mirror of git://git.proxmox.com/git/lxc.git synced 2025-03-22 06:50:41 +03:00

switch to git-patch workflow; add lxc-monitord.service

Wolfgang Bumiller 2017-02-10 10:28:26 +01:00
parent d62021ec40
commit ade16ee611
14 changed files with 356 additions and 144 deletions


@ -0,0 +1,25 @@
From 10bc10054434f20870f812bb710eef5b5e22040b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:13:40 +0100
Subject: [PATCH 1/8] lxc.service: start after a potential syslog.service
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/init/systemd/lxc.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
index cd61996..7754191 100644
--- a/config/init/systemd/lxc.service.in
+++ b/config/init/systemd/lxc.service.in
@@ -1,6 +1,6 @@
[Unit]
Description=LXC Container Initialization and Autoboot Code
-After=network.target lxc-net.service
+After=syslog.service network.target lxc-net.service
Wants=lxc-net.service
Documentation=man:lxc-autostart man:lxc
--
2.1.4


@ -0,0 +1,38 @@
From e68a4291abec1c140fffbc8c954ff9596b17aad4 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:14:55 +0100
Subject: [PATCH 2/8] jessie/systemd: remove Delegate flag to silence warnings
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/init/systemd/lxc.service.in | 1 -
config/init/systemd/lxc@.service.in | 1 -
2 files changed, 2 deletions(-)
diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
index 7754191..bdd5828 100644
--- a/config/init/systemd/lxc.service.in
+++ b/config/init/systemd/lxc.service.in
@@ -12,7 +12,6 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
-Delegate=yes
StandardOutput=syslog
StandardError=syslog
diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
index 44d11e8..6b8b5ff 100644
--- a/config/init/systemd/lxc@.service.in
+++ b/config/init/systemd/lxc@.service.in
@@ -13,7 +13,6 @@ TimeoutStopSec=120s
ExecStart=@BINDIR@/lxc-start -F -n %i
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
-Delegate=yes
StandardOutput=syslog
StandardError=syslog
--
2.1.4
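Review bot: `Delegate=yes` is dropped from both lxc.service.in and lxc@.service.in with no reason given beyond the subject line, whereas the older remove-systemd-delegate-flag.patch deleted further down this page at least recorded "This flag requires systemd 218 or newer". Without delegation, a newer systemd may treat the cgroup subtree of these units as its own to manage, which matters for services that create container cgroups, so the removal should not silently carry over to a later base release. I would add a description line such as `Delegate= needs systemd >= 218 and only produces warnings on jessie; restore it when building for a newer systemd.`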


@ -0,0 +1,34 @@
From 6b3de84e0654c3b0b13166d63af9961a3a757c6e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 09:15:37 +0100
Subject: [PATCH 3/8] pve: run lxcnetaddbr when instantiating veths
FIXME: Why aren't we using regular up-scripts?
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/conf.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index a93124b..c4079bb 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2683,8 +2683,13 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd
"veth", veth1, (char*) NULL);
if (err)
goto out_delete;
+ } else if (!netdev->link) {
+ err = run_script(handler->name, "net", "/usr/share/lxc/lxcnetaddbr", "up",
+ "veth", veth1, (char*) NULL);
+ if (err)
+ goto out_delete;
}
-
+
DEBUG("instantiated veth '%s/%s', index is '%d'",
veth1, veth2, netdev->ifindex);
--
2.1.4
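Review bot: The new `else if (!netdev->link)` branch executes the fixed path `/usr/share/lxc/lxcnetaddbr` and treats any non-zero result as fatal via `goto out_delete`, yet nothing in the code explains why a veth without a configured link needs it; the patch description itself carries a FIXME asking why regular up-scripts are not used. Since the script presumably runs with the privileges of the process starting the container, I would add a comment above the call such as `/* PVE: no link configured, bridge attachment is delegated to lxcnetaddbr; the script must be root-owned and not writable by others */` and move the path into a named constant. The replaced blank line after the closing brace looks like a whitespace-only change and could be dropped. instantiate_veth starts and ends outside the hunk.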


@ -1,7 +1,7 @@
From 77596df581ee381896a5d9a9152c046ff164c65a Mon Sep 17 00:00:00 2001
From e7d6b0d2384070f2c34a46aaa20250ce31f96c9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH] deny rw mounting of /sys and /proc
Subject: [PATCH 4/8] deny rw mounting of /sys and /proc
this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out
@ -14,7 +14,7 @@ if a rw /sys is desired, set "lxc.mount.auto" accordingly
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 06290de..3c64c66 100644
index 06290de..779aadd 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -84,7 +84,6 @@
@ -38,7 +38,7 @@ index 06290de..3c64c66 100644
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 5bc9b28..482214e 100644
index 5bc9b28..5c8e441 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -84,7 +84,6 @@


@ -1,7 +1,7 @@
From 2e386b0ab03ebc04bd3b08fa3cf9aa14c596b883 Mon Sep 17 00:00:00 2001
From 6adbaea0d07553932f4cd78b5530cd5291c3b41f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 15 Nov 2016 09:20:24 +0100
Subject: [PATCH 1/2] separate the limiting from the namespaced cgroup root
Subject: [PATCH 5/8] separate the limiting from the namespaced cgroup root
When cgroup namespaces are enabled a privileged container
with mixed cgroups has full write access to its own root
@ -679,10 +679,10 @@ index 184eefa..6430b33 100644
extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
extern char *lxc_cmd_get_name(const char *hashed_sock);
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 125e674..5a9e36b 100644
index 8a0702f..5843f97 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -284,7 +284,7 @@ static void exec_criu(struct criu_opts *opts)
@@ -283,7 +283,7 @@ static void exec_criu(struct criu_opts *opts)
} else {
const char *p;
@ -691,7 +691,7 @@ index 125e674..5a9e36b 100644
if (!p) {
ERROR("failed to get cgroup path for %s", controllers[0]);
goto err;
@@ -797,7 +797,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
@@ -795,7 +795,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
goto out_fini_handler;
}
@ -701,10 +701,10 @@ index 125e674..5a9e36b 100644
goto out_fini_handler;
}
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 71206e0..c9d78b7 100644
index c2c14a7..e889421 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1121,7 +1121,7 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1104,7 +1104,7 @@ static int lxc_spawn(struct lxc_handler *handler)
cgroups_connected = true;
@ -713,7 +713,7 @@ index 71206e0..c9d78b7 100644
ERROR("Failed creating cgroups.");
goto out_delete_net;
}
@@ -1208,10 +1208,10 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1191,10 +1191,10 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
@ -726,7 +726,7 @@ index 71206e0..c9d78b7 100644
goto out_delete_net;
if (failed_before_rename)
@@ -1254,6 +1254,21 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1237,6 +1237,21 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}


@ -1,7 +1,7 @@
From e1fecf743d507ea7df458ed7e14222d02fe76cae Mon Sep 17 00:00:00 2001
From af72260927efd412210ec85842e1ef70ccc0c5e8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 2/2] start/initutils: make cgroupns separation level
Subject: [PATCH 6/8] start/initutils: make cgroupns separation level
configurable
Adds a new global config variable `lxc.cgroup.separate`
@ -17,7 +17,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 3213bd3..d07fd10 100644
index 8d9016c..0630293 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
@ -57,10 +57,10 @@ index c021fd6..443ad02 100644
extern void lxc_setup_fs(void);
extern const char *lxc_global_config_value(const char *option_name);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index c9d78b7..fe2e335 100644
index e889421..4217c5d 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1067,6 +1067,7 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1050,6 +1050,7 @@ static int lxc_spawn(struct lxc_handler *handler)
int saved_ns_fd[LXC_NS_MAX];
int preserve_mask = 0, i, flags;
int netpipepair[2], nveths;
@ -68,7 +68,7 @@ index c9d78b7..fe2e335 100644
netpipe = -1;
@@ -1130,7 +1131,7 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1113,7 +1114,7 @@ static int lxc_spawn(struct lxc_handler *handler)
* it readonly.
* If the container is unprivileged then skip rootfs pinning.
*/
@ -77,7 +77,7 @@ index c9d78b7..fe2e335 100644
handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
if (handler->pinfd == -1)
INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1255,17 +1256,20 @@ static int lxc_spawn(struct lxc_handler *handler)
@@ -1238,17 +1239,20 @@ static int lxc_spawn(struct lxc_handler *handler)
}
if (cgns_supported()) {


@ -1,7 +1,7 @@
From 9b5f49f361290267e00665ec9f0bdbfaeda39bc0 Mon Sep 17 00:00:00 2001
From 3790507952f3cda5c6dd9bb6f87c80d9b0ddadf7 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 23 Dec 2016 15:57:24 +0100
Subject: [PATCH] rename cgroup namespace directory to ns
Subject: [PATCH 7/8] rename cgroup namespace directory to ns
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---


@ -0,0 +1,229 @@
From 1bdcf98811093349ca856dac4beb3f5bd0dd501b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 10 Feb 2017 10:23:36 +0100
Subject: [PATCH 8/8] possibility to run lxc-monitord as a regular daemon
This includes an lxc-monitord.service, required by
lxc@.service which is now of Type=forking.
Previously the init process' output was dumped into the log
files since the service used Type=simple and
StandardOutput/Error=syslog. Using lxc-start's daemon mode
on the other hand used a wait call spawning an lxc-monitord
in the background which could potentially stick around
forever if there were clients connected to it. Since it was
considered part of the lxc@foo.service unit by systemd this
also meant the unit was considered active until not only the
container but also lxc-monitord exited.
This is now corrected by creating a separate lxc-monitord
unit which lxc@.service depends on.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/init/systemd/Makefile.am | 10 +++--
config/init/systemd/lxc-monitord.service.in | 12 ++++++
config/init/systemd/lxc@.service.in | 7 ++--
configure.ac | 1 +
lxc.spec.in | 1 +
src/lxc/lxc_monitord.c | 60 +++++++++++++++++++++--------
6 files changed, 67 insertions(+), 24 deletions(-)
create mode 100644 config/init/systemd/lxc-monitord.service.in
diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
index c448850..4a4fde5 100644
--- a/config/init/systemd/Makefile.am
+++ b/config/init/systemd/Makefile.am
@@ -2,19 +2,21 @@ EXTRA_DIST = \
lxc-apparmor-load \
lxc.service.in \
lxc@.service.in \
- lxc-net.service.in
+ lxc-net.service.in \
+ lxc-monitord.service.in
if INIT_SCRIPT_SYSTEMD
-BUILT_SOURCES = lxc.service lxc@.service lxc-net.service
+BUILT_SOURCES = lxc.service lxc@.service lxc-net.service lxc-monitord.service
-install-systemd: lxc.service lxc@.service lxc-net.service lxc-apparmor-load
+install-systemd: lxc.service lxc@.service lxc-net.service lxc-monitord.service lxc-apparmor-load
$(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
- $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
+ $(INSTALL_DATA) lxc.service lxc@.service lxc-net.service lxc-monitord.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
uninstall-systemd:
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc.service
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc@.service
rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
+ rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-monitord.service
rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
pkglibexec_SCRIPTS = lxc-apparmor-load
diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
new file mode 100644
index 0000000..4063516
--- /dev/null
+++ b/config/init/systemd/lxc-monitord.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=LXC Container Monitoring Daemon
+After=syslog.service network.target
+
+[Service]
+Type=simple
+ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
index 6b8b5ff..ffb9136 100644
--- a/config/init/systemd/lxc@.service.in
+++ b/config/init/systemd/lxc@.service.in
@@ -1,16 +1,17 @@
[Unit]
Description=LXC Container: %i
# This pulls in apparmor, dev-setup, lxc-net
-After=lxc.service
+After=lxc.service lxc-monitord.service
Wants=lxc.service
+Requires = lxc-monitord.service
Documentation=man:lxc-start man:lxc
[Service]
-Type=simple
+Type=forking
KillMode=mixed
KillSignal=SIGPWR
TimeoutStopSec=120s
-ExecStart=@BINDIR@/lxc-start -F -n %i
+ExecStart=@BINDIR@/lxc-start -n %i
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
StandardOutput=syslog
diff --git a/configure.ac b/configure.ac
index 42ece7a..c6b2a78 100644
--- a/configure.ac
+++ b/configure.ac
@@ -694,6 +694,7 @@ AC_CONFIG_FILES([
config/init/systemd/lxc.service
config/init/systemd/lxc@.service
config/init/systemd/lxc-net.service
+ config/init/systemd/lxc-monitord.service
config/init/sysvinit/Makefile
config/init/sysvinit/lxc-containers
config/init/sysvinit/lxc-net
diff --git a/lxc.spec.in b/lxc.spec.in
index 0e64907..f35d81c 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -259,6 +259,7 @@ fi
%{_unitdir}/lxc-net.service
%{_unitdir}/lxc.service
%{_unitdir}/lxc@.service
+%{_unitdir}/lxc-monitord.service
%else
%{_sysconfdir}/rc.d/init.d/lxc
%{_sysconfdir}/rc.d/init.d/lxc-net
diff --git a/src/lxc/lxc_monitord.c b/src/lxc/lxc_monitord.c
index 62e2121..ad40dbe 100644
--- a/src/lxc/lxc_monitord.c
+++ b/src/lxc/lxc_monitord.c
@@ -344,16 +344,43 @@ static void lxc_monitord_sig_handler(int sig)
int main(int argc, char *argv[])
{
- int ret, pipefd;
+ int ret, pipefd = -1;
char logpath[PATH_MAX];
sigset_t mask;
- char *lxcpath = argv[1];
+ const char *lxcpath = NULL;
bool mainloop_opened = false;
bool monitord_created = false;
+ bool persistent = false;
- if (argc != 3) {
+ if (argc > 1 && !strcmp(argv[1], "--daemon")) {
+ persistent = true;
+ --argc;
+ ++argv;
+ }
+
+ if (argc > 1) {
+ lxcpath = argv[1];
+ --argc;
+ ++argv;
+ } else {
+ lxcpath = lxc_global_config_value("lxc.lxcpath");
+ if (!lxcpath) {
+ ERROR("Out of memory getting lxcpath");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (argc > 1) {
+ if (lxc_safe_int(argv[1], &pipefd) < 0)
+ exit(EXIT_FAILURE);
+ --argc;
+ ++argv;
+ }
+
+ if (argc != 1 || (persistent != (pipefd == -1))) {
fprintf(stderr,
- "Usage: lxc-monitord lxcpath sync-pipe-fd\n\n"
+ "Usage: lxc-monitord lxcpath sync-pipe-fd\n"
+ " lxc-monitord --daemon lxcpath\n\n"
"NOTE: lxc-monitord is intended for use by lxc internally\n"
" and does not need to be run by hand\n\n");
exit(EXIT_FAILURE);
@@ -369,9 +396,6 @@ int main(int argc, char *argv[])
INFO("Failed to open log file %s, log will be lost.", lxcpath);
lxc_log_options_no_override();
- if (lxc_safe_int(argv[2], &pipefd) < 0)
- exit(EXIT_FAILURE);
-
if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) ||
@@ -403,15 +427,17 @@ int main(int argc, char *argv[])
goto on_error;
monitord_created = true;
- /* sync with parent, we're ignoring the return from write
- * because regardless if it works or not, the following
- * close will sync us with the parent process. the
- * if-empty-statement construct is to quiet the
- * warn-unused-result warning.
- */
- if (write(pipefd, "S", 1))
- ;
- close(pipefd);
+ if (pipefd != -1) {
+ /* sync with parent, we're ignoring the return from write
+ * because regardless if it works or not, the following
+ * close will sync us with the parent process. the
+ * if-empty-statement construct is to quiet the
+ * warn-unused-result warning.
+ */
+ if (write(pipefd, "S", 1))
+ ;
+ close(pipefd);
+ }
if (lxc_monitord_mainloop_add(&mon)) {
ERROR("Failed to add mainloop handlers.");
@@ -421,7 +447,7 @@ int main(int argc, char *argv[])
NOTICE("lxc-monitord with pid %d is now monitoring lxcpath %s.",
getpid(), mon.lxcpath);
for (;;) {
- ret = lxc_mainloop(&mon.descr, 1000 * 30);
+ ret = lxc_mainloop(&mon.descr, persistent ? -1 : 1000 * 30);
if (mon.clientfds_cnt <= 0) {
NOTICE("No remaining clients. lxc-monitord is exiting.");
break;
--
2.1.4
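Review bot: In the last hunk of src/lxc/lxc_monitord.c only the timeout passed to `lxc_mainloop` depends on `persistent`; the unchanged `if (mon.clientfds_cnt <= 0)` check that follows still breaks out of the loop. If `lxc_mainloop` can return while no client is connected (its return conditions are not visible here), the `--daemon` instance exits, and the new lxc-monitord.service has no `Restart=` to bring it back even though lxc@.service declares `Requires = lxc-monitord.service`. I would guard the exit with `if (!persistent && mon.clientfds_cnt <= 0) {`. Separately, `ERROR("Out of memory getting lxcpath")` is reached before the log setup that appears in the later hunk, so that failure is probably silent; `fprintf(stderr, ...)` as used for the usage text would be visible. The body of main continues outside these hunks.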


@ -1,21 +0,0 @@
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 0e3421b..91c90b1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3083,9 +3083,13 @@ void lxc_delete_network(struct lxc_handler *handler)
* namespace is destroyed but in case we did not moved the
* interface to the network namespace, we have to destroy it
*/
- if (netdev->ifindex != 0 &&
- lxc_netdev_delete_by_index(netdev->ifindex))
- WARN("failed to remove interface '%s'", netdev->name);
+ if (netdev->ifindex != 0) {
+ int err = lxc_netdev_delete_by_index(netdev->ifindex);
+ if (err) {
+ WARN("failed to remove interface '%s': %i: %s", netdev->name,
+ err, strerror(-err));
+ }
+ }
}
}


@ -1,14 +0,0 @@
Index: new/config/init/systemd/lxc.service.in
===================================================================
--- new.orig/config/init/systemd/lxc.service.in
+++ new/config/init/systemd/lxc.service.in
@@ -1,7 +1,7 @@
[Unit]
Description=LXC Container Initialization and Autoboot Code
-After=network.target lxc-net.service
-Wants=lxc-net.service
+After=syslog.service network.target lxc-net.service
+Wants=lxc-net.service
Documentation=man:lxc-autostart man:lxc
[Service]


@ -1,26 +0,0 @@
This flag requires systemd 218 or newer
Index: new/config/init/systemd/lxc.service.in
===================================================================
--- new.orig/config/init/systemd/lxc.service.in
+++ new/config/init/systemd/lxc.service.in
@@ -12,7 +12,7 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-container
ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
-Delegate=yes
+#Delegate=yes
StandardOutput=syslog
StandardError=syslog
--- new.orig/config/init/systemd/lxc@.service.in
+++ new/config/init/systemd/lxc@.service.in
@@ -12,7 +12,7 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-container
ExecStart=/usr/bin/lxc-start -n %i
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
-Delegate=yes
+#Delegate=yes
StandardOutput=syslog
StandardError=syslog


@ -1,19 +0,0 @@
Index: new/src/lxc/conf.c
===================================================================
--- new.orig/src/lxc/conf.c
+++ new/src/lxc/conf.c
@@ -2691,8 +2691,13 @@ static int instantiate_veth(struct lxc_h
"veth", veth1, (char*) NULL);
if (err)
goto out_delete;
+ } else if (!netdev->link) {
+ err = run_script(handler->name, "net", "/usr/share/lxc/lxcnetaddbr", "up",
+ "veth", veth1, (char*) NULL);
+ if (err)
+ goto out_delete;
}
-
+
DEBUG("instantiated veth '%s/%s', index is '%d'",
veth1, veth2, netdev->ifindex);

16
debian/patches/series vendored

@ -1,8 +1,8 @@
fix-systemd-service-depends.patch
use-forking-systemd-service.patch
remove-systemd-delegate-flag.patch
run-lxcnetaddbr.patch
deny-rw-mounting-of-sys-and-proc.patch
0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
0002-start-initutils-make-cgroupns-separation-level-confi.patch
rename-cgns-subdir-to-ns.patch
0001-lxc.service-start-after-a-potential-syslog.service.patch
0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
0004-deny-rw-mounting-of-sys-and-proc.patch
0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
0006-start-initutils-make-cgroupns-separation-level-confi.patch
0007-rename-cgroup-namespace-directory-to-ns.patch
0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch


@ -1,34 +0,0 @@
From ba028c2a3f73eec5e45842cc742a20471ee0d921 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 2 Feb 2017 11:15:22 +0100
Subject: [PATCH] init: systemd: use forking mode in lxc@.service
To avoid dumping the entire console outputs into the
logs
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
config/init/systemd/lxc@.service.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
index 44d11e8..52c6a27 100644
--- a/config/init/systemd/lxc@.service.in
+++ b/config/init/systemd/lxc@.service.in
@@ -6,11 +6,11 @@ Wants=lxc.service
Documentation=man:lxc-start man:lxc
[Service]
-Type=simple
+Type=forking
KillMode=mixed
KillSignal=SIGPWR
TimeoutStopSec=120s
-ExecStart=@BINDIR@/lxc-start -F -n %i
+ExecStart=@BINDIR@/lxc-start -n %i
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
Delegate=yes
--
2.1.4