From ade16ee61118ed9bba3a60da35b1f7ee7befd422 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 10:28:26 +0100 Subject: [PATCH] switch to git-patch workflow; add lxc-monitord.service --- ...art-after-a-potential-syslog.service.patch | 25 ++ ...emove-Delegate-flag-to-silence-warni.patch | 38 +++ ...lxcnetaddbr-when-instantiating-veths.patch | 34 +++ ...04-deny-rw-mounting-of-sys-and-proc.patch} | 8 +- ...ting-from-the-namespaced-cgroup-roo.patch} | 18 +- ...ake-cgroupns-separation-level-confi.patch} | 14 +- ...me-cgroup-namespace-directory-to-ns.patch} | 4 +- ...run-lxc-monitord-as-a-regular-daemon.patch | 229 ++++++++++++++++++ debian/patches/delete_network_show_error.diff | 21 -- .../patches/fix-systemd-service-depends.patch | 14 -- .../remove-systemd-delegate-flag.patch | 26 -- debian/patches/run-lxcnetaddbr.patch | 19 -- debian/patches/series | 16 +- .../patches/use-forking-systemd-service.patch | 34 --- 14 files changed, 356 insertions(+), 144 deletions(-) create mode 100644 debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch create mode 100644 debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch create mode 100644 debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch rename debian/patches/{deny-rw-mounting-of-sys-and-proc.patch => 0004-deny-rw-mounting-of-sys-and-proc.patch} (93%) rename debian/patches/{0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch => 0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch} (97%) rename debian/patches/{0002-start-initutils-make-cgroupns-separation-level-confi.patch => 0006-start-initutils-make-cgroupns-separation-level-confi.patch} (90%) rename debian/patches/{rename-cgns-subdir-to-ns.patch => 0007-rename-cgroup-namespace-directory-to-ns.patch} (84%) create mode 100644 debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch delete mode 100644 debian/patches/delete_network_show_error.diff delete mode 100644 debian/patches/fix-systemd-service-depends.patch delete 
mode 100644 debian/patches/remove-systemd-delegate-flag.patch delete mode 100644 debian/patches/run-lxcnetaddbr.patch delete mode 100644 debian/patches/use-forking-systemd-service.patch diff --git a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch new file mode 100644 index 0000000..131c213 --- /dev/null +++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch @@ -0,0 +1,25 @@ +From 10bc10054434f20870f812bb710eef5b5e22040b Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Fri, 10 Feb 2017 09:13:40 +0100 +Subject: [PATCH 1/8] lxc.service: start after a potential syslog.service + +Signed-off-by: Wolfgang Bumiller +--- + config/init/systemd/lxc.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in +index cd61996..7754191 100644 +--- a/config/init/systemd/lxc.service.in ++++ b/config/init/systemd/lxc.service.in +@@ -1,6 +1,6 @@ + [Unit] + Description=LXC Container Initialization and Autoboot Code +-After=network.target lxc-net.service ++After=syslog.service network.target lxc-net.service + Wants=lxc-net.service + Documentation=man:lxc-autostart man:lxc + +-- +2.1.4 + diff --git a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch new file mode 100644 index 0000000..8d22d8e --- /dev/null +++ b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch 
@@ -0,0 +1,38 @@ +From e68a4291abec1c140fffbc8c954ff9596b17aad4 Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Fri, 10 Feb 2017 09:14:55 +0100 +Subject: [PATCH 2/8] jessie/systemd: remove Delegate flag to silence warnings + +Signed-off-by: Wolfgang Bumiller +--- + config/init/systemd/lxc.service.in | 1 - + config/init/systemd/lxc@.service.in | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in +index 7754191..bdd5828 100644 +--- a/config/init/systemd/lxc.service.in ++++ b/config/init/systemd/lxc.service.in +@@ -12,7 +12,6 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-containers start + ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop + # Environment=BOOTUP=serial + # Environment=CONSOLETYPE=serial +-Delegate=yes + StandardOutput=syslog + StandardError=syslog + +diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in +index 44d11e8..6b8b5ff 100644 +--- a/config/init/systemd/lxc@.service.in ++++ b/config/init/systemd/lxc@.service.in +@@ -13,7 +13,6 @@ TimeoutStopSec=120s + ExecStart=@BINDIR@/lxc-start -F -n %i + # Environment=BOOTUP=serial + # Environment=CONSOLETYPE=serial +-Delegate=yes + StandardOutput=syslog + StandardError=syslog + +-- +2.1.4 + diff --git a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch new file mode 100644 index 0000000..619047a --- /dev/null +++ b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch 
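Review bot: The two hunks in lxc.service.in and lxc@.service.in delete `Delegate=yes` outright, whereas the replaced `remove-systemd-delegate-flag.patch` only commented it out, so the unit files lose the only hint that cgroup delegation was intentionally disabled, and the change applies to every build although the subject scopes it to jessie. On systemd versions that understand the directive it is what keeps systemd from managing the cgroup subtree below the unit's own cgroup, so dropping it unconditionally may let systemd reset attributes lxc sets for its containers (this depends on the target systemd version and is not visible in the hunk). I would keep a breadcrumb instead of a bare deletion, e.g. `# Delegate=yes is not understood by jessie's systemd and only produces warnings there` followed by `#Delegate=yes`.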
@@ -0,0 +1,34 @@ +From 6b3de84e0654c3b0b13166d63af9961a3a757c6e Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Fri, 10 Feb 2017 09:15:37 +0100 +Subject: [PATCH 3/8] pve: run lxcnetaddbr when instantiating veths + +FIXME: Why aren't we using regular up-scripts? + +Signed-off-by: Wolfgang Bumiller +--- + src/lxc/conf.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a93124b..c4079bb 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2683,8 +2683,13 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd + "veth", veth1, (char*) NULL); + if (err) + goto out_delete; ++ } else if (!netdev->link) { ++ err = run_script(handler->name, "net", "/usr/share/lxc/lxcnetaddbr", "up", ++ "veth", veth1, (char*) NULL); ++ if (err) ++ goto out_delete; + } +- ++ + DEBUG("instantiated veth '%s/%s', index is '%d'", + veth1, veth2, netdev->ifindex); + +-- +2.1.4 + diff --git a/debian/patches/deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch similarity index 93% rename from debian/patches/deny-rw-mounting-of-sys-and-proc.patch rename to debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch index 466f375..2cdfd36 100644 --- a/debian/patches/deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch @@ -1,7 +1,7 @@ -From 77596df581ee381896a5d9a9152c046ff164c65a Mon Sep 17 00:00:00 2001 +From e7d6b0d2384070f2c34a46aaa20250ce31f96c9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Nov 2016 09:14:26 +0100 -Subject: [PATCH] deny rw mounting of /sys and /proc +Subject: [PATCH 4/8] deny rw mounting of /sys and /proc this would allow root in a privileged container to change the permissions of /sys on the host, which could lock out @@ -14,7 +14,7 @@ if a rw /sys is desired, set "lxc.mount.auto" accordingly 2 files changed, 10 insertions(+), 2 deletions(-) 
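Review bot: The second part of the conf.c hunk replaces the empty line before the `DEBUG("instantiated veth ...")` call with a whitespace-only line (`+-` followed by `++ `), which is unrelated noise that trips whitespace checks; drop that pair so the blank line stays untouched. The new `else if (!netdev->link)` branch hands `veth1` to `/usr/share/lxc/lxcnetaddbr` via `run_script` with a hard-coded path and no container-config switch, which the patch description itself flags with "FIXME: Why aren't we using regular up-scripts?"; the code should carry that reasoning, e.g. `/* PVE: no upscript configured, let lxcnetaddbr attach veth1 (see FIXME in the patch header). */`. The enclosing `instantiate_veth()` starts and ends outside the hunk, so I cannot tell whether `netdev->link` being unset is the only case meant to be covered.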
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base -index 06290de..3c64c66 100644 +index 06290de..779aadd 100644 --- a/config/apparmor/abstractions/container-base +++ b/config/apparmor/abstractions/container-base @@ -84,7 +84,6 @@ @@ -38,7 +38,7 @@ index 06290de..3c64c66 100644 # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. # mount options=(rw,make-slave) -> **, diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in -index 5bc9b28..482214e 100644 +index 5bc9b28..5c8e441 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -84,7 +84,6 @@ diff --git a/debian/patches/0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch similarity index 97% rename from debian/patches/0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch rename to debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch index 718c75e..163da92 100644 --- a/debian/patches/0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch +++ b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch @@ -1,7 +1,7 @@ -From 2e386b0ab03ebc04bd3b08fa3cf9aa14c596b883 Mon Sep 17 00:00:00 2001 +From 6adbaea0d07553932f4cd78b5530cd5291c3b41f Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 15 Nov 2016 09:20:24 +0100 -Subject: [PATCH 1/2] separate the limiting from the namespaced cgroup root +Subject: [PATCH 5/8] separate the limiting from the namespaced cgroup root When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root 
@@ -679,10 +679,10 @@ index 184eefa..6430b33 100644 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath); extern char *lxc_cmd_get_name(const char *hashed_sock); diff --git a/src/lxc/criu.c b/src/lxc/criu.c -index 125e674..5a9e36b 100644 +index 8a0702f..5843f97 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c -@@ -284,7 +284,7 @@ static void exec_criu(struct criu_opts *opts) +@@ -283,7 +283,7 @@ static void exec_criu(struct criu_opts *opts) } else { const char *p; @@ -691,7 +691,7 @@ index 125e674..5a9e36b 100644 if (!p) { ERROR("failed to get cgroup path for %s", controllers[0]); goto err; -@@ -797,7 +797,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ +@@ -795,7 +795,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ goto out_fini_handler; } @@ -701,10 +701,10 @@ index 125e674..5a9e36b 100644 goto out_fini_handler; } diff --git a/src/lxc/start.c b/src/lxc/start.c -index 71206e0..c9d78b7 100644 +index c2c14a7..e889421 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1121,7 +1121,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1104,7 +1104,7 @@ static int lxc_spawn(struct lxc_handler *handler) cgroups_connected = true; @@ -713,7 +713,7 @@ index 71206e0..c9d78b7 100644 ERROR("Failed creating cgroups."); goto out_delete_net; } -@@ -1208,10 +1208,10 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1191,10 +1191,10 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } @@ -726,7 +726,7 @@ index 71206e0..c9d78b7 100644 goto out_delete_net; if (failed_before_rename) -@@ -1254,6 +1254,21 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1237,6 +1237,21 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } 
diff --git a/debian/patches/0002-start-initutils-make-cgroupns-separation-level-confi.patch b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch similarity index 90% rename from debian/patches/0002-start-initutils-make-cgroupns-separation-level-confi.patch rename to debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch index 51dd994..c8c087a 100644 --- a/debian/patches/0002-start-initutils-make-cgroupns-separation-level-confi.patch +++ b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch @@ -1,7 +1,7 @@ -From e1fecf743d507ea7df458ed7e14222d02fe76cae Mon Sep 17 00:00:00 2001 +From af72260927efd412210ec85842e1ef70ccc0c5e8 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 16 Nov 2016 09:53:42 +0100 -Subject: [PATCH 2/2] start/initutils: make cgroupns separation level +Subject: [PATCH 6/8] start/initutils: make cgroupns separation level configurable Adds a new global config variable `lxc.cgroup.separate` @@ -17,7 +17,7 @@ Signed-off-by: Wolfgang Bumiller 3 files changed, 26 insertions(+), 20 deletions(-) diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c -index 3213bd3..d07fd10 100644 +index 8d9016c..0630293 100644 --- a/src/lxc/initutils.c +++ b/src/lxc/initutils.c @@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p) @@ -57,10 +57,10 @@ index c021fd6..443ad02 100644 extern void lxc_setup_fs(void); extern const char *lxc_global_config_value(const char *option_name); diff --git a/src/lxc/start.c b/src/lxc/start.c -index c9d78b7..fe2e335 100644 +index e889421..4217c5d 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1067,6 +1067,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1050,6 +1050,7 @@ static int lxc_spawn(struct lxc_handler *handler) int saved_ns_fd[LXC_NS_MAX]; int preserve_mask = 0, i, flags; int netpipepair[2], nveths; 
@@ -68,7 +68,7 @@ index c9d78b7..fe2e335 100644 netpipe = -1; -@@ -1130,7 +1131,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1113,7 +1114,7 @@ static int lxc_spawn(struct lxc_handler *handler) * it readonly. * If the container is unprivileged then skip rootfs pinning. */ @@ -77,7 +77,7 @@ index c9d78b7..fe2e335 100644 handler->pinfd = pin_rootfs(handler->conf->rootfs.path); if (handler->pinfd == -1) INFO("Failed to pin the rootfs for container \"%s\".", handler->name); -@@ -1255,17 +1256,20 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1238,17 +1239,20 @@ static int lxc_spawn(struct lxc_handler *handler) } if (cgns_supported()) { diff --git a/debian/patches/rename-cgns-subdir-to-ns.patch b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch similarity index 84% rename from debian/patches/rename-cgns-subdir-to-ns.patch rename to debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch index a1fde7b..6ed92de 100644 --- a/debian/patches/rename-cgns-subdir-to-ns.patch +++ b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch @@ -1,7 +1,7 @@ -From 9b5f49f361290267e00665ec9f0bdbfaeda39bc0 Mon Sep 17 00:00:00 2001 +From 3790507952f3cda5c6dd9bb6f87c80d9b0ddadf7 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 23 Dec 2016 15:57:24 +0100 -Subject: [PATCH] rename cgroup namespace directory to ns +Subject: [PATCH 7/8] rename cgroup namespace directory to ns Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch new file mode 100644 index 0000000..c901dd5 --- /dev/null +++ b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch 
@@ -0,0 +1,229 @@ +From 1bdcf98811093349ca856dac4beb3f5bd0dd501b Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Fri, 10 Feb 2017 10:23:36 +0100 +Subject: [PATCH 8/8] possibility to run lxc-monitord as a regular daemon + +This includes an lxc-monitord.service, required by +lxc@.service which is now of Type=forking. + +Previously the init process' output was dumped into the log +files since the service used Type=simple and +StandardOutput/Error=syslog. Using lxc-start's daemon mode +on the other hand used a wait call spawning an lxc-monitord +in the background which could potentially stick around +forever if there were clients connected to it. Since it was +considered part of the lxc@foo.service unit by systemd this +also meant the unit was considered active until not only the +container but also lxc-monitord exited. +This is now corrected by creating a separate lxc-monitord +unit which lxc@.service depends on. + +Signed-off-by: Wolfgang Bumiller +--- + config/init/systemd/Makefile.am | 10 +++-- + config/init/systemd/lxc-monitord.service.in | 12 ++++++ + config/init/systemd/lxc@.service.in | 7 ++-- + configure.ac | 1 + + lxc.spec.in | 1 + + src/lxc/lxc_monitord.c | 60 +++++++++++++++++++++-------- + 6 files changed, 67 insertions(+), 24 deletions(-) + create mode 100644 config/init/systemd/lxc-monitord.service.in + +diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am +index c448850..4a4fde5 100644 +--- a/config/init/systemd/Makefile.am ++++ b/config/init/systemd/Makefile.am +@@ -2,19 +2,21 @@ EXTRA_DIST = \ + lxc-apparmor-load \ + lxc.service.in \ + lxc@.service.in \ +- lxc-net.service.in ++ lxc-net.service.in \ ++ lxc-monitord.service.in + + if INIT_SCRIPT_SYSTEMD +-BUILT_SOURCES = lxc.service lxc@.service lxc-net.service ++BUILT_SOURCES = lxc.service lxc@.service lxc-net.service lxc-monitord.service + +-install-systemd: lxc.service lxc@.service lxc-net.service lxc-apparmor-load ++install-systemd: lxc.service lxc@.service 
lxc-net.service lxc-monitord.service lxc-apparmor-load + $(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR) +- $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/ ++ $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service lxc-monitord.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/ + + uninstall-systemd: + rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc.service + rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc@.service + rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service ++ rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-monitord.service + rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || : + + pkglibexec_SCRIPTS = lxc-apparmor-load +diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in +new file mode 100644 +index 0000000..4063516 +--- /dev/null ++++ b/config/init/systemd/lxc-monitord.service.in +@@ -0,0 +1,12 @@ ++[Unit] ++Description=LXC Container Monitoring Daemon ++After=syslog.service network.target ++ ++[Service] ++Type=simple ++ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon ++StandardOutput=syslog ++StandardError=syslog ++ ++[Install] ++WantedBy=multi-user.target +diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in +index 6b8b5ff..ffb9136 100644 +--- a/config/init/systemd/lxc@.service.in ++++ b/config/init/systemd/lxc@.service.in +@@ -1,16 +1,17 @@ + [Unit] + Description=LXC Container: %i + # This pulls in apparmor, dev-setup, lxc-net +-After=lxc.service ++After=lxc.service lxc-monitord.service + Wants=lxc.service ++Requires = lxc-monitord.service + Documentation=man:lxc-start man:lxc + + [Service] +-Type=simple ++Type=forking + KillMode=mixed + KillSignal=SIGPWR + TimeoutStopSec=120s +-ExecStart=@BINDIR@/lxc-start -F -n %i ++ExecStart=@BINDIR@/lxc-start -n %i + # Environment=BOOTUP=serial + # Environment=CONSOLETYPE=serial + StandardOutput=syslog +diff --git a/configure.ac b/configure.ac +index 42ece7a..c6b2a78 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -694,6 +694,7 @@ 
AC_CONFIG_FILES([ + config/init/systemd/lxc.service + config/init/systemd/lxc@.service + config/init/systemd/lxc-net.service ++ config/init/systemd/lxc-monitord.service + config/init/sysvinit/Makefile + config/init/sysvinit/lxc-containers + config/init/sysvinit/lxc-net +diff --git a/lxc.spec.in b/lxc.spec.in +index 0e64907..f35d81c 100644 +--- a/lxc.spec.in ++++ b/lxc.spec.in +@@ -259,6 +259,7 @@ fi + %{_unitdir}/lxc-net.service + %{_unitdir}/lxc.service + %{_unitdir}/lxc@.service ++%{_unitdir}/lxc-monitord.service + %else + %{_sysconfdir}/rc.d/init.d/lxc + %{_sysconfdir}/rc.d/init.d/lxc-net +diff --git a/src/lxc/lxc_monitord.c b/src/lxc/lxc_monitord.c +index 62e2121..ad40dbe 100644 +--- a/src/lxc/lxc_monitord.c ++++ b/src/lxc/lxc_monitord.c +@@ -344,16 +344,43 @@ static void lxc_monitord_sig_handler(int sig) + + int main(int argc, char *argv[]) + { +- int ret, pipefd; ++ int ret, pipefd = -1; + char logpath[PATH_MAX]; + sigset_t mask; +- char *lxcpath = argv[1]; ++ const char *lxcpath = NULL; + bool mainloop_opened = false; + bool monitord_created = false; ++ bool persistent = false; + +- if (argc != 3) { ++ if (argc > 1 && !strcmp(argv[1], "--daemon")) { ++ persistent = true; ++ --argc; ++ ++argv; ++ } ++ ++ if (argc > 1) { ++ lxcpath = argv[1]; ++ --argc; ++ ++argv; ++ } else { ++ lxcpath = lxc_global_config_value("lxc.lxcpath"); ++ if (!lxcpath) { ++ ERROR("Out of memory getting lxcpath"); ++ exit(EXIT_FAILURE); ++ } ++ } ++ ++ if (argc > 1) { ++ if (lxc_safe_int(argv[1], &pipefd) < 0) ++ exit(EXIT_FAILURE); ++ --argc; ++ ++argv; ++ } ++ ++ if (argc != 1 || (persistent != (pipefd == -1))) { + fprintf(stderr, +- "Usage: lxc-monitord lxcpath sync-pipe-fd\n\n" ++ "Usage: lxc-monitord lxcpath sync-pipe-fd\n" ++ " lxc-monitord --daemon lxcpath\n\n" + "NOTE: lxc-monitord is intended for use by lxc internally\n" + " and does not need to be run by hand\n\n"); + exit(EXIT_FAILURE); +@@ -369,9 +396,6 @@ int main(int argc, char *argv[]) + INFO("Failed to open log file %s, 
log will be lost.", lxcpath); + lxc_log_options_no_override(); + +- if (lxc_safe_int(argv[2], &pipefd) < 0) +- exit(EXIT_FAILURE); +- + if (sigfillset(&mask) || + sigdelset(&mask, SIGILL) || + sigdelset(&mask, SIGSEGV) || +@@ -403,15 +427,17 @@ int main(int argc, char *argv[]) + goto on_error; + monitord_created = true; + +- /* sync with parent, we're ignoring the return from write +- * because regardless if it works or not, the following +- * close will sync us with the parent process. the +- * if-empty-statement construct is to quiet the +- * warn-unused-result warning. +- */ +- if (write(pipefd, "S", 1)) +- ; +- close(pipefd); ++ if (pipefd != -1) { ++ /* sync with parent, we're ignoring the return from write ++ * because regardless if it works or not, the following ++ * close will sync us with the parent process. the ++ * if-empty-statement construct is to quiet the ++ * warn-unused-result warning. ++ */ ++ if (write(pipefd, "S", 1)) ++ ; ++ close(pipefd); ++ } + + if (lxc_monitord_mainloop_add(&mon)) { + ERROR("Failed to add mainloop handlers."); +@@ -421,7 +447,7 @@ int main(int argc, char *argv[]) + NOTICE("lxc-monitord with pid %d is now monitoring lxcpath %s.", + getpid(), mon.lxcpath); + for (;;) { +- ret = lxc_mainloop(&mon.descr, 1000 * 30); ++ ret = lxc_mainloop(&mon.descr, persistent ? -1 : 1000 * 30); + if (mon.clientfds_cnt <= 0) { + NOTICE("No remaining clients. lxc-monitord is exiting."); + break; +-- +2.1.4 + diff --git a/debian/patches/delete_network_show_error.diff b/debian/patches/delete_network_show_error.diff deleted file mode 100644 index 1c8892c..0000000 --- a/debian/patches/delete_network_show_error.diff +++ /dev/null 
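Review bot: In the `for (;;)` loop of `main()` in src/lxc/lxc_monitord.c, `--daemon` mode only switches the mainloop timeout to `-1`; the unchanged `if (mon.clientfds_cnt <= 0) { NOTICE("No remaining clients. lxc-monitord is exiting."); break; }` right after it still terminates the process whenever `lxc_mainloop` returns with no connected client, so the new lxc-monitord.service would go inactive as soon as the last lxc-start disconnects (whether the mainloop returns at that point depends on the socket handler outside the hunk, but the exit path is visibly reachable; `main()` also continues past the hunk). I would guard it with `if (!persistent && mon.clientfds_cnt <= 0) {` and add `Restart=always` to lxc-monitord.service.in so a stray exit does not leave the sync socket unserved. This matters because lxc@.service.in now declares `Requires = lxc-monitord.service`, which propagates an explicit stop of the monitor to every container unit; `Wants=` together with the existing `After=` is the safer dependency unless containers are meant to stop with the monitor. Separately, `Type=forking` with `ExecStart=@BINDIR@/lxc-start -n %i` and no `PIDFile=` leaves systemd guessing which process receives `KillSignal=SIGPWR`; writing one via lxc-start's `-p` option would make that deterministic.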
@@ -1,21 +0,0 @@ -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 0e3421b..91c90b1 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -3083,9 +3083,13 @@ void lxc_delete_network(struct lxc_handler *handler) - * namespace is destroyed but in case we did not moved the - * interface to the network namespace, we have to destroy it - */ -- if (netdev->ifindex != 0 && -- lxc_netdev_delete_by_index(netdev->ifindex)) -- WARN("failed to remove interface '%s'", netdev->name); -+ if (netdev->ifindex != 0) { -+ int err = lxc_netdev_delete_by_index(netdev->ifindex); -+ if (err) { -+ WARN("failed to remove interface '%s': %i: %s", netdev->name, -+ err, strerror(-err)); -+ } -+ } - } - } - diff --git a/debian/patches/fix-systemd-service-depends.patch b/debian/patches/fix-systemd-service-depends.patch deleted file mode 100644 index d169490..0000000 --- a/debian/patches/fix-systemd-service-depends.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: new/config/init/systemd/lxc.service.in -=================================================================== ---- new.orig/config/init/systemd/lxc.service.in -+++ new/config/init/systemd/lxc.service.in -@@ -1,7 +1,7 @@ - [Unit] - Description=LXC Container Initialization and Autoboot Code --After=network.target lxc-net.service --Wants=lxc-net.service -+After=syslog.service network.target lxc-net.service -+Wants=lxc-net.service - Documentation=man:lxc-autostart man:lxc - - [Service] diff --git a/debian/patches/remove-systemd-delegate-flag.patch b/debian/patches/remove-systemd-delegate-flag.patch deleted file mode 100644 index c8e157f..0000000 --- a/debian/patches/remove-systemd-delegate-flag.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -This flag requires systemd 218 or newer - -Index: new/config/init/systemd/lxc.service.in -=================================================================== ---- new.orig/config/init/systemd/lxc.service.in -+++ new/config/init/systemd/lxc.service.in -@@ -12,7 +12,7 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-container - ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop - # Environment=BOOTUP=serial - # Environment=CONSOLETYPE=serial --Delegate=yes -+#Delegate=yes - StandardOutput=syslog - StandardError=syslog - ---- new.orig/config/init/systemd/lxc@.service.in -+++ new/config/init/systemd/lxc@.service.in -@@ -12,7 +12,7 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-container - ExecStart=/usr/bin/lxc-start -n %i - # Environment=BOOTUP=serial - # Environment=CONSOLETYPE=serial --Delegate=yes -+#Delegate=yes - StandardOutput=syslog - StandardError=syslog - diff --git a/debian/patches/run-lxcnetaddbr.patch b/debian/patches/run-lxcnetaddbr.patch deleted file mode 100644 index 562a88b..0000000 --- a/debian/patches/run-lxcnetaddbr.patch +++ /dev/null @@ -1,19 +0,0 @@ -Index: new/src/lxc/conf.c -=================================================================== ---- new.orig/src/lxc/conf.c -+++ new/src/lxc/conf.c -@@ -2691,8 +2691,13 @@ static int instantiate_veth(struct lxc_h - "veth", veth1, (char*) NULL); - if (err) - goto out_delete; -+ } else if (!netdev->link) { -+ err = run_script(handler->name, "net", "/usr/share/lxc/lxcnetaddbr", "up", -+ "veth", veth1, (char*) NULL); -+ if (err) -+ goto out_delete; - } -- -+ - DEBUG("instantiated veth '%s/%s', index is '%d'", - veth1, veth2, netdev->ifindex); - diff --git a/debian/patches/series b/debian/patches/series index a5d0c35..35ae8f9 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,8 +1,8 @@
-fix-systemd-service-depends.patch
-use-forking-systemd-service.patch
-remove-systemd-delegate-flag.patch
-run-lxcnetaddbr.patch
-deny-rw-mounting-of-sys-and-proc.patch
-0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
-0002-start-initutils-make-cgroupns-separation-level-confi.patch
-rename-cgns-subdir-to-ns.patch
+0001-lxc.service-start-after-a-potential-syslog.service.patch
+0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
+0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
+0004-deny-rw-mounting-of-sys-and-proc.patch
+0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
+0006-start-initutils-make-cgroupns-separation-level-confi.patch
+0007-rename-cgroup-namespace-directory-to-ns.patch
+0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
diff --git a/debian/patches/use-forking-systemd-service.patch b/debian/patches/use-forking-systemd-service.patch
deleted file mode 100644
index 881c842..0000000
--- a/debian/patches/use-forking-systemd-service.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -From ba028c2a3f73eec5e45842cc742a20471ee0d921 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Thu, 2 Feb 2017 11:15:22 +0100 -Subject: [PATCH] init: systemd: use forking mode in lxc@.service - -To avoid dumping the entire console outputs into the -logs - -Signed-off-by: Wolfgang Bumiller ---- - config/init/systemd/lxc@.service.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in -index 44d11e8..52c6a27 100644 ---- a/config/init/systemd/lxc@.service.in -+++ b/config/init/systemd/lxc@.service.in -@@ -6,11 +6,11 @@ Wants=lxc.service - Documentation=man:lxc-start man:lxc - - [Service] --Type=simple -+Type=forking - KillMode=mixed - KillSignal=SIGPWR - TimeoutStopSec=120s --ExecStart=@BINDIR@/lxc-start -F -n %i -+ExecStart=@BINDIR@/lxc-start -n %i - # Environment=BOOTUP=serial - # Environment=CONSOLETYPE=serial - Delegate=yes --- -2.1.4 - -- 2.39.5