I opened a PR at lxc-upstream with these changes [0].
Testing in my hybrid layout environment fixes the issue with
privileged containers reported in the forum.
(Note that the issue also occurs with unprivileged containers, if they
have a `lxc.cgroup.devices.(allow|deny)` entry (which they don't in
our default config).)
[0] https://github.com/lxc/lxc/pull/3911
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
fixes the apparmor deny for mounting boot_id (used for example for identifying
different boots with `journalctl`) inside the container.
Tested by editing the profile and replacing it disregarding the cache:
`apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
The previous patch removed some required lines from the
nesting profile part; this brings it closer to lxd, plus the
additional read-only-bind-remount rule generation.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Merge: attach: always use getent
Commit message:
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
To avoid this, stick to always using getent.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
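The getent-based lookup the commit message above refers to, as an added shell example (not code from lxc's attach path or the Proxmox packaging): it resolves a user entry with getent(1) rather than an in-process getpwnam()/getpwent() call, so a misbehaving NSS plugin can only take down the getent child and not the caller, and it distinguishes getent's "key not found" exit status (2) from other failures. The function name lookup_user, the printed field order and the unknown user name are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from lxc or the Proxmox lxc packaging.
# Resolve a user entry via getent(1) instead of calling getpwnam()/getpwent()
# in-process: if an NSS plugin misbehaves, only the getent child dies.
# lookup_user NAME prints "UID GID HOME SHELL" and returns 0 on success,
# 2 when getent reports the key as not found (see getent(1)), and getent's
# own non-zero status for any other failure. Function name and output
# format are assumptions for this illustration.
lookup_user() {
    _entry=$(getent passwd "$1") || return $?
    # passwd(5) layout: name:passwd:uid:gid:gecos:home:shell.
    # read takes the first line should more than one NSS source match.
    IFS=: read -r _name _pw _uid _gid _gecos _home _shell <<EOF
$_entry
EOF
    printf '%s %s %s %s\n' "$_uid" "$_gid" "$_home" "$_shell"
}

# Demonstration: root resolves on any system; a name that does not exist
# (constructed here) yields status 2 rather than a crash or empty output.
lookup_user root
rc=0
lookup_user nosuchuser_lxc_example >/dev/null 2>&1 || rc=$?
echo "lookup of unknown user returned status $rc" >&2
```

The important property for an attach-style code path is the error handling: a non-zero status from getent is a clean, checkable failure, whereas the segfault described in the commit message leaves the calling process with no chance to report anything.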
Add a patch to add an ExecReload for lxc.service, and use
the new dh_installsystemd instead of the old
dh_systemd_start.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
* Revert "conf: remove extra MS_BIND with sysfs:mixed"
This should let privileged Ubuntu 14.04 containers boot
again.
* conf: use SYSERROR on lxc_write_to_file errors
Slightly more useful error output in a specific error
case.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
The default cgroup pattern was switched from lxc/%n to
lxc.payload/%n, so add a ./configure option to revert this
change as PVE expects containers in lxc/%n.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
* fix some memory leaks
* fix temp file creation
* fix rootfs pinning with NFS
* drop supplementary groups on attach
* fix gid=5 mount option on /dev/pts
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>