
drop patches applied upstream

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak 2016-07-12 09:27:44 +02:00 committed by Wolfgang Bumiller
parent 8795c71491
commit 7c5ce99fc1
10 changed files with 0 additions and 711 deletions


@ -1,32 +0,0 @@
From a1fd9b6b62051a05bb85fb10dd03342aa231c246 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 20 Nov 2015 09:52:39 +0100
Subject: [PATCH v2 lxc 1/2] AppArmor: add make-rslave to usr.bin.lxc-start
The profile already contains
mount options=(rw, make-slave) -> **,
Which allows going through all mountpoints with make-slave,
so it seems to make sense to also allow the directly
recursive variant with "make-rslave".
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/apparmor/abstractions/start-container | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index b06a84d..eee0c2f 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -15,6 +15,7 @@
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
mount options=(rw, make-slave) -> **,
+ mount options=(rw, make-rslave) -> **,
mount fstype=debugfs,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
--
2.1.4


@ -1,72 +0,0 @@
From 52492063b7865b460f5669a28027a5e17f0a5a09 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 6 Oct 2015 10:01:03 +0200
Subject: [PATCH 1/5] added stop-hook entries
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/conf.c | 4 +++-
src/lxc/conf.h | 2 +-
src/lxc/confile.c | 3 +++
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5a3209a..0e3421b 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -163,7 +163,7 @@ return -1;
#endif
char *lxchook_names[NUM_LXC_HOOKS] = {
- "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop", "clone" };
+ "pre-start", "pre-mount", "mount", "autodev", "start", "stop", "post-stop", "clone" };
typedef int (*instantiate_cb)(struct lxc_handler *, struct lxc_netdev *);
@@ -4024,6 +4024,8 @@ int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf,
which = LXCHOOK_AUTODEV;
else if (strcmp(hook, "start") == 0)
which = LXCHOOK_START;
+ else if (strcmp(hook, "stop") == 0)
+ which = LXCHOOK_STOP;
else if (strcmp(hook, "post-stop") == 0)
which = LXCHOOK_POSTSTOP;
else if (strcmp(hook, "clone") == 0)
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5aebd91..1374d4a 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -279,7 +279,7 @@ enum {
*/
enum lxchooks {
LXCHOOK_PRESTART, LXCHOOK_PREMOUNT, LXCHOOK_MOUNT, LXCHOOK_AUTODEV,
- LXCHOOK_START, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, NUM_LXC_HOOKS};
+ LXCHOOK_START, LXCHOOK_STOP, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, NUM_LXC_HOOKS};
extern char *lxchook_names[NUM_LXC_HOOKS];
struct saved_nic {
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 670d957..f7d6814 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -137,6 +137,7 @@ static struct lxc_config_t config[] = {
{ "lxc.hook.mount", config_hook },
{ "lxc.hook.autodev", config_hook },
{ "lxc.hook.start", config_hook },
+ { "lxc.hook.stop", config_hook },
{ "lxc.hook.post-stop", config_hook },
{ "lxc.hook.clone", config_hook },
{ "lxc.hook", config_hook },
@@ -1085,6 +1086,8 @@ static int config_hook(const char *key, const char *value,
return add_hook(lxc_conf, LXCHOOK_MOUNT, copy);
else if (strcmp(key, "lxc.hook.start") == 0)
return add_hook(lxc_conf, LXCHOOK_START, copy);
+ else if (strcmp(key, "lxc.hook.stop") == 0)
+ return add_hook(lxc_conf, LXCHOOK_STOP, copy);
else if (strcmp(key, "lxc.hook.post-stop") == 0)
return add_hook(lxc_conf, LXCHOOK_POSTSTOP, copy);
else if (strcmp(key, "lxc.hook.clone") == 0)
--
2.1.4


@ -1,32 +0,0 @@
From 4a491a31c23e64f29152a4b5e4ff07b361074261 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 2 Feb 2016 09:13:04 +0100
Subject: [PATCH] apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}
Some systems need to be able to bind-mount /run to /var/run
and /run/lock to /var/run/lock. (Tested with opensuse 13.1
containers migrated from openvz.)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/apparmor/abstractions/container-base.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 1121256..3a001d8 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -62,6 +62,10 @@
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+ # allow bind mounts of /run/{,lock} to /var/run/{,lock}
+ mount options=(rw, bind) /run/ -> /var/run/,
+ mount options=(rw, bind) /run/lock/ -> /var/lock/,
+
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
--
2.1.4


@ -1,131 +0,0 @@
From ba9a6bc839732929e89a0ebcdb268f83f0e784cb Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 20 Nov 2015 09:57:14 +0100
Subject: [PATCH v2 lxc 2/2] Added lxc.monitor.unshare
If manual mounting with elevated permissions is required
this can currently only be done in pre-start hooks or before
starting LXC. In both cases the mounts would appear in the
host's namespace.
With this flag the namespace is unshared before the startup
sequence, so that mounts performed in the pre-start hook
don't show up on the host.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
doc/lxc.container.conf.sgml.in | 12 ++++++++++++
src/lxc/conf.h | 3 +++
src/lxc/confile.c | 15 +++++++++++++++
src/lxc/lxccontainer.c | 12 ++++++++++++
4 files changed, 42 insertions(+)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 90ffefa..3b6f698 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1661,6 +1661,18 @@ mknod errno 0
</varlistentry>
<varlistentry>
<term>
+ <option>lxc.monitor.unshare</option>
+ </term>
+ <listitem>
+ <para>
+ If not zero the mount namespace will be unshared from the host
+ before initializing the container (before running any pre-start
+ hooks). Default is 0.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
<option>lxc.group</option>
</term>
<listitem>
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 1374d4a..b0274ec 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -347,6 +347,9 @@ struct lxc_conf {
struct lxc_list groups;
int nbd_idx;
+ /* unshare the mount namespace in the monitor */
+ int monitor_unshare;
+
/* set to true when rootfs has been setup */
bool rootfs_setup;
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index c2eaaa6..ce6786c 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *);
static int config_rebootsignal(const char *, const char *, struct lxc_conf *);
static int config_stopsignal(const char *, const char *, struct lxc_conf *);
static int config_start(const char *, const char *, struct lxc_conf *);
+static int config_monitor(const char *, const char *, struct lxc_conf *);
static int config_group(const char *, const char *, struct lxc_conf *);
static int config_environment(const char *, const char *, struct lxc_conf *);
static int config_init_cmd(const char *, const char *, struct lxc_conf *);
@@ -173,6 +174,7 @@ static struct lxc_config_t config[] = {
{ "lxc.start.auto", config_start },
{ "lxc.start.delay", config_start },
{ "lxc.start.order", config_start },
+ { "lxc.monitor.unshare", config_monitor },
{ "lxc.group", config_group },
{ "lxc.environment", config_environment },
{ "lxc.init_cmd", config_init_cmd },
@@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value,
return -1;
}
+static int config_monitor(const char *key, const char *value,
+ struct lxc_conf *lxc_conf)
+{
+ if(strcmp(key, "lxc.monitor.unshare") == 0) {
+ lxc_conf->monitor_unshare = atoi(value);
+ return 0;
+ }
+ SYSERROR("Unknown key: %s", key);
+ return -1;
+}
+
static int config_group(const char *key, const char *value,
struct lxc_conf *lxc_conf)
{
@@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
return lxc_get_conf_int(c, retv, inlen, c->start_delay);
else if (strcmp(key, "lxc.start.order") == 0)
return lxc_get_conf_int(c, retv, inlen, c->start_order);
+ else if (strcmp(key, "lxc.monitor.unshare") == 0)
+ return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare);
else if (strcmp(key, "lxc.group") == 0)
return lxc_get_item_groups(c, retv, inlen);
else if (strcmp(key, "lxc.seccomp") == 0)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 69816da..2804841 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
conf->reboot = 0;
+ /* Unshare the mount namespace if requested */
+ if (conf->monitor_unshare) {
+ if (unshare(CLONE_NEWNS)) {
+ SYSERROR("failed to unshare mount namespace");
+ return false;
+ }
+ if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
+ SYSERROR("Failed to make / rslave at startup");
+ return false;
+ }
+ }
+
reboot:
if (lxc_check_inherited(conf, daemonize, -1)) {
ERROR("Inherited fds found");
--
2.1.4


@ -1,27 +0,0 @@
From 8438bfbda7ce927d74438d0ed3cd7df314cb0758 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 6 Oct 2015 10:01:04 +0200
Subject: [PATCH 2/5] run stop hook between STOPPING and STOPPED states
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/start.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index b7982b6..56fbe43 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -493,6 +493,8 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
*/
lxc_set_state(name, handler, STOPPING);
+ if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, NULL))
+ ERROR("failed to run stop hooks for container '%s'.", name);
for (i = 0; i < LXC_NS_MAX; i++) {
if (handler->nsfd[i] != -1) {
close(handler->nsfd[i]);
--
2.1.4


@ -1,53 +0,0 @@
From b3286b628b2a178d2f775a6d75ef1c0e7fe75ca6 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 6 Oct 2015 10:01:05 +0200
Subject: [PATCH 3/5] pass namespace handles to the stop hook
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/start.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 56fbe43..a294d18 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -486,15 +486,32 @@ out_free:
void lxc_fini(const char *name, struct lxc_handler *handler)
{
- int i;
+ int i, rc;
+ pid_t self = getpid();
+ char *namespaces[LXC_NS_MAX+1];
+ size_t namespace_count = 0;
/* The STOPPING state is there for future cleanup code
* which can take awhile
*/
lxc_set_state(name, handler, STOPPING);
- if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, NULL))
+ for (i = 0; i < LXC_NS_MAX; i++) {
+ if (handler->nsfd[i] != -1) {
+ rc = asprintf(&namespaces[namespace_count], "%s:/proc/%d/fd/%d",
+ ns_info[i].proc_name, self, handler->nsfd[i]);
+ if (rc == -1) {
+ SYSERROR("failed to allocate memory");
+ break;
+ }
+ ++namespace_count;
+ }
+ }
+ namespaces[namespace_count] = NULL;
+ if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, namespaces))
ERROR("failed to run stop hooks for container '%s'.", name);
+ while (namespace_count--)
+ free(namespaces[namespace_count]);
for (i = 0; i < LXC_NS_MAX; i++) {
if (handler->nsfd[i] != -1) {
close(handler->nsfd[i]);
--
2.1.4


@ -1,60 +0,0 @@
From 0a2b5ab1e79912cd6afa52c829a3444da701a828 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 6 Oct 2015 10:01:06 +0200
Subject: [PATCH 4/5] document the stop hook
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
doc/lxc.container.conf.sgml.in | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index f816491..90ffefa 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1312,9 +1312,12 @@ mknod errno 0
<listitem><para> Container name. </para></listitem>
<listitem><para> Section (always 'lxc'). </para></listitem>
<listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
- <listitem><para> Additional arguments In the
+ <listitem><para> Additional arguments. In the
case of the clone hook, any extra arguments passed to
- lxc-clone will appear as further arguments to the hook. </para></listitem>
+ lxc-clone will appear as further arguments to the hook.
+ In the case of the stop hook, paths to filedescriptors
+ for each of the container's namespaces along with their types
+ are passed. </para></listitem>
</itemizedlist>
The following environment variables are set:
<itemizedlist>
@@ -1411,6 +1414,26 @@ mknod errno 0
<variablelist>
<varlistentry>
<term>
+ <option>lxc.hook.stop</option>
+ </term>
+ <listitem>
+ <para>
+ A hook to be run in the host's namespace with references
+ to the container's namespaces after the container has been shut
+ down. For each namespace an extra argument is passed to the hook
+ containing the namespace's type and a filename that can be used to
+ obtain a file descriptor to the corresponding namespace, separated
+ by a colon. The type is the name as it would appear in the
+ <filename>/proc/PID/ns</filename> directory.
+ For instance for the mount namespace the argument usually looks
+ like <filename>mnt:/proc/PID/fd/12</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <variablelist>
+ <varlistentry>
+ <term>
<option>lxc.hook.post-stop</option>
</term>
<listitem>
--
2.1.4


@ -1,250 +0,0 @@
From b73f115f4142791d17bb51692367f2774fef0f39 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 6 Oct 2015 10:01:07 +0200
Subject: [PATCH 5/5] added the unmount-namespace hook
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
hooks/Makefile.am | 6 ++
hooks/unmount-namespace.c | 213 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 219 insertions(+)
create mode 100644 hooks/unmount-namespace.c
diff --git a/hooks/Makefile.am b/hooks/Makefile.am
index be55601..ef82083 100644
--- a/hooks/Makefile.am
+++ b/hooks/Makefile.am
@@ -6,4 +6,10 @@ hooks_SCRIPTS = \
ubuntu-cloud-prep \
squid-deb-proxy-client
+hooks_PROGRAMS = \
+ unmount-namespace
+
+unmount_namespace_SOURCES = \
+ unmount-namespace.c
+
EXTRA_DIST=$(hooks_SCRIPTS)
diff --git a/hooks/unmount-namespace.c b/hooks/unmount-namespace.c
new file mode 100644
index 0000000..488c9cc
--- /dev/null
+++ b/hooks/unmount-namespace.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright © 2015 Wolfgang Bumiller <w.bumiller@proxmox.com>.
+ * Copyright © 2015 Proxmox Server Solutions GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * --
+ *
+ * This stop-hook unmounts everything in the container's namespace, and thereby
+ * waits for all calls commands to finish. This is useful when one needs to be
+ * sure that network filesystems are finished unmounting in the namespace
+ * before continuing with other tasks. Without this hook the cleanup of mounts
+ * is done by the kernel in the background after all the references to the
+ * namespaces are gone.
+ */
+
+#define _GNU_SOURCE /* setns */
+#include <stdio.h> /* fdopen, getmntent, endmntent */
+#include <stdlib.h> /* malloc, qsort */
+#include <unistd.h> /* close */
+#include <string.h> /* strcmp, strncmp, strdup, strerror */
+#include <sched.h> /* setns */
+#include <sys/mount.h> /* umount2 */
+#include <sys/types.h> /* openat, open */
+#include <sys/stat.h> /* openat, open */
+#include <fcntl.h> /* openat, open */
+#include <mntent.h> /* getmntent, endmntent */
+#include <errno.h> /* errno */
+
+struct mount {
+ char *src; /* currently not used */
+ char *dst;
+ char *fs; /* currently not used */
+};
+
+static void mount_free(struct mount *mnt) {
+ free(mnt->src);
+ free(mnt->dst);
+ free(mnt->fs);
+}
+
+static int mount_cmp_dst(const void *a_, const void *b_) {
+ struct mount *a = (struct mount*)a_;
+ struct mount *b = (struct mount*)b_;
+ return strcmp(b->dst, a->dst); /* swapped order */
+}
+
+/* Unmounting /dev/pts fails, and so /dev also fails, but /dev is not what
+ * we're interested in. (There might also still be /dev/cgroup mounts).
+ */
+static int mount_should_error(const struct mount *mnt) {
+ const char *dst = mnt->dst;
+ return !(strncmp(dst, "/dev", 4) == 0 && (dst[4] == 0 || dst[4] == '/'));
+}
+
+/* Read mounts from 'self/mounts' relative to a directory filedescriptor.
+ * Before entering the container we open a handle to /proc on the host as we
+ * need to access /proc/self/mounts and the container's /proc doesn't contain
+ * our /self. We then use openat(2) to avoid having to mount a temporary /proc.
+ */
+static int read_mounts(int procfd, struct mount **mp, size_t *countp) {
+ int fd;
+ struct mntent *ent;
+ FILE *mf;
+ size_t capacity = 32;
+ size_t count = 0;
+ struct mount *mounts = (struct mount*)malloc(capacity * sizeof(*mounts));
+
+ if (!mounts) {
+ errno = ENOMEM;
+ return 0;
+ }
+
+ *mp = NULL;
+ *countp = 0;
+
+ fd = openat(procfd, "self/mounts", O_RDONLY);
+ if (fd < 0)
+ return 0;
+
+ mf = fdopen(fd, "r");
+ if (!mf) {
+ int error = errno;
+ close(fd);
+ errno = error;
+ return 0;
+ }
+ while ((ent = getmntent(mf))) {
+ struct mount *new;
+ if (count == capacity) {
+ capacity *= 2;
+ new = (struct mount*)realloc(mounts, capacity * sizeof(*mounts));
+ if (!new)
+ goto out_alloc_entry;
+ mounts = new;
+ }
+ new = &mounts[count++];
+ new->src = strdup(ent->mnt_fsname);
+ new->dst = strdup(ent->mnt_dir);
+ new->fs = strdup(ent->mnt_type);
+ if (!new->src || !new->dst || !new->fs)
+ goto out_alloc_entry;
+ }
+ endmntent(mf);
+
+ *mp = mounts;
+ *countp = count;
+
+ return 1;
+
+out_alloc_entry:
+ endmntent(mf);
+ while (count--) {
+ free(mounts[count].src);
+ free(mounts[count].dst);
+ free(mounts[count].fs);
+ }
+ free(mounts);
+ errno = ENOMEM;
+ return 0;
+}
+
+int main(int argc, char **argv) {
+ int i, procfd, ctmntfd;
+ struct mount *mounts;
+ size_t zi, count = 0;
+ const char *mntns = NULL;
+
+ if (argc < 4 || strcmp(argv[2], "lxc") != 0) {
+ fprintf(stderr, "%s: usage error, expected LXC hook arguments\n", argv[0]);
+ return 2;
+ }
+
+ if (strcmp(argv[3], "stop") != 0)
+ return 0;
+
+ for (i = 4; i != argc; ++i) {
+ if (!strncmp(argv[i], "mnt:", 4)) {
+ mntns = argv[i] + 4;
+ break;
+ }
+ }
+
+ if (!mntns) {
+ fprintf(stderr, "%s: no mount namespace provided\n", argv[0]);
+ return 3;
+ }
+
+ /* Open a handle to /proc on the host as we need to access /proc/self/mounts
+ * and the container's /proc doesn't contain our /self. See read_mounts().
+ */
+ procfd = open("/proc", O_RDONLY | O_DIRECTORY | O_PATH);
+ if (procfd < 0) {
+ fprintf(stderr, "%s: failed to open /proc: %s\n", argv[0], strerror(errno));
+ return 4;
+ }
+
+ /* Open the mount namespace and enter it. */
+ ctmntfd = open(mntns, O_RDONLY);
+ if (ctmntfd < 0) {
+ fprintf(stderr, "%s: failed to open mount namespace: %s\n",
+ argv[0], strerror(errno));
+ close(procfd);
+ return 5;
+ }
+
+ if (setns(ctmntfd, CLONE_NEWNS) != 0) {
+ fprintf(stderr, "%s: failed to attach to namespace: %s\n",
+ argv[0], strerror(errno));
+ close(ctmntfd);
+ close(procfd);
+ return 6;
+ }
+ close(ctmntfd);
+
+ /* Now read [[procfd]]/self/mounts */
+ if (!read_mounts(procfd, &mounts, &count)) {
+ fprintf(stderr, "%s: failed to read mountpoints: %s\n",
+ argv[0], strerror(errno));
+ close(procfd);
+ return 7;
+ }
+ close(procfd);
+
+ /* Just sort to get a sane unmount-order... */
+ qsort(mounts, count, sizeof(*mounts), &mount_cmp_dst);
+
+ for (zi = 0; zi != count; ++zi) {
+ /* fprintf(stderr, "Unmount: %s\n", mounts[zi].dst); */
+ if (umount2(mounts[zi].dst, 0) != 0) {
+ int error = errno;
+ if (mount_should_error(&mounts[zi])) {
+ fprintf(stderr, "%s: failed to unmount %s: %s\n",
+ argv[0], mounts[zi].dst, strerror(error));
+ }
+ }
+ mount_free(&mounts[zi]);
+ }
+ free(mounts);
+
+ return 0;
+}
--
2.1.4


@ -1,44 +0,0 @@
From 9b20851c6cbe129569efaf91d1261b7369fca883 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 21 Oct 2015 09:42:52 +0200
Subject: [PATCH] hooks: put binary hooks in /usr/lib/lxc/hooks
---
configure.ac | 1 +
hooks/Makefile.am | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 874b446..29706cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -539,6 +539,7 @@ AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config")
AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
+AS_AC_EXPAND(LXCLIBHOOKDIR, "$libdir/lxc/hooks")
AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
AS_AC_EXPAND(LOGPATH, "$with_log_path")
AS_AC_EXPAND(RUNTIME_PATH, "$with_runtime_path")
diff --git a/hooks/Makefile.am b/hooks/Makefile.am
index 499a2c4..263f62c 100644
--- a/hooks/Makefile.am
+++ b/hooks/Makefile.am
@@ -1,4 +1,5 @@
hooksdir=@LXCHOOKDIR@
+libhooksdir=@LXCLIBHOOKDIR@
hooks_SCRIPTS = \
clonehostname \
@@ -6,7 +7,7 @@ hooks_SCRIPTS = \
ubuntu-cloud-prep \
squid-deb-proxy-client
-hooks_PROGRAMS = \
+libhooks_PROGRAMS = \
unmount-namespace
unmount_namespace_SOURCES = \
--
2.1.4

debian/patches/series vendored

@ -6,13 +6,3 @@ include-linux-sched.patch
use-var-lib-vz-as-default-dir.patch
#do-not-use-config-path-for-rootfs.patch
run-lxcnetaddbr.patch
0001-added-stop-hook-entries.patch
0002-run-stop-hook-between-STOPPING-and-STOPPED-states.patch
0003-pass-namespace-handles-to-the-stop-hook.patch
0004-document-the-stop-hook.patch
0005-added-the-unmount-namespace-hook.patch
0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch
delete_network_show_error.diff
0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch
0002-Added-lxc.monitor.unshare.patch
0001-apparmor-allow-binding-run-lock-var-run-lock.patch