commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
fixes the apparmor deny for mounting boot_id (used for example for identifying
different boots with `journalctl`) inside the container.
Tested by editing the profile and replacing it disregarding the cache:
`apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit fast-forwards 7 commits from upstream/master. The first commit
(partially) fixes a missing apparmor rule for /proc/sys/kernel/random/boot_id)
The last commit fixes running containers in pure cgroupv2 environments (by
premounting cgroup2).
It contains one other fix for a netlink bug, which I haven't seen in our
support channels, thus assume limited potential for regressions.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
We dropped some configuration aptches with lxc-4 which
pve-container needs to account for when writing a
container's /var/lib/lxc/$vmid/config file, so lxc-4 should
not be used with an older pve-container package.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
since the debhelper-generated default enabling should come before we
attempt to start/reload/restart it.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
otherwise this could fail posinst execution (and thus package
installation!) on systems coming from plain Debian, or where lxc.service
is masked.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
the previous patch removed some required lines from the
nesting profile part, this brings it closer to lxd plus the
additional read-only-bind-remount rule generation
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Merge: attach: always use getent
Commit message:
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
To avoid this, stick to always using getent.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Add a patch to add an ExecReload for lxc.service, and use
the new dh_installsystemd instead of the old
dh_systemd_start.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
* Revert "conf: remove extra MS_BIND with sysfs:mixed"
This should let privileged Ubuntu 14.04 containers boot
again.
* conf: use SYSERROR on lxc_write_to_file errors
Slightly more useful error output in a specific error
case.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
The default cgroup pattern was switched from lxc/%n to
lxc.payload/%n, so add a ./configure option to revert this
change as PVE expects containers in lxc/%n.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
