From: Stoiko Ivanov
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller
Date: Thu, 10 Sep 2020 14:40:49 +0200
Message-Id: <20200910124050.23874-2-s.ivanov@proxmox.com>
In-Reply-To: <20200910124050.23874-1-s.ivanov@proxmox.com>
Subject: [pve-devel] [PATCH lxc 1/2] update upstream to 4.0.4 and rebase patches
Signed-off-by: Stoiko Ivanov --- ...ning-lxc-monitord-as-a-system-daemon.patch | 4 +-- ...roup.dir.-monitor-container-containe.patch | 8 +++--- ....container.namespace-lxc.cgroup.cont.patch | 2 +- ...dd-and-document-cgroup_advanced_isol.patch | 14 +++++----- ...up.dir.-monitor-container-container..patch | 2 +- ...09-cgroups-adhere-to-boolean-return.patch} | 4 +-- ...the-right-path-in-get_cgroup-command.patch | 25 ------------------ ...rvice-start-after-a-potential-syslo.patch} | 0 ...ig-deny-rw-mounting-of-sys-and-proc.patch} | 0 ...PVE-Config-attach-always-use-getent.patch} | 8 +++--- ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 ------------------- debian/patches/series | 10 +++---- lxc | 2 +- 13 files changed, 26 insertions(+), 79 deletions(-) rename debian/patches/pve/{0010-cgroups-adhere-to-boolean-return.patch => 0009-cgroups-adhere-to-boolean-return.patch} (90%) delete mode 100644 debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch rename debian/patches/pve/{0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch => 0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch} (100%) rename debian/patches/pve/{0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch => 0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch} (100%) rename debian/patches/pve/{0013-PVE-Config-attach-always-use-getent.patch => 0012-PVE-Config-attach-always-use-getent.patch} (89%) delete mode 100644 debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch diff --git a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch index a2b423a..3889e1e 100644 --- a/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch +++ b/debian/patches/pve/0001-allow-running-lxc-monitord-as-a-system-daemon.patch @@ -80,10 +80,10 @@ index 000000000..406351688 +[Install] +WantedBy=multi-user.target 
diff --git a/configure.ac b/configure.ac -index 059d57d38..c88a2f737 100644 +index f5e9e909e..5b224d2bc 100644 --- a/configure.ac +++ b/configure.ac -@@ -837,6 +837,7 @@ AC_CONFIG_FILES([ +@@ -841,6 +841,7 @@ AC_CONFIG_FILES([ config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service diff --git a/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch b/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch index fcd5220..98b1aa3 100644 --- a/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch +++ b/debian/patches/pve/0003-introduce-lxc.cgroup.dir.-monitor-container-containe.patch @@ -29,7 +29,7 @@ Signed-off-by: Wolfgang Bumiller 4 files changed, 177 insertions(+), 2 deletions(-) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index 3ed71c214..a9c87fe2a 100644 +index 3e0e55cee..4011f5734 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1571,6 +1571,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA @@ -87,7 +87,7 @@ index 3ed71c214..a9c87fe2a 100644 diff --git a/src/lxc/commands.c b/src/lxc/commands.c -index b6ae101fc..44714f9ba 100644 +index 3c1ca03a1..726d57ae0 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -622,7 +622,7 @@ static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req, @@ -110,10 +110,10 @@ index b6ae101fc..44714f9ba 100644 static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 00789961c..4aafca3cb 100644 +index 25e58a06f..613bbffbb 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c -@@ -3750,6 +3750,9 @@ void lxc_conf_free(struct lxc_conf *conf) +@@ -3758,6 +3758,9 @@ void lxc_conf_free(struct lxc_conf *conf) lxc_clear_apparmor_raw(conf); lxc_clear_namespace(conf); free(conf->cgroup_meta.dir); 
diff --git a/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch b/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch index e677343..efdf2bc 100644 --- a/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch +++ b/debian/patches/pve/0004-doc-s-lxc.cgroup.container.namespace-lxc.cgroup.cont.patch @@ -10,7 +10,7 @@ Signed-off-by: Christian Brauner 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index a9c87fe2a..338903d66 100644 +index 4011f5734..006dcad92 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1583,7 +1583,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA diff --git a/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch b/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch index 90d336c..b8b91a1 100644 --- a/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch +++ b/debian/patches/pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch @@ -10,25 +10,25 @@ Signed-off-by: Christian Brauner 2 files changed, 5 insertions(+) diff --git a/doc/api-extensions.md b/doc/api-extensions.md -index 5767583af..e8b5eb089 100644 +index f2a28239b..f815e8362 100644 --- a/doc/api-extensions.md 
+++ b/doc/api-extensions.md -@@ -118,3 +118,7 @@ This adds a new API function `init_pidfd()` which allows to retrieve a pidfd for - ## pidfd +@@ -122,3 +122,7 @@ When running on kernels that support pidfds LXC will rely on them for most opera + ## seccomp\_allow\_deny\_syntax - When running on kernels that support pidfds LXC will rely on them for most operations. This makes interacting with containers not just more reliable it also makes it significantly safer and eliminates various races inherent to PID-based kernel APIs. LXC will require that the running kernel at least support `pidfd_send_signal()`, `CLONE_PIDFD`, `P_PIDFD`, and pidfd polling support. Any kernel starting with `Linux 5.4` should have full support for pidfds. + This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies. + +## cgroup\_advanced\_isolation + +Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits. diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h -index 3afdc35b9..b69467f26 100644 +index ef2b14085..b930c9cd5 100644 --- a/src/lxc/api_extensions.h 
+++ b/src/lxc/api_extensions.h -@@ -39,6 +39,7 @@ static char *api_extensions[] = { - #endif +@@ -40,6 +40,7 @@ static char *api_extensions[] = { "cgroup2", "pidfd", + "seccomp_allow_deny_syntax", + "cgroup_advanced_isolation", }; diff --git a/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch b/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch index 263adbd..afc5cb8 100644 --- a/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch +++ b/debian/patches/pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch @@ -12,7 +12,7 @@ Signed-off-by: KATOH Yasufumi 1 file changed, 57 insertions(+) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in -index 38b623243..7a65e3fe4 100644 +index fd6fb18e3..2c77d4ea3 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in @@ -2099,6 +2099,63 @@ by KATOH Yasufumi diff --git a/debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch b/debian/patches/pve/0009-cgroups-adhere-to-boolean-return.patch similarity index 90% rename from debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch rename to debian/patches/pve/0009-cgroups-adhere-to-boolean-return.patch index 5bf3fe2..e650dc1 100644 --- a/debian/patches/pve/0010-cgroups-adhere-to-boolean-return.patch +++ b/debian/patches/pve/0009-cgroups-adhere-to-boolean-return.patch @@ -9,10 +9,10 @@ Signed-off-by: Christian Brauner 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index 603940683..6c64c996c 100644 +index 12646f21f..8d9e3d511 100644 --- a/src/lxc/cgroups/cgfsng.c 
+++ b/src/lxc/cgroups/cgfsng.c -@@ -1196,11 +1196,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, +@@ -1195,11 +1195,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf, * line, which is not possible once a subdirectory has been * created. */ diff --git a/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch b/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch deleted file mode 100644 index e41735b..0000000 --- a/debian/patches/pve/0009-get-the-right-path-in-get_cgroup-command.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Sun, 5 Apr 2020 16:12:45 +0200 -Subject: [PATCH] get the right path in get_cgroup command - -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/commands.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/lxc/commands.c b/src/lxc/commands.c -index 44714f9ba..d735b5ff6 100644 ---- a/src/lxc/commands.c -+++ b/src/lxc/commands.c -@@ -592,8 +592,8 @@ static int lxc_cmd_get_cgroup_callback_do(int fd, struct lxc_cmd_req *req, - reqdata = NULL; - } - -- get_fn = (limiting_cgroup ? cgroup_ops->get_cgroup -- : cgroup_ops->get_limiting_cgroup); -+ get_fn = (limiting_cgroup ? cgroup_ops->get_limiting_cgroup -+ : cgroup_ops->get_cgroup); - - path = get_fn(cgroup_ops, reqdata); - diff --git a/debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch b/debian/patches/pve/0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch similarity index 100% rename from debian/patches/pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch rename to debian/patches/pve/0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch 
diff --git a/debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch similarity index 100% rename from debian/patches/pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch rename to debian/patches/pve/0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch diff --git a/debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0012-PVE-Config-attach-always-use-getent.patch similarity index 89% rename from debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch rename to debian/patches/pve/0012-PVE-Config-attach-always-use-getent.patch index 073eacd..a9f9346 100644 --- a/debian/patches/pve/0013-PVE-Config-attach-always-use-getent.patch +++ b/debian/patches/pve/0012-PVE-Config-attach-always-use-getent.patch @@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c -index 38e16f2d1..34d64c196 100644 +index ad25aada9..816b0325b 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c -@@ -1452,12 +1452,8 @@ int lxc_attach_run_command(void *payload) +@@ -1453,12 +1453,8 @@ int lxc_attach_run_command(void *payload) int lxc_attach_run_shell(void* payload) { @@ -29,7 +29,7 @@ index 38e16f2d1..34d64c196 100644 int ret; /* Ignore payload parameter. */ -@@ -1465,32 +1461,13 @@ int lxc_attach_run_shell(void* payload) +@@ -1466,32 +1462,13 @@ int lxc_attach_run_shell(void* payload) uid = getuid(); @@ -63,7 +63,7 @@ index 38e16f2d1..34d64c196 100644 if (user_shell) execlp(user_shell, user_shell, (char *)NULL); -@@ -1500,8 +1477,7 @@ int lxc_attach_run_shell(void* payload) +@@ -1501,8 +1478,7 @@ int lxc_attach_run_shell(void* payload) execlp("/bin/sh", "/bin/sh", (char *)NULL); SYSERROR("Failed to execute shell"); 
diff --git a/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch deleted file mode 100644 index ee49687..0000000 --- a/debian/patches/pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Stoiko Ivanov -Date: Wed, 22 Jul 2020 12:17:24 +0200 -Subject: [PATCH] apparmor: Allow ro remount of boot_id - -The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all -necessary mount calls for /proc/sys/kernel/random/boot_id -(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. - -Signed-off-by: Stoiko Ivanov ---- - config/apparmor/abstractions/start-container.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in -index 9998f1121..9f64c2727 100644 ---- a/config/apparmor/abstractions/start-container.in -+++ b/config/apparmor/abstractions/start-container.in -@@ -22,6 +22,7 @@ - mount -> /var/lib/lxc/{**,}, - - mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, -+ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, - - # required for some pre-mount hooks - mount fstype=overlayfs, diff --git a/debian/patches/series b/debian/patches/series index 4d02a7e..708b74f 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -6,9 +6,7 @@ pve/0005-confile-coding-style-fixes-for-set_config_cgroup_con.patch pve/0006-api-extensions-add-and-document-cgroup_advanced_isol.patch pve/0007-doc-Add-lxc.cgroup.dir.-monitor-container-container..patch pve/0008-confile-fix-jump-table-order.patch -pve/0009-get-the-right-path-in-get_cgroup-command.patch -pve/0010-cgroups-adhere-to-boolean-return.patch -pve/0011-PVE-Config-lxc.service-start-after-a-potential-syslo.patch -pve/0012-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch -pve/0013-PVE-Config-attach-always-use-getent.patch -pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch +pve/0009-cgroups-adhere-to-boolean-return.patch +pve/0010-PVE-Config-lxc.service-start-after-a-potential-syslo.patch +pve/0011-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch +pve/0012-PVE-Config-attach-always-use-getent.patch diff --git a/lxc b/lxc index 6dc1208..531e012 160000 --- a/lxc +++ b/lxc @@ -1 +1 @@ -Subproject commit 6dc1208ded87c9b3db70aa43cca61857e0d19428 +Subproject commit 531e0128036542fb959b05eceec78e52deefafe0 -- 2.20.1
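Review bot: deleting pve/0014-apparmor-Allow-ro-remount-of-boot_id.patch drops the rule `mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,` from config/apparmor/abstractions/start-container.in, and the deleted patch's own description says the earlier rule did not cover the ro remount performed in lxc_setup_boot_id. Please confirm that the 4.0.4 submodule commit (531e0128036542fb959b05eceec78e52deefafe0) carries an equivalent apparmor rule; if it does not, that remount is denied again under the generated profile, and either way the commit message should state where the rule now lives.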
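Review bot: the commit message says "rebase patches" but does not explain why pve/0009-get-the-right-path-in-get_cgroup-command.patch is deleted rather than rebased. The removed hunk swaps the get_fn selection in lxc_cmd_get_cgroup_callback_do so that limiting_cgroup selects cgroup_ops->get_limiting_cgroup; if upstream 4.0.4 does not already contain that fix, the callback will again return the wrong cgroup path. One sentence per dropped patch naming the upstream commit that makes it obsolete would let reviewers verify this without diffing the submodule.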