[pve-devel] [PATCH lxc 1/2] update upstream to 4.0.4 and rebase patches

Stoiko Ivanov s.ivanov at proxmox.com
Thu Sep 10 14:40:49 CEST 2020


Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 ...ning-lxc-monitord-as-a-system-daemon.patch |  4 +--
 ...roup.dir.-monitor-container-containe.patch |  8 +++---
 ....container.namespace-lxc.cgroup.cont.patch |  2 +-
 ...dd-and-document-cgroup_advanced_isol.patch | 14 +++++-----
 ...up.dir.-monitor-container-container..patch |  2 +-
 ...09-cgroups-adhere-to-boolean-return.patch} |  4 +--
 ...the-right-path-in-get_cgroup-command.patch | 25 ------------------
 ...rvice-start-after-a-potential-syslo.patch} |  0
 ...ig-deny-rw-mounting-of-sys-and-proc.patch} |  0
 ...PVE-Config-attach-always-use-getent.patch} |  8 +++---
 ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 -------------------
 debian/patches/series                         | 10 +++----
 lxc                                           |  2 +-
 13 files changed, 26 insertions(+), 79 deletions(-)
 rename debian/patches/pve/{0010-cgroups-adhere-to-boolean-return.patch => 0009-cgroups-adhere-to-boolean-return.patch} (90%)
 delete mode 100644 debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch
 rename debian/patches/pve/{0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch => 0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch} (100%)
 rename debian/patches/pve/{0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch => 0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch} (100%)
 rename debian/patches/pve/{0013-PVE-Config-attach-always-use-getent.patch => 0012-PVE-Config-attach-always-use-getent.patch} (89%)
 delete mode 100644 debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch

diff --git a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
index a2b423a..3889e1e 100644
--- a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
+++ b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
@@ -80,10 +80,10 @@ index 000000000..406351688
 +[Install]
 +WantedBy=multi-user.target
 diff --git a/configure.ac b/configure.ac
-index 059d57d38..c88a2f737 100644
+index f5e9e909e..5b224d2bc 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -837,6 +837,7 @@ AC_CONFIG_FILES([
+@@ -841,6 +841,7 @@ AC_CONFIG_FILES([
  	config/init/systemd/lxc.service
  	config/init/systemd/lxc at .service
  	config/init/systemd/lxc-net.service
diff --git a/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch b/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
index fcd5220..98b1aa3 100644
--- a/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
+++ b/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
@@ -29,7 +29,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
  4 files changed, 177 insertions(+), 2 deletions(-)
 
 diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index 3ed71c214..a9c87fe2a 100644
+index 3e0e55cee..4011f5734 100644
 --- a/doc/lxc.container.conf.sgml.in
 +++ b/doc/lxc.container.conf.sgml.in
 @@ -1571,6 +1571,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -87,7 +87,7 @@ index 3ed71c214..a9c87fe2a 100644
            <term>
              <option>lxc.cgroup.relative</option>
 diff --git a/src/lxc/commands.c b/src/lxc/commands.c
-index b6ae101fc..44714f9ba 100644
+index 3c1ca03a1..726d57ae0 100644
 --- a/src/lxc/commands.c
 +++ b/src/lxc/commands.c
 @@ -622,7 +622,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req,
@@ -110,10 +110,10 @@ index b6ae101fc..44714f9ba 100644
  
  static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 00789961c..4aafca3cb 100644
+index 25e58a06f..613bbffbb 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
-@@ -3750,6 +3750,9 @@ void lxc_conf_free(struct lxc_conf *conf)
+@@ -3758,6 +3758,9 @@ void lxc_conf_free(struct lxc_conf *conf)
  	lxc_clear_apparmor_raw(conf);
  	lxc_clear_namespace(conf);
  	free(conf->cgroup_meta.dir);
diff --git a/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch b/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
index e677343..efdf2bc 100644
--- a/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
+++ b/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
@@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index a9c87fe2a..338903d66 100644
+index 4011f5734..006dcad92 100644
 --- a/doc/lxc.container.conf.sgml.in
 +++ b/doc/lxc.container.conf.sgml.in
 @@ -1583,7 +1583,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
diff --git a/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch b/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
index 90d336c..b8b91a1 100644
--- a/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
+++ b/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
@@ -10,25 +10,25 @@ Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
  2 files changed, 5 insertions(+)
 
 diff --git a/doc/api-extensions.md b/doc/api-extensions.md
-index 5767583af..e8b5eb089 100644
+index f2a28239b..f815e8362 100644
 --- a/doc/api-extensions.md
 +++ b/doc/api-extensions.md
-@@ -118,3 +118,7 @@ This adds a new API function `init_pidfd()` which allows to retrieve a pidfd for
- ## pidfd
+@@ -122,3 +122,7 @@ When running on kernels that support pidfds LXC will rely on them for most opera
+ ## seccomp\_allow\_deny\_syntax
  
- When running on kernels that support pidfds LXC will rely on them for most operations. This makes interacting with containers not just more reliable it also makes it significantly safer and eliminates various races inherent to PID-based kernel APIs. LXC will require that the running kernel at least support `pidfd_send_signal()`, `CLONE_PIDFD`, `P_PIDFD`, and pidfd polling support. Any kernel starting with `Linux 5.4` should have full support for pidfds.
+ This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
 +
 +## cgroup\_advanced\_isolation
 +
 +Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
 diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
-index 3afdc35b9..b69467f26 100644
+index ef2b14085..b930c9cd5 100644
 --- a/src/lxc/api_extensions.h
 +++ b/src/lxc/api_extensions.h
-@@ -39,6 +39,7 @@ static char *api_extensions[] = {
- #endif
+@@ -40,6 +40,7 @@ static char *api_extensions[] = {
  	"cgroup2",
  	"pidfd",
+ 	"seccomp_allow_deny_syntax",
 +	"cgroup_advanced_isolation",
  };
  
diff --git a/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch b/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
index 263adbd..afc5cb8 100644
--- a/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
+++ b/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
@@ -12,7 +12,7 @@ Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
  1 file changed, 57 insertions(+)
 
 diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
-index 38b623243..7a65e3fe4 100644
+index fd6fb18e3..2c77d4ea3 100644
 --- a/doc/ja/lxc.container.conf.sgml.in
 +++ b/doc/ja/lxc.container.conf.sgml.in
 @@ -2099,6 +2099,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
diff --git a/debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch b/debian/patches/pve/0009-cgroups-adhere-to-boolean-return.patch
similarity index 90%
rename from debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch
rename to debian/patches/pve/0009-cgroups-adhere-to-boolean-return.patch
index 5bf3fe2..e650dc1 100644
--- a/debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch
+++ b/debian/patches/pve/0009-cgroups-adhere-to-boolean-return.patch
@@ -9,10 +9,10 @@ Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
  1 file changed, 3 insertions(+), 5 deletions(-)
 
 diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 603940683..6c64c996c 100644
+index 12646f21f..8d9e3d511 100644
 --- a/src/lxc/cgroups/cgfsng.c
 +++ b/src/lxc/cgroups/cgfsng.c
-@@ -1196,11 +1196,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
+@@ -1195,11 +1195,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
  		 * line, which is not possible once a subdirectory has been
  		 * created.
  		 */
diff --git a/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch b/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch
deleted file mode 100644
index e41735b..0000000
--- a/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller at proxmox.com>
-Date: Sun, 5 Apr 2020 16:12:45 +0200
-Subject: [PATCH] get the right path in get_cgroup command
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
----
- src/lxc/commands.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lxc/commands.c b/src/lxc/commands.c
-index 44714f9ba..d735b5ff6 100644
---- a/src/lxc/commands.c
-+++ b/src/lxc/commands.c
-@@ -592,8 +592,8 @@ static int lxc_cmd_get_cgroup_callback_do(int fd, struct lxc_cmd_req *req,
- 		reqdata = NULL;
- 	}
- 
--	get_fn = (limiting_cgroup ? cgroup_ops->get_cgroup
--				  : cgroup_ops->get_limiting_cgroup);
-+	get_fn = (limiting_cgroup ? cgroup_ops->get_limiting_cgroup
-+				  : cgroup_ops->get_cgroup);
- 
- 	path = get_fn(cgroup_ops, reqdata);
- 
diff --git a/debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch b/debian/patches/pve/0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
similarity index 100%
rename from debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
rename to debian/patches/pve/0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
diff --git a/debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
similarity index 100%
rename from debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
rename to debian/patches/pve/0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
diff --git a/debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0012-PVE-Config-attach-always-use-getent.patch
similarity index 89%
rename from debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch
rename to debian/patches/pve/0012-PVE-Config-attach-always-use-getent.patch
index 073eacd..a9f9346 100644
--- a/debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch
+++ b/debian/patches/pve/0012-PVE-Config-attach-always-use-getent.patch
@@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
  1 file changed, 2 insertions(+), 26 deletions(-)
 
 diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index 38e16f2d1..34d64c196 100644
+index ad25aada9..816b0325b 100644
 --- a/src/lxc/attach.c
 +++ b/src/lxc/attach.c
-@@ -1452,12 +1452,8 @@ int lxc_attach_run_command(void *payload)
+@@ -1453,12 +1453,8 @@ int lxc_attach_run_command(void *payload)
  
  int lxc_attach_run_shell(void* payload)
  {
@@ -29,7 +29,7 @@ index 38e16f2d1..34d64c196 100644
  	int ret;
  
  	/* Ignore payload parameter. */
-@@ -1465,32 +1461,13 @@ int lxc_attach_run_shell(void* payload)
+@@ -1466,32 +1462,13 @@ int lxc_attach_run_shell(void* payload)
  
  	uid = getuid();
  
@@ -63,7 +63,7 @@ index 38e16f2d1..34d64c196 100644
  	if (user_shell)
  		execlp(user_shell, user_shell, (char *)NULL);
  
-@@ -1500,8 +1477,7 @@ int lxc_attach_run_shell(void* payload)
+@@ -1501,8 +1478,7 @@ int lxc_attach_run_shell(void* payload)
  	execlp("/bin/sh", "/bin/sh", (char *)NULL);
  
  	SYSERROR("Failed to execute shell");
diff --git a/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch
deleted file mode 100644
index ee49687..0000000
--- a/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stoiko Ivanov <s.ivanov at proxmox.com>
-Date: Wed, 22 Jul 2020 12:17:24 +0200
-Subject: [PATCH] apparmor: Allow ro remount of boot_id
-
-The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
-necessary mount calls for /proc/sys/kernel/random/boot_id
-(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
-
-Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
----
- config/apparmor/abstractions/start-container.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
-index 9998f1121..9f64c2727 100644
---- a/config/apparmor/abstractions/start-container.in
-+++ b/config/apparmor/abstractions/start-container.in
-@@ -22,6 +22,7 @@
-   mount -> /var/lib/lxc/{**,},
- 
-   mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
-+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
- 
-   # required for some pre-mount hooks
-   mount fstype=overlayfs,
diff --git a/debian/patches/series b/debian/patches/series
index 4d02a7e..708b74f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,9 +6,7 @@ pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch
 pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
 pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
 pve/0008-confile-fix-jump-table-order.patch
-pve/0009-get-the-right-path-in-get_cgroup-command.patch
-pve/0010-cgroups-adhere-to-boolean-return.patch
-pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
-pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
-pve/0013-PVE-Config-attach-always-use-getent.patch
-pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch
+pve/0009-cgroups-adhere-to-boolean-return.patch
+pve/0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
+pve/0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
+pve/0012-PVE-Config-attach-always-use-getent.patch
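Review bot: The removal of `pve/0009-get-the-right-path-in-get_cgroup-command.patch` and `pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch` from the series is not explained anywhere in the commit message, which carries only the Signed-off-by trailer. Both patch files are deleted in this same commit, presumably because upstream 4.0.4 already contains the `get_fn` selection fix in src/lxc/commands.c and the `mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id` AppArmor rule; if either is missing upstream, containers would query the wrong cgroup path or fail the read-only boot_id remount at start, so that is worth confirming against the new submodule commit before merging. A short statement in the commit message such as `drop 0009 and 0014: both merged upstream in 4.0.4` would record the rationale for the next rebase.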
diff --git a/lxc b/lxc
index 6dc1208..531e012 160000
--- a/lxc
+++ b/lxc
@@ -1 +1 @@
-Subproject commit 6dc1208ded87c9b3db70aa43cca61857e0d19428
+Subproject commit 531e0128036542fb959b05eceec78e52deefafe0
-- 
2.20.1





