From 87c39e902ae7ca576ad3b9a1e24ab523425ba18c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Thu, 2 Dec 2021 10:32:22 +0100 Subject: [PATCH] update patches for lxc-4.0.11 Signed-off-by: Wolfgang Bumiller --- ...ning-lxc-monitord-as-a-system-daemon.patch | 55 +++------- ...roup.dir.-monitor-container-containe.patch | 17 +-- ....container.namespace-lxc.cgroup.cont.patch | 8 +- ...tyle-fixes-for-set_config_cgroup_con.patch | 6 +- ...dd-and-document-cgroup_advanced_isol.patch | 13 +-- ...up.dir.-monitor-container-container..patch | 8 +- ...ervice-start-after-a-potential-syslo.patch | 2 +- ...fig-deny-rw-mounting-of-sys-and-proc.patch | 2 +- ...-PVE-Config-attach-always-use-getent.patch | 14 +-- ...tils-use-vfork-in-lxc_container_init.patch | 30 ++++++ ...nf-userns.conf-include-userns.conf.d.patch | 21 ---- ...ow-including-nonexisting-directories.patch | 36 ------- ...-use-2-sysfs-instances-for-sys-mixed.patch | 76 +++++++++++++ ...populate-hierarchy-for-device-cgroup.patch | 102 ------------------ ...nneeded-variables-from-cgroup_tree_c.patch | 65 ----------- debian/patches/series | 6 +- 16 files changed, 158 insertions(+), 303 deletions(-) create mode 100644 debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch delete mode 100644 debian/patches/pve/0010-conf-userns.conf-include-userns.conf.d.patch delete mode 100644 debian/patches/pve/0011-confile-allow-including-nonexisting-directories.patch create mode 100644 debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch delete mode 100644 debian/patches/pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch delete mode 100644 debian/patches/pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch diff --git a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch index 813b291..9c9bf3f 100644 
--- a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch +++ b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 31 Mar 2020 15:22:42 +0200 -Subject: [PATCH] allow running lxc-monitord as a system daemon +Subject: [PATCH lxc] allow running lxc-monitord as a system daemon lxc-monitord instances are spawned on demand and, if this happens from a service, the daemon is considered part of @@ -11,17 +11,17 @@ can be avoided by leaving it running permanently. Signed-off-by: Wolfgang Bumiller --- .gitignore | 1 + - config/init/systemd/Makefile.am | 10 +++--- + config/init/systemd/Makefile.am | 10 +++++---- configure.ac | 1 + lxc.spec.in | 1 + - src/lxc/cmd/lxc_monitord.c | 60 +++++++++++++++++++++++---------- - 5 files changed, 52 insertions(+), 21 deletions(-) + src/lxc/cmd/lxc_monitord.c | 40 ++++++++++++++++++++++++++------- + 5 files changed, 41 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore -index 3cff48d96..44345454f 100644 +index 5070196cc..9f34f9b1e 100644 --- a/.gitignore +++ b/.gitignore -@@ -120,6 +120,7 @@ config/bash/lxc +@@ -124,6 +124,7 @@ config/bash/lxc config/init/common/lxc-containers config/init/common/lxc-net config/init/systemd/lxc-autostart-helper @@ -60,10 +60,10 @@ index c448850d1..4a4fde5e7 100644 pkglibexec_SCRIPTS = lxc-apparmor-load diff --git a/configure.ac b/configure.ac -index e30ea6f6e..16c5ab8c4 100644 +index e3a0c70bd..2bbf5dd4d 100644 --- a/configure.ac +++ b/configure.ac -@@ -913,6 +913,7 @@ AC_CONFIG_FILES([ +@@ -909,6 +909,7 @@ AC_CONFIG_FILES([ config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service @@ -72,10 +72,10 @@ index e30ea6f6e..16c5ab8c4 100644 config/init/sysvinit/lxc-containers config/init/sysvinit/lxc-net 
diff --git a/lxc.spec.in b/lxc.spec.in -index ec6321c33..ea6789fb6 100644 +index a7ce2601c..7ed9685bd 100644 --- a/lxc.spec.in +++ b/lxc.spec.in -@@ -251,6 +251,7 @@ fi +@@ -255,6 +255,7 @@ fi %{_unitdir}/lxc-net.service %{_unitdir}/lxc.service %{_unitdir}/lxc@.service @@ -84,10 +84,10 @@ index ec6321c33..ea6789fb6 100644 %{_sysconfdir}/rc.d/init.d/lxc %{_sysconfdir}/rc.d/init.d/lxc-net diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c -index bcb289ca6..da7db2820 100644 +index 2b0895fc6..997d11217 100644 --- a/src/lxc/cmd/lxc_monitord.c +++ b/src/lxc/cmd/lxc_monitord.c -@@ -338,17 +338,44 @@ static void lxc_monitord_sig_handler(int sig) +@@ -327,17 +327,44 @@ static void lxc_monitord_sig_handler(int sig) int main(int argc, char *argv[]) { @@ -136,7 +136,7 @@ index bcb289ca6..da7db2820 100644 "NOTE: lxc-monitord is intended for use by lxc internally\n" " and does not need to be run by hand\n\n"); exit(EXIT_FAILURE); -@@ -371,9 +398,6 @@ int main(int argc, char *argv[]) +@@ -360,9 +387,6 @@ int main(int argc, char *argv[]) INFO("Failed to open log file %s, log will be lost", lxcpath); lxc_log_options_no_override(); 
@@ -146,34 +146,7 @@ index bcb289ca6..da7db2820 100644 if (sigfillset(&mask) || sigdelset(&mask, SIGILL) || sigdelset(&mask, SIGSEGV) || -@@ -406,15 +430,17 @@ int main(int argc, char *argv[]) - goto on_error; - monitord_created = true; - -- /* sync with parent, we're ignoring the return from write -- * because regardless if it works or not, the following -- * close will sync us with the parent process. the -- * if-empty-statement construct is to quiet the -- * warn-unused-result warning. -- */ -- if (lxc_write_nointr(pipefd, "S", 1)) -- ; -- close(pipefd); -+ if (pipefd != -1) { -+ /* sync with parent, we're ignoring the return from write -+ * because regardless if it works or not, the following -+ * close will sync us with the parent process. the -+ * if-empty-statement construct is to quiet the -+ * warn-unused-result warning. -+ */ -+ if (lxc_write_nointr(pipefd, "S", 1)) -+ ; -+ close(pipefd); -+ } - - if (lxc_monitord_mainloop_add(&monitor)) { - ERROR("Failed to add mainloop handlers"); -@@ -425,7 +451,7 @@ int main(int argc, char *argv[]) +@@ -417,7 +441,7 @@ int main(int argc, char *argv[]) lxc_raw_getpid(), monitor.lxcpath); for (;;) { diff --git a/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch b/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch index 07b64fe..ce45035 100644 --- a/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch +++ b/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch @@ -1,7 +1,8 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Thu, 2 Apr 2020 10:01:37 +0200 -Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner} +Subject: [PATCH lxc] introduce + lxc.cgroup.dir.{monitor,container,container.inner} This is a new approach to #1302 with a container-side configuration instead of a global boolean flag. @@ -28,10 +29,10 @@ 
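Review bot: The inner hunk that wrapped the parent-sync write in `if (pipefd != -1) { ... }` is dropped from this patch (the removed `-@@ -406,15 +430,17 @@` block), and nothing in the commit says whether lxc 4.0.11's lxc-monitord main() now tolerates running without a sync pipe on its own. If main() still calls `lxc_write_nointr(pipefd, "S", 1)` and `close(pipefd)` unconditionally, the permanent-daemon mode this patch introduces would reach both with pipefd == -1; that only yields EBADF, but it is the very path the patch exists for, so the patch body should say why the guard went away, e.g. `The pipefd guard is no longer needed because 4.0.11 only writes the sync byte when a pipe fd was passed.` if that is indeed the case. The rest of main() is outside the hunk, so this is inferred from the lxc_monitord.c diffstat shrinking from 60 to 40 changed lines.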
Signed-off-by: Thomas Lamprecht 2 files changed, 171 insertions(+) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index e089fa61d..595cb3972 100644 +index 6c9271130..3bf62f082 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in -@@ -1757,6 +1757,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +@@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA @@ -86,7 +87,7 @@ index e089fa61d..595cb3972 100644 diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index 37c38fe1e..daf8ee474 100644 +index 213688060..23ed7837c 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -67,6 +67,9 @@ lxc_config_define(cap_keep); @@ -99,7 +100,7 @@ index 37c38fe1e..daf8ee474 100644 lxc_config_define(cgroup_relative); lxc_config_define(console_buffer_size); lxc_config_define(console_logfile); -@@ -185,6 +188,9 @@ static struct lxc_config_t config_jump_table[] = { +@@ -187,6 +190,9 @@ static struct lxc_config_t config_jump_table[] = { { "lxc.cap.drop", true, set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, }, { "lxc.cap.keep", true, set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, }, { "lxc.cgroup2", false, set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, }, 
@@ -109,7 +110,7 @@ index 37c38fe1e..daf8ee474 100644 { "lxc.cgroup.dir", true, set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, }, { "lxc.cgroup.relative", true, set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, }, { "lxc.cgroup", false, set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, }, -@@ -1795,6 +1801,48 @@ static int set_config_cgroup_dir(const char *key, const char *value, +@@ -1840,6 +1846,48 @@ static int set_config_cgroup_dir(const char *key, const char *value, return set_config_path_item(&lxc_conf->cgroup_meta.dir, value); } @@ -158,7 +159,7 @@ index 37c38fe1e..daf8ee474 100644 static int set_config_cgroup_relative(const char *key, const char *value, struct lxc_conf *lxc_conf, void *data) { -@@ -3654,6 +3702,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen, +@@ -3707,6 +3755,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen, return fulllen; } @@ -217,7 +218,7 @@ index 37c38fe1e..daf8ee474 100644 static inline int get_config_cgroup_relative(const char *key, char *retv, int inlen, struct lxc_conf *lxc_conf, void *data) -@@ -4491,6 +4591,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, +@@ -4568,6 +4668,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, return 0; } diff --git a/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch b/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch index 38ca69b..5a1cb84 100644 --- a/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch +++ b/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Christian Brauner Date: Fri, 3 Apr 2020 20:08:41 +0200 -Subject: [PATCH] doc: +Subject: [PATCH lxc] doc: s/lxc.cgroup.container.namespace/lxc.cgroup.container.inner/g Signed-off-by: Christian Brauner @@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index 595cb3972..18bf36aaf 100644 +index 3bf62f082..490793ddb 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in -@@ -1769,7 +1769,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +@@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA exclusive with . Note that the final path the container attaches to may be extended further by the @@ -22,7 +22,7 @@ index 595cb3972..18bf36aaf 100644 -@@ -1786,7 +1786,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +@@ -1830,7 +1830,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA diff --git a/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch b/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch index 1c99e4e..eb006bc 100644 --- a/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch +++ b/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Fri, 3 Apr 2020 20:10:58 +0200 -Subject: [PATCH] confile: coding style fixes for +Subject: [PATCH lxc] confile: coding style fixes for set_config_cgroup_container_inner_dir() Signed-off-by: Christian Brauner @@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner 1 file changed, 3 insertions(+), 8 deletions(-) 
diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index daf8ee474..ae6e72c22 100644 +index 23ed7837c..c7e7887f3 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c -@@ -1828,19 +1828,14 @@ static int set_config_cgroup_container_inner_dir(const char *key, +@@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key, void *data) { if (lxc_config_value_empty(value)) diff --git a/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch b/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch index 97f3b07..2dda02c 100644 --- a/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch +++ b/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch @@ -1,7 +1,8 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 4 Apr 2020 12:07:43 +0200 -Subject: [PATCH] api-extensions: add and document cgroup_advanced_isolation +Subject: [PATCH lxc] api-extensions: add and document + cgroup_advanced_isolation Signed-off-by: Christian Brauner --- @@ -10,7 +11,7 @@ Signed-off-by: Christian Brauner 2 files changed, 5 insertions(+) diff --git a/doc/api-extensions.md b/doc/api-extensions.md -index ff0df50ef..13ba41a62 100644 +index cdf82f937..6f9e1621d 100644 --- a/doc/api-extensions.md +++ b/doc/api-extensions.md @@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container. @@ -23,9 +24,9 @@ index ff0df50ef..13ba41a62 100644 + ## idmapped\_mounts - Whether this LXC instance can handle idmapped mounts. + Whether this LXC instance can handle idmapped mounts for the rootfs. diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h -index 06a4130ba..6653c7299 100644 +index c2509207d..ae71ff18e 100644 --- a/src/lxc/api_extensions.h +++ b/src/lxc/api_extensions.h @@ -41,6 +41,7 @@ static char *api_extensions[] = { 
@@ -34,5 +35,5 @@ index 06a4130ba..6653c7299 100644 "seccomp_proxy_send_notify_fd", + "cgroup_advanced_isolation", "idmapped_mounts", - }; - + "idmapped_mounts_v2", + "core_scheduling", diff --git a/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch b/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch index afc5cb8..2f52781 100644 --- a/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch +++ b/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch @@ -1,8 +1,8 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Sun, 5 Apr 2020 21:18:59 +0900 -Subject: [PATCH] doc: Add lxc.cgroup.dir.{monitor,container,container.inner} - to Japanese man +Subject: [PATCH lxc] doc: Add + lxc.cgroup.dir.{monitor,container,container.inner} to Japanese man Update for commit a900cba @@ -12,10 +12,10 @@ Signed-off-by: KATOH Yasufumi 1 file changed, 57 insertions(+) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in -index fd6fb18e3..2c77d4ea3 100644 +index 05ae2f441..9ad6627ab 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in -@@ -2099,6 +2099,63 @@ by KATOH Yasufumi +@@ -2389,6 +2389,63 @@ by KATOH Yasufumi diff --git a/debian/patches/pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch b/debian/patches/pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch index 694a656..09e74ff 100644 --- a/debian/patches/pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch +++ b/debian/patches/pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:13:40 +0100 -Subject: [PATCH] PVE: [Config] lxc.service: start after a potential +Subject: [PATCH lxc] PVE: [Config] lxc.service: start after a potential syslog.service We could add this as a snippet from pve-container instead. diff --git a/debian/patches/pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch index ea82472..cdcfaad 100644 --- a/debian/patches/pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Nov 2016 09:14:26 +0100 -Subject: [PATCH] PVE: [Config] deny rw mounting of /sys and /proc +Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc Note that we don't actually make use of this anymore, since we switched to the generated profiles which already do this. diff --git a/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch index a9d3eee..0bbc2a4 100644 --- a/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch +++ b/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 13 Aug 2019 13:57:22 +0200 -Subject: [PATCH] PVE: [Config] attach: always use getent +Subject: [PATCH lxc] PVE: [Config] attach: always use getent In debian buster, some libnss plugins (if installed) can cause getpwent to segfault instead of erroring out cleanly. @@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c -index 97eff7f8e..01bd56f45 100644 +index cd526ab6b..845270ee5 100644 
--- a/src/lxc/attach.c +++ b/src/lxc/attach.c -@@ -1810,12 +1810,8 @@ int lxc_attach_run_command(void *payload) +@@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload) int lxc_attach_run_shell(void* payload) { @@ -25,16 +25,16 @@ index 97eff7f8e..01bd56f45 100644 - struct passwd pwent; - struct passwd *pwentp = NULL; char *user_shell; -- size_t bufsize; +- ssize_t bufsize; int ret; /* Ignore payload parameter. */ -@@ -1823,32 +1819,13 @@ int lxc_attach_run_shell(void* payload) +@@ -1854,32 +1850,13 @@ int lxc_attach_run_shell(void* payload) uid = getuid(); - bufsize = sysconf(_SC_GETPW_R_SIZE_MAX); -- if (bufsize == -1) +- if (bufsize < 0) - bufsize = 1024; - - buf = malloc(bufsize); @@ -63,7 +63,7 @@ index 97eff7f8e..01bd56f45 100644 if (user_shell) execlp(user_shell, user_shell, (char *)NULL); -@@ -1858,8 +1835,7 @@ int lxc_attach_run_shell(void* payload) +@@ -1889,8 +1866,7 @@ int lxc_attach_run_shell(void* payload) execlp("/bin/sh", "/bin/sh", (char *)NULL); SYSERROR("Failed to execute shell"); diff --git a/debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch b/debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch new file mode 100644 index 0000000..3a5315f --- /dev/null +++ b/debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch 
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Sat, 13 Nov 2021 18:20:13 +0100
+Subject: [PATCH lxc] Revert "initutils: use vfork() in lxc_container_init()"
+
+This reverts commit d65e5e492f740bbb50e3005f97420c3ddae3d595.
+
+With vfork the child process modifies the parent's memory,
+so the calls to `signal`, `fprintf` and regular `exit` may
+be dangerous and might cause conflicting states in the
+parent.
+
+Signed-off-by: Wolfgang Bumiller
+---
+ src/lxc/initutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
+index 24baecc88..72278c1f1 100644
+--- a/src/lxc/initutils.c
++++ b/src/lxc/initutils.c
+@@ -551,7 +551,7 @@ __noreturn int lxc_container_init(int argc, char *const *argv, bool quiet)
+
+ remove_self();
+
+- pid = vfork();
++ pid = fork();
+ if (pid < 0)
+ exit(EXIT_FAILURE);
+
diff --git a/debian/patches/pve/0010-conf-userns.conf-include-userns.conf.d.patch b/debian/patches/pve/0010-conf-userns.conf-include-userns.conf.d.patch
deleted file mode 100644
index f752140..0000000
--- a/debian/patches/pve/0010-conf-userns.conf-include-userns.conf.d.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Mon, 5 Jul 2021 09:02:36 +0200
-Subject: [PATCH] conf: userns.conf: include userns.conf.d
-
-Signed-off-by: Wolfgang Bumiller
----
- config/templates/userns.conf.in | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
-index 69d992680..255dd01a3 100644
---- a/config/templates/userns.conf.in
-+++ b/config/templates/userns.conf.in
-@@ -19,3 +19,6 @@ lxc.tty.dir =
-
- # Setup the default mounts
- lxc.mount.auto = sys:rw
-+
-+# Lastly, include all the configs from @LXCTEMPLATECONFIG@/userns.conf.d/
-+lxc.include = @LXCTEMPLATECONFIG@/userns.conf.d/
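Review bot: `pid = fork();` is the right fix as long as the child keeps doing more than exec, which is what the patch body describes (`signal`, `fprintf`, `exit`): under vfork() those run in the parent's address space and POSIX permits a vfork() child to call only `_exit()` and the exec family, so the revert removes undefined behaviour rather than just a race. Stating that restriction explicitly in the description, e.g. `POSIX allows a vfork() child to call only _exit() or an exec function; lxc_container_init's child does more than that.`, would let the next rebase recognise a re-introduced vfork() as the same bug instead of a merge conflict to resolve. The body of lxc_container_init continues outside the hunk, so whether the 4.0.11 child still calls those functions is inferred from the description.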
diff --git a/debian/patches/pve/0011-confile-allow-including-nonexisting-directories.patch b/debian/patches/pve/0011-confile-allow-including-nonexisting-directories.patch deleted file mode 100644 index ecd3132..0000000 --- a/debian/patches/pve/0011-confile-allow-including-nonexisting-directories.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Mon, 5 Jul 2021 10:53:41 +0200 -Subject: [PATCH] confile: allow including nonexisting directories - -If an include directive ends with a trailing slash, we now -always assume it is a directory and do not treat the -non-existence as an error. - -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/confile.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index 6e2b68b1c..7f4fb13fb 100644 ---- a/src/lxc/confile.c -+++ b/src/lxc/confile.c -@@ -2689,7 +2689,7 @@ static int do_includedir(const char *dirp, struct lxc_conf *lxc_conf) - - dir = opendir(dirp); - if (!dir) -- return -errno; -+ return errno == ENOENT ? 0 : -errno; - - while ((direntp = readdir(dir))) { - const char *fnam; -@@ -2726,7 +2726,7 @@ static int set_config_includefiles(const char *key, const char *value, - return 0; - } - -- if (is_dir(value)) -+ if (value[strlen(value)-1] == '/' || is_dir(value)) - return do_includedir(value, lxc_conf); - - return lxc_config_read(value, lxc_conf, true); diff --git a/debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch b/debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch new file mode 100644 index 0000000..28ed5b9 --- /dev/null +++ b/debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch 
@@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Fri, 3 Dec 2021 09:13:11 +0100
+Subject: [PATCH lxc] use 2 sysfs instances for sys:mixed
+
+In order to facilitate this, the default mount list's
+'destination' may now be NULL to mean that the source should
+be unmounted instead.
+
+Here's what we need to do:
+
+1) Ensure the first sysfs mount point is writable.
+2) Mount a read-only sysfs on /sys
+3) Bind devices/virtual/net *writably* into /sys
+
+We use /proc/sys as a staging directory for the first sysfs
+mount in read-write mode, then mount /sys r/o. Afterwards we
+bind the r/w devices/virtual/net and unmount the staging
+/proc/sys mount point.
+
+The staging directory would not be required with the new
+mount API, but this way we can support the old API and keep
+the general workflow in the `default_mounts`.
+
+Once we drop support for the old mount API, the
+default_mounts table could just get a subdirectory field to
+mount subdirectories directly.
+
+Signed-off-by: Wolfgang Bumiller
+---
+ src/lxc/conf.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 8e068b8ac..c9ab285d8 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -708,9 +708,11 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
++ /* /proc/sys is used as a temporary staging directory for the read-write sysfs mount and unmounted after binding net */
++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/proc/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
+- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
+- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys", NULL, NULL, 0, NULL, false },
+ { 0, 0, NULL, NULL, NULL, 0, NULL, false }
+ };
+ struct lxc_conf *conf = handler->conf;
+@@ -778,14 +780,21 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
+ return syserror_set(-ENOMEM, "Failed to create source path");
+ }
+
+- if (!default_mounts[i].destination)
+- return syserror_set(-EINVAL, "BUG: auto mounts destination %d was NULL", i);
+-
+ if (!has_cap_net_admin && default_mounts[i].requires_cap_net_admin) {
+ TRACE("Container does not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts[i].source ?: "(null)");
+ continue;
+ }
+
++ if (!default_mounts[i].destination) {
++ ret = umount2(source, MNT_DETACH);
++ if (ret < 0)
++ return log_error_errno(-1, errno,
++ "Failed to unmount \"%s\"",
++ source);
++ TRACE("Unmounted automount \"%s\"", source);
++ continue;
++ }
++
+ /* will act like strdup if %r is not present */
+ destination = lxc_string_replace("%r", rootfs->path ? rootfs->mount : "", default_mounts[i].destination);
+ if (!destination)
diff --git a/debian/patches/pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch b/debian/patches/pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch
deleted file mode 100644
index d24e45c..0000000
--- a/debian/patches/pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch
+++ /dev/null
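Review bot: The new staging row mounts sysfs at `%r/proc/sys`, a directory that only exists once proc is mounted there (or the rootfs ships a populated /proc), so the table silently depends on the LXC_AUTO_PROC_* rows above it having run in the same call; as far as the hunk shows, a config with `sys:mixed` but no `proc:*` automount would fail at the staging mount and abort container start instead of falling back to the previous single-instance behaviour. That dependency belongs on the table comment, e.g. `/* requires proc to be mounted first: %r/proc/sys is provided by procfs */`, or a directory check before the mount. Dropping the `BUG: auto mounts destination %d was NULL` check also turns a future row that accidentally leaves destination NULL into a lazy unmount of its source rather than a loud failure, so the struct definition (outside this hunk) should name NULL as the unmount marker. `ret` is used in the new branch without being declared here, so it is assumed to be the function's existing status variable. lxc_mount_auto_mounts starts and ends outside the hunk.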
@@ -1,102 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Stoiko Ivanov -Date: Mon, 19 Jul 2021 16:55:43 +0200 -Subject: [PATCH] cgroups: populate hierarchy for device cgroup - -With the changes introduced in: -b7b1e3a34ce28b01206c48227930ff83d399e7b6 -the hierarchy-struct did not have the path_lim set anymore, which is -needed by setup_limits_legacy to actually access the cgroup directory. - -The issue can be reproduced with a container config having -``` -lxc.cgroup.devices.deny = a -``` -(or any lxc.cgroup.devices entry) set on a system booted with -systemd.unified_cgroup_hierarchy=0. - -This affects all privileged containers on PVE (due to the default -devices.deny entry). - -Signed-off-by: Stoiko Ivanov ---- - src/lxc/cgroups/cgfsng.c | 39 +++++++++++++++++++-------------------- - 1 file changed, 19 insertions(+), 20 deletions(-) - -diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index 9e1ece5ca..e27baa625 100644 ---- a/src/lxc/cgroups/cgfsng.c -+++ b/src/lxc/cgroups/cgfsng.c -@@ -794,8 +794,12 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - if (fd_limit < 0) - return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir); - -+ limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); -+ h->dfd_lim = move_fd(fd_limit); -+ h->path_lim = move_ptr(limit_path); -+ - TRACE("Created limit cgroup %d->%d(%s)", -- fd_limit, h->dfd_base, cgroup_limit_dir); -+ h->dfd_lim, h->dfd_base, cgroup_limit_dir); - - /* - * With isolation the devices legacy cgroup needs to be -@@ -807,44 +811,39 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - !ops->setup_limits_legacy(ops, conf, true)) - return log_error(false, "Failed to setup legacy device limits"); - -- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); -- path = must_make_path(limit_path, cgroup_leaf, NULL); -+ path = 
must_make_path(h->path_lim, cgroup_leaf, NULL); - - /* - * If we use a separate limit cgroup, the leaf cgroup, i.e. the - * cgroup the container actually resides in, is below fd_limit. - */ -- fd_final = __cgroup_tree_create(fd_limit, cgroup_leaf, 0755, cpuset_v1, false); -+ fd_final = __cgroup_tree_create(h->dfd_lim, cgroup_leaf, 0755, cpuset_v1, false); - if (fd_final < 0) { - /* Ensure we don't leave any garbage behind. */ - if (cgroup_tree_prune(h->dfd_base, cgroup_limit_dir)) - SYSWARN("Failed to destroy %d(%s)", h->dfd_base, cgroup_limit_dir); - else - TRACE("Removed cgroup tree %d(%s)", h->dfd_base, cgroup_limit_dir); -+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir); - } -+ h->dfd_con = move_fd(fd_final); -+ h->path_con = move_ptr(path); -+ - } else { - path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); - - fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false); -- } -- if (fd_final < 0) -- return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir); -- -- if (payload) { -- h->dfd_con = move_fd(fd_final); -- h->path_con = move_ptr(path); -+ if (fd_final < 0) -+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir); - -- if (fd_limit < 0) -+ if (payload) { -+ h->dfd_con = move_fd(fd_final); - h->dfd_lim = h->dfd_con; -- else -- h->dfd_lim = move_fd(fd_limit); -- -- if (limit_path) -- h->path_lim = move_ptr(limit_path); -- else -+ h->path_con = move_ptr(path); - h->path_lim = h->path_con; -- } else { -- h->dfd_mon = move_fd(fd_final); -+ } else { -+ h->dfd_mon = move_fd(fd_final); -+ } - } - - return true; 
diff --git a/debian/patches/pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch b/debian/patches/pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch deleted file mode 100644 index 692233d..0000000 --- a/debian/patches/pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Stoiko Ivanov -Date: Tue, 20 Jul 2021 10:30:36 +0200 -Subject: [PATCH] cgroups: remove unneeded variables from cgroup_tree_create - -Signed-off-by: Stoiko Ivanov ---- - src/lxc/cgroups/cgfsng.c | 13 ++++--------- - 1 file changed, 4 insertions(+), 9 deletions(-) - -diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index e27baa625..35ba0fb9d 100644 ---- a/src/lxc/cgroups/cgfsng.c -+++ b/src/lxc/cgroups/cgfsng.c -@@ -779,7 +779,6 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - const char *cgroup_leaf, bool payload) - { - __do_close int fd_limit = -EBADF, fd_final = -EBADF; -- __do_free char *path = NULL, *limit_path = NULL; - bool cpuset_v1 = false; - - /* -@@ -794,9 +793,8 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - if (fd_limit < 0) - return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir); - -- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); -+ h->path_lim = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); - h->dfd_lim = move_fd(fd_limit); -- h->path_lim = move_ptr(limit_path); - - TRACE("Created limit cgroup %d->%d(%s)", - h->dfd_lim, h->dfd_base, cgroup_limit_dir); -@@ -811,8 +809,6 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - !ops->setup_limits_legacy(ops, conf, true)) - return log_error(false, "Failed to setup legacy device limits"); - -- path = must_make_path(h->path_lim, cgroup_leaf, NULL); -- - /* - * If we use a separate limit cgroup, the leaf cgroup, i.e. the - * cgroup the container actually resides in, is below fd_limit. -@@ -827,11 +823,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? 
"payload" : "monitor", h->dfd_base, cgroup_limit_dir); - } - h->dfd_con = move_fd(fd_final); -- h->path_con = move_ptr(path); -+ h->path_con = must_make_path(h->path_lim, cgroup_leaf, NULL); - - } else { -- path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); -- - fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false); - if (fd_final < 0) - return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir); -@@ -839,7 +833,8 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, - if (payload) { - h->dfd_con = move_fd(fd_final); - h->dfd_lim = h->dfd_con; -- h->path_con = move_ptr(path); -+ h->path_con = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL); -+ - h->path_lim = h->path_con; - } else { - h->dfd_mon = move_fd(fd_final); diff --git a/debian/patches/series b/debian/patches/series index 348ad52..f71c8c4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,7 +7,5 @@ pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch pve/0009-PVE-Config-attach-always-use-getent.patch -pve/0010-conf-userns.conf-include-userns.conf.d.patch -pve/0011-confile-allow-including-nonexisting-directories.patch -pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch -pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch +pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch +pve/0011-use-2-sysfs-instances-for-sys-mixed.patch -- 2.39.5