Proxmox/lxc
5
0
Fork 0
mirror of git://git.proxmox.com/git/lxc.git synced 2025-03-16 10:50:38 +03:00
Code Releases Activity

import LXC 4.0.9 and update patches

Browse Source 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2021-05-12 19:21:45 +02:00
parent f5fff959ab
commit 63e050e246
12 changed files with 47 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch vendored
View File

@ -60,10 +60,10 @@ index c448850d1..4a4fde5e7 100644
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/configure.ac b/configure.ac
index d32fecc06..1dd916248 100644
index e30ea6f6e..16c5ab8c4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -842,6 +842,7 @@ AC_CONFIG_FILES([
@@ -913,6 +913,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service

81
debian/patches/pve/0002-doc-introduce-lxc.cgroup.dir.-monitor-container-cont.patch → debian/patches/pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch vendored
View File

@ -1,8 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 2 Apr 2020 10:01:37 +0200
Subject: [PATCH] [doc] introduce
lxc.cgroup.dir.{monitor,container,container.inner}
Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner}
This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.
@ -22,18 +21,17 @@ failing to create these directories will simply be a hard
error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
doc/lxc.container.conf.sgml.in | 47 +++++++++++++
src/lxc/commands.c | 5 +-
src/lxc/conf.c | 3 +
src/lxc/confile.c | 124 +++++++++++++++++++++++++++++++++
4 files changed, 177 insertions(+), 2 deletions(-)
2 files changed, 171 insertions(+)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 3e0e55cee..4011f5734 100644
index e089fa61d..595cb3972 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1571,6 +1571,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -1757,6 +1757,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
@ -87,48 +85,11 @@ index 3e0e55cee..4011f5734 100644
<varlistentry>
<term>
<option>lxc.cgroup.relative</option>
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 3046587c7..a9a03ca2c 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -719,7 +719,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req,
struct lxc_handler *handler,
struct lxc_epoll_descr *descr)
{
- return ret_errno(ENOSYS);
+ return lxc_cmd_get_cgroup_callback_do(fd, req, handler, descr, true);
}
/*
@@ -1569,7 +1569,8 @@ static int lxc_cmd_get_limiting_cgroup2_fd_callback(int fd,
struct lxc_handler *handler,
struct lxc_epoll_descr *descr)
{
- return ret_errno(ENOSYS);
+ return lxc_cmd_get_cgroup2_fd_callback_do(fd, req, handler, descr,
+ true);
}
static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index ae4972551..f1f01898f 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3844,6 +3844,9 @@ void lxc_conf_free(struct lxc_conf *conf)
lxc_clear_apparmor_raw(conf);
lxc_clear_namespace(conf);
free(conf->cgroup_meta.dir);
+ free(conf->cgroup_meta.monitor_dir);
+ free(conf->cgroup_meta.container_dir);
+ free(conf->cgroup_meta.namespace_dir);
free(conf->cgroup_meta.controllers);
free(conf->shmount.path_host);
free(conf->shmount.path_cont);
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index da0da5ff9..dab5aaca2 100644
index 37c38fe1e..daf8ee474 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -71,6 +71,9 @@ lxc_config_define(cap_keep);
@@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
lxc_config_define(cgroup_controller);
lxc_config_define(cgroup2_controller);
lxc_config_define(cgroup_dir);
@ -138,18 +99,18 @@ index da0da5ff9..dab5aaca2 100644
lxc_config_define(cgroup_relative);
lxc_config_define(console_buffer_size);
lxc_config_define(console_logfile);
@@ -170,6 +173,9 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.drop", set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
{ "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
+ { "lxc.cgroup.dir.monitor", set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
+ { "lxc.cgroup.dir.container", set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
+ { "lxc.cgroup.dir.container.inner",set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir,},
{ "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
@@ -1687,6 +1693,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
@@ -185,6 +188,9 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.drop", true, set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
{ "lxc.cap.keep", true, set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", false, set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
+ { "lxc.cgroup.dir.monitor", true, set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
+ { "lxc.cgroup.dir.container.inner", true, set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir, },
+ { "lxc.cgroup.dir.container", true, set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
{ "lxc.cgroup.dir", true, set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", true, set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", false, set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
@@ -1795,6 +1801,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_path_item(&lxc_conf->cgroup_meta.dir, value);
}
+static int set_config_cgroup_monitor_dir(const char *key, const char *value,
@ -197,7 +158,7 @@ index da0da5ff9..dab5aaca2 100644
static int set_config_cgroup_relative(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
@@ -3498,6 +3546,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
@@ -3654,6 +3702,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen;
}
@ -256,7 +217,7 @@ index da0da5ff9..dab5aaca2 100644
static inline int get_config_cgroup_relative(const char *key, char *retv,
int inlen, struct lxc_conf *lxc_conf,
void *data)
@@ -4308,6 +4408,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
@@ -4491,6 +4591,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0;
}

6
debian/patches/pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch vendored
View File

@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 4011f5734..006dcad92 100644
index 595cb3972..18bf36aaf 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1583,7 +1583,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -1769,7 +1769,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
exclusive with <option>lxc.cgroup.dir</option>.
Note that the final path the container attaches to may be
extended further by the
@ -22,7 +22,7 @@ index 4011f5734..006dcad92 100644
</para>
</listitem>
</varlistentry>
@@ -1600,7 +1600,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -1786,7 +1786,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</varlistentry>
<varlistentry>
<term>

4
debian/patches/pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch vendored
View File

@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index dab5aaca2..3a388fed1 100644
index daf8ee474..ae6e72c22 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1720,19 +1720,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
@@ -1828,19 +1828,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
void *data)
{
if (lxc_config_value_empty(value))

17
debian/patches/pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch vendored
View File

@ -10,26 +10,29 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 4756be3dc..24dea8c9d 100644
index ff0df50ef..13ba41a62 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -135,3 +135,7 @@ Retrieve the seccomp notifier fd from a running container.
## seccomp\_proxy\_send\_notify\_fd
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
Whether the seccomp notify proxy sends a long a notify fd file descriptor.
+
+## cgroup\_advanced\_isolation
+
+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+
## idmapped\_mounts
Whether this LXC instance can handle idmapped mounts.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 513b774f0..303abd631 100644
index 06a4130ba..6653c7299 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -43,6 +43,7 @@ static char *api_extensions[] = {
@@ -41,6 +41,7 @@ static char *api_extensions[] = {
"devpts_fd",
"seccomp_notify_fd_active",
"seccomp_proxy_send_notify_fd",
+ "cgroup_advanced_isolation",
"idmapped_mounts",
};
static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);

0
debian/patches/pve/0009-PVE-Config-lxc.service-start-after-a-potential-syslo.patch → debian/patches/pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch vendored
View File

24
debian/patches/pve/0007-confile-fix-jump-table-order.patch vendored
View File

@ -1,24 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Sun, 5 Apr 2020 15:55:28 +0200
Subject: [PATCH] confile: fix jump table order
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/confile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 3a388fed1..34d85e788 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -174,8 +174,8 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
{ "lxc.cgroup.dir.monitor", set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
- { "lxc.cgroup.dir.container", set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
{ "lxc.cgroup.dir.container.inner",set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir,},
+ { "lxc.cgroup.dir.container", set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
{ "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },

0
debian/patches/pve/0010-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch → debian/patches/pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch vendored
View File

29
debian/patches/pve/0008-cgroups-adhere-to-boolean-return.patch vendored
View File

@ -1,29 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 13 Apr 2020 14:39:18 +0200
Subject: [PATCH] cgroups: adhere to boolean return
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/cgroups/cgfsng.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 303c2f6ab..56bb005de 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1195,11 +1195,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
* line, which is not possible once a subdirectory has been
* created.
*/
- if (string_in_list(h->controllers, "devices")) {
- ret = ops->setup_limits_legacy(ops, conf, true);
- if (ret < 0)
- return ret;
- }
+ if (string_in_list(h->controllers, "devices") &&
+ !ops->setup_limits_legacy(ops, conf, true))
+ return log_error(false, "Failed to setup legacy device limits");
}
ret = mkdir_eexist_on_last(path, 0755);

8
debian/patches/pve/0011-PVE-Config-attach-always-use-getent.patch → debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch vendored
View File

@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index befa1580e..7a325f5b1 100644
index 97eff7f8e..01bd56f45 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1444,12 +1444,8 @@ int lxc_attach_run_command(void *payload)
@@ -1810,12 +1810,8 @@ int lxc_attach_run_command(void *payload)
int lxc_attach_run_shell(void* payload)
{
@ -29,7 +29,7 @@ index befa1580e..7a325f5b1 100644
int ret;
/* Ignore payload parameter. */
@@ -1457,32 +1453,13 @@ int lxc_attach_run_shell(void* payload)
@@ -1823,32 +1819,13 @@ int lxc_attach_run_shell(void* payload)
uid = getuid();
@ -63,7 +63,7 @@ index befa1580e..7a325f5b1 100644
if (user_shell)
execlp(user_shell, user_shell, (char *)NULL);
@@ -1492,8 +1469,7 @@ int lxc_attach_run_shell(void* payload)
@@ -1858,8 +1835,7 @@ int lxc_attach_run_shell(void* payload)
execlp("/bin/sh", "/bin/sh", (char *)NULL);
SYSERROR("Failed to execute shell");

10
debian/patches/series vendored
View File

@ -1,11 +1,9 @@
pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch
pve/0002-doc-introduce-lxc.cgroup.dir.-monitor-container-cont.patch
pve/0002-introduce-lxc.cgroup.dir.-monitor-container-containe.patch
pve/0003-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch
pve/0004-confile-coding-style-fixes-for-set_config_cgroup_con.patch
pve/0005-api-extensions-add-and-document-cgroup_advanced_isol.patch
pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
pve/0007-confile-fix-jump-table-order.patch
pve/0008-cgroups-adhere-to-boolean-return.patch
pve/0009-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0010-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0011-PVE-Config-attach-always-use-getent.patch
pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0009-PVE-Config-attach-always-use-getent.patch

2
lxc

@ -1 +1 @@
Subproject commit aff7ab782e168bda7a7a422fbe6a04be2cd40a64
Subproject commit 37485abd46206ac37cb037e357b12370bbb98576