From 674c54165393b3ad0059f4a5c5d1e1505eea9114 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH 1/9] lxc.service: start after a potential syslog.service
+Subject: [PATCH 01/10] lxc.service: start after a potential syslog.service
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
From a5ee14df834c008294b790d96982a1fea36c807a Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:14:55 +0100
-Subject: [PATCH 2/9] jessie/systemd: remove Delegate flag to silence warnings
+Subject: [PATCH 02/10] jessie/systemd: remove Delegate flag to silence
+ warnings
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
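Review bot: the renumbered `+Subject:` header for patch 02 is now folded across two lines ("silence" / " warnings") because the longer "[PATCH 02/10]" prefix pushed it past the wrap width. That is ordinary RFC 5322 header folding as emitted by git format-patch, and git am / git mailinfo unfold it, so the patch still applies with the full subject; the only thing to watch is that the continuation line keeps its leading space if the file is ever hand-edited, otherwise the subject is truncated at "silence".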
From 84da55875d3a9468957fe0f0012ea2b39b9f7785 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:15:37 +0100
-Subject: [PATCH 3/9] pve: run lxcnetaddbr when instantiating veths
+Subject: [PATCH 03/10] pve: run lxcnetaddbr when instantiating veths
FIXME: Why aren't we using regular up-scripts?
From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH 4/9] deny rw mounting of /sys and /proc
+Subject: [PATCH 04/10] deny rw mounting of /sys and /proc
this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out
From 9152a996a7413e1dc7dc3cb6c64af20cdf0389be Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 15 Nov 2016 09:20:24 +0100
-Subject: [PATCH 5/9] separate the limiting from the namespaced cgroup root
+Subject: [PATCH 05/10] separate the limiting from the namespaced cgroup root
When cgroup namespaces are enabled a privileged container
with mixed cgroups has full write access to its own root
From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
-Subject: [PATCH 6/9] start/initutils: make cgroupns separation level
+Subject: [PATCH 06/10] start/initutils: make cgroupns separation level
configurable
Adds a new global config variable `lxc.cgroup.separate`
From d80258c750c52470389056c212a0eb5f0901dd7b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 23 Dec 2016 15:57:24 +0100
-Subject: [PATCH 7/9] rename cgroup namespace directory to ns
+Subject: [PATCH 07/10] rename cgroup namespace directory to ns
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
From 9f5dc10171f3546530a326b8d427683109fd2818 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 10:23:36 +0100
-Subject: [PATCH 8/9] possibility to run lxc-monitord as a regular daemon
+Subject: [PATCH 08/10] possibility to run lxc-monitord as a regular daemon
This includes an lxc-monitord.service, required by
lxc@.service which is now of Type=forking.
From c1c1e55305a06786ee3dd938e421ca413db73dd1 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 6 Sep 2017 11:51:03 +0200
-Subject: [PATCH 9/9] network: add missing checks for empty links
+Subject: [PATCH 09/10] network: add missing checks for empty links
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
--- /dev/null
+From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 19 Sep 2017 10:00:43 +0200
+Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits
+
+Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
+introduced another sync step before the cgroup device
+limits, but in order for cgroup namespace separation to work
+these limits must be setup before creating the separation
+directory, which means we need to move the unshare to after
+setting up the limits.
+
+Fixup-for: separate the limiting from the namespaced cgroup root
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/start.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 4fec27b9..7715f64f 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
+ goto out_delete_net;
+ }
+
+- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+- goto out_delete_net;
+-
+ if (!cgroup_setup_limits(handler, true)) {
+ ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
+ goto out_delete_net;
+@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
+ }
+ }
+
++ if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
++ goto out_delete_net;
++
+ cgroup_disconnect();
+ cgroups_connected = false;
+
+--
+2.11.0
+
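Review bot: the hunks move the child side of the LXC_SYNC_CGROUP_UNSHARE barrier from before `cgroup_setup_limits(handler, true)` to just before `cgroup_disconnect()`, but only the child half of the handshake is visible here; the parent's matching wait for that sync state has to stay in the same relative order with the steps the parent performs between the device limits and the unshare, or the two sides will block on each other. Please confirm the parent side of lxc_spawn (not in this diff) still pairs with the moved call, and say so in the commit message. The ordering itself is the right one for the goal stated in 05/10 above (a privileged container has full write access to its own cgroup root), since limits written into the container's root only after the separation directory exists would be reachable from inside; with this change the devices cgroup is populated first and the separation happens afterwards. Minor: the quoted title in the message, `Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"`, is missing its closing parenthesis.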
0007-rename-cgroup-namespace-directory-to-ns.patch
0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
0009-network-add-missing-checks-for-empty-links.patch
+0010-start-unshare-cgroup-after-setting-up-device-limits.patch
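Review bot: the series file only appends 0010 while the nine existing files keep their names and just get their "[PATCH NN/10]" counters bumped, which is consistent with the per-file changes above. Since 0010 is marked "Fixup-for: separate the limiting from the namespaced cgroup root" (05/10) and relocates the barrier that 05 depends on, consider folding it into 05 on the next rebase, or at least mentioning in 05's header that 10 supersedes its barrier placement, so that applying the series only partway does not leave the limits/unshare order in the broken intermediate state.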