rebase on lxc-4.0.3 tag
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 31 Jul 2020 09:07:51 +0000 (11:07 +0200)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 31 Jul 2020 09:07:51 +0000 (11:07 +0200)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
23 files changed:
debian/patches/extra/0001-mainloop-add-lxc_mainloop_add_handler_events.patch [deleted file]
debian/patches/extra/0002-cgfsng-deduplicate-freeze-code.patch [deleted file]
debian/patches/extra/0003-cgfsng-use-EPOLLPRI-when-polling-cgroup.events.patch [deleted file]
debian/patches/pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch [deleted file]
debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch [new file with mode: 0644]
debian/patches/pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch [deleted file]
debian/patches/pve/0002-systemd-Add-Documentation-key.patch [new file with mode: 0644]
debian/patches/pve/0003-PVE-Config-attach-always-use-getent.patch [deleted file]
debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch [new file with mode: 0644]
debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch [deleted file]
debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch [new file with mode: 0644]
debian/patches/pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch [new file with mode: 0644]
debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch [new file with mode: 0644]
debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch [new file with mode: 0644]
debian/patches/pve/0008-confile-fix-jump-table-order.patch [new file with mode: 0644]
debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch [new file with mode: 0644]
debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch [new file with mode: 0644]
debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch [new file with mode: 0644]
debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch [new file with mode: 0644]
debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch [new file with mode: 0644]
debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch [new file with mode: 0644]
debian/patches/series
lxc

diff --git a/debian/patches/extra/0001-mainloop-add-lxc_mainloop_add_handler_events.patch b/debian/patches/extra/0001-mainloop-add-lxc_mainloop_add_handler_events.patch
deleted file mode 100644 (file)
index 7e58fe9..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 15 May 2020 15:06:38 +0200
-Subject: [PATCH] mainloop: add lxc_mainloop_add_handler_events
-
-in order to be able to listen for EPOLLPRI
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/mainloop.c | 15 ++++++++++++---
- src/lxc/mainloop.h |  4 ++++
- 2 files changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/src/lxc/mainloop.c b/src/lxc/mainloop.c
-index 6d4c5935a..d5ae2a67a 100644
---- a/src/lxc/mainloop.c
-+++ b/src/lxc/mainloop.c
-@@ -59,8 +59,10 @@ int lxc_mainloop(struct lxc_epoll_descr *descr, int timeout_ms)
-       }
- }
--int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
--                           lxc_mainloop_callback_t callback, void *data)
-+int lxc_mainloop_add_handler_events(struct lxc_epoll_descr *descr, int fd,
-+                                  int events,
-+                                  lxc_mainloop_callback_t callback,
-+                                  void *data)
- {
-       __do_free struct mainloop_handler *handler = NULL;
-       __do_free struct lxc_list *item = NULL;
-@@ -77,7 +79,7 @@ int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
-       handler->fd = fd;
-       handler->data = data;
--      ev.events = EPOLLIN;
-+      ev.events = events;
-       ev.data.ptr = handler;
-       if (epoll_ctl(descr->epfd, EPOLL_CTL_ADD, fd, &ev) < 0)
-@@ -92,6 +94,13 @@ int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
-       return 0;
- }
-+int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
-+                           lxc_mainloop_callback_t callback, void *data)
-+{
-+      return lxc_mainloop_add_handler_events(descr, fd, EPOLLIN, callback,
-+                                             data);
-+}
-+
- int lxc_mainloop_del_handler(struct lxc_epoll_descr *descr, int fd)
- {
-       struct mainloop_handler *handler;
-diff --git a/src/lxc/mainloop.h b/src/lxc/mainloop.h
-index 8afac60d3..e6ab9a6d9 100644
---- a/src/lxc/mainloop.h
-+++ b/src/lxc/mainloop.h
-@@ -22,6 +22,10 @@ typedef int (*lxc_mainloop_callback_t)(int fd, uint32_t event, void *data,
- extern int lxc_mainloop(struct lxc_epoll_descr *descr, int timeout_ms);
-+extern int lxc_mainloop_add_handler_events(struct lxc_epoll_descr *descr,
-+                                         int fd, int events,
-+                                         lxc_mainloop_callback_t callback,
-+                                         void *data);
- extern int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
-                                   lxc_mainloop_callback_t callback,
-                                   void *data);
diff --git a/debian/patches/extra/0002-cgfsng-deduplicate-freeze-code.patch b/debian/patches/extra/0002-cgfsng-deduplicate-freeze-code.patch
deleted file mode 100644 (file)
index 1427cad..0000000
+++ /dev/null
@@ -1,116 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 15 May 2020 15:07:07 +0200
-Subject: [PATCH] cgfsng: deduplicate freeze code
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/cgroups/cgfsng.c | 65 ++++++++++++----------------------------
- 1 file changed, 19 insertions(+), 46 deletions(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 892fd915b..7136d27a8 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -2042,7 +2042,11 @@ static int freezer_cgroup_events_cb(int fd, uint32_t events, void *cbdata,
-       return LXC_MAINLOOP_CONTINUE;
- }
--static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
-+static int cg_unified_freeze_do(struct cgroup_ops *ops, int timeout,
-+                              const char *state_string,
-+                              int state_num,
-+                              const char *epoll_error,
-+                              const char *wait_error)
- {
-       __do_close int fd = -EBADF;
-       call_cleaner(lxc_mainloop_close) struct lxc_epoll_descr *descr_ptr = NULL;
-@@ -2067,26 +2071,33 @@ static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
-               ret = lxc_mainloop_open(&descr);
-               if (ret)
--                      return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container freeze");
-+                      return log_error_errno(-1, errno, "%s", epoll_error);
-               /* automatically cleaned up now */
-               descr_ptr = &descr;
--              ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){1}));
-+              ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR(state_num));
-               if (ret < 0)
-                       return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop");
-       }
--      ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", "1", 1);
-+      ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", state_string, 1);
-       if (ret < 0)
-               return log_error_errno(-1, errno, "Failed to open cgroup.freeze file");
-       if (timeout != 0 && lxc_mainloop(&descr, timeout))
--              return log_error_errno(-1, errno, "Failed to wait for container to be frozen");
-+              return log_error_errno(-1, errno, "%s", wait_error);
-       return 0;
- }
-+static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
-+{
-+      return cg_unified_freeze_do(ops, timeout, "1", 1,
-+              "Failed to create epoll instance to wait for container freeze",
-+              "Failed to wait for container to be frozen");
-+}
-+
- __cgfsng_ops static int cgfsng_freeze(struct cgroup_ops *ops, int timeout)
- {
-       if (!ops->hierarchies)
-@@ -2112,47 +2123,9 @@ static int cg_legacy_unfreeze(struct cgroup_ops *ops)
- static int cg_unified_unfreeze(struct cgroup_ops *ops, int timeout)
- {
--      __do_close int fd = -EBADF;
--      call_cleaner(lxc_mainloop_close)struct lxc_epoll_descr *descr_ptr = NULL;
--      int ret;
--      struct lxc_epoll_descr descr;
--      struct hierarchy *h;
--
--      h = ops->unified;
--      if (!h)
--              return ret_set_errno(-1, ENOENT);
--
--      if (!h->container_full_path)
--              return ret_set_errno(-1, EEXIST);
--
--      if (timeout != 0) {
--              __do_free char *events_file = NULL;
--
--              events_file = must_make_path(h->container_full_path, "cgroup.events", NULL);
--              fd = open(events_file, O_RDONLY | O_CLOEXEC);
--              if (fd < 0)
--                      return log_error_errno(-1, errno, "Failed to open cgroup.events file");
--
--              ret = lxc_mainloop_open(&descr);
--              if (ret)
--                      return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container unfreeze");
--
--              /* automatically cleaned up now */
--              descr_ptr = &descr;
--
--              ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){0}));
--              if (ret < 0)
--                      return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop");
--      }
--
--      ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", "0", 1);
--      if (ret < 0)
--              return log_error_errno(-1, errno, "Failed to open cgroup.freeze file");
--
--      if (timeout != 0 && lxc_mainloop(&descr, timeout))
--              return log_error_errno(-1, errno, "Failed to wait for container to be unfrozen");
--
--      return 0;
-+      return cg_unified_freeze_do(ops, timeout, "0", 0,
-+              "Failed to create epoll instance to wait for container unfreeze",
-+              "Failed to wait for container to be unfrozen");
- }
- __cgfsng_ops static int cgfsng_unfreeze(struct cgroup_ops *ops, int timeout)
diff --git a/debian/patches/extra/0003-cgfsng-use-EPOLLPRI-when-polling-cgroup.events.patch b/debian/patches/extra/0003-cgfsng-use-EPOLLPRI-when-polling-cgroup.events.patch
deleted file mode 100644 (file)
index 7b31b6f..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 15 May 2020 15:07:35 +0200
-Subject: [PATCH] cgfsng: use EPOLLPRI when polling cgroup.events
-
-EPOLLIN will always be true and therefore end up
-busy-looping
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/cgroups/cgfsng.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 7136d27a8..f7af7c0a5 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -27,6 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <sys/epoll.h>
- #include <sys/types.h>
- #include <unistd.h>
-@@ -2076,7 +2077,7 @@ static int cg_unified_freeze_do(struct cgroup_ops *ops, int timeout,
-               /* automatically cleaned up now */
-               descr_ptr = &descr;
--              ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR(state_num));
-+              ret = lxc_mainloop_add_handler_events(&descr, fd, EPOLLPRI, freezer_cgroup_events_cb, INT_TO_PTR(state_num));
-               if (ret < 0)
-                       return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop");
-       }
diff --git a/debian/patches/pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch b/debian/patches/pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
deleted file mode 100644 (file)
index a5b9779..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH lxc] PVE: [Config] lxc.service: start after a potential
- syslog.service
-
-We could add this as a snippet from pve-container instead.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- config/init/systemd/lxc.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
-index e3745dc2d..fbe46f1d7 100644
---- a/config/init/systemd/lxc.service.in
-+++ b/config/init/systemd/lxc.service.in
-@@ -1,6 +1,6 @@
- [Unit]
- Description=LXC Container Initialization and Autoboot Code
--After=network.target lxc-net.service remote-fs.target
-+After=network.target lxc-net.service remote-fs.target syslog.target
- Wants=lxc-net.service
- Documentation=man:lxc-autostart man:lxc
diff --git a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
new file mode 100644 (file)
index 0000000..a2b423a
--- /dev/null
@@ -0,0 +1,204 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 31 Mar 2020 15:22:42 +0200
+Subject: [PATCH] allow running lxc-monitord as a system daemon
+
+lxc-monitord instances are spawned on demand and, if this
+happens from a service, the daemon is considered part of
+it by systemd, as it is running in the same cgroups. This
+can be avoided by leaving it running permanently.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ .gitignore                                  |  1 +
+ config/init/systemd/Makefile.am             | 10 ++--
+ config/init/systemd/lxc-monitord.service.in | 12 +++++
+ configure.ac                                |  1 +
+ lxc.spec.in                                 |  1 +
+ src/lxc/cmd/lxc_monitord.c                  | 60 +++++++++++++++------
+ 6 files changed, 64 insertions(+), 21 deletions(-)
+ create mode 100644 config/init/systemd/lxc-monitord.service.in
+
+diff --git a/.gitignore b/.gitignore
+index 3cff48d96..44345454f 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -120,6 +120,7 @@ config/bash/lxc
+ config/init/common/lxc-containers
+ config/init/common/lxc-net
+ config/init/systemd/lxc-autostart-helper
++config/init/systemd/lxc-monitord.service
+ config/init/systemd/lxc-net.service
+ config/init/systemd/lxc.service
+ config/init/systemd/lxc@.service
+diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
+index c448850d1..4a4fde5e7 100644
+--- a/config/init/systemd/Makefile.am
++++ b/config/init/systemd/Makefile.am
+@@ -2,19 +2,21 @@ EXTRA_DIST = \
+       lxc-apparmor-load \
+       lxc.service.in \
+       lxc@.service.in \
+-      lxc-net.service.in
++      lxc-net.service.in \
++      lxc-monitord.service.in
+ if INIT_SCRIPT_SYSTEMD
+-BUILT_SOURCES = lxc.service lxc@.service lxc-net.service
++BUILT_SOURCES = lxc.service lxc@.service lxc-net.service lxc-monitord.service
+-install-systemd: lxc.service lxc@.service lxc-net.service lxc-apparmor-load
++install-systemd: lxc.service lxc@.service lxc-net.service lxc-monitord.service lxc-apparmor-load
+       $(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
+-      $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
++      $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service lxc-monitord.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
+ uninstall-systemd:
+       rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc.service
+       rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc@.service
+       rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
++      rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-monitord.service
+       rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
+ pkglibexec_SCRIPTS = lxc-apparmor-load
+diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
+new file mode 100644
+index 000000000..406351688
+--- /dev/null
++++ b/config/init/systemd/lxc-monitord.service.in
+@@ -0,0 +1,12 @@
++[Unit]
++Description=LXC Container Monitoring Daemon
++After=syslog.service network.target
++
++[Service]
++Type=simple
++ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon
++StandardOutput=syslog
++StandardError=syslog
++
++[Install]
++WantedBy=multi-user.target
+diff --git a/configure.ac b/configure.ac
+index 059d57d38..c88a2f737 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -837,6 +837,7 @@ AC_CONFIG_FILES([
+       config/init/systemd/lxc.service
+       config/init/systemd/lxc@.service
+       config/init/systemd/lxc-net.service
++      config/init/systemd/lxc-monitord.service
+       config/init/sysvinit/Makefile
+       config/init/sysvinit/lxc-containers
+       config/init/sysvinit/lxc-net
+diff --git a/lxc.spec.in b/lxc.spec.in
+index ec6321c33..ea6789fb6 100644
+--- a/lxc.spec.in
++++ b/lxc.spec.in
+@@ -251,6 +251,7 @@ fi
+ %{_unitdir}/lxc-net.service
+ %{_unitdir}/lxc.service
+ %{_unitdir}/lxc@.service
++%{_unitdir}/lxc-monitord.service
+ %else
+ %{_sysconfdir}/rc.d/init.d/lxc
+ %{_sysconfdir}/rc.d/init.d/lxc-net
+diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c
+index bcb289ca6..da7db2820 100644
+--- a/src/lxc/cmd/lxc_monitord.c
++++ b/src/lxc/cmd/lxc_monitord.c
+@@ -338,17 +338,44 @@ static void lxc_monitord_sig_handler(int sig)
+ int main(int argc, char *argv[])
+ {
+-      int ret, pipefd;
++      int ret, pipefd = -1;
+       char logpath[PATH_MAX];
+       sigset_t mask;
+-      char *lxcpath = argv[1];
++      const char *lxcpath = NULL;
+       bool mainloop_opened = false;
+       bool monitord_created = false;
++      bool persistent = false;
+       struct lxc_log log;
+-      if (argc != 3) {
++      if (argc > 1 && !strcmp(argv[1], "--daemon")) {
++              persistent = true;
++              --argc;
++              ++argv;
++      }
++
++      if (argc > 1) {
++              lxcpath = argv[1];
++              --argc;
++              ++argv;
++      } else {
++              lxcpath = lxc_global_config_value("lxc.lxcpath");
++              if (!lxcpath) {
++                      ERROR("Failed to get default lxcpath");
++                      exit(EXIT_FAILURE);
++              }
++      }
++
++      if (argc > 1) {
++              if (lxc_safe_int(argv[1], &pipefd) < 0)
++                      exit(EXIT_FAILURE);
++              --argc;
++              ++argv;
++      }
++
++      if (argc != 1 || (persistent != (pipefd == -1))) {
+               fprintf(stderr,
+-                      "Usage: lxc-monitord lxcpath sync-pipe-fd\n\n"
++                      "Usage: lxc-monitord lxcpath sync-pipe-fd\n"
++                      "       lxc-monitord --daemon lxcpath\n\n"
+                       "NOTE: lxc-monitord is intended for use by lxc internally\n"
+                       "      and does not need to be run by hand\n\n");
+               exit(EXIT_FAILURE);
+@@ -371,9 +398,6 @@ int main(int argc, char *argv[])
+               INFO("Failed to open log file %s, log will be lost", lxcpath);
+       lxc_log_options_no_override();
+-      if (lxc_safe_int(argv[2], &pipefd) < 0)
+-              exit(EXIT_FAILURE);
+-
+       if (sigfillset(&mask) ||
+           sigdelset(&mask, SIGILL)  ||
+           sigdelset(&mask, SIGSEGV) ||
+@@ -406,15 +430,17 @@ int main(int argc, char *argv[])
+               goto on_error;
+       monitord_created = true;
+-      /* sync with parent, we're ignoring the return from write
+-       * because regardless if it works or not, the following
+-       * close will sync us with the parent process. the
+-       * if-empty-statement construct is to quiet the
+-       * warn-unused-result warning.
+-       */
+-      if (lxc_write_nointr(pipefd, "S", 1))
+-              ;
+-      close(pipefd);
++      if (pipefd != -1) {
++              /* sync with parent, we're ignoring the return from write
++               * because regardless if it works or not, the following
++               * close will sync us with the parent process. the
++               * if-empty-statement construct is to quiet the
++               * warn-unused-result warning.
++               */
++              if (lxc_write_nointr(pipefd, "S", 1))
++                      ;
++              close(pipefd);
++      }
+       if (lxc_monitord_mainloop_add(&monitor)) {
+               ERROR("Failed to add mainloop handlers");
+@@ -425,7 +451,7 @@ int main(int argc, char *argv[])
+              lxc_raw_getpid(), monitor.lxcpath);
+       for (;;) {
+-              ret = lxc_mainloop(&monitor.descr, 1000 * 30);
++              ret = lxc_mainloop(&monitor.descr, persistent ? -1 : 1000 * 30);
+               if (ret) {
+                       ERROR("mainloop returned an error");
+                       break;
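Review bot: The `ERROR("Failed to get default lxcpath")` added in the first hunk of src/lxc/cmd/lxc_monitord.c runs before the log is set up — the `lxc_log_options_no_override()` call only appears in the second hunk, further down main — so on a missing default lxcpath the daemon most likely exits with no diagnostic anywhere, which matters now that this is the path the systemd `--daemon` invocation takes. The usage error right below already prints to stderr, and the same treatment fits here: `fprintf(stderr, "Failed to get default lxcpath\n");` before the `exit(EXIT_FAILURE)`. If lxc's logging does emit to stderr before initialization this is moot, but I could not confirm that from the hunk. main's body continues past the last hunk.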
diff --git a/debian/patches/pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
deleted file mode 100644 (file)
index cdcfaad..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
-Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc
-
-Note that we don't actually make use of this anymore, since
-we switched to the generated profiles which already do this.
-
-this would allow root in a privileged container to change
-the permissions of /sys on the host, which could lock out
-non-root users.
-
-if a rw /sys is desired, set "lxc.mount.auto" accordingly
----
- config/apparmor/abstractions/container-base    | 6 +++++-
- config/apparmor/abstractions/container-base.in | 6 +++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
-index 077476559..fbd70fdf5 100644
---- a/config/apparmor/abstractions/container-base
-+++ b/config/apparmor/abstractions/container-base
-@@ -82,7 +82,6 @@
-   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
-   mount fstype=proc -> /proc/,
-   mount fstype=sysfs -> /sys/,
--  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-   deny /sys/firmware/efi/efivars/** rwklx,
-   deny /sys/kernel/security/** rwklx,
-   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -91,6 +90,11 @@
-   # deny reads from debugfs
-   deny /sys/kernel/debug/{,**} rwklx,
-+  # prevent rw mounting of /sys, because that allows changing its global permissions
-+  deny mount -> /proc/,
-+  deny mount -> /sys/,
-+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-+
-   # allow paths to be made slave, shared, private or unbindable
-   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
- #  mount options=(rw,make-slave) -> **,
-diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
-index 2606fb64c..3e61c62ea 100644
---- a/config/apparmor/abstractions/container-base.in
-+++ b/config/apparmor/abstractions/container-base.in
-@@ -83,7 +83,6 @@
-   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
-   mount fstype=proc -> /proc/,
-   mount fstype=sysfs -> /sys/,
--  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-   deny /sys/firmware/efi/efivars/** rwklx,
-   deny /sys/kernel/security/** rwklx,
-   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
-@@ -91,6 +90,11 @@
-   # deny reads from debugfs
-   deny /sys/kernel/debug/{,**} rwklx,
-+  # prevent rw mounting of /sys, because that allows changing its global permissions
-+  deny mount -> /proc/,
-+  deny mount -> /sys/,
-+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-+
-   # allow paths to be made slave, shared, private or unbindable
-   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
- #  mount options=(rw,make-slave) -> **,
diff --git a/debian/patches/pve/0002-systemd-Add-Documentation-key.patch b/debian/patches/pve/0002-systemd-Add-Documentation-key.patch
new file mode 100644 (file)
index 0000000..06a9b93
--- /dev/null
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>
+Date: Wed, 1 Apr 2020 16:57:15 -0400
+Subject: [PATCH] systemd: Add Documentation key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
+---
+ config/init/systemd/lxc-monitord.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
+index 406351688..f528a6099 100644
+--- a/config/init/systemd/lxc-monitord.service.in
++++ b/config/init/systemd/lxc-monitord.service.in
+@@ -1,6 +1,7 @@
+ [Unit]
+ Description=LXC Container Monitoring Daemon
+ After=syslog.service network.target
++Documentation=man:lxc
+ [Service]
+ Type=simple
diff --git a/debian/patches/pve/0003-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0003-PVE-Config-attach-always-use-getent.patch
deleted file mode 100644 (file)
index ce8960e..0000000
+++ /dev/null
@@ -1,75 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 13 Aug 2019 13:57:22 +0200
-Subject: [PATCH lxc] PVE: [Config] attach: always use getent
-
-In debian buster, some libnss plugins (if installed) can
-cause getpwent to segfault instead of erroring out cleanly.
-To avoid this, stick to always using getent.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/attach.c | 28 ++--------------------------
- 1 file changed, 2 insertions(+), 26 deletions(-)
-
-diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index bbf95bd5b..de3a98cf9 100644
---- a/src/lxc/attach.c
-+++ b/src/lxc/attach.c
-@@ -1456,12 +1456,8 @@ int lxc_attach_run_command(void *payload)
- int lxc_attach_run_shell(void* payload)
- {
--      __do_free char *buf = NULL;
-       uid_t uid;
--      struct passwd pwent;
--      struct passwd *pwentp = NULL;
-       char *user_shell;
--      size_t bufsize;
-       int ret;
-       /* Ignore payload parameter. */
-@@ -1469,32 +1465,13 @@ int lxc_attach_run_shell(void* payload)
-       uid = getuid();
--      bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
--      if (bufsize == -1)
--              bufsize = 1024;
--
--      buf = malloc(bufsize);
--      if (buf) {
--              ret = getpwuid_r(uid, &pwent, buf, bufsize, &pwentp);
--              if (!pwentp) {
--                      if (ret == 0)
--                              WARN("Could not find matched password record");
--
--                      WARN("Failed to get password record - %u", uid);
--              }
--      }
--
-       /* This probably happens because of incompatible nss implementations in
-        * host and container (remember, this code is still using the host's
-        * glibc but our mount namespace is in the container) we may try to get
-        * the information by spawning a [getent passwd uid] process and parsing
-        * the result.
-        */
--      if (!pwentp)
--              user_shell = lxc_attach_getpwshell(uid);
--      else
--              user_shell = pwent.pw_shell;
--
-+      user_shell = lxc_attach_getpwshell(uid);
-       if (user_shell)
-               execlp(user_shell, user_shell, (char *)NULL);
-@@ -1504,8 +1481,7 @@ int lxc_attach_run_shell(void* payload)
-       execlp("/bin/sh", "/bin/sh", (char *)NULL);
-       SYSERROR("Failed to execute shell");
--      if (!pwentp)
--              free(user_shell);
-+      free(user_shell);
-       return -1;
- }
diff --git a/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch b/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
new file mode 100644 (file)
index 0000000..fcd5220
--- /dev/null
@@ -0,0 +1,288 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Thu, 2 Apr 2020 10:01:37 +0200
+Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner}
+
+This is a new approach to #1302 with a container-side
+configuration instead of a global boolean flag.
+
+Contrary to the previous PR using an optional additional
+parameter for the get-cgroup command, this introduces two
+new additional commands to get the limiting cgroup path and
+cgroup2 file descriptor. If the limiting option is not in
+use, these behave identical to their full-path counterparts.
+
+If these variables are used the payload will end up in the
+concatenation of lxc.cgroup.dir.container and
+lxc.cgroup.dir.container.inner (which may be empty), and the
+monitor will end up in lxc.cgruop.dir.monitor. The
+directories are fixed, no retry count logic is applied,
+failing to create these directories will simply be a hard
+error.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ doc/lxc.container.conf.sgml.in |  47 +++++++++++++
+ src/lxc/commands.c             |   5 +-
+ src/lxc/conf.c                 |   3 +
+ src/lxc/confile.c              | 124 +++++++++++++++++++++++++++++++++
+ 4 files changed, 177 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
+index 3ed71c214..a9c87fe2a 100644
+--- a/doc/lxc.container.conf.sgml.in
++++ b/doc/lxc.container.conf.sgml.in
+@@ -1571,6 +1571,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+             </para>
+           </listitem>
+         </varlistentry>
++        <varlistentry>
++          <term>
++            <option>lxc.cgroup.dir.container</option>
++          </term>
++          <listitem>
++            <para>
++              This is similar to <option>lxc.cgroup.dir</option>, but must be
++              used together with <option>lxc.cgroup.dir.monitor</option> and
++              affects only the container's cgroup path. This option is mutually
++              exclusive with <option>lxc.cgroup.dir</option>.
++              Note that the final path the container attaches to may be
++              extended further by the
++              <option>lxc.cgroup.dir.container.namespace</option> option.
++            </para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <term>
++            <option>lxc.cgroup.dir.monitor</option>
++          </term>
++          <listitem>
++            <para>
++              This is the monitor process counterpart to
++              <option>lxc.cgroup.dir.container</option>.
++            </para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <term>
++            <option>lxc.cgroup.dir.container.namespace</option>
++          </term>
++          <listitem>
++            <para>
++              Specify an additional subdirectory where the cgroup namespace
++              will be created. With this option, the cgroup limits will be
++              applied to the outer path specified in
++              <option>lxc.cgroup.dir.container</option>, which is not accessible
++              from within the container, making it possible to better enforce
++              limits for privileged containers in a way they cannot override
++              them.
++              This only works in conjunction with the
++              <option>lxc.cgroup.dir.container</option> and
++              <option>lxc.cgroup.dir.monitor</option> options and has otherwise
++              no effect.
++            </para>
++          </listitem>
++        </varlistentry>
+         <varlistentry>
+           <term>
+             <option>lxc.cgroup.relative</option>
+diff --git a/src/lxc/commands.c b/src/lxc/commands.c
+index b6ae101fc..44714f9ba 100644
+--- a/src/lxc/commands.c
++++ b/src/lxc/commands.c
+@@ -622,7 +622,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req,
+                                               struct lxc_handler *handler,
+                                               struct lxc_epoll_descr *descr)
+ {
+-      return ret_errno(ENOSYS);
++      return lxc_cmd_get_cgroup_callback_do(fd, req, handler, descr, true);
+ }
+ /*
+@@ -1472,7 +1472,8 @@ static int lxc_cmd_get_limiting_cgroup2_fd_callback(int fd,
+                                                   struct lxc_handler *handler,
+                                                   struct lxc_epoll_descr *descr)
+ {
+-      return ret_errno(ENOSYS);
++      return lxc_cmd_get_cgroup2_fd_callback_do(fd, req, handler, descr,
++                                                true);
+ }
+ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 00789961c..4aafca3cb 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -3750,6 +3750,9 @@ void lxc_conf_free(struct lxc_conf *conf)
+       lxc_clear_apparmor_raw(conf);
+       lxc_clear_namespace(conf);
+       free(conf->cgroup_meta.dir);
++      free(conf->cgroup_meta.monitor_dir);
++      free(conf->cgroup_meta.container_dir);
++      free(conf->cgroup_meta.namespace_dir);
+       free(conf->cgroup_meta.controllers);
+       free(conf->shmount.path_host);
+       free(conf->shmount.path_cont);
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index 4c27e7d4b..899dcd454 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -71,6 +71,9 @@ lxc_config_define(cap_keep);
+ lxc_config_define(cgroup_controller);
+ lxc_config_define(cgroup2_controller);
+ lxc_config_define(cgroup_dir);
++lxc_config_define(cgroup_monitor_dir);
++lxc_config_define(cgroup_container_dir);
++lxc_config_define(cgroup_container_inner_dir);
+ lxc_config_define(cgroup_relative);
+ lxc_config_define(console_buffer_size);
+ lxc_config_define(console_logfile);
+@@ -170,6 +173,9 @@ static struct lxc_config_t config_jump_table[] = {
+       { "lxc.cap.drop",                  set_config_cap_drop,                    get_config_cap_drop,                    clr_config_cap_drop,                  },
+       { "lxc.cap.keep",                  set_config_cap_keep,                    get_config_cap_keep,                    clr_config_cap_keep,                  },
+       { "lxc.cgroup2",                   set_config_cgroup2_controller,          get_config_cgroup2_controller,          clr_config_cgroup2_controller,        },
++      { "lxc.cgroup.dir.monitor",        set_config_cgroup_monitor_dir,          get_config_cgroup_monitor_dir,          clr_config_cgroup_monitor_dir,        },
++      { "lxc.cgroup.dir.container",      set_config_cgroup_container_dir,        get_config_cgroup_container_dir,        clr_config_cgroup_container_dir,      },
++      { "lxc.cgroup.dir.container.inner",set_config_cgroup_container_inner_dir,  get_config_cgroup_container_inner_dir,  clr_config_cgroup_container_inner_dir,},
+       { "lxc.cgroup.dir",                set_config_cgroup_dir,                  get_config_cgroup_dir,                  clr_config_cgroup_dir,                },
+       { "lxc.cgroup.relative",           set_config_cgroup_relative,             get_config_cgroup_relative,             clr_config_cgroup_relative,           },
+       { "lxc.cgroup",                    set_config_cgroup_controller,           get_config_cgroup_controller,           clr_config_cgroup_controller,         },
+@@ -1725,6 +1731,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
+       return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
+ }
++static int set_config_cgroup_monitor_dir(const char *key, const char *value,
++                                       struct lxc_conf *lxc_conf, void *data)
++{
++      if (lxc_config_value_empty(value))
++              return clr_config_cgroup_monitor_dir(key, lxc_conf, NULL);
++
++      return set_config_string_item(&lxc_conf->cgroup_meta.monitor_dir,
++                                    value);
++}
++
++static int set_config_cgroup_container_dir(const char *key, const char *value,
++                                         struct lxc_conf *lxc_conf,
++                                         void *data)
++{
++      if (lxc_config_value_empty(value))
++              return clr_config_cgroup_container_dir(key, lxc_conf, NULL);
++
++      return set_config_string_item(&lxc_conf->cgroup_meta.container_dir,
++                                    value);
++}
++
++static int set_config_cgroup_container_inner_dir(const char *key,
++                                               const char *value,
++                                               struct lxc_conf *lxc_conf,
++                                               void *data)
++{
++      if (lxc_config_value_empty(value))
++              return clr_config_cgroup_container_inner_dir(key, lxc_conf,
++                                                           NULL);
++
++      if (strchr(value, '/') ||
++          strcmp(value, ".") == 0 ||
++          strcmp(value, "..") == 0)
++      {
++              ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
++              return -1;
++      }
++
++      return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
++                                    value);
++}
++
+ static int set_config_cgroup_relative(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+ {
+@@ -3648,6 +3696,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
+       return fulllen;
+ }
++static int get_config_cgroup_monitor_dir(const char *key, char *retv, int inlen,
++                                       struct lxc_conf *lxc_conf, void *data)
++{
++      int len;
++      int fulllen = 0;
++
++      if (!retv)
++              inlen = 0;
++      else
++              memset(retv, 0, inlen);
++
++      strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.monitor_dir);
++
++      return fulllen;
++}
++
++static int get_config_cgroup_container_dir(const char *key, char *retv,
++                                         int inlen,
++                                         struct lxc_conf *lxc_conf,
++                                         void *data)
++{
++      int len;
++      int fulllen = 0;
++
++      if (!retv)
++              inlen = 0;
++      else
++              memset(retv, 0, inlen);
++
++      strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.container_dir);
++
++      return fulllen;
++}
++
++static int get_config_cgroup_container_inner_dir(const char *key, char *retv,
++                                               int inlen,
++                                               struct lxc_conf *lxc_conf,
++                                               void *data)
++{
++      int len;
++      int fulllen = 0;
++
++      if (!retv)
++              inlen = 0;
++      else
++              memset(retv, 0, inlen);
++
++      strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.namespace_dir);
++
++      return fulllen;
++}
++
+ static inline int get_config_cgroup_relative(const char *key, char *retv,
+                                            int inlen, struct lxc_conf *lxc_conf,
+                                            void *data)
+@@ -4462,6 +4562,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
+       return 0;
+ }
++static int clr_config_cgroup_monitor_dir(const char *key,
++                                       struct lxc_conf *lxc_conf,
++                                       void *data)
++{
++      free_disarm(lxc_conf->cgroup_meta.monitor_dir);
++      return 0;
++}
++
++static int clr_config_cgroup_container_dir(const char *key,
++                                         struct lxc_conf *lxc_conf,
++                                         void *data)
++{
++      free_disarm(lxc_conf->cgroup_meta.container_dir);
++      return 0;
++}
++
++static int clr_config_cgroup_container_inner_dir(const char *key,
++                                               struct lxc_conf *lxc_conf,
++                                               void *data)
++{
++      free_disarm(lxc_conf->cgroup_meta.namespace_dir);
++      return 0;
++}
++
+ static inline int clr_config_cgroup_relative(const char *key,
+                                            struct lxc_conf *lxc_conf,
+                                            void *data)
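Review bot: The new setters `set_config_cgroup_monitor_dir` and `set_config_cgroup_container_dir` store the value unchecked, while only `set_config_cgroup_container_inner_dir` rejects '/', '.' and '..', and nothing in this hunk enforces the constraints the added documentation states — that `lxc.cgroup.dir.container` is mutually exclusive with `lxc.cgroup.dir` and must be paired with `lxc.cgroup.dir.monitor`. If that is enforced at container start (presumably in cgfsng.c, which this patch does not touch), a short comment on the setters pointing there would save the next reader the search; if it is not, a half-configured set of keys could end up on a path other than the one the limits are applied to, which is exactly what this feature exists to prevent. Separately, the three new getters pass the field straight to `strprint(retv, inlen, "%s", ...)`; when the key was never set the pointer is NULL and `%s` with a NULL argument is undefined behaviour, so either guard it (`lxc_conf->cgroup_meta.monitor_dir ? lxc_conf->cgroup_meta.monitor_dir : ""`) or confirm that `get_config_cgroup_dir`, whose body lies outside the hunk, relies on the same pattern deliberately.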
diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
deleted file mode 100644 (file)
index fefc586..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stoiko Ivanov <s.ivanov@proxmox.com>
-Date: Wed, 22 Jul 2020 12:17:24 +0200
-Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
-
-The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
-necessary mount calls for /proc/sys/kernel/random/boot_id
-(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
-
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- config/apparmor/abstractions/start-container.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
-index 9998f1121..9f64c2727 100644
---- a/config/apparmor/abstractions/start-container.in
-+++ b/config/apparmor/abstractions/start-container.in
-@@ -22,6 +22,7 @@
-   mount -> /var/lib/lxc/{**,},
-   mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
-+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
-   # required for some pre-mount hooks
-   mount fstype=overlayfs,
diff --git a/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch b/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
new file mode 100644 (file)
index 0000000..e677343
--- /dev/null
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Fri, 3 Apr 2020 20:08:41 +0200
+Subject: [PATCH] doc:
+ s/lxc.cgroup.container.namespace/lxc.cgroup.container.inner/g
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ doc/lxc.container.conf.sgml.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
+index a9c87fe2a..338903d66 100644
+--- a/doc/lxc.container.conf.sgml.in
++++ b/doc/lxc.container.conf.sgml.in
+@@ -1583,7 +1583,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+               exclusive with <option>lxc.cgroup.dir</option>.
+               Note that the final path the container attaches to may be
+               extended further by the
+-              <option>lxc.cgroup.dir.container.namespace</option> option.
++              <option>lxc.cgroup.dir.container.inner</option> option.
+             </para>
+           </listitem>
+         </varlistentry>
+@@ -1600,7 +1600,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+         </varlistentry>
+         <varlistentry>
+           <term>
+-            <option>lxc.cgroup.dir.container.namespace</option>
++            <option>lxc.cgroup.dir.container.inner</option>
+           </term>
+           <listitem>
+             <para>
diff --git a/debian/patches/pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch b/debian/patches/pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch
new file mode 100644 (file)
index 0000000..a9e6401
--- /dev/null
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Fri, 3 Apr 2020 20:10:58 +0200
+Subject: [PATCH] confile: coding style fixes for
+ set_config_cgroup_container_inner_dir()
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/confile.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index 899dcd454..1abb23ef5 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -1758,19 +1758,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
+                                                void *data)
+ {
+       if (lxc_config_value_empty(value))
+-              return clr_config_cgroup_container_inner_dir(key, lxc_conf,
+-                                                           NULL);
++              return clr_config_cgroup_container_inner_dir(key, lxc_conf, NULL);
+       if (strchr(value, '/') ||
+           strcmp(value, ".") == 0 ||
+           strcmp(value, "..") == 0)
+-      {
+-              ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
+-              return -1;
+-      }
++              return log_error_errno(-EINVAL, EINVAL, "lxc.cgroup.dir.container.inner must be a single directory name");
+-      return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
+-                                    value);
++      return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir, value);
+ }
+ static int set_config_cgroup_relative(const char *key, const char *value,
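Review bot: The error return of `set_config_cgroup_container_inner_dir` changes from `-1` to `-EINVAL` through `log_error_errno(-EINVAL, EINVAL, ...)`, which is more than the coding-style fix the subject line describes. That is fine as long as every caller of the config setters only tests for a negative result, but the commit message should say so; if any path compares against -1 the rejection of a bad `lxc.cgroup.dir.container.inner` value would be lost. The enclosing function's signature begins outside the hunk.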
diff --git a/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch b/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
new file mode 100644 (file)
index 0000000..90d336c
--- /dev/null
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Sat, 4 Apr 2020 12:07:43 +0200
+Subject: [PATCH] api-extensions: add and document cgroup_advanced_isolation
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ doc/api-extensions.md    | 4 ++++
+ src/lxc/api_extensions.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/doc/api-extensions.md b/doc/api-extensions.md
+index 5767583af..e8b5eb089 100644
+--- a/doc/api-extensions.md
++++ b/doc/api-extensions.md
+@@ -118,3 +118,7 @@ This adds a new API function `init_pidfd()` which allows to retrieve a pidfd for
+ ## pidfd
+ When running on kernels that support pidfds LXC will rely on them for most operations. This makes interacting with containers not just more reliable it also makes it significantly safer and eliminates various races inherent to PID-based kernel APIs. LXC will require that the running kernel at least support `pidfd_send_signal()`, `CLONE_PIDFD`, `P_PIDFD`, and pidfd polling support. Any kernel starting with `Linux 5.4` should have full support for pidfds.
++
++## cgroup\_advanced\_isolation
++
++Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
+index 3afdc35b9..b69467f26 100644
+--- a/src/lxc/api_extensions.h
++++ b/src/lxc/api_extensions.h
+@@ -39,6 +39,7 @@ static char *api_extensions[] = {
+ #endif
+       "cgroup2",
+       "pidfd",
++      "cgroup_advanced_isolation",
+ };
+ static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);
diff --git a/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch b/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
new file mode 100644 (file)
index 0000000..263adbd
--- /dev/null
@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: KATOH Yasufumi <karma@jazz.email.ne.jp>
+Date: Sun, 5 Apr 2020 21:18:59 +0900
+Subject: [PATCH] doc: Add lxc.cgroup.dir.{monitor,container,container.inner}
+ to Japanese man
+
+Update for commit a900cba
+
+Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
+---
+ doc/ja/lxc.container.conf.sgml.in | 57 +++++++++++++++++++++++++++++++
+ 1 file changed, 57 insertions(+)
+
+diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
+index 38b623243..7a65e3fe4 100644
+--- a/doc/ja/lxc.container.conf.sgml.in
++++ b/doc/ja/lxc.container.conf.sgml.in
+@@ -2099,6 +2099,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
+             </para>
+           </listitem>
+         </varlistentry>
++        <varlistentry>
++          <term>
++            <option>lxc.cgroup.dir.container</option>
++          </term>
++          <listitem>
++            <para>
++            <!--
++              This is similar to <option>lxc.cgroup.dir</option>, but must be
++              used together with <option>lxc.cgroup.dir.monitor</option> and
++              affects only the container's cgroup path. This option is mutually
++              exclusive with <option>lxc.cgroup.dir</option>.
++              Note that the final path the container attaches to may be
++              extended further by the
++              <option>lxc.cgroup.dir.container.inner</option> option.
++            -->
++            これは <option>lxc.cgroup.dir</option> と同様の設定ですが、かならず <option>lxc.cgroup.dir.monitor</option> と同時に使わなければなりません。そして、設定はコンテナの cgroup パスにのみ影響を与えます。このオプションは <option>lxc.cgroup.dir</option> と同時に設定できません。コンテナがアタッチされる最終的なパスは <option>lxc.cgroup.dir.container.inner</option> オプションによりさらに変更される可能性があります。
++            </para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <term>
++            <option>lxc.cgroup.dir.monitor</option>
++          </term>
++          <listitem>
++            <para>
++            <!--
++              This is the monitor process counterpart to
++              <option>lxc.cgroup.dir.container</option>.
++            -->
++            このオプションは、モニタプロセスに対して<option>lxc.cgroup.dir.container</option> と同様の働きをします。
++            </para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <term>
++            <option>lxc.cgroup.dir.container.inner</option>
++          </term>
++          <listitem>
++            <para>
++            <!--
++              Specify an additional subdirectory where the cgroup namespace
++              will be created. With this option, the cgroup limits will be
++              applied to the outer path specified in
++              <option>lxc.cgroup.dir.container</option>, which is not accessible
++              from within the container, making it possible to better enforce
++              limits for privileged containers in a way they cannot override
++              them.
++              This only works in conjunction with the
++              <option>lxc.cgroup.dir.container</option> and
++              <option>lxc.cgroup.dir.monitor</option> options and has otherwise
++              no effect.
++            -->
++            cgroup 名前空間が作られる追加のサブディレクトリを指定します。このオプションを使うと、cgroup の制限は <option>lxc.cgroup.dir.container</option> で指定した外部パスに適用されます。<option>lxc.cgroup.dir.container</option> はコンテナ内部からアクセスできないため、特権コンテナに対する制限を上書きできない方法でよりよい方法で強制できます。
++            このオプションは <option>lxc.cgroup.dir.container</option> と <option>lxc.cgroup.dir.monitor</option> と同時に指定したときのみ機能し、それ以外の場合は効果がありません。
++            </para>
++          </listitem>
++        </varlistentry>
+         <varlistentry>
+           <term>
+             <option>lxc.cgroup.relative</option>
diff --git a/debian/patches/pve/0008-confile-fix-jump-table-order.patch b/debian/patches/pve/0008-confile-fix-jump-table-order.patch
new file mode 100644 (file)
index 0000000..8847eae
--- /dev/null
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Sun, 5 Apr 2020 15:55:28 +0200
+Subject: [PATCH] confile: fix jump table order
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/confile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index 1abb23ef5..13ebdd059 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -174,8 +174,8 @@ static struct lxc_config_t config_jump_table[] = {
+       { "lxc.cap.keep",                  set_config_cap_keep,                    get_config_cap_keep,                    clr_config_cap_keep,                  },
+       { "lxc.cgroup2",                   set_config_cgroup2_controller,          get_config_cgroup2_controller,          clr_config_cgroup2_controller,        },
+       { "lxc.cgroup.dir.monitor",        set_config_cgroup_monitor_dir,          get_config_cgroup_monitor_dir,          clr_config_cgroup_monitor_dir,        },
+-      { "lxc.cgroup.dir.container",      set_config_cgroup_container_dir,        get_config_cgroup_container_dir,        clr_config_cgroup_container_dir,      },
+       { "lxc.cgroup.dir.container.inner",set_config_cgroup_container_inner_dir,  get_config_cgroup_container_inner_dir,  clr_config_cgroup_container_inner_dir,},
++      { "lxc.cgroup.dir.container",      set_config_cgroup_container_dir,        get_config_cgroup_container_dir,        clr_config_cgroup_container_dir,      },
+       { "lxc.cgroup.dir",                set_config_cgroup_dir,                  get_config_cgroup_dir,                  clr_config_cgroup_dir,                },
+       { "lxc.cgroup.relative",           set_config_cgroup_relative,             get_config_cgroup_relative,             clr_config_cgroup_relative,           },
+       { "lxc.cgroup",                    set_config_cgroup_controller,           get_config_cgroup_controller,           clr_config_cgroup_controller,         },
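Review bot: The reordering is only needed if the entry for `lxc.cgroup.dir.container.inner` must be tried before its prefix `lxc.cgroup.dir.container`, which suggests the table is matched by prefix; nothing in the table says so, and the same hazard already exists for `lxc.cgroup.dir` versus `lxc.cgroup`. A one-line comment above the cgroup entries, such as `/* keep longer keys before any key that is a prefix of them: lookup matches by prefix */`, would stop the next addition from reintroducing this bug. If the lookup in fact compares full keys, the comment should state that instead and the order is then purely cosmetic.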
diff --git a/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch b/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch
new file mode 100644 (file)
index 0000000..e41735b
--- /dev/null
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Sun, 5 Apr 2020 16:12:45 +0200
+Subject: [PATCH] get the right path in get_cgroup command
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/commands.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lxc/commands.c b/src/lxc/commands.c
+index 44714f9ba..d735b5ff6 100644
+--- a/src/lxc/commands.c
++++ b/src/lxc/commands.c
+@@ -592,8 +592,8 @@ static int lxc_cmd_get_cgroup_callback_do(int fd, struct lxc_cmd_req *req,
+               reqdata = NULL;
+       }
+-      get_fn = (limiting_cgroup ? cgroup_ops->get_cgroup
+-                                : cgroup_ops->get_limiting_cgroup);
++      get_fn = (limiting_cgroup ? cgroup_ops->get_limiting_cgroup
++                                : cgroup_ops->get_cgroup);
+       path = get_fn(cgroup_ops, reqdata);
diff --git a/debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch b/debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch
new file mode 100644 (file)
index 0000000..5bf3fe2
--- /dev/null
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Mon, 13 Apr 2020 14:39:18 +0200
+Subject: [PATCH] cgroups: adhere to boolean return
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cgroups/cgfsng.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 603940683..6c64c996c 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -1196,11 +1196,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
+                * line, which is not possible once a subdirectory has been
+                * created.
+                */
+-              if (string_in_list(h->controllers, "devices")) {
+-                      ret = ops->setup_limits_legacy(ops, conf, true);
+-                      if (ret < 0)
+-                              return ret;
+-              }
++              if (string_in_list(h->controllers, "devices") &&
++                  !ops->setup_limits_legacy(ops, conf, true))
++                      return log_error(false, "Failed to setup legacy device limits");
+       }
+       ret = mkdir_eexist_on_last(path, 0755);
diff --git a/debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch b/debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
new file mode 100644 (file)
index 0000000..2400f2a
--- /dev/null
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 10 Feb 2017 09:13:40 +0100
+Subject: [PATCH] PVE: [Config] lxc.service: start after a potential
+ syslog.service
+
+We could add this as a snippet from pve-container instead.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ config/init/systemd/lxc.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
+index e3745dc2d..fbe46f1d7 100644
+--- a/config/init/systemd/lxc.service.in
++++ b/config/init/systemd/lxc.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=LXC Container Initialization and Autoboot Code
+-After=network.target lxc-net.service remote-fs.target
++After=network.target lxc-net.service remote-fs.target syslog.target
+ Wants=lxc-net.service
+ Documentation=man:lxc-autostart man:lxc
diff --git a/debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
new file mode 100644 (file)
index 0000000..ea82472
--- /dev/null
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Wed, 9 Nov 2016 09:14:26 +0100
+Subject: [PATCH] PVE: [Config] deny rw mounting of /sys and /proc
+
+Note that we don't actually make use of this anymore, since
+we switched to the generated profiles which already do this.
+
+this would allow root in a privileged container to change
+the permissions of /sys on the host, which could lock out
+non-root users.
+
+if a rw /sys is desired, set "lxc.mount.auto" accordingly
+---
+ config/apparmor/abstractions/container-base    | 6 +++++-
+ config/apparmor/abstractions/container-base.in | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
+index 077476559..fbd70fdf5 100644
+--- a/config/apparmor/abstractions/container-base
++++ b/config/apparmor/abstractions/container-base
+@@ -82,7 +82,6 @@
+   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+   mount fstype=proc -> /proc/,
+   mount fstype=sysfs -> /sys/,
+-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+@@ -91,6 +90,11 @@
+   # deny reads from debugfs
+   deny /sys/kernel/debug/{,**} rwklx,
++  # prevent rw mounting of /sys, because that allows changing its global permissions
++  deny mount -> /proc/,
++  deny mount -> /sys/,
++#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
++
+   # allow paths to be made slave, shared, private or unbindable
+   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+ #  mount options=(rw,make-slave) -> **,
+diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
+index 2606fb64c..3e61c62ea 100644
+--- a/config/apparmor/abstractions/container-base.in
++++ b/config/apparmor/abstractions/container-base.in
+@@ -83,7 +83,6 @@
+   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+   mount fstype=proc -> /proc/,
+   mount fstype=sysfs -> /sys/,
+-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+@@ -91,6 +90,11 @@
+   # deny reads from debugfs
+   deny /sys/kernel/debug/{,**} rwklx,
++  # prevent rw mounting of /sys, because that allows changing its global permissions
++  deny mount -> /proc/,
++  deny mount -> /sys/,
++#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
++
+   # allow paths to be made slave, shared, private or unbindable
+   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+ #  mount options=(rw,make-slave) -> **,
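Review bot: The `deny mount -> /proc/,` and `deny mount -> /sys/,` rules added on L1323-L1324 (and again on L1346-L1347) shadow the `mount fstype=proc -> /proc/,` and `mount fstype=sysfs -> /sys/,` allow rules kept on L1313-L1314 and L1336-L1337; if AppArmor evaluates deny rules ahead of allow rules, as its documentation describes, those two allow rules can no longer match anything and should either be removed or the deny narrowed to the rw remount that the description on L1297-L1299 is actually worried about. The commented-out `#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` on L1325 and L1348 is dead text inside a security policy and is better dropped than carried along. Since L1294-L1295 say the generated profiles already enforce this, a one-line comment next to the deny rules, `# superseded by the generated profiles, which already deny these mounts`, would record why the patch is still kept.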
diff --git a/debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch
new file mode 100644 (file)
index 0000000..073eacd
--- /dev/null
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 13 Aug 2019 13:57:22 +0200
+Subject: [PATCH] PVE: [Config] attach: always use getent
+
+In debian buster, some libnss plugins (if installed) can
+cause getpwent to segfault instead of erroring out cleanly.
+To avoid this, stick to always using getent.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/attach.c | 28 ++--------------------------
+ 1 file changed, 2 insertions(+), 26 deletions(-)
+
+diff --git a/src/lxc/attach.c b/src/lxc/attach.c
+index 38e16f2d1..34d64c196 100644
+--- a/src/lxc/attach.c
++++ b/src/lxc/attach.c
+@@ -1452,12 +1452,8 @@ int lxc_attach_run_command(void *payload)
+ int lxc_attach_run_shell(void* payload)
+ {
+-      __do_free char *buf = NULL;
+       uid_t uid;
+-      struct passwd pwent;
+-      struct passwd *pwentp = NULL;
+       char *user_shell;
+-      size_t bufsize;
+       int ret;
+       /* Ignore payload parameter. */
+@@ -1465,32 +1461,13 @@ int lxc_attach_run_shell(void* payload)
+       uid = getuid();
+-      bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+-      if (bufsize == -1)
+-              bufsize = 1024;
+-
+-      buf = malloc(bufsize);
+-      if (buf) {
+-              ret = getpwuid_r(uid, &pwent, buf, bufsize, &pwentp);
+-              if (!pwentp) {
+-                      if (ret == 0)
+-                              WARN("Could not find matched password record");
+-
+-                      WARN("Failed to get password record - %u", uid);
+-              }
+-      }
+-
+       /* This probably happens because of incompatible nss implementations in
+        * host and container (remember, this code is still using the host's
+        * glibc but our mount namespace is in the container) we may try to get
+        * the information by spawning a [getent passwd uid] process and parsing
+        * the result.
+        */
+-      if (!pwentp)
+-              user_shell = lxc_attach_getpwshell(uid);
+-      else
+-              user_shell = pwent.pw_shell;
+-
++      user_shell = lxc_attach_getpwshell(uid);
+       if (user_shell)
+               execlp(user_shell, user_shell, (char *)NULL);
+@@ -1500,8 +1477,7 @@ int lxc_attach_run_shell(void* payload)
+       execlp("/bin/sh", "/bin/sh", (char *)NULL);
+       SYSERROR("Failed to execute shell");
+-      if (!pwentp)
+-              free(user_shell);
++      free(user_shell);
+       return -1;
+ }
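Review bot: The comment kept on L1404-L1409 now describes a fallback ("This probably happens because ... we may try to get the information by spawning") that no longer exists, because L1415 makes `lxc_attach_getpwshell(uid)` the only lookup; it should state the actual reason given on L1363-L1365, e.g. `/* Always resolve the shell via a spawned getent: some host libnss plugins crash inside getpwuid_r() instead of failing cleanly. */`. The `int ret;` declaration on L1385 looks orphaned now that the `getpwuid_r()` call that assigned it is gone; unless the three lines between the second and third hunk still use it, it will draw an unused-variable warning and should be removed together with the other dropped locals. Since `free(user_shell)` on L1423 is now unconditional, a short note on L1415 that `lxc_attach_getpwshell()` returns a heap string owned by the caller would make the ownership obvious without re-reading the removed branch.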
diff --git a/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch
new file mode 100644 (file)
index 0000000..ee49687
--- /dev/null
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Wed, 22 Jul 2020 12:17:24 +0200
+Subject: [PATCH] apparmor: Allow ro remount of boot_id
+
+The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
+necessary mount calls for /proc/sys/kernel/random/boot_id
+(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
+
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ config/apparmor/abstractions/start-container.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
+index 9998f1121..9f64c2727 100644
+--- a/config/apparmor/abstractions/start-container.in
++++ b/config/apparmor/abstractions/start-container.in
+@@ -22,6 +22,7 @@
+   mount -> /var/lib/lxc/{**,},
+   mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
++  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
+   # required for some pre-mount hooks
+   mount fstype=overlayfs,
index 6524ca0a66323094168f92021e9d74fdca83adc8..4d02a7e9e05648ab415781c089859ca86f1e4140 100644 (file)
@@ -1,7 +1,14 @@
-pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
-pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
-pve/0003-PVE-Config-attach-always-use-getent.patch
-pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
-extra/0001-mainloop-add-lxc_mainloop_add_handler_events.patch
-extra/0002-cgfsng-deduplicate-freeze-code.patch
-extra/0003-cgfsng-use-EPOLLPRI-when-polling-cgroup.events.patch
+pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
+pve/0002-systemd-Add-Documentation-key.patch
+pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
+pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
+pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch
+pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
+pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
+pve/0008-confile-fix-jump-table-order.patch
+pve/0009-get-the-right-path-in-get_cgroup-command.patch
+pve/0010-cgroups-adhere-to-boolean-return.patch
+pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
+pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
+pve/0013-PVE-Config-attach-always-use-getent.patch
+pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch
diff --git a/lxc b/lxc
index 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec..6dc1208ded87c9b3db70aa43cca61857e0d19428 160000 (submodule)
--- a/lxc
+++ b/lxc
@@ -1 +1 @@
-Subproject commit 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec
+Subproject commit 6dc1208ded87c9b3db70aa43cca61857e0d19428