5 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
-index 5070196cc..9f34f9b1e 100644
+index fbe965b04..cd78e21cd 100644
--- a/.gitignore
+++ b/.gitignore
-@@ -124,6 +124,7 @@ config/bash/lxc
+@@ -126,6 +126,7 @@ config/bash/lxc
config/init/common/lxc-containers
config/init/common/lxc-net
config/init/systemd/lxc-autostart-helper
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/configure.ac b/configure.ac
-index e3a0c70bd..2bbf5dd4d 100644
+index f9fbd7273..079d0d990 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -909,6 +909,7 @@ AC_CONFIG_FILES([
+@@ -908,6 +908,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
2 files changed, 171 insertions(+)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index 6c9271130..3bf62f082 100644
+index c1054ddbc..0fda37b5e 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<term>
<option>lxc.cgroup.relative</option>
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 213688060..23ed7837c 100644
+index 5cb3ecfac..0929ba165 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
static int set_config_cgroup_relative(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
-@@ -3707,6 +3755,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
+@@ -3711,6 +3759,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen;
}
static inline int get_config_cgroup_relative(const char *key, char *retv,
int inlen, struct lxc_conf *lxc_conf,
void *data)
-@@ -4568,6 +4668,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
+@@ -4572,6 +4672,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0;
}
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index 3bf62f082..490793ddb 100644
+index 0fda37b5e..988b846e4 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 23ed7837c..c7e7887f3 100644
+index 0929ba165..0fdd4fa01 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
-index cdf82f937..6f9e1621d 100644
+index 98686f9ed..fe1b1bdb7 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
Whether this LXC instance can handle idmapped mounts for the rootfs.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
-index c2509207d..ae71ff18e 100644
+index d99adacbe..a10f2e5f3 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
-@@ -41,6 +41,7 @@ static char *api_extensions[] = {
- "devpts_fd",
+@@ -45,6 +45,7 @@ static char *api_extensions[] = {
"seccomp_notify_fd_active",
"seccomp_proxy_send_notify_fd",
+ #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
+ "cgroup_advanced_isolation",
"idmapped_mounts",
"idmapped_mounts_v2",
1 file changed, 57 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
-index 05ae2f441..9ad6627ab 100644
+index c4d6c962e..0dd6dc487 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
-@@ -2389,6 +2389,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
+@@ -2425,6 +2425,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index cd526ab6b..845270ee5 100644
+index 77da7bb45..9b98d842b 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload)
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Sat, 13 Nov 2021 18:20:13 +0100
-Subject: [PATCH lxc] Revert "initutils: use vfork() in lxc_container_init()"
-
-This reverts commit d65e5e492f740bbb50e3005f97420c3ddae3d595.
-
-With vfork the child process modifies the parent's memory,
-so the calls to `signal`, `fprintf` and regular `exit` may
-be dangerous and might cause conflicting states in the
-parent.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/initutils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
-index 24baecc88..72278c1f1 100644
---- a/src/lxc/initutils.c
-+++ b/src/lxc/initutils.c
-@@ -551,7 +551,7 @@ __noreturn int lxc_container_init(int argc, char *const *argv, bool quiet)
-
- remove_self();
-
-- pid = vfork();
-+ pid = fork();
- if (pid < 0)
- exit(EXIT_FAILURE);
-
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 3 Dec 2021 09:13:11 +0100
-Subject: [PATCH lxc] use 2 sysfs instances for sys:mixed
-
-In order to facilitate this, the default mount list's
-'destination' may now be NULL to mean that the source should
-be unmounted instead.
-
-Here's what we need to do:
-
-1) Ensure the first sysfs mount point is writable.
-2) Mount a read-only sysfs on /sys
-3) Bind devices/virtual/net *writably* into /sys
-
-We use /proc/sys as a staging directory for the first sysfs
-mount in read-write mode, then mount /sys r/o. Afterwards we
-bind the r/w devices/virtual/net and unmount the staging
-/proc/sys mount point.
-
-The staging directory would not be required with the new
-mount API, but this way we can support the old API and keep
-the general workflow in the `default_mounts`.
-
-Once we drop support for the old mount API, the
-default_mounts table could just get a subdirectory field to
-mount subdirectories directly.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/conf.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 8e068b8ac..c9ab285d8 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -708,9 +708,11 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
-+ /* /proc/sys is used as a temporary staging directory for the read-write sysfs mount and unmounted after binding net */
-+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/proc/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
-- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
-- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
-+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
-+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys", NULL, NULL, 0, NULL, false },
- { 0, 0, NULL, NULL, NULL, 0, NULL, false }
- };
- struct lxc_conf *conf = handler->conf;
-@@ -778,14 +780,21 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
- return syserror_set(-ENOMEM, "Failed to create source path");
- }
-
-- if (!default_mounts[i].destination)
-- return syserror_set(-EINVAL, "BUG: auto mounts destination %d was NULL", i);
--
- if (!has_cap_net_admin && default_mounts[i].requires_cap_net_admin) {
- TRACE("Container does not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts[i].source ?: "(null)");
- continue;
- }
-
-+ if (!default_mounts[i].destination) {
-+ ret = umount2(source, MNT_DETACH);
-+ if (ret < 0)
-+ return log_error_errno(-1, errno,
-+ "Failed to unmount \"%s\"",
-+ source);
-+ TRACE("Unmounted automount \"%s\"", source);
-+ continue;
-+ }
-+
- /* will act like strdup if %r is not present */
- destination = lxc_string_replace("%r", rootfs->path ? rootfs->mount : "", default_mounts[i].destination);
- if (!destination)
pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0009-PVE-Config-attach-always-use-getent.patch
-pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch
-pve/0011-use-2-sysfs-instances-for-sys-mixed.patch
projects / lxc.git / commitdiff