diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..90a83b1 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "lxc"] + path = lxc + url = ../mirror_lxc diff --git a/Makefile b/Makefile index d88440b..844b9c0 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,9 @@ PACKAGE=lxc-pve -LXCVER=2.1.0 -DEBREL=2 +LXCVER=2.1.1 +DEBREL=1 SRCDIR=lxc -SRCTAR=${SRCDIR}.tgz +BUILDSRC := $(SRCDIR).tmp ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH) GITVERSION:=$(shell cat .git/refs/heads/master) @@ -16,24 +16,22 @@ DEBS=$(DEB1) $(DEB2) all: ${DEBS} echo ${DEBS} +.PHONY: submodule +submodule: + test -f "${SRCDIR}/debian/changelog" || git submodule update --init + .PHONY: deb deb: ${DEBS} $(DEB2): $(DEB1) -$(DEB1): ${SRCTAR} - rm -rf ${SRCDIR} - tar xf ${SRCTAR} - cp -a debian ${SRCDIR}/debian - echo "git clone git://git.proxmox.com/git/lxc.git\\ngit checkout ${GITVERSION}" > ${SRCDIR}/debian/SOURCE - cd ${SRCDIR}; dpkg-buildpackage -rfakeroot -b -us -uc - lintian ${DEBS} - - -.PHONY: download -download ${SRCTAR}: - rm -rf ${SRCDIR} ${SRCTAR} - git clone -b lxc-${LXCVER} git://github.com/lxc/lxc - tar czf ${SRCTAR}.tmp ${SRCDIR} - mv ${SRCTAR}.tmp ${SRCTAR} +$(DEB1): | submodule + rm -f *.deb + rm -rf $(BUILDSRC) + mkdir $(BUILDSRC) + cp -a $(SRCDIR)/* $(BUILDSRC)/ + cp -a debian $(BUILDSRC)/debian + echo "git clone git://git.proxmox.com/git/lxc.git\\ngit checkout $(GITVERSION)" > $(BUILDSRC)/debian/SOURCE + cd $(BUILDSRC); dpkg-buildpackage -rfakeroot -b -us -uc + lintian $(DEBS) .PHONY: upload upload: ${DEBS} @@ -43,8 +41,7 @@ distclean: clean .PHONY: clean clean: - rm -rf ${SRCDIR} ${SRCDIR}.tmp *_${ARCH}.deb *.changes *.dsc *.buildinfo - find . -name '*~' -exec rm {} ';' + rm -rf $(BUILDSRC) *_${ARCH}.deb *.changes *.dsc *.buildinfo .PHONY: dinstall dinstall: ${DEBS} diff --git a/debian/changelog b/debian/changelog index f732750..684d184 100644 --- a/debian/changelog +++ b/debian/changelog 
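Review bot: The `submodule` guard in the second Makefile hunk tests for `${SRCDIR}/debian/changelog`, yet the `$(DEB1)` recipe below it copies the packaging's own `debian/` into `$(BUILDSRC)`, which suggests the lxc checkout carries no debian directory; if so the test never succeeds and `git submodule update --init` runs on every build (and would reset a locally modified submodule). A file that belongs to the upstream tree, e.g. `test -f "${SRCDIR}/configure.ac" || git submodule update --init`, would make the guard effective — confirm against the mirror's contents. Separately, `LXCVER=2.1.1` is no longer tied to the source: the removed `download` target checked out tag `lxc-${LXCVER}`, while the new recipe builds whatever commit the `lxc` gitlink records, so a one-line check in the `submodule` target such as `test "$$(git -C $(SRCDIR) describe --tags --exact-match)" = "lxc-$(LXCVER)"` would catch a version bump that forgot to move the submodule (assuming the mirror keeps upstream's `lxc-X.Y.Z` tags).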
@@ -1,3 +1,9 @@ +lxc (2.1.1-1) unstable; urgency=medium + + * update to lxc-2.1.1 + + -- Proxmox Support Team Mon, 20 Nov 2017 11:18:38 +0100 + lxc (2.1.0-2) unstable; urgency=medium * update cgroup namespace separation for conflicting changes in 2.1.0 diff --git a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch index 1a1c6f4..3050937 100644 --- a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch +++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch @@ -1,7 +1,7 @@ -From 674c54165393b3ad0059f4a5c5d1e1505eea9114 Mon Sep 17 00:00:00 2001 +From 92f2489b28e79f7a67f45bc698f1d61785a6537d Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:13:40 +0100 -Subject: [PATCH 01/10] lxc.service: start after a potential syslog.service +Subject: [PATCH 1/8] lxc.service: start after a potential syslog.service Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch deleted file mode 100644 index 6d987c0..0000000 --- a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From a5ee14df834c008294b790d96982a1fea36c807a Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Fri, 10 Feb 2017 09:14:55 +0100 -Subject: [PATCH 02/10] jessie/systemd: remove Delegate flag to silence - warnings - -Signed-off-by: Wolfgang Bumiller ---- - config/init/systemd/lxc.service.in | 1 - - config/init/systemd/lxc@.service.in | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in -index 77541917..bdd58283 100644 ---- a/config/init/systemd/lxc.service.in -+++ b/config/init/systemd/lxc.service.in -@@ -12,7 +12,6 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-containers start - ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop - # Environment=BOOTUP=serial - # Environment=CONSOLETYPE=serial --Delegate=yes - StandardOutput=syslog - StandardError=syslog - -diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in -index a2aa2211..98d5a3a7 100644 ---- a/config/init/systemd/lxc@.service.in -+++ b/config/init/systemd/lxc@.service.in -@@ -13,7 +13,6 @@ ExecStart=@BINDIR@/lxc-start -F -n %i - ExecStop=@BINDIR@/lxc-stop -n %i - # Environment=BOOTUP=serial - # Environment=CONSOLETYPE=serial --Delegate=yes - StandardOutput=syslog - StandardError=syslog - --- -2.11.0 - diff --git a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch b/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch similarity index 83% rename from debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch rename to debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch index 7f683cd..a767784 100644 --- a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch +++ b/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch @@ -1,7 +1,7 @@ -From 84da55875d3a9468957fe0f0012ea2b39b9f7785 Mon Sep 17 00:00:00 2001 +From 6aecf604cf28c5164f3d957b0ad33bf03527fa26 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:15:37 +0100 -Subject: [PATCH 03/10] pve: run lxcnetaddbr when instantiating veths +Subject: [PATCH 2/8] pve: run lxcnetaddbr when instantiating veths FIXME: Why aren't we using regular up-scripts? @@ -11,7 +11,7 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 5 insertions(+) diff --git a/src/lxc/network.c b/src/lxc/network.c -index a7f054e7..3c0597c7 100644 +index 909b7e58..c9b510f6 100644 --- a/src/lxc/network.c +++ b/src/lxc/network.c @@ -208,6 +208,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd diff --git a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch similarity index 90% rename from debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch rename to debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch index 2657a9e..ffb903e 100644 --- a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch @@ -1,7 +1,7 @@ -From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001 +From 8c695baaff8d18a87233ffc119e8fd0495819dbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Nov 2016 09:14:26 +0100 -Subject: [PATCH 04/10] deny rw mounting of /sys and /proc +Subject: [PATCH 3/8] deny rw mounting of /sys and /proc this would allow root in a privileged container to change the permissions of /sys on the host, which could lock out @@ -14,10 +14,10 @@ if a rw /sys is desired, set "lxc.mount.auto" accordingly 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base -index 06290de2..779aadd4 100644 +index a5e6c35f..4c3a4ba8 100644 --- a/config/apparmor/abstractions/container-base 
+++ b/config/apparmor/abstractions/container-base -@@ -84,7 +84,6 @@ +@@ -82,7 +82,6 @@ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, @@ -25,7 +25,7 @@ index 06290de2..779aadd4 100644 deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, -@@ -93,6 +92,11 @@ +@@ -91,6 +90,11 @@ # deny reads from debugfs deny /sys/kernel/debug/{,**} rwklx, @@ -38,10 +38,10 @@ index 06290de2..779aadd4 100644 # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. # mount options=(rw,make-slave) -> **, diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in -index 5bc9b28b..5c8e441f 100644 +index 16529bbf..54f9ddf0 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in -@@ -84,7 +84,6 @@ +@@ -82,7 +82,6 @@ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, @@ -49,7 +49,7 @@ index 5bc9b28b..5c8e441f 100644 deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, -@@ -93,6 +92,11 @@ +@@ -91,6 +90,11 @@ # deny reads from debugfs deny /sys/kernel/debug/{,**} rwklx, diff --git a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch b/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch similarity index 92% rename from debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch rename to debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch index 6120cef..fd6f4be 100644 --- a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch 
+++ b/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch @@ -1,7 +1,7 @@ -From 9152a996a7413e1dc7dc3cb6c64af20cdf0389be Mon Sep 17 00:00:00 2001 +From 6ebdc24c00b4dee75aebef3136469a5297e1d9ee Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 15 Nov 2016 09:20:24 +0100 -Subject: [PATCH 05/10] separate the limiting from the namespaced cgroup root +Subject: [PATCH 4/8] separate the limiting from the namespaced cgroup root When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root @@ -22,8 +22,8 @@ Signed-off-by: Wolfgang Bumiller src/lxc/commands.c | 76 ++++++++++++++++++++++++++++++++++--------- src/lxc/commands.h | 2 ++ src/lxc/criu.c | 4 +-- - src/lxc/start.c | 21 ++++++++++-- - 9 files changed, 201 insertions(+), 58 deletions(-) + src/lxc/start.c | 27 ++++++++++++---- + 9 files changed, 204 insertions(+), 61 deletions(-) diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c index bcbd6613..573ccb25 100644 @@ -96,7 +96,7 @@ index bcbd6613..573ccb25 100644 return false; diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index fe3fd706..896e6da9 100644 +index 897336f0..81c589e0 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -77,6 +77,7 @@ struct hierarchy { @@ -115,7 +115,7 @@ index fe3fd706..896e6da9 100644 /* record if this is the cgroup v2 hierarchy */ if (!strcmp(base_cgroup, "cgroup2")) -@@ -1300,6 +1302,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) +@@ -1302,6 +1304,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) free(h->fullcgpath); h->fullcgpath = NULL; } @@ -124,7 +124,7 @@ index fe3fd706..896e6da9 100644 } } -@@ -1317,18 +1321,25 @@ struct cgroup_ops *cgfsng_ops_init(void) +@@ -1319,18 +1323,25 @@ struct cgroup_ops *cgfsng_ops_init(void) return &cgfsng_ops; } 
@@ -156,7 +156,7 @@ index fe3fd706..896e6da9 100644 } static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) -@@ -1339,11 +1350,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) +@@ -1341,11 +1352,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) h->fullcgpath = NULL; } @@ -185,7 +185,7 @@ index fe3fd706..896e6da9 100644 { int i; size_t len; -@@ -1355,9 +1382,15 @@ static inline bool cgfsng_create(void *hdata) +@@ -1357,9 +1384,15 @@ static inline bool cgfsng_create(void *hdata) return false; if (d->container_cgroup) { @@ -201,7 +201,7 @@ index fe3fd706..896e6da9 100644 if (d->cgroup_meta.dir) tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false); -@@ -1393,7 +1426,7 @@ again: +@@ -1395,7 +1428,7 @@ again: } } for (i = 0; hierarchies[i]; i++) { @@ -210,7 +210,7 @@ index fe3fd706..896e6da9 100644 int j; ERROR("Failed to create \"%s\"", hierarchies[i]->fullcgpath); free(hierarchies[i]->fullcgpath); -@@ -1413,7 +1446,7 @@ out_free: +@@ -1415,7 +1448,7 @@ out_free: return false; } @@ -219,7 +219,7 @@ index fe3fd706..896e6da9 100644 { char pidstr[25]; int i, len; -@@ -1423,7 +1456,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid) +@@ -1425,7 +1458,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid) return false; for (i = 0; hierarchies[i]; i++) { @@ -234,7 +234,7 @@ index fe3fd706..896e6da9 100644 "cgroup.procs", NULL); if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { SYSERROR("Failed to enter %s", fullpath); -@@ -1439,6 +1478,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid) +@@ -1441,6 +1480,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid) struct chown_data { struct cgfsng_handler_data *d; uid_t origuid; /* target uid in parent namespace */ 
@@ -242,7 +242,7 @@ index fe3fd706..896e6da9 100644 }; /* -@@ -1467,13 +1507,20 @@ static int chown_cgroup_wrapper(void *data) +@@ -1469,13 +1509,20 @@ static int chown_cgroup_wrapper(void *data) for (i = 0; hierarchies[i]; i++) { char *fullpath, *path = hierarchies[i]->fullcgpath; @@ -263,7 +263,7 @@ index fe3fd706..896e6da9 100644 return -1; } -@@ -1499,12 +1546,14 @@ static int chown_cgroup_wrapper(void *data) +@@ -1501,12 +1548,14 @@ static int chown_cgroup_wrapper(void *data) if (chmod(fullpath, 0664) < 0) WARN("Error chmoding %s: %s", path, strerror(errno)); free(fullpath); @@ -279,7 +279,7 @@ index fe3fd706..896e6da9 100644 { struct cgfsng_handler_data *d = hdata; struct chown_data wrap; -@@ -1517,6 +1566,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) +@@ -1519,6 +1568,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) wrap.d = d; wrap.origuid = geteuid(); @@ -287,7 +287,7 @@ index fe3fd706..896e6da9 100644 if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, "chown_cgroup_wrapper") < 0) { -@@ -1813,12 +1863,15 @@ static bool cgfsng_unfreeze(void *hdata) +@@ -1815,12 +1865,15 @@ static bool cgfsng_unfreeze(void *hdata) return true; } @@ -304,7 +304,7 @@ index fe3fd706..896e6da9 100644 return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL; } -@@ -1846,7 +1899,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) +@@ -1848,7 +1901,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) char *path, *fullpath; struct hierarchy *h = hierarchies[i]; @@ -623,7 +623,7 @@ index 28428c77..9557dcaa 100644 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath); extern char *lxc_cmd_get_name(const char *hashed_sock); diff --git a/src/lxc/criu.c b/src/lxc/criu.c -index 676d759d..1dd41473 100644 +index 96688edc..539ae8bd 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -324,7 +324,7 @@ static void exec_criu(struct criu_opts *opts) 
@@ -645,10 +645,10 @@ index 676d759d..1dd41473 100644 goto out_fini_handler; } diff --git a/src/lxc/start.c b/src/lxc/start.c -index 1370d681..b653a157 100644 +index a6a40c72..920f3c23 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1196,7 +1196,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1217,7 +1217,7 @@ static int lxc_spawn(struct lxc_handler *handler) cgroups_connected = true; @@ -657,7 +657,7 @@ index 1370d681..b653a157 100644 ERROR("Failed creating cgroups."); goto out_delete_net; } -@@ -1275,10 +1275,10 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1292,10 +1292,10 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } @@ -669,8 +669,17 @@ index 1370d681..b653a157 100644 + if (!cgroup_chown(handler, false)) goto out_delete_net; - if (failed_before_rename) -@@ -1333,6 +1333,21 @@ static int lxc_spawn(struct lxc_handler *handler) + handler->netnsfd = lxc_preserve_ns(handler->pid, "net"); +@@ -1338,15 +1338,30 @@ static int lxc_spawn(struct lxc_handler *handler) + goto out_delete_net; + } + +- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE)) +- goto out_delete_net; +- + if (!cgroup_setup_limits(handler, true)) { + ERROR("Failed to setup the devices cgroup for container \"%s\".", name); + goto out_delete_net; } TRACE("Set up cgroup device limits"); @@ -688,6 +697,9 @@ index 1370d681..b653a157 100644 + goto out_delete_net; + } + } ++ ++ if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE)) ++ goto out_delete_net; + cgroup_disconnect(); cgroups_connected = false; diff --git a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch b/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch similarity index 93% rename from debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch rename to debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch index 64aefaf..01166e3 100644 
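Review bot: The `LXC_SYNC_CGROUP_UNSHARE` barrier move that this patch now carries in its last start.c hunk (`@@ -1338,15 +1338,30 @@`) is not explained anywhere in the patch: the header hunk still describes only the limiting/namespaced-root split, and the rationale — the device limits must be applied before the separation directory is created, so the child's cgroup unshare has to wait until after them — lived only in the commit message of the deleted `0010-start-unshare-cgroup-after-setting-up-device-limits.patch`. A short paragraph in the patch description, or a comment above the moved call such as `/* device cgroup limits must be in place before the child unshares its cgroup namespace, so this barrier has to follow cgroup_setup_limits() */`, would keep that reasoning from being lost in the next rebase. The surrounding `lxc_spawn()` body, including the `out_delete_net` cleanup path, lies outside the hunk.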
--- a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch +++ b/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch @@ -1,7 +1,7 @@ -From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001 +From ef58cfcf70fbe666acee0c407f77a22eeb1eec4f Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 16 Nov 2016 09:53:42 +0100 -Subject: [PATCH 06/10] start/initutils: make cgroupns separation level +Subject: [PATCH 5/8] start/initutils: make cgroupns separation level configurable Adds a new global config variable `lxc.cgroup.separate` @@ -57,10 +57,10 @@ index c021fd61..443ad026 100644 extern void lxc_setup_fs(void); extern const char *lxc_global_config_value(const char *option_name); diff --git a/src/lxc/start.c b/src/lxc/start.c -index b653a157..4fec27b9 100644 +index 920f3c23..89e9be96 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1334,17 +1334,20 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1345,17 +1345,20 @@ static int lxc_spawn(struct lxc_handler *handler) TRACE("Set up cgroup device limits"); if (cgns_supported()) { diff --git a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch b/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch similarity index 84% rename from debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch rename to debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch index de90acb..3f5a5c8 100644 --- a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch +++ b/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch @@ -1,7 +1,7 @@ -From d80258c750c52470389056c212a0eb5f0901dd7b Mon Sep 17 00:00:00 2001 +From 1341290e8af87aab15e844abb1a1451cb21ec275 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 23 Dec 2016 15:57:24 +0100 -Subject: [PATCH 07/10] rename cgroup namespace directory to ns +Subject: [PATCH 6/8] rename cgroup namespace directory to ns 
Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch b/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch similarity index 77% rename from debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch rename to debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch index e589e88..63ef5d2 100644 --- a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch +++ b/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch @@ -1,32 +1,21 @@ -From 9f5dc10171f3546530a326b8d427683109fd2818 Mon Sep 17 00:00:00 2001 +From 6811fb42be10c4eaf026be35914c546a95520b9e Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller -Date: Fri, 10 Feb 2017 10:23:36 +0100 -Subject: [PATCH 08/10] possibility to run lxc-monitord as a regular daemon +Date: Mon, 20 Nov 2017 10:49:41 +0100 +Subject: [PATCH 7/8] possibility to run lxc-monitord as a regular daemon -This includes an lxc-monitord.service, required by -lxc@.service which is now of Type=forking. - -Previously the init process' output was dumped into the log -files since the service used Type=simple and -StandardOutput/Error=syslog. Using lxc-start's daemon mode -on the other hand used a wait call spawning an lxc-monitord -in the background which could potentially stick around -forever if there were clients connected to it. Since it was -considered part of the lxc@foo.service unit by systemd this -also meant the unit was considered active until not only the -container but also lxc-monitord exited. -This is now corrected by creating a separate lxc-monitord -unit which lxc@.service depends on. +lxc-monitord instances are spawned on demand and, if this +happens from a service, the daemon is considered part of +it by systemd, as it is running in the same cgroups. This +can be avoided by leaving it running permanently. 
Signed-off-by: Wolfgang Bumiller --- config/init/systemd/Makefile.am | 10 +++-- config/init/systemd/lxc-monitord.service.in | 12 ++++++ - config/init/systemd/lxc@.service.in | 7 ++-- configure.ac | 1 + lxc.spec.in | 1 + src/lxc/lxc_monitord.c | 60 +++++++++++++++++++++-------- - 6 files changed, 67 insertions(+), 24 deletions(-) + 5 files changed, 63 insertions(+), 21 deletions(-) create mode 100644 config/init/systemd/lxc-monitord.service.in diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am @@ -77,32 +66,8 @@ index 00000000..40635168 + +[Install] +WantedBy=multi-user.target -diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in -index 98d5a3a7..4ee90b21 100644 ---- a/config/init/systemd/lxc@.service.in -+++ b/config/init/systemd/lxc@.service.in -@@ -1,15 +1,16 @@ - [Unit] - Description=LXC Container: %i - # This pulls in apparmor, dev-setup, lxc-net --After=lxc.service -+After=lxc.service lxc-monitord.service - Wants=lxc.service -+Requires=lxc-monitord.service - Documentation=man:lxc-start man:lxc - - [Service] --Type=simple -+Type=forking - KillMode=mixed - TimeoutStopSec=120s --ExecStart=@BINDIR@/lxc-start -F -n %i -+ExecStart=@BINDIR@/lxc-start -n %i - ExecStop=@BINDIR@/lxc-stop -n %i - # Environment=BOOTUP=serial - # Environment=CONSOLETYPE=serial diff --git a/configure.ac b/configure.ac -index 35fe7964..d34eda1e 100644 +index 5566d298..31822e58 100644 --- a/configure.ac +++ b/configure.ac @@ -709,6 +709,7 @@ AC_CONFIG_FILES([ diff --git a/debian/patches/0008-Make-lxc-.service-forking.patch b/debian/patches/0008-Make-lxc-.service-forking.patch new file mode 100644 index 0000000..7431ca1 --- /dev/null +++ b/debian/patches/0008-Make-lxc-.service-forking.patch 
@@ -0,0 +1,40 @@ +From 2001f560675efca7d6dcabe8fb8b376442d5d6d0 Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Mon, 20 Nov 2017 10:51:36 +0100 +Subject: [PATCH 8/8] Make lxc@.service forking + +Previously the init process' output was dumped into the log +files since the service used Type=simple and +StandardOutput/Error=syslog. + +Signed-off-by: Wolfgang Bumiller +--- + config/init/systemd/lxc@.service.in | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in +index a2aa2211..f312763c 100644 +--- a/config/init/systemd/lxc@.service.in ++++ b/config/init/systemd/lxc@.service.in +@@ -1,15 +1,15 @@ + [Unit] + Description=LXC Container: %i + # This pulls in apparmor, dev-setup, lxc-net +-After=lxc.service ++After=lxc.service lxc-monitord.service + Wants=lxc.service + Documentation=man:lxc-start man:lxc + + [Service] +-Type=simple ++Type=forking + KillMode=mixed + TimeoutStopSec=120s +-ExecStart=@BINDIR@/lxc-start -F -n %i ++ExecStart=@BINDIR@/lxc-start -n %i + ExecStop=@BINDIR@/lxc-stop -n %i + # Environment=BOOTUP=serial + # Environment=CONSOLETYPE=serial +-- +2.11.0 + diff --git a/debian/patches/0009-network-add-missing-checks-for-empty-links.patch b/debian/patches/0009-network-add-missing-checks-for-empty-links.patch deleted file mode 100644 index ee3966e..0000000 --- a/debian/patches/0009-network-add-missing-checks-for-empty-links.patch +++ /dev/null 
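Review bot: The new `lxc@.service.in` hunk in this patch adds `After=lxc.service lxc-monitord.service` but not the `Requires=lxc-monitord.service` line that the hunk removed from 0007 carried, so nothing pulls in `lxc-monitord.service` when a container unit starts. `After=` only orders units that are otherwise scheduled; if the monitord service is not enabled, lxc-start will spawn a monitord on demand from within the lxc@ unit, which by 0007's own description makes systemd treat it as part of that unit's cgroup — the situation the split was meant to avoid. Unless the omission is deliberate (e.g. the packaging always enables the service), add `Requires=lxc-monitord.service` (or `Wants=` for a softer dependency) after the `Wants=lxc.service` line and adjust the diffstat accordingly.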
@@ -1,35 +0,0 @@ -From c1c1e55305a06786ee3dd938e421ca413db73dd1 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Wed, 6 Sep 2017 11:51:03 +0200 -Subject: [PATCH 09/10] network: add missing checks for empty links - -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/network.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/lxc/network.c b/src/lxc/network.c -index 3c0597c7..0ad42318 100644 ---- a/src/lxc/network.c -+++ b/src/lxc/network.c -@@ -2355,7 +2355,7 @@ bool lxc_delete_network_unpriv(struct lxc_handler *handler) - if (netdev->type != LXC_NET_VETH) - continue; - -- if (!is_ovs_bridge(netdev->link)) -+ if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) - continue; - - if (netdev->priv.veth_attr.pair[0] != '\0') -@@ -2564,7 +2564,7 @@ bool lxc_delete_network_priv(struct lxc_handler *handler) - } - INFO("Removed interface \"%s\" from \"%s\"", hostveth, netdev->link); - -- if (!is_ovs_bridge(netdev->link)) { -+ if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) { - netdev->priv.veth_attr.veth1[0] = '\0'; - continue; - } --- -2.11.0 - diff --git a/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch b/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch deleted file mode 100644 index 065a38b..0000000 --- a/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 19 Sep 2017 10:00:43 +0200 -Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits - -Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)" -introduced another sync step before the cgroup device -limits, but in order for cgroup namespace separation to work -these limits must be setup before creating the separation -directory, which means we need to move the unshare to after -setting up the limits. - -Fixup-for: separate the limiting from the namespaced cgroup root -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/start.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/lxc/start.c b/src/lxc/start.c -index 4fec27b9..7715f64f 100644 ---- a/src/lxc/start.c -+++ b/src/lxc/start.c -@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler) - goto out_delete_net; - } - -- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE)) -- goto out_delete_net; -- - if (!cgroup_setup_limits(handler, true)) { - ERROR("Failed to setup the devices cgroup for container \"%s\".", name); - goto out_delete_net; -@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler) - } - } - -+ if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE)) -+ goto out_delete_net; -+ - cgroup_disconnect(); - cgroups_connected = false; - --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index 1e860ae..3ff7181 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,10 +1,8 @@ 0001-lxc.service-start-after-a-potential-syslog.service.patch -0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch -0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch -0004-deny-rw-mounting-of-sys-and-proc.patch -0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch -0006-start-initutils-make-cgroupns-separation-level-confi.patch -0007-rename-cgroup-namespace-directory-to-ns.patch -0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch -0009-network-add-missing-checks-for-empty-links.patch -0010-start-unshare-cgroup-after-setting-up-device-limits.patch +0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch +0003-deny-rw-mounting-of-sys-and-proc.patch +0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch +0005-start-initutils-make-cgroupns-separation-level-confi.patch +0006-rename-cgroup-namespace-directory-to-ns.patch +0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch +0008-Make-lxc-.service-forking.patch diff --git a/lxc b/lxc new file mode 160000 index 0000000..31546ce --- /dev/null +++ b/lxc @@ -0,0 +1 @@ +Subproject commit 31546ced8a4cbed1455568934b59e3ba64bfcb63 diff --git a/lxc.tgz b/lxc.tgz deleted file mode 100644 index 2171b21..0000000 Binary files a/lxc.tgz and /dev/null differ