
rebase on lxc-4.0.3 tag

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2020-07-31 11:07:51 +02:00
parent 799a3fe0ff
commit 080abced1d
19 changed files with 805 additions and 234 deletions


@ -1,68 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 15 May 2020 15:06:38 +0200
Subject: [PATCH] mainloop: add lxc_mainloop_add_handler_events
in order to be able to listen for EPOLLPRI
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/mainloop.c | 15 ++++++++++++---
src/lxc/mainloop.h | 4 ++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/lxc/mainloop.c b/src/lxc/mainloop.c
index 6d4c5935a..d5ae2a67a 100644
--- a/src/lxc/mainloop.c
+++ b/src/lxc/mainloop.c
@@ -59,8 +59,10 @@ int lxc_mainloop(struct lxc_epoll_descr *descr, int timeout_ms)
}
}
-int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
- lxc_mainloop_callback_t callback, void *data)
+int lxc_mainloop_add_handler_events(struct lxc_epoll_descr *descr, int fd,
+ int events,
+ lxc_mainloop_callback_t callback,
+ void *data)
{
__do_free struct mainloop_handler *handler = NULL;
__do_free struct lxc_list *item = NULL;
@@ -77,7 +79,7 @@ int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
handler->fd = fd;
handler->data = data;
- ev.events = EPOLLIN;
+ ev.events = events;
ev.data.ptr = handler;
if (epoll_ctl(descr->epfd, EPOLL_CTL_ADD, fd, &ev) < 0)
@@ -92,6 +94,13 @@ int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
return 0;
}
+int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
+ lxc_mainloop_callback_t callback, void *data)
+{
+ return lxc_mainloop_add_handler_events(descr, fd, EPOLLIN, callback,
+ data);
+}
+
int lxc_mainloop_del_handler(struct lxc_epoll_descr *descr, int fd)
{
struct mainloop_handler *handler;
diff --git a/src/lxc/mainloop.h b/src/lxc/mainloop.h
index 8afac60d3..e6ab9a6d9 100644
--- a/src/lxc/mainloop.h
+++ b/src/lxc/mainloop.h
@@ -22,6 +22,10 @@ typedef int (*lxc_mainloop_callback_t)(int fd, uint32_t event, void *data,
extern int lxc_mainloop(struct lxc_epoll_descr *descr, int timeout_ms);
+extern int lxc_mainloop_add_handler_events(struct lxc_epoll_descr *descr,
+ int fd, int events,
+ lxc_mainloop_callback_t callback,
+ void *data);
extern int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd,
lxc_mainloop_callback_t callback,
void *data);


@ -1,116 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 15 May 2020 15:07:07 +0200
Subject: [PATCH] cgfsng: deduplicate freeze code
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/cgroups/cgfsng.c | 65 ++++++++++++----------------------------
1 file changed, 19 insertions(+), 46 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 892fd915b..7136d27a8 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2042,7 +2042,11 @@ static int freezer_cgroup_events_cb(int fd, uint32_t events, void *cbdata,
return LXC_MAINLOOP_CONTINUE;
}
-static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
+static int cg_unified_freeze_do(struct cgroup_ops *ops, int timeout,
+ const char *state_string,
+ int state_num,
+ const char *epoll_error,
+ const char *wait_error)
{
__do_close int fd = -EBADF;
call_cleaner(lxc_mainloop_close) struct lxc_epoll_descr *descr_ptr = NULL;
@@ -2067,26 +2071,33 @@ static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
ret = lxc_mainloop_open(&descr);
if (ret)
- return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container freeze");
+ return log_error_errno(-1, errno, "%s", epoll_error);
/* automatically cleaned up now */
descr_ptr = &descr;
- ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){1}));
+ ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR(state_num));
if (ret < 0)
return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop");
}
- ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", "1", 1);
+ ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", state_string, 1);
if (ret < 0)
return log_error_errno(-1, errno, "Failed to open cgroup.freeze file");
if (timeout != 0 && lxc_mainloop(&descr, timeout))
- return log_error_errno(-1, errno, "Failed to wait for container to be frozen");
+ return log_error_errno(-1, errno, "%s", wait_error);
return 0;
}
+static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
+{
+ return cg_unified_freeze_do(ops, timeout, "1", 1,
+ "Failed to create epoll instance to wait for container freeze",
+ "Failed to wait for container to be frozen");
+}
+
__cgfsng_ops static int cgfsng_freeze(struct cgroup_ops *ops, int timeout)
{
if (!ops->hierarchies)
@@ -2112,47 +2123,9 @@ static int cg_legacy_unfreeze(struct cgroup_ops *ops)
static int cg_unified_unfreeze(struct cgroup_ops *ops, int timeout)
{
- __do_close int fd = -EBADF;
- call_cleaner(lxc_mainloop_close)struct lxc_epoll_descr *descr_ptr = NULL;
- int ret;
- struct lxc_epoll_descr descr;
- struct hierarchy *h;
-
- h = ops->unified;
- if (!h)
- return ret_set_errno(-1, ENOENT);
-
- if (!h->container_full_path)
- return ret_set_errno(-1, EEXIST);
-
- if (timeout != 0) {
- __do_free char *events_file = NULL;
-
- events_file = must_make_path(h->container_full_path, "cgroup.events", NULL);
- fd = open(events_file, O_RDONLY | O_CLOEXEC);
- if (fd < 0)
- return log_error_errno(-1, errno, "Failed to open cgroup.events file");
-
- ret = lxc_mainloop_open(&descr);
- if (ret)
- return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container unfreeze");
-
- /* automatically cleaned up now */
- descr_ptr = &descr;
-
- ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){0}));
- if (ret < 0)
- return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop");
- }
-
- ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", "0", 1);
- if (ret < 0)
- return log_error_errno(-1, errno, "Failed to open cgroup.freeze file");
-
- if (timeout != 0 && lxc_mainloop(&descr, timeout))
- return log_error_errno(-1, errno, "Failed to wait for container to be unfrozen");
-
- return 0;
+ return cg_unified_freeze_do(ops, timeout, "0", 0,
+ "Failed to create epoll instance to wait for container unfreeze",
+ "Failed to wait for container to be unfrozen");
}
__cgfsng_ops static int cgfsng_unfreeze(struct cgroup_ops *ops, int timeout)


@ -1,34 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 15 May 2020 15:07:35 +0200
Subject: [PATCH] cgfsng: use EPOLLPRI when polling cgroup.events
EPOLLIN will always be true and therefore end up
busy-looping
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/cgroups/cgfsng.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 7136d27a8..f7af7c0a5 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -27,6 +27,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/epoll.h>
#include <sys/types.h>
#include <unistd.h>
@@ -2076,7 +2077,7 @@ static int cg_unified_freeze_do(struct cgroup_ops *ops, int timeout,
/* automatically cleaned up now */
descr_ptr = &descr;
- ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR(state_num));
+ ret = lxc_mainloop_add_handler_events(&descr, fd, EPOLLPRI, freezer_cgroup_events_cb, INT_TO_PTR(state_num));
if (ret < 0)
return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop");
}


@ -0,0 +1,204 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 31 Mar 2020 15:22:42 +0200
Subject: [PATCH] allow running lxc-monitord as a system daemon
lxc-monitord instances are spawned on demand and, if this
happens from a service, the daemon is considered part of
it by systemd, as it is running in the same cgroups. This
can be avoided by leaving it running permanently.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
.gitignore | 1 +
config/init/systemd/Makefile.am | 10 ++--
config/init/systemd/lxc-monitord.service.in | 12 +++++
configure.ac | 1 +
lxc.spec.in | 1 +
src/lxc/cmd/lxc_monitord.c | 60 +++++++++++++++------
6 files changed, 64 insertions(+), 21 deletions(-)
create mode 100644 config/init/systemd/lxc-monitord.service.in
diff --git a/.gitignore b/.gitignore
index 3cff48d96..44345454f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -120,6 +120,7 @@ config/bash/lxc
config/init/common/lxc-containers
config/init/common/lxc-net
config/init/systemd/lxc-autostart-helper
+config/init/systemd/lxc-monitord.service
config/init/systemd/lxc-net.service
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
index c448850d1..4a4fde5e7 100644
--- a/config/init/systemd/Makefile.am
+++ b/config/init/systemd/Makefile.am
@@ -2,19 +2,21 @@ EXTRA_DIST = \
lxc-apparmor-load \
lxc.service.in \
lxc@.service.in \
- lxc-net.service.in
+ lxc-net.service.in \
+ lxc-monitord.service.in
if INIT_SCRIPT_SYSTEMD
-BUILT_SOURCES = lxc.service lxc@.service lxc-net.service
+BUILT_SOURCES = lxc.service lxc@.service lxc-net.service lxc-monitord.service
-install-systemd: lxc.service lxc@.service lxc-net.service lxc-apparmor-load
+install-systemd: lxc.service lxc@.service lxc-net.service lxc-monitord.service lxc-apparmor-load
$(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
- $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
+ $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service lxc-monitord.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
uninstall-systemd:
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc.service
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc@.service
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
+ rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-monitord.service
rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
new file mode 100644
index 000000000..406351688
--- /dev/null
+++ b/config/init/systemd/lxc-monitord.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=LXC Container Monitoring Daemon
+After=syslog.service network.target
+
+[Service]
+Type=simple
+ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/configure.ac b/configure.ac
index 059d57d38..c88a2f737 100644
--- a/configure.ac
+++ b/configure.ac
@@ -837,6 +837,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
+ config/init/systemd/lxc-monitord.service
config/init/sysvinit/Makefile
config/init/sysvinit/lxc-containers
config/init/sysvinit/lxc-net
diff --git a/lxc.spec.in b/lxc.spec.in
index ec6321c33..ea6789fb6 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -251,6 +251,7 @@ fi
%{_unitdir}/lxc-net.service
%{_unitdir}/lxc.service
%{_unitdir}/lxc@.service
+%{_unitdir}/lxc-monitord.service
%else
%{_sysconfdir}/rc.d/init.d/lxc
%{_sysconfdir}/rc.d/init.d/lxc-net
diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c
index bcb289ca6..da7db2820 100644
--- a/src/lxc/cmd/lxc_monitord.c
+++ b/src/lxc/cmd/lxc_monitord.c
@@ -338,17 +338,44 @@ static void lxc_monitord_sig_handler(int sig)
int main(int argc, char *argv[])
{
- int ret, pipefd;
+ int ret, pipefd = -1;
char logpath[PATH_MAX];
sigset_t mask;
- char *lxcpath = argv[1];
+ const char *lxcpath = NULL;
bool mainloop_opened = false;
bool monitord_created = false;
+ bool persistent = false;
struct lxc_log log;
- if (argc != 3) {
+ if (argc > 1 && !strcmp(argv[1], "--daemon")) {
+ persistent = true;
+ --argc;
+ ++argv;
+ }
+
+ if (argc > 1) {
+ lxcpath = argv[1];
+ --argc;
+ ++argv;
+ } else {
+ lxcpath = lxc_global_config_value("lxc.lxcpath");
+ if (!lxcpath) {
+ ERROR("Failed to get default lxcpath");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (argc > 1) {
+ if (lxc_safe_int(argv[1], &pipefd) < 0)
+ exit(EXIT_FAILURE);
+ --argc;
+ ++argv;
+ }
+
+ if (argc != 1 || (persistent != (pipefd == -1))) {
fprintf(stderr,
- "Usage: lxc-monitord lxcpath sync-pipe-fd\n\n"
+ "Usage: lxc-monitord lxcpath sync-pipe-fd\n"
+ " lxc-monitord --daemon lxcpath\n\n"
"NOTE: lxc-monitord is intended for use by lxc internally\n"
" and does not need to be run by hand\n\n");
exit(EXIT_FAILURE);
@@ -371,9 +398,6 @@ int main(int argc, char *argv[])
INFO("Failed to open log file %s, log will be lost", lxcpath);
lxc_log_options_no_override();
- if (lxc_safe_int(argv[2], &pipefd) < 0)
- exit(EXIT_FAILURE);
-
if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) ||
@@ -406,15 +430,17 @@ int main(int argc, char *argv[])
goto on_error;
monitord_created = true;
- /* sync with parent, we're ignoring the return from write
- * because regardless if it works or not, the following
- * close will sync us with the parent process. the
- * if-empty-statement construct is to quiet the
- * warn-unused-result warning.
- */
- if (lxc_write_nointr(pipefd, "S", 1))
- ;
- close(pipefd);
+ if (pipefd != -1) {
+ /* sync with parent, we're ignoring the return from write
+ * because regardless if it works or not, the following
+ * close will sync us with the parent process. the
+ * if-empty-statement construct is to quiet the
+ * warn-unused-result warning.
+ */
+ if (lxc_write_nointr(pipefd, "S", 1))
+ ;
+ close(pipefd);
+ }
if (lxc_monitord_mainloop_add(&monitor)) {
ERROR("Failed to add mainloop handlers");
@@ -425,7 +451,7 @@ int main(int argc, char *argv[])
lxc_raw_getpid(), monitor.lxcpath);
for (;;) {
- ret = lxc_mainloop(&monitor.descr, 1000 * 30);
+ ret = lxc_mainloop(&monitor.descr, persistent ? -1 : 1000 * 30);
if (ret) {
ERROR("mainloop returned an error");
break;
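Review bot: The new sync-pipe-fd parsing exits silently when the argument is not an integer (`if (lxc_safe_int(argv[1], &pipefd) < 0) exit(EXIT_FAILURE);`), while every other argument error in this block falls through to the usage text; since argc is only decremented after a successful parse, simply not exiting there — `if (lxc_safe_int(argv[1], &pipefd) == 0) { --argc; ++argv; }` — lets the existing `argc != 1` usage check report a mistyped invocation instead. The consistency test `persistent != (pipefd == -1)` is terse enough to deserve a comment such as `/* exactly one of --daemon or sync-pipe-fd must be given */`. If lxc_safe_int accepts negative numbers (it appears to parse a signed int, which I cannot confirm from the hunk), any negative value other than -1 passes that test and later reaches `lxc_write_nointr` and `close` with an invalid descriptor; harmless because the result is ignored, but `pipefd < 0` would be the cleaner rejection. main() continues outside the hunk.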


@ -0,0 +1,25 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>
Date: Wed, 1 Apr 2020 16:57:15 -0400
Subject: [PATCH] systemd: Add Documentation key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
---
config/init/systemd/lxc-monitord.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
index 406351688..f528a6099 100644
--- a/config/init/systemd/lxc-monitord.service.in
+++ b/config/init/systemd/lxc-monitord.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=LXC Container Monitoring Daemon
After=syslog.service network.target
+Documentation=man:lxc
[Service]
Type=simple


@ -0,0 +1,288 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 2 Apr 2020 10:01:37 +0200
Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner}
This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.
Contrary to the previous PR using an optional additional
parameter for the get-cgroup command, this introduces two
new additional commands to get the limiting cgroup path and
cgroup2 file descriptor. If the limiting option is not in
use, these behave identical to their full-path counterparts.
If these variables are used the payload will end up in the
concatenation of lxc.cgroup.dir.container and
lxc.cgroup.dir.container.inner (which may be empty), and the
monitor will end up in lxc.cgruop.dir.monitor. The
directories are fixed, no retry count logic is applied,
failing to create these directories will simply be a hard
error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
doc/lxc.container.conf.sgml.in | 47 +++++++++++++
src/lxc/commands.c | 5 +-
src/lxc/conf.c | 3 +
src/lxc/confile.c | 124 +++++++++++++++++++++++++++++++++
4 files changed, 177 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 3ed71c214..a9c87fe2a 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1571,6 +1571,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container</option>
+ </term>
+ <listitem>
+ <para>
+ This is similar to <option>lxc.cgroup.dir</option>, but must be
+ used together with <option>lxc.cgroup.dir.monitor</option> and
+ affects only the container's cgroup path. This option is mutually
+ exclusive with <option>lxc.cgroup.dir</option>.
+ Note that the final path the container attaches to may be
+ extended further by the
+ <option>lxc.cgroup.dir.container.namespace</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.monitor</option>
+ </term>
+ <listitem>
+ <para>
+ This is the monitor process counterpart to
+ <option>lxc.cgroup.dir.container</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container.namespace</option>
+ </term>
+ <listitem>
+ <para>
+ Specify an additional subdirectory where the cgroup namespace
+ will be created. With this option, the cgroup limits will be
+ applied to the outer path specified in
+ <option>lxc.cgroup.dir.container</option>, which is not accessible
+ from within the container, making it possible to better enforce
+ limits for privileged containers in a way they cannot override
+ them.
+ This only works in conjunction with the
+ <option>lxc.cgroup.dir.container</option> and
+ <option>lxc.cgroup.dir.monitor</option> options and has otherwise
+ no effect.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>lxc.cgroup.relative</option>
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index b6ae101fc..44714f9ba 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -622,7 +622,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req,
struct lxc_handler *handler,
struct lxc_epoll_descr *descr)
{
- return ret_errno(ENOSYS);
+ return lxc_cmd_get_cgroup_callback_do(fd, req, handler, descr, true);
}
/*
@@ -1472,7 +1472,8 @@ static int lxc_cmd_get_limiting_cgroup2_fd_callback(int fd,
struct lxc_handler *handler,
struct lxc_epoll_descr *descr)
{
- return ret_errno(ENOSYS);
+ return lxc_cmd_get_cgroup2_fd_callback_do(fd, req, handler, descr,
+ true);
}
static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 00789961c..4aafca3cb 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3750,6 +3750,9 @@ void lxc_conf_free(struct lxc_conf *conf)
lxc_clear_apparmor_raw(conf);
lxc_clear_namespace(conf);
free(conf->cgroup_meta.dir);
+ free(conf->cgroup_meta.monitor_dir);
+ free(conf->cgroup_meta.container_dir);
+ free(conf->cgroup_meta.namespace_dir);
free(conf->cgroup_meta.controllers);
free(conf->shmount.path_host);
free(conf->shmount.path_cont);
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 4c27e7d4b..899dcd454 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -71,6 +71,9 @@ lxc_config_define(cap_keep);
lxc_config_define(cgroup_controller);
lxc_config_define(cgroup2_controller);
lxc_config_define(cgroup_dir);
+lxc_config_define(cgroup_monitor_dir);
+lxc_config_define(cgroup_container_dir);
+lxc_config_define(cgroup_container_inner_dir);
lxc_config_define(cgroup_relative);
lxc_config_define(console_buffer_size);
lxc_config_define(console_logfile);
@@ -170,6 +173,9 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.drop", set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
{ "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
+ { "lxc.cgroup.dir.monitor", set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
+ { "lxc.cgroup.dir.container", set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
+ { "lxc.cgroup.dir.container.inner",set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir,},
{ "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
@@ -1725,6 +1731,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
}
+static int set_config_cgroup_monitor_dir(const char *key, const char *value,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_monitor_dir(key, lxc_conf, NULL);
+
+ return set_config_string_item(&lxc_conf->cgroup_meta.monitor_dir,
+ value);
+}
+
+static int set_config_cgroup_container_dir(const char *key, const char *value,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_container_dir(key, lxc_conf, NULL);
+
+ return set_config_string_item(&lxc_conf->cgroup_meta.container_dir,
+ value);
+}
+
+static int set_config_cgroup_container_inner_dir(const char *key,
+ const char *value,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_container_inner_dir(key, lxc_conf,
+ NULL);
+
+ if (strchr(value, '/') ||
+ strcmp(value, ".") == 0 ||
+ strcmp(value, "..") == 0)
+ {
+ ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
+ return -1;
+ }
+
+ return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
+ value);
+}
+
static int set_config_cgroup_relative(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
@@ -3648,6 +3696,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen;
}
+static int get_config_cgroup_monitor_dir(const char *key, char *retv, int inlen,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ int len;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.monitor_dir);
+
+ return fulllen;
+}
+
+static int get_config_cgroup_container_dir(const char *key, char *retv,
+ int inlen,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ int len;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.container_dir);
+
+ return fulllen;
+}
+
+static int get_config_cgroup_container_inner_dir(const char *key, char *retv,
+ int inlen,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ int len;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.namespace_dir);
+
+ return fulllen;
+}
+
static inline int get_config_cgroup_relative(const char *key, char *retv,
int inlen, struct lxc_conf *lxc_conf,
void *data)
@@ -4462,6 +4562,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0;
}
+static int clr_config_cgroup_monitor_dir(const char *key,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ free_disarm(lxc_conf->cgroup_meta.monitor_dir);
+ return 0;
+}
+
+static int clr_config_cgroup_container_dir(const char *key,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ free_disarm(lxc_conf->cgroup_meta.container_dir);
+ return 0;
+}
+
+static int clr_config_cgroup_container_inner_dir(const char *key,
+ struct lxc_conf *lxc_conf,
+ void *data)
+{
+ free_disarm(lxc_conf->cgroup_meta.namespace_dir);
+ return 0;
+}
+
static inline int clr_config_cgroup_relative(const char *key,
struct lxc_conf *lxc_conf,
void *data)


@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:08:41 +0200
Subject: [PATCH] doc:
s/lxc.cgroup.container.namespace/lxc.cgroup.container.inner/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
doc/lxc.container.conf.sgml.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index a9c87fe2a..338903d66 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1583,7 +1583,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
exclusive with <option>lxc.cgroup.dir</option>.
Note that the final path the container attaches to may be
extended further by the
- <option>lxc.cgroup.dir.container.namespace</option> option.
+ <option>lxc.cgroup.dir.container.inner</option> option.
</para>
</listitem>
</varlistentry>
@@ -1600,7 +1600,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</varlistentry>
<varlistentry>
<term>
- <option>lxc.cgroup.dir.container.namespace</option>
+ <option>lxc.cgroup.dir.container.inner</option>
</term>
<listitem>
<para>


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:10:58 +0200
Subject: [PATCH] confile: coding style fixes for
set_config_cgroup_container_inner_dir()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/confile.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 899dcd454..1abb23ef5 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1758,19 +1758,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
void *data)
{
if (lxc_config_value_empty(value))
- return clr_config_cgroup_container_inner_dir(key, lxc_conf,
- NULL);
+ return clr_config_cgroup_container_inner_dir(key, lxc_conf, NULL);
if (strchr(value, '/') ||
strcmp(value, ".") == 0 ||
strcmp(value, "..") == 0)
- {
- ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
- return -1;
- }
+ return log_error_errno(-EINVAL, EINVAL, "lxc.cgroup.dir.container.inner must be a single directory name");
- return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
- value);
+ return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir, value);
}
static int set_config_cgroup_relative(const char *key, const char *value,
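Review bot: Replacing `ERROR(...); return -1;` with `return log_error_errno(-EINVAL, EINVAL, ...)` changes the setter's failure value from -1 to -EINVAL and also sets errno, so this is not purely a coding-style change; it is fine if the config-parsing callers only test for a negative result, which is worth confirming since the call sites are outside the hunk. If any caller compares against -1, `return log_error_errno(-1, EINVAL, "lxc.cgroup.dir.container.inner must be a single directory name");` keeps the old value while still logging. The enclosing function starts outside the hunk.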


@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 4 Apr 2020 12:07:43 +0200
Subject: [PATCH] api-extensions: add and document cgroup_advanced_isolation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
doc/api-extensions.md | 4 ++++
src/lxc/api_extensions.h | 1 +
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 5767583af..e8b5eb089 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -118,3 +118,7 @@ This adds a new API function `init_pidfd()` which allows to retrieve a pidfd for
## pidfd
When running on kernels that support pidfds LXC will rely on them for most operations. This makes interacting with containers not just more reliable it also makes it significantly safer and eliminates various races inherent to PID-based kernel APIs. LXC will require that the running kernel at least support `pidfd_send_signal()`, `CLONE_PIDFD`, `P_PIDFD`, and pidfd polling support. Any kernel starting with `Linux 5.4` should have full support for pidfds.
+
+## cgroup\_advanced\_isolation
+
+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 3afdc35b9..b69467f26 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -39,6 +39,7 @@ static char *api_extensions[] = {
#endif
"cgroup2",
"pidfd",
+ "cgroup_advanced_isolation",
};
static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);


@ -0,0 +1,81 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Sun, 5 Apr 2020 21:18:59 +0900
Subject: [PATCH] doc: Add lxc.cgroup.dir.{monitor,container,container.inner}
to Japanese man
Update for commit a900cba
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---
doc/ja/lxc.container.conf.sgml.in | 57 +++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 38b623243..7a65e3fe4 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -2099,6 +2099,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ This is similar to <option>lxc.cgroup.dir</option>, but must be
+ used together with <option>lxc.cgroup.dir.monitor</option> and
+ affects only the container's cgroup path. This option is mutually
+ exclusive with <option>lxc.cgroup.dir</option>.
+ Note that the final path the container attaches to may be
+ extended further by the
+ <option>lxc.cgroup.dir.container.inner</option> option.
+ -->
+ これは <option>lxc.cgroup.dir</option> と同様の設定ですが、かならず <option>lxc.cgroup.dir.monitor</option> と同時に使わなければなりません。そして、設定はコンテナの cgroup パスにのみ影響を与えます。このオプションは <option>lxc.cgroup.dir</option> と同時に設定できません。コンテナがアタッチされる最終的なパスは <option>lxc.cgroup.dir.container.inner</option> オプションによりさらに変更される可能性があります。
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.monitor</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ This is the monitor process counterpart to
+ <option>lxc.cgroup.dir.container</option>.
+ -->
+ このオプションは、モニタプロセスに対して<option>lxc.cgroup.dir.container</option> と同様の働きをします。
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir.container.inner</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ Specify an additional subdirectory where the cgroup namespace
+ will be created. With this option, the cgroup limits will be
+ applied to the outer path specified in
+ <option>lxc.cgroup.dir.container</option>, which is not accessible
+ from within the container, making it possible to better enforce
+ limits for privileged containers in a way they cannot override
+ them.
+ This only works in conjunction with the
+ <option>lxc.cgroup.dir.container</option> and
+ <option>lxc.cgroup.dir.monitor</option> options and has otherwise
+ no effect.
+ -->
+ cgroup 名前空間が作られる追加のサブディレクトリを指定します。このオプションを使うと、cgroup の制限は <option>lxc.cgroup.dir.container</option> で指定した外部パスに適用されます。<option>lxc.cgroup.dir.container</option> はコンテナ内部からアクセスできないため、特権コンテナに対する制限を上書きできない方法でよりよい方法で強制できます。
+ このオプションは <option>lxc.cgroup.dir.container</option> と <option>lxc.cgroup.dir.monitor</option> と同時に指定したときのみ機能し、それ以外の場合は効果がありません。
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>lxc.cgroup.relative</option>


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Sun, 5 Apr 2020 15:55:28 +0200
Subject: [PATCH] confile: fix jump table order
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/confile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 1abb23ef5..13ebdd059 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -174,8 +174,8 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
{ "lxc.cgroup.dir.monitor", set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
- { "lxc.cgroup.dir.container", set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
{ "lxc.cgroup.dir.container.inner",set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir,},
+ { "lxc.cgroup.dir.container", set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
{ "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
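Review bot: The reordering of `lxc.cgroup.dir.container` below `lxc.cgroup.dir.container.inner` fixes the lookup but leaves the ordering constraint undocumented in the table, so the next person who alphabetizes or appends an entry can reintroduce the bug. The commit title confirms that order matters, and the fact that `lxc.cgroup.dir` sits below both longer keys suggests the lookup matches by key prefix, though that cannot be confirmed from the hunk. Add a comment above the affected rows, for example `/* keep longer keys ahead of their prefixes (".container.inner" before ".container" before "lxc.cgroup.dir"): a shorter key placed first would capture the longer one */`. The `config_jump_table[]` definition begins outside the hunk, so the comment may belong at its head instead.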


@ -0,0 +1,25 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Sun, 5 Apr 2020 16:12:45 +0200
Subject: [PATCH] get the right path in get_cgroup command
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/commands.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 44714f9ba..d735b5ff6 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -592,8 +592,8 @@ static int lxc_cmd_get_cgroup_callback_do(int fd, struct lxc_cmd_req *req,
reqdata = NULL;
}
- get_fn = (limiting_cgroup ? cgroup_ops->get_cgroup
- : cgroup_ops->get_limiting_cgroup);
+ get_fn = (limiting_cgroup ? cgroup_ops->get_limiting_cgroup
+ : cgroup_ops->get_cgroup);
path = get_fn(cgroup_ops, reqdata);
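Review bot: The corrected ternary is the only thing distinguishing the two callbacks, and the previous version compiled cleanly with the branches inverted, so the selection deserves a comment stating the intent. Something like `/* limiting_cgroup: return the path where limits are enforced, not the one the container is attached to (they differ when lxc.cgroup.dir.container.inner is set) */`, which follows from the `lxc.cgroup.dir.container.inner` documentation added elsewhere in this commit but should be confirmed against the callers. `lxc_cmd_get_cgroup_callback_do` begins and ends outside the hunk.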


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 13 Apr 2020 14:39:18 +0200
Subject: [PATCH] cgroups: adhere to boolean return
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/cgroups/cgfsng.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 603940683..6c64c996c 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1196,11 +1196,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
* line, which is not possible once a subdirectory has been
* created.
*/
- if (string_in_list(h->controllers, "devices")) {
- ret = ops->setup_limits_legacy(ops, conf, true);
- if (ret < 0)
- return ret;
- }
+ if (string_in_list(h->controllers, "devices") &&
+ !ops->setup_limits_legacy(ops, conf, true))
+ return log_error(false, "Failed to setup legacy device limits");
}
ret = mkdir_eexist_on_last(path, 0755);
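Review bot: The removed branch tested a `bool` return with `ret < 0`, so a `false` from `setup_limits_legacy()` was never detected and cgroup creation continued without the device limits; the new condition closes that, but nothing in the code records why the check must look this way. The preceding block comment (its opening is outside the hunk) explains the ordering with respect to `mkdir` but not that a failure must abort; extend it with a sentence such as `* setup_limits_legacy() returns bool; a failure here must abort the whole creation, so never test its result with "< 0".`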


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
Subject: [PATCH lxc] PVE: [Config] lxc.service: start after a potential
Subject: [PATCH] PVE: [Config] lxc.service: start after a potential
syslog.service
We could add this as a snippet from pve-container instead.


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc
Subject: [PATCH] PVE: [Config] deny rw mounting of /sys and /proc
Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this.


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 13 Aug 2019 13:57:22 +0200
Subject: [PATCH lxc] PVE: [Config] attach: always use getent
Subject: [PATCH] PVE: [Config] attach: always use getent
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index bbf95bd5b..de3a98cf9 100644
index 38e16f2d1..34d64c196 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1456,12 +1456,8 @@ int lxc_attach_run_command(void *payload)
@@ -1452,12 +1452,8 @@ int lxc_attach_run_command(void *payload)
int lxc_attach_run_shell(void* payload)
{
@ -29,7 +29,7 @@ index bbf95bd5b..de3a98cf9 100644
int ret;
/* Ignore payload parameter. */
@@ -1469,32 +1465,13 @@ int lxc_attach_run_shell(void* payload)
@@ -1465,32 +1461,13 @@ int lxc_attach_run_shell(void* payload)
uid = getuid();
@ -63,7 +63,7 @@ index bbf95bd5b..de3a98cf9 100644
if (user_shell)
execlp(user_shell, user_shell, (char *)NULL);
@@ -1504,8 +1481,7 @@ int lxc_attach_run_shell(void* payload)
@@ -1500,8 +1477,7 @@ int lxc_attach_run_shell(void* payload)
execlp("/bin/sh", "/bin/sh", (char *)NULL);
SYSERROR("Failed to execute shell");


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov <s.ivanov@proxmox.com>
Date: Wed, 22 Jul 2020 12:17:24 +0200
Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
Subject: [PATCH] apparmor: Allow ro remount of boot_id
The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
necessary mount calls for /proc/sys/kernel/random/boot_id

21
debian/patches/series vendored

@ -1,7 +1,14 @@
pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0003-PVE-Config-attach-always-use-getent.patch
pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
extra/0001-mainloop-add-lxc_mainloop_add_handler_events.patch
extra/0002-cgfsng-deduplicate-freeze-code.patch
extra/0003-cgfsng-use-EPOLLPRI-when-polling-cgroup.events.patch
pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
pve/0002-systemd-Add-Documentation-key.patch
pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch
pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch
pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
pve/0008-confile-fix-jump-table-order.patch
pve/0009-get-the-right-path-in-get_cgroup-command.patch
pve/0010-cgroups-adhere-to-boolean-return.patch
pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0013-PVE-Config-attach-always-use-getent.patch
pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch

2
lxc

@ -1 +1 @@
Subproject commit 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec
Subproject commit 6dc1208ded87c9b3db70aa43cca61857e0d19428