diff --git a/Makefile b/Makefile index 6c2f8ef..3f9aecb 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ PACKAGE=lxc-pve -LXCVER=2.1.1 -DEBREL=3 +LXCVER=3.0.0 +DEBREL=1 SRCDIR=lxc BUILDSRC := $(SRCDIR).tmp diff --git a/debian/changelog b/debian/changelog index f3e2d9f..b8024ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lxc (3.0.0-1) unstable; urgency=medium + + * update to lxc-3.0.0 + + -- Proxmox Support Team Wed, 28 Mar 2018 13:52:08 +0200 + lxc (2.1.1-3) unstable; urgency=medium * add pinned AppArmor feature set for pve-kernel-4.13.13-6-pve diff --git a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch index 6162efc..34d7e8e 100644 --- a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch +++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch @@ -1,7 +1,7 @@ -From 92f2489b28e79f7a67f45bc698f1d61785a6537d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:13:40 +0100 -Subject: [PATCH 01/13] lxc.service: start after a potential syslog.service +Subject: [PATCH] lxc.service: start after a potential syslog.service Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch b/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch index cac7bd0..f09bf8b 100644 --- a/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch +++ b/debian/patches/0002-pve-run-lxcnetaddbr-when-instantiating-veths.patch @@ -1,7 +1,7 @@ -From 6aecf604cf28c5164f3d957b0ad33bf03527fa26 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:15:37 +0100 -Subject: [PATCH 02/13] pve: run lxcnetaddbr when instantiating veths +Subject: [PATCH] pve: run lxcnetaddbr when instantiating veths FIXME: Why aren't we using regular up-scripts? @@ -11,12 +11,12 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 5 insertions(+) diff --git a/src/lxc/network.c b/src/lxc/network.c -index 909b7e58..c9b510f6 100644 +index e31066cb..d136bad1 100644 --- a/src/lxc/network.c +++ b/src/lxc/network.c -@@ -208,6 +208,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd - "veth", veth1, (char*) NULL); - if (err) +@@ -216,6 +216,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd + netdev->upscript, "up", argv); + if (err < 0) goto out_delete; + } else if (netdev->link[0] == '\0') { + err = run_script(handler->name, "net", "/usr/share/lxc/lxcnetaddbr", "up", diff --git a/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch index 3ec25b2..2ff706b 100644 --- a/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/0003-deny-rw-mounting-of-sys-and-proc.patch @@ -1,7 +1,7 @@ -From 8c695baaff8d18a87233ffc119e8fd0495819dbe Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Nov 2016 09:14:26 +0100 -Subject: [PATCH 03/13] deny rw mounting of /sys and /proc +Subject: [PATCH] deny rw mounting of /sys and /proc this would allow root in a privileged container to change the permissions of /sys on the host, which could lock out diff --git a/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch b/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch index 52db64f..53f786e 100644 --- a/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch 
+++ b/debian/patches/0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch @@ -1,7 +1,7 @@ -From 6ebdc24c00b4dee75aebef3136469a5297e1d9ee Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller -Date: Tue, 15 Nov 2016 09:20:24 +0100 -Subject: [PATCH 04/13] separate the limiting from the namespaced cgroup root +Date: Wed, 28 Mar 2018 13:37:28 +0200 +Subject: [PATCH] separate the limiting from the namespaced cgroup root When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root @@ -14,126 +14,72 @@ being used in order to combat this. 
Signed-off-by: Wolfgang Bumiller --- - src/lxc/cgroups/cgfs.c | 19 ++++++++--- - src/lxc/cgroups/cgfsng.c | 79 +++++++++++++++++++++++++++++++++++++-------- - src/lxc/cgroups/cgmanager.c | 19 ++++++++--- - src/lxc/cgroups/cgroup.c | 17 +++++----- - src/lxc/cgroups/cgroup.h | 22 ++++++++----- - src/lxc/commands.c | 76 ++++++++++++++++++++++++++++++++++--------- - src/lxc/commands.h | 2 ++ - src/lxc/criu.c | 4 +-- - src/lxc/start.c | 27 ++++++++++++---- - 9 files changed, 204 insertions(+), 61 deletions(-) + src/lxc/cgroups/cgfsng.c | 88 +++++++++++++++++++++++++++++++++++++++--------- + src/lxc/cgroups/cgroup.c | 17 +++++----- + src/lxc/cgroups/cgroup.h | 23 ++++++++----- + src/lxc/commands.c | 85 +++++++++++++++++++++++++++++++++++----------- + src/lxc/commands.h | 2 ++ + src/lxc/criu.c | 4 +-- + src/lxc/start.c | 28 +++++++++++---- + 7 files changed, 186 insertions(+), 61 deletions(-) -diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c -index bcbd6613..573ccb25 100644 ---- a/src/lxc/cgroups/cgfs.c -+++ b/src/lxc/cgroups/cgfs.c -@@ -2387,12 +2387,15 @@ static void cgfs_destroy(void *hdata, struct lxc_conf *conf) - free(d); - } - --static inline bool cgfs_create(void *hdata) -+static inline bool cgfs_create(void *hdata, bool inner) - { - struct cgfs_data *d = hdata; - struct cgroup_process_info *i; - struct cgroup_meta_data *md; - -+ if (inner) -+ return true; -+ - if (!d) - return false; - md = d->meta; -@@ -2403,12 +2406,15 @@ static inline bool cgfs_create(void *hdata) - return true; - } - --static inline bool cgfs_enter(void *hdata, pid_t pid) -+static inline bool cgfs_enter(void *hdata, pid_t pid, bool inner) - { - struct cgfs_data *d = hdata; - struct cgroup_process_info *i; - int ret; - -+ if (inner) -+ return true; -+ - if (!d) - return false; - i = d->info; -@@ -2432,10 +2438,12 @@ static inline bool cgfs_create_legacy(void *hdata, pid_t pid) - return true; - } - --static const char *cgfs_get_cgroup(void *hdata, const char *subsystem) -+static 
const char *cgfs_get_cgroup(void *hdata, const char *subsystem, bool inner) - { - struct cgfs_data *d = hdata; - -+ (void)inner; -+ - if (!d) - return NULL; - return lxc_cgroup_get_hierarchy_path_data(subsystem, d); -@@ -2651,13 +2659,16 @@ static bool do_cgfs_chown(char *cgroup_path, struct lxc_conf *conf) - return true; - } - --static bool cgfs_chown(void *hdata, struct lxc_conf *conf) -+static bool cgfs_chown(void *hdata, struct lxc_conf *conf, bool inner) - { - struct cgfs_data *d = hdata; - struct cgroup_process_info *info_ptr; - char *cgpath; - bool r = true; - -+ if (inner) -+ return true; -+ - if (!d) - return false; - diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index 897336f0..81c589e0 100644 +index 10c7ab2c..b48f997f 100644 --- a/src/lxc/cgroups/cgfsng.c 
+++ b/src/lxc/cgroups/cgfsng.c -@@ -77,6 +77,7 @@ struct hierarchy { +@@ -101,6 +101,7 @@ struct hierarchy { char *mountpoint; char *base_cgroup; char *fullcgpath; + char *innercgpath; - bool is_cgroup_v2; + int version; }; -@@ -813,6 +814,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup) +@@ -955,6 +956,7 @@ static struct hierarchy *add_hierarchy(char **clist, char *mountpoint, new->mountpoint = mountpoint; new->base_cgroup = base_cgroup; new->fullcgpath = NULL; + new->innercgpath = NULL; + new->version = type; - /* record if this is the cgroup v2 hierarchy */ - if (!strcmp(base_cgroup, "cgroup2")) -@@ -1302,6 +1304,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) - free(h->fullcgpath); - h->fullcgpath = NULL; - } -+ free(h->innercgpath); -+ h->innercgpath = NULL; - } + newentry = append_null_to_list((void ***)&hierarchies); +@@ -1587,6 +1589,8 @@ static int cgroup_rmdir(char *container_cgroup) + + free(h->fullcgpath); + h->fullcgpath = NULL; ++ free(h->innercgpath); ++ h->innercgpath = NULL; } -@@ -1319,18 +1323,25 @@ struct cgroup_ops *cgfsng_ops_init(void) - return &cgfsng_ops; + return 0; +@@ -1597,6 +1601,7 @@ struct generic_userns_exec_data { + struct lxc_conf *conf; + uid_t origuid; /* target uid in parent namespace */ + char *path; ++ bool inner; + }; + + static int cgroup_rmdir_wrapper(void *data) +@@ -1641,6 +1646,7 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) + wrap.origuid = 0; + wrap.d = hdata; + wrap.conf = conf; ++ wrap.inner = false; + + if (conf && !lxc_list_empty(&conf->id_map)) + ret = userns_exec_1(conf, cgroup_rmdir_wrapper, &wrap, +@@ -1730,22 +1736,29 @@ on_error: + return bret; } -static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname) +static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, bool inner) { + int ret; + - h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL); -- if (dir_exists(h->fullcgpath)) { /* 
it must not already exist */ -- ERROR("Path \"%s\" already existed.", h->fullcgpath); +- if (dir_exists(h->fullcgpath)) { +- ERROR("The cgroup \"%s\" already existed", h->fullcgpath); + char *path; + if (inner) { + path = must_make_path(h->fullcgpath, CGROUP_NAMESPACE_SUBDIR, NULL); @@ -146,17 +92,19 @@ index 897336f0..81c589e0 100644 + ERROR("Path \"%s\" already existed.", path); return false; } -- if (!handle_cpuset_hierarchy(h, cgname)) { -+ if (!inner && !handle_cpuset_hierarchy(h, cgname)) { - ERROR("Failed to handle cgroupfs v1 cpuset controller."); + +- if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) { ++ if (!inner && !cg_legacy_handle_cpuset_hierarchy(h, cgname)) { + ERROR("Failed to handle legacy cpuset controller"); return false; } -- return mkdir_p(h->fullcgpath, 0755) == 0; -+ return mkdir_p(path, 0755) == 0; - } - static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) -@@ -1341,11 +1352,27 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) +- ret = mkdir_p(h->fullcgpath, 0755); ++ ret = mkdir_p(path, 0755); + if (ret < 0) { + ERROR("Failed to create cgroup \"%s\"", h->fullcgpath); + return false; +@@ -1766,10 +1779,26 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) h->fullcgpath = NULL; } @@ -176,16 +124,15 @@ index 897336f0..81c589e0 100644 + return ret; +} + - /* - * Try to create the same cgroup in all hierarchies. - * Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999 + /* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern; + * next cgroup_pattern-1, -2, ..., -999. */ -static inline bool cgfsng_create(void *hdata) +static inline bool cgfsng_create(void *hdata, bool inner) { int i; size_t len; -@@ -1357,9 +1384,15 @@ static inline bool cgfsng_create(void *hdata) +@@ -1781,10 +1810,17 @@ static inline bool cgfsng_create(void *hdata) return false; if (d->container_cgroup) { 
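Review bot: In the refreshed create_path_for_hierarchy hunk the directory is now created from `path` (`ret = mkdir_p(path, 0755);`) but the failure branch directly below still reports `h->fullcgpath`, so for the `inner` case the log names the parent cgroup instead of the subdirectory that failed; change it to `ERROR("Failed to create cgroup \"%s\"", path);`. The same mismatch applies to the earlier "already existed" check only if it is reached with `inner` set, which this hunk does show it is. The function starts in the preceding hunk and its tail is outside this one, so where `path` is stored (presumably `h->innercgpath`) or freed on the `return false` branches cannot be confirmed here.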
@@ -194,78 +141,82 @@ index 897336f0..81c589e0 100644 WARN("cgfsng_create called a second time"); return false; } + + if (inner) { + ERROR("cgfsng_create called twice for innner cgroup"); + return false; + } - ++ if (d->cgroup_meta.dir) tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false); -@@ -1395,7 +1428,7 @@ again: - } + else +@@ -1821,7 +1857,7 @@ again: } + for (i = 0; hierarchies[i]; i++) { -- if (!create_path_for_hierarchy(hierarchies[i], cgname)) { -+ if (!create_path_for_hierarchy(hierarchies[i], cgname, false)) { +- if (!create_path_for_hierarchy(hierarchies[i], container_cgroup)) { ++ if (!create_path_for_hierarchy(hierarchies[i], container_cgroup, false)) { int j; - ERROR("Failed to create \"%s\"", hierarchies[i]->fullcgpath); + ERROR("Failed to create cgroup \"%s\"", hierarchies[i]->fullcgpath); free(hierarchies[i]->fullcgpath); -@@ -1415,7 +1448,7 @@ out_free: +@@ -1843,7 +1879,7 @@ out_free: return false; } -static bool cgfsng_enter(void *hdata, pid_t pid) +static bool cgfsng_enter(void *hdata, pid_t pid, bool inner) { - char pidstr[25]; int i, len; -@@ -1425,7 +1458,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid) - return false; + char pidstr[25]; +@@ -1856,8 +1892,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid) + int ret; + char *fullpath; - for (i = 0; hierarchies[i]; i++) { -- char *fullpath = must_make_path(hierarchies[i]->fullcgpath, -+ char *fullpath; +- fullpath = must_make_path(hierarchies[i]->fullcgpath, +- "cgroup.procs", NULL); + if (inner) + fullpath = must_make_path(hierarchies[i]->fullcgpath, -+ CGROUP_NAMESPACE_SUBDIR, -+ "cgroup.procs", NULL); ++ CGROUP_NAMESPACE_SUBDIR, ++ "cgroup.procs", NULL); + else + fullpath = must_make_path(hierarchies[i]->fullcgpath, - "cgroup.procs", NULL); - if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { - SYSERROR("Failed to enter %s", fullpath); -@@ -1441,6 +1480,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid) - struct chown_data { - 
struct cgfsng_handler_data *d; - uid_t origuid; /* target uid in parent namespace */ -+ bool inner; - }; - - /* -@@ -1469,13 +1509,20 @@ static int chown_cgroup_wrapper(void *data) - for (i = 0; hierarchies[i]; i++) { - char *fullpath, *path = hierarchies[i]->fullcgpath; ++ "cgroup.procs", NULL); + ret = lxc_write_to_file(fullpath, pidstr, len, false); + if (ret != 0) { + SYSERROR("Failed to enter cgroup \"%s\"", fullpath); +@@ -1933,9 +1974,15 @@ static int chown_cgroup_wrapper(void *data) + char *fullpath; + char *path = hierarchies[i]->fullcgpath; + if (arg->inner) + path = must_make_path(path, CGROUP_NAMESPACE_SUBDIR, NULL); + - if (chown(path, destuid, 0) < 0) { - SYSERROR("Error chowning %s to %d", path, (int) destuid); + ret = chowmod(path, destuid, nsgid, 0775); +- if (ret < 0) ++ if (ret < 0) { + if (arg->inner) + free(path); return -1; - } ++ } - if (chmod(path, 0775) < 0) { - SYSERROR("Error chmoding %s", path); + /* Failures to chown() these are inconvenient but not + * detrimental We leave these owned by the container launcher, +@@ -1954,8 +2001,11 @@ static int chown_cgroup_wrapper(void *data) + (void)chowmod(fullpath, destuid, 0, 0664); + free(fullpath); + +- if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC) ++ if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC) { + if (arg->inner) + free(path); - return -1; - } + continue; ++ } -@@ -1501,12 +1548,14 @@ static int chown_cgroup_wrapper(void *data) - if (chmod(fullpath, 0664) < 0) - WARN("Error chmoding %s: %s", path, strerror(errno)); + fullpath = must_make_path(path, "cgroup.subtree_control", NULL); + (void)chowmod(fullpath, destuid, nsgid, 0664); +@@ -1964,12 +2014,14 @@ static int chown_cgroup_wrapper(void *data) + fullpath = must_make_path(path, "cgroup.threads", NULL); + (void)chowmod(fullpath, destuid, nsgid, 0664); free(fullpath); + if (arg->inner) + free(path); 
@@ -274,29 +225,31 @@ index 897336f0..81c589e0 100644 return 0; } --static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) -+static bool cgfsns_chown(void *hdata, struct lxc_conf *conf, bool inner) +-static bool cgfsng_chown(void *hdata, struct lxc_conf *conf) ++static bool cgfsng_chown(void *hdata, struct lxc_conf *conf, bool inner) { struct cgfsng_handler_data *d = hdata; - struct chown_data wrap; -@@ -1519,6 +1568,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) - + struct generic_userns_exec_data wrap; +@@ -1984,6 +2036,7 @@ static bool cgfsng_chown(void *hdata, struct lxc_conf *conf) + wrap.path = NULL; wrap.d = d; - wrap.origuid = geteuid(); + wrap.conf = conf; + wrap.inner = inner; if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, "chown_cgroup_wrapper") < 0) { -@@ -1815,12 +1865,15 @@ static bool cgfsng_unfreeze(void *hdata) +@@ -2366,7 +2419,7 @@ static bool cgfsng_unfreeze(void *hdata) return true; } --static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem) -+static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem, bool inner) +-static const char *cgfsng_get_cgroup(void *hdata, const char *controller) ++static const char *cgfsng_get_cgroup(void *hdata, const char *controller, bool inner) { - struct hierarchy *h = get_hierarchy(subsystem); - if (!h) + struct hierarchy *h; + +@@ -2377,6 +2430,9 @@ static const char *cgfsng_get_cgroup(void *hdata, const char *controller) return NULL; + } + if (inner && h->innercgpath) + return h->innercgpath + strlen(h->mountpoint); 
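Review bot: The new early-exit added to cgfsng_create spells its error text with a triple n, `ERROR("cgfsng_create called twice for innner cgroup");`; since this string is what lands in the log, it should read `ERROR("cgfsng_create called twice for inner cgroup");`. In chown_cgroup_wrapper the `inner` branch replaces `path` with a heap copy from must_make_path and each of the new bail-outs (`ret < 0`, the non-v2 `continue`, the end of the iteration) frees it, which looks consistent as far as this hunk shows. A one-line comment on the `if (arg->inner)` reassignment noting that `path` is owned from that point on would make the conditional frees easier to keep correct.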
@@ -304,90 +257,20 @@ index 897336f0..81c589e0 100644 return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL; } -@@ -1848,7 +1901,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) - char *path, *fullpath; - struct hierarchy *h = hierarchies[i]; +@@ -2408,7 +2464,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name, + int fret = -1, idx = 0; + char *base_path = NULL, *container_cgroup = NULL, *full_path = NULL; -- path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]); -+ path = lxc_cmd_get_attach_cgroup_path(name, lxcpath, h->controllers[0]); - if (!path) /* not running */ - continue; - -diff --git a/src/lxc/cgroups/cgmanager.c b/src/lxc/cgroups/cgmanager.c -index 054eb171..04ae3a16 100644 ---- a/src/lxc/cgroups/cgmanager.c -+++ b/src/lxc/cgroups/cgmanager.c -@@ -610,7 +610,7 @@ static inline void cleanup_cgroups(char *path) - cgm_remove_cgroup(slist[i], path); - } - --static inline bool cgm_create(void *hdata) -+static inline bool cgm_create(void *hdata, bool inner) - { - struct cgm_data *d = hdata; - char **slist = subsystems; -@@ -618,6 +618,9 @@ static inline bool cgm_create(void *hdata) - int32_t existed; - char result[MAXPATHLEN], *tmp, *cgroup_path; - -+ if (inner) -+ return true; -+ - if (!d) - return false; - -@@ -710,13 +713,16 @@ static bool lxc_cgmanager_enter(pid_t pid, const char *controller, - return true; - } - --static inline bool cgm_enter(void *hdata, pid_t pid) -+static inline bool cgm_enter(void *hdata, pid_t pid, bool inner) - { - struct cgm_data *d = hdata; - char **slist = subsystems; - bool ret = false; - int i; - -+ if (inner) -+ return true; -+ - if (!d || !d->cgroup_path) - return false; - -@@ -738,10 +744,12 @@ out: - return ret; - } - --static const char *cgm_get_cgroup(void *hdata, const char *subsystem) -+static const char *cgm_get_cgroup(void *hdata, const char *subsystem, bool inner) - { - struct cgm_data *d = hdata; - -+ (void)inner; -+ - if (!d || 
!d->cgroup_path) - return NULL; - return d->cgroup_path; -@@ -1542,10 +1550,13 @@ out: - return ret; - } - --static bool cgm_chown(void *hdata, struct lxc_conf *conf) -+static bool cgm_chown(void *hdata, struct lxc_conf *conf, bool inner) - { - struct cgm_data *d = hdata; - -+ if (inner) -+ return true; -+ - if (!d || !d->cgroup_path) - return false; - if (!cgm_dbus_connect()) { +- container_cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); ++ container_cgroup = lxc_cmd_get_attach_cgroup_path(name, lxcpath, controller); + /* not running */ + if (!container_cgroup) + return 0; diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c -index 674e3090..6f0d2fe8 100644 +index 9e7b26e0..ec45dd39 100644 --- a/src/lxc/cgroups/cgroup.c +++ b/src/lxc/cgroups/cgroup.c -@@ -80,19 +80,19 @@ void cgroup_destroy(struct lxc_handler *handler) +@@ -73,19 +73,19 @@ void cgroup_destroy(struct lxc_handler *handler) } /* Create the container cgroups for all requested controllers. */ @@ -411,7 +294,7 @@ index 674e3090..6f0d2fe8 100644 return false; } -@@ -106,10 +106,11 @@ bool cgroup_create_legacy(struct lxc_handler *handler) +@@ -99,10 +99,11 @@ bool cgroup_create_legacy(struct lxc_handler *handler) } const char *cgroup_get_cgroup(struct lxc_handler *handler, @@ -425,7 +308,7 @@ index 674e3090..6f0d2fe8 100644 return NULL; } -@@ -155,10 +156,10 @@ bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices) +@@ -148,10 +149,10 @@ bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices) return false; } @@ -439,7 +322,7 @@ index 674e3090..6f0d2fe8 100644 return true; } diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h -index f17a6abe..f05fda4e 100644 +index 0f04e8b7..3a63133d 100644 --- a/src/lxc/cgroups/cgroup.h +++ b/src/lxc/cgroups/cgroup.h @@ -28,6 +28,12 @@ 
@@ -455,7 +338,7 @@ index f17a6abe..f05fda4e 100644 struct lxc_handler; struct lxc_conf; struct lxc_list; -@@ -43,10 +49,10 @@ struct cgroup_ops { +@@ -45,10 +51,10 @@ struct cgroup_ops { void *(*init)(struct lxc_handler *handler); void (*destroy)(void *hdata, struct lxc_conf *conf); @@ -469,16 +352,16 @@ index f17a6abe..f05fda4e 100644 bool (*escape)(); int (*num_hierarchies)(); bool (*get_hierarchies)(int n, char ***out); -@@ -54,7 +60,7 @@ struct cgroup_ops { +@@ -56,7 +62,7 @@ struct cgroup_ops { int (*get)(const char *filename, char *value, size_t len, const char *name, const char *lxcpath); bool (*unfreeze)(void *hdata); - bool (*setup_limits)(void *hdata, struct lxc_list *cgroup_conf, bool with_devices); + bool (*setup_limits)(void *hdata, struct lxc_conf *conf, bool with_devices); - bool (*chown)(void *hdata, struct lxc_conf *conf); + bool (*chown)(void *hdata, struct lxc_conf *conf, bool inner); bool (*attach)(const char *name, const char *lxcpath, pid_t pid); bool (*mount_cgroup)(void *hdata, const char *root, int type); int (*nrtasks)(void *hdata); -@@ -66,14 +72,14 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid); +@@ -67,15 +73,16 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid); extern bool cgroup_mount(const char *root, struct lxc_handler *handler, int type); extern void cgroup_destroy(struct lxc_handler *handler); extern bool cgroup_init(struct lxc_handler *handler); 
@@ -492,16 +375,18 @@ index f17a6abe..f05fda4e 100644 extern void cgroup_cleanup(struct lxc_handler *handler); extern bool cgroup_create_legacy(struct lxc_handler *handler); extern int cgroup_nrtasks(struct lxc_handler *handler); --extern const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem); -+extern const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem, bool inner); + extern const char *cgroup_get_cgroup(struct lxc_handler *handler, +- const char *subsystem); ++ const char *subsystem, ++ bool inner); extern bool cgroup_escape(); extern int cgroup_num_hierarchies(); extern bool cgroup_get_hierarchies(int i, char ***out); diff --git a/src/lxc/commands.c b/src/lxc/commands.c -index 68fbd387..ccdbeeba 100644 +index 54e9f75c..df5a9907 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c -@@ -410,30 +410,29 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, +@@ -426,20 +426,8 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, return lxc_cmd_rsp_send(fd, &rsp); } 
@@ -518,35 +403,34 @@ index 68fbd387..ccdbeeba 100644 - * returned path. - */ -char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, -- const char *subsystem) -+static char *do_lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, -+ const char *subsystem, -+ bool inner) +- const char *subsystem) ++char *do_lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, ++ const char *subsystem, bool inner) { int ret, stopped; -+ size_t subsyslen = strlen(subsystem); -+ struct lxc_cmd_rr cmd = { - .req = { - .cmd = LXC_CMD_GET_CGROUP, -- .datalen = strlen(subsystem)+1, -+ .datalen = subsyslen+1, - .data = subsystem, - }, - }; +@@ -452,8 +440,18 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, -+ if (inner) { -+ char *data = alloca(subsyslen+2); -+ memcpy(data, subsystem, subsyslen+1); -+ data[subsyslen+1] = 1; -+ cmd.req.datalen = subsyslen+2, -+ cmd.req.data = data; + cmd.req.data = subsystem; + cmd.req.datalen = 0; +- if (subsystem) +- cmd.req.datalen = strlen(subsystem) + 1; ++ if (subsystem) { ++ size_t subsyslen = strlen(subsystem); ++ if (inner) { ++ char *data = alloca(subsyslen+2); ++ memcpy(data, subsystem, subsyslen+1); ++ data[subsyslen+1] = 1; ++ cmd.req.datalen = subsyslen+2, ++ cmd.req.data = data; ++ } else { ++ cmd.req.datalen = subsyslen+1; ++ } + } -+ + ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); - if (ret < 0) { - TRACE("command %s failed for container \"%s\": %s.", -@@ -458,16 +457,61 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, + if (ret < 0) +@@ -468,16 +466,63 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, return cmd.rsp.data; } 
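Review bot: In do_lxc_cmd_get_cgroup_path the `inner` branch ends with a comma operator, `cmd.req.datalen = subsyslen+2, cmd.req.data = data;`, which compiles to the intended two assignments but reads as a typo; terminate the first statement with `;`. The refreshed version also drops the `static` that the 2.1.1 variant of this patch had on the helper, while the commands.h hunk further down declares only the two public wrappers, so the symbol is now exported without a prototype; `static char *do_lxc_cmd_get_cgroup_path(...)` should be restored unless another file needs it. The marker byte written after the terminator (`data[subsyslen+1] = 1`) is an in-band protocol extension decoded in a different function, so a short comment above `if (inner)` stating that a trailing 0x01 after the NUL requests the inner path would help the next reader.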
@@ -585,35 +469,40 @@ index 68fbd387..ccdbeeba 100644 +{ + return do_lxc_cmd_get_cgroup_path(name, lxcpath, subsystem, true); +} -+ + static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, struct lxc_handler *handler) { - struct lxc_cmd_rsp rsp; const char *path; -+ const char *subsystem; -+ size_t subsyslen; -+ bool inner = false; + struct lxc_cmd_rsp rsp; - if (req->datalen < 1) - return -1; - -- path = cgroup_get_cgroup(handler, req->data); -+ subsystem = req->data; -+ subsyslen = strlen(subsystem); -+ if (req->datalen == subsyslen+2) -+ inner = (subsystem[subsyslen+1] == 1); +- if (req->datalen > 0) +- path = cgroup_get_cgroup(handler, req->data); +- else +- path = cgroup_get_cgroup(handler, NULL); ++ if (req->datalen > 0) { ++ const char *subsystem; ++ size_t subsyslen; ++ bool inner = false; ++ subsystem = req->data; ++ subsyslen = strlen(subsystem); ++ if (req->datalen == subsyslen+2) ++ inner = (subsystem[subsyslen+1] == 1); + -+ path = cgroup_get_cgroup(handler, req->data, inner); ++ path = cgroup_get_cgroup(handler, req->data, inner); ++ } else { ++ // FIXME: cgroup separation for cgroup v2 cannot be handled ++ // like we used to do v1 here... need to figure this out... ++ path = cgroup_get_cgroup(handler, NULL, false); ++ } if (!path) return -1; - rsp.datalen = strlen(path) + 1, + diff --git a/src/lxc/commands.h b/src/lxc/commands.h -index 28428c77..9557dcaa 100644 +index 816cd748..e16c0d79 100644 --- a/src/lxc/commands.h +++ b/src/lxc/commands.h -@@ -82,6 +82,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd, +@@ -93,6 +93,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd, */ extern char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, const char *subsystem); @@ -623,7 +512,7 @@ index 28428c77..9557dcaa 100644 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath); extern char *lxc_cmd_get_name(const char *hashed_sock); 
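Review bot: lxc_cmd_get_cgroup_callback now computes `strlen(subsystem)` on `req->data` and then indexes `subsystem[subsyslen+1]` without first establishing that the request payload is NUL-terminated within `req->datalen`; the previous code passed `req->data` straight through, so an unterminated payload is not a new hazard, but the added arithmetic makes bounding it worthwhile: `subsyslen = strnlen(subsystem, req->datalen); if (subsyslen == req->datalen) return -1;` before the `req->datalen == subsyslen+2` comparison. The `else` branch keeps the FIXME and calls `cgroup_get_cgroup(handler, NULL, false)` for the controller-less query, so on the unified hierarchy the reply is the outer, limiting cgroup path that the rest of this patch series exists to keep out of the container's view; if that is accepted for this release the FIXME should say so, rather than only that the v2 case is unresolved. The remainder of the callback (building and sending `rsp`) continues past this hunk.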
diff --git a/src/lxc/criu.c b/src/lxc/criu.c -index 96688edc..539ae8bd 100644 +index f60a6e15..7c8a8aee 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -324,7 +324,7 @@ static void exec_criu(struct criu_opts *opts) @@ -635,7 +524,7 @@ index 96688edc..539ae8bd 100644 if (!p) { ERROR("failed to get cgroup path for %s", controllers[0]); goto err; -@@ -857,7 +857,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ +@@ -958,7 +958,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ goto out_fini_handler; } @@ -645,19 +534,19 @@ index 96688edc..539ae8bd 100644 goto out_fini_handler; } diff --git a/src/lxc/start.c b/src/lxc/start.c -index a6a40c72..920f3c23 100644 +index f66f50a7..772eacc2 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1217,7 +1217,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1556,7 +1556,7 @@ static int lxc_spawn(struct lxc_handler *handler) cgroups_connected = true; - if (!cgroup_create(handler)) { + if (!cgroup_create(handler, false)) { - ERROR("Failed creating cgroups."); + ERROR("Failed creating cgroups"); goto out_delete_net; } -@@ -1292,10 +1292,10 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1650,10 +1650,10 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } 
@@ -669,19 +558,20 @@ index a6a40c72..920f3c23 100644 + if (!cgroup_chown(handler, false)) goto out_delete_net; - handler->netnsfd = lxc_preserve_ns(handler->pid, "net"); -@@ -1338,15 +1338,30 @@ static int lxc_spawn(struct lxc_handler *handler) - goto out_delete_net; + /* Now we're ready to preserve the network namespace */ +@@ -1714,16 +1714,30 @@ static int lxc_spawn(struct lxc_handler *handler) + } } -- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE)) +- ret = lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE); +- if (ret < 0) - goto out_delete_net; - if (!cgroup_setup_limits(handler, true)) { - ERROR("Failed to setup the devices cgroup for container \"%s\".", name); + ERROR("Failed to setup legacy device cgroup controller limits"); goto out_delete_net; } - TRACE("Set up cgroup device limits"); + TRACE("Set up legacy device cgroup controller limits"); + if (cgns_supported()) { + if (!cgroup_create(handler, true)) { diff --git a/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch b/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch index 4beb179..e672b53 100644 --- a/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch +++ b/debian/patches/0005-start-initutils-make-cgroupns-separation-level-confi.patch @@ -1,8 +1,7 @@ -From ef58cfcf70fbe666acee0c407f77a22eeb1eec4f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller -Date: Wed, 16 Nov 2016 09:53:42 +0100 -Subject: [PATCH 05/13] start/initutils: make cgroupns separation level - configurable +Date: Wed, 28 Mar 2018 13:41:46 +0200 +Subject: [PATCH] start/initutils: make cgroupns separation level configurable Adds a new global config variable `lxc.cgroup.separate` which controls whether a separation directory for cgroup @@ -17,10 +16,10 @@ Signed-off-by: Wolfgang Bumiller 3 files changed, 24 insertions(+), 19 deletions(-) 
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c -index c190d6d5..97650e67 100644 +index 56926fb5..c5f19ca8 100644 --- a/src/lxc/initutils.c +++ b/src/lxc/initutils.c -@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p) +@@ -49,14 +49,15 @@ static char *copy_global_config_value(char *p) const char *lxc_global_config_value(const char *option_name) { static const char * const options[][2] = { @@ -45,23 +44,23 @@ index c190d6d5..97650e67 100644 }; diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h -index c021fd61..443ad026 100644 +index ec44554e..6532f301 100644 --- a/src/lxc/initutils.h +++ b/src/lxc/initutils.h -@@ -43,6 +43,7 @@ +@@ -42,6 +42,7 @@ #define DEFAULT_THIN_POOL "lxc" #define DEFAULT_ZFSROOT "lxc" #define DEFAULT_RBDPOOL "lxc" +#define DEFAULT_CGPROTECT "privileged" - extern void lxc_setup_fs(void); - extern const char *lxc_global_config_value(const char *option_name); + #ifndef PR_SET_MM + #define PR_SET_MM 35 diff --git a/src/lxc/start.c b/src/lxc/start.c -index 920f3c23..89e9be96 100644 +index 772eacc2..ae13aae9 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1345,17 +1345,20 @@ static int lxc_spawn(struct lxc_handler *handler) - TRACE("Set up cgroup device limits"); +@@ -1721,17 +1721,20 @@ static int lxc_spawn(struct lxc_handler *handler) + TRACE("Set up legacy device cgroup controller limits"); if (cgns_supported()) { - if (!cgroup_create(handler, true)) { diff --git a/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch b/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch index 9a570bc..7a5bf96 100644 --- a/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch +++ b/debian/patches/0006-rename-cgroup-namespace-directory-to-ns.patch @@ -1,7 +1,7 @@ -From 1341290e8af87aab15e844abb1a1451cb21ec275 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Fri, 23 Dec 2016 15:57:24 +0100 -Subject: [PATCH 06/13] rename cgroup namespace directory to ns +Subject: [PATCH] rename cgroup namespace directory to ns Signed-off-by: Wolfgang Bumiller --- @@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h -index f05fda4e..34c9d89c 100644 +index 3a63133d..544742df 100644 --- a/src/lxc/cgroups/cgroup.h +++ b/src/lxc/cgroups/cgroup.h @@ -32,7 +32,7 @@ diff --git a/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch b/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch index 1eb458e..411830c 100644 --- a/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch +++ b/debian/patches/0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch @@ -1,7 +1,7 @@ -From 6811fb42be10c4eaf026be35914c546a95520b9e Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 20 Nov 2017 10:49:41 +0100 -Subject: [PATCH 07/13] possibility to run lxc-monitord as a regular daemon +Subject: [PATCH] possibility to run lxc-monitord as a regular daemon lxc-monitord instances are spawned on demand and, if this happens from a service, the daemon is considered part of @@ -14,7 +14,7 @@ Signed-off-by: Wolfgang Bumiller config/init/systemd/lxc-monitord.service.in | 12 ++++++ configure.ac | 1 + lxc.spec.in | 1 + - src/lxc/lxc_monitord.c | 60 +++++++++++++++++++++-------- + src/lxc/cmd/lxc_monitord.c | 60 +++++++++++++++++++++-------- 5 files changed, 63 insertions(+), 21 deletions(-) create mode 100644 config/init/systemd/lxc-monitord.service.in @@ -67,10 +67,10 @@ index 00000000..40635168 +[Install] +WantedBy=multi-user.target diff --git a/configure.ac b/configure.ac -index 5566d298..31822e58 100644 +index 50c99836..efe56991 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -709,6 +709,7 @@ AC_CONFIG_FILES([ +@@ -658,6 +658,7 @@ AC_CONFIG_FILES([ config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service @@ -79,10 +79,10 @@ index 5566d298..31822e58 100644 config/init/sysvinit/lxc-containers config/init/sysvinit/lxc-net diff --git a/lxc.spec.in b/lxc.spec.in -index e31115de..36ab7d9d 100644 +index 004ced26..1adbb6bd 100644 --- a/lxc.spec.in +++ b/lxc.spec.in -@@ -260,6 +260,7 @@ fi +@@ -235,6 +235,7 @@ fi %{_unitdir}/lxc-net.service %{_unitdir}/lxc.service %{_unitdir}/lxc@.service @@ -90,11 +90,11 @@ index e31115de..36ab7d9d 100644 %else %{_sysconfdir}/rc.d/init.d/lxc %{_sysconfdir}/rc.d/init.d/lxc-net -diff --git a/src/lxc/lxc_monitord.c b/src/lxc/lxc_monitord.c -index c4c2ba0d..c3534e3d 100644 ---- a/src/lxc/lxc_monitord.c -+++ b/src/lxc/lxc_monitord.c -@@ -345,17 +345,44 @@ static void lxc_monitord_sig_handler(int sig) +diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c +index 99f2bdb8..2bc44dea 100644 +--- a/src/lxc/cmd/lxc_monitord.c ++++ b/src/lxc/cmd/lxc_monitord.c +@@ -346,17 +346,44 @@ static void lxc_monitord_sig_handler(int sig) int main(int argc, char *argv[]) { @@ -143,7 +143,7 @@ index c4c2ba0d..c3534e3d 100644 "NOTE: lxc-monitord is intended for use by lxc internally\n" " and does not need to be run by hand\n\n"); exit(EXIT_FAILURE); -@@ -377,9 +404,6 @@ int main(int argc, char *argv[]) +@@ -378,9 +405,6 @@ int main(int argc, char *argv[]) INFO("Failed to open log file %s, log will be lost.", lxcpath); lxc_log_options_no_override(); @@ -153,7 +153,7 @@ index c4c2ba0d..c3534e3d 100644 if (sigfillset(&mask) || sigdelset(&mask, SIGILL) || sigdelset(&mask, SIGSEGV) || -@@ -411,15 +435,17 @@ int main(int argc, char *argv[]) +@@ -412,15 +436,17 @@ int main(int argc, char *argv[]) goto on_error; monitord_created = true; 
@@ -180,9 +180,9 @@ index c4c2ba0d..c3534e3d 100644 if (lxc_monitord_mainloop_add(&mon)) { ERROR("Failed to add mainloop handlers."); -@@ -429,7 +455,7 @@ int main(int argc, char *argv[]) +@@ -430,7 +456,7 @@ int main(int argc, char *argv[]) NOTICE("lxc-monitord with pid %d is now monitoring lxcpath %s.", - getpid(), mon.lxcpath); + lxc_raw_getpid(), mon.lxcpath); for (;;) { - ret = lxc_mainloop(&mon.descr, 1000 * 30); + ret = lxc_mainloop(&mon.descr, persistent ? -1 : 1000 * 30); diff --git a/debian/patches/0008-Make-lxc-.service-forking.patch b/debian/patches/0008-Make-lxc-.service-forking.patch index 32e7b70..558cb90 100644 --- a/debian/patches/0008-Make-lxc-.service-forking.patch +++ b/debian/patches/0008-Make-lxc-.service-forking.patch @@ -1,7 +1,7 @@ -From 2001f560675efca7d6dcabe8fb8b376442d5d6d0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 20 Nov 2017 10:51:36 +0100 -Subject: [PATCH 08/13] Make lxc@.service forking +Subject: [PATCH] Make lxc@.service forking Previously the init process' output was dumped into the log files since the service used Type=simple and diff --git a/debian/patches/0009-console-non-functional-changes.patch b/debian/patches/0009-console-non-functional-changes.patch deleted file mode 100644 index 13c2cab..0000000 --- a/debian/patches/0009-console-non-functional-changes.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 105ec17dbcad4fc48183a824df13b825974848bb Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Mon, 23 Oct 2017 13:41:33 +0200 -Subject: [PATCH 09/13] console: non-functional changes - -Signed-off-by: Christian Brauner ---- - src/lxc/console.c | 39 +++++++++++++++++++++++---------------- - 1 file changed, 23 insertions(+), 16 deletions(-) - -diff --git a/src/lxc/console.c b/src/lxc/console.c -index c8e545eb..3592662b 100644 ---- a/src/lxc/console.c -+++ b/src/lxc/console.c -@@ -498,9 +498,13 @@ out: - - void lxc_console_delete(struct lxc_console *console) - { -- if (console->tios && console->peer >= 0 && -- tcsetattr(console->peer, TCSAFLUSH, console->tios)) -- WARN("failed to set old terminal settings"); -+ int ret; -+ -+ if (console->tios && console->peer >= 0) { -+ ret = tcsetattr(console->peer, TCSAFLUSH, console->tios); -+ if (ret < 0) -+ WARN("%s - Failed to set old terminal settings", strerror(errno)); -+ } - free(console->tios); - console->tios = NULL; - -@@ -509,7 +513,6 @@ void lxc_console_delete(struct lxc_console *console) - close(console->slave); - if (console->log_fd >= 0) - close(console->log_fd); -- - console->peer = -1; - console->master = -1; - console->slave = -1; -@@ -518,57 +521,61 @@ void lxc_console_delete(struct lxc_console *console) - - int lxc_console_create(struct lxc_conf *conf) - { -+ int ret, saved_errno; - struct lxc_console *console = &conf->console; -- int ret; - - if (!conf->rootfs.path) { -- INFO("container does not have a rootfs, console device will be shared with the host"); -+ INFO("Container does not have a rootfs. 
The console will be " -+ "shared with the host"); - return 0; - } - - if (console->path && !strcmp(console->path, "none")) { -- INFO("no console requested"); -+ INFO("No console was requested"); - return 0; - } - - process_lock(); - ret = openpty(&console->master, &console->slave, console->name, NULL, NULL); -+ saved_errno = errno; - process_unlock(); - if (ret < 0) { -- SYSERROR("failed to allocate a pty"); -+ ERROR("%s - Failed to allocate a pty", strerror(saved_errno)); - return -1; - } - -- if (fcntl(console->master, F_SETFD, FD_CLOEXEC)) { -- SYSERROR("failed to set console master to close-on-exec"); -+ ret = fcntl(console->master, F_SETFD, FD_CLOEXEC); -+ if (ret < 0) { -+ SYSERROR("Failed to set FD_CLOEXEC flag on console master"); - goto err; - } - -- if (fcntl(console->slave, F_SETFD, FD_CLOEXEC)) { -- SYSERROR("failed to set console slave to close-on-exec"); -+ ret = fcntl(console->slave, F_SETFD, FD_CLOEXEC); -+ if (ret < 0) { -+ SYSERROR("Failed to set FD_CLOEXEC flag on console slave"); - goto err; - } - - ret = lxc_console_peer_default(console); - if (ret < 0) { -- ERROR("failed to allocate peer tty device"); -+ ERROR("Failed to allocate a peer pty device"); - goto err; - } - - if (console->log_path) { - console->log_fd = lxc_unpriv(open(console->log_path, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0600)); - if (console->log_fd < 0) { -- SYSERROR("failed to open console log file \"%s\"", console->log_path); -+ SYSERROR("Failed to open console log file \"%s\"", console->log_path); - goto err; - } -- DEBUG("using \"%s\" as console log file", console->log_path); -+ DEBUG("Using \"%s\" as console log file", console->log_path); - } - - return 0; - - err: - lxc_console_delete(console); -- return -1; -+ return -ENODEV; - } - - int lxc_console_set_stdfds(int fd) --- -2.11.0 - diff --git a/debian/patches/0010-console-non-functional-changes.patch b/debian/patches/0010-console-non-functional-changes.patch deleted file mode 100644 index ff2724a..0000000 
--- a/debian/patches/0010-console-non-functional-changes.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 7394b5c772b562f239b4138b11ecc8493b4c30b4 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Thu, 26 Oct 2017 17:33:10 +0200 -Subject: [PATCH 10/13] console: non-functional changes - -Signed-off-by: Christian Brauner ---- - src/lxc/console.c | 61 +++++++++++++++++++++++++++++-------------------------- - 1 file changed, 32 insertions(+), 29 deletions(-) - -diff --git a/src/lxc/console.c b/src/lxc/console.c -index 3592662b..eda5be62 100644 ---- a/src/lxc/console.c -+++ b/src/lxc/console.c -@@ -678,18 +678,16 @@ int lxc_console(struct lxc_container *c, int ttynum, - istty = isatty(stdinfd); - if (istty) { - ret = lxc_setup_tios(stdinfd, &oldtios); -- if (ret) { -- ERROR("failed to setup terminal properties"); -+ if (ret < 0) - return -1; -- } - } else { -- INFO("fd %d does not refer to a tty device", stdinfd); -+ INFO("File descriptor %d does not refer to a tty device", stdinfd); - } - - ttyfd = lxc_cmd_console(c->name, &ttynum, &masterfd, c->config_path); - if (ttyfd < 0) { - ret = ttyfd; -- goto err1; -+ goto restore_tios; - } - - fprintf(stderr, "\n" -@@ -699,13 +697,13 @@ int lxc_console(struct lxc_container *c, int ttynum, - ttynum, 'a' + escape - 1); - - ret = setsid(); -- if (ret) -- INFO("already group leader"); -+ if (ret < 0) -+ TRACE("Process is already group leader"); - - ts = lxc_console_sigwinch_init(stdinfd, masterfd); - if (!ts) { - ret = -1; -- goto err2; -+ goto close_fds; - } - ts->escape = escape; - ts->winch_proxy = c->name; -@@ -719,52 +717,57 @@ int lxc_console(struct lxc_container *c, int ttynum, - - ret = lxc_mainloop_open(&descr); - if (ret) { -- ERROR("failed to create mainloop"); -- goto err3; -+ ERROR("Failed to create mainloop"); -+ goto sigwinch_fini; - } - - if (ts->sigfd != -1) { - ret = lxc_mainloop_add_handler(&descr, ts->sigfd, -- lxc_console_cb_sigwinch_fd, ts); -- if (ret) { -- ERROR("failed to add handler for SIGWINCH fd"); -- goto err4; -+ lxc_console_cb_sigwinch_fd, ts); -+ if (ret < 0) { -+ 
ERROR("Failed to add SIGWINCH handler"); -+ goto close_mainloop; - } - } - - ret = lxc_mainloop_add_handler(&descr, ts->stdinfd, - lxc_console_cb_tty_stdin, ts); -- if (ret) { -- ERROR("failed to add handler for stdinfd"); -- goto err4; -+ if (ret < 0) { -+ ERROR("Failed to add stdin handler"); -+ goto close_mainloop; - } - - ret = lxc_mainloop_add_handler(&descr, ts->masterfd, - lxc_console_cb_tty_master, ts); -- if (ret) { -- ERROR("failed to add handler for masterfd"); -- goto err4; -+ if (ret < 0) { -+ ERROR("Failed to add master handler"); -+ goto close_mainloop; - } - - ret = lxc_mainloop(&descr, -1); -- if (ret) { -- ERROR("mainloop returned an error"); -- goto err4; -+ if (ret < 0) { -+ ERROR("The mainloop returned an error"); -+ goto close_mainloop; - } - - ret = 0; - --err4: -+close_mainloop: - lxc_mainloop_close(&descr); --err3: -+ -+sigwinch_fini: - lxc_console_sigwinch_fini(ts); --err2: -+ -+close_fds: - close(masterfd); - close(ttyfd); --err1: -+ -+restore_tios: - if (istty) { -- if (tcsetattr(stdinfd, TCSAFLUSH, &oldtios) < 0) -- WARN("failed to reset terminal properties: %s.", strerror(errno)); -+ istty = tcsetattr(stdinfd, TCSAFLUSH, &oldtios); -+ if (istty < 0) -+ WARN("%s - Failed to restore terminal properties", -+ strerror(errno)); - } - - return ret; --- -2.11.0 - diff --git a/debian/patches/0011-console-fix-console-info-message.patch b/debian/patches/0011-console-fix-console-info-message.patch deleted file mode 100644 index ace2a38..0000000 --- a/debian/patches/0011-console-fix-console-info-message.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From c8a9c9c9f6c189164a2eedd0d1e99905cb0a8672 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Fri, 10 Nov 2017 19:07:38 +0100 -Subject: [PATCH 11/13] console: fix console info message - -Now it will be displayed nicely formatted: - -a1 login: chb@conventiont|~ -> lxc console a1 - -Connected to tty 0 -Type to exit the console, to enter Ctrl+a itself - -Ubuntu 17.10 a1 console - -a1 login: - -Signed-off-by: Christian Brauner ---- - src/lxc/console.c | 54 ++++++++++++++++++++++++++---------------------------- - 1 file changed, 26 insertions(+), 28 deletions(-) - -diff --git a/src/lxc/console.c b/src/lxc/console.c -index eda5be62..e95f5c54 100644 ---- a/src/lxc/console.c -+++ b/src/lxc/console.c -@@ -675,26 +675,9 @@ int lxc_console(struct lxc_container *c, int ttynum, - struct lxc_tty_state *ts; - int istty = 0; - -- istty = isatty(stdinfd); -- if (istty) { -- ret = lxc_setup_tios(stdinfd, &oldtios); -- if (ret < 0) -- return -1; -- } else { -- INFO("File descriptor %d does not refer to a tty device", stdinfd); -- } -- - ttyfd = lxc_cmd_console(c->name, &ttynum, &masterfd, c->config_path); -- if (ttyfd < 0) { -- ret = ttyfd; -- goto restore_tios; -- } -- -- fprintf(stderr, "\n" -- "Connected to tty %1$d\n" -- "Type to exit the console, " -- " to enter Ctrl+%2$c itself\n", -- ttynum, 'a' + escape - 1); -+ if (ttyfd < 0) -+ return -1; - - ret = setsid(); - if (ret < 0) -@@ -710,9 +693,12 @@ int lxc_console(struct lxc_container *c, int ttynum, - ts->winch_proxy_lxcpath = c->config_path; - ts->stdoutfd = stdoutfd; - -+ istty = isatty(stdinfd); - if (istty) { - lxc_console_winsz(stdinfd, masterfd); - lxc_cmd_console_winch(ts->winch_proxy, ts->winch_proxy_lxcpath); -+ } else { -+ INFO("File descriptor %d does not refer to a tty device", stdinfd); - } - - ret = lxc_mainloop_open(&descr); -@@ -744,14 +730,34 @@ int lxc_console(struct lxc_container *c, int ttynum, - goto close_mainloop; - } - -+ fprintf(stderr, "\n" -+ "Connected to tty %1$d\n" -+ 
"Type to exit the console, " -+ " to enter Ctrl+%2$c itself\n", -+ ttynum, 'a' + escape - 1); -+ -+ if (istty) { -+ ret = lxc_setup_tios(stdinfd, &oldtios); -+ if (ret < 0) -+ goto close_mainloop; -+ } -+ - ret = lxc_mainloop(&descr, -1); - if (ret < 0) { - ERROR("The mainloop returned an error"); -- goto close_mainloop; -+ goto restore_tios; - } - - ret = 0; - -+restore_tios: -+ if (istty) { -+ istty = tcsetattr(stdinfd, TCSAFLUSH, &oldtios); -+ if (istty < 0) -+ WARN("%s - Failed to restore terminal properties", -+ strerror(errno)); -+ } -+ - close_mainloop: - lxc_mainloop_close(&descr); - -@@ -762,13 +768,5 @@ close_fds: - close(masterfd); - close(ttyfd); - --restore_tios: -- if (istty) { -- istty = tcsetattr(stdinfd, TCSAFLUSH, &oldtios); -- if (istty < 0) -- WARN("%s - Failed to restore terminal properties", -- strerror(errno)); -- } -- - return ret; - } --- -2.11.0 - diff --git a/debian/patches/0012-console-report-detach-message-on-demand.patch b/debian/patches/0012-console-report-detach-message-on-demand.patch deleted file mode 100644 index 2765a1a..0000000 --- a/debian/patches/0012-console-report-detach-message-on-demand.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 1e47ecd9a9367e6cf166c872d3cec26eb4c77aba Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Fri, 10 Nov 2017 19:51:57 +0100 -Subject: [PATCH 12/13] console: report detach message on demand - -When users pass -1 there's there won't be an escape sequence to exit the -console so no need to print a misleading info message about how to detach. - -Signed-off-by: Christian Brauner ---- - src/lxc/console.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/lxc/console.c b/src/lxc/console.c -index e95f5c54..8f6203f0 100644 ---- a/src/lxc/console.c -+++ b/src/lxc/console.c -@@ -730,11 +730,14 @@ int lxc_console(struct lxc_container *c, int ttynum, - goto close_mainloop; - } - -- fprintf(stderr, "\n" -+ if (ts->escape >= 1) { -+ fprintf(stderr, -+ "\n" - "Connected to tty %1$d\n" - "Type to exit the console, " - " to enter Ctrl+%2$c itself\n", - ttynum, 'a' + escape - 1); -+ } - - if (istty) { - ret = lxc_setup_tios(stdinfd, &oldtios); --- -2.11.0 - diff --git a/debian/patches/0013-console-use-correct-escape-sequence-check.patch b/debian/patches/0013-console-use-correct-escape-sequence-check.patch deleted file mode 100644 index 4885de4..0000000 --- a/debian/patches/0013-console-use-correct-escape-sequence-check.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From b50f5a815258541b6da0c772388d93ea303a4f3d Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 11 Nov 2017 23:05:33 +0100 -Subject: [PATCH 13/13] console: use correct escape sequence check - -Signed-off-by: Christian Brauner ---- - src/lxc/console.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lxc/console.c b/src/lxc/console.c -index 8f6203f0..72c01b19 100644 ---- a/src/lxc/console.c -+++ b/src/lxc/console.c -@@ -616,7 +616,7 @@ int lxc_console_cb_tty_stdin(int fd, uint32_t events, void *cbdata, - if (lxc_read_nointr(ts->stdinfd, &c, 1) <= 0) - return 1; - -- if (ts->escape != -1) { -+ if (ts->escape >= 1) { - /* we want to exit the console with Ctrl+a q */ - if (c == ts->escape && !ts->saw_escape) { - ts->saw_escape = 1; --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index c5af9e5..3ff7181 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,8 +6,3 @@ 0006-rename-cgroup-namespace-directory-to-ns.patch 0007-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch 0008-Make-lxc-.service-forking.patch -0009-console-non-functional-changes.patch -0010-console-non-functional-changes.patch -0011-console-fix-console-info-message.patch -0012-console-report-detach-message-on-demand.patch -0013-console-use-correct-escape-sequence-check.patch diff --git a/lxc b/lxc index 31546ce..5b66b6e 160000 --- a/lxc +++ b/lxc @@ -1 +1 @@ -Subproject commit 31546ced8a4cbed1455568934b59e3ba64bfcb63 +Subproject commit 5b66b6ee3e3cd2575a4b9b2eb8190b2b05ab4b42