update patches for lxc-4.0.12
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
parent
9023f211bb
commit
545d7dec6e
@ -18,10 +18,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
5 files changed, 41 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index 5070196cc..9f34f9b1e 100644
|
||||
index fbe965b04..cd78e21cd 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -124,6 +124,7 @@ config/bash/lxc
|
||||
@@ -126,6 +126,7 @@ config/bash/lxc
|
||||
config/init/common/lxc-containers
|
||||
config/init/common/lxc-net
|
||||
config/init/systemd/lxc-autostart-helper
|
||||
@ -60,10 +60,10 @@ index c448850d1..4a4fde5e7 100644
|
||||
|
||||
pkglibexec_SCRIPTS = lxc-apparmor-load
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index e3a0c70bd..2bbf5dd4d 100644
|
||||
index f9fbd7273..079d0d990 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -909,6 +909,7 @@ AC_CONFIG_FILES([
|
||||
@@ -908,6 +908,7 @@ AC_CONFIG_FILES([
|
||||
config/init/systemd/lxc.service
|
||||
config/init/systemd/lxc@.service
|
||||
config/init/systemd/lxc-net.service
|
||||
|
@ -29,7 +29,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
2 files changed, 171 insertions(+)
|
||||
|
||||
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
|
||||
index 6c9271130..3bf62f082 100644
|
||||
index c1054ddbc..0fda37b5e 100644
|
||||
--- a/doc/lxc.container.conf.sgml.in
|
||||
+++ b/doc/lxc.container.conf.sgml.in
|
||||
@@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
@ -87,7 +87,7 @@ index 6c9271130..3bf62f082 100644
|
||||
<term>
|
||||
<option>lxc.cgroup.relative</option>
|
||||
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
|
||||
index 213688060..23ed7837c 100644
|
||||
index 5cb3ecfac..0929ba165 100644
|
||||
--- a/src/lxc/confile.c
|
||||
+++ b/src/lxc/confile.c
|
||||
@@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
|
||||
@ -159,7 +159,7 @@ index 213688060..23ed7837c 100644
|
||||
static int set_config_cgroup_relative(const char *key, const char *value,
|
||||
struct lxc_conf *lxc_conf, void *data)
|
||||
{
|
||||
@@ -3707,6 +3755,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
|
||||
@@ -3711,6 +3759,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
|
||||
return fulllen;
|
||||
}
|
||||
|
||||
@ -218,7 +218,7 @@ index 213688060..23ed7837c 100644
|
||||
static inline int get_config_cgroup_relative(const char *key, char *retv,
|
||||
int inlen, struct lxc_conf *lxc_conf,
|
||||
void *data)
|
||||
@@ -4568,6 +4668,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
|
||||
@@ -4572,6 +4672,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
|
||||
index 3bf62f082..490793ddb 100644
|
||||
index 0fda37b5e..988b846e4 100644
|
||||
--- a/doc/lxc.container.conf.sgml.in
|
||||
+++ b/doc/lxc.container.conf.sgml.in
|
||||
@@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
|
@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
|
||||
1 file changed, 3 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
|
||||
index 23ed7837c..c7e7887f3 100644
|
||||
index 0929ba165..0fdd4fa01 100644
|
||||
--- a/src/lxc/confile.c
|
||||
+++ b/src/lxc/confile.c
|
||||
@@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
|
||||
|
@ -11,7 +11,7 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
|
||||
index cdf82f937..6f9e1621d 100644
|
||||
index 98686f9ed..fe1b1bdb7 100644
|
||||
--- a/doc/api-extensions.md
|
||||
+++ b/doc/api-extensions.md
|
||||
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
|
||||
@ -26,13 +26,13 @@ index cdf82f937..6f9e1621d 100644
|
||||
|
||||
Whether this LXC instance can handle idmapped mounts for the rootfs.
|
||||
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
|
||||
index c2509207d..ae71ff18e 100644
|
||||
index d99adacbe..a10f2e5f3 100644
|
||||
--- a/src/lxc/api_extensions.h
|
||||
+++ b/src/lxc/api_extensions.h
|
||||
@@ -41,6 +41,7 @@ static char *api_extensions[] = {
|
||||
"devpts_fd",
|
||||
@@ -45,6 +45,7 @@ static char *api_extensions[] = {
|
||||
"seccomp_notify_fd_active",
|
||||
"seccomp_proxy_send_notify_fd",
|
||||
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
|
||||
+ "cgroup_advanced_isolation",
|
||||
"idmapped_mounts",
|
||||
"idmapped_mounts_v2",
|
||||
|
@ -12,10 +12,10 @@ Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
|
||||
1 file changed, 57 insertions(+)
|
||||
|
||||
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
|
||||
index 05ae2f441..9ad6627ab 100644
|
||||
index c4d6c962e..0dd6dc487 100644
|
||||
--- a/doc/ja/lxc.container.conf.sgml.in
|
||||
+++ b/doc/ja/lxc.container.conf.sgml.in
|
||||
@@ -2389,6 +2389,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
|
||||
@@ -2425,6 +2425,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -13,7 +13,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
1 file changed, 2 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
|
||||
index cd526ab6b..845270ee5 100644
|
||||
index 77da7bb45..9b98d842b 100644
|
||||
--- a/src/lxc/attach.c
|
||||
+++ b/src/lxc/attach.c
|
||||
@@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload)
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Sat, 13 Nov 2021 18:20:13 +0100
|
||||
Subject: [PATCH lxc] Revert "initutils: use vfork() in lxc_container_init()"
|
||||
|
||||
This reverts commit d65e5e492f740bbb50e3005f97420c3ddae3d595.
|
||||
|
||||
With vfork the child process modifies the parent's memory,
|
||||
so the calls to `signal`, `fprintf` and regular `exit` may
|
||||
be dangerous and might cause conflicting states in the
|
||||
parent.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
---
|
||||
src/lxc/initutils.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
|
||||
index 24baecc88..72278c1f1 100644
|
||||
--- a/src/lxc/initutils.c
|
||||
+++ b/src/lxc/initutils.c
|
||||
@@ -551,7 +551,7 @@ __noreturn int lxc_container_init(int argc, char *const *argv, bool quiet)
|
||||
|
||||
remove_self();
|
||||
|
||||
- pid = vfork();
|
||||
+ pid = fork();
|
||||
if (pid < 0)
|
||||
exit(EXIT_FAILURE);
|
||||
|
@ -1,76 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Fri, 3 Dec 2021 09:13:11 +0100
|
||||
Subject: [PATCH lxc] use 2 sysfs instances for sys:mixed
|
||||
|
||||
In order to facilitate this, the default mount list's
|
||||
'destination' may now be NULL to mean that the source should
|
||||
be unmounted instead.
|
||||
|
||||
Here's what we need to do:
|
||||
|
||||
1) Ensure the first sysfs mount point is writable.
|
||||
2) Mount a read-only sysfs on /sys
|
||||
3) Bind devices/virtual/net *writably* into /sys
|
||||
|
||||
We use /proc/sys as a staging directory for the first sysfs
|
||||
mount in read-write mode, then mount /sys r/o. Afterwards we
|
||||
bind the r/w devices/virtual/net and unmount the staging
|
||||
/proc/sys mount point.
|
||||
|
||||
The staging directory would not be required with the new
|
||||
mount API, but this way we can support the old API and keep
|
||||
the general workflow in the `default_mounts`.
|
||||
|
||||
Once we drop support for the old mount API, the
|
||||
default_mounts table could just get a subdirectory field to
|
||||
mount subdirectories directly.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
---
|
||||
src/lxc/conf.c | 19 ++++++++++++++-----
|
||||
1 file changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
|
||||
index 8e068b8ac..c9ab285d8 100644
|
||||
--- a/src/lxc/conf.c
|
||||
+++ b/src/lxc/conf.c
|
||||
@@ -708,9 +708,11 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
|
||||
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
|
||||
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
|
||||
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
|
||||
+ /* /proc/sys is used as a temporary staging directory for the read-write sysfs mount and unmounted after binding net */
|
||||
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/proc/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
|
||||
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
|
||||
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
|
||||
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
|
||||
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
|
||||
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys", NULL, NULL, 0, NULL, false },
|
||||
{ 0, 0, NULL, NULL, NULL, 0, NULL, false }
|
||||
};
|
||||
struct lxc_conf *conf = handler->conf;
|
||||
@@ -778,14 +780,21 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
|
||||
return syserror_set(-ENOMEM, "Failed to create source path");
|
||||
}
|
||||
|
||||
- if (!default_mounts[i].destination)
|
||||
- return syserror_set(-EINVAL, "BUG: auto mounts destination %d was NULL", i);
|
||||
-
|
||||
if (!has_cap_net_admin && default_mounts[i].requires_cap_net_admin) {
|
||||
TRACE("Container does not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts[i].source ?: "(null)");
|
||||
continue;
|
||||
}
|
||||
|
||||
+ if (!default_mounts[i].destination) {
|
||||
+ ret = umount2(source, MNT_DETACH);
|
||||
+ if (ret < 0)
|
||||
+ return log_error_errno(-1, errno,
|
||||
+ "Failed to unmount \"%s\"",
|
||||
+ source);
|
||||
+ TRACE("Unmounted automount \"%s\"", source);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
/* will act like strdup if %r is not present */
|
||||
destination = lxc_string_replace("%r", rootfs->path ? rootfs->mount : "", default_mounts[i].destination);
|
||||
if (!destination)
|
2
debian/patches/series
vendored
2
debian/patches/series
vendored
@ -7,5 +7,3 @@ pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
|
||||
pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
|
||||
pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
|
||||
pve/0009-PVE-Config-attach-always-use-getent.patch
|
||||
pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch
|
||||
pve/0011-use-2-sysfs-instances-for-sys-mixed.patch
|
||||
|