
update patches for lxc-4.0.11

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-12-02 10:32:22 +01:00
parent a669a19aa5
commit 87c39e902a
16 changed files with 158 additions and 303 deletions


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 31 Mar 2020 15:22:42 +0200
Subject: [PATCH] allow running lxc-monitord as a system daemon
Subject: [PATCH lxc] allow running lxc-monitord as a system daemon
lxc-monitord instances are spawned on demand and, if this
happens from a service, the daemon is considered part of
@ -11,17 +11,17 @@ can be avoided by leaving it running permanently.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
.gitignore | 1 +
config/init/systemd/Makefile.am | 10 +++---
config/init/systemd/Makefile.am | 10 +++++----
configure.ac | 1 +
lxc.spec.in | 1 +
src/lxc/cmd/lxc_monitord.c | 60 +++++++++++++++++++++++----------
5 files changed, 52 insertions(+), 21 deletions(-)
src/lxc/cmd/lxc_monitord.c | 40 ++++++++++++++++++++++++++-------
5 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3cff48d96..44345454f 100644
index 5070196cc..9f34f9b1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -120,6 +120,7 @@ config/bash/lxc
@@ -124,6 +124,7 @@ config/bash/lxc
config/init/common/lxc-containers
config/init/common/lxc-net
config/init/systemd/lxc-autostart-helper
@ -60,10 +60,10 @@ index c448850d1..4a4fde5e7 100644
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/configure.ac b/configure.ac
index e30ea6f6e..16c5ab8c4 100644
index e3a0c70bd..2bbf5dd4d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -913,6 +913,7 @@ AC_CONFIG_FILES([
@@ -909,6 +909,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
@ -72,10 +72,10 @@ index e30ea6f6e..16c5ab8c4 100644
config/init/sysvinit/lxc-containers
config/init/sysvinit/lxc-net
diff --git a/lxc.spec.in b/lxc.spec.in
index ec6321c33..ea6789fb6 100644
index a7ce2601c..7ed9685bd 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -251,6 +251,7 @@ fi
@@ -255,6 +255,7 @@ fi
%{_unitdir}/lxc-net.service
%{_unitdir}/lxc.service
%{_unitdir}/lxc@.service
@ -84,10 +84,10 @@ index ec6321c33..ea6789fb6 100644
%{_sysconfdir}/rc.d/init.d/lxc
%{_sysconfdir}/rc.d/init.d/lxc-net
diff --git a/src/lxc/cmd/lxc_monitord.c b/src/lxc/cmd/lxc_monitord.c
index bcb289ca6..da7db2820 100644
index 2b0895fc6..997d11217 100644
--- a/src/lxc/cmd/lxc_monitord.c
+++ b/src/lxc/cmd/lxc_monitord.c
@@ -338,17 +338,44 @@ static void lxc_monitord_sig_handler(int sig)
@@ -327,17 +327,44 @@ static void lxc_monitord_sig_handler(int sig)
int main(int argc, char *argv[])
{
@ -136,7 +136,7 @@ index bcb289ca6..da7db2820 100644
"NOTE: lxc-monitord is intended for use by lxc internally\n"
" and does not need to be run by hand\n\n");
exit(EXIT_FAILURE);
@@ -371,9 +398,6 @@ int main(int argc, char *argv[])
@@ -360,9 +387,6 @@ int main(int argc, char *argv[])
INFO("Failed to open log file %s, log will be lost", lxcpath);
lxc_log_options_no_override();
@ -146,34 +146,7 @@ index bcb289ca6..da7db2820 100644
if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) ||
@@ -406,15 +430,17 @@ int main(int argc, char *argv[])
goto on_error;
monitord_created = true;
- /* sync with parent, we're ignoring the return from write
- * because regardless if it works or not, the following
- * close will sync us with the parent process. the
- * if-empty-statement construct is to quiet the
- * warn-unused-result warning.
- */
- if (lxc_write_nointr(pipefd, "S", 1))
- ;
- close(pipefd);
+ if (pipefd != -1) {
+ /* sync with parent, we're ignoring the return from write
+ * because regardless if it works or not, the following
+ * close will sync us with the parent process. the
+ * if-empty-statement construct is to quiet the
+ * warn-unused-result warning.
+ */
+ if (lxc_write_nointr(pipefd, "S", 1))
+ ;
+ close(pipefd);
+ }
if (lxc_monitord_mainloop_add(&monitor)) {
ERROR("Failed to add mainloop handlers");
@@ -425,7 +451,7 @@ int main(int argc, char *argv[])
@@ -417,7 +441,7 @@ int main(int argc, char *argv[])
lxc_raw_getpid(), monitor.lxcpath);
for (;;) {
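Review bot: The in-patch diffstat for `src/lxc/cmd/lxc_monitord.c` shrinks from `60 ++++` (52 insertions, 21 deletions) to `40 ++++` (41 insertions, 12 deletions), yet every hunk shown here changes only offsets, index hashes and the `[PATCH lxc]` subject prefix; the part of `main()` that lost those added lines sits in the collapsed region around the usage text (`NOTE: lxc-monitord is intended for use by lxc internally`) and is not visible, so the commit message should say whether those lines are now carried by upstream 4.0.11 or were intentionally dropped. The retained `if (pipefd != -1)` block keeps the original write-and-ignore idiom, which is acceptable only because, as its comment says, the `close(pipefd)` is what actually synchronises the parent. `main()` starts before and ends after the shown hunks.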


@ -1,7 +1,8 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 2 Apr 2020 10:01:37 +0200
Subject: [PATCH] introduce lxc.cgroup.dir.{monitor,container,container.inner}
Subject: [PATCH lxc] introduce
lxc.cgroup.dir.{monitor,container,container.inner}
This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.
@ -28,10 +29,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 files changed, 171 insertions(+)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index e089fa61d..595cb3972 100644
index 6c9271130..3bf62f082 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1757,6 +1757,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
@ -86,7 +87,7 @@ index e089fa61d..595cb3972 100644
<term>
<option>lxc.cgroup.relative</option>
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 37c38fe1e..daf8ee474 100644
index 213688060..23ed7837c 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
@ -99,7 +100,7 @@ index 37c38fe1e..daf8ee474 100644
lxc_config_define(cgroup_relative);
lxc_config_define(console_buffer_size);
lxc_config_define(console_logfile);
@@ -185,6 +188,9 @@ static struct lxc_config_t config_jump_table[] = {
@@ -187,6 +190,9 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.cap.drop", true, set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
{ "lxc.cap.keep", true, set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", false, set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
@ -109,7 +110,7 @@ index 37c38fe1e..daf8ee474 100644
{ "lxc.cgroup.dir", true, set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.relative", true, set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
{ "lxc.cgroup", false, set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
@@ -1795,6 +1801,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
@@ -1840,6 +1846,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_path_item(&lxc_conf->cgroup_meta.dir, value);
}
@ -158,7 +159,7 @@ index 37c38fe1e..daf8ee474 100644
static int set_config_cgroup_relative(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
@@ -3654,6 +3702,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
@@ -3707,6 +3755,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen;
}
@ -217,7 +218,7 @@ index 37c38fe1e..daf8ee474 100644
static inline int get_config_cgroup_relative(const char *key, char *retv,
int inlen, struct lxc_conf *lxc_conf,
void *data)
@@ -4491,6 +4591,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
@@ -4568,6 +4668,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0;
}


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:08:41 +0200
Subject: [PATCH] doc:
Subject: [PATCH lxc] doc:
s/lxc.cgroup.container.namespace/lxc.cgroup.container.inner/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 595cb3972..18bf36aaf 100644
index 3bf62f082..490793ddb 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1769,7 +1769,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -1813,7 +1813,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
exclusive with <option>lxc.cgroup.dir</option>.
Note that the final path the container attaches to may be
extended further by the
@ -22,7 +22,7 @@ index 595cb3972..18bf36aaf 100644
</para>
</listitem>
</varlistentry>
@@ -1786,7 +1786,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@@ -1830,7 +1830,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</varlistentry>
<varlistentry>
<term>


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 3 Apr 2020 20:10:58 +0200
Subject: [PATCH] confile: coding style fixes for
Subject: [PATCH lxc] confile: coding style fixes for
set_config_cgroup_container_inner_dir()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
@ -10,10 +10,10 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index daf8ee474..ae6e72c22 100644
index 23ed7837c..c7e7887f3 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1828,19 +1828,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
@@ -1873,19 +1873,14 @@ static int set_config_cgroup_container_inner_dir(const char *key,
void *data)
{
if (lxc_config_value_empty(value))


@ -1,7 +1,8 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 4 Apr 2020 12:07:43 +0200
Subject: [PATCH] api-extensions: add and document cgroup_advanced_isolation
Subject: [PATCH lxc] api-extensions: add and document
cgroup_advanced_isolation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
@ -10,7 +11,7 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index ff0df50ef..13ba41a62 100644
index cdf82f937..6f9e1621d 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
@ -23,9 +24,9 @@ index ff0df50ef..13ba41a62 100644
+
## idmapped\_mounts
Whether this LXC instance can handle idmapped mounts.
Whether this LXC instance can handle idmapped mounts for the rootfs.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 06a4130ba..6653c7299 100644
index c2509207d..ae71ff18e 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -41,6 +41,7 @@ static char *api_extensions[] = {
@ -34,5 +35,5 @@ index 06a4130ba..6653c7299 100644
"seccomp_proxy_send_notify_fd",
+ "cgroup_advanced_isolation",
"idmapped_mounts",
};
"idmapped_mounts_v2",
"core_scheduling",


@ -1,8 +1,8 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Sun, 5 Apr 2020 21:18:59 +0900
Subject: [PATCH] doc: Add lxc.cgroup.dir.{monitor,container,container.inner}
to Japanese man
Subject: [PATCH lxc] doc: Add
lxc.cgroup.dir.{monitor,container,container.inner} to Japanese man
Update for commit a900cba
@ -12,10 +12,10 @@ Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
1 file changed, 57 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index fd6fb18e3..2c77d4ea3 100644
index 05ae2f441..9ad6627ab 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -2099,6 +2099,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
@@ -2389,6 +2389,63 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
Subject: [PATCH] PVE: [Config] lxc.service: start after a potential
Subject: [PATCH lxc] PVE: [Config] lxc.service: start after a potential
syslog.service
We could add this as a snippet from pve-container instead.


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH] PVE: [Config] deny rw mounting of /sys and /proc
Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc
Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this.


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 13 Aug 2019 13:57:22 +0200
Subject: [PATCH] PVE: [Config] attach: always use getent
Subject: [PATCH lxc] PVE: [Config] attach: always use getent
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 97eff7f8e..01bd56f45 100644
index cd526ab6b..845270ee5 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1810,12 +1810,8 @@ int lxc_attach_run_command(void *payload)
@@ -1841,12 +1841,8 @@ int lxc_attach_run_command(void *payload)
int lxc_attach_run_shell(void* payload)
{
@ -25,16 +25,16 @@ index 97eff7f8e..01bd56f45 100644
- struct passwd pwent;
- struct passwd *pwentp = NULL;
char *user_shell;
- size_t bufsize;
- ssize_t bufsize;
int ret;
/* Ignore payload parameter. */
@@ -1823,32 +1819,13 @@ int lxc_attach_run_shell(void* payload)
@@ -1854,32 +1850,13 @@ int lxc_attach_run_shell(void* payload)
uid = getuid();
- bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
- if (bufsize == -1)
- if (bufsize < 0)
- bufsize = 1024;
-
- buf = malloc(bufsize);
@ -63,7 +63,7 @@ index 97eff7f8e..01bd56f45 100644
if (user_shell)
execlp(user_shell, user_shell, (char *)NULL);
@@ -1858,8 +1835,7 @@ int lxc_attach_run_shell(void* payload)
@@ -1889,8 +1866,7 @@ int lxc_attach_run_shell(void* payload)
execlp("/bin/sh", "/bin/sh", (char *)NULL);
SYSERROR("Failed to execute shell");


@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Sat, 13 Nov 2021 18:20:13 +0100
Subject: [PATCH lxc] Revert "initutils: use vfork() in lxc_container_init()"
This reverts commit d65e5e492f740bbb50e3005f97420c3ddae3d595.
With vfork the child process modifies the parent's memory,
so the calls to `signal`, `fprintf` and regular `exit` may
be dangerous and might cause conflicting states in the
parent.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/initutils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 24baecc88..72278c1f1 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -551,7 +551,7 @@ __noreturn int lxc_container_init(int argc, char *const *argv, bool quiet)
remove_self();
- pid = vfork();
+ pid = fork();
if (pid < 0)
exit(EXIT_FAILURE);
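Review bot: The one-line revert to `fork()` is the right fix, but nothing in the code records why `vfork()` must not come back, so the next cleanup pass can reintroduce it; I would add directly above the call `/* fork(), not vfork(): the child calls signal()/fprintf()/exit(), which is undefined under vfork() since the child shares the parent's memory until exec/_exit. */`. The commit message's claim about what the child calls cannot be checked from the hunk — the child branch of `lxc_container_init()` lies outside it — so that comment should be confirmed against the child path before landing. `lxc_container_init()` starts before and continues after the hunk.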


@ -1,21 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 5 Jul 2021 09:02:36 +0200
Subject: [PATCH] conf: userns.conf: include userns.conf.d
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/templates/userns.conf.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 69d992680..255dd01a3 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -19,3 +19,6 @@ lxc.tty.dir =
# Setup the default mounts
lxc.mount.auto = sys:rw
+
+# Lastly, include all the configs from @LXCTEMPLATECONFIG@/userns.conf.d/
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf.d/


@ -1,36 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 5 Jul 2021 10:53:41 +0200
Subject: [PATCH] confile: allow including nonexisting directories
If an include directive ends with a trailing slash, we now
always assume it is a directory and do not treat the
non-existence as an error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/confile.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 6e2b68b1c..7f4fb13fb 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -2689,7 +2689,7 @@ static int do_includedir(const char *dirp, struct lxc_conf *lxc_conf)
dir = opendir(dirp);
if (!dir)
- return -errno;
+ return errno == ENOENT ? 0 : -errno;
while ((direntp = readdir(dir))) {
const char *fnam;
@@ -2726,7 +2726,7 @@ static int set_config_includefiles(const char *key, const char *value,
return 0;
}
- if (is_dir(value))
+ if (value[strlen(value)-1] == '/' || is_dir(value))
return do_includedir(value, lxc_conf);
return lxc_config_read(value, lxc_conf, true);


@ -0,0 +1,76 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 3 Dec 2021 09:13:11 +0100
Subject: [PATCH lxc] use 2 sysfs instances for sys:mixed
In order to facilitate this, the default mount list's
'destination' may now be NULL to mean that the source should
be unmounted instead.
Here's what we need to do:
1) Ensure the first sysfs mount point is writable.
2) Mount a read-only sysfs on /sys
3) Bind devices/virtual/net *writably* into /sys
We use /proc/sys as a staging directory for the first sysfs
mount in read-write mode, then mount /sys r/o. Afterwards we
bind the r/w devices/virtual/net and unmount the staging
/proc/sys mount point.
The staging directory would not be required with the new
mount API, but this way we can support the old API and keep
the general workflow in the `default_mounts`.
Once we drop support for the old mount API, the
default_mounts table could just get a subdirectory field to
mount subdirectories directly.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/conf.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 8e068b8ac..c9ab285d8 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -708,9 +708,11 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
+ /* /proc/sys is used as a temporary staging directory for the read-write sysfs mount and unmounted after binding net */
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/proc/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/proc/sys", NULL, NULL, 0, NULL, false },
{ 0, 0, NULL, NULL, NULL, 0, NULL, false }
};
struct lxc_conf *conf = handler->conf;
@@ -778,14 +780,21 @@ static int lxc_mount_auto_mounts(struct lxc_handler *handler, int flags)
return syserror_set(-ENOMEM, "Failed to create source path");
}
- if (!default_mounts[i].destination)
- return syserror_set(-EINVAL, "BUG: auto mounts destination %d was NULL", i);
-
if (!has_cap_net_admin && default_mounts[i].requires_cap_net_admin) {
TRACE("Container does not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts[i].source ?: "(null)");
continue;
}
+ if (!default_mounts[i].destination) {
+ ret = umount2(source, MNT_DETACH);
+ if (ret < 0)
+ return log_error_errno(-1, errno,
+ "Failed to unmount \"%s\"",
+ source);
+ TRACE("Unmounted automount \"%s\"", source);
+ continue;
+ }
+
/* will act like strdup if %r is not present */
destination = lxc_string_replace("%r", rootfs->path ? rootfs->mount : "", default_mounts[i].destination);
if (!destination)
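Review bot: With the `MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC` entry removed, the writable `devices/virtual/net` bind now gets nosuid/nodev/noexec only because a plain `MS_BIND` copies the per-mount flags of its source, i.e. the `%r/proc/sys` staging entry above it; that coupling is silent in the table, so I would extend the staging comment with `/* the devices/virtual/net bind below inherits this entry's nosuid/nodev/noexec; keep them in sync */`. The staging target `%r/proc/sys` also presumes the proc automount entries earlier in the table have already run, so `sys:mixed` without a proc automount would place the read-write sysfs onto whatever the rootfs provides at that path (or fail there) — worth stating in the same comment or guarding explicitly. Minor style point: the other error returns in this function carry a negative errno via `syserror_set`, while the new unmount path returns `-1` from `log_error_errno`; `return syserror_set(-errno, "Failed to unmount \"%s\"", source);` would keep the convention. `lxc_mount_auto_mounts()` starts before and continues after both hunks.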


@ -1,102 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov <s.ivanov@proxmox.com>
Date: Mon, 19 Jul 2021 16:55:43 +0200
Subject: [PATCH] cgroups: populate hierarchy for device cgroup
With the changes introduced in:
b7b1e3a34ce28b01206c48227930ff83d399e7b6
the hierarchy-struct did not have the path_lim set anymore, which is
needed by setup_limits_legacy to actually access the cgroup directory.
The issue can be reproduced with a container config having
```
lxc.cgroup.devices.deny = a
```
(or any lxc.cgroup.devices entry) set on a system booted with
systemd.unified_cgroup_hierarchy=0.
This affects all privileged containers on PVE (due to the default
devices.deny entry).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/lxc/cgroups/cgfsng.c | 39 +++++++++++++++++++--------------------
1 file changed, 19 insertions(+), 20 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 9e1ece5ca..e27baa625 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -794,8 +794,12 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
if (fd_limit < 0)
return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir);
+ limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
+ h->dfd_lim = move_fd(fd_limit);
+ h->path_lim = move_ptr(limit_path);
+
TRACE("Created limit cgroup %d->%d(%s)",
- fd_limit, h->dfd_base, cgroup_limit_dir);
+ h->dfd_lim, h->dfd_base, cgroup_limit_dir);
/*
* With isolation the devices legacy cgroup needs to be
@@ -807,44 +811,39 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
!ops->setup_limits_legacy(ops, conf, true))
return log_error(false, "Failed to setup legacy device limits");
- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
- path = must_make_path(limit_path, cgroup_leaf, NULL);
+ path = must_make_path(h->path_lim, cgroup_leaf, NULL);
/*
* If we use a separate limit cgroup, the leaf cgroup, i.e. the
* cgroup the container actually resides in, is below fd_limit.
*/
- fd_final = __cgroup_tree_create(fd_limit, cgroup_leaf, 0755, cpuset_v1, false);
+ fd_final = __cgroup_tree_create(h->dfd_lim, cgroup_leaf, 0755, cpuset_v1, false);
if (fd_final < 0) {
/* Ensure we don't leave any garbage behind. */
if (cgroup_tree_prune(h->dfd_base, cgroup_limit_dir))
SYSWARN("Failed to destroy %d(%s)", h->dfd_base, cgroup_limit_dir);
else
TRACE("Removed cgroup tree %d(%s)", h->dfd_base, cgroup_limit_dir);
+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
}
+ h->dfd_con = move_fd(fd_final);
+ h->path_con = move_ptr(path);
+
} else {
path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false);
- }
- if (fd_final < 0)
- return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
-
- if (payload) {
- h->dfd_con = move_fd(fd_final);
- h->path_con = move_ptr(path);
+ if (fd_final < 0)
+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
- if (fd_limit < 0)
+ if (payload) {
+ h->dfd_con = move_fd(fd_final);
h->dfd_lim = h->dfd_con;
- else
- h->dfd_lim = move_fd(fd_limit);
-
- if (limit_path)
- h->path_lim = move_ptr(limit_path);
- else
+ h->path_con = move_ptr(path);
h->path_lim = h->path_con;
- } else {
- h->dfd_mon = move_fd(fd_final);
+ } else {
+ h->dfd_mon = move_fd(fd_final);
+ }
}
return true;


@ -1,65 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov <s.ivanov@proxmox.com>
Date: Tue, 20 Jul 2021 10:30:36 +0200
Subject: [PATCH] cgroups: remove unneeded variables from cgroup_tree_create
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/lxc/cgroups/cgfsng.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index e27baa625..35ba0fb9d 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -779,7 +779,6 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
const char *cgroup_leaf, bool payload)
{
__do_close int fd_limit = -EBADF, fd_final = -EBADF;
- __do_free char *path = NULL, *limit_path = NULL;
bool cpuset_v1 = false;
/*
@@ -794,9 +793,8 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
if (fd_limit < 0)
return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir);
- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
+ h->path_lim = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
h->dfd_lim = move_fd(fd_limit);
- h->path_lim = move_ptr(limit_path);
TRACE("Created limit cgroup %d->%d(%s)",
h->dfd_lim, h->dfd_base, cgroup_limit_dir);
@@ -811,8 +809,6 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
!ops->setup_limits_legacy(ops, conf, true))
return log_error(false, "Failed to setup legacy device limits");
- path = must_make_path(h->path_lim, cgroup_leaf, NULL);
-
/*
* If we use a separate limit cgroup, the leaf cgroup, i.e. the
* cgroup the container actually resides in, is below fd_limit.
@@ -827,11 +823,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
}
h->dfd_con = move_fd(fd_final);
- h->path_con = move_ptr(path);
+ h->path_con = must_make_path(h->path_lim, cgroup_leaf, NULL);
} else {
- path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-
fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false);
if (fd_final < 0)
return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
@@ -839,7 +833,8 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
if (payload) {
h->dfd_con = move_fd(fd_final);
h->dfd_lim = h->dfd_con;
- h->path_con = move_ptr(path);
+ h->path_con = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
+
h->path_lim = h->path_con;
} else {
h->dfd_mon = move_fd(fd_final);


@ -7,7 +7,5 @@ pve/0006-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch
pve/0007-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0009-PVE-Config-attach-always-use-getent.patch
pve/0010-conf-userns.conf-include-userns.conf.d.patch
pve/0011-confile-allow-including-nonexisting-directories.patch
pve/0012-cgroups-populate-hierarchy-for-device-cgroup.patch
pve/0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch
pve/0010-Revert-initutils-use-vfork-in-lxc_container_init.patch
pve/0011-use-2-sysfs-instances-for-sys-mixed.patch
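Review bot: The series drops `0010-conf-userns.conf-include-userns.conf.d`, `0011-confile-allow-including-nonexisting-directories`, `0012-cgroups-populate-hierarchy-for-device-cgroup` and `0013-cgroups-remove-unneeded-variables-from-cgroup_tree_c` without this file or the commit message saying they are contained in upstream 4.0.11; the 0012 fix in particular is what made `lxc.cgroup.devices.*` entries apply for privileged containers on hosts booted with `systemd.unified_cgroup_hierarchy=0`, so a silent drop would reopen that regression. Please state in the commit message that each dropped patch is carried by 4.0.11, citing the upstream commit where known. Reusing the numbers 0010/0011 for two unrelated new patches also makes the history harder to follow; continuing at 0014/0015 would avoid that.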