canonical · tomponline · Nov 6, 2023 · Oct 24, 2023 · Nov 6, 2023 · Oct 24, 2023
diff --git a/doc/howto/instances_troubleshoot.md b/doc/howto/instances_troubleshoot.md
@@ -78,7 +78,7 @@ Console log:
 Now that the container has started, you can check it and see that things are not running as well as expected:
 
 ```{terminal}
-:input: lxc exec systemd bash
+:input: lxc exec systemd -- bash
 
 [root@systemd ~]# ls
 [root@systemd ~]# mount

diff --git a/doc/howto/network_ovn_setup.md b/doc/howto/network_ovn_setup.md
@@ -173,7 +173,7 @@ See the linked YouTube video for the complete tutorial using four machines.
        lxc launch ubuntu:22.04 c3 --network my-ovn
        lxc launch ubuntu:22.04 c4 --network my-ovn
        lxc list
-       lxc exec c4 bash
+       lxc exec c4 -- bash
        ping <IP of c1>
        ping <nameserver>
        ping6 -n www.example.com

diff --git a/lxd/devlxd.go b/lxd/devlxd.go
@@ -405,7 +405,7 @@ func findContainerForPid(pid int32, s *state.State) (instance.Container, error)
 	 * 1. Walk up the process tree until you see something that looks like
 	 *    an lxc monitor process and extract its name from there.
 	 *
-	 * 2. If this fails, it may be that someone did an `lxc exec foo bash`,
+	 * 2. If this fails, it may be that someone did an `lxc exec foo -- bash`,
 	 *    so the process isn't actually a descendant of the container's
 	 *    init. In this case we just look through all the containers until
 	 *    we find an init with a matching pid namespace. This is probably

diff --git a/test/suites/basic.sh b/test/suites/basic.sh
@@ -149,7 +149,7 @@ test_basic_usage() {
   lxc publish bar --alias=foo-image --alias=foo-image2
   lxc launch testimage baz
   # change the container filesystem so the resulting image is different
-  lxc exec baz touch /somefile
+  lxc exec baz -- touch /somefile
   lxc stop baz --force
   # publishing another image with same alias should fail
   ! lxc publish baz --alias=foo-image || false
@@ -171,7 +171,7 @@ test_basic_usage() {
   lxc publish bar --alias=foo-image --alias=foo-image2
   lxc launch testimage baz
   # change the container filesystem so the resulting image is different
-  lxc exec baz touch /somefile
+  lxc exec baz -- touch /somefile
   lxc stop baz --force
   # publishing another image with same aliases
   lxc publish baz --alias=foo-image --alias=foo-image2 --reuse
@@ -377,10 +377,10 @@ test_basic_usage() {
 
   # cycle it a few times
   lxc start foo
-  mac1=$(lxc exec foo cat /sys/class/net/eth0/address)
+  mac1=$(lxc exec foo -- cat /sys/class/net/eth0/address)
   lxc stop foo --force
   lxc start foo
-  mac2=$(lxc exec foo cat /sys/class/net/eth0/address)
+  mac2=$(lxc exec foo -- cat /sys/class/net/eth0/address)
 
   if [ -n "${mac1}" ] && [ -n "${mac2}" ] && [ "${mac1}" != "${mac2}" ]; then
     echo "==> MAC addresses didn't match across restarts (${mac1} vs ${mac2})"
@@ -412,9 +412,9 @@ test_basic_usage() {
   [ "$(lxc exec foo --user 1234 --group 5678 --cwd /blah -- pwd)" = "/blah" ] || false
 
   # check that we can set the environment
-  lxc exec foo pwd | grep /root
-  lxc exec --env BEST_BAND=meshuggah foo env | grep meshuggah
-  lxc exec foo ip link show | grep eth0
+  lxc exec foo -- pwd | grep /root
+  lxc exec --env BEST_BAND=meshuggah foo -- env | grep meshuggah
+  lxc exec foo -- ip link show | grep eth0
 
   # check that we can get the return code for a non- wait-for-websocket exec
   op=$(my_curl -X POST "https://${LXD_ADDR}/1.0/containers/foo/exec" -d '{"command": ["echo", "test"], "environment": {}, "wait-for-websocket": false, "interactive": false}' | jq -r .operation)
@@ -424,11 +424,11 @@ test_basic_usage() {
   echo abc > "${LXD_DIR}/in"
 
   lxc file push "${LXD_DIR}/in" foo/root/
-  lxc exec foo /bin/cat /root/in | grep abc
+  lxc exec foo -- /bin/cat /root/in | grep -xF abc
   lxc exec foo -- /bin/rm -f root/in
 
   lxc file push "${LXD_DIR}/in" foo/root/in1
-  lxc exec foo /bin/cat /root/in1 | grep abc
+  lxc exec foo -- /bin/cat /root/in1 | grep -xF abc
   lxc exec foo -- /bin/rm -f root/in1
 
   # test lxc file edit doesn't change target file's owner and permissions
@@ -442,10 +442,14 @@ test_basic_usage() {
   # make sure stdin is chowned to our container root uid (Issue #590)
   [ -t 0 ] && [ -t 1 ] && lxc exec foo -- chown 1000:1000 /proc/self/fd/0
 
-  echo foo | lxc exec foo tee /tmp/foo
+  echo foo | lxc exec foo -- tee /tmp/foo
+
+  # test exec with/without "--" separator
+  lxc exec foo -- true
+  lxc exec foo true
 
   # Detect regressions/hangs in exec
-  sum=$(ps aux | tee "${LXD_DIR}/out" | lxc exec foo md5sum | cut -d' ' -f1)
+  sum=$(ps aux | tee "${LXD_DIR}/out" | lxc exec foo -- md5sum | cut -d' ' -f1)
   [ "${sum}" = "$(md5sum "${LXD_DIR}/out" | cut -d' ' -f1)" ]
   rm "${LXD_DIR}/out"
 
@@ -566,7 +570,7 @@ test_basic_usage() {
         REBOOTED="true"
         break
       else
-        lxc exec foo reboot || true  # Signal to running old init process to reboot if not rebooted yet.
+        lxc exec foo -- reboot || true  # Signal to running old init process to reboot if not rebooted yet.
       fi
     fi
 

diff --git a/test/suites/clustering.sh b/test/suites/clustering.sh
@@ -434,7 +434,7 @@ test_clustering_containers() {
   ! LXD_DIR="${LXD_ONE_DIR}" lxc cluster remove node2 || false
 
   # Exec a command in the container via node1
-  LXD_DIR="${LXD_ONE_DIR}" lxc exec foo ls / | grep -q proc
+  LXD_DIR="${LXD_ONE_DIR}" lxc exec foo -- ls / | grep -qxF proc
 
   # Pull, push and delete files from the container via node1
   ! LXD_DIR="${LXD_ONE_DIR}" lxc file pull foo/non-existing-file "${TEST_DIR}/non-existing-file" || false
@@ -1506,8 +1506,8 @@ used_by:
 EOF
   ) | LXD_DIR="${LXD_TWO_DIR}" lxc profile edit web
 
-  LXD_DIR="${LXD_TWO_DIR}" lxc exec c1 ls /mnt | grep -q hello
-  LXD_DIR="${LXD_TWO_DIR}" lxc exec c2 ls /mnt | grep -q hello
+  LXD_DIR="${LXD_TWO_DIR}" lxc exec c1 -- ls /mnt | grep -qxF hello
+  LXD_DIR="${LXD_TWO_DIR}" lxc exec c2 -- ls /mnt | grep -qxF hello
 
   LXD_DIR="${LXD_TWO_DIR}" lxc stop c1 --force
   LXD_DIR="${LXD_ONE_DIR}" lxc stop c2 --force

diff --git a/test/suites/config.sh b/test/suites/config.sh
@@ -69,14 +69,14 @@ testloopmounts() {
   umount -l "${TEST_DIR}/mnt"
   lxc start foo
   lxc config device add foo mnt disk source="${lpath}" path=/mnt
-  lxc exec foo stat /mnt/hello
+  lxc exec foo -- stat /mnt/hello
   # Note - we need to add a set_running_config_item to lxc
   # or work around its absence somehow.  Once that's done, we
   # can run the following two lines:
-  #lxc exec foo reboot
-  #lxc exec foo stat /mnt/hello
+  #lxc exec foo -- reboot
+  #lxc exec foo -- stat /mnt/hello
   lxc restart foo --force
-  lxc exec foo stat /mnt/hello
+  lxc exec foo -- stat /mnt/hello
   lxc config device remove foo mnt
   ensure_fs_unmounted "fs should have been hot-unmounted"
   lxc restart foo --force

diff --git a/test/suites/devlxd.sh b/test/suites/devlxd.sh
@@ -12,24 +12,22 @@ test_devlxd() {
   ! lxc exec devlxd -- test -S /dev/lxd/sock || false
   lxc config unset devlxd security.devlxd
   lxc exec devlxd -- test -S /dev/lxd/sock
-  lxc file push "devlxd-client/devlxd-client" devlxd/bin/
-
-  lxc exec devlxd chmod +x /bin/devlxd-client
+  lxc file push --mode 0755 "devlxd-client/devlxd-client" devlxd/bin/
 
   lxc config set devlxd user.foo bar
-  lxc exec devlxd devlxd-client user.foo | grep bar
+  lxc exec devlxd -- devlxd-client user.foo | grep bar
 
   lxc config set devlxd user.foo "bar %s bar"
-  lxc exec devlxd devlxd-client user.foo | grep "bar %s bar"
+  lxc exec devlxd -- devlxd-client user.foo | grep "bar %s bar"
 
   lxc config set devlxd security.nesting true
-  ! lxc exec devlxd devlxd-client security.nesting | grep true || false
+  ! lxc exec devlxd -- devlxd-client security.nesting | grep true || false
 
   cmd=$(unset -f lxc; command -v lxc)
-  ${cmd} exec devlxd devlxd-client monitor-websocket > "${TEST_DIR}/devlxd-websocket.log" &
+  ${cmd} exec devlxd -- devlxd-client monitor-websocket > "${TEST_DIR}/devlxd-websocket.log" &
   client_websocket=$!
 
-  ${cmd} exec devlxd devlxd-client monitor-stream > "${TEST_DIR}/devlxd-stream.log" &
+  ${cmd} exec devlxd -- devlxd-client monitor-stream > "${TEST_DIR}/devlxd-stream.log" &
   client_stream=$!
 
   (
@@ -95,13 +93,13 @@ EOF
 
   # Test instance Ready state
   lxc info devlxd | grep -q 'Status: RUNNING'
-  lxc exec devlxd devlxd-client ready-state true
+  lxc exec devlxd -- devlxd-client ready-state true
   [ "$(lxc config get devlxd volatile.last_state.ready)" = "true" ]
 
   grep -Fc "instance-ready" "${TEST_DIR}/devlxd.log" | grep -Fx 1
 
   lxc info devlxd | grep -q 'Status: READY'
-  lxc exec devlxd devlxd-client ready-state false
+  lxc exec devlxd -- devlxd-client ready-state false
   [ "$(lxc config get devlxd volatile.last_state.ready)" = "false" ]
 
   grep -Fc "instance-ready" "${TEST_DIR}/devlxd.log" | grep -Fx 1
@@ -119,7 +117,7 @@ EOF
   lxc monitor --type=lifecycle > "${TEST_DIR}/devlxd.log" &
   monitorDevlxdPID=$!
 
-  lxc exec devlxd devlxd-client ready-state true
+  lxc exec devlxd -- devlxd-client ready-state true
   [ "$(lxc config get devlxd volatile.last_state.ready)" = "true" ]
 
   grep -Fc "instance-ready" "${TEST_DIR}/devlxd.log" | grep -Fx 1
@@ -128,14 +126,14 @@ EOF
   [ "$(lxc config get devlxd volatile.last_state.ready)" = "false" ]
 
   lxc start devlxd
-  lxc exec devlxd devlxd-client ready-state true
+  lxc exec devlxd -- devlxd-client ready-state true
   [ "$(lxc config get devlxd volatile.last_state.ready)" = "true" ]
 
   grep -Fc "instance-ready" "${TEST_DIR}/devlxd.log" | grep -Fx 2
 
   # Check device configs are available and that NIC hwaddr is available even if volatile.
   hwaddr=$(lxc config get devlxd volatile.eth0.hwaddr)
-  lxc exec devlxd devlxd-client devices | jq -r .eth0.hwaddr | grep -Fx "${hwaddr}"
+  lxc exec devlxd -- devlxd-client devices | jq -r .eth0.hwaddr | grep -Fx "${hwaddr}"
 
   lxc delete devlxd --force
   kill -9 ${monitorDevlxdPID} || true

diff --git a/test/suites/image_acl.sh b/test/suites/image_acl.sh
@@ -4,7 +4,7 @@ test_image_acl() {
   # Launch a new container with an ACL applied file
   lxc launch testimage c1
   CONTAINER_PID="$(lxc query /1.0/instances/c1?recursion=1 | jq '.state.pid')"
-  lxc exec c1 touch foo
+  lxc exec c1 -- touch foo
   setfacl -m user:1000001:rwx "/proc/$CONTAINER_PID/root/root/foo"
   setfacl -m group:1000001:rwx "/proc/$CONTAINER_PID/root/root/foo"
 

diff --git a/test/suites/storage_snapshots.sh b/test/suites/storage_snapshots.sh
@@ -104,7 +104,7 @@ test_storage_volume_snapshots() {
   lxc launch testimage "c1"
   lxc storage volume create "${storage_pool}" "vol1"
   lxc storage volume attach "${storage_pool}" "vol1" "c1" /mnt
-  lxc exec "c1" touch /mnt/foo
+  lxc exec "c1" -- touch /mnt/foo
   lxc delete -f "c1"
   lxc storage volume snapshot "${storage_pool}" "vol1" "snap0"
   lxc storage volume copy "${storage_pool}/vol1/snap0" "${storage_pool}/vol2" --mode pull