
bump version to 3.0.0-1

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2018-03-28 13:53:28 +02:00
parent dc45ad08e4
commit 1513a0b50a
17 changed files with 247 additions and 791 deletions


@ -1,6 +1,6 @@
PACKAGE=lxc-pve
LXCVER=2.1.1
DEBREL=3
LXCVER=3.0.0
DEBREL=1
SRCDIR=lxc
BUILDSRC := $(SRCDIR).tmp

debian/changelog vendored

@ -1,3 +1,9 @@
lxc (3.0.0-1) unstable; urgency=medium
* update to lxc-3.0.0
-- Proxmox Support Team <support@proxmox.com> Wed, 28 Mar 2018 13:52:08 +0200
lxc (2.1.1-3) unstable; urgency=medium
* add pinned AppArmor feature set for pve-kernel-4.13.13-6-pve


@ -1,7 +1,7 @@
From 92f2489b28e79f7a67f45bc698f1d61785a6537d Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
Subject: [PATCH 01/13] lxc.service: start after a potential syslog.service
Subject: [PATCH] lxc.service: start after a potential syslog.service
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---


@ -1,7 +1,7 @@
From 6aecf604cf28c5164f3d957b0ad33bf03527fa26 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:15:37 +0100
Subject: [PATCH 02/13] pve: run lxcnetaddbr when instantiating veths
Subject: [PATCH] pve: run lxcnetaddbr when instantiating veths
FIXME: Why aren't we using regular up-scripts?
@ -11,12 +11,12 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 5 insertions(+)
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 909b7e58..c9b510f6 100644
index e31066cb..d136bad1 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -208,6 +208,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd
"veth", veth1, (char*) NULL);
if (err)
@@ -216,6 +216,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd
netdev->upscript, "up", argv);
if (err < 0)
goto out_delete;
+ } else if (netdev->link[0] == '\0') {
+ err = run_script(handler->name, "net", "/usr/share/lxc/lxcnetaddbr", "up",


@ -1,7 +1,7 @@
From 8c695baaff8d18a87233ffc119e8fd0495819dbe Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH 03/13] deny rw mounting of /sys and /proc
Subject: [PATCH] deny rw mounting of /sys and /proc
this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out


@ -1,7 +1,7 @@
From 6ebdc24c00b4dee75aebef3136469a5297e1d9ee Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 15 Nov 2016 09:20:24 +0100
Subject: [PATCH 04/13] separate the limiting from the namespaced cgroup root
Date: Wed, 28 Mar 2018 13:37:28 +0200
Subject: [PATCH] separate the limiting from the namespaced cgroup root
When cgroup namespaces are enabled a privileged container
with mixed cgroups has full write access to its own root
@ -14,126 +14,72 @@ being used in order to combat this.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/cgroups/cgfs.c | 19 ++++++++---
src/lxc/cgroups/cgfsng.c | 79 +++++++++++++++++++++++++++++++++++++--------
src/lxc/cgroups/cgmanager.c | 19 ++++++++---
src/lxc/cgroups/cgroup.c | 17 +++++-----
src/lxc/cgroups/cgroup.h | 22 ++++++++-----
src/lxc/commands.c | 76 ++++++++++++++++++++++++++++++++++---------
src/lxc/commands.h | 2 ++
src/lxc/criu.c | 4 +--
src/lxc/start.c | 27 ++++++++++++----
9 files changed, 204 insertions(+), 61 deletions(-)
src/lxc/cgroups/cgfsng.c | 88 +++++++++++++++++++++++++++++++++++++++---------
src/lxc/cgroups/cgroup.c | 17 +++++-----
src/lxc/cgroups/cgroup.h | 23 ++++++++-----
src/lxc/commands.c | 85 +++++++++++++++++++++++++++++++++++-----------
src/lxc/commands.h | 2 ++
src/lxc/criu.c | 4 +--
src/lxc/start.c | 28 +++++++++++----
7 files changed, 186 insertions(+), 61 deletions(-)
diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
index bcbd6613..573ccb25 100644
--- a/src/lxc/cgroups/cgfs.c
+++ b/src/lxc/cgroups/cgfs.c
@@ -2387,12 +2387,15 @@ static void cgfs_destroy(void *hdata, struct lxc_conf *conf)
free(d);
}
-static inline bool cgfs_create(void *hdata)
+static inline bool cgfs_create(void *hdata, bool inner)
{
struct cgfs_data *d = hdata;
struct cgroup_process_info *i;
struct cgroup_meta_data *md;
+ if (inner)
+ return true;
+
if (!d)
return false;
md = d->meta;
@@ -2403,12 +2406,15 @@ static inline bool cgfs_create(void *hdata)
return true;
}
-static inline bool cgfs_enter(void *hdata, pid_t pid)
+static inline bool cgfs_enter(void *hdata, pid_t pid, bool inner)
{
struct cgfs_data *d = hdata;
struct cgroup_process_info *i;
int ret;
+ if (inner)
+ return true;
+
if (!d)
return false;
i = d->info;
@@ -2432,10 +2438,12 @@ static inline bool cgfs_create_legacy(void *hdata, pid_t pid)
return true;
}
-static const char *cgfs_get_cgroup(void *hdata, const char *subsystem)
+static const char *cgfs_get_cgroup(void *hdata, const char *subsystem, bool inner)
{
struct cgfs_data *d = hdata;
+ (void)inner;
+
if (!d)
return NULL;
return lxc_cgroup_get_hierarchy_path_data(subsystem, d);
@@ -2651,13 +2659,16 @@ static bool do_cgfs_chown(char *cgroup_path, struct lxc_conf *conf)
return true;
}
-static bool cgfs_chown(void *hdata, struct lxc_conf *conf)
+static bool cgfs_chown(void *hdata, struct lxc_conf *conf, bool inner)
{
struct cgfs_data *d = hdata;
struct cgroup_process_info *info_ptr;
char *cgpath;
bool r = true;
+ if (inner)
+ return true;
+
if (!d)
return false;
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 897336f0..81c589e0 100644
index 10c7ab2c..b48f997f 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -77,6 +77,7 @@ struct hierarchy {
@@ -101,6 +101,7 @@ struct hierarchy {
char *mountpoint;
char *base_cgroup;
char *fullcgpath;
+ char *innercgpath;
bool is_cgroup_v2;
int version;
};
@@ -813,6 +814,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
@@ -955,6 +956,7 @@ static struct hierarchy *add_hierarchy(char **clist, char *mountpoint,
new->mountpoint = mountpoint;
new->base_cgroup = base_cgroup;
new->fullcgpath = NULL;
+ new->innercgpath = NULL;
new->version = type;
/* record if this is the cgroup v2 hierarchy */
if (!strcmp(base_cgroup, "cgroup2"))
@@ -1302,6 +1304,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
free(h->fullcgpath);
h->fullcgpath = NULL;
}
+ free(h->innercgpath);
+ h->innercgpath = NULL;
}
newentry = append_null_to_list((void ***)&hierarchies);
@@ -1587,6 +1589,8 @@ static int cgroup_rmdir(char *container_cgroup)
free(h->fullcgpath);
h->fullcgpath = NULL;
+ free(h->innercgpath);
+ h->innercgpath = NULL;
}
@@ -1319,18 +1323,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
return &cgfsng_ops;
return 0;
@@ -1597,6 +1601,7 @@ struct generic_userns_exec_data {
struct lxc_conf *conf;
uid_t origuid; /* target uid in parent namespace */
char *path;
+ bool inner;
};
static int cgroup_rmdir_wrapper(void *data)
@@ -1641,6 +1646,7 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
wrap.origuid = 0;
wrap.d = hdata;
wrap.conf = conf;
+ wrap.inner = false;
if (conf && !lxc_list_empty(&conf->id_map))
ret = userns_exec_1(conf, cgroup_rmdir_wrapper, &wrap,
@@ -1730,22 +1736,29 @@ on_error:
return bret;
}
-static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname)
+static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, bool inner)
{
int ret;
- h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
- if (dir_exists(h->fullcgpath)) { /* it must not already exist */
- ERROR("Path \"%s\" already existed.", h->fullcgpath);
- if (dir_exists(h->fullcgpath)) {
- ERROR("The cgroup \"%s\" already existed", h->fullcgpath);
+ char *path;
+ if (inner) {
+ path = must_make_path(h->fullcgpath, CGROUP_NAMESPACE_SUBDIR, NULL);
@ -146,17 +92,19 @@ index 897336f0..81c589e0 100644
+ ERROR("Path \"%s\" already existed.", path);
return false;
}
- if (!handle_cpuset_hierarchy(h, cgname)) {
+ if (!inner && !handle_cpuset_hierarchy(h, cgname)) {
ERROR("Failed to handle cgroupfs v1 cpuset controller.");
- if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
+ if (!inner && !cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
ERROR("Failed to handle legacy cpuset controller");
return false;
}
- return mkdir_p(h->fullcgpath, 0755) == 0;
+ return mkdir_p(path, 0755) == 0;
}
static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
@@ -1341,11 +1352,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
- ret = mkdir_p(h->fullcgpath, 0755);
+ ret = mkdir_p(path, 0755);
if (ret < 0) {
ERROR("Failed to create cgroup \"%s\"", h->fullcgpath);
return false;
@@ -1766,10 +1779,26 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
h->fullcgpath = NULL;
}
@ -176,16 +124,15 @@ index 897336f0..81c589e0 100644
+ return ret;
+}
+
/*
* Try to create the same cgroup in all hierarchies.
* Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999
/* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern;
* next cgroup_pattern-1, -2, ..., -999.
*/
-static inline bool cgfsng_create(void *hdata)
+static inline bool cgfsng_create(void *hdata, bool inner)
{
int i;
size_t len;
@@ -1357,9 +1384,15 @@ static inline bool cgfsng_create(void *hdata)
@@ -1781,10 +1810,17 @@ static inline bool cgfsng_create(void *hdata)
return false;
if (d->container_cgroup) {
@ -194,78 +141,82 @@ index 897336f0..81c589e0 100644
WARN("cgfsng_create called a second time");
return false;
}
+ if (inner) {
+ ERROR("cgfsng_create called twice for innner cgroup");
+ return false;
+ }
+
if (d->cgroup_meta.dir)
tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false);
@@ -1395,7 +1428,7 @@ again:
}
else
@@ -1821,7 +1857,7 @@ again:
}
for (i = 0; hierarchies[i]; i++) {
- if (!create_path_for_hierarchy(hierarchies[i], cgname)) {
+ if (!create_path_for_hierarchy(hierarchies[i], cgname, false)) {
- if (!create_path_for_hierarchy(hierarchies[i], container_cgroup)) {
+ if (!create_path_for_hierarchy(hierarchies[i], container_cgroup, false)) {
int j;
ERROR("Failed to create \"%s\"", hierarchies[i]->fullcgpath);
ERROR("Failed to create cgroup \"%s\"", hierarchies[i]->fullcgpath);
free(hierarchies[i]->fullcgpath);
@@ -1415,7 +1448,7 @@ out_free:
@@ -1843,7 +1879,7 @@ out_free:
return false;
}
-static bool cgfsng_enter(void *hdata, pid_t pid)
+static bool cgfsng_enter(void *hdata, pid_t pid, bool inner)
{
char pidstr[25];
int i, len;
@@ -1425,7 +1458,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
return false;
char pidstr[25];
@@ -1856,8 +1892,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
int ret;
char *fullpath;
for (i = 0; hierarchies[i]; i++) {
- char *fullpath = must_make_path(hierarchies[i]->fullcgpath,
+ char *fullpath;
- fullpath = must_make_path(hierarchies[i]->fullcgpath,
- "cgroup.procs", NULL);
+ if (inner)
+ fullpath = must_make_path(hierarchies[i]->fullcgpath,
+ CGROUP_NAMESPACE_SUBDIR,
+ "cgroup.procs", NULL);
+ CGROUP_NAMESPACE_SUBDIR,
+ "cgroup.procs", NULL);
+ else
+ fullpath = must_make_path(hierarchies[i]->fullcgpath,
"cgroup.procs", NULL);
if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) {
SYSERROR("Failed to enter %s", fullpath);
@@ -1441,6 +1480,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
struct chown_data {
struct cgfsng_handler_data *d;
uid_t origuid; /* target uid in parent namespace */
+ bool inner;
};
/*
@@ -1469,13 +1509,20 @@ static int chown_cgroup_wrapper(void *data)
for (i = 0; hierarchies[i]; i++) {
char *fullpath, *path = hierarchies[i]->fullcgpath;
+ "cgroup.procs", NULL);
ret = lxc_write_to_file(fullpath, pidstr, len, false);
if (ret != 0) {
SYSERROR("Failed to enter cgroup \"%s\"", fullpath);
@@ -1933,9 +1974,15 @@ static int chown_cgroup_wrapper(void *data)
char *fullpath;
char *path = hierarchies[i]->fullcgpath;
+ if (arg->inner)
+ path = must_make_path(path, CGROUP_NAMESPACE_SUBDIR, NULL);
+
if (chown(path, destuid, 0) < 0) {
SYSERROR("Error chowning %s to %d", path, (int) destuid);
ret = chowmod(path, destuid, nsgid, 0775);
- if (ret < 0)
+ if (ret < 0) {
+ if (arg->inner)
+ free(path);
return -1;
}
+ }
if (chmod(path, 0775) < 0) {
SYSERROR("Error chmoding %s", path);
/* Failures to chown() these are inconvenient but not
* detrimental We leave these owned by the container launcher,
@@ -1954,8 +2001,11 @@ static int chown_cgroup_wrapper(void *data)
(void)chowmod(fullpath, destuid, 0, 0664);
free(fullpath);
- if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC)
+ if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC) {
+ if (arg->inner)
+ free(path);
return -1;
}
continue;
+ }
@@ -1501,12 +1548,14 @@ static int chown_cgroup_wrapper(void *data)
if (chmod(fullpath, 0664) < 0)
WARN("Error chmoding %s: %s", path, strerror(errno));
fullpath = must_make_path(path, "cgroup.subtree_control", NULL);
(void)chowmod(fullpath, destuid, nsgid, 0664);
@@ -1964,12 +2014,14 @@ static int chown_cgroup_wrapper(void *data)
fullpath = must_make_path(path, "cgroup.threads", NULL);
(void)chowmod(fullpath, destuid, nsgid, 0664);
free(fullpath);
+ if (arg->inner)
+ free(path);
@ -274,29 +225,31 @@ index 897336f0..81c589e0 100644
return 0;
}
-static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
+static bool cgfsns_chown(void *hdata, struct lxc_conf *conf, bool inner)
-static bool cgfsng_chown(void *hdata, struct lxc_conf *conf)
+static bool cgfsng_chown(void *hdata, struct lxc_conf *conf, bool inner)
{
struct cgfsng_handler_data *d = hdata;
struct chown_data wrap;
@@ -1519,6 +1568,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
struct generic_userns_exec_data wrap;
@@ -1984,6 +2036,7 @@ static bool cgfsng_chown(void *hdata, struct lxc_conf *conf)
wrap.path = NULL;
wrap.d = d;
wrap.origuid = geteuid();
wrap.conf = conf;
+ wrap.inner = inner;
if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap,
"chown_cgroup_wrapper") < 0) {
@@ -1815,12 +1865,15 @@ static bool cgfsng_unfreeze(void *hdata)
@@ -2366,7 +2419,7 @@ static bool cgfsng_unfreeze(void *hdata)
return true;
}
-static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem)
+static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem, bool inner)
-static const char *cgfsng_get_cgroup(void *hdata, const char *controller)
+static const char *cgfsng_get_cgroup(void *hdata, const char *controller, bool inner)
{
struct hierarchy *h = get_hierarchy(subsystem);
if (!h)
struct hierarchy *h;
@@ -2377,6 +2430,9 @@ static const char *cgfsng_get_cgroup(void *hdata, const char *controller)
return NULL;
}
+ if (inner && h->innercgpath)
+ return h->innercgpath + strlen(h->mountpoint);
@ -304,90 +257,20 @@ index 897336f0..81c589e0 100644
return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL;
}
@@ -1848,7 +1901,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
char *path, *fullpath;
struct hierarchy *h = hierarchies[i];
@@ -2408,7 +2464,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name,
int fret = -1, idx = 0;
char *base_path = NULL, *container_cgroup = NULL, *full_path = NULL;
- path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]);
+ path = lxc_cmd_get_attach_cgroup_path(name, lxcpath, h->controllers[0]);
if (!path) /* not running */
continue;
diff --git a/src/lxc/cgroups/cgmanager.c b/src/lxc/cgroups/cgmanager.c
index 054eb171..04ae3a16 100644
--- a/src/lxc/cgroups/cgmanager.c
+++ b/src/lxc/cgroups/cgmanager.c
@@ -610,7 +610,7 @@ static inline void cleanup_cgroups(char *path)
cgm_remove_cgroup(slist[i], path);
}
-static inline bool cgm_create(void *hdata)
+static inline bool cgm_create(void *hdata, bool inner)
{
struct cgm_data *d = hdata;
char **slist = subsystems;
@@ -618,6 +618,9 @@ static inline bool cgm_create(void *hdata)
int32_t existed;
char result[MAXPATHLEN], *tmp, *cgroup_path;
+ if (inner)
+ return true;
+
if (!d)
return false;
@@ -710,13 +713,16 @@ static bool lxc_cgmanager_enter(pid_t pid, const char *controller,
return true;
}
-static inline bool cgm_enter(void *hdata, pid_t pid)
+static inline bool cgm_enter(void *hdata, pid_t pid, bool inner)
{
struct cgm_data *d = hdata;
char **slist = subsystems;
bool ret = false;
int i;
+ if (inner)
+ return true;
+
if (!d || !d->cgroup_path)
return false;
@@ -738,10 +744,12 @@ out:
return ret;
}
-static const char *cgm_get_cgroup(void *hdata, const char *subsystem)
+static const char *cgm_get_cgroup(void *hdata, const char *subsystem, bool inner)
{
struct cgm_data *d = hdata;
+ (void)inner;
+
if (!d || !d->cgroup_path)
return NULL;
return d->cgroup_path;
@@ -1542,10 +1550,13 @@ out:
return ret;
}
-static bool cgm_chown(void *hdata, struct lxc_conf *conf)
+static bool cgm_chown(void *hdata, struct lxc_conf *conf, bool inner)
{
struct cgm_data *d = hdata;
+ if (inner)
+ return true;
+
if (!d || !d->cgroup_path)
return false;
if (!cgm_dbus_connect()) {
- container_cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller);
+ container_cgroup = lxc_cmd_get_attach_cgroup_path(name, lxcpath, controller);
/* not running */
if (!container_cgroup)
return 0;
diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
index 674e3090..6f0d2fe8 100644
index 9e7b26e0..ec45dd39 100644
--- a/src/lxc/cgroups/cgroup.c
+++ b/src/lxc/cgroups/cgroup.c
@@ -80,19 +80,19 @@ void cgroup_destroy(struct lxc_handler *handler)
@@ -73,19 +73,19 @@ void cgroup_destroy(struct lxc_handler *handler)
}
/* Create the container cgroups for all requested controllers. */
@ -411,7 +294,7 @@ index 674e3090..6f0d2fe8 100644
return false;
}
@@ -106,10 +106,11 @@ bool cgroup_create_legacy(struct lxc_handler *handler)
@@ -99,10 +99,11 @@ bool cgroup_create_legacy(struct lxc_handler *handler)
}
const char *cgroup_get_cgroup(struct lxc_handler *handler,
@ -425,7 +308,7 @@ index 674e3090..6f0d2fe8 100644
return NULL;
}
@@ -155,10 +156,10 @@ bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices)
@@ -148,10 +149,10 @@ bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices)
return false;
}
@ -439,7 +322,7 @@ index 674e3090..6f0d2fe8 100644
return true;
}
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
index f17a6abe..f05fda4e 100644
index 0f04e8b7..3a63133d 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -28,6 +28,12 @@
@ -455,7 +338,7 @@ index f17a6abe..f05fda4e 100644
struct lxc_handler;
struct lxc_conf;
struct lxc_list;
@@ -43,10 +49,10 @@ struct cgroup_ops {
@@ -45,10 +51,10 @@ struct cgroup_ops {
void *(*init)(struct lxc_handler *handler);
void (*destroy)(void *hdata, struct lxc_conf *conf);
@ -469,16 +352,16 @@ index f17a6abe..f05fda4e 100644
bool (*escape)();
int (*num_hierarchies)();
bool (*get_hierarchies)(int n, char ***out);
@@ -54,7 +60,7 @@ struct cgroup_ops {
@@ -56,7 +62,7 @@ struct cgroup_ops {
int (*get)(const char *filename, char *value, size_t len, const char *name, const char *lxcpath);
bool (*unfreeze)(void *hdata);
bool (*setup_limits)(void *hdata, struct lxc_list *cgroup_conf, bool with_devices);
bool (*setup_limits)(void *hdata, struct lxc_conf *conf, bool with_devices);
- bool (*chown)(void *hdata, struct lxc_conf *conf);
+ bool (*chown)(void *hdata, struct lxc_conf *conf, bool inner);
bool (*attach)(const char *name, const char *lxcpath, pid_t pid);
bool (*mount_cgroup)(void *hdata, const char *root, int type);
int (*nrtasks)(void *hdata);
@@ -66,14 +72,14 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid);
@@ -67,15 +73,16 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid);
extern bool cgroup_mount(const char *root, struct lxc_handler *handler, int type);
extern void cgroup_destroy(struct lxc_handler *handler);
extern bool cgroup_init(struct lxc_handler *handler);
@ -492,16 +375,18 @@ index f17a6abe..f05fda4e 100644
extern void cgroup_cleanup(struct lxc_handler *handler);
extern bool cgroup_create_legacy(struct lxc_handler *handler);
extern int cgroup_nrtasks(struct lxc_handler *handler);
-extern const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem);
+extern const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem, bool inner);
extern const char *cgroup_get_cgroup(struct lxc_handler *handler,
- const char *subsystem);
+ const char *subsystem,
+ bool inner);
extern bool cgroup_escape();
extern int cgroup_num_hierarchies();
extern bool cgroup_get_hierarchies(int i, char ***out);
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 68fbd387..ccdbeeba 100644
index 54e9f75c..df5a9907 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -410,30 +410,29 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req,
@@ -426,20 +426,8 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req,
return lxc_cmd_rsp_send(fd, &rsp);
}
@ -518,35 +403,34 @@ index 68fbd387..ccdbeeba 100644
- * returned path.
- */
-char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
- const char *subsystem)
+static char *do_lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
+ const char *subsystem,
+ bool inner)
- const char *subsystem)
+char *do_lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
+ const char *subsystem, bool inner)
{
int ret, stopped;
+ size_t subsyslen = strlen(subsystem);
+
struct lxc_cmd_rr cmd = {
.req = {
.cmd = LXC_CMD_GET_CGROUP,
- .datalen = strlen(subsystem)+1,
+ .datalen = subsyslen+1,
.data = subsystem,
},
};
@@ -452,8 +440,18 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
+ if (inner) {
+ char *data = alloca(subsyslen+2);
+ memcpy(data, subsystem, subsyslen+1);
+ data[subsyslen+1] = 1;
+ cmd.req.datalen = subsyslen+2,
+ cmd.req.data = data;
cmd.req.data = subsystem;
cmd.req.datalen = 0;
- if (subsystem)
- cmd.req.datalen = strlen(subsystem) + 1;
+ if (subsystem) {
+ size_t subsyslen = strlen(subsystem);
+ if (inner) {
+ char *data = alloca(subsyslen+2);
+ memcpy(data, subsystem, subsyslen+1);
+ data[subsyslen+1] = 1;
+ cmd.req.datalen = subsyslen+2,
+ cmd.req.data = data;
+ } else {
+ cmd.req.datalen = subsyslen+1;
+ }
+ }
+
ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
if (ret < 0) {
TRACE("command %s failed for container \"%s\": %s.",
@@ -458,16 +457,61 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
if (ret < 0)
@@ -468,16 +466,63 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
return cmd.rsp.data;
}
@ -585,35 +469,40 @@ index 68fbd387..ccdbeeba 100644
+{
+ return do_lxc_cmd_get_cgroup_path(name, lxcpath, subsystem, true);
+}
+
+
static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
struct lxc_handler *handler)
{
struct lxc_cmd_rsp rsp;
const char *path;
+ const char *subsystem;
+ size_t subsyslen;
+ bool inner = false;
struct lxc_cmd_rsp rsp;
if (req->datalen < 1)
return -1;
- path = cgroup_get_cgroup(handler, req->data);
+ subsystem = req->data;
+ subsyslen = strlen(subsystem);
+ if (req->datalen == subsyslen+2)
+ inner = (subsystem[subsyslen+1] == 1);
- if (req->datalen > 0)
- path = cgroup_get_cgroup(handler, req->data);
- else
- path = cgroup_get_cgroup(handler, NULL);
+ if (req->datalen > 0) {
+ const char *subsystem;
+ size_t subsyslen;
+ bool inner = false;
+ subsystem = req->data;
+ subsyslen = strlen(subsystem);
+ if (req->datalen == subsyslen+2)
+ inner = (subsystem[subsyslen+1] == 1);
+
+ path = cgroup_get_cgroup(handler, req->data, inner);
+ path = cgroup_get_cgroup(handler, req->data, inner);
+ } else {
+ // FIXME: cgroup separation for cgroup v2 cannot be handled
+ // like we used to do v1 here... need to figure this out...
+ path = cgroup_get_cgroup(handler, NULL, false);
+ }
if (!path)
return -1;
rsp.datalen = strlen(path) + 1,
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index 28428c77..9557dcaa 100644
index 816cd748..e16c0d79 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -82,6 +82,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd,
@@ -93,6 +93,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd,
*/
extern char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
const char *subsystem);
@ -623,7 +512,7 @@ index 28428c77..9557dcaa 100644
extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
extern char *lxc_cmd_get_name(const char *hashed_sock);
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 96688edc..539ae8bd 100644
index f60a6e15..7c8a8aee 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -324,7 +324,7 @@ static void exec_criu(struct criu_opts *opts)
@ -635,7 +524,7 @@ index 96688edc..539ae8bd 100644
if (!p) {
ERROR("failed to get cgroup path for %s", controllers[0]);
goto err;
@@ -857,7 +857,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
@@ -958,7 +958,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
goto out_fini_handler;
}
@ -645,19 +534,19 @@ index 96688edc..539ae8bd 100644
goto out_fini_handler;
}
diff --git a/src/lxc/start.c b/src/lxc/start.c
index a6a40c72..920f3c23 100644
index f66f50a7..772eacc2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1217,7 +1217,7 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1556,7 +1556,7 @@ static int lxc_spawn(struct lxc_handler *handler)
cgroups_connected = true;
- if (!cgroup_create(handler)) {
+ if (!cgroup_create(handler, false)) {
ERROR("Failed creating cgroups.");
ERROR("Failed creating cgroups");
goto out_delete_net;
}
@@ -1292,10 +1292,10 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1650,10 +1650,10 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
@ -669,19 +558,20 @@ index a6a40c72..920f3c23 100644
+ if (!cgroup_chown(handler, false))
goto out_delete_net;
handler->netnsfd = lxc_preserve_ns(handler->pid, "net");
@@ -1338,15 +1338,30 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
/* Now we're ready to preserve the network namespace */
@@ -1714,16 +1714,30 @@ static int lxc_spawn(struct lxc_handler *handler)
}
}
- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
- ret = lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE);
- if (ret < 0)
- goto out_delete_net;
-
if (!cgroup_setup_limits(handler, true)) {
ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
ERROR("Failed to setup legacy device cgroup controller limits");
goto out_delete_net;
}
TRACE("Set up cgroup device limits");
TRACE("Set up legacy device cgroup controller limits");
+ if (cgns_supported()) {
+ if (!cgroup_create(handler, true)) {
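Review bot: In the commands.c hunk of this patch, the rewritten do_lxc_cmd_get_cgroup_path ends its `inner` branch with `cmd.req.datalen = subsyslen+2,` — a comma operator where a semicolon was meant; it compiles and happens to do the right thing because assignment binds tighter than the comma, but it reads as a typo and will bite the next edit, so make it `cmd.req.datalen = subsyslen+2;`. On the receiving side, lxc_cmd_get_cgroup_callback now calls `strlen(subsystem)` on req->data before anything in the hunk confirms a NUL terminator within req->datalen; unless that guarantee exists elsewhere, a guard such as `if (!memchr(req->data, '\0', req->datalen)) return -1;` ahead of the strlen keeps a malformed request on the command socket from being read past its buffer. The `inner` flag travels as a byte after the terminator, which is easy to miss; a comment on both sides, e.g. `/* optional trailing byte 1 after the NUL selects the inner (namespaced) cgroup */`, would document the wire convention. In the cgfsng.c chown_cgroup_wrapper hunk, `if (arg->inner) free(path);` is repeated on every early return; a single cleanup label would be less error-prone than per-return frees. Both functions extend beyond the visible hunk lines.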


@ -1,8 +1,7 @@
From ef58cfcf70fbe666acee0c407f77a22eeb1eec4f Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 05/13] start/initutils: make cgroupns separation level
configurable
Date: Wed, 28 Mar 2018 13:41:46 +0200
Subject: [PATCH] start/initutils: make cgroupns separation level configurable
Adds a new global config variable `lxc.cgroup.separate`
which controls whether a separation directory for cgroup
@ -17,10 +16,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index c190d6d5..97650e67 100644
index 56926fb5..c5f19ca8 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
@@ -49,14 +49,15 @@ static char *copy_global_config_value(char *p)
const char *lxc_global_config_value(const char *option_name)
{
static const char * const options[][2] = {
@ -45,23 +44,23 @@ index c190d6d5..97650e67 100644
};
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd61..443ad026 100644
index ec44554e..6532f301 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
@@ -42,6 +42,7 @@
#define DEFAULT_THIN_POOL "lxc"
#define DEFAULT_ZFSROOT "lxc"
#define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
extern void lxc_setup_fs(void);
extern const char *lxc_global_config_value(const char *option_name);
#ifndef PR_SET_MM
#define PR_SET_MM 35
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 920f3c23..89e9be96 100644
index 772eacc2..ae13aae9 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1345,17 +1345,20 @@ static int lxc_spawn(struct lxc_handler *handler)
TRACE("Set up cgroup device limits");
@@ -1721,17 +1721,20 @@ static int lxc_spawn(struct lxc_handler *handler)
TRACE("Set up legacy device cgroup controller limits");
if (cgns_supported()) {
- if (!cgroup_create(handler, true)) {


@ -1,7 +1,7 @@
From 1341290e8af87aab15e844abb1a1451cb21ec275 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 23 Dec 2016 15:57:24 +0100
Subject: [PATCH 06/13] rename cgroup namespace directory to ns
Subject: [PATCH] rename cgroup namespace directory to ns
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
index f05fda4e..34c9d89c 100644
index 3a63133d..544742df 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -32,7 +32,7 @@


@ -1,7 +1,7 @@
From 6811fb42be10c4eaf026be35914c546a95520b9e Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 20 Nov 2017 10:49:41 +0100
Subject: [PATCH 07/13] possibility to run lxc-monitord as a regular daemon
Subject: [PATCH] possibility to run lxc-monitord as a regular daemon
lxc-monitord instances are spawned on demand and, if this
happens from a service, the daemon is considered part of
@ -14,7 +14,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
config/init/systemd/lxc-monitord.service.in | 12 ++++++
configure.ac | 1 +
lxc.spec.in | 1 +
src/lxc/lxc_monitord.c | 60 +++++++++++++++++++++--------
src/lxc/cmd/lxc_monitord.c | 60 +++++++++++++++++++++--------
5 files changed, 63 insertions(+), 21 deletions(-)
create mode 100644 config/init/systemd/lxc-monitord.service.in
@ -67,10 +67,10 @@ index 00000000..40635168
+[Install]
+WantedBy=multi-user.target
diff --git a/configure.ac b/configure.ac
index 5566d298..31822e58 100644
index 50c99836..efe56991 100644
--- a/configure.ac
+++ b/configure.ac
@@ -709,6 +709,7 @@ AC_CONFIG_FILES([
@@ -658,6 +658,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
@ -79,10 +79,10 @@ index 5566d298..31822e58 100644
config/init/sysvinit/lxc-containers
config/init/sysvinit/lxc-net
diff --git a/lxc.spec.in b/lxc.spec.in
index e31115de..36ab7d9d 100644
index 004ced26..1adbb6bd 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -260,6 +260,7 @@ fi
@@ -235,6 +235,7 @@ fi
%{_unitdir}/lxc-net.service
%{_unitdir}/lxc.service
%{_unitdir}/lxc@.service
@ -90,11 +90,11 @@ index e31115de..36ab7d9d 100644
%else
%{_sysconfdir}/rc.d/init.d/lxc
%{_sysconfdir}/rc.d/init.d/lxc-net
diff --git a/src/lxc/lxc_monitord.c b/src/lxc/lxc_monitord.c
index c4c2ba0d..c3534e3d 100644
--- a/src/lxc/lxc_monitord.c
+++ b/src/lxc/lxc_monitord.c
@@ -345,17 +345,44 @@ static void lxc_monitord_sig_handler(int sig)
diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c
index 99f2bdb8..2bc44dea 100644
--- a/src/lxc/cmd/lxc_monitord.c
+++ b/src/lxc/cmd/lxc_monitord.c
@@ -346,17 +346,44 @@ static void lxc_monitord_sig_handler(int sig)
int main(int argc, char *argv[])
{
@ -143,7 +143,7 @@ index c4c2ba0d..c3534e3d 100644
"NOTE: lxc-monitord is intended for use by lxc internally\n"
" and does not need to be run by hand\n\n");
exit(EXIT_FAILURE);
@@ -377,9 +404,6 @@ int main(int argc, char *argv[])
@@ -378,9 +405,6 @@ int main(int argc, char *argv[])
INFO("Failed to open log file %s, log will be lost.", lxcpath);
lxc_log_options_no_override();
@ -153,7 +153,7 @@ index c4c2ba0d..c3534e3d 100644
if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) ||
@@ -411,15 +435,17 @@ int main(int argc, char *argv[])
@@ -412,15 +436,17 @@ int main(int argc, char *argv[])
goto on_error;
monitord_created = true;
@ -180,9 +180,9 @@ index c4c2ba0d..c3534e3d 100644
if (lxc_monitord_mainloop_add(&mon)) {
ERROR("Failed to add mainloop handlers.");
@@ -429,7 +455,7 @@ int main(int argc, char *argv[])
@@ -430,7 +456,7 @@ int main(int argc, char *argv[])
NOTICE("lxc-monitord with pid %d is now monitoring lxcpath %s.",
getpid(), mon.lxcpath);
lxc_raw_getpid(), mon.lxcpath);
for (;;) {
- ret = lxc_mainloop(&mon.descr, 1000 * 30);
+ ret = lxc_mainloop(&mon.descr, persistent ? -1 : 1000 * 30);


@ -1,7 +1,7 @@
From 2001f560675efca7d6dcabe8fb8b376442d5d6d0 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 20 Nov 2017 10:51:36 +0100
Subject: [PATCH 08/13] Make lxc@.service forking
Subject: [PATCH] Make lxc@.service forking
Previously the init process' output was dumped into the log
files since the service used Type=simple and


@ -1,116 +0,0 @@
From 105ec17dbcad4fc48183a824df13b825974848bb Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 23 Oct 2017 13:41:33 +0200
Subject: [PATCH 09/13] console: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/console.c | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/src/lxc/console.c b/src/lxc/console.c
index c8e545eb..3592662b 100644
--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -498,9 +498,13 @@ out:
void lxc_console_delete(struct lxc_console *console)
{
- if (console->tios && console->peer >= 0 &&
- tcsetattr(console->peer, TCSAFLUSH, console->tios))
- WARN("failed to set old terminal settings");
+ int ret;
+
+ if (console->tios && console->peer >= 0) {
+ ret = tcsetattr(console->peer, TCSAFLUSH, console->tios);
+ if (ret < 0)
+ WARN("%s - Failed to set old terminal settings", strerror(errno));
+ }
free(console->tios);
console->tios = NULL;
@@ -509,7 +513,6 @@ void lxc_console_delete(struct lxc_console *console)
close(console->slave);
if (console->log_fd >= 0)
close(console->log_fd);
-
console->peer = -1;
console->master = -1;
console->slave = -1;
@@ -518,57 +521,61 @@ void lxc_console_delete(struct lxc_console *console)
int lxc_console_create(struct lxc_conf *conf)
{
+ int ret, saved_errno;
struct lxc_console *console = &conf->console;
- int ret;
if (!conf->rootfs.path) {
- INFO("container does not have a rootfs, console device will be shared with the host");
+ INFO("Container does not have a rootfs. The console will be "
+ "shared with the host");
return 0;
}
if (console->path && !strcmp(console->path, "none")) {
- INFO("no console requested");
+ INFO("No console was requested");
return 0;
}
process_lock();
ret = openpty(&console->master, &console->slave, console->name, NULL, NULL);
+ saved_errno = errno;
process_unlock();
if (ret < 0) {
- SYSERROR("failed to allocate a pty");
+ ERROR("%s - Failed to allocate a pty", strerror(saved_errno));
return -1;
}
- if (fcntl(console->master, F_SETFD, FD_CLOEXEC)) {
- SYSERROR("failed to set console master to close-on-exec");
+ ret = fcntl(console->master, F_SETFD, FD_CLOEXEC);
+ if (ret < 0) {
+ SYSERROR("Failed to set FD_CLOEXEC flag on console master");
goto err;
}
- if (fcntl(console->slave, F_SETFD, FD_CLOEXEC)) {
- SYSERROR("failed to set console slave to close-on-exec");
+ ret = fcntl(console->slave, F_SETFD, FD_CLOEXEC);
+ if (ret < 0) {
+ SYSERROR("Failed to set FD_CLOEXEC flag on console slave");
goto err;
}
ret = lxc_console_peer_default(console);
if (ret < 0) {
- ERROR("failed to allocate peer tty device");
+ ERROR("Failed to allocate a peer pty device");
goto err;
}
if (console->log_path) {
console->log_fd = lxc_unpriv(open(console->log_path, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0600));
if (console->log_fd < 0) {
- SYSERROR("failed to open console log file \"%s\"", console->log_path);
+ SYSERROR("Failed to open console log file \"%s\"", console->log_path);
goto err;
}
- DEBUG("using \"%s\" as console log file", console->log_path);
+ DEBUG("Using \"%s\" as console log file", console->log_path);
}
return 0;
err:
lxc_console_delete(console);
- return -1;
+ return -ENODEV;
}
int lxc_console_set_stdfds(int fd)
--
2.11.0


@ -1,135 +0,0 @@
From 7394b5c772b562f239b4138b11ecc8493b4c30b4 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Thu, 26 Oct 2017 17:33:10 +0200
Subject: [PATCH 10/13] console: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/console.c | 61 +++++++++++++++++++++++++++++--------------------------
1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/src/lxc/console.c b/src/lxc/console.c
index 3592662b..eda5be62 100644
--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -678,18 +678,16 @@ int lxc_console(struct lxc_container *c, int ttynum,
istty = isatty(stdinfd);
if (istty) {
ret = lxc_setup_tios(stdinfd, &oldtios);
- if (ret) {
- ERROR("failed to setup terminal properties");
+ if (ret < 0)
return -1;
- }
} else {
- INFO("fd %d does not refer to a tty device", stdinfd);
+ INFO("File descriptor %d does not refer to a tty device", stdinfd);
}
ttyfd = lxc_cmd_console(c->name, &ttynum, &masterfd, c->config_path);
if (ttyfd < 0) {
ret = ttyfd;
- goto err1;
+ goto restore_tios;
}
fprintf(stderr, "\n"
@@ -699,13 +697,13 @@ int lxc_console(struct lxc_container *c, int ttynum,
ttynum, 'a' + escape - 1);
ret = setsid();
- if (ret)
- INFO("already group leader");
+ if (ret < 0)
+ TRACE("Process is already group leader");
ts = lxc_console_sigwinch_init(stdinfd, masterfd);
if (!ts) {
ret = -1;
- goto err2;
+ goto close_fds;
}
ts->escape = escape;
ts->winch_proxy = c->name;
@@ -719,52 +717,57 @@ int lxc_console(struct lxc_container *c, int ttynum,
ret = lxc_mainloop_open(&descr);
if (ret) {
- ERROR("failed to create mainloop");
- goto err3;
+ ERROR("Failed to create mainloop");
+ goto sigwinch_fini;
}
if (ts->sigfd != -1) {
ret = lxc_mainloop_add_handler(&descr, ts->sigfd,
- lxc_console_cb_sigwinch_fd, ts);
- if (ret) {
- ERROR("failed to add handler for SIGWINCH fd");
- goto err4;
+ lxc_console_cb_sigwinch_fd, ts);
+ if (ret < 0) {
+ ERROR("Failed to add SIGWINCH handler");
+ goto close_mainloop;
}
}
ret = lxc_mainloop_add_handler(&descr, ts->stdinfd,
lxc_console_cb_tty_stdin, ts);
- if (ret) {
- ERROR("failed to add handler for stdinfd");
- goto err4;
+ if (ret < 0) {
+ ERROR("Failed to add stdin handler");
+ goto close_mainloop;
}
ret = lxc_mainloop_add_handler(&descr, ts->masterfd,
lxc_console_cb_tty_master, ts);
- if (ret) {
- ERROR("failed to add handler for masterfd");
- goto err4;
+ if (ret < 0) {
+ ERROR("Failed to add master handler");
+ goto close_mainloop;
}
ret = lxc_mainloop(&descr, -1);
- if (ret) {
- ERROR("mainloop returned an error");
- goto err4;
+ if (ret < 0) {
+ ERROR("The mainloop returned an error");
+ goto close_mainloop;
}
ret = 0;
-err4:
+close_mainloop:
lxc_mainloop_close(&descr);
-err3:
+
+sigwinch_fini:
lxc_console_sigwinch_fini(ts);
-err2:
+
+close_fds:
close(masterfd);
close(ttyfd);
-err1:
+
+restore_tios:
if (istty) {
- if (tcsetattr(stdinfd, TCSAFLUSH, &oldtios) < 0)
- WARN("failed to reset terminal properties: %s.", strerror(errno));
+ istty = tcsetattr(stdinfd, TCSAFLUSH, &oldtios);
+ if (istty < 0)
+ WARN("%s - Failed to restore terminal properties",
+ strerror(errno));
}
return ret;
--
2.11.0


@ -1,121 +0,0 @@
From c8a9c9c9f6c189164a2eedd0d1e99905cb0a8672 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 10 Nov 2017 19:07:38 +0100
Subject: [PATCH 11/13] console: fix console info message
Now it will be displayed nicely formatted:
a1 login: chb@conventiont|~
> lxc console a1
Connected to tty 0
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
Ubuntu 17.10 a1 console
a1 login:
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/console.c | 54 ++++++++++++++++++++++++++----------------------------
1 file changed, 26 insertions(+), 28 deletions(-)
diff --git a/src/lxc/console.c b/src/lxc/console.c
index eda5be62..e95f5c54 100644
--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -675,26 +675,9 @@ int lxc_console(struct lxc_container *c, int ttynum,
struct lxc_tty_state *ts;
int istty = 0;
- istty = isatty(stdinfd);
- if (istty) {
- ret = lxc_setup_tios(stdinfd, &oldtios);
- if (ret < 0)
- return -1;
- } else {
- INFO("File descriptor %d does not refer to a tty device", stdinfd);
- }
-
ttyfd = lxc_cmd_console(c->name, &ttynum, &masterfd, c->config_path);
- if (ttyfd < 0) {
- ret = ttyfd;
- goto restore_tios;
- }
-
- fprintf(stderr, "\n"
- "Connected to tty %1$d\n"
- "Type <Ctrl+%2$c q> to exit the console, "
- "<Ctrl+%2$c Ctrl+%2$c> to enter Ctrl+%2$c itself\n",
- ttynum, 'a' + escape - 1);
+ if (ttyfd < 0)
+ return -1;
ret = setsid();
if (ret < 0)
@@ -710,9 +693,12 @@ int lxc_console(struct lxc_container *c, int ttynum,
ts->winch_proxy_lxcpath = c->config_path;
ts->stdoutfd = stdoutfd;
+ istty = isatty(stdinfd);
if (istty) {
lxc_console_winsz(stdinfd, masterfd);
lxc_cmd_console_winch(ts->winch_proxy, ts->winch_proxy_lxcpath);
+ } else {
+ INFO("File descriptor %d does not refer to a tty device", stdinfd);
}
ret = lxc_mainloop_open(&descr);
@@ -744,14 +730,34 @@ int lxc_console(struct lxc_container *c, int ttynum,
goto close_mainloop;
}
+ fprintf(stderr, "\n"
+ "Connected to tty %1$d\n"
+ "Type <Ctrl+%2$c q> to exit the console, "
+ "<Ctrl+%2$c Ctrl+%2$c> to enter Ctrl+%2$c itself\n",
+ ttynum, 'a' + escape - 1);
+
+ if (istty) {
+ ret = lxc_setup_tios(stdinfd, &oldtios);
+ if (ret < 0)
+ goto close_mainloop;
+ }
+
ret = lxc_mainloop(&descr, -1);
if (ret < 0) {
ERROR("The mainloop returned an error");
- goto close_mainloop;
+ goto restore_tios;
}
ret = 0;
+restore_tios:
+ if (istty) {
+ istty = tcsetattr(stdinfd, TCSAFLUSH, &oldtios);
+ if (istty < 0)
+ WARN("%s - Failed to restore terminal properties",
+ strerror(errno));
+ }
+
close_mainloop:
lxc_mainloop_close(&descr);
@@ -762,13 +768,5 @@ close_fds:
close(masterfd);
close(ttyfd);
-restore_tios:
- if (istty) {
- istty = tcsetattr(stdinfd, TCSAFLUSH, &oldtios);
- if (istty < 0)
- WARN("%s - Failed to restore terminal properties",
- strerror(errno));
- }
-
return ret;
}
--
2.11.0


@ -1,36 +0,0 @@
From 1e47ecd9a9367e6cf166c872d3cec26eb4c77aba Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 10 Nov 2017 19:51:57 +0100
Subject: [PATCH 12/13] console: report detach message on demand
When users pass -1 there's there won't be an escape sequence to exit the
console so no need to print a misleading info message about how to detach.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/console.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lxc/console.c b/src/lxc/console.c
index e95f5c54..8f6203f0 100644
--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -730,11 +730,14 @@ int lxc_console(struct lxc_container *c, int ttynum,
goto close_mainloop;
}
- fprintf(stderr, "\n"
+ if (ts->escape >= 1) {
+ fprintf(stderr,
+ "\n"
"Connected to tty %1$d\n"
"Type <Ctrl+%2$c q> to exit the console, "
"<Ctrl+%2$c Ctrl+%2$c> to enter Ctrl+%2$c itself\n",
ttynum, 'a' + escape - 1);
+ }
if (istty) {
ret = lxc_setup_tios(stdinfd, &oldtios);
--
2.11.0


@ -1,26 +0,0 @@
From b50f5a815258541b6da0c772388d93ea303a4f3d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 11 Nov 2017 23:05:33 +0100
Subject: [PATCH 13/13] console: use correct escape sequence check
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/console.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/console.c b/src/lxc/console.c
index 8f6203f0..72c01b19 100644
--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -616,7 +616,7 @@ int lxc_console_cb_tty_stdin(int fd, uint32_t events, void *cbdata,
if (lxc_read_nointr(ts->stdinfd, &c, 1) <= 0)
return 1;
- if (ts->escape != -1) {
+ if (ts->escape >= 1) {
/* we want to exit the console with Ctrl+a q */
if (c == ts->escape && !ts->saw_escape) {
ts->saw_escape = 1;
--
2.11.0


@ -6,8 +6,3 @@
0006-rename-cgroup-namespace-directory-to-ns.patch
0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
0008-Make-lxc-.service-forking.patch
0009-console-non-functional-changes.patch
0010-console-non-functional-changes.patch
0011-console-fix-console-info-message.patch
0012-console-report-detach-message-on-demand.patch
0013-console-use-correct-escape-sequence-check.patch

2
lxc

@ -1 +1 @@
Subproject commit 31546ced8a4cbed1455568934b59e3ba64bfcb63
Subproject commit 5b66b6ee3e3cd2575a4b9b2eb8190b2b05ab4b42