bump version to 2.1.1-1

And switch to using submodules.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "lxc"]
+	path = lxc
+	url = ../mirror_lxc

Makefile

@@ -1,9 +1,9 @@
 PACKAGE=lxc-pve
-LXCVER=2.1.0
-DEBREL=2
+LXCVER=2.1.1
+DEBREL=1
 
 SRCDIR=lxc
-SRCTAR=${SRCDIR}.tgz
+BUILDSRC := $(SRCDIR).tmp
 
 ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
 GITVERSION:=$(shell cat .git/refs/heads/master)
@@ -16,24 +16,22 @@ DEBS=$(DEB1) $(DEB2)
 all: ${DEBS}
 	echo ${DEBS}
 
+.PHONY: submodule
+submodule:
+	test -f "${SRCDIR}/debian/changelog" || git submodule update --init
+
 .PHONY: deb
 deb: ${DEBS}
 $(DEB2): $(DEB1)
-$(DEB1): ${SRCTAR}
-	rm -rf ${SRCDIR}
-	tar xf ${SRCTAR}
-	cp -a debian ${SRCDIR}/debian
-	echo "git clone git://git.proxmox.com/git/lxc.git\\ngit checkout ${GITVERSION}" >  ${SRCDIR}/debian/SOURCE
-	cd ${SRCDIR}; dpkg-buildpackage -rfakeroot -b -us -uc
-	lintian ${DEBS}
-
-
-.PHONY: download
-download ${SRCTAR}:
-	rm -rf ${SRCDIR} ${SRCTAR}
-	git clone -b lxc-${LXCVER} git://github.com/lxc/lxc
-	tar czf ${SRCTAR}.tmp ${SRCDIR}
-	mv ${SRCTAR}.tmp ${SRCTAR}
+$(DEB1): | submodule
+	rm -f *.deb
+	rm -rf $(BUILDSRC)
+	mkdir $(BUILDSRC)
+	cp -a $(SRCDIR)/* $(BUILDSRC)/
+	cp -a debian $(BUILDSRC)/debian
+	echo "git clone git://git.proxmox.com/git/lxc.git\\ngit checkout $(GITVERSION)" > $(BUILDSRC)/debian/SOURCE
+	cd $(BUILDSRC); dpkg-buildpackage -rfakeroot -b -us -uc
+	lintian $(DEBS)
 
 .PHONY: upload
 upload: ${DEBS}
@@ -43,8 +41,7 @@ distclean: clean
 
 .PHONY: clean
 clean:
-	rm -rf ${SRCDIR} ${SRCDIR}.tmp *_${ARCH}.deb *.changes *.dsc *.buildinfo
-	find . -name '*~' -exec rm {} ';'
+	rm -rf $(BUILDSRC) *_${ARCH}.deb *.changes *.dsc *.buildinfo
 
 .PHONY: dinstall
 dinstall: ${DEBS}

debian/changelog

@@ -1,3 +1,9 @@
+lxc (2.1.1-1) unstable; urgency=medium
+
+  * update to lxc-2.1.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Nov 2017 11:18:38 +0100
+
 lxc (2.1.0-2) unstable; urgency=medium
 
   * update cgroup namespace separation for conflicting changes in 2.1.0

debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch

@@ -1,7 +1,7 @@
-From 674c54165393b3ad0059f4a5c5d1e1505eea9114 Mon Sep 17 00:00:00 2001
+From 92f2489b28e79f7a67f45bc698f1d61785a6537d Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH 01/10] lxc.service: start after a potential syslog.service
+Subject: [PATCH 1/8] lxc.service: start after a potential syslog.service
 
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---

debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch

@@ -1,39 +0,0 @@
-From a5ee14df834c008294b790d96982a1fea36c807a Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 10 Feb 2017 09:14:55 +0100
-Subject: [PATCH 02/10] jessie/systemd: remove Delegate flag to silence
- warnings
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- config/init/systemd/lxc.service.in  | 1 -
- config/init/systemd/lxc@.service.in | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
-index 77541917..bdd58283 100644
---- a/config/init/systemd/lxc.service.in
-+++ b/config/init/systemd/lxc.service.in
-@@ -12,7 +12,6 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
- ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
- # Environment=BOOTUP=serial
- # Environment=CONSOLETYPE=serial
--Delegate=yes
- StandardOutput=syslog
- StandardError=syslog
- 
-diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
-index a2aa2211..98d5a3a7 100644
---- a/config/init/systemd/lxc@.service.in
-+++ b/config/init/systemd/lxc@.service.in
-@@ -13,7 +13,6 @@ ExecStart=@BINDIR@/lxc-start -F -n %i
- ExecStop=@BINDIR@/lxc-stop -n %i
- # Environment=BOOTUP=serial
- # Environment=CONSOLETYPE=serial
--Delegate=yes
- StandardOutput=syslog
- StandardError=syslog
- 
--- 
-2.11.0
-

debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch

@@ -1,7 +1,7 @@
-From 84da55875d3a9468957fe0f0012ea2b39b9f7785 Mon Sep 17 00:00:00 2001
+From 6aecf604cf28c5164f3d957b0ad33bf03527fa26 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:15:37 +0100
-Subject: [PATCH 03/10] pve: run lxcnetaddbr when instantiating veths
+Subject: [PATCH 2/8] pve: run lxcnetaddbr when instantiating veths
 
 FIXME: Why aren't we using regular up-scripts?
 
@@ -11,7 +11,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/src/lxc/network.c b/src/lxc/network.c
-index a7f054e7..3c0597c7 100644
+index 909b7e58..c9b510f6 100644
 --- a/src/lxc/network.c
 +++ b/src/lxc/network.c
 @@ -208,6 +208,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd

debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch

@@ -1,7 +1,7 @@
-From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001
+From 8c695baaff8d18a87233ffc119e8fd0495819dbe Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
 Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH 04/10] deny rw mounting of /sys and /proc
+Subject: [PATCH 3/8] deny rw mounting of /sys and /proc
 
 this would allow root in a privileged container to change
 the permissions of /sys on the host, which could lock out
@@ -14,10 +14,10 @@ if a rw /sys is desired, set "lxc.mount.auto" accordingly
  2 files changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
-index 06290de2..779aadd4 100644
+index a5e6c35f..4c3a4ba8 100644
 --- a/config/apparmor/abstractions/container-base
 +++ b/config/apparmor/abstractions/container-base
-@@ -84,7 +84,6 @@
+@@ -82,7 +82,6 @@
    deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
    mount fstype=proc -> /proc/,
    mount fstype=sysfs -> /sys/,
@@ -25,7 +25,7 @@ index 06290de2..779aadd4 100644
    deny /sys/firmware/efi/efivars/** rwklx,
    deny /sys/kernel/security/** rwklx,
    mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -93,6 +92,11 @@
+@@ -91,6 +90,11 @@
    # deny reads from debugfs
    deny /sys/kernel/debug/{,**} rwklx,
  
@@ -38,10 +38,10 @@ index 06290de2..779aadd4 100644
    # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
  #  mount options=(rw,make-slave) -> **,
 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
-index 5bc9b28b..5c8e441f 100644
+index 16529bbf..54f9ddf0 100644
 --- a/config/apparmor/abstractions/container-base.in
 +++ b/config/apparmor/abstractions/container-base.in
-@@ -84,7 +84,6 @@
+@@ -82,7 +82,6 @@
    deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
    mount fstype=proc -> /proc/,
    mount fstype=sysfs -> /sys/,
@@ -49,7 +49,7 @@ index 5bc9b28b..5c8e441f 100644
    deny /sys/firmware/efi/efivars/** rwklx,
    deny /sys/kernel/security/** rwklx,
    mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -93,6 +92,11 @@
+@@ -91,6 +90,11 @@
    # deny reads from debugfs
    deny /sys/kernel/debug/{,**} rwklx,
  

debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch

@@ -1,7 +1,7 @@
-From 9152a996a7413e1dc7dc3cb6c64af20cdf0389be Mon Sep 17 00:00:00 2001
+From 6ebdc24c00b4dee75aebef3136469a5297e1d9ee Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Tue, 15 Nov 2016 09:20:24 +0100
-Subject: [PATCH 05/10] separate the limiting from the namespaced cgroup root
+Subject: [PATCH 4/8] separate the limiting from the namespaced cgroup root
 
 When cgroup namespaces are enabled a privileged container
 with mixed cgroups has full write access to its own root
@@ -22,8 +22,8 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  src/lxc/commands.c          | 76 ++++++++++++++++++++++++++++++++++---------
  src/lxc/commands.h          |  2 ++
  src/lxc/criu.c              |  4 +--
- src/lxc/start.c             | 21 ++++++++++--
- 9 files changed, 201 insertions(+), 58 deletions(-)
+ src/lxc/start.c             | 27 ++++++++++++----
+ 9 files changed, 204 insertions(+), 61 deletions(-)
 
 diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
 index bcbd6613..573ccb25 100644
@@ -96,7 +96,7 @@ index bcbd6613..573ccb25 100644
  		return false;
  
 diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index fe3fd706..896e6da9 100644
+index 897336f0..81c589e0 100644
 --- a/src/lxc/cgroups/cgfsng.c
 +++ b/src/lxc/cgroups/cgfsng.c
 @@ -77,6 +77,7 @@ struct hierarchy {
@@ -115,7 +115,7 @@ index fe3fd706..896e6da9 100644
  
  	/* record if this is the cgroup v2 hierarchy */
  	if (!strcmp(base_cgroup, "cgroup2"))
-@@ -1300,6 +1302,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
+@@ -1302,6 +1304,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
  				free(h->fullcgpath);
  				h->fullcgpath = NULL;
  			}
@@ -124,7 +124,7 @@ index fe3fd706..896e6da9 100644
  		}
  	}
  
-@@ -1317,18 +1321,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
+@@ -1319,18 +1323,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
  	return &cgfsng_ops;
  }
  
@@ -156,7 +156,7 @@ index fe3fd706..896e6da9 100644
  }
  
  static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
-@@ -1339,11 +1350,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
+@@ -1341,11 +1352,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
  	h->fullcgpath = NULL;
  }
  
@@ -185,7 +185,7 @@ index fe3fd706..896e6da9 100644
  {
  	int i;
  	size_t len;
-@@ -1355,9 +1382,15 @@ static inline bool cgfsng_create(void *hdata)
+@@ -1357,9 +1384,15 @@ static inline bool cgfsng_create(void *hdata)
  		return false;
  
  	if (d->container_cgroup) {
@@ -201,7 +201,7 @@ index fe3fd706..896e6da9 100644
  
  	if (d->cgroup_meta.dir)
  		tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false);
-@@ -1393,7 +1426,7 @@ again:
+@@ -1395,7 +1428,7 @@ again:
  		}
  	}
  	for (i = 0; hierarchies[i]; i++) {
@@ -210,7 +210,7 @@ index fe3fd706..896e6da9 100644
  			int j;
  			ERROR("Failed to create \"%s\"", hierarchies[i]->fullcgpath);
  			free(hierarchies[i]->fullcgpath);
-@@ -1413,7 +1446,7 @@ out_free:
+@@ -1415,7 +1448,7 @@ out_free:
  	return false;
  }
  
@@ -219,7 +219,7 @@ index fe3fd706..896e6da9 100644
  {
  	char pidstr[25];
  	int i, len;
-@@ -1423,7 +1456,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1425,7 +1458,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
  		return false;
  
  	for (i = 0; hierarchies[i]; i++) {
@@ -234,7 +234,7 @@ index fe3fd706..896e6da9 100644
  						"cgroup.procs", NULL);
  		if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) {
  			SYSERROR("Failed to enter %s", fullpath);
-@@ -1439,6 +1478,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1441,6 +1480,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
  struct chown_data {
  	struct cgfsng_handler_data *d;
  	uid_t origuid; /* target uid in parent namespace */
@@ -242,7 +242,7 @@ index fe3fd706..896e6da9 100644
  };
  
  /*
-@@ -1467,13 +1507,20 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1469,13 +1509,20 @@ static int chown_cgroup_wrapper(void *data)
  	for (i = 0; hierarchies[i]; i++) {
  		char *fullpath, *path = hierarchies[i]->fullcgpath;
  
@@ -263,7 +263,7 @@ index fe3fd706..896e6da9 100644
  			return -1;
  		}
  
-@@ -1499,12 +1546,14 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1501,12 +1548,14 @@ static int chown_cgroup_wrapper(void *data)
  		if (chmod(fullpath, 0664) < 0)
  			WARN("Error chmoding %s: %s", path, strerror(errno));
  		free(fullpath);
@@ -279,7 +279,7 @@ index fe3fd706..896e6da9 100644
  {
  	struct cgfsng_handler_data *d = hdata;
  	struct chown_data wrap;
-@@ -1517,6 +1566,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
+@@ -1519,6 +1568,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
  
  	wrap.d = d;
  	wrap.origuid = geteuid();
@@ -287,7 +287,7 @@ index fe3fd706..896e6da9 100644
  
  	if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap,
  			  "chown_cgroup_wrapper") < 0) {
-@@ -1813,12 +1863,15 @@ static bool cgfsng_unfreeze(void *hdata)
+@@ -1815,12 +1865,15 @@ static bool cgfsng_unfreeze(void *hdata)
  	return true;
  }
  
@@ -304,7 +304,7 @@ index fe3fd706..896e6da9 100644
  	return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL;
  }
  
-@@ -1846,7 +1899,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
+@@ -1848,7 +1901,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
  		char *path, *fullpath;
  		struct hierarchy *h = hierarchies[i];
  
@@ -623,7 +623,7 @@ index 28428c77..9557dcaa 100644
  extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
  extern char *lxc_cmd_get_name(const char *hashed_sock);
 diff --git a/src/lxc/criu.c b/src/lxc/criu.c
-index 676d759d..1dd41473 100644
+index 96688edc..539ae8bd 100644
 --- a/src/lxc/criu.c
 +++ b/src/lxc/criu.c
 @@ -324,7 +324,7 @@ static void exec_criu(struct criu_opts *opts)
@@ -645,10 +645,10 @@ index 676d759d..1dd41473 100644
  		goto out_fini_handler;
  	}
 diff --git a/src/lxc/start.c b/src/lxc/start.c
-index 1370d681..b653a157 100644
+index a6a40c72..920f3c23 100644
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
-@@ -1196,7 +1196,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1217,7 +1217,7 @@ static int lxc_spawn(struct lxc_handler *handler)
  
  	cgroups_connected = true;
  
@@ -657,7 +657,7 @@ index 1370d681..b653a157 100644
  		ERROR("Failed creating cgroups.");
  		goto out_delete_net;
  	}
-@@ -1275,10 +1275,10 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1292,10 +1292,10 @@ static int lxc_spawn(struct lxc_handler *handler)
  		goto out_delete_net;
  	}
  
@@ -669,8 +669,17 @@ index 1370d681..b653a157 100644
 +	if (!cgroup_chown(handler, false))
  		goto out_delete_net;
  
- 	if (failed_before_rename)
-@@ -1333,6 +1333,21 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 	handler->netnsfd = lxc_preserve_ns(handler->pid, "net");
+@@ -1338,15 +1338,30 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 		goto out_delete_net;
+ 	}
+ 
+-	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+-		goto out_delete_net;
+-
+ 	if (!cgroup_setup_limits(handler, true)) {
+ 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
+ 		goto out_delete_net;
  	}
  	TRACE("Set up cgroup device limits");
  
@@ -688,6 +697,9 @@ index 1370d681..b653a157 100644
 +			goto out_delete_net;
 +		}
 +	}
++
++	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
++		goto out_delete_net;
 +
  	cgroup_disconnect();
  	cgroups_connected = false;

debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch

@@ -1,7 +1,7 @@
-From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001
+From ef58cfcf70fbe666acee0c407f77a22eeb1eec4f Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Wed, 16 Nov 2016 09:53:42 +0100
-Subject: [PATCH 06/10] start/initutils: make cgroupns separation level
+Subject: [PATCH 5/8] start/initutils: make cgroupns separation level
  configurable
 
 Adds a new global config variable `lxc.cgroup.separate`
@@ -57,10 +57,10 @@ index c021fd61..443ad026 100644
  extern void lxc_setup_fs(void);
  extern const char *lxc_global_config_value(const char *option_name);
 diff --git a/src/lxc/start.c b/src/lxc/start.c
-index b653a157..4fec27b9 100644
+index 920f3c23..89e9be96 100644
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
-@@ -1334,17 +1334,20 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1345,17 +1345,20 @@ static int lxc_spawn(struct lxc_handler *handler)
  	TRACE("Set up cgroup device limits");
  
  	if (cgns_supported()) {

debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch

@@ -1,7 +1,7 @@
-From d80258c750c52470389056c212a0eb5f0901dd7b Mon Sep 17 00:00:00 2001
+From 1341290e8af87aab15e844abb1a1451cb21ec275 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 23 Dec 2016 15:57:24 +0100
-Subject: [PATCH 07/10] rename cgroup namespace directory to ns
+Subject: [PATCH 6/8] rename cgroup namespace directory to ns
 
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---

debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch

@@ -1,32 +1,21 @@
-From 9f5dc10171f3546530a326b8d427683109fd2818 Mon Sep 17 00:00:00 2001
+From 6811fb42be10c4eaf026be35914c546a95520b9e Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 10 Feb 2017 10:23:36 +0100
-Subject: [PATCH 08/10] possibility to run lxc-monitord as a regular daemon
+Date: Mon, 20 Nov 2017 10:49:41 +0100
+Subject: [PATCH 7/8] possibility to run lxc-monitord as a regular daemon
 
-This includes an lxc-monitord.service, required by
-lxc@.service which is now of Type=forking.
-
-Previously the init process' output was dumped into the log
-files since the service used Type=simple and
-StandardOutput/Error=syslog. Using lxc-start's daemon mode
-on the other hand used a wait call spawning an lxc-monitord
-in the background which could potentially stick around
-forever if there were clients connected to it. Since it was
-considered part of the lxc@foo.service unit by systemd this
-also meant the unit was considered active until not only the
-container but also lxc-monitord exited.
-This is now corrected by creating a separate lxc-monitord
-unit which lxc@.service depends on.
+lxc-monitord instances are spawned on demand and, if this
+happens from a service, the daemon is considered part of
+it by systemd, as it is running in the same cgroups. This
+can be avoided by leaving it running permanently.
 
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
  config/init/systemd/Makefile.am             | 10 +++--
  config/init/systemd/lxc-monitord.service.in | 12 ++++++
- config/init/systemd/lxc@.service.in         |  7 ++--
  configure.ac                                |  1 +
  lxc.spec.in                                 |  1 +
  src/lxc/lxc_monitord.c                      | 60 +++++++++++++++++++++--------
- 6 files changed, 67 insertions(+), 24 deletions(-)
+ 5 files changed, 63 insertions(+), 21 deletions(-)
  create mode 100644 config/init/systemd/lxc-monitord.service.in
 
 diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
@@ -77,32 +66,8 @@ index 00000000..40635168
 +
 +[Install]
 +WantedBy=multi-user.target
-diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
-index 98d5a3a7..4ee90b21 100644
---- a/config/init/systemd/lxc@.service.in
-+++ b/config/init/systemd/lxc@.service.in
-@@ -1,15 +1,16 @@
- [Unit]
- Description=LXC Container: %i
- # This pulls in apparmor, dev-setup, lxc-net
--After=lxc.service
-+After=lxc.service lxc-monitord.service
- Wants=lxc.service
-+Requires=lxc-monitord.service
- Documentation=man:lxc-start man:lxc
- 
- [Service]
--Type=simple
-+Type=forking
- KillMode=mixed
- TimeoutStopSec=120s
--ExecStart=@BINDIR@/lxc-start -F -n %i
-+ExecStart=@BINDIR@/lxc-start -n %i
- ExecStop=@BINDIR@/lxc-stop -n %i
- # Environment=BOOTUP=serial
- # Environment=CONSOLETYPE=serial
 diff --git a/configure.ac b/configure.ac
-index 35fe7964..d34eda1e 100644
+index 5566d298..31822e58 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -709,6 +709,7 @@ AC_CONFIG_FILES([

debian/patches/0008-Make-lxc-.service-forking.patch

@@ -0,0 +1,40 @@
+From 2001f560675efca7d6dcabe8fb8b376442d5d6d0 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 20 Nov 2017 10:51:36 +0100
+Subject: [PATCH 8/8] Make lxc@.service forking
+
+Previously the init process' output was dumped into the log
+files since the service used Type=simple and
+StandardOutput/Error=syslog.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ config/init/systemd/lxc@.service.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
+index a2aa2211..f312763c 100644
+--- a/config/init/systemd/lxc@.service.in
++++ b/config/init/systemd/lxc@.service.in
+@@ -1,15 +1,15 @@
+ [Unit]
+ Description=LXC Container: %i
+ # This pulls in apparmor, dev-setup, lxc-net
+-After=lxc.service
++After=lxc.service lxc-monitord.service
+ Wants=lxc.service
+ Documentation=man:lxc-start man:lxc
+ 
+ [Service]
+-Type=simple
++Type=forking
+ KillMode=mixed
+ TimeoutStopSec=120s
+-ExecStart=@BINDIR@/lxc-start -F -n %i
++ExecStart=@BINDIR@/lxc-start -n %i
+ ExecStop=@BINDIR@/lxc-stop -n %i
+ # Environment=BOOTUP=serial
+ # Environment=CONSOLETYPE=serial
+-- 
+2.11.0
+

debian/patches/0009-network-add-missing-checks-for-empty-links.patch

@@ -1,35 +0,0 @@
-From c1c1e55305a06786ee3dd938e421ca413db73dd1 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 6 Sep 2017 11:51:03 +0200
-Subject: [PATCH 09/10] network: add missing checks for empty links
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/network.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lxc/network.c b/src/lxc/network.c
-index 3c0597c7..0ad42318 100644
---- a/src/lxc/network.c
-+++ b/src/lxc/network.c
-@@ -2355,7 +2355,7 @@ bool lxc_delete_network_unpriv(struct lxc_handler *handler)
- 		if (netdev->type != LXC_NET_VETH)
- 			continue;
- 
--		if (!is_ovs_bridge(netdev->link))
-+		if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link))
- 			continue;
- 
- 		if (netdev->priv.veth_attr.pair[0] != '\0')
-@@ -2564,7 +2564,7 @@ bool lxc_delete_network_priv(struct lxc_handler *handler)
- 		}
- 		INFO("Removed interface \"%s\" from \"%s\"", hostveth, netdev->link);
- 
--		if (!is_ovs_bridge(netdev->link)) {
-+		if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) {
- 			netdev->priv.veth_attr.veth1[0] = '\0';
- 			continue;
- 		}
--- 
-2.11.0
-

debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch

@@ -1,45 +0,0 @@
-From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 19 Sep 2017 10:00:43 +0200
-Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits
-
-Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
-introduced another sync step before the cgroup device
-limits, but in order for cgroup namespace separation to work
-these limits must be setup before creating the separation
-directory, which means we need to move the unshare to after
-setting up the limits.
-
-Fixup-for: separate the limiting from the namespaced cgroup root
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/start.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/lxc/start.c b/src/lxc/start.c
-index 4fec27b9..7715f64f 100644
---- a/src/lxc/start.c
-+++ b/src/lxc/start.c
-@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
- 		goto out_delete_net;
- 	}
- 
--	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
--		goto out_delete_net;
--
- 	if (!cgroup_setup_limits(handler, true)) {
- 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
- 		goto out_delete_net;
-@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
- 		}
- 	}
- 
-+	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
-+		goto out_delete_net;
-+
- 	cgroup_disconnect();
- 	cgroups_connected = false;
- 
--- 
-2.11.0
-

debian/patches/series

@@ -1,10 +1,8 @@
 0001-lxc.service-start-after-a-potential-syslog.service.patch
-0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
-0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
-0004-deny-rw-mounting-of-sys-and-proc.patch
-0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
-0006-start-initutils-make-cgroupns-separation-level-confi.patch
-0007-rename-cgroup-namespace-directory-to-ns.patch
-0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
-0009-network-add-missing-checks-for-empty-links.patch
-0010-start-unshare-cgroup-after-setting-up-device-limits.patch
+0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch
+0003-deny-rw-mounting-of-sys-and-proc.patch
+0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
+0005-start-initutils-make-cgroupns-separation-level-confi.patch
+0006-rename-cgroup-namespace-directory-to-ns.patch
+0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
+0008-Make-lxc-.service-forking.patch

lxc

@@ -0,0 +1 @@
+Subproject commit 31546ced8a4cbed1455568934b59e3ba64bfcb63