bump version to 2.1.1-1

And switch to using submodules. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2025-08-17 11:52:48 +00:00 · 2017-11-20 11:14:38 +01:00 · 2017-11-20 11:14:38 +01:00 · bc7e56ac99
commit bc7e56ac99
parent a80b7b9414
17 changed files with 138 additions and 235 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
 [submodule "lxc"]
 	path = lxc
 	url = ../mirror_lxc
--- a/37
+++ b/37
@ -1,9 +1,9 @@
 PACKAGE=lxc-pve
-LXCVER=2.1.0
+LXCVER=2.1.1
-DEBREL=2
+DEBREL=1
 SRCDIR=lxc
-SRCTAR=${SRCDIR}.tgz
+BUILDSRC := $(SRCDIR).tmp
 ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
 GITVERSION:=$(shell cat .git/refs/heads/master)
@ -16,24 +16,22 @@ DEBS=$(DEB1) $(DEB2)
 all: ${DEBS}
 	echo ${DEBS}
 .PHONY: submodule
 submodule:
 	test -f "${SRCDIR}/debian/changelog" || git submodule update --init
 .PHONY: deb
 deb: ${DEBS}
 $(DEB2): $(DEB1)
-$(DEB1): ${SRCTAR}
+$(DEB1): | submodule
-	rm -rf ${SRCDIR}
+	rm -f *.deb
-	tar xf ${SRCTAR}
+	rm -rf $(BUILDSRC)
-	cp -a debian ${SRCDIR}/debian
+	mkdir $(BUILDSRC)
-	echo "git clone git://git.proxmox.com/git/lxc.git\\ngit checkout ${GITVERSION}" >  ${SRCDIR}/debian/SOURCE
+	cp -a $(SRCDIR)/* $(BUILDSRC)/
-	cd ${SRCDIR}; dpkg-buildpackage -rfakeroot -b -us -uc
+	cp -a debian $(BUILDSRC)/debian
-	lintian ${DEBS}
+	echo "git clone git://git.proxmox.com/git/lxc.git\\ngit checkout $(GITVERSION)" > $(BUILDSRC)/debian/SOURCE
-
+	cd $(BUILDSRC); dpkg-buildpackage -rfakeroot -b -us -uc
-
+	lintian $(DEBS)
 .PHONY: download
 download ${SRCTAR}:
 	rm -rf ${SRCDIR} ${SRCTAR}
 	git clone -b lxc-${LXCVER} git://github.com/lxc/lxc
 	tar czf ${SRCTAR}.tmp ${SRCDIR}
 	mv ${SRCTAR}.tmp ${SRCTAR}
 .PHONY: upload
 upload: ${DEBS}
@ -43,8 +41,7 @@ distclean: clean
 .PHONY: clean
 clean:
-	rm -rf ${SRCDIR} ${SRCDIR}.tmp *_${ARCH}.deb *.changes *.dsc *.buildinfo
+	rm -rf $(BUILDSRC) *_${ARCH}.deb *.changes *.dsc *.buildinfo
 	find . -name '*~' -exec rm {} ';'
 .PHONY: dinstall
 dinstall: ${DEBS}
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
 lxc (2.1.1-1) unstable; urgency=medium
  * update to lxc-2.1.1
 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Nov 2017 11:18:38 +0100
 lxc (2.1.0-2) unstable; urgency=medium
  * update cgroup namespace separation for conflicting changes in 2.1.0
--- a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
+++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
@ -1,7 +1,7 @@
-From 674c54165393b3ad0059f4a5c5d1e1505eea9114 Mon Sep 17 00:00:00 2001
+From 92f2489b28e79f7a67f45bc698f1d61785a6537d Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH 01/10] lxc.service: start after a potential syslog.service
+Subject: [PATCH 1/8] lxc.service: start after a potential syslog.service
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
--- a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
+++ b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
@ -1,39 +0,0 @@
 From a5ee14df834c008294b790d96982a1fea36c807a Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:14:55 +0100
 Subject: [PATCH 02/10] jessie/systemd: remove Delegate flag to silence
 warnings
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
 config/init/systemd/lxc.service.in  | 1 -
 config/init/systemd/lxc@.service.in | 1 -
 2 files changed, 2 deletions(-)
 diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
 index 77541917..bdd58283 100644
 --- a/config/init/systemd/lxc.service.in
 +++ b/config/init/systemd/lxc.service.in
@@ -12,7 +12,6 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
 ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
 # Environment=BOOTUP=serial
 # Environment=CONSOLETYPE=serial
 -Delegate=yes
 StandardOutput=syslog
 StandardError=syslog
 diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
 index a2aa2211..98d5a3a7 100644
 --- a/config/init/systemd/lxc@.service.in
 +++ b/config/init/systemd/lxc@.service.in
@@ -13,7 +13,6 @@ ExecStart=@BINDIR@/lxc-start -F -n %i
 ExecStop=@BINDIR@/lxc-stop -n %i
 # Environment=BOOTUP=serial
 # Environment=CONSOLETYPE=serial
 -Delegate=yes
 StandardOutput=syslog
 StandardError=syslog
 -- 
 2.11.0
--- a/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch
+++ b/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch
@ -1,7 +1,7 @@
-From 84da55875d3a9468957fe0f0012ea2b39b9f7785 Mon Sep 17 00:00:00 2001
+From 6aecf604cf28c5164f3d957b0ad33bf03527fa26 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:15:37 +0100
-Subject: [PATCH 03/10] pve: run lxcnetaddbr when instantiating veths
+Subject: [PATCH 2/8] pve: run lxcnetaddbr when instantiating veths
 FIXME: Why aren't we using regular up-scripts?
@ -11,7 +11,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 1 file changed, 5 insertions(+)
 diff --git a/src/lxc/network.c b/src/lxc/network.c
-index a7f054e7..3c0597c7 100644
+index 909b7e58..c9b510f6 100644
 --- a/src/lxc/network.c
 +++ b/src/lxc/network.c
@@ -208,6 +208,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd
--- a/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch
+++ b/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch
@ -1,7 +1,7 @@
-From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001
+From 8c695baaff8d18a87233ffc119e8fd0495819dbe Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
 Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH 04/10] deny rw mounting of /sys and /proc
+Subject: [PATCH 3/8] deny rw mounting of /sys and /proc
 this would allow root in a privileged container to change
 the permissions of /sys on the host, which could lock out
@ -14,10 +14,10 @@ if a rw /sys is desired, set "lxc.mount.auto" accordingly
 2 files changed, 10 insertions(+), 2 deletions(-)
 diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
-index 06290de2..779aadd4 100644
+index a5e6c35f..4c3a4ba8 100644
 --- a/config/apparmor/abstractions/container-base
 +++ b/config/apparmor/abstractions/container-base
-@@ -84,7 +84,6 @@
+@@ -82,7 +82,6 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
@ -25,7 +25,7 @@ index 06290de2..779aadd4 100644
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -93,6 +92,11 @@
+@@ -91,6 +90,11 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
@ -38,10 +38,10 @@ index 06290de2..779aadd4 100644
   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
 #  mount options=(rw,make-slave) -> **,
 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
-index 5bc9b28b..5c8e441f 100644
+index 16529bbf..54f9ddf0 100644
 --- a/config/apparmor/abstractions/container-base.in
 +++ b/config/apparmor/abstractions/container-base.in
-@@ -84,7 +84,6 @@
+@@ -82,7 +82,6 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
@ -49,7 +49,7 @@ index 5bc9b28b..5c8e441f 100644
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -93,6 +92,11 @@
+@@ -91,6 +90,11 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
--- a/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
+++ b/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
@ -1,7 +1,7 @@
-From 9152a996a7413e1dc7dc3cb6c64af20cdf0389be Mon Sep 17 00:00:00 2001
+From 6ebdc24c00b4dee75aebef3136469a5297e1d9ee Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Tue, 15 Nov 2016 09:20:24 +0100
-Subject: [PATCH 05/10] separate the limiting from the namespaced cgroup root
+Subject: [PATCH 4/8] separate the limiting from the namespaced cgroup root
 When cgroup namespaces are enabled a privileged container
 with mixed cgroups has full write access to its own root
@ -22,8 +22,8 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 src/lxc/commands.c          | 76 ++++++++++++++++++++++++++++++++++---------
 src/lxc/commands.h          |  2 ++
 src/lxc/criu.c              |  4 +--
- src/lxc/start.c             | 21 ++++++++++--
+ src/lxc/start.c             | 27 ++++++++++++----
- 9 files changed, 201 insertions(+), 58 deletions(-)
+ 9 files changed, 204 insertions(+), 61 deletions(-)
 diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
 index bcbd6613..573ccb25 100644
@ -96,7 +96,7 @@ index bcbd6613..573ccb25 100644
 		return false;
 diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index fe3fd706..896e6da9 100644
+index 897336f0..81c589e0 100644
 --- a/src/lxc/cgroups/cgfsng.c
 +++ b/src/lxc/cgroups/cgfsng.c
@@ -77,6 +77,7 @@ struct hierarchy {
@ -115,7 +115,7 @@ index fe3fd706..896e6da9 100644
 	/* record if this is the cgroup v2 hierarchy */
 	if (!strcmp(base_cgroup, "cgroup2"))
-@@ -1300,6 +1302,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
+@@ -1302,6 +1304,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
 				free(h->fullcgpath);
 				h->fullcgpath = NULL;
 			}
@ -124,7 +124,7 @@ index fe3fd706..896e6da9 100644
 		}
 	}
-@@ -1317,18 +1321,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
+@@ -1319,18 +1323,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
 	return &cgfsng_ops;
 }
@ -156,7 +156,7 @@ index fe3fd706..896e6da9 100644
 }
 static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
-@@ -1339,11 +1350,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
+@@ -1341,11 +1352,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
 	h->fullcgpath = NULL;
 }
@ -185,7 +185,7 @@ index fe3fd706..896e6da9 100644
 {
 	int i;
 	size_t len;
-@@ -1355,9 +1382,15 @@ static inline bool cgfsng_create(void *hdata)
+@@ -1357,9 +1384,15 @@ static inline bool cgfsng_create(void *hdata)
 		return false;
 	if (d->container_cgroup) {
@ -201,7 +201,7 @@ index fe3fd706..896e6da9 100644
 	if (d->cgroup_meta.dir)
 		tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false);
-@@ -1393,7 +1426,7 @@ again:
+@@ -1395,7 +1428,7 @@ again:
 		}
 	}
 	for (i = 0; hierarchies[i]; i++) {
@ -210,7 +210,7 @@ index fe3fd706..896e6da9 100644
 			int j;
 			ERROR("Failed to create \"%s\"", hierarchies[i]->fullcgpath);
 			free(hierarchies[i]->fullcgpath);
-@@ -1413,7 +1446,7 @@ out_free:
+@@ -1415,7 +1448,7 @@ out_free:
 	return false;
 }
@ -219,7 +219,7 @@ index fe3fd706..896e6da9 100644
 {
 	char pidstr[25];
 	int i, len;
-@@ -1423,7 +1456,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1425,7 +1458,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
 		return false;
 	for (i = 0; hierarchies[i]; i++) {
@ -234,7 +234,7 @@ index fe3fd706..896e6da9 100644
 						"cgroup.procs", NULL);
 		if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) {
 			SYSERROR("Failed to enter %s", fullpath);
-@@ -1439,6 +1478,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1441,6 +1480,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
 struct chown_data {
 	struct cgfsng_handler_data *d;
 	uid_t origuid; /* target uid in parent namespace */
@ -242,7 +242,7 @@ index fe3fd706..896e6da9 100644
 };
 /*
-@@ -1467,13 +1507,20 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1469,13 +1509,20 @@ static int chown_cgroup_wrapper(void *data)
 	for (i = 0; hierarchies[i]; i++) {
 		char *fullpath, *path = hierarchies[i]->fullcgpath;
@ -263,7 +263,7 @@ index fe3fd706..896e6da9 100644
 			return -1;
 		}
-@@ -1499,12 +1546,14 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1501,12 +1548,14 @@ static int chown_cgroup_wrapper(void *data)
 		if (chmod(fullpath, 0664) < 0)
 			WARN("Error chmoding %s: %s", path, strerror(errno));
 		free(fullpath);
@ -279,7 +279,7 @@ index fe3fd706..896e6da9 100644
 {
 	struct cgfsng_handler_data *d = hdata;
 	struct chown_data wrap;
-@@ -1517,6 +1566,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
+@@ -1519,6 +1568,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
 	wrap.d = d;
 	wrap.origuid = geteuid();
@ -287,7 +287,7 @@ index fe3fd706..896e6da9 100644
 	if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap,
 			  "chown_cgroup_wrapper") < 0) {
-@@ -1813,12 +1863,15 @@ static bool cgfsng_unfreeze(void *hdata)
+@@ -1815,12 +1865,15 @@ static bool cgfsng_unfreeze(void *hdata)
 	return true;
 }
@ -304,7 +304,7 @@ index fe3fd706..896e6da9 100644
 	return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL;
 }
-@@ -1846,7 +1899,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
+@@ -1848,7 +1901,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
 		char *path, *fullpath;
 		struct hierarchy *h = hierarchies[i];
@ -623,7 +623,7 @@ index 28428c77..9557dcaa 100644
 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
 extern char *lxc_cmd_get_name(const char *hashed_sock);
 diff --git a/src/lxc/criu.c b/src/lxc/criu.c
-index 676d759d..1dd41473 100644
+index 96688edc..539ae8bd 100644
 --- a/src/lxc/criu.c
 +++ b/src/lxc/criu.c
@@ -324,7 +324,7 @@ static void exec_criu(struct criu_opts *opts)
@ -645,10 +645,10 @@ index 676d759d..1dd41473 100644
 		goto out_fini_handler;
 	}
 diff --git a/src/lxc/start.c b/src/lxc/start.c
-index 1370d681..b653a157 100644
+index a6a40c72..920f3c23 100644
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
-@@ -1196,7 +1196,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1217,7 +1217,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	cgroups_connected = true;
@ -657,7 +657,7 @@ index 1370d681..b653a157 100644
 		ERROR("Failed creating cgroups.");
 		goto out_delete_net;
 	}
-@@ -1275,10 +1275,10 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1292,10 +1292,10 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
@ -669,8 +669,17 @@ index 1370d681..b653a157 100644
 +	if (!cgroup_chown(handler, false))
 		goto out_delete_net;
- 	if (failed_before_rename)
+ 	handler->netnsfd = lxc_preserve_ns(handler->pid, "net");
-@@ -1333,6 +1333,21 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1338,15 +1338,30 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 -	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
 -		goto out_delete_net;
 -
 	if (!cgroup_setup_limits(handler, true)) {
 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
 		goto out_delete_net;
 	}
 	TRACE("Set up cgroup device limits");
@ -688,6 +697,9 @@ index 1370d681..b653a157 100644
 +			goto out_delete_net;
 +		}
 +	}
 +
 +	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
 +		goto out_delete_net;
 +
 	cgroup_disconnect();
 	cgroups_connected = false;
--- a/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch
+++ b/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch
@ -1,7 +1,7 @@
-From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001
+From ef58cfcf70fbe666acee0c407f77a22eeb1eec4f Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Wed, 16 Nov 2016 09:53:42 +0100
-Subject: [PATCH 06/10] start/initutils: make cgroupns separation level
+Subject: [PATCH 5/8] start/initutils: make cgroupns separation level
 configurable
 Adds a new global config variable `lxc.cgroup.separate`
@ -57,10 +57,10 @@ index c021fd61..443ad026 100644
 extern void lxc_setup_fs(void);
 extern const char *lxc_global_config_value(const char *option_name);
 diff --git a/src/lxc/start.c b/src/lxc/start.c
-index b653a157..4fec27b9 100644
+index 920f3c23..89e9be96 100644
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
-@@ -1334,17 +1334,20 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1345,17 +1345,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 	TRACE("Set up cgroup device limits");
 	if (cgns_supported()) {
--- a/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch
+++ b/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch
@ -1,7 +1,7 @@
-From d80258c750c52470389056c212a0eb5f0901dd7b Mon Sep 17 00:00:00 2001
+From 1341290e8af87aab15e844abb1a1451cb21ec275 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 23 Dec 2016 15:57:24 +0100
-Subject: [PATCH 07/10] rename cgroup namespace directory to ns
+Subject: [PATCH 6/8] rename cgroup namespace directory to ns
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
--- a/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
+++ b/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
@ -1,32 +1,21 @@
-From 9f5dc10171f3546530a326b8d427683109fd2818 Mon Sep 17 00:00:00 2001
+From 6811fb42be10c4eaf026be35914c546a95520b9e Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 10 Feb 2017 10:23:36 +0100
+Date: Mon, 20 Nov 2017 10:49:41 +0100
-Subject: [PATCH 08/10] possibility to run lxc-monitord as a regular daemon
+Subject: [PATCH 7/8] possibility to run lxc-monitord as a regular daemon
-This includes an lxc-monitord.service, required by
+lxc-monitord instances are spawned on demand and, if this
-lxc@.service which is now of Type=forking.
+happens from a service, the daemon is considered part of
-
+it by systemd, as it is running in the same cgroups. This
-Previously the init process' output was dumped into the log
+can be avoided by leaving it running permanently.
 files since the service used Type=simple and
 StandardOutput/Error=syslog. Using lxc-start's daemon mode
 on the other hand used a wait call spawning an lxc-monitord
 in the background which could potentially stick around
 forever if there were clients connected to it. Since it was
 considered part of the lxc@foo.service unit by systemd this
 also meant the unit was considered active until not only the
 container but also lxc-monitord exited.
 This is now corrected by creating a separate lxc-monitord
 unit which lxc@.service depends on.
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
 config/init/systemd/Makefile.am             | 10 +++--
 config/init/systemd/lxc-monitord.service.in | 12 ++++++
 config/init/systemd/lxc@.service.in         |  7 ++--
 configure.ac                                |  1 +
 lxc.spec.in                                 |  1 +
 src/lxc/lxc_monitord.c                      | 60 +++++++++++++++++++++--------
- 6 files changed, 67 insertions(+), 24 deletions(-)
+ 5 files changed, 63 insertions(+), 21 deletions(-)
 create mode 100644 config/init/systemd/lxc-monitord.service.in
 diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
@ -77,32 +66,8 @@ index 00000000..40635168
 +
 +[Install]
 +WantedBy=multi-user.target
 diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
 index 98d5a3a7..4ee90b21 100644
 --- a/config/init/systemd/lxc@.service.in
 +++ b/config/init/systemd/lxc@.service.in
@@ -1,15 +1,16 @@
 [Unit]
 Description=LXC Container: %i
 # This pulls in apparmor, dev-setup, lxc-net
 -After=lxc.service
 +After=lxc.service lxc-monitord.service
 Wants=lxc.service
 +Requires=lxc-monitord.service
 Documentation=man:lxc-start man:lxc
 [Service]
 -Type=simple
 +Type=forking
 KillMode=mixed
 TimeoutStopSec=120s
 -ExecStart=@BINDIR@/lxc-start -F -n %i
 +ExecStart=@BINDIR@/lxc-start -n %i
 ExecStop=@BINDIR@/lxc-stop -n %i
 # Environment=BOOTUP=serial
 # Environment=CONSOLETYPE=serial
 diff --git a/configure.ac b/configure.ac
-index 35fe7964..d34eda1e 100644
+index 5566d298..31822e58 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -709,6 +709,7 @@ AC_CONFIG_FILES([
--- a/debian/patches/0008-Make-lxc-.service-forking.patch
+++ b/debian/patches/0008-Make-lxc-.service-forking.patch
@ -0,0 +1,40 @@
 From 2001f560675efca7d6dcabe8fb8b376442d5d6d0 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Mon, 20 Nov 2017 10:51:36 +0100
 Subject: [PATCH 8/8] Make lxc@.service forking
 Previously the init process' output was dumped into the log
 files since the service used Type=simple and
 StandardOutput/Error=syslog.
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
 config/init/systemd/lxc@.service.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
 index a2aa2211..f312763c 100644
 --- a/config/init/systemd/lxc@.service.in
 +++ b/config/init/systemd/lxc@.service.in
@@ -1,15 +1,15 @@
 [Unit]
 Description=LXC Container: %i
 # This pulls in apparmor, dev-setup, lxc-net
 -After=lxc.service
 +After=lxc.service lxc-monitord.service
 Wants=lxc.service
 Documentation=man:lxc-start man:lxc
 [Service]
 -Type=simple
 +Type=forking
 KillMode=mixed
 TimeoutStopSec=120s
 -ExecStart=@BINDIR@/lxc-start -F -n %i
 +ExecStart=@BINDIR@/lxc-start -n %i
 ExecStop=@BINDIR@/lxc-stop -n %i
 # Environment=BOOTUP=serial
 # Environment=CONSOLETYPE=serial
 -- 
 2.11.0
--- a/debian/patches/0009-network-add-missing-checks-for-empty-links.patch
+++ b/debian/patches/0009-network-add-missing-checks-for-empty-links.patch
@ -1,35 +0,0 @@
 From c1c1e55305a06786ee3dd938e421ca413db73dd1 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Wed, 6 Sep 2017 11:51:03 +0200
 Subject: [PATCH 09/10] network: add missing checks for empty links
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
 src/lxc/network.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/lxc/network.c b/src/lxc/network.c
 index 3c0597c7..0ad42318 100644
 --- a/src/lxc/network.c
 +++ b/src/lxc/network.c
@@ -2355,7 +2355,7 @@ bool lxc_delete_network_unpriv(struct lxc_handler *handler)
 		if (netdev->type != LXC_NET_VETH)
 			continue;
 -		if (!is_ovs_bridge(netdev->link))
 +		if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link))
 			continue;
 		if (netdev->priv.veth_attr.pair[0] != '\0')
@@ -2564,7 +2564,7 @@ bool lxc_delete_network_priv(struct lxc_handler *handler)
 		}
 		INFO("Removed interface \"%s\" from \"%s\"", hostveth, netdev->link);
 -		if (!is_ovs_bridge(netdev->link)) {
 +		if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) {
 			netdev->priv.veth_attr.veth1[0] = '\0';
 			continue;
 		}
 -- 
 2.11.0
--- a/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch
+++ b/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch
@ -1,45 +0,0 @@
 From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Tue, 19 Sep 2017 10:00:43 +0200
 Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits
 Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
 introduced another sync step before the cgroup device
 limits, but in order for cgroup namespace separation to work
 these limits must be setup before creating the separation
 directory, which means we need to move the unshare to after
 setting up the limits.
 Fixup-for: separate the limiting from the namespaced cgroup root
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
 src/lxc/start.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/lxc/start.c b/src/lxc/start.c
 index 4fec27b9..7715f64f 100644
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 -	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
 -		goto out_delete_net;
 -
 	if (!cgroup_setup_limits(handler, true)) {
 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
 		goto out_delete_net;
@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
 		}
 	}
 +	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
 +		goto out_delete_net;
 +
 	cgroup_disconnect();
 	cgroups_connected = false;
 -- 
 2.11.0
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,10 +1,8 @@
 0001-lxc.service-start-after-a-potential-syslog.service.patch
-0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
+0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch
-0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
+0003-deny-rw-mounting-of-sys-and-proc.patch
-0004-deny-rw-mounting-of-sys-and-proc.patch
+0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
-0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
+0005-start-initutils-make-cgroupns-separation-level-confi.patch
-0006-start-initutils-make-cgroupns-separation-level-confi.patch
+0006-rename-cgroup-namespace-directory-to-ns.patch
-0007-rename-cgroup-namespace-directory-to-ns.patch
+0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
-0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
+0008-Make-lxc-.service-forking.patch
 0009-network-add-missing-checks-for-empty-links.patch
 0010-start-unshare-cgroup-after-setting-up-device-limits.patch
--- a/1
+++ b/1
@ -0,0 +1 @@
 Subproject commit 31546ced8a4cbed1455568934b59e3ba64bfcb63
--- a/lxc.tgz
+++ b/lxc.tgz
		`@ -0,0 +1 @@`
							`Subproject commit 31546ced8a4cbed1455568934b59e3ba64bfcb63`