update to lxc-4.0.6

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch

@@ -10,14 +10,12 @@ can be avoided by leaving it running permanently.
 
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
- .gitignore                                  |  1 +
- config/init/systemd/Makefile.am             | 10 ++--
- config/init/systemd/lxc-monitord.service.in | 12 +++++
- configure.ac                                |  1 +
- lxc.spec.in                                 |  1 +
- src/lxc/cmd/lxc_monitord.c                  | 60 +++++++++++++++------
- 6 files changed, 64 insertions(+), 21 deletions(-)
- create mode 100644 config/init/systemd/lxc-monitord.service.in
+ .gitignore                      |  1 +
+ config/init/systemd/Makefile.am | 10 +++---
+ configure.ac                    |  1 +
+ lxc.spec.in                     |  1 +
+ src/lxc/cmd/lxc_monitord.c      | 60 +++++++++++++++++++++++----------
+ 5 files changed, 52 insertions(+), 21 deletions(-)
 
 diff --git a/.gitignore b/.gitignore
 index 3cff48d96..44345454f 100644
@@ -61,29 +59,11 @@ index c448850d1..4a4fde5e7 100644
  	rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
  
  pkglibexec_SCRIPTS = lxc-apparmor-load
-diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
-new file mode 100644
-index 000000000..406351688
---- /dev/null
-+++ b/config/init/systemd/lxc-monitord.service.in
-@@ -0,0 +1,12 @@
-+[Unit]
-+Description=LXC Container Monitoring Daemon
-+After=syslog.service network.target
-+
-+[Service]
-+Type=simple
-+ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon
-+StandardOutput=syslog
-+StandardError=syslog
-+
-+[Install]
-+WantedBy=multi-user.target
 diff --git a/configure.ac b/configure.ac
-index 059d57d38..c88a2f737 100644
+index d32fecc06..1dd916248 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -837,6 +837,7 @@ AC_CONFIG_FILES([
+@@ -842,6 +842,7 @@ AC_CONFIG_FILES([
  	config/init/systemd/lxc.service
  	config/init/systemd/lxc@.service
  	config/init/systemd/lxc-net.service

debian/patches/pve/0002-doc-introduce-lxc.cgroup.dir.-monitor-container-cont.patch

@@ -1,7 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Thu, 2 Apr 2020 10:01:37 +0200
-Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner}
+Subject: [PATCH] [doc] introduce
+ lxc.cgroup.dir.{monitor,container,container.inner}
 
 This is a new approach to #1302 with a container-side
 configuration instead of a global boolean flag.
@@ -29,7 +30,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  4 files changed, 177 insertions(+), 2 deletions(-)
 
 diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index 3ed71c214..a9c87fe2a 100644
+index 3e0e55cee..4011f5734 100644
 --- a/doc/lxc.container.conf.sgml.in
 +++ b/doc/lxc.container.conf.sgml.in
 @@ -1571,6 +1571,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -87,10 +88,10 @@ index 3ed71c214..a9c87fe2a 100644
            <term>
              <option>lxc.cgroup.relative</option>
 diff --git a/src/lxc/commands.c b/src/lxc/commands.c
-index b6ae101fc..44714f9ba 100644
+index 3046587c7..a9a03ca2c 100644
 --- a/src/lxc/commands.c
 +++ b/src/lxc/commands.c
-@@ -622,7 +622,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req,
+@@ -719,7 +719,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req,
  						struct lxc_handler *handler,
  						struct lxc_epoll_descr *descr)
  {
@@ -99,7 +100,7 @@ index b6ae101fc..44714f9ba 100644
  }
  
  /*
-@@ -1472,7 +1472,8 @@ static int lxc_cmd_get_limiting_cgroup2_fd_callback(int fd,
+@@ -1569,7 +1569,8 @@ static int lxc_cmd_get_limiting_cgroup2_fd_callback(int fd,
  						    struct lxc_handler *handler,
  						    struct lxc_epoll_descr *descr)
  {
@@ -110,10 +111,10 @@ index b6ae101fc..44714f9ba 100644
  
  static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 00789961c..4aafca3cb 100644
+index ae4972551..f1f01898f 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
-@@ -3750,6 +3750,9 @@ void lxc_conf_free(struct lxc_conf *conf)
+@@ -3844,6 +3844,9 @@ void lxc_conf_free(struct lxc_conf *conf)
  	lxc_clear_apparmor_raw(conf);
  	lxc_clear_namespace(conf);
  	free(conf->cgroup_meta.dir);
@@ -124,7 +125,7 @@ index 00789961c..4aafca3cb 100644
  	free(conf->shmount.path_host);
  	free(conf->shmount.path_cont);
 diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 4c27e7d4b..899dcd454 100644
+index da0da5ff9..dab5aaca2 100644
 --- a/src/lxc/confile.c
 +++ b/src/lxc/confile.c
 @@ -71,6 +71,9 @@ lxc_config_define(cap_keep);
@@ -147,7 +148,7 @@ index 4c27e7d4b..899dcd454 100644
  	{ "lxc.cgroup.dir",                set_config_cgroup_dir,                  get_config_cgroup_dir,                  clr_config_cgroup_dir,                },
  	{ "lxc.cgroup.relative",           set_config_cgroup_relative,             get_config_cgroup_relative,             clr_config_cgroup_relative,           },
  	{ "lxc.cgroup",                    set_config_cgroup_controller,           get_config_cgroup_controller,           clr_config_cgroup_controller,         },
-@@ -1725,6 +1731,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
+@@ -1687,6 +1693,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
  	return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
  }
  
@@ -196,7 +197,7 @@ index 4c27e7d4b..899dcd454 100644
  static int set_config_cgroup_relative(const char *key, const char *value,
  				      struct lxc_conf *lxc_conf, void *data)
  {
-@@ -3648,6 +3696,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
+@@ -3498,6 +3546,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
  	return fulllen;
  }
  
@@ -255,7 +256,7 @@ index 4c27e7d4b..899dcd454 100644
  static inline int get_config_cgroup_relative(const char *key, char *retv,
  					     int inlen, struct lxc_conf *lxc_conf,
  					     void *data)
-@@ -4462,6 +4562,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
+@@ -4308,6 +4408,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
  	return 0;
  }
  

debian/patches/pve/0002-systemd-Add-Documentation-key.patch

@@ -1,25 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>
-Date: Wed, 1 Apr 2020 16:57:15 -0400
-Subject: [PATCH] systemd: Add Documentation key
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
----
- config/init/systemd/lxc-monitord.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
-index 406351688..f528a6099 100644
---- a/config/init/systemd/lxc-monitord.service.in
-+++ b/config/init/systemd/lxc-monitord.service.in
-@@ -1,6 +1,7 @@
- [Unit]
- Description=LXC Container Monitoring Daemon
- After=syslog.service network.target
-+Documentation=man:lxc
- 
- [Service]
- Type=simple

debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch

@@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index a9c87fe2a..338903d66 100644
+index 4011f5734..006dcad92 100644
 --- a/doc/lxc.container.conf.sgml.in
 +++ b/doc/lxc.container.conf.sgml.in
 @@ -1583,7 +1583,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch

@@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  1 file changed, 3 insertions(+), 8 deletions(-)
 
 diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 899dcd454..1abb23ef5 100644
+index dab5aaca2..3a388fed1 100644
 --- a/src/lxc/confile.c
 +++ b/src/lxc/confile.c
-@@ -1758,19 +1758,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
+@@ -1720,19 +1720,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
  						 void *data)
  {
  	if (lxc_config_value_empty(value))

debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch

@@ -10,25 +10,25 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  2 files changed, 5 insertions(+)
 
 diff --git a/doc/api-extensions.md b/doc/api-extensions.md
-index 5767583af..e8b5eb089 100644
+index 4756be3dc..24dea8c9d 100644
 --- a/doc/api-extensions.md
 +++ b/doc/api-extensions.md
-@@ -118,3 +118,7 @@ This adds a new API function `init_pidfd()` which allows to retrieve a pidfd for
- ## pidfd
+@@ -135,3 +135,7 @@ Retrieve the seccomp notifier fd from a running container.
+ ## seccomp\_proxy\_send\_notify\_fd
  
- When running on kernels that support pidfds LXC will rely on them for most operations. This makes interacting with containers not just more reliable it also makes it significantly safer and eliminates various races inherent to PID-based kernel APIs. LXC will require that the running kernel at least support `pidfd_send_signal()`, `CLONE_PIDFD`, `P_PIDFD`, and pidfd polling support. Any kernel starting with `Linux 5.4` should have full support for pidfds.
+ Whether the seccomp notify proxy sends a long a notify fd file descriptor.
 +
 +## cgroup\_advanced\_isolation
 +
 +Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
 diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
-index 3afdc35b9..b69467f26 100644
+index 513b774f0..303abd631 100644
 --- a/src/lxc/api_extensions.h
 +++ b/src/lxc/api_extensions.h
-@@ -39,6 +39,7 @@ static char *api_extensions[] = {
- #endif
- 	"cgroup2",
- 	"pidfd",
+@@ -43,6 +43,7 @@ static char *api_extensions[] = {
+ 	"devpts_fd",
+ 	"seccomp_notify_fd_active",
+ 	"seccomp_proxy_send_notify_fd",
 +	"cgroup_advanced_isolation",
  };
  

debian/patches/pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch

@@ -12,7 +12,7 @@ Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  1 file changed, 57 insertions(+)
 
 diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
-index 38b623243..7a65e3fe4 100644
+index fd6fb18e3..2c77d4ea3 100644
 --- a/doc/ja/lxc.container.conf.sgml.in
 +++ b/doc/ja/lxc.container.conf.sgml.in
 @@ -2099,6 +2099,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>

debian/patches/pve/0007-confile-fix-jump-table-order.patch

@@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 1abb23ef5..13ebdd059 100644
+index 3a388fed1..34d85e788 100644
 --- a/src/lxc/confile.c
 +++ b/src/lxc/confile.c
 @@ -174,8 +174,8 @@ static struct lxc_config_t config_jump_table[] = {

debian/patches/pve/0008-cgroups-adhere-to-boolean-return.patch

@@ -9,10 +9,10 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  1 file changed, 3 insertions(+), 5 deletions(-)
 
 diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 603940683..6c64c996c 100644
+index 303c2f6ab..56bb005de 100644
 --- a/src/lxc/cgroups/cgfsng.c
 +++ b/src/lxc/cgroups/cgfsng.c
-@@ -1196,11 +1196,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
+@@ -1195,11 +1195,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
  		 * line, which is not possible once a subdirectory has been
  		 * created.
  		 */

debian/patches/pve/0009-PVE-Config-lxc.service-start-after-a-potential-syslo.patch

@@ -12,7 +12,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
-index e3745dc2d..fbe46f1d7 100644
+index 397a6c4d0..6924374d9 100644
 --- a/config/init/systemd/lxc.service.in
 +++ b/config/init/systemd/lxc.service.in
 @@ -1,6 +1,6 @@

debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch

@@ -1,25 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Sun, 5 Apr 2020 16:12:45 +0200
-Subject: [PATCH] get the right path in get_cgroup command
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/commands.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lxc/commands.c b/src/lxc/commands.c
-index 44714f9ba..d735b5ff6 100644
---- a/src/lxc/commands.c
-+++ b/src/lxc/commands.c
-@@ -592,8 +592,8 @@ static int lxc_cmd_get_cgroup_callback_do(int fd, struct lxc_cmd_req *req,
- 		reqdata = NULL;
- 	}
- 
--	get_fn = (limiting_cgroup ? cgroup_ops->get_cgroup
--				  : cgroup_ops->get_limiting_cgroup);
-+	get_fn = (limiting_cgroup ? cgroup_ops->get_limiting_cgroup
-+				  : cgroup_ops->get_cgroup);
- 
- 	path = get_fn(cgroup_ops, reqdata);
- 

debian/patches/pve/0011-PVE-Config-attach-always-use-getent.patch

@@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  1 file changed, 2 insertions(+), 26 deletions(-)
 
 diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index 38e16f2d1..34d64c196 100644
+index befa1580e..7a325f5b1 100644
 --- a/src/lxc/attach.c
 +++ b/src/lxc/attach.c
-@@ -1452,12 +1452,8 @@ int lxc_attach_run_command(void *payload)
+@@ -1444,12 +1444,8 @@ int lxc_attach_run_command(void *payload)
  
  int lxc_attach_run_shell(void* payload)
  {
@@ -29,7 +29,7 @@ index 38e16f2d1..34d64c196 100644
  	int ret;
  
  	/* Ignore payload parameter. */
-@@ -1465,32 +1461,13 @@ int lxc_attach_run_shell(void* payload)
+@@ -1457,32 +1453,13 @@ int lxc_attach_run_shell(void* payload)
  
  	uid = getuid();
  
@@ -63,7 +63,7 @@ index 38e16f2d1..34d64c196 100644
  	if (user_shell)
  		execlp(user_shell, user_shell, (char *)NULL);
  
-@@ -1500,8 +1477,7 @@ int lxc_attach_run_shell(void* payload)
+@@ -1492,8 +1469,7 @@ int lxc_attach_run_shell(void* payload)
  	execlp("/bin/sh", "/bin/sh", (char *)NULL);
  
  	SYSERROR("Failed to execute shell");

debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch

@@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stoiko Ivanov <s.ivanov@proxmox.com>
-Date: Wed, 22 Jul 2020 12:17:24 +0200
-Subject: [PATCH] apparmor: Allow ro remount of boot_id
-
-The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
-necessary mount calls for /proc/sys/kernel/random/boot_id
-(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
-
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- config/apparmor/abstractions/start-container.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
-index 9998f1121..9f64c2727 100644
---- a/config/apparmor/abstractions/start-container.in
-+++ b/config/apparmor/abstractions/start-container.in
-@@ -22,6 +22,7 @@
-   mount -> /var/lib/lxc/{**,},
- 
-   mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
-+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
- 
-   # required for some pre-mount hooks
-   mount fstype=overlayfs,

debian/patches/series

@@ -1,14 +1,11 @@
 pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
-pve/0002-systemd-Add-Documentation-key.patch
-pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
-pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
-pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch
-pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
-pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
-pve/0008-confile-fix-jump-table-order.patch
-pve/0009-get-the-right-path-in-get_cgroup-command.patch
-pve/0010-cgroups-adhere-to-boolean-return.patch
-pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
-pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
-pve/0013-PVE-Config-attach-always-use-getent.patch
-pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch
+pve/0002-doc-introduce-lxc.cgroup.dir.-monitor-container-cont.patch
+pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
+pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch
+pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch
+pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
+pve/0007-confile-fix-jump-table-order.patch
+pve/0008-cgroups-adhere-to-boolean-return.patch
+pve/0009-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
+pve/0010-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
+pve/0011-PVE-Config-attach-always-use-getent.patch

lxc

@@ -1 +1 @@
-Subproject commit 6dc1208ded87c9b3db70aa43cca61857e0d19428
+Subproject commit 1048d5e1f63979b76a1088eb34cf0aba8b237506