From: Wolfgang Bumiller Date: Mon, 4 Apr 2022 09:27:40 +0000 (+0200) Subject: update patches for lxc-4.0.12 X-Git-Url: https://git.proxmox.com/?p=lxc.git;a=commitdiff_plain;h=545d7dec6e7d5c57093b4d69722bba40da8ca8c6 update patches for lxc-4.0.12 Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch index 9c9bf3f..fe9399a 100644 --- a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch +++ b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch @@ -18,10 +18,10 @@ Signed-off-by: Wolfgang Bumiller 5 files changed, 41 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore -index 5070196cc..9f34f9b1e 100644 +index fbe965b04..cd78e21cd 100644 --- a/.gitignore +++ b/.gitignore -@@ -124,6 +124,7 @@ config/bash/lxc +@@ -126,6 +126,7 @@ config/bash/lxc config/init/common/lxc-containers config/init/common/lxc-net config/init/systemd/lxc-autostart-helper @@ -60,10 +60,10 @@ index c448850d1..4a4fde5e7 100644 pkglibexec_SCRIPTS = lxc-apparmor-load diff --git a/configure.ac b/configure.ac -index e3a0c70bd..2bbf5dd4d 100644 +index f9fbd7273..079d0d990 100644 --- a/configure.ac +++ b/configure.ac -@@ -909,6 +909,7 @@ AC_CONFIG_FILES([ +@@ -908,6 +908,7 @@ AC_CONFIG_FILES([ config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service diff --git a/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch b/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch index ce45035..37e1b31 100644 --- a/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch +++ b/debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch @@ -29,7 +29,7 @@ Signed-off-by: Thomas Lamprecht 2 files changed, 171 insertions(+) 
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index 6c9271130..3bf62f082 100644 +index c1054ddbc..0fda37b5e 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA @@ -87,7 +87,7 @@ index 6c9271130..3bf62f082 100644 diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index 213688060..23ed7837c 100644 +index 5cb3ecfac..0929ba165 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -67,6 +67,9 @@ lxc_config_define(cap_keep); @@ -159,7 +159,7 @@ index 213688060..23ed7837c 100644 static int set_config_cgroup_relative(const char *key, const char *value, struct lxc_conf *lxc_conf, void *data) { -@@ -3707,6 +3755,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen, +@@ -3711,6 +3759,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen, return fulllen; } @@ -218,7 +218,7 @@ index 213688060..23ed7837c 100644 static inline int get_config_cgroup_relative(const char *key, char *retv, int inlen, struct lxc_conf *lxc_conf, void *data) -@@ -4568,6 +4668,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, +@@ -4572,6 +4672,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, return 0; } diff --git a/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch b/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch index 5a1cb84..19f59ed 100644 --- a/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch +++ b/debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch @@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index 3bf62f082..490793ddb 100644 +index 0fda37b5e..988b846e4 100644 
--- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA diff --git a/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch b/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch index eb006bc..76eb900 100644 --- a/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch +++ b/debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch @@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index 23ed7837c..c7e7887f3 100644 +index 0929ba165..0fdd4fa01 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key, diff --git a/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch b/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch index 2dda02c..2648d19 100644 --- a/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch +++ b/debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch @@ -11,7 +11,7 @@ Signed-off-by: Christian Brauner 2 files changed, 5 insertions(+) diff --git a/doc/api-extensions.md b/doc/api-extensions.md -index cdf82f937..6f9e1621d 100644 +index 98686f9ed..fe1b1bdb7 100644 --- a/doc/api-extensions.md +++ b/doc/api-extensions.md @@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container. @@ -26,13 +26,13 @@ index cdf82f937..6f9e1621d 100644 Whether this LXC instance can handle idmapped mounts for the rootfs. diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h -index c2509207d..ae71ff18e 100644 +index d99adacbe..a10f2e5f3 100644 --- a/src/lxc/api_extensions.h 
+++ b/src/lxc/api_extensions.h -@@ -41,6 +41,7 @@ static char *api_extensions[] = { - "devpts_fd", +@@ -45,6 +45,7 @@ static char *api_extensions[] = { "seccomp_notify_fd_active", "seccomp_proxy_send_notify_fd", + #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */ + "cgroup_advanced_isolation", "idmapped_mounts", "idmapped_mounts_v2", diff --git a/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch b/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch index 2f52781..7ec274a 100644 --- a/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch +++ b/debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch @@ -12,10 +12,10 @@ Signed-off-by: KATOH Yasufumi 1 file changed, 57 insertions(+) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in -index 05ae2f441..9ad6627ab 100644 +index c4d6c962e..0dd6dc487 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in -@@ -2389,6 +2389,63 @@ by KATOH Yasufumi +@@ -2425,6 +2425,63 @@ by KATOH Yasufumi diff --git a/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch index 0bbc2a4..fd204c4 100644 --- a/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch +++ b/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch @@ -13,7 +13,7 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c -index cd526ab6b..845270ee5 100644 +index 77da7bb45..9b98d842b 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload) diff --git a/debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch b/debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch deleted file mode 100644 index 3a5315f..0000000 
--- a/debian/patches/pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Sat, 13 Nov 2021 18:20:13 +0100
-Subject: [PATCH lxc] Revert "initutils: use vfork() in lxc_container_init()"
-
-This reverts commit d65e5e492f740bbb50e3005f97420c3ddae3d595.
-
-With vfork the child process modifies the parent's memory,
-so the calls to `signal`, `fprintf` and regular `exit` may
-be dangerous and might cause conflicting states in the
-parent.
-
-Signed-off-by: Wolfgang Bumiller
----
- src/lxc/initutils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
-index 24baecc88..72278c1f1 100644
---- a/src/lxc/initutils.c
-+++ b/src/lxc/initutils.c
-@@ -551,7 +551,7 @@ __noreturn int lxc_container_init(int argc, char *const *argv, bool quiet)
-
- remove_self();
-
-- pid = vfork();
-+ pid = fork();
- if (pid < 0)
- exit(EXIT_FAILURE);
-
diff --git a/debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch b/debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch
deleted file mode 100644
index 28ed5b9..0000000
--- a/debian/patches/pve/0011-use-2-sysfs-instances-for-sys-mixed.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Fri, 3 Dec 2021 09:13:11 +0100
-Subject: [PATCH lxc] use 2 sysfs instances for sys:mixed
-
-In order to facilitate this, the default mount list's
-'destination' may now be NULL to mean that the source should
-be unmounted instead.
-
-Here's what we need to do:
-
-1) Ensure the first sysfs mount point is writable.
-2) Mount a read-only sysfs on /sys
-3) Bind devices/virtual/net *writably* into /sys
-
-We use /proc/sys as a staging directory for the first sysfs
-mount in read-write mode, then mount /sys r/o. Afterwards we
-bind the r/w devices/virtual/net and unmount the staging
-/proc/sys mount point.
-
-The staging directory would not be required with the new
-mount API, but this way we can support the old API and keep
-the general workflow in the `default_mounts`.
-
-Once we drop support for the old mount API, the
-default_mounts table could just get a subdirectory field to
-mount subdirectories directly.
-
-Signed-off-by: Wolfgang Bumiller
----
- src/lxc/conf.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 8e068b8ac..c9ab285d8 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -708,9 +708,11 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
-+ /* /proc/sys is used as a temporary staging directory for the read-write sysfs mount and unmounted after binding net */
-+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/proc/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
-- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
-- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
-+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
-+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys", NULL, NULL, 0, NULL, false },
- { 0, 0, NULL, NULL, NULL, 0, NULL, false }
- };
- struct lxc_conf *conf = handler->conf;
-@@ -778,14 +780,21 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
- return syserror_set(-ENOMEM, "Failed to create source path");
- }
-
-- if (!default_mounts[i].destination)
-- return syserror_set(-EINVAL, "BUG: auto mounts destination %d was NULL", i);
--
- if (!has_cap_net_admin && default_mounts[i].requires_cap_net_admin) {
- TRACE("Container does
not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts[i].source ?: "(null)");
- continue;
- }
-
-+ if (!default_mounts[i].destination) {
-+ ret = umount2(source, MNT_DETACH);
-+ if (ret < 0)
-+ return log_error_errno(-1, errno,
-+ "Failed to unmount \"%s\"",
-+ source);
-+ TRACE("Unmounted automount \"%s\"", source);
-+ continue;
-+ }
-+
- /* will act like strdup if %r is not present */
- destination = lxc_string_replace("%r", rootfs->path ? rootfs->mount : "", default_mounts[i].destination);
- if (!destination)
diff --git a/debian/patches/series b/debian/patches/series
index f71c8c4..e1f9c16 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,5 +7,3 @@ pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0009-PVE-Config-attach-always-use-getent.patch
-pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch
-pve/0011-use-2-sysfs-instances-for-sys-mixed.patch