
update patches for lxc-5

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2022-06-22 11:14:43 +02:00
parent 1b640cf1dc
commit 01ed43133f
10 changed files with 13 additions and 618 deletions


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
Subject: [PATCH lxc] PVE: [Config] lxc.service: start after a potential
Subject: [PATCH] PVE: [Config] lxc.service: start after a potential
syslog.service
We could add this as a snippet from pve-container instead.


@ -1,157 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 31 Mar 2020 15:22:42 +0200
Subject: [PATCH lxc] allow running lxc-monitord as a system daemon
lxc-monitord instances are spawned on demand and, if this
happens from a service, the daemon is considered part of
it by systemd, as it is running in the same cgroups. This
can be avoided by leaving it running permanently.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
.gitignore | 1 +
config/init/systemd/Makefile.am | 10 +++++----
configure.ac | 1 +
lxc.spec.in | 1 +
src/lxc/cmd/lxc_monitord.c | 40 ++++++++++++++++++++++++++-------
5 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
index fbe965b04..cd78e21cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -126,6 +126,7 @@ config/bash/lxc
config/init/common/lxc-containers
config/init/common/lxc-net
config/init/systemd/lxc-autostart-helper
+config/init/systemd/lxc-monitord.service
config/init/systemd/lxc-net.service
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
index c448850d1..4a4fde5e7 100644
--- a/config/init/systemd/Makefile.am
+++ b/config/init/systemd/Makefile.am
@@ -2,19 +2,21 @@ EXTRA_DIST = \
lxc-apparmor-load \
lxc.service.in \
lxc@.service.in \
- lxc-net.service.in
+ lxc-net.service.in \
+ lxc-monitord.service.in
if INIT_SCRIPT_SYSTEMD
-BUILT_SOURCES = lxc.service lxc@.service lxc-net.service
+BUILT_SOURCES = lxc.service lxc@.service lxc-net.service lxc-monitord.service
-install-systemd: lxc.service lxc@.service lxc-net.service lxc-apparmor-load
+install-systemd: lxc.service lxc@.service lxc-net.service lxc-monitord.service lxc-apparmor-load
$(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
- $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
+ $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service lxc-monitord.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
uninstall-systemd:
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc.service
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc@.service
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
+ rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-monitord.service
rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/configure.ac b/configure.ac
index f9fbd7273..079d0d990 100644
--- a/configure.ac
+++ b/configure.ac
@@ -908,6 +908,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
+ config/init/systemd/lxc-monitord.service
config/init/sysvinit/Makefile
config/init/sysvinit/lxc-containers
config/init/sysvinit/lxc-net
diff --git a/lxc.spec.in b/lxc.spec.in
index a7ce2601c..7ed9685bd 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -255,6 +255,7 @@ fi
%{_unitdir}/lxc-net.service
%{_unitdir}/lxc.service
%{_unitdir}/lxc@.service
+%{_unitdir}/lxc-monitord.service
%else
%{_sysconfdir}/rc.d/init.d/lxc
%{_sysconfdir}/rc.d/init.d/lxc-net
diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c
index 2b0895fc6..997d11217 100644
--- a/src/lxc/cmd/lxc_monitord.c
+++ b/src/lxc/cmd/lxc_monitord.c
@@ -327,17 +327,44 @@ static void lxc_monitord_sig_handler(int sig)
int main(int argc, char *argv[])
{
- int ret, pipefd;
+ int ret, pipefd = -1;
char logpath[PATH_MAX];
sigset_t mask;
- char *lxcpath = argv[1];
+ const char *lxcpath = NULL;
bool mainloop_opened = false;
bool monitord_created = false;
+ bool persistent = false;
struct lxc_log log;
- if (argc != 3) {
+ if (argc > 1 && !strcmp(argv[1], "--daemon")) {
+ persistent = true;
+ --argc;
+ ++argv;
+ }
+
+ if (argc > 1) {
+ lxcpath = argv[1];
+ --argc;
+ ++argv;
+ } else {
+ lxcpath = lxc_global_config_value("lxc.lxcpath");
+ if (!lxcpath) {
+ ERROR("Failed to get default lxcpath");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (argc > 1) {
+ if (lxc_safe_int(argv[1], &pipefd) < 0)
+ exit(EXIT_FAILURE);
+ --argc;
+ ++argv;
+ }
+
+ if (argc != 1 || (persistent != (pipefd == -1))) {
fprintf(stderr,
- "Usage: lxc-monitord lxcpath sync-pipe-fd\n\n"
+ "Usage: lxc-monitord lxcpath sync-pipe-fd\n"
+ " lxc-monitord --daemon lxcpath\n\n"
"NOTE: lxc-monitord is intended for use by lxc internally\n"
" and does not need to be run by hand\n\n");
exit(EXIT_FAILURE);
@@ -360,9 +387,6 @@ int main(int argc, char *argv[])
INFO("Failed to open log file %s, log will be lost", lxcpath);
lxc_log_options_no_override();
- if (lxc_safe_int(argv[2], &pipefd) < 0)
- exit(EXIT_FAILURE);
-
if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) ||
@@ -417,7 +441,7 @@ int main(int argc, char *argv[])
lxc_raw_getpid(), monitor.lxcpath);
for (;;) {
- ret = lxc_mainloop(&monitor.descr, 1000 * 30);
+ ret = lxc_mainloop(&monitor.descr, persistent ? -1 : 1000 * 30);
if (ret) {
ERROR("mainloop returned an error");
break;


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc
Subject: [PATCH] PVE: [Config] deny rw mounting of /sys and /proc
Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this.


@ -1,251 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 2 Apr 2020 10:01:37 +0200
Subject: [PATCH lxc] introduce
lxc.cgroup.dir.{monitor,container,container.inner}
This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.
Contrary to the previous PR using an optional additional
parameter for the get-cgroup command, this introduces two
new additional commands to get the limiting cgroup path and
cgroup2 file descriptor. If the limiting option is not in
use, these behave identical to their full-path counterparts.
If these variables are used the payload will end up in the
concatenation of lxc.cgroup.dir.container and
lxc.cgroup.dir.container.inner (which may be empty), and the
monitor will end up in lxc.cgruop.dir.monitor. The
directories are fixed, no retry count logic is applied,
failing to create these directories will simply be a hard
error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
doc/lxc.container.conf.sgml.in | 47 +++++++++++++
src/lxc/confile.c | 124 +++++++++++++++++++++++++++++++++
2 files changed, 171 insertions(+)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index c1054ddbc..0fda37b5e 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container</option>
+ </term>
+ <listitem>
+ <para>
+ This is similar to <option>lxc.cgroup.dir</option>, but must be
+ used together with <option>lxc.cgroup.dir.monitor</option> and
+ affects only the container's cgroup path. This option is mutually
+ exclusive with <option>lxc.cgroup.dir</option>.
+ Note that the final path the container attaches to may be
+ extended further by the
+ <option>lxc.cgroup.dir.container.namespace</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.monitor</option>
+ </term>
+ <listitem>
+ <para>
+ This is the monitor process counterpart to
+ <option>lxc.cgroup.dir.container</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container.namespace</option>
+ </term>
+ <listitem>
+ <para>
+ Specify an additional subdirectory where the cgroup namespace
+ will be created. With this option, the cgroup limits will be
+ applied to the outer path specified in
+ <option>lxc.cgroup.dir.container</option>, which is not accessible
+ from within the container, making it possible to better enforce
+ limits for privileged containers in a way they cannot override
+ them.
+ This only works in conjunction with the
+ <option>lxc.cgroup.dir.container</option> and
+ <option>lxc.cgroup.dir.monitor</option> options and has otherwise
+ no effect.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>lxc.cgroup.relative</option>
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 5cb3ecfac..0929ba165 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
lxc_config_define(cgroup_controller);
lxc_config_define(cgroup2_controller);
lxc_config_define(cgroup_dir);
+lxc_config_define(cgroup_monitor_dir);
+lxc_config_define(cgroup_container_dir);
+lxc_config_define(cgroup_container_inner_dir);
lxc_config_define(cgroup_relative);
lxc_config_define(console_buffer_size);
lxc_config_define(console_logfile);
@@ -187,6 +190,9 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.drop", true, set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
{ "lxc.cap.keep", true, set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", false, set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
+ { "lxc.cgroup.dir.monitor", true, set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
+ { "lxc.cgroup.dir.container.inner", true, set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir, },
+ { "lxc.cgroup.dir.container", true, set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
{ "lxc.cgroup.dir", true, set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", true, set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", false, set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
@@ -1840,6 +1846,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_path_item(&lxc_conf->cgroup_meta.dir, value);
}
+static int set_config_cgroup_monitor_dir(const char *key, const char *value,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_monitor_dir(key, lxc_conf, NULL);
+
+ return set_config_string_item(&lxc_conf->cgroup_meta.monitor_dir,
+ value);
+}
+
+static int set_config_cgroup_container_dir(const char *key, const char *value,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_container_dir(key, lxc_conf, NULL);
+
+ return set_config_string_item(&lxc_conf->cgroup_meta.container_dir,
+ value);
+}
+
+static int set_config_cgroup_container_inner_dir(const char *key,
+ const char *value,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_container_inner_dir(key, lxc_conf,
+ NULL);
+
+ if (strchr(value, '/') ||
+ strcmp(value, ".") == 0 ||
+ strcmp(value, "..") == 0)
+ {
+ ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
+ return -1;
+ }
+
+ return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
+ value);
+}
+
static int set_config_cgroup_relative(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
@@ -3711,6 +3759,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen;
}
+static int get_config_cgroup_monitor_dir(const char *key, char *retv, int inlen,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ int len;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.monitor_dir);
+
+ return fulllen;
+}
+
+static int get_config_cgroup_container_dir(const char *key, char *retv,
+ int inlen,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ int len;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.container_dir);
+
+ return fulllen;
+}
+
+static int get_config_cgroup_container_inner_dir(const char *key, char *retv,
+ int inlen,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ int len;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.namespace_dir);
+
+ return fulllen;
+}
+
static inline int get_config_cgroup_relative(const char *key, char *retv,
int inlen, struct lxc_conf *lxc_conf,
void *data)
@@ -4572,6 +4672,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0;
}
+static int clr_config_cgroup_monitor_dir(const char *key,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ free_disarm(lxc_conf->cgroup_meta.monitor_dir);
+ return 0;
+}
+
+static int clr_config_cgroup_container_dir(const char *key,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ free_disarm(lxc_conf->cgroup_meta.container_dir);
+ return 0;
+}
+
+static int clr_config_cgroup_container_inner_dir(const char *key,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ free_disarm(lxc_conf->cgroup_meta.namespace_dir);
+ return 0;
+}
+
static inline int clr_config_cgroup_relative(const char *key,
struct lxc_conf *lxc_conf,
void *data)


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 13 Aug 2019 13:57:22 +0200
Subject: [PATCH lxc] PVE: [Config] attach: always use getent
Subject: [PATCH] PVE: [Config] attach: always use getent
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
@ -9,14 +9,14 @@ To avoid this, stick to always using getent.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/attach.c | 28 ++--------------------------
1 file changed, 2 insertions(+), 26 deletions(-)
src/lxc/attach.c | 29 ++---------------------------
1 file changed, 2 insertions(+), 27 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 77da7bb45..9b98d842b 100644
index 77da7bb45..65c953298 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload)
@@ -1841,45 +1841,21 @@ int lxc_attach_run_command(void *payload)
int lxc_attach_run_shell(void* payload)
{
@ -26,10 +26,10 @@ index 77da7bb45..9b98d842b 100644
- struct passwd *pwentp = NULL;
char *user_shell;
- ssize_t bufsize;
int ret;
- int ret;
/* Ignore payload parameter. */
@@ -1854,32 +1850,13 @@ int lxc_attach_run_shell(void* payload)
(void)payload;
uid = getuid();
@ -63,7 +63,7 @@ index 77da7bb45..9b98d842b 100644
if (user_shell)
execlp(user_shell, user_shell, (char *)NULL);
@@ -1889,8 +1866,7 @@ int lxc_attach_run_shell(void* payload)
@@ -1889,8 +1865,7 @@ int lxc_attach_run_shell(void* payload)
execlp("/bin/sh", "/bin/sh", (char *)NULL);
SYSERROR("Failed to execute shell");


@ -1,33 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:08:41 +0200
Subject: [PATCH lxc] doc:
s/lxc.cgroup.container.namespace/lxc.cgroup.container.inner/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
doc/lxc.container.conf.sgml.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 0fda37b5e..988b846e4 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
exclusive with <option>lxc.cgroup.dir</option>.
Note that the final path the container attaches to may be
extended further by the
- <option>lxc.cgroup.dir.container.namespace</option> option.
+ <option>lxc.cgroup.dir.container.inner</option> option.
</para>
</listitem>
</varlistentry>
@@ -1830,7 +1830,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</varlistentry>
<varlistentry>
<term>
- <option>lxc.cgroup.dir.container.namespace</option>
+ <option>lxc.cgroup.dir.container.inner</option>
</term>
<listitem>
<para>


@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:10:58 +0200
Subject: [PATCH lxc] confile: coding style fixes for
set_config_cgroup_container_inner_dir()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/confile.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 0929ba165..0fdd4fa01 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
void *data)
{
if (lxc_config_value_empty(value))
- return clr_config_cgroup_container_inner_dir(key, lxc_conf,
- NULL);
+ return clr_config_cgroup_container_inner_dir(key, lxc_conf, NULL);
if (strchr(value, '/') ||
strcmp(value, ".") == 0 ||
strcmp(value, "..") == 0)
- {
- ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
- return -1;
- }
+ return log_error_errno(-EINVAL, EINVAL, "lxc.cgroup.dir.container.inner must be a single directory name");
- return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
- value);
+ return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir, value);
}
static int set_config_cgroup_relative(const char *key, const char *value,


@ -1,39 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 4 Apr 2020 12:07:43 +0200
Subject: [PATCH lxc] api-extensions: add and document
cgroup_advanced_isolation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
doc/api-extensions.md | 4 ++++
src/lxc/api_extensions.h | 1 +
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 98686f9ed..fe1b1bdb7 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
Whether the seccomp notify proxy sends a long a notify fd file descriptor.
+## cgroup\_advanced\_isolation
+
+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+
## idmapped\_mounts
Whether this LXC instance can handle idmapped mounts for the rootfs.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index d99adacbe..a10f2e5f3 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -45,6 +45,7 @@ static char *api_extensions[] = {
"seccomp_notify_fd_active",
"seccomp_proxy_send_notify_fd",
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
+ "cgroup_advanced_isolation",
"idmapped_mounts",
"idmapped_mounts_v2",
"core_scheduling",


@ -1,81 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Sun, 5 Apr 2020 21:18:59 +0900
Subject: [PATCH lxc] doc: Add
lxc.cgroup.dir.{monitor,container,container.inner} to Japanese man
Update for commit a900cba
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---
doc/ja/lxc.container.conf.sgml.in | 57 +++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index c4d6c962e..0dd6dc487 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -2425,6 +2425,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ This is similar to <option>lxc.cgroup.dir</option>, but must be
+ used together with <option>lxc.cgroup.dir.monitor</option> and
+ affects only the container's cgroup path. This option is mutually
+ exclusive with <option>lxc.cgroup.dir</option>.
+ Note that the final path the container attaches to may be
+ extended further by the
+ <option>lxc.cgroup.dir.container.inner</option> option.
+ -->
+ これは <option>lxc.cgroup.dir</option> と同様の設定ですが、かならず <option>lxc.cgroup.dir.monitor</option> と同時に使わなければなりません。そして、設定はコンテナの cgroup パスにのみ影響を与えます。このオプションは <option>lxc.cgroup.dir</option> と同時に設定できません。コンテナがアタッチされる最終的なパスは <option>lxc.cgroup.dir.container.inner</option> オプションによりさらに変更される可能性があります。
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.monitor</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ This is the monitor process counterpart to
+ <option>lxc.cgroup.dir.container</option>.
+ -->
+ このオプションは、モニタプロセスに対して<option>lxc.cgroup.dir.container</option> と同様の働きをします。
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container.inner</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ Specify an additional subdirectory where the cgroup namespace
+ will be created. With this option, the cgroup limits will be
+ applied to the outer path specified in
+ <option>lxc.cgroup.dir.container</option>, which is not accessible
+ from within the container, making it possible to better enforce
+ limits for privileged containers in a way they cannot override
+ them.
+ This only works in conjunction with the
+ <option>lxc.cgroup.dir.container</option> and
+ <option>lxc.cgroup.dir.monitor</option> options and has otherwise
+ no effect.
+ -->
+ cgroup 名前空間が作られる追加のサブディレクトリを指定します。このオプションを使うと、cgroup の制限は <option>lxc.cgroup.dir.container</option> で指定した外部パスに適用されます。<option>lxc.cgroup.dir.container</option> はコンテナ内部からアクセスできないため、特権コンテナに対する制限を上書きできない方法でよりよい方法で強制できます。
+ このオプションは <option>lxc.cgroup.dir.container</option> と <option>lxc.cgroup.dir.monitor</option> と同時に指定したときのみ機能し、それ以外の場合は効果がありません。
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>lxc.cgroup.relative</option>

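--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,9 +1,3 @@
-pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
-pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
-pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
-pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch
-pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch
-pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
-pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
-pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
-pve/0009-PVE-Config-attach-always-use-getent.patch
+pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
+pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
+pve/0003-PVE-Config-attach-always-use-getent.patch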