From 7c5ce99fc180d723de22873cb4dc4587b24b41bf Mon Sep 17 00:00:00 2001 From: Dominik Csapak Date: Tue, 12 Jul 2016 09:27:44 +0200 Subject: [PATCH] drop patches applied upstream Signed-off-by: Dominik Csapak --- ...add-make-rslave-to-usr.bin.lxc-start.patch | 32 --- .../0001-added-stop-hook-entries.patch | 72 ----- ...-allow-binding-run-lock-var-run-lock.patch | 32 --- .../0002-Added-lxc.monitor.unshare.patch | 131 --------- ...-between-STOPPING-and-STOPPED-states.patch | 27 -- ...s-namespace-handles-to-the-stop-hook.patch | 53 ---- .../patches/0004-document-the-stop-hook.patch | 60 ----- ...005-added-the-unmount-namespace-hook.patch | 250 ------------------ ...ut-binary-hooks-in-usr-lib-lxc-hooks.patch | 44 --- debian/patches/series | 10 - 10 files changed, 711 deletions(-) delete mode 100644 debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch delete mode 100644 debian/patches/0001-added-stop-hook-entries.patch delete mode 100644 debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch delete mode 100644 debian/patches/0002-Added-lxc.monitor.unshare.patch delete mode 100644 debian/patches/0002-run-stop-hook-between-STOPPING-and-STOPPED-states.patch delete mode 100644 debian/patches/0003-pass-namespace-handles-to-the-stop-hook.patch delete mode 100644 debian/patches/0004-document-the-stop-hook.patch delete mode 100644 debian/patches/0005-added-the-unmount-namespace-hook.patch delete mode 100644 debian/patches/0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch diff --git a/debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch b/debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch deleted file mode 100644 index 534c3a9..0000000 --- a/debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a1fd9b6b62051a05bb85fb10dd03342aa231c246 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Fri, 20 Nov 2015 09:52:39 +0100 -Subject: [PATCH v2 lxc 1/2] AppArmor: add make-rslave to usr.bin.lxc-start - -The profile already contains - mount options=(rw, make-slave) -> **, - -Which allows going through all mountpoints with make-slave, -so it seems to make sense to also allow the directly -recursive variant with "make-rslave". - -Signed-off-by: Wolfgang Bumiller ---- - config/apparmor/abstractions/start-container | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container -index b06a84d..eee0c2f 100644 ---- a/config/apparmor/abstractions/start-container -+++ b/config/apparmor/abstractions/start-container -@@ -15,6 +15,7 @@ - mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, - mount options=bind /dev/pts/** -> /dev/**, - mount options=(rw, make-slave) -> **, -+ mount options=(rw, make-rslave) -> **, - mount fstype=debugfs, - # allow pre-mount hooks to stage mounts under /var/lib/lxc// - mount -> /var/lib/lxc/{**,}, --- -2.1.4 - diff --git a/debian/patches/0001-added-stop-hook-entries.patch b/debian/patches/0001-added-stop-hook-entries.patch deleted file mode 100644 index 26a7db1..0000000 --- a/debian/patches/0001-added-stop-hook-entries.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 52492063b7865b460f5669a28027a5e17f0a5a09 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 6 Oct 2015 10:01:03 +0200 -Subject: [PATCH 1/5] added stop-hook entries - -Signed-off-by: Wolfgang Bumiller -Acked-by: Serge E. Hallyn ---- - src/lxc/conf.c | 4 +++- - src/lxc/conf.h | 2 +- - src/lxc/confile.c | 3 +++ - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 5a3209a..0e3421b 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -163,7 +163,7 @@ return -1; - #endif - - char *lxchook_names[NUM_LXC_HOOKS] = { -- "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop", "clone" }; -+ "pre-start", "pre-mount", "mount", "autodev", "start", "stop", "post-stop", "clone" }; - - typedef int (*instantiate_cb)(struct lxc_handler *, struct lxc_netdev *); - -@@ -4024,6 +4024,8 @@ int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf, - which = LXCHOOK_AUTODEV; - else if (strcmp(hook, "start") == 0) - which = LXCHOOK_START; -+ else if (strcmp(hook, "stop") == 0) -+ which = LXCHOOK_STOP; - else if (strcmp(hook, "post-stop") == 0) - which = LXCHOOK_POSTSTOP; - else if (strcmp(hook, "clone") == 0) -diff --git a/src/lxc/conf.h b/src/lxc/conf.h -index 5aebd91..1374d4a 100644 ---- a/src/lxc/conf.h -+++ b/src/lxc/conf.h -@@ -279,7 +279,7 @@ enum { - */ - enum lxchooks { - LXCHOOK_PRESTART, LXCHOOK_PREMOUNT, LXCHOOK_MOUNT, LXCHOOK_AUTODEV, -- LXCHOOK_START, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, NUM_LXC_HOOKS}; -+ LXCHOOK_START, LXCHOOK_STOP, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, NUM_LXC_HOOKS}; - extern char *lxchook_names[NUM_LXC_HOOKS]; - - struct saved_nic { -diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index 670d957..f7d6814 100644 ---- a/src/lxc/confile.c -+++ b/src/lxc/confile.c -@@ -137,6 +137,7 @@ static struct lxc_config_t config[] = { - { "lxc.hook.mount", config_hook }, - { "lxc.hook.autodev", config_hook }, - { "lxc.hook.start", config_hook }, -+ { "lxc.hook.stop", config_hook }, - { "lxc.hook.post-stop", config_hook }, - { "lxc.hook.clone", config_hook }, - { "lxc.hook", config_hook }, -@@ -1085,6 +1086,8 @@ static int config_hook(const char *key, const char *value, - return add_hook(lxc_conf, LXCHOOK_MOUNT, copy); - else if (strcmp(key, "lxc.hook.start") == 0) - return add_hook(lxc_conf, LXCHOOK_START, copy); -+ else if (strcmp(key, "lxc.hook.stop") == 0) -+ return add_hook(lxc_conf, LXCHOOK_STOP, copy); - else if (strcmp(key, "lxc.hook.post-stop") == 0) - return add_hook(lxc_conf, LXCHOOK_POSTSTOP, copy); - else if (strcmp(key, "lxc.hook.clone") == 0) --- -2.1.4 - diff --git a/debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch b/debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch deleted file mode 100644 index cf51641..0000000 --- a/debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 4a491a31c23e64f29152a4b5e4ff07b361074261 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 2 Feb 2016 09:13:04 +0100 -Subject: [PATCH] apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/} - -Some systems need to be able to bind-mount /run to /var/run -and /run/lock to /var/run/lock. (Tested with opensuse 13.1 -containers migrated from openvz.) - -Signed-off-by: Wolfgang Bumiller ---- - config/apparmor/abstractions/container-base.in | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in -index 1121256..3a001d8 100644 ---- a/config/apparmor/abstractions/container-base.in -+++ b/config/apparmor/abstractions/container-base.in -@@ -62,6 +62,10 @@ - # allow bind mount of /lib/init/fstab for lxcguest - mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/, - -+ # allow bind mounts of /run/{,lock} to /var/run/{,lock} -+ mount options=(rw, bind) /run/ -> /var/run/, -+ mount options=(rw, bind) /run/lock/ -> /var/lock/, -+ - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, - deny @{PROC}/sys/fs/** wklx, --- -2.1.4 - diff --git a/debian/patches/0002-Added-lxc.monitor.unshare.patch b/debian/patches/0002-Added-lxc.monitor.unshare.patch deleted file mode 100644 index 2426811..0000000 --- a/debian/patches/0002-Added-lxc.monitor.unshare.patch +++ /dev/null @@ -1,131 +0,0 @@ -From ba9a6bc839732929e89a0ebcdb268f83f0e784cb Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Fri, 20 Nov 2015 09:57:14 +0100 -Subject: [PATCH v2 lxc 2/2] Added lxc.monitor.unshare - -If manual mounting with elevated permissions is required -this can currently only be done in pre-start hooks or before -starting LXC. In both cases the mounts would appear in the -host's namespace. -With this flag the namespace is unshared before the startup -sequence, so that mounts performed in the pre-start hook -don't show up on the host. - -Signed-off-by: Wolfgang Bumiller ---- - doc/lxc.container.conf.sgml.in | 12 ++++++++++++ - src/lxc/conf.h | 3 +++ - src/lxc/confile.c | 15 +++++++++++++++ - src/lxc/lxccontainer.c | 12 ++++++++++++ - 4 files changed, 42 insertions(+) - -diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index 90ffefa..3b6f698 100644 ---- a/doc/lxc.container.conf.sgml.in -+++ b/doc/lxc.container.conf.sgml.in -@@ -1661,6 +1661,18 @@ mknod errno 0 - - - -+ -+ -+ -+ -+ If not zero the mount namespace will be unshared from the host -+ before initializing the container (before running any pre-start -+ hooks). Default is 0. -+ -+ -+ -+ -+ - - - -diff --git a/src/lxc/conf.h b/src/lxc/conf.h -index 1374d4a..b0274ec 100644 ---- a/src/lxc/conf.h -+++ b/src/lxc/conf.h -@@ -347,6 +347,9 @@ struct lxc_conf { - struct lxc_list groups; - int nbd_idx; - -+ /* unshare the mount namespace in the monitor */ -+ int monitor_unshare; -+ - /* set to true when rootfs has been setup */ - bool rootfs_setup; - -diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index c2eaaa6..ce6786c 100644 ---- a/src/lxc/confile.c -+++ b/src/lxc/confile.c -@@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *); - static int config_rebootsignal(const char *, const char *, struct lxc_conf *); - static int config_stopsignal(const char *, const char *, struct lxc_conf *); - static int config_start(const char *, const char *, struct lxc_conf *); -+static int config_monitor(const char *, const char *, struct lxc_conf *); - static int config_group(const char *, const char *, struct lxc_conf *); - static int config_environment(const char *, const char *, struct lxc_conf *); - static int config_init_cmd(const char *, const char *, struct lxc_conf *); -@@ -173,6 +174,7 @@ static struct lxc_config_t config[] = { - { "lxc.start.auto", config_start }, - { "lxc.start.delay", config_start }, - { "lxc.start.order", config_start }, -+ { "lxc.monitor.unshare", config_monitor }, - { "lxc.group", config_group }, - { "lxc.environment", config_environment }, - { "lxc.init_cmd", config_init_cmd }, -@@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value, - return -1; - } - -+static int config_monitor(const char *key, const char *value, -+ struct lxc_conf *lxc_conf) -+{ -+ if(strcmp(key, "lxc.monitor.unshare") == 0) { -+ lxc_conf->monitor_unshare = atoi(value); -+ return 0; -+ } -+ SYSERROR("Unknown key: %s", key); -+ return -1; -+} -+ - static int config_group(const char *key, const char *value, - struct lxc_conf *lxc_conf) - { -@@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv, - return lxc_get_conf_int(c, retv, inlen, c->start_delay); - else if (strcmp(key, "lxc.start.order") == 0) - return lxc_get_conf_int(c, retv, inlen, c->start_order); -+ else if (strcmp(key, "lxc.monitor.unshare") == 0) -+ return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare); - else if (strcmp(key, "lxc.group") == 0) - return lxc_get_item_groups(c, retv, inlen); - else if (strcmp(key, "lxc.seccomp") == 0) -diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c -index 69816da..2804841 100644 ---- a/src/lxc/lxccontainer.c -+++ b/src/lxc/lxccontainer.c -@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a - - conf->reboot = 0; - -+ /* Unshare the mount namespace if requested */ -+ if (conf->monitor_unshare) { -+ if (unshare(CLONE_NEWNS)) { -+ SYSERROR("failed to unshare mount namespace"); -+ return false; -+ } -+ if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) { -+ SYSERROR("Failed to make / rslave at startup"); -+ return false; -+ } -+ } -+ - reboot: - if (lxc_check_inherited(conf, daemonize, -1)) { - ERROR("Inherited fds found"); --- -2.1.4 - diff --git a/debian/patches/0002-run-stop-hook-between-STOPPING-and-STOPPED-states.patch b/debian/patches/0002-run-stop-hook-between-STOPPING-and-STOPPED-states.patch deleted file mode 100644 index d7ad389..0000000 --- a/debian/patches/0002-run-stop-hook-between-STOPPING-and-STOPPED-states.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 8438bfbda7ce927d74438d0ed3cd7df314cb0758 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 6 Oct 2015 10:01:04 +0200 -Subject: [PATCH 2/5] run stop hook between STOPPING and STOPPED states - -Signed-off-by: Wolfgang Bumiller -Acked-by: Serge E. Hallyn ---- - src/lxc/start.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/lxc/start.c b/src/lxc/start.c -index b7982b6..56fbe43 100644 ---- a/src/lxc/start.c -+++ b/src/lxc/start.c -@@ -493,6 +493,8 @@ void lxc_fini(const char *name, struct lxc_handler *handler) - */ - lxc_set_state(name, handler, STOPPING); - -+ if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, NULL)) -+ ERROR("failed to run stop hooks for container '%s'.", name); - for (i = 0; i < LXC_NS_MAX; i++) { - if (handler->nsfd[i] != -1) { - close(handler->nsfd[i]); --- -2.1.4 - diff --git a/debian/patches/0003-pass-namespace-handles-to-the-stop-hook.patch b/debian/patches/0003-pass-namespace-handles-to-the-stop-hook.patch deleted file mode 100644 index 32e6b33..0000000 --- a/debian/patches/0003-pass-namespace-handles-to-the-stop-hook.patch +++ /dev/null @@ -1,53 +0,0 @@ -From b3286b628b2a178d2f775a6d75ef1c0e7fe75ca6 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 6 Oct 2015 10:01:05 +0200 -Subject: [PATCH 3/5] pass namespace handles to the stop hook - -Signed-off-by: Wolfgang Bumiller -Acked-by: Serge E. Hallyn ---- - src/lxc/start.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/src/lxc/start.c b/src/lxc/start.c -index 56fbe43..a294d18 100644 ---- a/src/lxc/start.c -+++ b/src/lxc/start.c -@@ -486,15 +486,32 @@ out_free: - - void lxc_fini(const char *name, struct lxc_handler *handler) - { -- int i; -+ int i, rc; -+ pid_t self = getpid(); -+ char *namespaces[LXC_NS_MAX+1]; -+ size_t namespace_count = 0; - - /* The STOPPING state is there for future cleanup code - * which can take awhile - */ - lxc_set_state(name, handler, STOPPING); - -- if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, NULL)) -+ for (i = 0; i < LXC_NS_MAX; i++) { -+ if (handler->nsfd[i] != -1) { -+ rc = asprintf(&namespaces[namespace_count], "%s:/proc/%d/fd/%d", -+ ns_info[i].proc_name, self, handler->nsfd[i]); -+ if (rc == -1) { -+ SYSERROR("failed to allocate memory"); -+ break; -+ } -+ ++namespace_count; -+ } -+ } -+ namespaces[namespace_count] = NULL; -+ if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, namespaces)) - ERROR("failed to run stop hooks for container '%s'.", name); -+ while (namespace_count--) -+ free(namespaces[namespace_count]); - for (i = 0; i < LXC_NS_MAX; i++) { - if (handler->nsfd[i] != -1) { - close(handler->nsfd[i]); --- -2.1.4 - diff --git a/debian/patches/0004-document-the-stop-hook.patch b/debian/patches/0004-document-the-stop-hook.patch deleted file mode 100644 index 58de6c1..0000000 --- a/debian/patches/0004-document-the-stop-hook.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 0a2b5ab1e79912cd6afa52c829a3444da701a828 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 6 Oct 2015 10:01:06 +0200 -Subject: [PATCH 4/5] document the stop hook - -Signed-off-by: Wolfgang Bumiller -Acked-by: Serge E. Hallyn ---- - doc/lxc.container.conf.sgml.in | 27 +++++++++++++++++++++++++-- - 1 file changed, 25 insertions(+), 2 deletions(-) - -diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index f816491..90ffefa 100644 ---- a/doc/lxc.container.conf.sgml.in -+++ b/doc/lxc.container.conf.sgml.in -@@ -1312,9 +1312,12 @@ mknod errno 0 - Container name. - Section (always 'lxc'). - The hook type (i.e. 'clone' or 'pre-mount'). -- Additional arguments In the -+ Additional arguments. In the - case of the clone hook, any extra arguments passed to -- lxc-clone will appear as further arguments to the hook. -+ lxc-clone will appear as further arguments to the hook. -+ In the case of the stop hook, paths to filedescriptors -+ for each of the container's namespaces along with their types -+ are passed. - - The following environment variables are set: - -@@ -1411,6 +1414,26 @@ mknod errno 0 - - - -+ -+ -+ -+ -+ A hook to be run in the host's namespace with references -+ to the container's namespaces after the container has been shut -+ down. For each namespace an extra argument is passed to the hook -+ containing the namespace's type and a filename that can be used to -+ obtain a file descriptor to the corresponding namespace, separated -+ by a colon. The type is the name as it would appear in the -+ /proc/PID/ns directory. -+ For instance for the mount namespace the argument usually looks -+ like mnt:/proc/PID/fd/12. -+ -+ -+ -+ -+ -+ -+ - - - --- -2.1.4 - diff --git a/debian/patches/0005-added-the-unmount-namespace-hook.patch b/debian/patches/0005-added-the-unmount-namespace-hook.patch deleted file mode 100644 index 115dfbe..0000000 --- a/debian/patches/0005-added-the-unmount-namespace-hook.patch +++ /dev/null @@ -1,250 +0,0 @@ -From b73f115f4142791d17bb51692367f2774fef0f39 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 6 Oct 2015 10:01:07 +0200 -Subject: [PATCH 5/5] added the unmount-namespace hook - -Signed-off-by: Wolfgang Bumiller -Acked-by: Serge E. Hallyn ---- - hooks/Makefile.am | 6 ++ - hooks/unmount-namespace.c | 213 ++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 219 insertions(+) - create mode 100644 hooks/unmount-namespace.c - -diff --git a/hooks/Makefile.am b/hooks/Makefile.am -index be55601..ef82083 100644 ---- a/hooks/Makefile.am -+++ b/hooks/Makefile.am -@@ -6,4 +6,10 @@ hooks_SCRIPTS = \ - ubuntu-cloud-prep \ - squid-deb-proxy-client - -+hooks_PROGRAMS = \ -+ unmount-namespace -+ -+unmount_namespace_SOURCES = \ -+ unmount-namespace.c -+ - EXTRA_DIST=$(hooks_SCRIPTS) -diff --git a/hooks/unmount-namespace.c b/hooks/unmount-namespace.c -new file mode 100644 -index 0000000..488c9cc ---- /dev/null -+++ b/hooks/unmount-namespace.c -@@ -0,0 +1,213 @@ -+/* -+ * Copyright © 2015 Wolfgang Bumiller . -+ * Copyright © 2015 Proxmox Server Solutions GmbH -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2, as -+ * published by the Free Software Foundation. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License along -+ * with this program; if not, write to the Free Software Foundation, Inc., -+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * -- -+ * -+ * This stop-hook unmounts everything in the container's namespace, and thereby -+ * waits for all calls commands to finish. This is useful when one needs to be -+ * sure that network filesystems are finished unmounting in the namespace -+ * before continuing with other tasks. Without this hook the cleanup of mounts -+ * is done by the kernel in the background after all the references to the -+ * namespaces are gone. -+ */ -+ -+#define _GNU_SOURCE /* setns */ -+#include /* fdopen, getmntent, endmntent */ -+#include /* malloc, qsort */ -+#include /* close */ -+#include /* strcmp, strncmp, strdup, strerror */ -+#include /* setns */ -+#include /* umount2 */ -+#include /* openat, open */ -+#include /* openat, open */ -+#include /* openat, open */ -+#include /* getmntent, endmntent */ -+#include /* errno */ -+ -+struct mount { -+ char *src; /* currently not used */ -+ char *dst; -+ char *fs; /* currently not used */ -+}; -+ -+static void mount_free(struct mount *mnt) { -+ free(mnt->src); -+ free(mnt->dst); -+ free(mnt->fs); -+} -+ -+static int mount_cmp_dst(const void *a_, const void *b_) { -+ struct mount *a = (struct mount*)a_; -+ struct mount *b = (struct mount*)b_; -+ return strcmp(b->dst, a->dst); /* swapped order */ -+} -+ -+/* Unmounting /dev/pts fails, and so /dev also fails, but /dev is not what -+ * we're interested in. (There might also still be /dev/cgroup mounts). -+ */ -+static int mount_should_error(const struct mount *mnt) { -+ const char *dst = mnt->dst; -+ return !(strncmp(dst, "/dev", 4) == 0 && (dst[4] == 0 || dst[4] == '/')); -+} -+ -+/* Read mounts from 'self/mounts' relative to a directory filedescriptor. -+ * Before entering the container we open a handle to /proc on the host as we -+ * need to access /proc/self/mounts and the container's /proc doesn't contain -+ * our /self. We then use openat(2) to avoid having to mount a temporary /proc. -+ */ -+static int read_mounts(int procfd, struct mount **mp, size_t *countp) { -+ int fd; -+ struct mntent *ent; -+ FILE *mf; -+ size_t capacity = 32; -+ size_t count = 0; -+ struct mount *mounts = (struct mount*)malloc(capacity * sizeof(*mounts)); -+ -+ if (!mounts) { -+ errno = ENOMEM; -+ return 0; -+ } -+ -+ *mp = NULL; -+ *countp = 0; -+ -+ fd = openat(procfd, "self/mounts", O_RDONLY); -+ if (fd < 0) -+ return 0; -+ -+ mf = fdopen(fd, "r"); -+ if (!mf) { -+ int error = errno; -+ close(fd); -+ errno = error; -+ return 0; -+ } -+ while ((ent = getmntent(mf))) { -+ struct mount *new; -+ if (count == capacity) { -+ capacity *= 2; -+ new = (struct mount*)realloc(mounts, capacity * sizeof(*mounts)); -+ if (!new) -+ goto out_alloc_entry; -+ mounts = new; -+ } -+ new = &mounts[count++]; -+ new->src = strdup(ent->mnt_fsname); -+ new->dst = strdup(ent->mnt_dir); -+ new->fs = strdup(ent->mnt_type); -+ if (!new->src || !new->dst || !new->fs) -+ goto out_alloc_entry; -+ } -+ endmntent(mf); -+ -+ *mp = mounts; -+ *countp = count; -+ -+ return 1; -+ -+out_alloc_entry: -+ endmntent(mf); -+ while (count--) { -+ free(mounts[count].src); -+ free(mounts[count].dst); -+ free(mounts[count].fs); -+ } -+ free(mounts); -+ errno = ENOMEM; -+ return 0; -+} -+ -+int main(int argc, char **argv) { -+ int i, procfd, ctmntfd; -+ struct mount *mounts; -+ size_t zi, count = 0; -+ const char *mntns = NULL; -+ -+ if (argc < 4 || strcmp(argv[2], "lxc") != 0) { -+ fprintf(stderr, "%s: usage error, expected LXC hook arguments\n", argv[0]); -+ return 2; -+ } -+ -+ if (strcmp(argv[3], "stop") != 0) -+ return 0; -+ -+ for (i = 4; i != argc; ++i) { -+ if (!strncmp(argv[i], "mnt:", 4)) { -+ mntns = argv[i] + 4; -+ break; -+ } -+ } -+ -+ if (!mntns) { -+ fprintf(stderr, "%s: no mount namespace provided\n", argv[0]); -+ return 3; -+ } -+ -+ /* Open a handle to /proc on the host as we need to access /proc/self/mounts -+ * and the container's /proc doesn't contain our /self. See read_mounts(). -+ */ -+ procfd = open("/proc", O_RDONLY | O_DIRECTORY | O_PATH); -+ if (procfd < 0) { -+ fprintf(stderr, "%s: failed to open /proc: %s\n", argv[0], strerror(errno)); -+ return 4; -+ } -+ -+ /* Open the mount namespace and enter it. */ -+ ctmntfd = open(mntns, O_RDONLY); -+ if (ctmntfd < 0) { -+ fprintf(stderr, "%s: failed to open mount namespace: %s\n", -+ argv[0], strerror(errno)); -+ close(procfd); -+ return 5; -+ } -+ -+ if (setns(ctmntfd, CLONE_NEWNS) != 0) { -+ fprintf(stderr, "%s: failed to attach to namespace: %s\n", -+ argv[0], strerror(errno)); -+ close(ctmntfd); -+ close(procfd); -+ return 6; -+ } -+ close(ctmntfd); -+ -+ /* Now read [[procfd]]/self/mounts */ -+ if (!read_mounts(procfd, &mounts, &count)) { -+ fprintf(stderr, "%s: failed to read mountpoints: %s\n", -+ argv[0], strerror(errno)); -+ close(procfd); -+ return 7; -+ } -+ close(procfd); -+ -+ /* Just sort to get a sane unmount-order... */ -+ qsort(mounts, count, sizeof(*mounts), &mount_cmp_dst); -+ -+ for (zi = 0; zi != count; ++zi) { -+ /* fprintf(stderr, "Unmount: %s\n", mounts[zi].dst); */ -+ if (umount2(mounts[zi].dst, 0) != 0) { -+ int error = errno; -+ if (mount_should_error(&mounts[zi])) { -+ fprintf(stderr, "%s: failed to unmount %s: %s\n", -+ argv[0], mounts[zi].dst, strerror(error)); -+ } -+ } -+ mount_free(&mounts[zi]); -+ } -+ free(mounts); -+ -+ return 0; -+} --- -2.1.4 - diff --git a/debian/patches/0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch b/debian/patches/0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch deleted file mode 100644 index ca915eb..0000000 --- a/debian/patches/0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9b20851c6cbe129569efaf91d1261b7369fca883 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Wed, 21 Oct 2015 09:42:52 +0200 -Subject: [PATCH] hooks: put binary hooks in /usr/lib/lxc/hooks - ---- - configure.ac | 1 + - hooks/Makefile.am | 3 ++- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 874b446..29706cc 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -539,6 +539,7 @@ AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path") - AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates") - AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config") - AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks") -+AS_AC_EXPAND(LXCLIBHOOKDIR, "$libdir/lxc/hooks") - AS_AC_EXPAND(LXCINITDIR, "$libexecdir") - AS_AC_EXPAND(LOGPATH, "$with_log_path") - AS_AC_EXPAND(RUNTIME_PATH, "$with_runtime_path") -diff --git a/hooks/Makefile.am b/hooks/Makefile.am -index 499a2c4..263f62c 100644 ---- a/hooks/Makefile.am -+++ b/hooks/Makefile.am -@@ -1,4 +1,5 @@ - hooksdir=@LXCHOOKDIR@ -+libhooksdir=@LXCLIBHOOKDIR@ - - hooks_SCRIPTS = \ - clonehostname \ -@@ -6,7 +7,7 @@ hooks_SCRIPTS = \ - ubuntu-cloud-prep \ - squid-deb-proxy-client - --hooks_PROGRAMS = \ -+libhooks_PROGRAMS = \ - unmount-namespace - - unmount_namespace_SOURCES = \ --- -2.1.4 - diff --git a/debian/patches/series b/debian/patches/series index b881754..3737812 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,13 +6,3 @@ include-linux-sched.patch use-var-lib-vz-as-default-dir.patch #do-not-use-config-path-for-rootfs.patch run-lxcnetaddbr.patch -0001-added-stop-hook-entries.patch -0002-run-stop-hook-between-STOPPING-and-STOPPED-states.patch -0003-pass-namespace-handles-to-the-stop-hook.patch -0004-document-the-stop-hook.patch -0005-added-the-unmount-namespace-hook.patch -0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch -delete_network_show_error.diff -0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch -0002-Added-lxc.monitor.unshare.patch -0001-apparmor-allow-binding-run-lock-var-run-lock.patch