 tar 
xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 env: TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} - name: Install dependencies run: | sudo apt-get update -qq sudo apt-get install -qq gcc clang meson sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev - name: Run coverity run: | # Configure export PATH="$(pwd)/cov-analysis-linux64/bin:${PATH}" export CFLAGS="-Wall -Werror" export LDFLAGS="-pthread -lpthread" BUILD="$(pwd)/build" meson setup -Dtests=true -Dpam-cgroup=true -Dcoverity-build=true build/ # Build cov-build --dir cov-int ninja -C ${BUILD} tar czvf upload.tgz cov-int # Submit the results curl \ --form project=lxc/lxc \ --form token=${TOKEN} \ --form email=lxc-devel@lists.linuxcontainers.org \ --form file=@upload.tgz \ --form version=main \ --form description="${GITHUB_SHA}" \ https://scan.coverity.com/builds?project=lxc/lxc env: TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/workflows/fuzzing.yml0000664000175000017500000000214614773562270020411 0ustar00stgraberstgrabername: Fuzzing on: push: branches: permissions: contents: read jobs: fuzzing: name: OSS-Fuzz runs-on: ubuntu-24.04 if: github.repository == 'lxc/lxc' strategy: fail-fast: false matrix: sanitizer: - address - undefined - memory steps: - name: Build Fuzzers (${{ matrix.sanitizer }}) id: build uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master with: oss-fuzz-project-name: 'lxc' dry-run: false allowed-broken-targets-percentage: 0 sanitizer: ${{ matrix.sanitizer }} - name: Run Fuzzers (${{ matrix.sanitizer }}) uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master with: oss-fuzz-project-name: 'lxc' fuzz-seconds: 360 dry-run: false sanitizer: ${{ matrix.sanitizer }} - name: Upload Crash uses: actions/upload-artifact@v4 if: failure() && steps.build.outcome == 'success' with: name: 
${{ matrix.sanitizer }}-artifacts path: ./out/artifacts ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.github/workflows/tests.yml0000664000175000017500000001071314773562270020056 0ustar00stgraberstgrabername: Tests on: - push - pull_request permissions: contents: read jobs: code-tests: name: Code runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v4 - name: Install dependencies run: | sudo apt-get update -qq sudo apt-get install -qq coccinelle - name: Confirm coccinelle output is clean run: | ./coccinelle/run-coccinelle.sh -i git diff --exit-code - name: Confirm apparmor profile is up to date run: | cd config/apparmor/ ./lxc-generate-aa-rules.py container-rules.base > container-rules cat abstractions/container-base.in container-rules > abstractions/container-base git diff --exit-code testsuite: name: Test suite strategy: fail-fast: false matrix: compiler: - gcc - clang os: - ubuntu-22.04 - ubuntu-24.04 - ubuntu-22.04-arm - ubuntu-24.04-arm variant: - default - sanitizer exclude: - variant: sanitizer compiler: gcc - variant: sanitizer os: ubuntu-22.04-arm - variant: sanitizer os: ubuntu-24.04-arm runs-on: ${{ matrix.os }} steps: - name: Checkout code uses: actions/checkout@v4 - name: Install dependencies run: | sudo apt-get update -qq sudo apt-get install -qq \ ${{ matrix.compiler }} \ meson \ pkg-config \ uuid-runtime \ docbook2x \ linux-libc-dev \ llvm \ libapparmor-dev \ libcap-dev \ libdbus-1-dev \ libpam0g-dev \ libseccomp-dev \ libselinux1-dev - name: Compiler version env: CC: ${{ matrix.compiler }} run: | ${CC} --version - name: Build env: CC: ${{ matrix.compiler }} run: | # Standard build if [ "${{ matrix.variant }}" = "default" ]; then meson setup build \ -Dprefix=/usr \ -Dtests=true \ -Dpam-cgroup=true \ -Dtools-multicall=true \ -Dwerror=true \ -Db_lto_mode=default elif [ "${{ matrix.variant }}" = "sanitizer" ]; then meson setup build \ -Dprefix=/usr \ -Dtests=true \ 
-Dpam-cgroup=true \ -Dtools-multicall=true \ -Dwerror=true \ -Db_lto_mode=default \ -Dio-uring-event-loop=false \ -Db_lundef=false \ -Db_sanitize=address,undefined fi meson compile -C build - name: Remove existing installation run: | sudo apt-get remove --purge -qq \ liblxc1 \ liblxc-common \ liblxc-dev \ lxc-utils - name: Install dependencies run: | sudo apt-get install --purge -qq \ apparmor \ acl \ busybox-static \ dnsmasq-base \ iptables \ rsync \ uidmap - name: Test env: CC: ${{ matrix.compiler }} run: | # Install LXC on the system sudo meson install -C build if [ "${{ matrix.variant }}" = "sanitizer" ]; then # Set sanitizer configuration export ASAN_OPTIONS="detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:strict_string_checks=1:detect_odr_violation=0" export UBSAN_OPTIONS="print_stacktrace=1:print_summary=1:halt_on_error=1" # Disable problematic tests sudo rm /usr/bin/lxc-test-concurrent sudo rm /usr/bin/lxc-test-share-ns fi # Bring up systemd units sudo sed -i 's/USE_LXC_BRIDGE="false"/USE_LXC_BRIDGE="true"/' /etc/default/lxc sudo systemctl daemon-reload sudo systemctl restart apparmor sudo systemctl restart lxc-net # Undo default ACLs from Github sudo setfacl -b -R /home # Run the testsuite git clone --depth=1 https://github.com/lxc/lxc-ci sudo -E lxc-ci/deps/lxc-exercise ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/.gitignore0000664000175000017500000000011614773562270014560 0ustar00stgraberstgraber# Temporarily files. *~ *.swp *.orig *.rej # Release tarballs. lxc-*.tar.gz* ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/AUTHORS0000664000175000017500000000016714773562270013646 0ustar00stgraberstgraberThe list of authors and contributors can be retrieved from the git commit history and in some cases, the file headers. 
././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/CODING_STYLE.md0000664000175000017500000006545514773562270015056 0ustar00stgraberstgraberLXC Coding Style Guide ====================== In general the LXC project follows the Linux kernel coding style. However, there are a few differences. They are outlined in this document. The Linux kernel coding style guide can be found within the kernel tree: Documentation/process/coding-style.rst It can be accessed online too: https://www.kernel.org/doc/html/latest/process/coding-style.html ## 1) General Notes - The coding style guide refers to new code. But legacy code can be cleaned up and we are happy to take those patches. - Just because there is still code in LXC that doesn't adhere to the coding standards outlined here does not license not adhering to the coding style. In other words: please stick to the coding style. - Maintainers are free to ignore rules specified here when merging pull requests. This guideline might seem a little weird but it exists to ease new developers into the code base and to prevent unnecessary bikeshedding. If a maintainer feels that enforcing a specific rule in a given commit would do more harm than good they should always feel free to ignore the rule. Furthermore, when merging pull requests that do not adhere to our coding style maintainers should feel free to grab the commit, adapt it to our coding style and add their Signed-off-by line to it. This is especially helpful to make it easier for first-time contributors and to prevent having pull requests being stuck in the merge queue because of minor details. - We currently do not provide automatic coding style checks but if a suitable tool is found we are happy to integrate it into our test suite. It is possible and recommended to use the `clang-format` binary to check your code. The following options are an approximation of the coding style used here. 
Simply create a file called `.clang-format` in your home directory with the following options: ```sh cat << EOF > "${HOME}"/.clang-format AlignEscapedNewlines: Left BreakBeforeBraces: Attach AlwaysBreakBeforeMultilineStrings: false BreakBeforeBinaryOperators: None MaxEmptyLinesToKeep: 1 PenaltyBreakBeforeFirstCallParameter: 1000000 BinPackArguments: true BinPackParameters: true AllowAllParametersOfDeclarationOnNextLine: false AlignAfterOpenBracket: true SpacesInSquareBrackets: false SpacesInCStyleCastParentheses: false SpaceInEmptyParentheses: false SpaceBeforeParens: ControlStatements SpaceAfterCStyleCast: false SortIncludes: true PenaltyReturnTypeOnItsOwnLine: 10000 PenaltyExcessCharacter: 10 Language: Cpp ForEachMacros: ['lxc_list_for_each', 'lxc_list_for_each_safe'] AllowShortLoopsOnASingleLine: false AllowShortIfStatementsOnASingleLine: false AllowShortFunctionsOnASingleLine: None AllowShortCaseLabelsOnASingleLine: false AllowShortBlocksOnASingleLine: false BasedOnStyle: LLVM TabWidth: 8 IndentWidth: 8 UseTab: Always BreakBeforeBraces: Linux AllowShortIfStatementsOnASingleLine: false IndentCaseLabels: false EOF ``` However, it will not handle all cases correctly. For example, most `struct` initializations will not be correct. In such cases please refer to the coding style here. ## 2) Only Use Tabs - LXC uses tabs. ## 3) Only use `/* */` Style Comments - Any comments that are added must use `/* */`. - Single-line comments should start on the same line as the opening `/*`. - Single-line comments should simply be placed between `/* */`. For example: ```C /* Define pivot_root() if missing from the C library */ ``` - Multi-line comments should start on the next line following the opening `/*` and should end with the closing `*/` on a separate line. For example: ```C /* * At this point the old-root is mounted on top of our new-root * To unmounted it we must not be chdir()ed into it, so escape back * to old-root. 
*/ ``` ## 4) Try To Wrap At 80chars - This is not strictly enforced. It is perfectly valid to sometimes overflow this limit if it helps clarity. Nonetheless, try to stick to it and use common sense to decide when not to. ## 5) Error Messages - Error messages must start with a capital letter and must **not** end with a punctuation sign. - They should be descriptive, without being needlessly long. It is best to just use already existing error messages as examples. - The commit message itself is not subject to rule 4), i.e. it should not be wrapped at 80chars. This is to make it easy to grep for it. - Examples of acceptable error messages are: ```C SYSERROR("Failed to create directory \"%s\"", path); WARN("\"/dev\" directory does not exist. Proceeding without autodev being set up"); ``` ## 6) Set `errno` - Functions that can fail in a non-binary way should return `-1` and set `errno` to a meaningful error code. As a convenience LXC provides the `minus_one_set_errno` macro: ```C static int set_config_net_l2proxy(const char *key, const char *value, struct lxc_conf *lxc_conf, void *data) { struct lxc_netdev *netdev = data; unsigned int val = 0; int ret; if (lxc_config_value_empty(value)) return clr_config_net_l2proxy(key, lxc_conf, data); if (!netdev) return minus_one_set_errno(EINVAL); ret = lxc_safe_uint(value, &val); if (ret < 0) return minus_one_set_errno(-ret); switch (val) { case 0: netdev->l2proxy = false; return 0; case 1: netdev->l2proxy = true; return 0; } return minus_one_set_errno(EINVAL); } ``` ## 7) All Unexported Functions Must Be Declared `static` - Functions which are only used in the current file and are not exported within the codebase need to be declared with the `static` attribute. ## 8) All Exported Functions Must Be Declared `extern` In A Header File - Functions declared in header files (`*.h`) should use the `extern` keyword. - Functions declared in source files (`*.c`) should not use the `extern` keyword. 
## 9) Declaring Variables - variables should be declared at the top of the function or at the beginning of a new scope but **never** in the middle of a scope. They should be ordered in the following way: 1. automatically freed variables - This specifically references variables cleaned up via the `cleanup` attribute as supported by `gcc` and `clang`. 2. initialized variables 3. uninitialized variables General rules are: - put base types before complex types - put standard types defined by libc before types defined by LXC - put multiple declarations of the same type on the same line - Examples of good declarations can be seen in the following function: ```C int lxc_clear_procs(struct lxc_conf *c, const char *key) { struct lxc_list *it, *next; bool all = false; const char *k = NULL; if (strcmp(key, "lxc.proc") == 0) all = true; else if (strncmp(key, "lxc.proc.", sizeof("lxc.proc.") - 1) == 0) k = key + sizeof("lxc.proc.") - 1; else return -1; lxc_list_for_each_safe(it, &c->procs, next) { struct lxc_proc *proc = it->elem; if (!all && strcmp(proc->filename, k) != 0) continue; lxc_list_del(it); free(proc->filename); free(proc->value); free(proc); free(it); } return 0; } ``` ## 10) Functions Not Returning Booleans Must Assign Return Value Before Performing Checks - When checking whether a function not returning booleans was successful or not the returned value must be assigned before it is checked (`str{n}cmp()` functions being one notable exception). For example: ```C /* assign value to "ret" first */ ret = mount(sourcepath, cgpath, "cgroup", remount_flags, NULL); /* check whether function was successful */ if (ret < 0) { SYSERROR("Failed to remount \"%s\" ro", cgpath); free(sourcepath); return -1; } ``` Functions returning booleans can be checked directly. 
For example: ```C extern bool lxc_string_in_array(const char *needle, const char **haystack); /* check right away */ if (lxc_string_in_array("ns", (const char **)h->subsystems)) continue; ``` ## 11) Non-Boolean Functions That Behave Like Boolean Functions Must Explicitly Check Against A Value - This rule mainly exists for `str{n}cmp()` type functions. In most cases they are used like a boolean function to check whether a string matches or not. But they return an integer. It is perfectly fine to check `str{n}cmp()` functions directly but you must compare explicitly against a value. That is to say, while they are conceptually boolean functions they shouldn't be treated as such since they don't really behave like boolean functions. So `if (!str{n}cmp())` and `if (str{n}cmp())` checks must not be used. Good examples are found in the following functions: ```C static int set_config_hooks(const char *key, const char *value, struct lxc_conf *lxc_conf, void *data) char *copy; if (lxc_config_value_empty(value)) return lxc_clear_hooks(lxc_conf, key); if (strcmp(key + 4, "hook") == 0) { ERROR("lxc.hook must not have a value"); return -1; } copy = strdup(value); if (!copy) return -1; if (strcmp(key + 9, "pre-start") == 0) return add_hook(lxc_conf, LXCHOOK_PRESTART, copy); else if (strcmp(key + 9, "start-host") == 0) return add_hook(lxc_conf, LXCHOOK_START_HOST, copy); else if (strcmp(key + 9, "pre-mount") == 0) return add_hook(lxc_conf, LXCHOOK_PREMOUNT, copy); else if (strcmp(key + 9, "autodev") == 0) return add_hook(lxc_conf, LXCHOOK_AUTODEV, copy); else if (strcmp(key + 9, "mount") == 0) return add_hook(lxc_conf, LXCHOOK_MOUNT, copy); else if (strcmp(key + 9, "start") == 0) return add_hook(lxc_conf, LXCHOOK_START, copy); else if (strcmp(key + 9, "stop") == 0) return add_hook(lxc_conf, LXCHOOK_STOP, copy); else if (strcmp(key + 9, "post-stop") == 0) return add_hook(lxc_conf, LXCHOOK_POSTSTOP, copy); else if (strcmp(key + 9, "clone") == 0) return add_hook(lxc_conf, 
LXCHOOK_CLONE, copy); else if (strcmp(key + 9, "destroy") == 0) return add_hook(lxc_conf, LXCHOOK_DESTROY, copy); free(copy); return -1; } ``` ## 12) Do Not Use C99 Variable Length Arrays (VLA) - They are made optional and there is no guarantee that future C standards will support them. ## 13) Use Standard libc Macros When Exiting - libc provides `EXIT_FAILURE` and `EXIT_SUCCESS`. Use them whenever possible in the child of `fork()`ed process or when exiting from a `main()` function. ## 14) Use `goto`s `goto`s are an essential language construct of C and are perfect to perform cleanup operations or simplify the logic of functions. However, here are the rules to use them: - use descriptive `goto` labels. For example, if you know that this label is only used as an error path you should use something like `on_error` instead of `out` as label name. - **only** jump downwards unless you are handling `EAGAIN` errors and want to avoid `do-while` constructs. - An example of a good usage of `goto` is: ```C static int set_config_idmaps(const char *key, const char *value, struct lxc_conf *lxc_conf, void *data) { unsigned long hostid, nsid, range; char type; int ret; struct lxc_list *idmaplist = NULL; struct id_map *idmap = NULL; if (lxc_config_value_empty(value)) return lxc_clear_idmaps(lxc_conf); idmaplist = malloc(sizeof(*idmaplist)); if (!idmaplist) goto on_error; idmap = malloc(sizeof(*idmap)); if (!idmap) goto on_error; memset(idmap, 0, sizeof(*idmap)); ret = parse_idmaps(value, &type, &nsid, &hostid, &range); if (ret < 0) { ERROR("Failed to parse id mappings"); goto on_error; } INFO("Read uid map: type %c nsid %lu hostid %lu range %lu", type, nsid, hostid, range); if (type == 'u') idmap->idtype = ID_TYPE_UID; else if (type == 'g') idmap->idtype = ID_TYPE_GID; else goto on_error; idmap->hostid = hostid; idmap->nsid = nsid; idmap->range = range; idmaplist->elem = idmap; lxc_list_add_tail(&lxc_conf->id_map, idmaplist); if (!lxc_conf->root_nsuid_map && idmap->idtype == 
ID_TYPE_UID) if (idmap->nsid == 0) lxc_conf->root_nsuid_map = idmap; if (!lxc_conf->root_nsgid_map && idmap->idtype == ID_TYPE_GID) if (idmap->nsid == 0) lxc_conf->root_nsgid_map = idmap; idmap = NULL; return 0; on_error: free(idmaplist); free(idmap); return -1; } ``` ## 15) Use Booleans instead of integers - When something can be conceptualized in a binary way use a boolean not an integer. ## 16) Cleanup Functions Must Handle The Object's Null Type And Being Passed Already Cleaned Up Objects - If you implement a custom cleanup function to e.g. free a complex type you declared you must ensure that the object's null type is handled and treated as a NOOP. For example: ```C void lxc_free_array(void **array, lxc_free_fn element_free_fn) { void **p; for (p = array; p && *p; p++) element_free_fn(*p); free((void*)array); } ``` - Cleanup functions should also expect to be passed already cleaned up objects. One way to handle this cleanly is to initialize the cleaned up variable to a special value that signals the function that the element has already been freed on the next call. For example, the following function cleans up file descriptors and sets the already closed file descriptors to `-EBADF`. On the next call it can simply check whether the file descriptor is positive and move on if it isn't: ```C static void lxc_put_attach_clone_payload(struct attach_clone_payload *p) { if (p->ipc_socket >= 0) { shutdown(p->ipc_socket, SHUT_RDWR); close(p->ipc_socket); p->ipc_socket = -EBADF; } if (p->pty_fd >= 0) { close(p->pty_fd); p->pty_fd = -EBADF; } if (p->init_ctx) { lxc_proc_put_context_info(p->init_ctx); p->init_ctx = NULL; } } ``` ## 17) Cast to `(void)` When Intentionally Ignoring Return Values - There are cases where you do not care about the return value of a function. Please cast the return value to `(void)` when doing so. - Standard library functions or functions which are known to be ignored by default do not need to be cast to `(void)`. 
Classical candidates are `close()` and `fclose()`. - A good example is: ```C for (i = 0; hierarchies[i]; i++) { char *fullpath; char *path = hierarchies[i]->fullcgpath; ret = chowmod(path, destuid, nsgid, 0755); if (ret < 0) return -1; /* failures to chown() these are inconvenient but not * detrimental we leave these owned by the container launcher, * so that container root can write to the files to attach. we * chmod() them 664 so that container systemd can write to the * files (which systemd in wily insists on doing). */ if (hierarchies[i]->version == cgroup_super_magic) { fullpath = must_make_path(path, "tasks", null); (void)chowmod(fullpath, destuid, nsgid, 0664); free(fullpath); } fullpath = must_make_path(path, "cgroup.procs", null); (void)chowmod(fullpath, destuid, 0, 0664); free(fullpath); if (hierarchies[i]->version != cgroup2_super_magic) continue; fullpath = must_make_path(path, "cgroup.subtree_control", null); (void)chowmod(fullpath, destuid, nsgid, 0664); free(fullpath); fullpath = must_make_path(path, "cgroup.threads", null); (void)chowmod(fullpath, destuid, nsgid, 0664); free(fullpath); } ``` ## 18) Use `for (;;)` instead of `while (1)` or `while (true)` - Let's be honest, it is really the only sensible way to do this. ## 19) Use The Set Of Supported DCO Statements - Signed-off-by: Random J Developer - You did write this code or have the right to contribute it to LXC. - Acked-by: Random J Developer - You did read the code and think it is correct. This is usually only used by maintainers or developers that have made significant contributions and can vouch for the correctness of someone else's code. - Reviewed-by: Random J Developer - You did review the code and vouch for its correctness, i.e. you'd be prepared to fix bugs it might cause. This is usually only used by maintainers or developers that have made significant contributions and can vouch for the correctness of someone else's code. 
- Co-developed-by: Random J Developer - The code can not be reasonably attributed to a single developer, i.e. you worked on this together. - Tested-by: Random J Developer - You verified that the code fixes a given bug or is behaving as advertised. - Reported-by: Random J Developer - You found and reported the bug. - Suggested-by: Random J Developer - You wrote the code but someone contributed the idea. This line is usually overlooked but it is a sign of good etiquette and coding ethics: if someone helped you solve a problem or had a clever idea do not silently claim it by slapping your Signed-off-by underneath. Be honest and add a Suggested-by. ## 20) Commit Message Outline - You **must** stick to the 80chars limit especially in the title of the commit message. - Please use English commit messages only. - use meaningful commit messages. - Use correct spelling and grammar. If you are not a native speaker and/or feel yourself struggling with this it is perfectly fine to point this out and there's no need to apologize. Usually developers will be happy to pull your branch and adopt the commit message. - Please always use the affected file (without the file type suffix) or module as a prefix in the commit message. - Examples of good commit messages are: ```Diff commit b87243830e3b5e95fa31a17cf1bfebe55353bf13 Author: Felix Abecassis Date: Fri Feb 2 06:19:13 2018 -0800 hooks: change the semantic of NVIDIA_VISIBLE_DEVICES="" With LXC, you can override the value of an environment variable to null, but you can't unset an existing variable. The NVIDIA hook was previously activated when NVIDIA_VISIBLE_DEVICES was set to null. As a result, it was not possible to disable the hook by overriding the environment variable in the configuration. The hook can now be disabled by setting NVIDIA_VISIBLE_DEVICES to null or to the new special value "void". 
Signed-off-by: Felix Abecassis commit d6337a5f9dc7311af168aa3d586fdf239f5a10d3 Author: Christian Brauner Date: Wed Jan 31 16:25:11 2018 +0100 cgroups: get controllers on the unified hierarchy Signed-off-by: Christian Brauner ``` ## 21) Use `_exit()` To Terminate `fork()`ed Child Processes - When `fork()`ing off a child process use `_exit()` to terminate it instead of `exit()`. The `exit()` function is not thread-safe and thus not suited for the shared library which must ensure that it is thread-safe. ## 22) Keep Arrays of `struct`s Aligned Horizontally When Initializing - Arrays of `struct`s are: ```C struct foo_struct { int n; int m; int p; }; struct foo_struct new_instance[] = { { 1, 2, 3 }, { 4, 5, 6 }, { 7, 8, 9 }, }; ``` - Leave a single space after the opening `{` and before closing `}` of the largest member of the last column. - Always leave a single space between the largest member of the current column and the member in the next column. - A good example is ```C struct signame { int num; const char *name; }; static const struct signame signames[] = { { SIGHUP, "HUP" }, { SIGINT, "INT" }, { SIGQUIT, "QUIT" }, { SIGILL, "ILL" }, { SIGABRT, "ABRT" }, { SIGFPE, "FPE" }, { SIGKILL, "KILL" }, { SIGSEGV, "SEGV" }, { SIGPIPE, "PIPE" }, { SIGALRM, "ALRM" }, { SIGTERM, "TERM" }, { SIGUSR1, "USR1" }, { SIGUSR2, "USR2" }, { SIGCHLD, "CHLD" }, { SIGCONT, "CONT" }, { SIGSTOP, "STOP" }, { SIGTSTP, "TSTP" }, { SIGTTIN, "TTIN" }, { SIGTTOU, "TTOU" }, #ifdef SIGTRAP { SIGTRAP, "TRAP" }, #endif #ifdef SIGIOT { SIGIOT, "IOT" }, #endif #ifdef SIGEMT { SIGEMT, "EMT" }, #endif #ifdef SIGBUS { SIGBUS, "BUS" }, #endif #ifdef SIGSTKFLT { SIGSTKFLT, "STKFLT" }, #endif #ifdef SIGCLD { SIGCLD, "CLD" }, #endif #ifdef SIGURG { SIGURG, "URG" }, #endif #ifdef SIGXCPU { SIGXCPU, "XCPU" }, #endif #ifdef SIGXFSZ { SIGXFSZ, "XFSZ" }, #endif #ifdef SIGVTALRM { SIGVTALRM, "VTALRM" }, #endif #ifdef SIGPROF { SIGPROF, "PROF" }, #endif #ifdef SIGWINCH { SIGWINCH, "WINCH" }, #endif #ifdef SIGIO { 
SIGIO, "IO" }, #endif #ifdef SIGPOLL { SIGPOLL, "POLL" }, #endif #ifdef SIGINFO { SIGINFO, "INFO" }, #endif #ifdef SIGLOST { SIGLOST, "LOST" }, #endif #ifdef SIGPWR { SIGPWR, "PWR" }, #endif #ifdef SIGUNUSED { SIGUNUSED, "UNUSED" }, #endif #ifdef SIGSYS { SIGSYS, "SYS" }, #endif }; ``` ## 23) Use `strlcpy()` instead of `strncpy()` When copying strings always use `strlcpy()` instead of `strncpy()`. The advantage of `strlcpy()` is that it will always append a `\0` byte to the string (provided the destination size passed to it is not zero). Unless you have a valid reason to accept truncation you must check whether truncation has occurred (the return value is greater than or equal to the size of the destination buffer), treat it as an error, and handle the error appropriately. ## 24) Use `strlcat()` instead of `strncat()` When concatenating strings always use `strlcat()` instead of `strncat()`. The advantage of `strlcat()` is that it will always append a `\0` byte to the string. Unless you have a valid reason to accept truncation you must check whether truncation has occurred (the return value is greater than or equal to the size of the destination buffer), treat it as an error, and handle the error appropriately. ## 25) Use `__fallthrough__` in switch statements If LXC detects that the compiler is new enough it will tell it to check `switch` statements for non-documented fallthroughs. Please always place a `__fallthrough__` after a `case` which falls through to the next one. ```c int lxc_attach_run_command(void *payload) { int ret = -1; lxc_attach_command_t *cmd = payload; ret = execvp(cmd->program, cmd->argv); if (ret < 0) { switch (errno) { case ENOEXEC: ret = 126; break; case ENOTDIR: __fallthrough; case ENOENT: ret = 127; break; } } SYSERROR("Failed to exec \"%s\"", cmd->program); return ret; } ``` ## 24) Never use `fgets()` LXC does not allow the use of `fgets()`. Use `getline()` or other methods instead. ## 25) Never allocate memory on the stack This specifically forbids any usage of `alloca()` in the codebase. 
## 26) Use cleanup macros supported by `gcc` and `clang` LXC has switched from manually cleaning up resources to using cleanup macros supported by `gcc` and `clang`: ```c __attribute__((__cleanup__())) ``` We do not allow manual cleanups anymore if there are appropriate macros. Currently the following macros are supported: ```c /* close file descriptor */ __do_close_prot_errno /* free allocated memory */ __do_free __attribute__((__cleanup__(__auto_free__))) /* close FILEs */ __do_fclose __attribute__((__cleanup__(__auto_fclose__))) /* close DIRs */ __do_closedir __attribute__((__cleanup__(__auto_closedir__))) ``` For example: ```c void turn_into_dependent_mounts(void) { __do_free char *line = NULL; __do_fclose FILE *f = NULL; __do_close int memfd = -EBADF, mntinfo_fd = -EBADF; int ret; ssize_t copied; size_t len = 0; mntinfo_fd = open("/proc/self/mountinfo", O_RDONLY | O_CLOEXEC); if (mntinfo_fd < 0) { SYSERROR("Failed to open \"/proc/self/mountinfo\""); return; } memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC); if (memfd < 0) { char template[] = P_tmpdir "/.lxc_mountinfo_XXXXXX"; if (errno != ENOSYS) { SYSERROR("Failed to create temporary in-memory file"); return; } memfd = lxc_make_tmpfile(template, true); if (memfd < 0) { WARN("Failed to create temporary file"); return; } } again: copied = lxc_sendfile_nointr(memfd, mntinfo_fd, NULL, LXC_SENDFILE_MAX); if (copied < 0) { if (errno == EINTR) goto again; SYSERROR("Failed to copy \"/proc/self/mountinfo\""); return; } ret = lseek(memfd, 0, SEEK_SET); if (ret < 0) { SYSERROR("Failed to reset file descriptor offset"); return; } f = fdopen(memfd, "re"); if (!f) { SYSERROR("Failed to open copy of \"/proc/self/mountinfo\" to mark all shared. Continuing"); return; } /* * After a successful fdopen() memfd will be closed when calling * fclose(f). Calling close(memfd) afterwards is undefined. 
*/ move_fd(memfd); while (getline(&line, &len, f) != -1) { char *opts, *target; target = get_field(line, 4); if (!target) continue; opts = get_field(target, 2); if (!opts) continue; null_endofword(opts); if (!strstr(opts, "shared")) continue; null_endofword(target); ret = mount(NULL, target, NULL, MS_SLAVE, NULL); if (ret < 0) { SYSERROR("Failed to recursively turn old root mount tree into dependent mount. Continuing..."); continue; } TRACE("Recursively turned old root mount tree into dependent mount"); } TRACE("Turned all mount table entries into dependent mount"); } ``` ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/CONTRIBUTING0000664000175000017500000001105614773562270014427 0ustar00stgraberstgraberContributing to this project ---------------------------- This project accepts contributions. In order to contribute, you should pay attention to a few things: 1 - your code must follow the coding style rules 2 - the format of the submission must be GitHub pull requests 3 - your work must be signed Coding Style: ------------- The LXC project generally follows the Linux kernel coding style. However, there are a few differences; these are outlined in CODING_STYLE.md The Linux kernel coding style guide can be found within the kernel tree: Documentation/process/coding-style.rst It can be accessed online too: https://www.kernel.org/doc/html/latest/process/coding-style.html Submitting Modifications: ------------------------- The contributions must be GitHub pull requests. Licensing for new files: ------------------------ LXC is made of files shipped under a few different licenses. Anything that ends up being part of the LXC library needs to be released under LGPLv2.1+ or a license compatible with it (though the latter will only be accepted for cases where the code originated elsewhere and was imported into LXC). Language bindings for the libraries need to be released under LGPLv2.1+. 
Anything else (non-libraries) needs to be Free Software and needs to be allowed to link with LGPLv2.1+ code (if needed). LXC upstream prefers LGPLv2.1+ or GPLv2 for those. When introducing a new file into the project, please make sure it has a copyright header making clear under which license it's being released and if it doesn't match the criteria described above, please explain your decision on the lxc-devel mailing-list when submitting your patch. Developer Certificate of Origin: -------------------------------- To improve tracking of contributions to this project we will use a process modeled on the modified DCO 1.1 and use a "sign-off" procedure. The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. The rules are pretty simple: if you can certify the below: By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source License and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) The contribution is made free of any other party's intellectual property claims or rights. 
(e) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. then you just add a line saying Signed-off-by: Random J Developer You can do it by using option -s or --signoff when you commit git commit --signoff ... using your real name (sorry, no pseudonyms or anonymous contributions.) In addition we support the following DCOs which maintainers can use to indicate that a patch is acceptable: Acked-by: Random J Developer Reviewed-by: Random J Developer If you are contributing as a group that is implementing a feature together such that it cannot be reasonably attributed to a single developer please use: Co-developed-by: Random J Developer 1 Co-developed-by: Random J Developer 2 AI Generated Code: ------------------ Substantially AI-generated code is not welcome. There are several reasons for this. First, it violates the "The contribution was created in whole or in part by me" statement of the DCO. Second, the licensing implications are not yet clear. Third, we expect anyone who submits code to fully understand what they are submitting. Finally, we put a lot of time into reviewing patch submissions. Increasing the volume of code to be reviewed with autogenerated boilerplate drivel will take away time from more important reviews. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/COPYING0000664000175000017500000000042514773562270013626 0ustar00stgraberstgraberAll source files have SPDX headers that declare what license applies. The applicable licenses are included in the code repository. For other files such as examples, config files, ... they can be assumed to be licensed the same way that the LXC library is, so under LGPLv2.1+. 
././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/LICENSE.GPL20000664000175000017500000004310314773562270014303 0ustar00stgraberstgraber GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/LICENSE.LGPL2.10000664000175000017500000006364214773562270014570 0ustar00stgraberstgraber GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] 
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. 
We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. 
These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". 
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. 
A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. 
As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. 
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. 
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. 
The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/MAINTAINERS0000664000175000017500000000107214773562270014267 0ustar00stgraberstgraberBefore submitting your patches, check they are signed-off-by conforming with the DCO contained in the ./CONTRIBUTING file. Maintainer ---------- Committers : Serge Hallyn, Stéphane Graber, Christian Brauner and Wolfgang Bumiller Mail patches to : lxc-devel@lists.linuxcontainers.org Send pull requests at : https://github.com/lxc/lxc Mailing lists : lxc-devel@lists.linuxcontainers.org, lxc-users@lists.linuxcontainers.org Web page : https://linuxcontainers.org/lxc Git location : https://github.com/lxc/lxc ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/Makefile0000664000175000017500000000045414773562270014235 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ .PHONY: all all: meson ninja -C build .PHONY: meson meson: [ -d build ] || meson setup build/ .PHONY: dist dist: meson meson dist -C build/ --formats=gztar cp build/meson-dist/*.tar.gz . 
.PHONY: install install: DESTDIR=$(DESTDIR) ninja -C build install ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/README.md0000664000175000017500000002034214773562270014052 0ustar00stgraberstgraber![Linux Containers logo](https://linuxcontainers.org/static/img/containers.png) # LXC LXC is the well-known and heavily tested low-level Linux container runtime. It is in active development since 2008 and has proven itself in critical production environments world-wide. Some of its core contributors are the same people that helped to implement various well-known containerization features inside the Linux kernel. ## Status Type | Service | Status --- | --- | --- CI (Linux) | GitHub | [![Build Status](https://github.com/lxc/lxc/actions/workflows/build.yml/badge.svg)](https://github.com/lxc/lxc/actions) CI (Linux) | Jenkins | [![Build Status](https://jenkins.linuxcontainers.org/job/lxc-github-commit/badge/icon)](https://jenkins.linuxcontainers.org/job/lxc-github-commit/) Project status | CII Best Practices | [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1087/badge)](https://bestpractices.coreinfrastructure.org/projects/1087) Fuzzing | OSS-Fuzz | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/lxc.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#lxc) Fuzzing | CIFuzz | [![CIFuzz](https://github.com/lxc/lxc/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/lxc/lxc/actions/workflows/cifuzz.yml) ## System Containers LXC's main focus is system containers. That is, containers which offer an environment as close as possible as the one you'd get from a VM but without the overhead that comes with running a separate kernel and simulating all the hardware. This is achieved through a combination of kernel security features such as namespaces, mandatory access control and control groups. 
## Unprivileged Containers Unprivileged containers are containers that are run without any privilege. This requires support for user namespaces in the kernel that the container is run on. LXC was the first runtime to support unprivileged containers after user namespaces were merged into the mainline kernel. In essence, user namespaces isolate given sets of UIDs and GIDs. This is achieved by establishing a mapping between a range of UIDs and GIDs on the host to a different (unprivileged) range of UIDs and GIDs in the container. The kernel will translate this mapping in such a way that inside the container all UIDs and GIDs appear as you would expect from the host whereas on the host these UIDs and GIDs are in fact unprivileged. For example, a process running as UID and GID 0 inside the container might appear as UID and GID 100000 on the host. The implementation and working details can be gathered from the corresponding user namespace man page. Since unprivileged containers are a security enhancement they naturally come with a few restrictions enforced by the kernel. In order to provide a fully functional unprivileged container LXC interacts with 3 pieces of setuid code: - lxc-user-nic (setuid helper to create a veth pair and bridge it on the host) - newuidmap (from the shadow package, sets up a uid map) - newgidmap (from the shadow package, sets up a gid map) Everything else is run as your own user or as a uid which your user owns. In general, LXC's goal is to make use of every security feature available in the kernel. This means LXC's configuration management will allow experienced users to intricately tune LXC to their needs. A more detailed introduction into LXC security can be found under the following link - https://linuxcontainers.org/lxc/security/ ### Removing all Privilege In principle LXC can be run without any of these tools provided the correct configuration is applied. However, the usefulness of such containers is usually quite restricted. 
Just to highlight the two most common problems: 1. Network: Without relying on a setuid helper to set up appropriate network devices for an unprivileged user (see LXC's `lxc-user-nic` binary) the only option is to share the network namespace with the host. Although this should be secure in principle, sharing the host's network namespace still removes one layer of isolation and increases the attack surface. Furthermore, when host and container share the same network namespace the kernel will refuse any sysfs mounts. This usually means that the init binary inside of the container will not be able to boot up correctly. 2. User Namespaces: As outlined above, user namespaces are a big security enhancement. However, without relying on privileged helpers, users who are unprivileged on the host are only permitted to map their own UID into a container. A standard POSIX system, however, requires 65536 UIDs and GIDs to be available to guarantee full functionality. ## Configuration LXC is configured via a simple set of keys. For example, - `lxc.rootfs.path` - `lxc.mount.entry` LXC namespaces configuration keys by using single dots. This means complex configuration keys such as `lxc.net.0` expose various subkeys such as `lxc.net.0.type`, `lxc.net.0.link`, `lxc.net.0.ipv6.address`, and others for even more fine-grained configuration. LXC is used as the default runtime for [Incus](https://github.com/lxc/incus), a container hypervisor exposing a well-designed and stable REST-api on top of it. ## Kernel Requirements LXC runs on any kernel from 2.6.32 onwards. All it requires is a functional C compiler. LXC works on all architectures that provide the necessary kernel features. This includes (but isn't limited to): - i686 - x86_64 - ppc, ppc64, ppc64le - riscv64 - s390x - armv7l, arm64 - loongarch64 LXC also supports at least the following C standard libraries: - glibc - musl - bionic (Android's libc) ## Backwards Compatibility LXC has always focused on strong backwards compatibility.
In fact, the API hasn't been broken from release `1.0.0` onwards. Main LXC is currently at version `4.*.*`. ## Reporting Security Issues The LXC project has a good reputation for handling security issues quickly and efficiently. If you think you've found a potential security issue, please report it by e-mail to security (at) linuxcontainers (dot) org. For further details please have a look at - https://linuxcontainers.org/lxc/security/ ## Becoming Active in LXC development We always welcome new contributors and are happy to provide guidance when necessary. LXC follows the kernel coding conventions. This means we only require that each commit includes a `Signed-off-by` line. The coding style we use is identical to the one used by the Linux kernel. You can find a detailed introduction at: - https://www.kernel.org/doc/html/v4.10/process/coding-style.html and should also take a look at the [CONTRIBUTING](CONTRIBUTING) file in this repo. If you want to become more active it is usually also a good idea to show up in the LXC IRC channel [#lxc-dev](https://kiwiirc.com/client/irc.libera.chat/#lxc-dev) on irc.libera.chat. We try to do all development out in the open and discussion of new features or bugs is done either in appropriate GitHub issues or on IRC. When thinking about making security-critical contributions or substantial changes it is usually a good idea to ping the developers first and ask whether a PR would be accepted. ## Semantic Versioning LXC and its related projects strictly adhere to a [semantic versioning](http://semver.org/) scheme. ## Downloading the current source code Source for the latest released version can always be downloaded from - https://linuxcontainers.org/lxc/downloads/ You can browse the up-to-the-minute source code and change history online - https://github.com/lxc/lxc ## Building LXC Without considering distribution-specific details, a simple meson setup -Dprefix=/usr build meson compile -C build is usually sufficient.
## Getting help When you find you need help, the LXC projects provides you with several options. ### Discuss Forum We maintain a discuss forum at - https://discuss.linuxcontainers.org/ where you can get support. ### IRC You can find us in [#lxc](https://kiwiirc.com/client/irc.libera.chat/#lxc) on irc.libera.chat. ### Mailing Lists You can check out one of the two LXC mailing list archives and register if interested: - http://lists.linuxcontainers.org/listinfo/lxc-devel - http://lists.linuxcontainers.org/listinfo/lxc-users ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/coccinelle/0000775000175000017500000000000014773562270014672 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/coccinelle/exit.cocci0000664000175000017500000000024014773562270016641 0ustar00stgraberstgraber@@ @@ - exit(0); + exit(EXIT_SUCCESS); @@ @@ - _exit(0); + _exit(EXIT_SUCCESS); @@ @@ - exit(1); + exit(EXIT_FAILURE); @@ @@ - _exit(1); + _exit(EXIT_FAILURE); ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/coccinelle/run-coccinelle.sh0000775000175000017500000000133714773562270020137 0ustar00stgraberstgraber#!/bin/bash -e top="$(git rev-parse --show-toplevel)" files="$(git ls-files ':/*.[ch]')" args= case "$1" in -i) args="$args --in-place" shift ;; esac if ! parallel -h >/dev/null; then echo 'Please install GNU parallel (package "parallel")' exit 1 fi for SCRIPT in ${@-$top/coccinelle/*.cocci} ; do echo "--x-- Processing $SCRIPT --x--" TMPFILE=$(mktemp) echo "+ spatch --sp-file $SCRIPT $args ..." 
parallel --halt now,fail=1 --keep-order --noswap --max-args=20 \ spatch --sp-file $SCRIPT $args ::: $files \ 2>"$TMPFILE" || cat "$TMPFILE" echo -e "--x-- Processed $SCRIPT --x--\n" done ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/coccinelle/while-true.cocci0000664000175000017500000000013314773562270017756 0ustar00stgraberstgraber@@ statement s; @@ - while (true) + for (;;) s @@ statement s; @@ - while (1) + for (;;) s ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/0000775000175000017500000000000014773562270014037 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/0000775000175000017500000000000014773562270015660 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/README0000664000175000017500000000067714773562270016552 0ustar00stgraberstgraberThe abstractions/container-base file is partially automatically generated. The two source files are container-rules.base and abstractions/container-base.in. If these file are updated, then 1. Generate a new container-rules file using ./lxc-generate-aa-rules.py container-rules.base > container-rules 2. 
Concatenate container-base.in with container-rules using cat abstractions/container-base.in container-rules > abstractions/container-base ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/abstractions/0000775000175000017500000000000014773562270020354 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/abstractions/container-base0000664000175000017500000002040714773562270023174 0ustar00stgraberstgraber network, capability, file, umount, # dbus, signal, ptrace and unix are only supported by recent apparmor # versions. Comment them if the apparmor parser doesn't recognize them. # This also needs additional rules to reach outside of the container via # DBus, so just let all of DBus within the container. dbus, # Allow us to receive signals from anywhere. Note: if per-container profiles # are supported, for container isolation this should be changed to something # like: # signal (receive) peer=unconfined, # signal (receive) peer=/usr/bin/lxc-start, signal (receive), # Allow us to send signals to ourselves signal peer=@{profile_name}, # Allow other processes to read our /proc entries, futexes, perf tracing and # kcmp for now (they will need 'read' in the first place). Administrators can # override with: # deny ptrace (readby) ... ptrace (readby), # Allow other processes to trace us by default (they will need 'trace' in # the first place). Administrators can override with: # deny ptrace (tracedby) ... ptrace (tracedby), # Allow us to ptrace ourselves ptrace peer=@{profile_name}, # Allow receive via unix sockets from anywhere. 
Note: if per-container # profiles are supported, for container isolation this should be changed to # something like: # unix (receive) peer=(label=unconfined), unix (receive), # Allow all unix in the container unix peer=(label=@{profile_name}), # ignore DENIED message on / remount deny mount options=(ro, remount) -> /, deny mount options=(ro, remount, silent) -> /, # allow tmpfs mounts everywhere mount fstype=tmpfs, # allow hugetlbfs mounts everywhere mount fstype=hugetlbfs, # allow mqueue mounts everywhere mount fstype=mqueue, # allow fuse mounts everywhere mount fstype=fuse, mount fstype=fuse.*, # deny access under /proc/bus to avoid e.g. messing with pci devices directly deny @{PROC}/bus/** wklx, # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, deny @{PROC}/sys/fs/** wklx, # allow efivars to be mounted, writing to it will be blocked though mount fstype=efivarfs -> /sys/firmware/efi/efivars/, # block some other dangerous paths deny @{PROC}/kcore rwklx, deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/acpi/** rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow # fusectl, securityfs and debugfs to be mounted there (read-only) mount fstype=fusectl -> /sys/fs/fuse/connections/, mount fstype=securityfs -> /sys/kernel/security/, mount fstype=debugfs -> /sys/kernel/debug/, deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, # deny reads from debugfs deny /sys/kernel/debug/{,**} rwklx, # allow paths to be made slave, shared, private or unbindable mount options=(rw,make-slave) -> /{,**}, mount options=(rw,make-rslave) -> /{,**}, mount options=(rw,make-shared) -> /{,**}, mount options=(rw,make-rshared) -> 
/{,**}, mount options=(rw,make-private) -> /{,**}, mount options=(rw,make-rprivate) -> /{,**}, mount options=(rw,make-unbindable) -> /{,**}, mount options=(rw,make-runbindable) -> /{,**}, # allow bind-mounts of anything except /proc, /sys and /dev mount options=(rw,bind) /[^spd]*{,/**}, mount options=(rw,bind) /d[^e]*{,/**}, mount options=(rw,bind) /de[^v]*{,/**}, mount options=(rw,bind) /dev/.[^l]*{,/**}, mount options=(rw,bind) /dev/.l[^x]*{,/**}, mount options=(rw,bind) /dev/.lx[^c]*{,/**}, mount options=(rw,bind) /dev/.lxc?*{,/**}, mount options=(rw,bind) /dev/[^.]*{,/**}, mount options=(rw,bind) /dev?*{,/**}, mount options=(rw,bind) /p[^r]*{,/**}, mount options=(rw,bind) /pr[^o]*{,/**}, mount options=(rw,bind) /pro[^c]*{,/**}, mount options=(rw,bind) /proc?*{,/**}, mount options=(rw,bind) /s[^y]*{,/**}, mount options=(rw,bind) /sy[^s]*{,/**}, mount options=(rw,bind) /sys?*{,/**}, # allow various ro-bind-*re*-mounts mount options=(ro,remount,bind), mount options=(ro,remount,bind,nosuid), mount options=(ro,remount,bind,noexec), mount options=(ro,remount,bind,nodev), mount options=(ro,remount,bind,nosuid,noexec), mount options=(ro,remount,bind,noexec,nodev), mount options=(ro,remount,bind,nodev,nosuid), mount options=(ro,remount,bind,nosuid,noexec,nodev), # allow moving mounts except for /proc, /sys and /dev mount options=(rw,move) /[^spd]*{,/**}, mount options=(rw,move) /d[^e]*{,/**}, mount options=(rw,move) /de[^v]*{,/**}, mount options=(rw,move) /dev/.[^l]*{,/**}, mount options=(rw,move) /dev/.l[^x]*{,/**}, mount options=(rw,move) /dev/.lx[^c]*{,/**}, mount options=(rw,move) /dev/.lxc?*{,/**}, mount options=(rw,move) /dev/[^.]*{,/**}, mount options=(rw,move) /dev?*{,/**}, mount options=(rw,move) /p[^r]*{,/**}, mount options=(rw,move) /pr[^o]*{,/**}, mount options=(rw,move) /pro[^c]*{,/**}, mount options=(rw,move) /proc?*{,/**}, mount options=(rw,move) /s[^y]*{,/**}, mount options=(rw,move) /sy[^s]*{,/**}, mount options=(rw,move) /sys?*{,/**}, # generated by: 
lxc-generate-aa-rules.py container-rules.base deny /proc/sys/[^kn]*{,/**} wklx, deny /proc/sys/k[^e]*{,/**} wklx, deny /proc/sys/ke[^r]*{,/**} wklx, deny /proc/sys/ker[^n]*{,/**} wklx, deny /proc/sys/kern[^e]*{,/**} wklx, deny /proc/sys/kerne[^l]*{,/**} wklx, deny /proc/sys/kernel/[^smhd]*{,/**} wklx, deny /proc/sys/kernel/d[^o]*{,/**} wklx, deny /proc/sys/kernel/do[^m]*{,/**} wklx, deny /proc/sys/kernel/dom[^a]*{,/**} wklx, deny /proc/sys/kernel/doma[^i]*{,/**} wklx, deny /proc/sys/kernel/domai[^n]*{,/**} wklx, deny /proc/sys/kernel/domain[^n]*{,/**} wklx, deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, deny /proc/sys/kernel/domainname?*{,/**} wklx, deny /proc/sys/kernel/h[^o]*{,/**} wklx, deny /proc/sys/kernel/ho[^s]*{,/**} wklx, deny /proc/sys/kernel/hos[^t]*{,/**} wklx, deny /proc/sys/kernel/host[^n]*{,/**} wklx, deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, deny /proc/sys/kernel/hostname?*{,/**} wklx, deny /proc/sys/kernel/m[^s]*{,/**} wklx, deny /proc/sys/kernel/ms[^g]*{,/**} wklx, deny /proc/sys/kernel/msg*/** wklx, deny /proc/sys/kernel/s[^he]*{,/**} wklx, deny /proc/sys/kernel/se[^m]*{,/**} wklx, deny /proc/sys/kernel/sem*/** wklx, deny /proc/sys/kernel/sh[^m]*{,/**} wklx, deny /proc/sys/kernel/shm*/** wklx, deny /proc/sys/kernel?*{,/**} wklx, deny /proc/sys/n[^e]*{,/**} wklx, deny /proc/sys/ne[^t]*{,/**} wklx, deny /proc/sys/net?*{,/**} wklx, deny /sys/[^fdc]*{,/**} wklx, deny /sys/c[^l]*{,/**} wklx, deny /sys/cl[^a]*{,/**} wklx, deny /sys/cla[^s]*{,/**} wklx, deny /sys/clas[^s]*{,/**} wklx, deny /sys/class/[^n]*{,/**} wklx, deny /sys/class/n[^e]*{,/**} wklx, deny /sys/class/ne[^t]*{,/**} wklx, deny /sys/class/net?*{,/**} wklx, deny /sys/class?*{,/**} wklx, deny /sys/d[^e]*{,/**} wklx, deny /sys/de[^v]*{,/**} wklx, deny /sys/dev[^i]*{,/**} wklx, deny /sys/devi[^c]*{,/**} 
wklx, deny /sys/devic[^e]*{,/**} wklx, deny /sys/device[^s]*{,/**} wklx, deny /sys/devices/[^v]*{,/**} wklx, deny /sys/devices/v[^i]*{,/**} wklx, deny /sys/devices/vi[^r]*{,/**} wklx, deny /sys/devices/vir[^t]*{,/**} wklx, deny /sys/devices/virt[^u]*{,/**} wklx, deny /sys/devices/virtu[^a]*{,/**} wklx, deny /sys/devices/virtua[^l]*{,/**} wklx, deny /sys/devices/virtual/[^n]*{,/**} wklx, deny /sys/devices/virtual/n[^e]*{,/**} wklx, deny /sys/devices/virtual/ne[^t]*{,/**} wklx, deny /sys/devices/virtual/net?*{,/**} wklx, deny /sys/devices/virtual?*{,/**} wklx, deny /sys/devices?*{,/**} wklx, deny /sys/f[^s]*{,/**} wklx, deny /sys/fs/[^c]*{,/**} wklx, deny /sys/fs/c[^g]*{,/**} wklx, deny /sys/fs/cg[^r]*{,/**} wklx, deny /sys/fs/cgr[^o]*{,/**} wklx, deny /sys/fs/cgro[^u]*{,/**} wklx, deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/abstractions/container-base.in0000664000175000017500000001242714773562270023604 0ustar00stgraberstgraber network, capability, file, umount, # dbus, signal, ptrace and unix are only supported by recent apparmor # versions. Comment them if the apparmor parser doesn't recognize them. # This also needs additional rules to reach outside of the container via # DBus, so just let all of DBus within the container. dbus, # Allow us to receive signals from anywhere. Note: if per-container profiles # are supported, for container isolation this should be changed to something # like: # signal (receive) peer=unconfined, # signal (receive) peer=/usr/bin/lxc-start, signal (receive), # Allow us to send signals to ourselves signal peer=@{profile_name}, # Allow other processes to read our /proc entries, futexes, perf tracing and # kcmp for now (they will need 'read' in the first place). Administrators can # override with: # deny ptrace (readby) ... 
ptrace (readby), # Allow other processes to trace us by default (they will need 'trace' in # the first place). Administrators can override with: # deny ptrace (tracedby) ... ptrace (tracedby), # Allow us to ptrace ourselves ptrace peer=@{profile_name}, # Allow receive via unix sockets from anywhere. Note: if per-container # profiles are supported, for container isolation this should be changed to # something like: # unix (receive) peer=(label=unconfined), unix (receive), # Allow all unix in the container unix peer=(label=@{profile_name}), # ignore DENIED message on / remount deny mount options=(ro, remount) -> /, deny mount options=(ro, remount, silent) -> /, # allow tmpfs mounts everywhere mount fstype=tmpfs, # allow hugetlbfs mounts everywhere mount fstype=hugetlbfs, # allow mqueue mounts everywhere mount fstype=mqueue, # allow fuse mounts everywhere mount fstype=fuse, mount fstype=fuse.*, # deny access under /proc/bus to avoid e.g. messing with pci devices directly deny @{PROC}/bus/** wklx, # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, deny @{PROC}/sys/fs/** wklx, # allow efivars to be mounted, writing to it will be blocked though mount fstype=efivarfs -> /sys/firmware/efi/efivars/, # block some other dangerous paths deny @{PROC}/kcore rwklx, deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/acpi/** rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow # fusectl, securityfs and debugfs to be mounted there (read-only) mount fstype=fusectl -> /sys/fs/fuse/connections/, mount fstype=securityfs -> /sys/kernel/security/, mount fstype=debugfs -> /sys/kernel/debug/, deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/, # deny reads from debugfs deny /sys/kernel/debug/{,**} rwklx, # allow paths to be made slave, shared, private or unbindable mount options=(rw,make-slave) -> /{,**}, mount options=(rw,make-rslave) -> /{,**}, mount options=(rw,make-shared) -> /{,**}, mount options=(rw,make-rshared) -> /{,**}, mount options=(rw,make-private) -> /{,**}, mount options=(rw,make-rprivate) -> /{,**}, mount options=(rw,make-unbindable) -> /{,**}, mount options=(rw,make-runbindable) -> /{,**}, # allow bind-mounts of anything except /proc, /sys and /dev mount options=(rw,bind) /[^spd]*{,/**}, mount options=(rw,bind) /d[^e]*{,/**}, mount options=(rw,bind) /de[^v]*{,/**}, mount options=(rw,bind) /dev/.[^l]*{,/**}, mount options=(rw,bind) /dev/.l[^x]*{,/**}, mount options=(rw,bind) /dev/.lx[^c]*{,/**}, mount options=(rw,bind) /dev/.lxc?*{,/**}, mount options=(rw,bind) /dev/[^.]*{,/**}, mount options=(rw,bind) /dev?*{,/**}, mount options=(rw,bind) /p[^r]*{,/**}, mount options=(rw,bind) /pr[^o]*{,/**}, mount options=(rw,bind) /pro[^c]*{,/**}, mount options=(rw,bind) /proc?*{,/**}, mount options=(rw,bind) /s[^y]*{,/**}, mount options=(rw,bind) /sy[^s]*{,/**}, mount options=(rw,bind) /sys?*{,/**}, # allow various ro-bind-*re*-mounts mount options=(ro,remount,bind), mount options=(ro,remount,bind,nosuid), mount options=(ro,remount,bind,noexec), mount options=(ro,remount,bind,nodev), mount options=(ro,remount,bind,nosuid,noexec), mount options=(ro,remount,bind,noexec,nodev), mount options=(ro,remount,bind,nodev,nosuid), mount options=(ro,remount,bind,nosuid,noexec,nodev), # allow moving mounts except for /proc, /sys and /dev mount options=(rw,move) /[^spd]*{,/**}, mount options=(rw,move) /d[^e]*{,/**}, mount options=(rw,move) /de[^v]*{,/**}, mount options=(rw,move) /dev/.[^l]*{,/**}, mount options=(rw,move) /dev/.l[^x]*{,/**}, mount options=(rw,move) /dev/.lx[^c]*{,/**}, mount options=(rw,move) /dev/.lxc?*{,/**}, mount options=(rw,move) /dev/[^.]*{,/**}, mount options=(rw,move) 
/dev?*{,/**}, mount options=(rw,move) /p[^r]*{,/**}, mount options=(rw,move) /pr[^o]*{,/**}, mount options=(rw,move) /pro[^c]*{,/**}, mount options=(rw,move) /proc?*{,/**}, mount options=(rw,move) /s[^y]*{,/**}, mount options=(rw,move) /sy[^s]*{,/**}, mount options=(rw,move) /sys?*{,/**}, ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/abstractions/meson.build0000664000175000017500000000100314773562270022510 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ if libapparmor.found() configure_file( configuration: conf, input: 'container-base', output: 'container-base', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d', 'abstractions', 'lxc')) configure_file( configuration: conf, input: 'start-container.in', output: 'start-container', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d', 'abstractions', 'lxc')) endif ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/abstractions/start-container.in0000664000175000017500000000335514773562270024027 0ustar00stgraberstgraber network, capability, file, # The following 3 entries are only supported by recent apparmor versions. # Comment them if the apparmor parser doesn't recognize them. 
dbus, signal, ptrace, # currently blocked by apparmor bug mount -> /usr/lib*/*/lxc/{**,}, mount -> /usr/lib*/lxc/{**,}, mount -> @LXCROOTFSMOUNT@/{,**}, mount fstype=devpts -> /dev/pts/, mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, mount options=bind /dev/pts/** -> /dev/**, mount options=(rw, make-slave) -> /{,**}, mount options=(rw, make-rslave) -> /{,**}, mount options=(rw, make-shared) -> /{,**}, mount options=(rw, make-rshared) -> /{,**}, mount fstype=debugfs, mount fstype=fuse.*, # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/ mount -> /var/lib/lxc/{**,}, mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, # required for some pre-mount hooks mount fstype=overlayfs, mount fstype=aufs, mount fstype=ecryptfs, # all umounts are under the original root's /mnt, but right now we # can't allow those umounts after pivot_root. So allow all umounts # right now. They'll be restricted for the container at least. umount, #umount /mnt/{**,}, # This may look a bit redundant, however it appears we need all of # them if we want things to work properly on all combinations of kernel # and userspace parser...
pivot_root /usr/lib*/lxc/, pivot_root /usr/lib*/*/lxc/, pivot_root /usr/lib*/lxc/**, pivot_root /usr/lib*/*/lxc/**, pivot_root @LXCROOTFSMOUNT@/{,**}, change_profile -> lxc-*, change_profile -> lxc-**, change_profile -> unconfined, change_profile -> :lxc-*:unconfined, ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/container-rules0000664000175000017500000000576014773562270020725 0ustar00stgraberstgraber # generated by: lxc-generate-aa-rules.py container-rules.base deny /proc/sys/[^kn]*{,/**} wklx, deny /proc/sys/k[^e]*{,/**} wklx, deny /proc/sys/ke[^r]*{,/**} wklx, deny /proc/sys/ker[^n]*{,/**} wklx, deny /proc/sys/kern[^e]*{,/**} wklx, deny /proc/sys/kerne[^l]*{,/**} wklx, deny /proc/sys/kernel/[^smhd]*{,/**} wklx, deny /proc/sys/kernel/d[^o]*{,/**} wklx, deny /proc/sys/kernel/do[^m]*{,/**} wklx, deny /proc/sys/kernel/dom[^a]*{,/**} wklx, deny /proc/sys/kernel/doma[^i]*{,/**} wklx, deny /proc/sys/kernel/domai[^n]*{,/**} wklx, deny /proc/sys/kernel/domain[^n]*{,/**} wklx, deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, deny /proc/sys/kernel/domainname?*{,/**} wklx, deny /proc/sys/kernel/h[^o]*{,/**} wklx, deny /proc/sys/kernel/ho[^s]*{,/**} wklx, deny /proc/sys/kernel/hos[^t]*{,/**} wklx, deny /proc/sys/kernel/host[^n]*{,/**} wklx, deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, deny /proc/sys/kernel/hostname?*{,/**} wklx, deny /proc/sys/kernel/m[^s]*{,/**} wklx, deny /proc/sys/kernel/ms[^g]*{,/**} wklx, deny /proc/sys/kernel/msg*/** wklx, deny /proc/sys/kernel/s[^he]*{,/**} wklx, deny /proc/sys/kernel/se[^m]*{,/**} wklx, deny /proc/sys/kernel/sem*/** wklx, deny /proc/sys/kernel/sh[^m]*{,/**} wklx, deny /proc/sys/kernel/shm*/** wklx, deny /proc/sys/kernel?*{,/**} wklx, deny /proc/sys/n[^e]*{,/**} wklx, deny 
/proc/sys/ne[^t]*{,/**} wklx, deny /proc/sys/net?*{,/**} wklx, deny /sys/[^fdc]*{,/**} wklx, deny /sys/c[^l]*{,/**} wklx, deny /sys/cl[^a]*{,/**} wklx, deny /sys/cla[^s]*{,/**} wklx, deny /sys/clas[^s]*{,/**} wklx, deny /sys/class/[^n]*{,/**} wklx, deny /sys/class/n[^e]*{,/**} wklx, deny /sys/class/ne[^t]*{,/**} wklx, deny /sys/class/net?*{,/**} wklx, deny /sys/class?*{,/**} wklx, deny /sys/d[^e]*{,/**} wklx, deny /sys/de[^v]*{,/**} wklx, deny /sys/dev[^i]*{,/**} wklx, deny /sys/devi[^c]*{,/**} wklx, deny /sys/devic[^e]*{,/**} wklx, deny /sys/device[^s]*{,/**} wklx, deny /sys/devices/[^v]*{,/**} wklx, deny /sys/devices/v[^i]*{,/**} wklx, deny /sys/devices/vi[^r]*{,/**} wklx, deny /sys/devices/vir[^t]*{,/**} wklx, deny /sys/devices/virt[^u]*{,/**} wklx, deny /sys/devices/virtu[^a]*{,/**} wklx, deny /sys/devices/virtua[^l]*{,/**} wklx, deny /sys/devices/virtual/[^n]*{,/**} wklx, deny /sys/devices/virtual/n[^e]*{,/**} wklx, deny /sys/devices/virtual/ne[^t]*{,/**} wklx, deny /sys/devices/virtual/net?*{,/**} wklx, deny /sys/devices/virtual?*{,/**} wklx, deny /sys/devices?*{,/**} wklx, deny /sys/f[^s]*{,/**} wklx, deny /sys/fs/[^c]*{,/**} wklx, deny /sys/fs/c[^g]*{,/**} wklx, deny /sys/fs/cg[^r]*{,/**} wklx, deny /sys/fs/cgr[^o]*{,/**} wklx, deny /sys/fs/cgro[^u]*{,/**} wklx, deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/container-rules.base0000664000175000017500000000074014773562270021627 0ustar00stgraberstgraber# Run lxc-generate-aa-rules.py on this file after any modification, to generate # the container-rules file which is appended to container-base.in to create the # final abstractions/container-base. 
block /sys allow /sys/fs/cgroup/** allow /sys/devices/virtual/net/** allow /sys/class/net/** block /proc/sys allow /proc/sys/kernel/shm* allow /proc/sys/kernel/sem* allow /proc/sys/kernel/msg* allow /proc/sys/kernel/hostname allow /proc/sys/kernel/domainname allow /proc/sys/net/** ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/lxc-containers0000664000175000017500000000030614773562270020533 0ustar00stgraberstgraber# This file exists only to ensure that all per-container policies # listed under /etc/apparmor.d/lxc get loaded at boot. Please do # not edit this file. #include #include ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/lxc-generate-aa-rules.py0000775000175000017500000000775314773562270022336 0ustar00stgraberstgraber#!/usr/bin/env python3 import sys blocks = [] denies = [] # # blocks is an array of paths under which we want to block by # default. # # blocks[0] = ['path' = '/sys', 'children' = [A,B] ] # blocks[1] = ['path' = '/proc/sys', 'children' = [ E ] ] # A = [ 'path' = 'fs', children = [C] ] # C = [ 'path' = 'cgroup', children = [F] ] # B = [ 'path' = 'class', children = [D] ] # D = [ 'path' = 'net', children = [F] ] # E = [ 'path' = 'shm*' ] # F = [ 'path' = '**' ] def add_block(path): for b in blocks: if b['path'] == path: # duplicate return blocks.append({'path': path.strip(), 'children': []}) # @prev is an array of dicts which containing 'path' and # 'children'. @path is a string. We are looking for an entry # in @prev which contains @path, and will return its # children array. def child_get(prev, path): for p in prev: if p['path'] == path: return p['children'] return None def add_allow(path): # find which block we belong to found = None for b in blocks: l = len(b['path']) if len(path) <= l: continue # TODO - should we find the longest match? 
if path[0:l] == b['path']: found = b break if found is None: print("allow with no previous block at %s" % path) sys.exit(1) p = path[l:].strip() while p[:1] == "/": p = p[1:] prev = b['children'] for s in p.split('/'): n = {'path': s.strip(), 'children': []} tmp = child_get(prev, n['path']) if tmp is not None: prev = tmp else: prev.append(n) prev = n['children'] def collect_chars(children, ref, index): r = "" for c in children: if index >= len(c['path']): continue if ref[0:index] != c['path'][0:index]: continue if c['path'][index] not in r: r = r + c['path'][index] return r def append_deny(s): s = "%s wklx," % s if s not in denies: denies.append(s) def gen_denies(pathsofar, children): for c in children: for char in range(len(c['path'])): if char == len(c['path'])-1 and c['path'][char] == '*': continue if char == len(c['path'])-2: if c['path'][char:char+2] == '**': continue x = collect_chars(children, c['path'], char) newdeny = "deny %s/%s[^%s]*{,/**}" % (pathsofar, c['path'][0:char], x) append_deny(newdeny) if c['path'] != '**' and c['path'][len(c['path'])-1] != '*': newdeny = "deny %s/%s?*{,/**}" % (pathsofar, c['path']) append_deny(newdeny) elif c['path'] != '**': newdeny = "deny %s/%s/**" % (pathsofar, c['path']) append_deny(newdeny) if len(c['children']) != 0: newpath = "%s/%s" % (pathsofar, c['path']) gen_denies(newpath, c['children']) def main(): config = "config" if len(sys.argv) > 1: config = sys.argv[1] lines = None try: with open(config) as f: lines = f.readlines() except FileNotFoundError as err: print("Config file not found") print(err) sys.exit(1) for line in lines: line.strip() if line.startswith('#'): continue try: (cmd, path) = line.split(' ') except: # blank line continue if cmd == "block": add_block(path) elif cmd == "allow": add_allow(path) else: print("Unknown command: %s" % cmd) sys.exit(1) for block in blocks: gen_denies(block['path'], block['children']) denies.sort() genby = " # generated by: lxc-generate-aa-rules.py" for a in sys.argv[1:]: 
genby += " %s" % a print(genby) for d in denies: print(" %s" % d) if __name__ == "__main__": main() ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/meson.build0000664000175000017500000000131014773562270020015 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ if libapparmor.found() configure_file( configuration: dummy_config_data, input: 'lxc-containers', output: 'lxc-containers', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d')) configure_file( configuration: dummy_config_data, input: 'usr.bin.lxc-start', output: 'usr.bin.lxc-start', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d')) configure_file( configuration: dummy_config_data, input: 'usr.bin.lxc-copy', output: 'usr.bin.lxc-copy', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d')) endif ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/profiles/0000775000175000017500000000000014773562270017503 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/profiles/lxc-default0000664000175000017500000000073714773562270021645 0ustar00stgraberstgraber# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default flags=(attach_disconnected,mediate_deleted) { #include # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with # the newinstance option (but, right now, we don't). deny mount fstype=devpts, } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/profiles/lxc-default-cgns0000664000175000017500000000112514773562270022565 0ustar00stgraberstgraber# Do not load this file. 
Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) { #include # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with # the newinstance option (but, right now, we don't). deny mount fstype=devpts, mount fstype=cgroup -> /sys/fs/cgroup/**, mount fstype=cgroup2 -> /sys/fs/cgroup/**, mount fstype=overlay, } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/profiles/lxc-default-with-mounting0000664000175000017500000000104014773562270024440 0ustar00stgraberstgraber# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) { #include # allow standard blockdevtypes. # The concern here is in-kernel superblock parsers bringing down the # host with bad data. However, we continue to disallow proc, sys, securityfs, # etc to nonstandard locations. mount fstype=ext*, mount fstype=xfs, mount fstype=btrfs, } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/profiles/lxc-default-with-nesting0000664000175000017500000000107414773562270024256 0ustar00stgraberstgraber# Do not load this file. 
Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) { #include #include deny /dev/.lxc/proc/** rw, deny /dev/.lxc/sys/** rw, mount fstype=proc -> /var/cache/lxc/**, mount fstype=sysfs -> /var/cache/lxc/**, # unlike the bind rules in abstractions/container-base, this rule names no # source path, so bind mounts of /proc, /sys and /dev are permitted too mount options=(rw,bind), mount fstype=cgroup -> /sys/fs/cgroup/**, mount fstype=cgroup2 -> /sys/fs/cgroup/**, } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/profiles/meson.build0000664000175000017500000000172614773562270021653 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ if libapparmor.found() configure_file( configuration: dummy_config_data, input: 'lxc-default', output: 'lxc-default', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc')) configure_file( configuration: dummy_config_data, input: 'lxc-default-cgns', output: 'lxc-default-cgns', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc')) configure_file( configuration: dummy_config_data, input: 'lxc-default-with-mounting', output: 'lxc-default-with-mounting', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc')) configure_file( configuration: dummy_config_data, input: 'lxc-default-with-nesting', output: 'lxc-default-with-nesting', install: true, install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc')) endif ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/usr.bin.lxc-copy0000664000175000017500000000017414773562270020722 0ustar00stgraberstgraber#include /usr/bin/lxc-copy flags=(attach_disconnected) { #include } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/apparmor/usr.bin.lxc-start0000664000175000017500000000017514773562270021106 0ustar00stgraberstgraber#include /usr/bin/lxc-start
flags=(attach_disconnected) { #include } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/bash/0000775000175000017500000000000014773562270014754 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/bash/_lxc.in0000664000175000017500000010046614773562270016240 0ustar00stgraberstgraber# lxc-* commands completion __lxc_names() { declare -a names case ${words[0]} in lxc-attach | lxc-cgroup | lxc-checkpoint | lxc-console | lxc-device | lxc-freeze | lxc-stop ) mapfile -t names < <(command lxc-ls --running -1) ;; lxc-destroy | lxc-execute | lxc-snapshot | lxc-start ) mapfile -t names < <(command lxc-ls --stopped -1) ;; lxc-copy | lxc-info | lxc-monitor | lxc-wait ) mapfile -t names < <(command lxc-ls --defined -1) ;; lxc-autostart | lxc-create | lxc-checkconfig | lxc-config | lxc-ls | \ lxc-top | lxc-unshare | lxc-update-config | lxc-usernsexec ) ;; lxc-unfreeze ) mapfile -t names < <(command lxc-ls --frozen -1) ;; *) # If we are running as an alias or symlink with different name, # fallback to old behaviour. mapfile -t names < <(command lxc-ls -1) ;; esac COMPREPLY=() for i in "${!names[@]}"; do # For composed names with spaces escaped by '\'. names[${i}]=$(command printf "%q" "${names[${i}]}") if [[ -n $(compgen -W "${names[${i}]}" -- "${cur}") ]]; then COMPREPLY+=("${names[${i}]}") fi done } __lxc_check_name_present() { mapfile -t names < <(command lxc-ls -1) local -r shortoptnamexp="^-[0-9A-Za-mo-z]*n[0-9A-Za-mo-z]*$" local container local param local parsed # Current word on command line, minus double/single quote and backslash. local -r current="${cur//[\\\"\']}" # If `--name` or `-n` are present, then a container name should be available. for i in "${!words[@]}"; do param="${words[${i}]}" # Parse names from command line when space is escaped by backslash. 
parsed="${param//[\\\"\']}" if [[ ${parsed} =~ ^--name(=(.*))?$ ]]; then if [[ -n "${BASH_REMATCH[2]}" ]]; then container="${BASH_REMATCH[2]}" else container="${words[${i}+1]}" fi command printf "%q" "${container}" return 0 elif [[ ${parsed} =~ ${shortoptnamexp} ]]; then command printf "%q" "${words[${i}+1]}" return 0 fi for name in "${names[@]}"; do if [[ "${parsed}" == "${name}" ]] && [[ "${current}" != "${parsed}" ]]; then command printf "%q" "${name}" return 0 fi done done return 1 } __lxc_append_name() { local -r name=$(__lxc_check_name_present) if [[ -z "${name}" ]]; then __lxc_names fi } __lxc_get_snapshots() { local -r container=$(__lxc_check_name_present) [[ -z "${container}" ]] && return mapfile -t snaps < <(command lxc-snapshot --name="${container}" --list) local -r nosnapxp="^No snapshots$" if [[ ! "${snaps[*]}" =~ ${nosnapxp} ]]; then for i in "${!snaps[@]}"; do read -r -e -a line <<< "${snaps[${i}]}" command printf "%s " "${line[0]}" done fi } __lxc_common_opt() { # End of options. if [[ "${words[*]}" =~ ' -- ' ]]; then return 1 fi case ${prev} in --help | -h | -\? | --usage | --version ) return 1 ;; --lxcpath | -P ) _filedir -d return 1 ;; --logfile | -o ) _filedir log return 1 ;; --logpriority | -l ) COMPREPLY=( $( compgen -W 'FATAL CRIT WARN ERROR NOTICE INFO DEBUG' -- "${cur}" ) ) return 1 ;; --quiet | -q ) # Only flags. 
return ;; esac } __lxc_concat_array_sep() { local -r sep="${1}" local concat for word in "${@:2}"; do if [[ "${word}" == "${sep}" ]]; then concat+="${word}" else concat+="${word}${sep}" fi done command printf "%s" "${concat}" } __lxc_check_completion_avail() { local -r word="${1}" local -r pattern="^${word}" for w in "${@:2}"; do if [[ "${w}" =~ ${pattern} ]] && [[ "${w}" != "${word}" ]]; then return 0 fi done return 1 } __lxc_array_has_duplicates() { declare -A unique for word in "${@}"; do if [[ -z "${unique[${word}]}" ]]; then unique["${word}"]="${word}" else return 0 fi done return 1 } __lxc_check_word_in_array() { local -r word="${1}" for w in "${@:2}"; do if [[ "${w}" == "${word}" ]]; then return 0 fi done return 1 } __lxc_piped_args() { local -r currentWord="${1}" local -r sep="${2}" declare -a completionWords=("${@:3}") # Remove double/single quote and backslash from current completion parameter. IFS=$"${sep}" read -r -e -a current <<< "${currentWord//[\\\"\']}" # Add separator back to current in case it is part of completion list. for i in "${!current[@]}"; do if [[ -z "${current[${i}]}" ]]; then current["${i}"]="${sep}" fi done # Remove words from completion already added to argument. declare -a minuslast=("${current[@]::${#current[@]}-1}") declare -a completion=("${completionWords[@]}") for i in "${!completion[@]}"; do if __lxc_check_word_in_array "${completion[${i}]}" "${minuslast[@]}"; then command unset -v 'completion[${i}]' fi done completion=("${completion[@]}") # Check if words from argument are uniquely part of completion. if __lxc_array_has_duplicates "${minuslast[@]}"; then return fi declare -a allcomps=("${completionWords[@]}") for i in "${!minuslast[@]}"; do if ! __lxc_check_word_in_array "${minuslast[${i}]}" "${allcomps[@]}"; then return fi done # Actual completion array. 
declare -a extcompletion local -r nparts="${#current[@]}" if [[ "${nparts}" -gt 0 ]]; then local prefix=$(__lxc_concat_array_sep "${sep}" "${current[@]::${nparts}-1}") local -r lastword="${current[${nparts}-1]}" if __lxc_check_completion_avail "${lastword}" "${completion[@]}"; then for comp in "${completion[@]}"; do extcompletion+=("\"${prefix}${comp}\"") done fi # TAB after quotes to complete for next value. if ! __lxc_array_has_duplicates "${current[@]}" && __lxc_check_word_in_array "${lastword}" "${allcomps[@]}"; then if ! __lxc_check_completion_avail "${lastword}" "${completion[@]}" || [[ "${#currentWord}" -lt "${#sep}" ]] || [[ "${currentWord: -${#sep}}" == "${sep}" ]]; then prefix=$(__lxc_concat_array_sep "${sep}" "${current[@]}") for comp in "${completion[@]}"; do [[ "${comp}" == "${lastword}" ]] && continue if [[ "${comp}" != "${sep}" ]]; then extcompletion+=("\"${prefix}${comp}\"") else # Trailing sep. extcompletion+=("\"${prefix}\"") [[ "${#completion[@]}" -gt 2 ]] && extcompletion+=("\"${prefix}${comp}\"") fi done fi fi else # [[ "${nparts}" -eq 0 ]] for word in "${allcomps[@]}"; do extcompletion+=("${word}") done fi COMPREPLY=( $( compgen -P '"' -S '"' -W "$(command echo -e ${extcompletion[@]})" -- "${cur}" ) ) [[ "${#extcompletion[@]}" -gt 1 ]] && compopt -o nospace } __lxc_get_selinux_contexts() { declare -a sepolicies=() local sepolicy # Check for SElinux tool. if ! command -v semanage > /dev/null 2>&1; then return fi # Skip header + following empty line. mapfile -s 2 -t output < <(command semanage fcontext -l 2>/dev/null) local -r none="<>" for line in "${output[@]}"; do if [[ "${line}" =~ "SELinux Distribution fcontext Equivalence" ]]; then break fi read -r -e -a current <<< "${line}" if [[ "${#current[@]}" -gt 0 ]]; then sepolicy="${current[${#current[@]}-1]}" [[ ! "${sepolicy}" =~ ${none} ]] && sepolicies+=("${sepolicy}") fi done # Default context. 
sepolicies+=("unconfined_u:object_r:default_t:s0") COMPREPLY=( $( compgen -P'"' -S'"' -W "${sepolicies[*]}" -- "${cur}" ) ) } _lxc_attach() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile | -f ) _filedir return ;; --pty-log | -L ) _filedir log return ;; --arch | -a ) # https://github.com/lxc/lxc/blob/stable-4.0/src/tests/arch_parse.c#L37 COMPREPLY=( $( compgen -W 'arm armel armhf armv7l athlon i386 i486 i586 i686 linux32 mips mipsel ppc powerpc x86 aarch64 amd64 arm64 linux64 loongarch64 mips64 mips64el ppc64 ppc64el ppc64le powerpc64 riscv64 s390x x86_64' -- "${cur}" ) ) return ;; --elevated-privileges | -e ) __lxc_piped_args "${cur}" '|' CGROUP CAP LSM return ;; --namespaces | -s ) __lxc_piped_args "${cur}" '|' MOUNT PID UTSNAME IPC USER NETWORK return ;; --remount-sys-proc | -R | --keep-env | --clear-env ) # Only flags. ;; --set-var | -v ) # custom VAR=VALUE return ;; --keep-var ) COMPREPLY=( $( compgen -A variable -- "${cur}" ) ) return ;; --uid | -u ) _uids return ;; --gid | -g ) _gids return ;; --context | -c ) __lxc_get_selinux_contexts return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_attach lxc-attach __lxc_get_groups() { declare -A groups local key declare -a linegroups # Discard "GROUPS" header and lines without any groups (with only '-'). 
mapfile -s 1 -t lines < <(command lxc-ls -f --fancy-format GROUPS | command sed -e '/^-/d') for line in "${lines[@]}"; do line=$(command echo -e "${line}" | command sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') IFS=$',' read -r -e -a linegroups <<< "${line}" for entry in "${linegroups[@]}"; do key=$(command printf "%q" "${entry}") groups+=(["${key}"]=1) done done declare -a output=("${!groups[@]}") command printf "%s" "${output[*]}" } _lxc_autostart() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --reboot | -r | --shutdown | -s | --kill | -k | --list | -L | --all | -a | --ignore-auto | -A ) # Only flags. ;; --timeout | -t ) COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) compopt -o nospace return ;; --groups | -g ) __lxc_piped_args "${cur}" ',' $( __lxc_get_groups ) ',' return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi } && complete -F _lxc_autostart lxc-autostart __lxc_cgroup_v2() { declare -a stateObjects local -r path="${1}" [[ ! -f "${path}/cgroup.controllers" ]] && return for controller in $(<"${path}/cgroup.controllers"); do for so in "${path}/${controller}".*; do [[ ! -f "${so}" ]] && continue stateObjects+=("${so##*/}") done done command printf "%s" "${stateObjects[*]}" } __lxc_cgroup_v1() { declare -a stateObjects local -r path="${1}" local prefix for controller in "${path}"/*; do [[ ! -d "${controller}" ]] && continue prefix="${controller##*/}" for so in "${controller}/${prefix}".*; do [[ ! 
-f "${so}" ]] && continue stateObjects+=("${so##*/}") done done command printf "%s" "${stateObjects[*]}" } __lxc_cgroup_state_object() { local -r name="${1}" local -r cgroupPath="/sys/fs/cgroup" local output local -r userSlicePath="${cgroupPath}/user.slice" local -r lxcPayloadPath="${cgroupPath}/lxc.payload.${name}" if [[ -d "${userSlicePath}" ]]; then # cgroup_v2 + user.slice read -r -e -a output <<< $(__lxc_cgroup_v2 "${userSlicePath}") elif [[ -d "${lxcPayloadPath}" ]]; then # cgroup_v2 + lxc.payload read -r -e -a output <<< $(__lxc_cgroup_v2 "${lxcPayloadPath}") else # cgroup_v1 read -r -e -a output <<< $(__lxc_cgroup_v1 "${cgroupPath}") fi # Check if state-object is present already. for w in "${words[@]}"; do if [[ "${cur}" != "${w}" ]] && __lxc_check_word_in_array "${w}" "${output[@]}"; then return elif [[ "${cur}" == "${w}" ]] && ! __lxc_check_completion_avail "${w}" "${output[@]}"; then return fi done COMPREPLY=( $( compgen -W "${output[*]}" -- "${cur}" ) ) } _lxc_cgroup() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi local -r custom=$(__lxc_check_name_present) if [[ -n "${custom}" ]]; then __lxc_cgroup_state_object "${custom}" else __lxc_append_name fi } && complete -F _lxc_cgroup lxc-cgroup _lxc_checkpoint() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --restore | -r | --stop | -s | --verbose | -v | --daemon | -d | --foreground | -F ) # Only flags. 
;; --checkpoint-dir | -D ) _filedir -d return ;; --action-script | -A ) _filedir return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_checkpoint lxc-checkpoint _lxc_config() { local cur prev words cword split _init_completion -s -n : || return $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '-l' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi COMPREPLY=( $( compgen -W "$( command lxc-config -l )" -- "${cur}" ) ) } && complete -F _lxc_config lxc-config _lxc_console() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --escape | -e ) COMPREPLY+=( $( compgen -P "'" -S "'" -W "^{a..z} {a..z}" -- "${cur}" ) ) return ;; --tty | -t ) COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) compopt -o nospace return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_console lxc-console __lxc_backing_stores() { COMPREPLY=( $( compgen -W 'best btrfs dir loop lvm nbd overlay overlayfs rbd zfs' -- "${cur}" ) ) } __lxc_size_unit() { if [[ -n "${cur}" ]] && [[ ! "${cur}" =~ ^[0-9]+$ ]]; then return fi # Size. 
if [[ -z "${cur}" ]]; then COMPREPLY=( $( compgen -P "${cur}" -W "{1..9}" ) ) else COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) # Unit COMPREPLY+=( $( compgen -P "${cur}" -W "$( command echo ${@})" ) ) fi compopt -o nospace } _lxc_copy() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --newname | -N | --mount | -m ) return ;; --newpath | -p ) _filedir -d return ;; --rename | -R | --snapshot | -s | --allowrunning | -a | --foreground | -F | --daemon | -d | --tmpfs | -t | --keepname | -K | --keepdata | -D | --keepmac | -M ) # Only flags. ;; --backingstorage | -B ) __lxc_backing_stores return ;; --fssize | -L ) __lxc_size_unit K M G T return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_copy lxc-copy __lxc_templates() { COMPREPLY=( $( compgen -W "$(command ls @LXCTEMPLATEDIR@/ | command sed -e 's|^lxc-||' )" -- "${cur}" ) ) } _lxc_create() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --config | -f ) _filedir return ;; --template | -t ) __lxc_templates return ;; --bdev | -B ) __lxc_backing_stores return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi } && complete -F _lxc_create lxc-create _lxc_destroy() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --force | -f | --snapshots | -s ) # Only flags. 
;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_destroy lxc-destroy _lxc_device() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return case ${prev} in -h ) return ;; --name | -n ) __lxc_names return ;; add ) _available_interfaces COMPREPLY+=( $( compgen -f -d -X "!*/?*" -- "${cur:-/dev/}" ) ) return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_device lxc-device _lxc_execute() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile | -f ) _filedir return ;; --define | -s ) # @TODO: list values from source code. # tag=value # https://github.com/lxc/lxc/blob/stable-4.0/src/lxc/confile.c#L178 return ;; --daemon | -d ) # Only flags. 
;; --uid | -u ) _uids return ;; --gid | -g ) _gids return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_execute lxc-execute _lxc_freeze() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile | -f ) _filedir return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_freeze lxc-freeze _lxc_info() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --config | -c ) # @TODO: list values from source code. # tag # https://github.com/lxc/lxc/blob/stable-4.0/src/lxc/confile.c#L178 return ;; --ips | -i | --pid | -p | --stats | -S | --no-humanize | -H | --state | -s ) # Only flags. ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_info lxc-info _lxc_ls() { local cur prev words cword split _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --line | -1 | --fancy | -f | --active | --frozen | --running | --stopped | --defined ) # Only flags. ;; --fancy-format | -F ) __lxc_piped_args "${cur}" ',' NAME STATE PID RAM SWAP AUTOSTART GROUPS INTERFACE IPV4 IPV6 UNPRIVILEGED return ;; --groups | -g ) __lxc_piped_args "${cur}" ',' $( __lxc_get_groups ) ',' return ;; --nesting ) COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) compopt -o nospace return ;; --filter ) # POSIX extended regular expression. 
return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi } && complete -F _lxc_ls lxc-ls _lxc_monitor() { local cur prev words cword split _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --quit | -Q ) # Only flags. ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_monitor lxc-monitor _lxc_snapshot() { local cur prev words cword split _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --comment | -c ) _filedir return ;; --destroy | -d ) COMPREPLY=( $( compgen -W 'ALL $( __lxc_get_snapshots )' -- "${cur}" ) ) return ;; --list | -L | --showcomments | -C ) # Only flags. ;; --restore | -r ) COMPREPLY=( $( compgen -W '$( __lxc_get_snapshots )' -- "${cur}" ) ) return ;; --newname | -N ) return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_snapshot lxc-snapshot _lxc_start() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --daemon | -d | --foreground | -F | --close-all-fds | -C ) # Only flags. ;; --pidfile | -p ) _filedir pid return ;; --rcfile | -f ) _filedir return ;; --console | -c ) # Output devices, such as /dev/tty* _filedir return ;; --console-log | -L) _filedir return ;; --define | -s ) # @TODO: list values from source code. 
# tag=value # https://github.com/lxc/lxc/blob/stable-4.0/src/lxc/confile.c#L178 return ;; --share-net | --share-ipc | --share-uts ) _pids COMPREPLY+=( $( compgen -W "$( command lxc-ls --active )" -- "${cur}" ) ) return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) # Needed due to weird `_parse_help` output for the `--share-*` options. COMPREPLY=( $( compgen -W '${COMPREPLY[@]/--share-} --share-net --share-ipc --share-uts' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_start lxc-start _lxc_stop() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --reboot | -r | --kill | -k | --nokill | --nolock | --nowait | -W ) # Only flags. ;; --timeout | -t ) COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) compopt -o nospace return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_stop lxc-stop _lxc_top() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --batch | -b | --reverse | -r ) # Only flags. 
;; --delay | -d ) COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) compopt -o nospace return ;; --sort | -s ) COMPREPLY=( $( compgen -W 'n c b m k' -- "${cur}" ) ) return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi } && complete -F _lxc_top lxc-top _lxc_unfreeze() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_unfreeze lxc-unfreeze _lxc_unshare() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --namespaces | -s ) __lxc_piped_args "${cur}" '|' MOUNT PID UTSNAME IPC USER NETWORK return ;; --user | -u ) _uids return ;; --hostname | -H ) return ;; --ifname | -i ) _available_interfaces return ;; --daemon | -d | --remount | -M ) # Only flags. 
;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi } && complete -F _lxc_unshare lxc-unshare _lxc_update_config() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return case ${prev} in --help | -h ) return ;; --config | -c ) _filedir return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi } && complete -F _lxc_update_config lxc-update-config __lxc_id_mapping() { local -r tmp="${cur//[^:]}" if [[ "${#tmp}" -eq 0 ]]; then COMPREPLY=( $( compgen -W "u: g: b:" -- "${cur}" ) ) fi compopt -o nospace } _lxc_usernsexec() { local cur prev words cword split COMPREPLY=() _init_completion -s -n : || return # End of options. if [[ "${words[*]}" =~ ' -- ' ]]; then return fi case ${prev} in -h ) return ;; -m ) # ^[ugb]:[0-9]+:[0-9]+(:[0-9]+)?$ __lxc_id_mapping return ;; -s ) # Only flags. 
;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '-h -m -s' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace fi } && complete -F _lxc_usernsexec lxc-usernsexec _lxc_wait() { local cur prev words cword split _init_completion -s -n : || return __lxc_common_opt || return case ${prev} in --name | -n ) __lxc_names return ;; --rcfile ) _filedir return ;; --state | -s ) __lxc_piped_args "${cur}" '|' STOPPED STARTING RUNNING STOPPING ABORTING FREEZING FROZEN THAWED return ;; --timeout | -t ) COMPREPLY=( $( compgen -P "${cur}" -W "{0..9}" ) ) compopt -o nospace return ;; esac $split && return if [[ ${cur} == -* ]]; then COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "${cur}" ) ) [[ ${COMPREPLY-} == *= ]] && compopt -o nospace return fi __lxc_append_name } && complete -F _lxc_wait lxc-wait # ex: filetype=sh ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/bash/meson.build0000664000175000017500000000134014773562270017114 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ bash_completion = configure_file( configuration: conf, input: '_lxc.in', output: '_lxc', install: true, install_dir: bashcompletiondir) foreach cmd: [ 'lxc-attach', 'lxc-autostart', 'lxc-cgroup', 'lxc-checkpoint', 'lxc-config', 'lxc-console', 'lxc-copy', 'lxc-create', 'lxc-destroy', 'lxc-device', 'lxc-execute', 'lxc-freeze', 'lxc-info', 'lxc-ls', 'lxc-monitor', 'lxc-snapshot', 'lxc-start', 'lxc-stop', 'lxc-top', 'lxc-unfreeze', 'lxc-unshare', 'lxc-usernsexec', 'lxc-wait', ] install_symlink(cmd, pointing_to: '_lxc', install_dir: bashcompletiondir) endforeach ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/etc/0000775000175000017500000000000014773562270014612 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 
lxc-6.0.4/config/etc/default.conf.libvirt0000664000175000017500000000010314773562270020551 0ustar00stgraberstgraberlxc.net.0.type = veth lxc.net.0.link = virbr0 lxc.net.0.flags = up ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/etc/default.conf.lxcbr0000664000175000017500000000015014773562270020212 0ustar00stgraberstgraberlxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = 10:66:6a:xx:xx:xx ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/etc/default.conf.unknown0000664000175000017500000000002714773562270020602 0ustar00stgraberstgraberlxc.net.0.type = empty ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/etc/meson.build0000664000175000017500000000033514773562270016755 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_system_config = configure_file( configuration: dummy_config_data, input: 'default.conf.lxcbr', output: 'default.conf', install: true, install_dir: lxcconfdir) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/0000775000175000017500000000000014773562270015002 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/common/0000775000175000017500000000000014773562270016272 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/common/lxc-containers.in0000775000175000017500000000606714773562270021567 0ustar00stgraberstgraber#!/bin/sh sysconfdir="@SYSCONFDIR@" distrosysconfdir="@LXC_DISTRO_SYSCONF@" bindir="@BINDIR@" localstatedir="@LOCALSTATEDIR@" # These can be overridden in @LXC_DISTRO_SYSCONF@/lxc # Autostart containers? LXC_AUTO="true" # BOOTGROUPS - What groups should start on bootup? 
# Comma separated list of groups. # Leading comma, trailing comma or embedded double # comma indicates when the NULL group should be run. # Example (default): boot the onboot group first then the NULL group BOOTGROUPS="onboot," # SHUTDOWNDELAY - Wait time for a container to shut down. # Container shutdown can result in lengthy system # shutdown times. Even 5 seconds per container can be # too long. SHUTDOWNDELAY=5 # OPTIONS can be used for anything else. # If you want to boot everything then # options can be "-a" or "-a -A". OPTIONS= # STOPOPTS are stop options. They can be used for anything else to stop. # If you want to kill containers fast, use -k STOPOPTS="-a -A -s" if [ -d "$localstatedir"/lock/subsys ] then lockdir="$localstatedir"/lock/subsys else lockdir="$localstatedir"/lock fi # Source any configurable options [ ! -f "$distrosysconfdir"/lxc ] || . "$distrosysconfdir"/lxc # Check for needed utility program [ -x "$bindir"/lxc-autostart ] || exit 1 # If libvirtd is providing the bridge, it might not be # immediately available, so wait a bit for it before starting # up the containers or else any that use the bridge will fail # to start wait_for_bridge() { [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { return 0; } local BRNAME try flags br [ -f "$sysconfdir"/lxc/default.conf ] || { return 0; } BRNAME=$(grep '^[ ]*lxc.net.0.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ ]*//') if [ -z "$BRNAME" ]; then return 0 fi for try in $(seq 1 30); do for br in ${BRNAME}; do [ -r /sys/class/net/${br}/flags ] || { sleep 1; continue 2; } read flags < /sys/class/net/${br}/flags [ $((flags & 0x1)) -eq 1 ] || { sleep 1; continue 2; } done return 0 done } # See how we were called. case "$1" in start) [ "x$LXC_AUTO" = "xtrue" ] || { exit 0; } [ ! -f "$lockdir"/lxc ] || { exit 0; } if [ -n "$BOOTGROUPS" ]; then BOOTGROUPS="-g $BOOTGROUPS" fi touch "$lockdir"/lxc # Start containers wait_for_bridge # Start autoboot containers first then the NULL group "onboot,".
"$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS rm -f "$lockdir"/lxc ;; stop) if [ -n "$SHUTDOWNDELAY" ]; then SHUTDOWNDELAY="-t $SHUTDOWNDELAY" fi # The stop is serialized and can take excessive time. We need to avoid # delaying the system shutdown / reboot as much as we can since it's not # parallelized... Even 5 second timeout may be too long. "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY ;; restart|reload|force-reload) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 2 ;; esac exit $? ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/common/lxc-net.in0000775000175000017500000002115414773562270020202 0ustar00stgraberstgraber#!/bin/sh - distrosysconfdir="@LXC_DISTRO_SYSCONF@" varrun="@RUNTIME_PATH@/lxc" varlib="@LOCALSTATEDIR@/lib" # These can be overridden in @LXC_DISTRO_SYSCONF@/lxc # or in @LXC_DISTRO_SYSCONF@/lxc-net USE_LXC_BRIDGE="true" LXC_BRIDGE="lxcbr0" LXC_BRIDGE_MAC="10:66:6a:00:00:00" LXC_ADDR="10.0.3.1" LXC_NETMASK="255.255.255.0" LXC_NETWORK="10.0.3.0/24" LXC_DHCP_RANGE="10.0.3.2,10.0.3.254" LXC_DHCP_MAX="253" LXC_DHCP_CONFILE="" LXC_DHCP_PING="true" LXC_DOMAIN="" LXC_USE_NFT="true" # IPv6 connectivity LXC_IPV6_ENABLE="true" LXC_IPV6_ADDR="fc42:5009:ba4b:5ab0::1" LXC_IPV6_MASK="64" LXC_IPV6_NETWORK="fc42:5009:ba4b:5ab0::/64" LXC_IPV6_NAT="true" [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc use_nft() { [ -n "$NFT" ] && nft list ruleset > /dev/null 2>&1 && [ "$LXC_USE_NFT" = "true" ] } NFT="$(command -v nft)" if ! use_nft; then use_iptables_lock="-w" iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" fi _netmask2cidr () { # Assumes there's no "255." 
after a non-255 byte in the mask local x=${1##*255.} set -- 0^^^128^192^224^240^248^252^254^ $(( (${#1} - ${#x})*2 )) ${x%%.*} x=${1%%$3*} echo $(( $2 + (${#x}/4) )) } _ifdown() { ip addr flush dev ${LXC_BRIDGE} ip link set dev ${LXC_BRIDGE} down } _ifup() { MASK=$(_netmask2cidr ${LXC_NETMASK}) CIDR_ADDR="${LXC_ADDR}/${MASK}" ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE} ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC ip link set dev ${LXC_BRIDGE} up } start_ipv6() { LXC_IPV6_ARG="" [ "${LXC_IPV6_ENABLE}" = "true" ] || return 0 if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then echo 1 > /proc/sys/net/ipv6/conf/all/forwarding echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf ip -6 addr add dev ${LXC_BRIDGE} ${LXC_IPV6_ADDR}/${LXC_IPV6_MASK} LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}" fi } start_iptables() { start_ipv6 if [ -n "$LXC_IPV6_ARG" ] && [ "$LXC_IPV6_NAT" = "true" ]; then ip6tables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE fi iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! 
-d ${LXC_NETWORK} -j MASQUERADE iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill } start_nftables() { start_ipv6 NFT_RULESET="" if [ -n "$LXC_IPV6_ARG" ] && [ "$LXC_IPV6_NAT" = "true" ]; then NFT_RULESET="${NFT_RULESET} add table ip6 lxc; flush table ip6 lxc; add chain ip6 lxc postrouting { type nat hook postrouting priority 100; }; add rule ip6 lxc postrouting ip6 saddr ${LXC_IPV6_NETWORK} ip6 daddr != ${LXC_IPV6_NETWORK} counter masquerade; " fi NFT_RULESET="${NFT_RULESET}; add table inet lxc; flush table inet lxc; add chain inet lxc input { type filter hook input priority 0; }; add rule inet lxc input iifname ${LXC_BRIDGE} udp dport { 53, 67 } accept; add rule inet lxc input iifname ${LXC_BRIDGE} tcp dport { 53, 67 } accept; add chain inet lxc forward { type filter hook forward priority 0; }; add rule inet lxc forward iifname ${LXC_BRIDGE} accept; add rule inet lxc forward oifname ${LXC_BRIDGE} accept; add table ip lxc; flush table ip lxc; add chain ip lxc postrouting { type nat hook postrouting priority 100; }; add rule ip lxc postrouting ip saddr ${LXC_NETWORK} ip daddr != ${LXC_NETWORK} counter masquerade" nft "${NFT_RULESET}" } start() { [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; } [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; } if [ -d /sys/class/net/${LXC_BRIDGE} ]; then stop force || true fi FAILED=1 cleanup() { set +e if [ "$FAILED" = "1" ]; then echo "Failed to setup lxc-net." >&2 stop force exit 1 fi } trap cleanup EXIT HUP INT TERM set -e # set up the lxc network [ ! -d /sys/class/net/${LXC_BRIDGE} ] && ip link add dev ${LXC_BRIDGE} type bridge echo 1 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true # if we are run from systemd on a system with selinux enabled, # the mkdir will create /run/lxc as init_var_run_t which dnsmasq # can't write its pid into, so we restorecon it (to var_run_t) if [ ! 
-d "${varrun}" ]; then mkdir -p "${varrun}" if command -v restorecon >/dev/null 2>&1; then restorecon "${varrun}" fi fi _ifup if use_nft; then start_nftables else start_iptables fi LXC_DOMAIN_ARG="" if [ -n "$LXC_DOMAIN" ]; then LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/" fi # lxc's dnsmasq should be hermetic and not read `/etc/dnsmasq.conf` (which # it does by default if `--conf-file` is not present) LXC_DHCP_CONFILE_ARG="--conf-file=${LXC_DHCP_CONFILE:-/dev/null}" # https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010561.html for DNSMASQ_USER in lxc-dnsmasq dnsmasq nobody do if getent passwd ${DNSMASQ_USER} >/dev/null; then break fi done LXC_DHCP_PING_ARG="" if [ "x$LXC_DHCP_PING" = "xfalse" ]; then LXC_DHCP_PING_ARG="--no-ping" fi DNSMASQ_MISC_DIR="$varlib/misc" if [ ! -d "$DNSMASQ_MISC_DIR" ]; then mkdir -p "$DNSMASQ_MISC_DIR" fi dnsmasq $LXC_DHCP_CONFILE_ARG $LXC_DOMAIN_ARG $LXC_DHCP_PING_ARG -u ${DNSMASQ_USER} \ --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid \ --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \ --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \ --except-interface=lo --interface=${LXC_BRIDGE} \ --dhcp-leasefile="${DNSMASQ_MISC_DIR}"/dnsmasq.${LXC_BRIDGE}.leases \ --dhcp-authoritative $LXC_IPV6_ARG || cleanup touch "${varrun}"/network_up FAILED=0 } stop_iptables() { iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} !
-d ${LXC_NETWORK} -j MASQUERADE iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill if [ "$LXC_IPV6_NAT" = "true" ]; then ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE fi } stop_nftables() { # Adding table before removing them is just to avoid # delete error for non-existent table NFT_RULESET="add table inet lxc; delete table inet lxc; add table ip lxc; delete table ip lxc; " if [ "$LXC_IPV6_NAT" = "true" ]; then NFT_RULESET="${NFT_RULESET}; add table ip6 lxc; delete table ip6 lxc;" fi nft "${NFT_RULESET}" } stop() { [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; } [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "lxc-net isn't running"; exit 1; } if [ -d /sys/class/net/${LXC_BRIDGE} ]; then _ifdown if use_nft; then stop_nftables else stop_iptables fi pid=$(cat "${varrun}"/dnsmasq.pid 2>/dev/null) && kill -9 $pid rm -f "${varrun}"/dnsmasq.pid # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 || ip link delete ${LXC_BRIDGE} fi rm -f "${varrun}"/network_up } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload|force-reload) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 2 esac exit $? 
././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/common/meson.build0000664000175000017500000000054214773562270020435 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_containers = configure_file( configuration: conf, input: 'lxc-containers.in', output: 'lxc-containers', install: true, install_dir: lxclibexec) lxc_net = configure_file( configuration: conf, input: 'lxc-net.in', output: 'lxc-net', install: true, install_dir: lxclibexec) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/systemd/0000775000175000017500000000000014773562270016472 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/systemd/lxc-apparmor-load0000775000175000017500000000115214773562270021741 0ustar00stgraberstgraber#!/bin/sh # lxc-apparmor-load: Load AppArmor profiles, if supported by the system set -eu # don't load profiles if mount mediation is not supported SYSF=/sys/kernel/security/apparmor/features/mount/mask if [ -f $SYSF ]; then if [ -x /lib/apparmor/profile-load ]; then /lib/apparmor/profile-load usr.bin.lxc-copy /lib/apparmor/profile-load usr.bin.lxc-start /lib/apparmor/profile-load lxc-containers elif [ -x /lib/init/apparmor-profile-load ]; then /lib/init/apparmor-profile-load usr.bin.lxc-copy /lib/init/apparmor-profile-load usr.bin.lxc-start /lib/init/apparmor-profile-load lxc-containers fi fi ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/systemd/lxc-monitord.service.in0000664000175000017500000000033314773562270023077 0ustar00stgraberstgraber[Unit] Description=LXC Container Monitoring Daemon After=syslog.service network.target Documentation=man:lxc [Service] Type=simple ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon [Install] WantedBy=multi-user.target 
././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/systemd/lxc-net.service.in0000664000175000017500000000046014773562270022033 0ustar00stgraberstgraber[Unit] Description=LXC network bridge setup After=network-online.target Before=lxc.service Documentation=man:lxc ConditionVirtualization=!lxc [Service] Type=oneshot RemainAfterExit=yes ExecStart=@LIBEXECDIR@/lxc/lxc-net start ExecStop=@LIBEXECDIR@/lxc/lxc-net stop [Install] WantedBy=multi-user.target ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/systemd/lxc.service.in0000664000175000017500000000101614773562270021245 0ustar00stgraberstgraber[Unit] Description=LXC Container Initialization and Autoboot Code After=network.target lxc-net.service remote-fs.target Wants=lxc-net.service Documentation=man:lxc-autostart man:lxc [Service] Type=oneshot RemainAfterExit=yes ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load ExecStart=@LIBEXECDIR@/lxc/lxc-containers start ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop ExecReload=@LIBEXECDIR@/lxc/lxc-apparmor-load # Environment=BOOTUP=serial # Environment=CONSOLETYPE=serial Delegate=yes [Install] WantedBy=multi-user.target ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/systemd/lxc@.service.in0000664000175000017500000000061314773562270021347 0ustar00stgraberstgraber[Unit] Description=LXC Container: %i # This pulls in apparmor, dev-setup, lxc-net After=lxc.service Wants=lxc.service Documentation=man:lxc-start man:lxc [Service] Type=simple KillMode=mixed TimeoutStopSec=120s ExecStart=@BINDIR@/lxc-start -F -n %i ExecStop=@BINDIR@/lxc-stop -n %i # Environment=BOOTUP=serial # Environment=CONSOLETYPE=serial Delegate=yes [Install] WantedBy=multi-user.target ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 
lxc-6.0.4/config/init/systemd/meson.build0000664000175000017500000000233614773562270020640 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_apparmor_load = configure_file( configuration: dummy_config_data, input: 'lxc-apparmor-load', output: 'lxc-apparmor-load', install: true, install_dir: lxclibexec) if 'systemd' in init_script systemd_system_unit_dir = get_option('systemd-unitdir') if systemd_system_unit_dir == '' systemd = dependency('systemd') systemd_system_unit_dir = systemd.get_variable('systemdsystemunitdir') endif configure_file( configuration: conf, input: 'lxc-monitord.service.in', output: 'lxc-monitord.service', install: true, install_dir: systemd_system_unit_dir) configure_file( configuration: conf, input: 'lxc-net.service.in', output: 'lxc-net.service', install: true, install_dir: systemd_system_unit_dir) configure_file( configuration: conf, input: 'lxc.service.in', output: 'lxc.service', install: true, install_dir: systemd_system_unit_dir) configure_file( configuration: conf, input: 'lxc@.service.in', output: 'lxc@.service', install: true, install_dir: systemd_system_unit_dir) endif ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/sysvinit/0000775000175000017500000000000014773562270016672 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/sysvinit/lxc-containers.in0000664000175000017500000000247314773562270022161 0ustar00stgraberstgraber#!/bin/sh # # lxc Start/Stop LXC autoboot containers # # chkconfig: 345 99 01 # description: Starts/Stops all LXC containers configured for autostart. 
# ### BEGIN INIT INFO # Provides: lxc # Required-Start: $syslog $remote_fs # Required-Stop: $syslog $remote_fs # Should-Start: cgroupfs-mount # Should-Stop: cgroupfs-mount # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Bring up/down LXC autostart containers # Description: Bring up/down LXC autostart containers ### END INIT INFO # To be replaced by LSB functions, if they can be found # Defined here for distributions that don't have log_daemon_msg log_daemon_msg () { echo $@ } # Try to source LSB init functions to define LSB log_* functions. test ! -r /lib/lsb/init-functions || . /lib/lsb/init-functions start() { # Setup host /dev for autodev containers. log_daemon_msg "Starting LXC autoboot containers: " @LIBEXECDIR@/lxc/lxc-containers start } stop() { log_daemon_msg "Stopping LXC containers: " @LIBEXECDIR@/lxc/lxc-containers stop } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload|force-reload) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 2 ;; esac exit $? ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/sysvinit/lxc-net.in0000664000175000017500000000227314773562270020600 0ustar00stgraberstgraber#!/bin/sh - # # lxc-net Start/Stop LXC Networking # # chkconfig: 345 98 01 # description: Starts/Stops LXC Network Bridge # ### BEGIN INIT INFO # Provides: lxc-net # Required-Start: $syslog $remote_fs # Required-Stop: $syslog $remote_fs # Should-Start: # Should-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Bring up/down LXC Network Bridge # Description: Bring up/down LXC Network Bridge ### END INIT INFO # To be replaced by LSB functions, if they can be found # Defined here for distributions that don't have log_daemon_msg log_daemon_msg () { echo $@ } # Try to source LSB init functions to define LSB log_* functions. test ! -r /lib/lsb/init-functions || . 
/lib/lsb/init-functions start() { log_daemon_msg "Starting LXC network bridge: " @LIBEXECDIR@/lxc/lxc-net start } stop() { log_daemon_msg "Stopping LXC network bridge: " @LIBEXECDIR@/lxc/lxc-net stop } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload|force-reload) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 2 ;; esac exit $? ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/init/sysvinit/meson.build0000664000175000017500000000070614773562270021037 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ if 'sysvinit' in init_script configure_file( configuration: conf, input: 'lxc-containers.in', output: 'lxc-containers', install: true, install_dir: join_paths(sysconfdir, 'init.d')) configure_file( configuration: conf, input: 'lxc-net.in', output: 'lxc-net', install: true, install_dir: join_paths(sysconfdir, 'init.d')) endif ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/selinux/0000775000175000017500000000000014773562270015526 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/selinux/lxc.if0000664000175000017500000000006014773562270016630 0ustar00stgraberstgraber## Policy for LXC containers ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/selinux/lxc.te0000664000175000017500000000546514773562270016660 0ustar00stgraberstgraber# # SELinux policy for LXC for RHEL/CentOS/Oracle 6.5. # It attempts to restrict the container to the same amount of access # as an unprivileged user. 
To build and insert this policy module: # # make -f /usr/share/selinux/devel/Makefile lxc.pp # semodule -i lxc.pp # # In your container's lxc config: # lxc.selinux.context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228 # # Ensure your container's rootfs files are labeled: # chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs # # To keep containers separated from each other, vary the MCS # portion of the contexts above so that each container gets a unique set of # values; each MCS compartment can be a number from 0-1023. # policy_module(lxc,0.35) userdom_unpriv_user_template(lxc) type lxc_file_t; files_type(lxc_file_t); role system_r types { lxc_t lxc_file_t }; gen_require(` type devpts_t; type proc_t; type ssh_port_t; type sysctl_kernel_t; type sysctl_modprobe_t; type sysctl_net_t; type tmpfs_t; type unconfined_t; class filesystem { relabelfrom unmount }; class tcp_socket name_bind; class udp_socket name_bind; '); # So lxc can transition to lxc_t on exec allow unconfined_t lxc_t:process transition; can_exec(lxc_t, lxc_file_t) # So lxc can dyntransition to lxc_t for attach executing a function allow unconfined_t lxc_t:process dyntransition; # So lxc-start can relabel the pty allocated for the console allow lxc_file_t devpts_t:filesystem associate; # So container can mount /dev/shm and relabel it allow lxc_t tmpfs_t:filesystem relabelfrom; # Allow all access to objects of type lxc_file_t; device access is not # restricted by this policy and can be restricted with the device cgroup allow lxc_t lxc_file_t:file *; allow lxc_t lxc_file_t:lnk_file *; allow lxc_t lxc_file_t:chr_file *; allow lxc_t lxc_file_t:blk_file *; allow lxc_t lxc_file_t:sock_file *; allow lxc_t lxc_file_t:fifo_file *; allow lxc_t lxc_file_t:socket *; allow lxc_t lxc_file_t:dir *; allow lxc_t lxc_file_t:filesystem unmount; fs_unmount_all_fs(lxc_t) allow lxc_t proc_t:dir mounton; allow lxc_t proc_t:filesystem mount; allow lxc_t tmpfs_t:filesystem mount; allow lxc_t self:capability { dac_override 
dac_read_search fsetid ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin sys_boot sys_tty_config }; allow lxc_t sysctl_net_t:file write; allow lxc_t ssh_port_t:tcp_socket name_bind; corenet_tcp_connect_all_ports(lxc_t) corenet_tcp_bind_all_ports(lxc_t) corenet_udp_bind_all_ports(lxc_t) # Needed for ifup/ip/dhcp allow lxc_t self:packet_socket create_socket_perms; allow lxc_t self:rawip_socket create_socket_perms; allow lxc_t self:netlink_route_socket create_netlink_socket_perms; # Needed to set label that the keyring will be created with allow lxc_t self:process { setkeycreate }; dontaudit lxc_t sysctl_kernel_t:file write; dontaudit lxc_t sysctl_modprobe_t:file write; ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/selinux/meson.build0000664000175000017500000000061514773562270017672 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_selinux_if = configure_file( configuration: dummy_config_data, input: 'lxc.if', output: 'lxc.if', install: libselinux.found(), install_dir: lxcselinuxdir) lxc_selinux_te = configure_file( configuration: dummy_config_data, input: 'lxc.te', output: 'lxc.te', install: libselinux.found(), install_dir: lxcselinuxdir) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/sysconfig/0000775000175000017500000000000014773562270016043 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/sysconfig/lxc.in0000664000175000017500000000161014773562270017157 0ustar00stgraberstgraber# LXC_AUTO - whether or not to start containers at boot LXC_AUTO="true" # BOOTGROUPS - What groups should start on bootup? # Comma separated list of groups. # Leading comma, trailing comma or embedded double # comma indicates when the NULL group should be run. 
# Example (default): boot the onboot group first then the NULL group BOOTGROUPS="onboot," # SHUTDOWNDELAY - Wait time for a container to shut down. # Container shutdown can result in lengthy system # shutdown times. Even 5 seconds per container can be # too long. SHUTDOWNDELAY=5 # OPTIONS can be used for anything else. # If you want to boot everything then # options can be "-a" or "-a -A". OPTIONS= # STOPOPTS are stop options. They can be used to pass any other options when stopping. # If you want to kill containers fast, use -k STOPOPTS="-a -A -s" USE_LXC_BRIDGE="false" [ ! -f @LXC_DISTRO_SYSCONF@/lxc-net ] || . @LXC_DISTRO_SYSCONF@/lxc-net ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/sysconfig/meson.build0000664000175000017500000000034514773562270020207 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ if distrosysconfdir != '' configure_file( configuration: conf, input: 'lxc.in', output: 'lxc', install: true, install_dir: distrosysconfdir) endif ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/0000775000175000017500000000000014773562270016035 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/common.conf.d/0000775000175000017500000000000014773562270020473 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/common.conf.d/README0000664000175000017500000000044714773562270021360 0ustar00stgraberstgraberThis directory can be used by packages and users to dump LXC configuration snippets which will then be used by all containers using the common.conf configuration file (directly or indirectly). Configuration files must end with the .conf suffix and LXC will include those in alphabetical order. 
././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/common.conf.d/meson.build0000664000175000017500000000033614773562270022637 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_conf_common_readme = configure_file( configuration: dummy_config_data, input: 'README', output: 'README', install: true, install_dir: lxctemplateconfcommondir) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/common.conf.in0000664000175000017500000000443014773562270020602 0ustar00stgraberstgraber# Default configuration shared by all containers # Setup the LXC devices in /dev/lxc/ lxc.tty.dir = lxc # Allow for 1024 pseudo terminals lxc.pty.max = 1024 # Setup 4 tty devices lxc.tty.max = 4 # Drop some harmful capabilities lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio # Ensure hostname is changed on clone lxc.hook.clone = @LXCHOOKDIR@/clonehostname # Default legacy cgroup configuration # # CGroup allowlist lxc.cgroup.devices.deny = a ## Allow any mknod (but not reading/writing the node) lxc.cgroup.devices.allow = c *:* m lxc.cgroup.devices.allow = b *:* m ## Allow specific devices ### /dev/null lxc.cgroup.devices.allow = c 1:3 rwm ### /dev/zero lxc.cgroup.devices.allow = c 1:5 rwm ### /dev/full lxc.cgroup.devices.allow = c 1:7 rwm ### /dev/tty lxc.cgroup.devices.allow = c 5:0 rwm ### /dev/console lxc.cgroup.devices.allow = c 5:1 rwm ### /dev/ptmx lxc.cgroup.devices.allow = c 5:2 rwm ### /dev/random lxc.cgroup.devices.allow = c 1:8 rwm ### /dev/urandom lxc.cgroup.devices.allow = c 1:9 rwm ### /dev/pts/* lxc.cgroup.devices.allow = c 136:* rwm ### fuse lxc.cgroup.devices.allow = c 10:229 rwm # Default unified cgroup configuration # # CGroup allowlist lxc.cgroup2.devices.deny = a ## Allow any mknod (but not reading/writing the node) lxc.cgroup2.devices.allow = c *:* m lxc.cgroup2.devices.allow = b *:* m ## Allow specific 
devices ### /dev/null lxc.cgroup2.devices.allow = c 1:3 rwm ### /dev/zero lxc.cgroup2.devices.allow = c 1:5 rwm ### /dev/full lxc.cgroup2.devices.allow = c 1:7 rwm ### /dev/tty lxc.cgroup2.devices.allow = c 5:0 rwm ### /dev/console lxc.cgroup2.devices.allow = c 5:1 rwm ### /dev/ptmx lxc.cgroup2.devices.allow = c 5:2 rwm ### /dev/random lxc.cgroup2.devices.allow = c 1:8 rwm ### /dev/urandom lxc.cgroup2.devices.allow = c 1:9 rwm ### /dev/pts/* lxc.cgroup2.devices.allow = c 136:* rwm ### fuse lxc.cgroup2.devices.allow = c 10:229 rwm # Setup the default mounts lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 # Block some syscalls which are not safe in privileged # containers lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp # Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/ lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/common.seccomp0000664000175000017500000000030614773562270020677 0ustar00stgraberstgraber2 denylist reject_force_umount # comment this to allow umount -f; not recommended [all] kexec_load errno 1 open_by_handle_at errno 1 init_module errno 1 finit_module errno 1 delete_module errno 1 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/meson.build0000664000175000017500000000165614773562270020207 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_conf_common_seccomp = configure_file( configuration: conf, input: 'common.seccomp', output: 'common.seccomp', install: true, install_dir: lxctemplateconfdir) lxc_conf_common_main = configure_file( configuration: conf, input: 'common.conf.in', output: 'common.conf', install: true, install_dir: lxctemplateconfdir) lxc_conf_common_nesting = configure_file( configuration: conf, input: 
'nesting.conf.in', output: 'nesting.conf', install: true, install_dir: lxctemplateconfdir) lxc_conf_common_oci = configure_file( configuration: conf, input: 'oci.common.conf.in', output: 'oci.common.conf', install: true, install_dir: lxctemplateconfdir) lxc_conf_common_userns = configure_file( configuration: conf, input: 'userns.conf.in', output: 'userns.conf', install: true, install_dir: lxctemplateconfdir) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/nesting.conf.in0000664000175000017500000000047314773562270020764 0ustar00stgraberstgraber# Use a profile which allows nesting lxc.apparmor.profile = lxc-container-default-with-nesting # Add uncovered mounts of proc and sys, else unprivileged users # cannot remount those lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0 lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/oci.common.conf.in0000664000175000017500000000023114773562270021346 0ustar00stgraberstgraber# Uncomment the following if you want to use DHCP for OCI containers #lxc.hook.start-host = @LXCHOOKDIR@/dhclient #lxc.hook.stop = @LXCHOOKDIR@/dhclient ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/templates/userns.conf.in0000664000175000017500000000111514773562270020626 0ustar00stgraberstgraber# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices # # Default legacy cgroup configuration # lxc.cgroup.devices.deny = lxc.cgroup.devices.allow = # Default unified cgroup configuration # lxc.cgroup2.devices.deny = lxc.cgroup2.devices.allow = # Start with a full set of capabilities in user namespaces. 
lxc.cap.drop = lxc.cap.keep = # We can't move bind-mounts, so don't use /dev/lxc/ lxc.tty.dir = # Setup the default mounts lxc.mount.auto = sys:rw # Lastly, include all the configs from @LXCTEMPLATECONFIG@/userns.conf.d/ lxc.include = @LXCTEMPLATECONFIG@/userns.conf.d/ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/yum/0000775000175000017500000000000014773562270014651 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/yum/lxc-patch.py0000664000175000017500000000203614773562270017107 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ # # Yum plugin to re-patch container rootfs after a yum update is done import os from fnmatch import fnmatch from yum.plugins import TYPE_INTERACTIVE requires_api_version = '2.0' plugin_type = (TYPE_INTERACTIVE,) def posttrans_hook(conduit): pkgs = [] patch_required = False # If we aren't root, we can't have updated anything if os.geteuid(): return # See what packages have files that were patched confpkgs = conduit.confString('main', 'packages') if not confpkgs: return tmp = confpkgs.split(",") for confpkg in tmp: pkgs.append(confpkg.strip()) conduit.info(2, "lxc-patch: checking if updated pkgs need patching...") ts = conduit.getTsInfo() for tsmem in ts.getMembers(): for pkg in pkgs: if fnmatch(pkg, tsmem.po.name): patch_required = True if patch_required: conduit.info(2, "lxc-patch: patching container...") os.spawnlp(os.P_WAIT, "lxc-patch", "lxc-patch", "--patch", "/") ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/config/yum/meson.build0000664000175000017500000000031714773562270017014 0ustar00stgraberstgraber# SPDX-License-Identifier: LGPL-2.1+ lxc_patch = configure_file( configuration: dummy_config_data, input: 'lxc-patch.py', output: 'lxc-patch.py', install: true, install_dir: lxcdatadir) 
././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/doc/0000775000175000017500000000000014773562270013337 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/doc/FAQ.txt0000664000175000017500000000147514773562270014516 0ustar00stgraberstgraber Troubleshooting: =============== Error: ------ error while loading shared libraries reported after sudo make install and when trying to run lxc-execute. "lxc-execute -n foo -f /usr/local/etc/lxc/lxc-macvlan.conf /bin/bash" /usr/local/bin/lxc-execute: error while loading shared libraries: liblxc-0.5.0.so: cannot open shared object file: No such file or directory Answer: ------- update the ld cache by running ldconfig. Error: ------ error when starting a container. "lxc-start Invalid argument" "lxc-execute -n foo -f /usr/local/etc/lxc/lxc-macvlan.conf /bin/bash" "[syserr] lxc_start:96: Invalid argument - failed to fork into a new namespace" Answer: ------- read the lxc man page about kernel version prereq :) most probably your kernel is not configured to support the container options you want to use. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/doc/api/0000775000175000017500000000000014773562270014110 5ustar00stgraberstgraber././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1743709368.0 lxc-6.0.4/doc/api/Doxyfile0000664000175000017500000030211214773562270015615 0ustar00stgraberstgraber# Doxyfile 1.8.5 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project. # # All text after a double hash (##) is considered a comment and is placed in # front of the TAG it is preceding. # # All text after a single hash (#) is considered a comment and will be ignored. # The format is: # TAG = value [value, ...] 
# For lists, items can also be appended using: # TAG += value [value, ...] # Values that contain spaces should be placed between quotes (\" \"). #--------------------------------------------------------------------------- # Project related configuration options #--------------------------------------------------------------------------- # This tag specifies the encoding used for all characters in the config file # that follow. The default is UTF-8 which is also the encoding used for all text # before the first occurrence of this tag. Doxygen uses libiconv (or the iconv # built into libc) for the transcoding. See http://www.gnu.org/software/libiconv # for the list of possible encodings. # The default value is: UTF-8. DOXYFILE_ENCODING = UTF-8 # The PROJECT_NAME tag is a single word (or a sequence of words surrounded by # double-quotes, unless you are using Doxywizard) that should identify the # project for which the documentation is generated. This name is used in the # title of most generated pages and in a few other places. # The default value is: My Project. PROJECT_NAME = "LXC" # The PROJECT_NUMBER tag can be used to enter a project or revision number. This # could be handy for archiving the generated documentation or if some version # control system is used. PROJECT_NUMBER = # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a # quick idea about the purpose of the project. Keep the description short. PROJECT_BRIEF = # With the PROJECT_LOGO tag one can specify an logo or icon that is included in # the documentation. The maximum height of the logo should not exceed 55 pixels # and the maximum width should not exceed 200 pixels. Doxygen will copy the logo # to the output directory. PROJECT_LOGO = # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path # into which the generated documentation will be written. 
If a relative path is # entered, it will be relative to the location where doxygen was started. If # left blank the current directory will be used. OUTPUT_DIRECTORY = . # If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub- # directories (in 2 levels) under the output directory of each output format and # will distribute the generated files over these directories. Enabling this # option can be useful when feeding doxygen a huge amount of source files, where # putting all generated files in the same directory would otherwise causes # performance problems for the file system. # The default value is: NO. CREATE_SUBDIRS = NO # The OUTPUT_LANGUAGE tag is used to specify the language in which all # documentation generated by doxygen is written. Doxygen will use this # information to generate all constant output in the proper language. # Possible values are: Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese- # Traditional, Croatian, Czech, Danish, Dutch, English, Esperanto, Farsi, # Finnish, French, German, Greek, Hungarian, Italian, Japanese, Japanese-en, # Korean, Korean-en, Latvian, Norwegian, Macedonian, Persian, Polish, # Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, # Turkish, Ukrainian and Vietnamese. # The default value is: English. OUTPUT_LANGUAGE = English # If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member # descriptions after the members that are listed in the file and class # documentation (similar to Javadoc). Set to NO to disable this. # The default value is: YES. BRIEF_MEMBER_DESC = YES # If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief # description of a member or function before the detailed description # # Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the # brief descriptions will be completely suppressed. # The default value is: YES. 
REPEAT_BRIEF = YES # This tag implements a quasi-intelligent brief description abbreviator that is # used to form the text in various listings. Each string in this list, if found # as the leading text of the brief description, will be stripped from the text # and the result, after processing the whole list, is used as the annotated # text. Otherwise, the brief description is used as-is. If left blank, the # following values are used ($name is automatically replaced with the name of # the entity):The $name class, The $name widget, The $name file, is, provides, # specifies, contains, represents, a, an and the. ABBREVIATE_BRIEF = # If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then # doxygen will generate a detailed section even if there is only a brief # description. # The default value is: NO. ALWAYS_DETAILED_SEC = NO # If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all # inherited members of a class in the documentation of that class as if those # members were ordinary class members. Constructors, destructors and assignment # operators of the base classes will not be shown. # The default value is: NO. INLINE_INHERITED_MEMB = NO # If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path # before files name in the file list and in the header files. If set to NO the # shortest path that makes the file name unique will be used # The default value is: YES. FULL_PATH_NAMES = NO # The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path. # Stripping is only done if one of the specified strings matches the left-hand # part of the path. The tag can be used to show relative paths in the file list. # If left blank the directory from which doxygen is run is used as the path to # strip. # # Note that you can specify absolute paths here, but also relative paths, which # will be relative from the directory where doxygen is started. # This tag requires that the tag FULL_PATH_NAMES is set to YES. 
STRIP_FROM_PATH = # The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the # path mentioned in the documentation of a class, which tells the reader which # header file to include in order to use a class. If left blank only the name of # the header file containing the class definition is used. Otherwise one should # specify the list of include paths that are normally passed to the compiler # using the -I flag. STRIP_FROM_INC_PATH = # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but # less readable) file names. This can be useful if your file system doesn't # support long names, as on DOS, Mac, or CD-ROM. # The default value is: NO. SHORT_NAMES = NO # If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the # first line (until the first dot) of a Javadoc-style comment as the brief # description. If set to NO, the Javadoc-style will behave just like regular Qt- # style comments (thus requiring an explicit @brief command for a brief # description.) # The default value is: NO. JAVADOC_AUTOBRIEF = NO # If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first # line (until the first dot) of a Qt-style comment as the brief description. If # set to NO, the Qt-style will behave just like regular Qt-style comments (thus # requiring an explicit \brief command for a brief description.) # The default value is: NO. QT_AUTOBRIEF = NO # The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a # multi-line C++ special comment block (i.e. a block of //! or /// comments) as # a brief description. This used to be the default behavior. The new default is # to treat a multi-line C++ comment block as a detailed description. Set this # tag to YES if you prefer the old behavior instead. # # Note that setting this tag to YES also means that rational rose comments are # not recognized any more. # The default value is: NO. 
MULTILINE_CPP_IS_BRIEF = NO # If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the # documentation from any documented member that it re-implements. # The default value is: YES. INHERIT_DOCS = YES # If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a # new page for each member. If set to NO, the documentation of a member will be # part of the file/class/namespace that contains it. # The default value is: NO. SEPARATE_MEMBER_PAGES = NO # The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen # uses this value to replace tabs by spaces in code fragments. # Minimum value: 1, maximum value: 16, default value: 4. TAB_SIZE = 4 # This tag can be used to specify a number of aliases that act as commands in # the documentation. An alias has the form: # name=value # For example adding # "sideeffect=@par Side Effects:\n" # will allow you to put the command \sideeffect (or @sideeffect) in the # documentation, which will result in a user-defined paragraph with heading # "Side Effects:". You can put \n's in the value part of an alias to insert # newlines. ALIASES = # This tag can be used to specify a number of word-keyword mappings (TCL only). # A mapping has the form "name=value". For example adding "class=itcl::class" # will allow you to use the command class in the itcl::class meaning. TCL_SUBST = # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources # only. Doxygen will then generate output that is more tailored for C. For # instance, some of the names that are used will be different. The list of all # members will be omitted, etc. # The default value is: NO. OPTIMIZE_OUTPUT_FOR_C = YES # Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or # Python sources only. Doxygen will then generate output that is more tailored # for that language. For instance, namespaces will be presented as packages, # qualified scopes will look different, etc. 
# The default value is: NO. OPTIMIZE_OUTPUT_JAVA = NO # Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran # sources. Doxygen will then generate output that is tailored for Fortran. # The default value is: NO. OPTIMIZE_FOR_FORTRAN = NO # Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL # sources. Doxygen will then generate output that is tailored for VHDL. # The default value is: NO. OPTIMIZE_OUTPUT_VHDL = NO # Doxygen selects the parser to use depending on the extension of the files it # parses. With this tag you can assign which parser to use for a given # extension. Doxygen has a built-in mapping, but you can override or extend it # using this tag. The format is ext=language, where ext is a file extension, and # language is one of the parsers supported by doxygen: IDL, Java, JavaScript, # C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make # doxygen treat .inc files as Fortran files (default is PHP), and .f files as C # (default is Fortran), use: inc=Fortran f=C. # # Note For files without extension you can use no_extension as a placeholder. # # Note that for custom extensions you also need to set FILE_PATTERNS otherwise # the files are not read by doxygen. EXTENSION_MAPPING = # If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments # according to the Markdown format, which allows for more readable # documentation. See http://daringfireball.net/projects/markdown/ for details. # The output of markdown processing is further processed by doxygen, so you can # mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in # case of backward compatibilities issues. # The default value is: YES. MARKDOWN_SUPPORT = YES # When enabled doxygen tries to link words that correspond to documented # classes, or namespaces to their corresponding documentation. 
Such a link can # be prevented in individual cases by putting a % sign in front of the word # or globally by setting AUTOLINK_SUPPORT to NO. # The default value is: YES. AUTOLINK_SUPPORT = YES # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want # to include (a tag file for) the STL sources as input, then you should set this # tag to YES in order to let doxygen match function declarations and # definitions whose arguments contain STL classes (e.g. func(std::string); # versus func(std::string) {}). This also makes the inheritance and collaboration # diagrams that involve STL classes more complete and accurate. # The default value is: NO. BUILTIN_STL_SUPPORT = NO # If you use Microsoft's C++/CLI language, you should set this option to YES to # enable parsing support. # The default value is: NO. CPP_CLI_SUPPORT = NO # Set the SIP_SUPPORT tag to YES if your project consists of sip (see: # http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen # will parse them like normal C++ but will assume all classes use public instead # of private inheritance when no explicit protection keyword is present. # The default value is: NO. SIP_SUPPORT = NO # For Microsoft's IDL there are propget and propput attributes to indicate # getter and setter methods for a property. Setting this option to YES will make # doxygen to replace the get and set methods by a property in the documentation. # This will only work if the methods are indeed getting or setting a simple # type. If this is not the case, or you want to show the methods anyway, you # should set this option to NO. # The default value is: YES. IDL_PROPERTY_SUPPORT = YES # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC # tag is set to YES, then doxygen will reuse the documentation of the first # member in the group (if any) for the other members of the group. By default # all members of a group must be documented explicitly. # The default value is: NO. 
DISTRIBUTE_GROUP_DOC = YES # Set the SUBGROUPING tag to YES to allow class member groups of the same type # (for instance a group of public functions) to be put as a subgroup of that # type (e.g. under the Public Functions section). Set it to NO to prevent # subgrouping. Alternatively, this can be done per class using the # \nosubgrouping command. # The default value is: YES. SUBGROUPING = YES # When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions # are shown inside the group in which they are included (e.g. using \ingroup) # instead of on a separate page (for HTML and Man pages) or section (for LaTeX # and RTF). # # Note that this feature does not work in combination with # SEPARATE_MEMBER_PAGES. # The default value is: NO. INLINE_GROUPED_CLASSES = NO # When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions # with only public data fields or simple typedef fields will be shown inline in # the documentation of the scope in which they are defined (i.e. file, # namespace, or group documentation), provided this scope is documented. If set # to NO, structs, classes, and unions are shown on a separate page (for HTML and # Man pages) or section (for LaTeX and RTF). # The default value is: NO. INLINE_SIMPLE_STRUCTS = NO # When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or # enum is documented as struct, union, or enum with the name of the typedef. So # typedef struct TypeS {} TypeT, will appear in the documentation as a struct # with name TypeT. When disabled the typedef will appear as a member of a file, # namespace, or class. And the struct will be named TypeS. This can typically be # useful for C code in case the coding convention dictates that all compound # types are typedef'ed and only the typedef is referenced, never the tag name. # The default value is: NO. TYPEDEF_HIDES_STRUCT = NO # The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. 
This # cache is used to resolve symbols given their name and scope. Since this can be # an expensive process and often the same symbol appears multiple times in the # code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small # doxygen will become slower. If the cache is too large, memory is wasted. The # cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range # is 0..9, the default is 0, corresponding to a cache size of 2^16=65536 # symbols. At the end of a run doxygen will report the cache usage and suggest # the optimal cache size from a speed point of view. # Minimum value: 0, maximum value: 9, default value: 0. LOOKUP_CACHE_SIZE = 0 #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- # If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in # documentation are documented, even if no documentation was available. Private # class members and static file members will be hidden unless the # EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES. # Note: This will also disable the warnings about undocumented members that are # normally produced when WARNINGS is set to YES. # The default value is: NO. EXTRACT_ALL = NO # If the EXTRACT_PRIVATE tag is set to YES all private members of a class will # be included in the documentation. # The default value is: NO. EXTRACT_PRIVATE = NO # If the EXTRACT_PACKAGE tag is set to YES all members with package or internal # scope will be included in the documentation. # The default value is: NO. EXTRACT_PACKAGE = NO # If the EXTRACT_STATIC tag is set to YES all static members of a file will be # included in the documentation. # The default value is: NO. EXTRACT_STATIC = NO # If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined # locally in source files will be included in the documentation. 
If set to NO # only classes defined in header files are included. Does not have any effect # for Java sources. # The default value is: YES. EXTRACT_LOCAL_CLASSES = YES # This flag is only useful for Objective-C code. When set to YES local methods, # which are defined in the implementation section but not in the interface are # included in the documentation. If set to NO only methods in the interface are # included. # The default value is: NO. EXTRACT_LOCAL_METHODS = NO # If this flag is set to YES, the members of anonymous namespaces will be # extracted and appear in the documentation as a namespace called # 'anonymous_namespace{file}', where file will be replaced with the base name of # the file that contains the anonymous namespace. By default anonymous namespace # are hidden. # The default value is: NO. EXTRACT_ANON_NSPACES = NO # If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all # undocumented members inside documented classes or files. If set to NO these # members will be included in the various overviews, but no documentation # section is generated. This option has no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_MEMBERS = NO # If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all # undocumented classes that are normally visible in the class hierarchy. If set # to NO these classes will be included in the various overviews. This option has # no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_CLASSES = NO # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend # (class|struct|union) declarations. If set to NO these declarations will be # included in the documentation. # The default value is: NO. HIDE_FRIEND_COMPOUNDS = NO # If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any # documentation blocks found inside the body of a function. If set to NO these # blocks will be appended to the function's detailed documentation block. 
# The default value is: NO. HIDE_IN_BODY_DOCS = NO # The INTERNAL_DOCS tag determines if documentation that is typed after a # \internal command is included. If the tag is set to NO then the documentation # will be excluded. Set it to YES to include the internal documentation. # The default value is: NO. INTERNAL_DOCS = NO # If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file # names in lower-case letters. If set to YES upper-case letters are also # allowed. This is useful if you have classes or files whose names only differ # in case and if your file system supports case sensitive file names. Windows # and Mac users are advised to set this option to NO. # The default value is: system dependent. CASE_SENSE_NAMES = YES # If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with # their full class and namespace scopes in the documentation. If set to YES the # scope will be hidden. # The default value is: NO. HIDE_SCOPE_NAMES = NO # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of # the files that are included by a file in the documentation of that file. # The default value is: YES. SHOW_INCLUDE_FILES = YES # If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include # files with double quotes in the documentation rather than with sharp brackets. # The default value is: NO. FORCE_LOCAL_INCLUDES = NO # If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the # documentation for inline members. # The default value is: YES. INLINE_INFO = YES # If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the # (detailed) documentation of file and class members alphabetically by member # name. If set to NO the members will appear in declaration order. # The default value is: YES. SORT_MEMBER_DOCS = YES # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief # descriptions of file, namespace and class members alphabetically by member # name. 
If set to NO the members will appear in declaration order. # The default value is: NO. SORT_BRIEF_DOCS = NO # If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the # (brief and detailed) documentation of class members so that constructors and # destructors are listed first. If set to NO the constructors will appear in the # respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS. # Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief # member documentation. # Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting # detailed member documentation. # The default value is: NO. SORT_MEMBERS_CTORS_1ST = NO # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy # of group names into alphabetical order. If set to NO the group names will # appear in their defined order. # The default value is: NO. SORT_GROUP_NAMES = NO # If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by # fully-qualified names, including namespaces. If set to NO, the class list will # be sorted only by class name, not including the namespace part. # Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. # Note: This option applies only to the class list, not to the alphabetical # list. # The default value is: NO. SORT_BY_SCOPE_NAME = NO # If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper # type resolution of all parameters of a function it will reject a match between # the prototype and the implementation of a member function even if there is # only one candidate or it is obvious which candidate to choose by doing a # simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still # accept a match between prototype and implementation in such cases. # The default value is: NO. STRICT_PROTO_MATCHING = NO # The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the # todo list. 
This list is created by putting \todo commands in the # documentation. # The default value is: YES. GENERATE_TODOLIST = YES # The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the # test list. This list is created by putting \test commands in the # documentation. # The default value is: YES. GENERATE_TESTLIST = YES # The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug # list. This list is created by putting \bug commands in the documentation. # The default value is: YES. GENERATE_BUGLIST = YES # The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO) # the deprecated list. This list is created by putting \deprecated commands in # the documentation. # The default value is: YES. GENERATE_DEPRECATEDLIST= YES # The ENABLED_SECTIONS tag can be used to enable conditional documentation # sections, marked by \if ... \endif and \cond # ... \endcond blocks. ENABLED_SECTIONS = # The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the # initial value of a variable or macro / define can have for it to appear in the # documentation. If the initializer consists of more lines than specified here # it will be hidden. Use a value of 0 to hide initializers completely. The # appearance of the value of individual variables and macros / defines can be # controlled using \showinitializer or \hideinitializer command in the # documentation regardless of this setting. # Minimum value: 0, maximum value: 10000, default value: 30. MAX_INITIALIZER_LINES = 30 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated at # the bottom of the documentation of classes and structs. If set to YES the list # will mention the files that were used to generate the documentation. # The default value is: YES. SHOW_USED_FILES = YES # Set the SHOW_FILES tag to NO to disable the generation of the Files page. 
This # will remove the Files entry from the Quick Index and from the Folder Tree View # (if specified). # The default value is: YES. SHOW_FILES = YES # Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces # page. This will remove the Namespaces entry from the Quick Index and from the # Folder Tree View (if specified). # The default value is: YES. SHOW_NAMESPACES = YES # The FILE_VERSION_FILTER tag can be used to specify a program or script that # doxygen should invoke to get the current version for each file (typically from # the version control system). Doxygen will invoke the program by executing (via # popen()) the command command input-file, where command is the value of the # FILE_VERSION_FILTER tag, and input-file is the name of an input file provided # by doxygen. Whatever the program writes to standard output is used as the file # version. For an example see the documentation. # Note that the program is executed with the privileges of the user running # doxygen; leave this tag blank unless the program is trusted. FILE_VERSION_FILTER = # The LAYOUT_FILE tag can be used to specify a layout file which will be parsed # by doxygen. The layout file controls the global structure of the generated # output files in an output format independent way. To create the layout file # that represents doxygen's defaults, run doxygen with the -l option. You can # optionally specify a file name after the option, if omitted DoxygenLayout.xml # will be used as the name of the layout file. # # Note that if you run doxygen from a directory containing a file called # DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE # tag is left empty. LAYOUT_FILE = # The CITE_BIB_FILES tag can be used to specify one or more bib files containing # the reference definitions. This must be a list of .bib files. The .bib # extension is automatically appended if omitted. This requires the bibtex tool # to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info. # For LaTeX the style of the bibliography can be controlled using # LATEX_BIB_STYLE. 
To use this feature you need bibtex and perl available in the # search path. Do not use file names with spaces, bibtex cannot handle them. See # also \cite for info how to create references. CITE_BIB_FILES = #--------------------------------------------------------------------------- # Configuration options related to warning and progress messages #--------------------------------------------------------------------------- # The QUIET tag can be used to turn on/off the messages that are generated to # standard output by doxygen. If QUIET is set to YES this implies that the # messages are off. # The default value is: NO. QUIET = NO # The WARNINGS tag can be used to turn on/off the warning messages that are # generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES # this implies that the warnings are on. # # Tip: Turn warnings on while writing the documentation. # The default value is: YES. WARNINGS = YES # If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate # warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag # will automatically be disabled. # The default value is: YES. WARN_IF_UNDOCUMENTED = YES # If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for # potential errors in the documentation, such as not documenting some parameters # in a documented function, or documenting parameters that don't exist or using # markup commands wrongly. # The default value is: YES. WARN_IF_DOC_ERROR = YES # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that # are documented, but have no documentation for their parameters or return # value. If set to NO doxygen will only warn about wrong or incomplete parameter # documentation, but not about the absence of documentation. # The default value is: NO. WARN_NO_PARAMDOC = YES # The WARN_FORMAT tag determines the format of the warning messages that doxygen # can produce. 
The string should contain the $file, $line, and $text tags, which # will be replaced by the file and line number from which the warning originated # and the warning text. Optionally the format may contain $version, which will # be replaced by the version of the file (if it could be obtained via # FILE_VERSION_FILTER) # The default value is: $file:$line: $text. WARN_FORMAT = "$file:$line: $text" # The WARN_LOGFILE tag can be used to specify a file to which warning and error # messages should be written. If left blank the output is written to standard # error (stderr). WARN_LOGFILE = #--------------------------------------------------------------------------- # Configuration options related to the input files #--------------------------------------------------------------------------- # The INPUT tag is used to specify the files and/or directories that contain # documented source files. You may enter file names like myfile.cpp or # directories like /usr/src/myproject. Separate the files or directories with # spaces. # Note: If this tag is empty the current directory is searched. INPUT = \ ../../src/lxc/lxccontainer.h \ ../../src/lxc/lxclock.h \ ../../src/lxc/attach_options.h # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses # libiconv (or the iconv built into libc) for the transcoding. See the libiconv # documentation (see: http://www.gnu.org/software/libiconv) for the list of # possible encodings. # The default value is: UTF-8. INPUT_ENCODING = UTF-8 # If the value of the INPUT tag contains directories, you can use the # FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and # *.h) to filter out the source-files in the directories. 
If left blank the # following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii, # *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp, # *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown, # *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf, # *.qsf, *.as and *.js. FILE_PATTERNS = *.h # The RECURSIVE tag can be used to specify whether or not subdirectories should # be searched for input files as well. # The default value is: NO. RECURSIVE = NO # The EXCLUDE tag can be used to specify files and/or directories that should be # excluded from the INPUT source files. This way you can easily exclude a # subdirectory from a directory tree whose root is specified with the INPUT tag. # # Note that relative paths are relative to the directory from which doxygen is # run. EXCLUDE = # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or # directories that are symbolic links (a Unix file system feature) are excluded # from the input. # The default value is: NO. EXCLUDE_SYMLINKS = NO # If the value of the INPUT tag contains directories, you can use the # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude # certain files from those directories. # # Note that the wildcards are matched against the file with absolute path, so to # exclude all test directories for example use the pattern */test/* EXCLUDE_PATTERNS = # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names # (namespaces, classes, functions, etc.) that should be excluded from the # output. The symbol name can be a fully qualified name, a word, or if the # wildcard * is used, a substring. 
Examples: ANamespace, AClass, # AClass::ANamespace, ANamespace::*Test # # Note that the wildcards are matched against the file with absolute path, so to # exclude all test directories use the pattern */test/* EXCLUDE_SYMBOLS = # The EXAMPLE_PATH tag can be used to specify one or more files or directories # that contain example code fragments that are included (see the \include # command). EXAMPLE_PATH = # If the value of the EXAMPLE_PATH tag contains directories, you can use the # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and # *.h) to filter out the source-files in the directories. If left blank all # files are included. EXAMPLE_PATTERNS = # If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be # searched for input files to be used with the \include or \dontinclude commands # irrespective of the value of the RECURSIVE tag. # The default value is: NO. EXAMPLE_RECURSIVE = NO # The IMAGE_PATH tag can be used to specify one or more files or directories # that contain images that are to be included in the documentation (see the # \image command). IMAGE_PATH = # The INPUT_FILTER tag can be used to specify a program that doxygen should # invoke to filter for each input file. Doxygen will invoke the filter program # by executing (via popen()) the command: # # <filter> <input-file> # # where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the # name of an input file. Doxygen will then use the output that the filter # program writes to standard output. If FILTER_PATTERNS is specified, this tag # will be ignored. # # Note that the filter must not add or remove lines; it is applied before the # code is scanned, but not when the output code is generated. If lines are added # or removed, the anchors will not be placed correctly. # # Note that the filter program is executed with the privileges of the user # running doxygen; leave this tag blank unless the program is trusted. INPUT_FILTER = # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern # basis. Doxygen will compare the file name with each pattern and apply the # filter if there is a match. 
The filters are a list of the form: pattern=filter # (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how # filters are used. If the FILTER_PATTERNS tag is empty or if none of the # patterns match the file name, INPUT_FILTER is applied. FILTER_PATTERNS = # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using # INPUT_FILTER ) will also be used to filter the input files that are used for # producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES). # The default value is: NO. FILTER_SOURCE_FILES = NO # The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file # pattern. A pattern will override the setting for FILTER_PATTERN (if any) and # it is also possible to disable source filtering for a specific pattern using # *.ext= (so without naming a filter). # This tag requires that the tag FILTER_SOURCE_FILES is set to YES. FILTER_SOURCE_PATTERNS = # If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that # is part of the input, its contents will be placed on the main page # (index.html). This can be useful if you have a project on for instance GitHub # and want to reuse the introduction page also for the doxygen output. USE_MDFILE_AS_MAINPAGE = #--------------------------------------------------------------------------- # Configuration options related to source browsing #--------------------------------------------------------------------------- # If the SOURCE_BROWSER tag is set to YES then a list of source files will be # generated. Documented entities will be cross-referenced with these sources. # # Note: To get rid of all source code in the generated output, make sure that # also VERBATIM_HEADERS is set to NO. # The default value is: NO. SOURCE_BROWSER = NO # Setting the INLINE_SOURCES tag to YES will include the body of functions, # classes and enums directly into the documentation. # The default value is: NO. 
INLINE_SOURCES = NO # Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any # special comment blocks from generated source code fragments. Normal C, C++ and # Fortran comments will always remain visible. # The default value is: YES. STRIP_CODE_COMMENTS = YES # If the REFERENCED_BY_RELATION tag is set to YES then for each documented # function all documented functions referencing it will be listed. # The default value is: NO. REFERENCED_BY_RELATION = NO # If the REFERENCES_RELATION tag is set to YES then for each documented function # all documented entities called/used by that function will be listed. # The default value is: NO. REFERENCES_RELATION = NO # If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set # to YES, then the hyperlinks from functions in REFERENCES_RELATION and # REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will # link to the documentation. # The default value is: YES. REFERENCES_LINK_SOURCE = YES # If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the # source code will show a tooltip with additional information such as prototype, # brief description and links to the definition and documentation. Since this # will make the HTML file larger and loading of large files a bit slower, you # can opt to disable this feature. # The default value is: YES. # This tag requires that the tag SOURCE_BROWSER is set to YES. SOURCE_TOOLTIPS = YES # If the USE_HTAGS tag is set to YES then the references to source code will # point to the HTML generated by the htags(1) tool instead of doxygen built-in # source browser. The htags tool is part of GNU's global source tagging system # (see http://www.gnu.org/software/global/global.html). You will need version # 4.8.6 or higher. 
# # To use it do the following: # - Install the latest version of global # - Enable SOURCE_BROWSER and USE_HTAGS in the config file # - Make sure the INPUT points to the root of the source tree # - Run doxygen as normal # # Doxygen will invoke htags (and that will in turn invoke gtags), so these # tools must be available from the command line (i.e. in the search path). # # The result: instead of the source browser generated by doxygen, the links to # source code will now point to the output of htags. # The default value is: NO. # This tag requires that the tag SOURCE_BROWSER is set to YES. USE_HTAGS = NO # If the VERBATIM_HEADERS tag is set to YES then doxygen will generate a # verbatim copy of the header file for each class for which an include is # specified. Set to NO to disable this. # See also: Section \class. # The default value is: YES. VERBATIM_HEADERS = YES #--------------------------------------------------------------------------- # Configuration options related to the alphabetical class index #--------------------------------------------------------------------------- # If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all # compounds will be generated. Enable this if the project contains a lot of # classes, structs, unions or interfaces. # The default value is: YES. ALPHABETICAL_INDEX = YES # The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in # which the alphabetical index list will be split. # Minimum value: 1, maximum value: 20, default value: 5. # This tag requires that the tag ALPHABETICAL_INDEX is set to YES. COLS_IN_ALPHA_INDEX = 5 # In case all classes in a project start with a common prefix, all classes will # be put under the same header in the alphabetical index. The IGNORE_PREFIX tag # can be used to specify a prefix (or a list of prefixes) that should be ignored # while generating the index headers. # This tag requires that the tag ALPHABETICAL_INDEX is set to YES. 
IGNORE_PREFIX = #--------------------------------------------------------------------------- # Configuration options related to the HTML output #--------------------------------------------------------------------------- # If the GENERATE_HTML tag is set to YES doxygen will generate HTML output # The default value is: YES. GENERATE_HTML = YES # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a # relative path is entered the value of OUTPUT_DIRECTORY will be put in front of # it. # The default directory is: html. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_OUTPUT = html # The HTML_FILE_EXTENSION tag can be used to specify the file extension for each # generated HTML page (for example: .htm, .php, .asp). # The default value is: .html. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_FILE_EXTENSION = .html # The HTML_HEADER tag can be used to specify a user-defined HTML header file for # each generated HTML page. If the tag is left blank doxygen will generate a # standard header. # # To get valid HTML the header file that includes any scripts and style sheets # that doxygen needs, which is dependent on the configuration options used (e.g. # the setting GENERATE_TREEVIEW). It is highly recommended to start with a # default header using # doxygen -w html new_header.html new_footer.html new_stylesheet.css # YourConfigFile # and then modify the file new_header.html. See also section "Doxygen usage" # for information on how to generate the default header that doxygen normally # uses. # Note: The header is subject to change so you typically have to regenerate the # default header when upgrading to a newer version of doxygen. For a description # of the possible markers and block names see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_HEADER = # The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each # generated HTML page. 
If the tag is left blank doxygen will generate a standard # footer. See HTML_HEADER for more information on how to generate a default # footer and what special commands can be used inside the footer. See also # section "Doxygen usage" for information on how to generate the default footer # that doxygen normally uses. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_FOOTER = # The HTML_STYLESHEET tag can be used to specify a user-defined cascading style # sheet that is used by each HTML page. It can be used to fine-tune the look of # the HTML output. If left blank doxygen will generate a default style sheet. # See also section "Doxygen usage" for information on how to generate the style # sheet that doxygen normally uses. # Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as # it is more robust and this tag (HTML_STYLESHEET) will in the future become # obsolete. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_STYLESHEET = # The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user- # defined cascading style sheet that is included after the standard style sheets # created by doxygen. Using this option one can overrule certain style aspects. # This is preferred over using HTML_STYLESHEET since it does not replace the # standard style sheet and is therefore more robust against future updates. # Doxygen will copy the style sheet file to the output directory. For an example # see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_STYLESHEET = # The HTML_EXTRA_FILES tag can be used to specify one or more extra images or # other source files which should be copied to the HTML output directory. Note # that these files will be copied to the base HTML output directory. Use the # $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these # files. In the HTML_STYLESHEET file, use the file name only.
Also note that the # files will be copied as-is; there are no commands or markers available. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_FILES = # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen # will adjust the colors in the stylesheet and background images according to # this color. Hue is specified as an angle on a colorwheel, see # http://en.wikipedia.org/wiki/Hue for more information. For instance the value # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300 # purple, and 360 is red again. # Minimum value: 0, maximum value: 359, default value: 220. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_HUE = 220 # The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors # in the HTML output. For a value of 0 the output will use grayscales only. A # value of 255 will produce the most vivid colors. # Minimum value: 0, maximum value: 255, default value: 100. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_SAT = 100 # The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the # luminance component of the colors in the HTML output. Values below 100 # gradually make the output lighter, whereas values above 100 make the output # darker. The value divided by 100 is the actual gamma applied, so 80 represents # a gamma of 0.8, the value 220 represents a gamma of 2.2, and 100 does not # change the gamma. # Minimum value: 40, maximum value: 240, default value: 80. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_GAMMA = 80 # If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML # page will contain the date and time when the page was generated. Setting this # to NO can help when comparing the output of multiple runs, for example when # checking that a documentation build is reproducible. # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML # documentation will contain sections that can be hidden and shown after the # page has loaded. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_DYNAMIC_SECTIONS = NO # With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries # shown in the various tree structured indices initially; the user can expand # and collapse entries dynamically later on. Doxygen will expand the tree to # such a level that at most the specified number of entries are visible (unless # a fully collapsed tree already exceeds this amount). So setting the number of # entries 1 will produce a full collapsed tree by default. 0 is a special value # representing an infinite number of entries and will result in a full expanded # tree by default. # Minimum value: 0, maximum value: 9999, default value: 100. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_INDEX_NUM_ENTRIES = 100 # If the GENERATE_DOCSET tag is set to YES, additional index files will be # generated that can be used as input for Apple's Xcode 3 integrated development # environment (see: http://developer.apple.com/tools/xcode/), introduced with # OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a # Makefile in the HTML output directory. Running make will produce the docset in # that directory and running make install will install the docset in # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at # startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html # for more information. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_DOCSET = NO # This tag determines the name of the docset feed. 
A documentation feed provides # an umbrella under which multiple documentation sets from a single provider # (such as a company or product suite) can be grouped. # The default value is: Doxygen generated docs. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_FEEDNAME = "Doxygen generated docs" # This tag specifies a string that should uniquely identify the documentation # set bundle. This should be a reverse domain-name style string, e.g. # com.mycompany.MyDocSet. Doxygen will append .docset to the name. # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_BUNDLE_ID = org.doxygen.Project # The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify # the documentation publisher. This should be a reverse domain-name style # string, e.g. com.mycompany.MyDocSet.documentation. # The default value is: org.doxygen.Publisher. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_PUBLISHER_ID = org.doxygen.Publisher # The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher. # The default value is: Publisher. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_PUBLISHER_NAME = Publisher # If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three # additional HTML index files: index.hhp, index.hhc, and index.hhk. The # index.hhp is a project file that can be read by Microsoft's HTML Help Workshop # (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on # Windows. # # The HTML Help Workshop contains a compiler that can convert all HTML output # generated by doxygen into a single compiled HTML file (.chm). Compiled HTML # files are now used as the Windows 98 help format, and will replace the old # Windows help format (.hlp) on all Windows platforms in the future. Compressed # HTML files also contain an index, a table of contents, and you can search for # words in the documentation. 
The HTML workshop also contains a viewer for # compressed HTML files. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_HTMLHELP = NO # The CHM_FILE tag can be used to specify the file name of the resulting .chm # file. You can add a path in front of the file if the result should not be # written to the html output directory. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_FILE = # The HHC_LOCATION tag can be used to specify the location (absolute path # including file name) of the HTML help compiler ( hhc.exe). If non-empty # doxygen will try to run the HTML help compiler on the generated index.hhp. # The file has to be specified with full path. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. HHC_LOCATION = # The GENERATE_CHI flag controls if a separate .chi index file is generated ( # YES) or that it should be included in the master .chm file ( NO). # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. GENERATE_CHI = NO # The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc) # and project file content. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_INDEX_ENCODING = # The BINARY_TOC flag controls whether a binary table of contents is generated ( # YES) or a normal table of contents ( NO) in the .chm file. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. BINARY_TOC = NO # The TOC_EXPAND flag can be set to YES to add extra items for group members to # the table of contents of the HTML help documentation and to the tree view. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. 
TOC_EXPAND = NO # If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and # QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that # can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help # (.qch) of the generated HTML documentation. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_QHP = NO # If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify # the file name of the resulting .qch file. The path specified is relative to # the HTML output folder. # This tag requires that the tag GENERATE_QHP is set to YES. QCH_FILE = # The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help # Project output. For more information please see Qt Help Project / Namespace # (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace). # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_QHP is set to YES. QHP_NAMESPACE = org.doxygen.Project # The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt # Help Project output. For more information please see Qt Help Project / Virtual # Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual- # folders). # The default value is: doc. # This tag requires that the tag GENERATE_QHP is set to YES. QHP_VIRTUAL_FOLDER = doc # If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom # filter to add. For more information please see Qt Help Project / Custom # Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom- # filters). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_CUST_FILTER_NAME = # The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the # custom filter to add. For more information please see Qt Help Project / Custom # Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom- # filters). 
# This tag requires that the tag GENERATE_QHP is set to YES. QHP_CUST_FILTER_ATTRS = # The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this # project's filter section matches. Qt Help Project / Filter Attributes (see: # http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_SECT_FILTER_ATTRS = # The QHG_LOCATION tag can be used to specify the location of Qt's # qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the # generated .qhp file. # This tag requires that the tag GENERATE_QHP is set to YES. QHG_LOCATION = # If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be # generated, together with the HTML files, they form an Eclipse help plugin. To # install this plugin and make it available under the help contents menu in # Eclipse, the contents of the directory containing the HTML and XML files needs # to be copied into the plugins directory of eclipse. The name of the directory # within the plugins directory should be the same as the ECLIPSE_DOC_ID value. # After copying Eclipse needs to be restarted before the help appears. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_ECLIPSEHELP = NO # A unique identifier for the Eclipse help plugin. When installing the plugin # the directory name containing the HTML and XML files should also have this # name. Each documentation set should have its own identifier. # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES. ECLIPSE_DOC_ID = org.doxygen.Project # If you want full control over the layout of the generated HTML pages it might # be necessary to disable the index and replace it with your own. The # DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top # of each HTML page. A value of NO enables the index and the value YES disables # it. 
Since the tabs in the index contain the same information as the navigation # tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. DISABLE_INDEX = NO # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index # structure should be generated to display hierarchical information. If the tag # value is set to YES, a side panel will be generated containing a tree-like # index structure (just like the one that is generated for HTML Help). For this # to work a browser that supports JavaScript, DHTML, CSS and frames is required # (i.e. any modern browser). Windows users are probably better off using the # HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can # further fine-tune the look of the index. As an example, the default style # sheet generated by doxygen has an example that shows how to put an image at # the root of the tree instead of the PROJECT_NAME. Since the tree basically has # the same information as the tab index, you could consider setting # DISABLE_INDEX to YES when enabling this option. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_TREEVIEW = NO # The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that # doxygen will group on one line in the generated HTML documentation. # # Note that a value of 0 will completely suppress the enum values from appearing # in the overview section. # Minimum value: 0, maximum value: 20, default value: 4. # This tag requires that the tag GENERATE_HTML is set to YES. ENUM_VALUES_PER_LINE = 4 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used # to set the initial width (in pixels) of the frame in which the tree is shown. # Minimum value: 0, maximum value: 1500, default value: 250. # This tag requires that the tag GENERATE_HTML is set to YES. 
TREEVIEW_WIDTH = 250 # When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to # external symbols imported via tag files in a separate window. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. EXT_LINKS_IN_WINDOW = NO # Use this tag to change the font size of LaTeX formulas included as images in # the HTML documentation. When you change the font size after a successful # doxygen run you need to manually remove any form_*.png images from the HTML # output directory to force them to be regenerated. # Minimum value: 8, maximum value: 50, default value: 10. # This tag requires that the tag GENERATE_HTML is set to YES. FORMULA_FONTSIZE = 10 # Use the FORMULA_TRANSPARENT tag to determine whether or not the images # generated for formulas are transparent PNGs. Transparent PNGs are not # supported properly for IE 6.0, but are supported on all modern browsers. # # Note that when changing this option you need to delete any form_*.png files in # the HTML output directory before the changes take effect. # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES. FORMULA_TRANSPARENT = YES # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see # http://www.mathjax.org) which uses client side JavaScript for the rendering # instead of using prerendered bitmaps. Use this if you do not have LaTeX # installed or if you want formulas to look prettier in the HTML output. When # enabled you may also need to install MathJax separately and configure the path # to it using the MATHJAX_RELPATH option. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. USE_MATHJAX = NO # When MathJax is enabled you can set the default output format to be used for # the MathJax output. See the MathJax site (see: # http://docs.mathjax.org/en/latest/output.html) for more details.
# Possible values are: HTML-CSS (which is slower, but has the best # compatibility), NativeMML (i.e. MathML) and SVG. # The default value is: HTML-CSS. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_FORMAT = HTML-CSS # When MathJax is enabled you need to specify the location relative to the HTML # output directory using the MATHJAX_RELPATH option. The destination directory # should contain the MathJax.js script. For instance, if the mathjax directory # is located at the same level as the HTML output directory, then # MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax # Content Delivery Network so you can quickly see the result without installing # MathJax. However, it is strongly recommended to install a local copy of # MathJax from http://www.mathjax.org before deployment. # Note that the value set below is a plain-http URL on a third-party host: # with USE_MATHJAX set to YES, every generated page would load script from it # without transport integrity, so point MATHJAX_RELPATH at a local copy first. # The default value is: http://cdn.mathjax.org/mathjax/latest. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest # The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax # extension names that should be enabled during MathJax rendering. For example # MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_EXTENSIONS = # The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces # of code that will be used on startup of the MathJax code. See the MathJax site # (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an # example see the documentation. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_CODEFILE = # When the SEARCHENGINE tag is enabled doxygen will generate a search box for # the HTML output. The underlying search engine uses javascript and DHTML and # should work on any modern browser.
Note that when using HTML help # (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET) # there is already a search function so this one should typically be disabled. # For large projects the javascript based search engine can be slow, then # enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to # search using the keyboard; to jump to the search box use + S # (what the is depends on the OS and browser, but it is typically # , /