From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 31 Mar 2020 15:22:42 +0200
-Subject: [PATCH] allow running lxc-monitord as a system daemon
+Subject: [PATCH lxc] allow running lxc-monitord as a system daemon
lxc-monitord instances are spawned on demand and, if this
happens from a service, the daemon is considered part of
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
.gitignore | 1 +
- config/init/systemd/Makefile.am | 10 +++---
+ config/init/systemd/Makefile.am | 10 +++++----
configure.ac | 1 +
lxc.spec.in | 1 +
- src/lxc/cmd/lxc_monitord.c | 60 +++++++++++++++++++++++----------
- 5 files changed, 52 insertions(+), 21 deletions(-)
+ src/lxc/cmd/lxc_monitord.c | 40 ++++++++++++++++++++++++++-------
+ 5 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
-index 3cff48d96..44345454f 100644
+index 5070196cc..9f34f9b1e 100644
--- a/.gitignore
+++ b/.gitignore
-@@ -120,6 +120,7 @@ config/bash/lxc
+@@ -124,6 +124,7 @@ config/bash/lxc
config/init/common/lxc-containers
config/init/common/lxc-net
config/init/systemd/lxc-autostart-helper
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/configure.ac b/configure.ac
-index e30ea6f6e..16c5ab8c4 100644
+index e3a0c70bd..2bbf5dd4d 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -913,6 +913,7 @@ AC_CONFIG_FILES([
+@@ -909,6 +909,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
config/init/sysvinit/lxc-containers
config/init/sysvinit/lxc-net
diff --git a/lxc.spec.in b/lxc.spec.in
-index ec6321c33..ea6789fb6 100644
+index a7ce2601c..7ed9685bd 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
-@@ -251,6 +251,7 @@ fi
+@@ -255,6 +255,7 @@ fi
%{_unitdir}/lxc-net.service
%{_unitdir}/lxc.service
%{_unitdir}/lxc@.service
%{_sysconfdir}/rc.d/init.d/lxc
%{_sysconfdir}/rc.d/init.d/lxc-net
diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c
-index bcb289ca6..da7db2820 100644
+index 2b0895fc6..997d11217 100644
--- a/src/lxc/cmd/lxc_monitord.c
+++ b/src/lxc/cmd/lxc_monitord.c
-@@ -338,17 +338,44 @@ static void lxc_monitord_sig_handler(int sig)
+@@ -327,17 +327,44 @@ static void lxc_monitord_sig_handler(int sig)
int main(int argc, char *argv[])
{
"NOTE: lxc-monitord is intended for use by lxc internally\n"
" and does not need to be run by hand\n\n");
exit(EXIT_FAILURE);
-@@ -371,9 +398,6 @@ int main(int argc, char *argv[])
+@@ -360,9 +387,6 @@ int main(int argc, char *argv[])
INFO("Failed to open log file %s, log will be lost", lxcpath);
lxc_log_options_no_override();
if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) ||
-@@ -406,15 +430,17 @@ int main(int argc, char *argv[])
- goto on_error;
- monitord_created = true;
-
-- /* sync with parent, we're ignoring the return from write
-- * because regardless if it works or not, the following
-- * close will sync us with the parent process. the
-- * if-empty-statement construct is to quiet the
-- * warn-unused-result warning.
-- */
-- if (lxc_write_nointr(pipefd, "S", 1))
-- ;
-- close(pipefd);
-+ if (pipefd != -1) {
-+ /* sync with parent, we're ignoring the return from write
-+ * because regardless if it works or not, the following
-+ * close will sync us with the parent process. the
-+ * if-empty-statement construct is to quiet the
-+ * warn-unused-result warning.
-+ */
-+ if (lxc_write_nointr(pipefd, "S", 1))
-+ ;
-+ close(pipefd);
-+ }
-
- if (lxc_monitord_mainloop_add(&monitor)) {
- ERROR("Failed to add mainloop handlers");
-@@ -425,7 +451,7 @@ int main(int argc, char *argv[])
+@@ -417,7 +441,7 @@ int main(int argc, char *argv[])
lxc_raw_getpid(), monitor.lxcpath);
for (;;) {
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 2 Apr 2020 10:01:37 +0200
-Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner}
+Subject: [PATCH lxc] introduce
+ lxc.cgroup.dir.{monitor,container,container.inner}
This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.
2 files changed, 171 insertions(+)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index e089fa61d..595cb3972 100644
+index 6c9271130..3bf62f082 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
-@@ -1757,6 +1757,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+@@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
<term>
<option>lxc.cgroup.relative</option>
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 37c38fe1e..daf8ee474 100644
+index 213688060..23ed7837c 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
lxc_config_define(cgroup_relative);
lxc_config_define(console_buffer_size);
lxc_config_define(console_logfile);
-@@ -185,6 +188,9 @@ static struct lxc_config_t config_jump_table[] = {
+@@ -187,6 +190,9 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.drop", true, set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
{ "lxc.cap.keep", true, set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", false, set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
{ "lxc.cgroup.dir", true, set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", true, set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", false, set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
-@@ -1795,6 +1801,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
+@@ -1840,6 +1846,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_path_item(&lxc_conf->cgroup_meta.dir, value);
}
static int set_config_cgroup_relative(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
-@@ -3654,6 +3702,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
+@@ -3707,6 +3755,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen;
}
static inline int get_config_cgroup_relative(const char *key, char *retv,
int inlen, struct lxc_conf *lxc_conf,
void *data)
-@@ -4491,6 +4591,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
+@@ -4568,6 +4668,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0;
}
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:08:41 +0200
-Subject: [PATCH] doc:
+Subject: [PATCH lxc] doc:
s/lxc.cgroup.container.namespace/lxc.cgroup.container.inner/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index 595cb3972..18bf36aaf 100644
+index 3bf62f082..490793ddb 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
-@@ -1769,7 +1769,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+@@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
exclusive with <option>lxc.cgroup.dir</option>.
Note that the final path the container attaches to may be
extended further by the
</para>
</listitem>
</varlistentry>
-@@ -1786,7 +1786,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+@@ -1830,7 +1830,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</varlistentry>
<varlistentry>
<term>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:10:58 +0200
-Subject: [PATCH] confile: coding style fixes for
+Subject: [PATCH lxc] confile: coding style fixes for
set_config_cgroup_container_inner_dir()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index daf8ee474..ae6e72c22 100644
+index 23ed7837c..c7e7887f3 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
-@@ -1828,19 +1828,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
+@@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
void *data)
{
if (lxc_config_value_empty(value))
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 4 Apr 2020 12:07:43 +0200
-Subject: [PATCH] api-extensions: add and document cgroup_advanced_isolation
+Subject: [PATCH lxc] api-extensions: add and document
+ cgroup_advanced_isolation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
-index ff0df50ef..13ba41a62 100644
+index cdf82f937..6f9e1621d 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
+
## idmapped\_mounts
- Whether this LXC instance can handle idmapped mounts.
+ Whether this LXC instance can handle idmapped mounts for the rootfs.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
-index 06a4130ba..6653c7299 100644
+index c2509207d..ae71ff18e 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -41,6 +41,7 @@ static char *api_extensions[] = {
"seccomp_proxy_send_notify_fd",
+ "cgroup_advanced_isolation",
"idmapped_mounts",
- };
-
+ "idmapped_mounts_v2",
+ "core_scheduling",
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Sun, 5 Apr 2020 21:18:59 +0900
-Subject: [PATCH] doc: Add lxc.cgroup.dir.{monitor,container,container.inner}
- to Japanese man
+Subject: [PATCH lxc] doc: Add
+ lxc.cgroup.dir.{monitor,container,container.inner} to Japanese man
Update for commit a900cba
1 file changed, 57 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
-index fd6fb18e3..2c77d4ea3 100644
+index 05ae2f441..9ad6627ab 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
-@@ -2099,6 +2099,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
+@@ -2389,6 +2389,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH] PVE: [Config] lxc.service: start after a potential
+Subject: [PATCH lxc] PVE: [Config] lxc.service: start after a potential
syslog.service
We could add this as a snippet from pve-container instead.
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH] PVE: [Config] deny rw mounting of /sys and /proc
+Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc
Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this.
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 13 Aug 2019 13:57:22 +0200
-Subject: [PATCH] PVE: [Config] attach: always use getent
+Subject: [PATCH lxc] PVE: [Config] attach: always use getent
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index 97eff7f8e..01bd56f45 100644
+index cd526ab6b..845270ee5 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
-@@ -1810,12 +1810,8 @@ int lxc_attach_run_command(void *payload)
+@@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload)
int lxc_attach_run_shell(void* payload)
{
- struct passwd pwent;
- struct passwd *pwentp = NULL;
char *user_shell;
-- size_t bufsize;
+- ssize_t bufsize;
int ret;
/* Ignore payload parameter. */
-@@ -1823,32 +1819,13 @@ int lxc_attach_run_shell(void* payload)
+@@ -1854,32 +1850,13 @@ int lxc_attach_run_shell(void* payload)
uid = getuid();
- bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
-- if (bufsize == -1)
+- if (bufsize < 0)
- bufsize = 1024;
-
- buf = malloc(bufsize);
if (user_shell)
execlp(user_shell, user_shell, (char *)NULL);
-@@ -1858,8 +1835,7 @@ int lxc_attach_run_shell(void* payload)
+@@ -1889,8 +1866,7 @@ int lxc_attach_run_shell(void* payload)
execlp("/bin/sh", "/bin/sh", (char *)NULL);
SYSERROR("Failed to execute shell");
--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Sat, 13 Nov 2021 18:20:13 +0100
+Subject: [PATCH lxc] Revert "initutils: use vfork() in lxc_container_init()"
+
+This reverts commit d65e5e492f740bbb50e3005f97420c3ddae3d595.
+
+With vfork the child process modifies the parent's memory,
+so the calls to `signal`, `fprintf` and regular `exit` may
+be dangerous and might cause conflicting states in the
+parent.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/initutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
+index 24baecc88..72278c1f1 100644
+--- a/src/lxc/initutils.c
++++ b/src/lxc/initutils.c
+@@ -551,7 +551,7 @@ __noreturn int lxc_container_init(int argc, char *const *argv, bool quiet)
+
+ remove_self();
+
+- pid = vfork();
++ pid = fork();
+ if (pid < 0)
+ exit(EXIT_FAILURE);
+
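Review bot: The new `pid = fork();` line carries no comment explaining why the plain fork is preferred, and since this hunk reverts an upstream commit, the next rebase onto upstream is likely to reintroduce `vfork()` unless the reason sits next to the line. The rationale is in the commit message (the child calls `signal`, `fprintf` and `exit` before exec, which under vfork run in the parent's address space), so I would carry it into the code: `/* fork(), not vfork(): the child calls signal(), fprintf() and exit() before exec, which would clobber the parent's state under vfork */`. The body of `lxc_container_init`, including the child-side code the comment refers to, continues outside the hunk.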
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Mon, 5 Jul 2021 09:02:36 +0200
-Subject: [PATCH] conf: userns.conf: include userns.conf.d
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- config/templates/userns.conf.in | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
-index 69d992680..255dd01a3 100644
---- a/config/templates/userns.conf.in
-+++ b/config/templates/userns.conf.in
-@@ -19,3 +19,6 @@ lxc.tty.dir =
-
- # Setup the default mounts
- lxc.mount.auto = sys:rw
-+
-+# Lastly, include all the configs from @LXCTEMPLATECONFIG@/userns.conf.d/
-+lxc.include = @LXCTEMPLATECONFIG@/userns.conf.d/
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Mon, 5 Jul 2021 10:53:41 +0200
-Subject: [PATCH] confile: allow including nonexisting directories
-
-If an include directive ends with a trailing slash, we now
-always assume it is a directory and do not treat the
-non-existence as an error.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/confile.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 6e2b68b1c..7f4fb13fb 100644
---- a/src/lxc/confile.c
-+++ b/src/lxc/confile.c
-@@ -2689,7 +2689,7 @@ static int do_includedir(const char *dirp, struct lxc_conf *lxc_conf)
-
- dir = opendir(dirp);
- if (!dir)
-- return -errno;
-+ return errno == ENOENT ? 0 : -errno;
-
- while ((direntp = readdir(dir))) {
- const char *fnam;
-@@ -2726,7 +2726,7 @@ static int set_config_includefiles(const char *key, const char *value,
- return 0;
- }
-
-- if (is_dir(value))
-+ if (value[strlen(value)-1] == '/' || is_dir(value))
- return do_includedir(value, lxc_conf);
-
- return lxc_config_read(value, lxc_conf, true);
--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 3 Dec 2021 09:13:11 +0100
+Subject: [PATCH lxc] use 2 sysfs instances for sys:mixed
+
+In order to facilitate this, the default mount list's
+'destination' may now be NULL to mean that the source should
+be unmounted instead.
+
+Here's what we need to do:
+
+1) Ensure the first sysfs mount point is writable.
+2) Mount a read-only sysfs on /sys
+3) Bind devices/virtual/net *writably* into /sys
+
+We use /proc/sys as a staging directory for the first sysfs
+mount in read-write mode, then mount /sys r/o. Afterwards we
+bind the r/w devices/virtual/net and unmount the staging
+/proc/sys mount point.
+
+The staging directory would not be required with the new
+mount API, but this way we can support the old API and keep
+the general workflow in the `default_mounts`.
+
+Once we drop support for the old mount API, the
+default_mounts table could just get a subdirectory field to
+mount subdirectories directly.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/conf.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 8e068b8ac..c9ab285d8 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -708,9 +708,11 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
++ /* /proc/sys is used as a temporary staging directory for the read-write sysfs mount and unmounted after binding net */
++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/proc/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
+- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
+- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys", NULL, NULL, 0, NULL, false },
+ { 0, 0, NULL, NULL, NULL, 0, NULL, false }
+ };
+ struct lxc_conf *conf = handler->conf;
+@@ -778,14 +780,21 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
+ return syserror_set(-ENOMEM, "Failed to create source path");
+ }
+
+- if (!default_mounts[i].destination)
+- return syserror_set(-EINVAL, "BUG: auto mounts destination %d was NULL", i);
+-
+ if (!has_cap_net_admin && default_mounts[i].requires_cap_net_admin) {
+ TRACE("Container does not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts[i].source ?: "(null)");
+ continue;
+ }
+
++ if (!default_mounts[i].destination) {
++ ret = umount2(source, MNT_DETACH);
++ if (ret < 0)
++ return log_error_errno(-1, errno,
++ "Failed to unmount \"%s\"",
++ source);
++ TRACE("Unmounted automount \"%s\"", source);
++ continue;
++ }
++
+ /* will act like strdup if %r is not present */
+ destination = lxc_string_replace("%r", rootfs->path ? rootfs->mount : "", default_mounts[i].destination);
+ if (!destination)
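Review bot: The dropped `MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC` row for `%r/sys/devices/virtual/net` means the writable net bind in the first hunk now relies on the bind inheriting the staging mount's per-mount nosuid/nodev/noexec flags rather than setting them explicitly, and nothing in the table says so; a comment on the `MS_BIND` row such as `/* rw bind of net out of the staging mount; it inherits that mount's MS_NOSUID|MS_NODEV|MS_NOEXEC per-mount flags, so no separate remount is needed */` would keep a later flag change on the staging row from silently producing a writable sysfs subtree without those restrictions. The staging row also presumes `%r/proc/sys` exists when it is reached, which appears to hold only when a `proc` row earlier in the table was applied or the rootfs ships that directory; worth a sentence in the existing staging-directory comment. The row order is load-bearing (staging mount, then read-only `%r/sys`, then the bind, then the unmount entry, which must stay last), and a NULL destination now means "unmount source" instead of hitting the removed `-EINVAL` guard, so the terminator row's comment or the table's header should state that convention. `lxc_mount_auto_mounts` continues outside the hunk.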
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stoiko Ivanov <s.ivanov@proxmox.com>
-Date: Mon, 19 Jul 2021 16:55:43 +0200
-Subject: [PATCH] cgroups: populate hierarchy for device cgroup
-
-With the changes introduced in:
-b7b1e3a34ce28b01206c48227930ff83d399e7b6
-the hierarchy-struct did not have the path_lim set anymore, which is
-needed by setup_limits_legacy to actually access the cgroup directory.
-
-The issue can be reproduced with a container config having
-```
-lxc.cgroup.devices.deny = a
-```
-(or any lxc.cgroup.devices entry) set on a system booted with
-systemd.unified_cgroup_hierarchy=0.
-
-This affects all privileged containers on PVE (due to the default
-devices.deny entry).
-
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- src/lxc/cgroups/cgfsng.c | 39 +++++++++++++++++++--------------------
- 1 file changed, 19 insertions(+), 20 deletions(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 9e1ece5ca..e27baa625 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -794,8 +794,12 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- if (fd_limit < 0)
- return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir);
-
-+ limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-+ h->dfd_lim = move_fd(fd_limit);
-+ h->path_lim = move_ptr(limit_path);
-+
- TRACE("Created limit cgroup %d->%d(%s)",
-- fd_limit, h->dfd_base, cgroup_limit_dir);
-+ h->dfd_lim, h->dfd_base, cgroup_limit_dir);
-
- /*
- * With isolation the devices legacy cgroup needs to be
-@@ -807,44 +811,39 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- !ops->setup_limits_legacy(ops, conf, true))
- return log_error(false, "Failed to setup legacy device limits");
-
-- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-- path = must_make_path(limit_path, cgroup_leaf, NULL);
-+ path = must_make_path(h->path_lim, cgroup_leaf, NULL);
-
- /*
- * If we use a separate limit cgroup, the leaf cgroup, i.e. the
- * cgroup the container actually resides in, is below fd_limit.
- */
-- fd_final = __cgroup_tree_create(fd_limit, cgroup_leaf, 0755, cpuset_v1, false);
-+ fd_final = __cgroup_tree_create(h->dfd_lim, cgroup_leaf, 0755, cpuset_v1, false);
- if (fd_final < 0) {
- /* Ensure we don't leave any garbage behind. */
- if (cgroup_tree_prune(h->dfd_base, cgroup_limit_dir))
- SYSWARN("Failed to destroy %d(%s)", h->dfd_base, cgroup_limit_dir);
- else
- TRACE("Removed cgroup tree %d(%s)", h->dfd_base, cgroup_limit_dir);
-+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
- }
-+ h->dfd_con = move_fd(fd_final);
-+ h->path_con = move_ptr(path);
-+
- } else {
- path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-
- fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false);
-- }
-- if (fd_final < 0)
-- return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
--
-- if (payload) {
-- h->dfd_con = move_fd(fd_final);
-- h->path_con = move_ptr(path);
-+ if (fd_final < 0)
-+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
-
-- if (fd_limit < 0)
-+ if (payload) {
-+ h->dfd_con = move_fd(fd_final);
- h->dfd_lim = h->dfd_con;
-- else
-- h->dfd_lim = move_fd(fd_limit);
--
-- if (limit_path)
-- h->path_lim = move_ptr(limit_path);
-- else
-+ h->path_con = move_ptr(path);
- h->path_lim = h->path_con;
-- } else {
-- h->dfd_mon = move_fd(fd_final);
-+ } else {
-+ h->dfd_mon = move_fd(fd_final);
-+ }
- }
-
- return true;
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stoiko Ivanov <s.ivanov@proxmox.com>
-Date: Tue, 20 Jul 2021 10:30:36 +0200
-Subject: [PATCH] cgroups: remove unneeded variables from cgroup_tree_create
-
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- src/lxc/cgroups/cgfsng.c | 13 ++++---------
- 1 file changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index e27baa625..35ba0fb9d 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -779,7 +779,6 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- const char *cgroup_leaf, bool payload)
- {
- __do_close int fd_limit = -EBADF, fd_final = -EBADF;
-- __do_free char *path = NULL, *limit_path = NULL;
- bool cpuset_v1 = false;
-
- /*
-@@ -794,9 +793,8 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- if (fd_limit < 0)
- return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir);
-
-- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-+ h->path_lim = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
- h->dfd_lim = move_fd(fd_limit);
-- h->path_lim = move_ptr(limit_path);
-
- TRACE("Created limit cgroup %d->%d(%s)",
- h->dfd_lim, h->dfd_base, cgroup_limit_dir);
-@@ -811,8 +809,6 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- !ops->setup_limits_legacy(ops, conf, true))
- return log_error(false, "Failed to setup legacy device limits");
-
-- path = must_make_path(h->path_lim, cgroup_leaf, NULL);
--
- /*
- * If we use a separate limit cgroup, the leaf cgroup, i.e. the
- * cgroup the container actually resides in, is below fd_limit.
-@@ -827,11 +823,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
- }
- h->dfd_con = move_fd(fd_final);
-- h->path_con = move_ptr(path);
-+ h->path_con = must_make_path(h->path_lim, cgroup_leaf, NULL);
-
- } else {
-- path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
--
- fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false);
- if (fd_final < 0)
- return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
-@@ -839,7 +833,8 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
- if (payload) {
- h->dfd_con = move_fd(fd_final);
- h->dfd_lim = h->dfd_con;
-- h->path_con = move_ptr(path);
-+ h->path_con = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-+
- h->path_lim = h->path_con;
- } else {
- h->dfd_mon = move_fd(fd_final);
pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0009-PVE-Config-attach-always-use-getent.patch
-pve/0010-conf-userns.conf-include-userns.conf.d.patch
-pve/0011-confile-allow-including-nonexisting-directories.patch
-pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch
-pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch
+pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch
+pve/0011-use-2-sysfs-instances-for-sys-mixed.patch