From 1cdc2f5da0a78e74d8b46beb8ce5cba72f73022f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 26 Jul 2009 19:33:56 +0000 Subject: [PATCH 01/95] Setup of module lxc --- .cvsignore | 0 Makefile | 21 +++++++++++++++++++++ sources | 0 3 files changed, 21 insertions(+) create mode 100644 .cvsignore create mode 100644 Makefile create mode 100644 sources diff --git a/.cvsignore b/.cvsignore new file mode 100644 index 0000000..e69de29 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..ef27b8d --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: lxc +# $Id$ +NAME := lxc +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/sources b/sources new file mode 100644 index 0000000..e69de29 From 3e09dcfbb9b2f01a1796095b9acb87ba4e4deda4 Mon Sep 17 00:00:00 2001 From: Silas Sewell Date: Tue, 28 Jul 2009 07:07:50 +0000 Subject: [PATCH 02/95] - Apply patch for rawhide kernel. Sat Jul 25 2009 Silas Sewell - 0.6.3-1 - Initial package. --- .cvsignore | 1 + import.log | 1 + lxc-0.6.3.netlink-fix.patch | 19 ++++++++ lxc.spec | 95 +++++++++++++++++++++++++++++++++++++ sources | 1 + 5 files changed, 117 insertions(+) create mode 100644 import.log create mode 100644 lxc-0.6.3.netlink-fix.patch create mode 100644 lxc.spec 
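Review bot: `MAKEFILE_COMMON := $(shell $(find-makefile-common))` and the fallback `$(shell $(checkout-makefile-common))` run `cvs update` / `cvs checkout` at parse time, so every invocation, including `make -n` and `make clean`, may touch the network and write into whichever of `common`, `../common` or `../../common` is found first, and that file is then `include`d and executed; the walk-up search means a writable `Makefile.common` in a parent directory decides what this build runs, which deserves a comment at the `define`. `exit -1` in the checkout recipe is not a valid POSIX exit status (shells reject it or wrap it to 255); use `exit 1`. The `-w $$/Makefile.common` test expands to `-w /Makefile.common`, so the update branch never fires; PATCH 03 below corrects it to `$$d/Makefile.common`.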
diff --git a/.cvsignore b/.cvsignore index e69de29..0836f7e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1 @@ +lxc-0.6.3.tar.gz diff --git a/import.log b/import.log new file mode 100644 index 0000000..d0c17ff --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +lxc-0_6_3-2_fc11:HEAD:lxc-0.6.3-2.fc11.src.rpm:1248764868 diff --git a/lxc-0.6.3.netlink-fix.patch b/lxc-0.6.3.netlink-fix.patch new file mode 100644 index 0000000..e2beceb --- /dev/null +++ b/lxc-0.6.3.netlink-fix.patch @@ -0,0 +1,19 @@ +diff -up lxc-0.6.3/configure.ac.orig lxc-0.6.3/configure.ac +--- lxc-0.6.3/configure.ac.orig 2009-07-28 00:59:14.737542987 -0400 ++++ lxc-0.6.3/configure.ac 2009-07-28 01:03:22.907540449 -0400 +@@ -25,10 +25,11 @@ AS_AC_EXPAND(LOCALSTATEDIR, $localstated + AS_AC_EXPAND(LXCPATH, "${localstatedir}/lib/lxc") + AS_AC_EXPAND(LXC_GENERATE_DATE, "$(date)") + +-AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], [], AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), +-[#include +-#include +-#include ]) ++AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], ++ [], ++ AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), ++ [#include ++ ]) + + AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), + [#include diff --git a/lxc.spec b/lxc.spec new file mode 100644 index 0000000..433bb60 --- /dev/null +++ b/lxc.spec 
@@ -0,0 +1,95 @@ +Name: lxc +Version: 0.6.3 +Release: 2%{?dist} +Summary: Linux Resource Containers + +Group: Applications/System +License: LGPLv2+ +URL: http://lxc.sourceforge.net +Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz +# Upstream commit 90e0a869ac5f3a889487126568f1d3c7c34b7046 +Patch0: lxc-0.6.3.netlink-fix.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: automake +BuildRequires: docbook-utils +BuildRequires: kernel-headers +BuildRequires: libcap-devel +BuildRequires: libtool + +%description +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +%package libs +Summary: Runtime library files for %{name} +Group: System Environment/Libraries +Requires: %{name} = %{version}-%{release} + +%description libs +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +The %{name}-libs package contains libraries for running %{name} applications. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: pkgconfig + +%description devel +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. 
+ +%prep +%setup -q +%patch0 -p1 + +%build +./autogen.sh +%configure F77=no --enable-static=no +%{__make} %{?_smp_mflags} + +%install +rm -rf %{buildroot} +%{__make} DESTDIR=%{buildroot} install +find %{buildroot} -name '*.la' -delete + +%clean +rm -rf %{buildroot} + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + +%files +%defattr(-,root,root,-) +%doc AUTHORS COPYING README +%dir %{_sysconfdir}/%{name} +%config(noreplace) %{_sysconfdir}/%{name}/* +%{_bindir}/%{name}-* +%{_libexecdir}/%{name}-init +%{_mandir}/man*/%{name}* + +%files libs +%defattr(-,root,root,-) +%doc COPYING +%{_libdir}/liblxc-%{version}.so + +%files devel +%defattr(-,root,root,-) +%doc COPYING +%{_datadir}/pkgconfig/%{name}.pc +%{_includedir}/* +%{_libdir}/liblxc.so + +%changelog +* Mon Jul 27 2009 Silas Sewell - 0.6.3-2 +- Apply patch for rawhide kernel. + +* Sat Jul 25 2009 Silas Sewell - 0.6.3-1 +- Initial package. diff --git a/sources b/sources index e69de29..3e666ac 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +417bb6dd61ba0c65996df5c3adbb549f lxc-0.6.3.tar.gz From 62d984cca443d1707eaeda6e90e69b329bb24e3a Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Wed, 25 Nov 2009 23:51:39 +0000 Subject: [PATCH 03/95] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ef27b8d..6171731 100644 --- a/Makefile +++ b/Makefile 
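Review bot: `%{_includedir}/*` in `%files devel` claims every header the install step places under the include directory, so a future upstream header outside `lxc/`, or one that belongs in another subpackage, is silently swallowed; list the project's own directory instead, `%{_includedir}/lxc`. `%{_libdir}/liblxc-%{version}.so` in `%files libs` ties the packaged library name to the package version and breaks on the first release that changes the library naming (PATCH 04 replaces it with `%{_libdir}/liblxc.so.*`). `%build` runs `./autogen.sh`, which normally needs autoconf as well as automake and libtool; only `automake` and `libtool` are listed, so autoconf is presumably arriving transitively — confirm or add `BuildRequires: autoconf`.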
@@ -1,10 +1,10 @@ # Makefile for source rpm: lxc -# $Id$ +# $Id: Makefile,v 1.1 2009/07/26 19:33:56 kevin Exp $ NAME := lxc SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From a7b770e515cd3e818958dde0c361318809d87c38 Mon Sep 17 00:00:00 2001 From: Silas Sewell Date: Fri, 27 Nov 2009 22:42:04 +0000 Subject: [PATCH 04/95] - Update to latest release - Add documentation sub-package --- .cvsignore | 2 +- import.log | 1 + lxc-0.6.3.netlink-fix.patch | 19 ------------------- lxc.spec | 35 ++++++++++++++++++++++++----------- sources | 2 +- 5 files changed, 27 insertions(+), 32 deletions(-) delete mode 100644 lxc-0.6.3.netlink-fix.patch diff --git a/.cvsignore b/.cvsignore index 0836f7e..de99651 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -lxc-0.6.3.tar.gz +lxc-0.6.4.tar.gz diff --git a/import.log b/import.log index d0c17ff..7f0fbf2 100644 --- a/import.log +++ b/import.log @@ -1 +1,2 @@ lxc-0_6_3-2_fc11:HEAD:lxc-0.6.3-2.fc11.src.rpm:1248764868 +lxc-0_6_4-1_fc13:HEAD:lxc-0.6.4-1.fc13.src.rpm:1259360737 diff --git a/lxc-0.6.3.netlink-fix.patch b/lxc-0.6.3.netlink-fix.patch deleted file mode 100644 index e2beceb..0000000 --- a/lxc-0.6.3.netlink-fix.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -diff -up lxc-0.6.3/configure.ac.orig lxc-0.6.3/configure.ac ---- lxc-0.6.3/configure.ac.orig 2009-07-28 00:59:14.737542987 -0400 -+++ lxc-0.6.3/configure.ac 2009-07-28 01:03:22.907540449 -0400 -@@ -25,10 +25,11 @@ AS_AC_EXPAND(LOCALSTATEDIR, $localstated - AS_AC_EXPAND(LXCPATH, "${localstatedir}/lib/lxc") - AS_AC_EXPAND(LXC_GENERATE_DATE, "$(date)") - --AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], [], AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), --[#include --#include --#include ]) -+AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], -+ [], -+ AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), -+ [#include -+ ]) - - AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), - [#include diff --git a/lxc.spec b/lxc.spec index 433bb60..31663a7 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,14 +1,12 @@ Name: lxc -Version: 0.6.3 -Release: 2%{?dist} +Version: 0.6.4 +Release: 1%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz -# Upstream commit 90e0a869ac5f3a889487126568f1d3c7c34b7046 -Patch0: lxc-0.6.3.netlink-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: automake 
@@ -45,13 +43,22 @@ overhead of full virtualization. The %{name}-devel package contains libraries and header files for developing applications that use %{name}. +%package doc +Summary: Documentation for %{name} +Group: Documentation +Requires: %{name} = %{version}-%{release} + +%description doc +This package contains documentation for %{name}. + %prep %setup -q -%patch0 -p1 %build ./autogen.sh -%configure F77=no --enable-static=no +%configure F77=no +# Fix binary-or-shlib-defines-rpath error +%{__sed} -i '/AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)/d' src/lxc/Makefile.in %{__make} %{?_smp_mflags} %install @@ -69,8 +76,6 @@ rm -rf %{buildroot} %files %defattr(-,root,root,-) %doc AUTHORS COPYING README -%dir %{_sysconfdir}/%{name} -%config(noreplace) %{_sysconfdir}/%{name}/* %{_bindir}/%{name}-* %{_libexecdir}/%{name}-init %{_mandir}/man*/%{name}* @@ -78,7 +83,7 @@ rm -rf %{buildroot} %files libs %defattr(-,root,root,-) %doc COPYING -%{_libdir}/liblxc-%{version}.so +%{_libdir}/liblxc.so.* %files devel %defattr(-,root,root,-) @@ -87,9 +92,17 @@ rm -rf %{buildroot} %{_includedir}/* %{_libdir}/liblxc.so +%files doc +%defattr(-,root,root,-) +%{_docdir}/%{name} + %changelog +* Fri Nov 27 2009 Silas Sewell - 0.6.4-1 +- Update to latest release +- Add documentation sub-package + * Mon Jul 27 2009 Silas Sewell - 0.6.3-2 -- Apply patch for rawhide kernel. +- Apply patch for rawhide kernel * Sat Jul 25 2009 Silas Sewell - 0.6.3-1 -- Initial package. +- Initial package diff --git a/sources b/sources index 3e666ac..6247002 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -417bb6dd61ba0c65996df5c3adbb549f lxc-0.6.3.tar.gz +6c769cc9c24f93f499c31564dc314047 lxc-0.6.4.tar.gz From 2c483498208a7d8fafa31060e46afbb75f3625c4 Mon Sep 17 00:00:00 2001 
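Review bot: The `%{__sed} -i ... src/lxc/Makefile.in` in `%build` runs after `%configure` has already generated `src/lxc/Makefile`, so the rpath removal only takes effect if automake's regeneration rule notices the newer `Makefile.in` and re-runs `config.status` during `make`; editing `Makefile.in` before `%configure` is the predictable order (PATCH 12 later makes that move). The `sed` expression also succeeds whether or not its pattern matches, so an upstream change to the `AM_LDFLAGS` line silently reintroduces the rpath; a `grep -q 'AM_LDFLAGS = -Wl,-E' src/lxc/Makefile.in` before the edit turns that into a build failure. Dropping `--enable-static=no` from `%configure` may now build static archives too; the `find ... '*.la' -delete` still runs, but any `.a` file would be unpackaged — confirm against the install output.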
From: Silas Sewell Date: Thu, 18 Feb 2010 05:25:09 +0000 Subject: [PATCH 05/95] - Update to latest release - Add /var/lib/lxc directory - Patch for sys/stat.h --- .cvsignore | 2 +- import.log | 1 + lxc-0.6.5-fix-sys-stat.patch | 11 +++++++++++ lxc.spec | 18 ++++++++++++++---- sources | 2 +- 5 files changed, 28 insertions(+), 6 deletions(-) create mode 100644 lxc-0.6.5-fix-sys-stat.patch diff --git a/.cvsignore b/.cvsignore index de99651..3eb10b5 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -lxc-0.6.4.tar.gz +lxc-0.6.5.tar.gz diff --git a/import.log b/import.log index 7f0fbf2..e225d01 100644 --- a/import.log +++ b/import.log @@ -1,2 +1,3 @@ lxc-0_6_3-2_fc11:HEAD:lxc-0.6.3-2.fc11.src.rpm:1248764868 lxc-0_6_4-1_fc13:HEAD:lxc-0.6.4-1.fc13.src.rpm:1259360737 +lxc-0_6_5-1_fc13:HEAD:lxc-0.6.5-1.fc13.src.rpm:1266448054 diff --git a/lxc-0.6.5-fix-sys-stat.patch b/lxc-0.6.5-fix-sys-stat.patch new file mode 100644 index 0000000..68f6732 --- /dev/null +++ b/lxc-0.6.5-fix-sys-stat.patch @@ -0,0 +1,11 @@ +diff -up lxc-0.6.5/src/lxc/start.c.orig lxc-0.6.5/src/lxc/start.c +--- lxc-0.6.5/src/lxc/start.c.orig 2010-02-17 15:04:08.911409808 -0700 ++++ lxc-0.6.5/src/lxc/start.c 2010-02-17 15:04:25.480347046 -0700 +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/lxc.spec b/lxc.spec index 31663a7..fc3547e 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,5 +1,5 @@ Name: lxc -Version: 0.6.4 +Version: 0.6.5 Release: 1%{?dist} Summary: Linux Resource Containers @@ -7,6 +7,8 @@ Group: Applications/System License: LGPLv2+ URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz +# Patch submitted in bug ID #2954017 +Patch0: lxc-0.6.5-fix-sys-stat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: automake 
@@ -49,10 +51,11 @@ Group: Documentation Requires: %{name} = %{version}-%{release} %description doc -This package contains documentation for %{name}. +This package contains documentation for %{name}. %prep %setup -q +%patch0 -p1 %build ./autogen.sh @@ -62,12 +65,13 @@ This package contains documentation for %{name}. %{__make} %{?_smp_mflags} %install -rm -rf %{buildroot} +%{__rm} -rf %{buildroot} %{__make} DESTDIR=%{buildroot} install find %{buildroot} -name '*.la' -delete +%{__mkdir} -p %{buildroot}%{_sharedstatedir}/%{name} %clean -rm -rf %{buildroot} +%{__rm} -rf %{buildroot} %post libs -p /sbin/ldconfig @@ -79,6 +83,7 @@ rm -rf %{buildroot} %{_bindir}/%{name}-* %{_libexecdir}/%{name}-init %{_mandir}/man*/%{name}* +%{_sharedstatedir}/%{name} %files libs %defattr(-,root,root,-) @@ -97,6 +102,11 @@ rm -rf %{buildroot} %{_docdir}/%{name} %changelog +* Wed Feb 17 2010 Silas Sewell - 0.6.5-1 +- Update to latest release +- Add /var/lib/lxc directory +- Patch for sys/stat.h + * Fri Nov 27 2009 Silas Sewell - 0.6.4-1 - Update to latest release - Add documentation sub-package diff --git a/sources b/sources index 6247002..267d428 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6c769cc9c24f93f499c31564dc314047 lxc-0.6.4.tar.gz +d648bcf82541c0da6725da502ee1d111 lxc-0.6.5.tar.gz From 6b506e1a12b8f353aba978f08a8a129313272a99 Mon Sep 17 00:00:00 2001 From: Silas Sewell Date: Mon, 26 Jul 2010 17:05:45 +0000 Subject: [PATCH 06/95] - Update to 0.7.2 - Remove templates --- .cvsignore | 2 +- import.log | 1 + lxc-0.6.5-fix-sys-stat.patch | 11 ----------- lxc.spec | 21 +++++++++++++++------ sources | 2 +- 5 files changed, 18 insertions(+), 19 deletions(-) delete mode 100644 lxc-0.6.5-fix-sys-stat.patch diff --git a/.cvsignore b/.cvsignore index 3eb10b5..45aa829 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -lxc-0.6.5.tar.gz +lxc-0.7.2.tar.gz diff --git a/import.log b/import.log index e225d01..a25de3e 100644 --- a/import.log +++ b/import.log 
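Review bot: The `%description doc` change in this hunk only appends a trailing space to `This package contains documentation for %{name}.`; it looks accidental and should be reverted so the diff carries no whitespace-only change. `%{_sharedstatedir}/%{name}` in `%files` should be written `%dir %{_sharedstatedir}/%{name}`: the directory is empty at packaging time so the two are equivalent today, but `%dir` states the intent and keeps rpm from ever packaging stray contents. Since `/var/lib/lxc` is where container configuration and root filesystems will live, consider restricting it, e.g. `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` — presumably nothing unprivileged needs to list it, but confirm against what the templates expect. The hunk switches `%install`/`%clean` to `%{__rm}` while the `find` line stays plain; pick one convention.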
@@ -1,3 +1,4 @@ lxc-0_6_3-2_fc11:HEAD:lxc-0.6.3-2.fc11.src.rpm:1248764868 lxc-0_6_4-1_fc13:HEAD:lxc-0.6.4-1.fc13.src.rpm:1259360737 lxc-0_6_5-1_fc13:HEAD:lxc-0.6.5-1.fc13.src.rpm:1266448054 +lxc-0_7_2-1_fc14:HEAD:lxc-0.7.2-1.fc14.src.rpm:1280163913 diff --git a/lxc-0.6.5-fix-sys-stat.patch b/lxc-0.6.5-fix-sys-stat.patch deleted file mode 100644 index 68f6732..0000000 --- a/lxc-0.6.5-fix-sys-stat.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up lxc-0.6.5/src/lxc/start.c.orig lxc-0.6.5/src/lxc/start.c ---- lxc-0.6.5/src/lxc/start.c.orig 2010-02-17 15:04:08.911409808 -0700 -+++ lxc-0.6.5/src/lxc/start.c 2010-02-17 15:04:25.480347046 -0700 -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - #include - #include - #include diff --git a/lxc.spec b/lxc.spec index fc3547e..c132d7b 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,5 +1,5 @@ Name: lxc -Version: 0.6.5 +Version: 0.7.2 Release: 1%{?dist} Summary: Linux Resource Containers @@ -7,8 +7,6 @@ Group: Applications/System License: LGPLv2+ URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz -# Patch submitted in bug ID #2954017 -Patch0: lxc-0.6.5-fix-sys-stat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: automake @@ -55,7 +53,6 @@ This package contains documentation for %{name}. %prep %setup -q -%patch0 -p1 %build ./autogen.sh @@ -64,11 +61,16 @@ This package contains documentation for %{name}. %{__sed} -i '/AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)/d' src/lxc/Makefile.in %{__make} %{?_smp_mflags} +%check +%{__make} check + %install -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} %{__make} DESTDIR=%{buildroot} install find %{buildroot} -name '*.la' -delete %{__mkdir} -p %{buildroot}%{_sharedstatedir}/%{name} +# Remove templates +rm -f %{buildroot}%{_libdir}/lxc/templates/lxc-* %clean %{__rm} -rf %{buildroot} 
@@ -81,7 +83,6 @@ find %{buildroot} -name '*.la' -delete %defattr(-,root,root,-) %doc AUTHORS COPYING README %{_bindir}/%{name}-* -%{_libexecdir}/%{name}-init %{_mandir}/man*/%{name}* %{_sharedstatedir}/%{name} @@ -89,6 +90,7 @@ find %{buildroot} -name '*.la' -delete %defattr(-,root,root,-) %doc COPYING %{_libdir}/liblxc.so.* +%{_libdir}/lxc %files devel %defattr(-,root,root,-) @@ -102,6 +104,13 @@ find %{buildroot} -name '*.la' -delete %{_docdir}/%{name} %changelog +* Mon Jul 26 2010 Silas Sewell - 0.7.2-1 +- Update to 0.7.2 +- Remove templates + +* Tue Jul 06 2010 Silas Sewell - 0.7.1-1 +- Update to 0.7.1 + * Wed Feb 17 2010 Silas Sewell - 0.6.5-1 - Update to latest release - Add /var/lib/lxc directory diff --git a/sources b/sources index 267d428..337e2df 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d648bcf82541c0da6725da502ee1d111 lxc-0.6.5.tar.gz +5c9c6889ba1255217078ea5d1aaf0c82 lxc-0.7.2.tar.gz From b88450e0843d679b9afcadd1f696d354ef10f50f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 02:41:24 +0000 Subject: [PATCH 07/95] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- import.log | 4 ---- 3 files changed, 25 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 import.log diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 6171731..0000000 --- a/Makefile +++ /dev/null 
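Review bot: `%{_libdir}/lxc` in `%files libs` owns the whole directory tree, so everything left under it after `rm -f %{buildroot}%{_libdir}/lxc/templates/lxc-*` — including any template whose name does not match `lxc-*` and the now-empty `templates` directory — ships silently in -libs; listing the contents explicitly (`%dir %{_libdir}/lxc`, `%{_libdir}/lxc/lxc-init`, `%{_libdir}/lxc/rootfs`) makes a new upstream file fail the build instead, which PATCH 09 later does. The same patch reverts `%install` to `rm -rf %{buildroot}` while `%clean` keeps `%{__rm} -rf %{buildroot}`; one form should be used in both.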
@@ -1,21 +0,0 @@ -# Makefile for source rpm: lxc -# $Id: Makefile,v 1.1 2009/07/26 19:33:56 kevin Exp $ -NAME := lxc -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) diff --git a/import.log b/import.log deleted file mode 100644 index a25de3e..0000000 --- a/import.log +++ /dev/null @@ -1,4 +0,0 @@ -lxc-0_6_3-2_fc11:HEAD:lxc-0.6.3-2.fc11.src.rpm:1248764868 -lxc-0_6_4-1_fc13:HEAD:lxc-0.6.4-1.fc13.src.rpm:1259360737 -lxc-0_6_5-1_fc13:HEAD:lxc-0.6.5-1.fc13.src.rpm:1266448054 -lxc-0_7_2-1_fc14:HEAD:lxc-0.7.2-1.fc14.src.rpm:1280163913 From a50e5693fcae18196ff061eac5be4abf487217ab Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Tue, 8 Feb 2011 08:32:36 -0600 Subject: [PATCH 08/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index c132d7b..19aec1b 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,6 +1,6 @@ Name: lxc Version: 0.7.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System 
@@ -104,6 +104,9 @@ rm -f %{buildroot}%{_libdir}/lxc/templates/lxc-* %{_docdir}/%{name} %changelog +* Tue Feb 08 2011 Fedora Release Engineering - 0.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + * Mon Jul 26 2010 Silas Sewell - 0.7.2-1 - Update to 0.7.2 - Remove templates From c94275e825dbaf7ada9af4517e83e23c83ff18d4 Mon Sep 17 00:00:00 2001 From: Silas Sewell Date: Sun, 27 Mar 2011 23:00:01 -0400 Subject: [PATCH 09/95] Update to 0.7.4.1 --- .gitignore | 1 + lxc.spec | 37 +++++++++++++++++++++++++++++++------ sources | 1 + 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 45aa829..b2e9b25 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ lxc-0.7.2.tar.gz +/lxc-0.7.4.1.tar.gz diff --git a/lxc.spec b/lxc.spec index c132d7b..6894377 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,5 +1,5 @@ Name: lxc -Version: 0.7.2 +Version: 0.7.4.1 Release: 1%{?dist} Summary: Linux Resource Containers @@ -30,6 +30,18 @@ overhead of full virtualization. The %{name}-libs package contains libraries for running %{name} applications. +%package templates +Summary: Templates for %{name} +Group: System Environment/Libraries +Requires: %{name} = %{version}-%{release} +Requires: debootstrap + +%description templates +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +The %{name}-template package contains templates for creating containers. + %package devel Summary: Development files for %{name} Group: Development/Libraries @@ -69,8 +81,12 @@ rm -rf %{buildroot} %{__make} DESTDIR=%{buildroot} install find %{buildroot} -name '*.la' -delete %{__mkdir} -p %{buildroot}%{_sharedstatedir}/%{name} -# Remove templates -rm -f %{buildroot}%{_libdir}/lxc/templates/lxc-* + +find %{buildroot}%{_libdir}/lxc/templates \ + -type f \ + -not -name lxc-maverick \ + -not -name lxc-sshd \ + -delete %clean %{__rm} -rf %{buildroot} 
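Review bot: `The %{name}-template package contains templates for creating containers.` in `%description templates` names a package that does not exist — the subpackage is `%{name}-templates`; change it to `The %{name}-templates package contains templates for creating containers.` The `find ... -not -name lxc-maverick -not -name lxc-sshd -delete` in `%install` whitelists two template names and drops every other upstream template without saying why (the earlier `# Remove templates` comment is deleted in the same hunk); a one-line comment such as `# keep only the templates whose host-side dependencies are packaged` would preserve the reasoning. `Requires: debootstrap` on -templates is presumably there for `lxc-maverick`; a comment next to that line would tie the dependency to the template that needs it.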
@@ -88,13 +104,19 @@ rm -f %{buildroot}%{_libdir}/lxc/templates/lxc-* %files libs %defattr(-,root,root,-) -%doc COPYING +%doc AUTHORS COPYING +%dir %{_libdir}/lxc +%dir %{_libdir}/lxc/templates %{_libdir}/liblxc.so.* -%{_libdir}/lxc +%{_libdir}/lxc/lxc-init +%{_libdir}/lxc/rootfs + +%files templates +%defattr(-,root,root,-) +%{_libdir}/lxc/templates/lxc-* %files devel %defattr(-,root,root,-) -%doc COPYING %{_datadir}/pkgconfig/%{name}.pc %{_includedir}/* %{_libdir}/liblxc.so @@ -104,6 +126,9 @@ rm -f %{buildroot}%{_libdir}/lxc/templates/lxc-* %{_docdir}/%{name} %changelog +* Fri Mar 25 2011 Silas Sewell - 0.7.4.1-1 +- Update to 0.7.4.1 + * Mon Jul 26 2010 Silas Sewell - 0.7.2-1 - Update to 0.7.2 - Remove templates diff --git a/sources b/sources index 337e2df..2d4c3b3 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ 5c9c6889ba1255217078ea5d1aaf0c82 lxc-0.7.2.tar.gz +f0a5345c8d9cb927cf15043a3cc1f413 lxc-0.7.4.1.tar.gz From 4f5631a9f8c48cf38bc74e4fdb1d94d15eb000d7 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 29 Jul 2011 18:48:40 +0200 Subject: [PATCH 10/95] Update to upstream 0.7.4.2 --- .gitignore | 1 + lxc.spec | 6 +++++- sources | 3 +-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index b2e9b25..42930ff 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ lxc-0.7.2.tar.gz /lxc-0.7.4.1.tar.gz +/lxc-0.7.4.2.tar.gz diff --git a/lxc.spec b/lxc.spec index 88e4678..bbc1803 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,5 +1,5 @@ Name: lxc -Version: 0.7.4.1 +Version: 0.7.4.2 Release: 1%{?dist} Summary: Linux Resource Containers @@ -126,6 +126,9 @@ find %{buildroot}%{_libdir}/lxc/templates \ %{_docdir}/%{name} %changelog +* Wed Jul 06 2011 Adam Miller - 0.7.4.2-1 +- Update to upstream 0.7.4.2 + * Fri Mar 25 2011 Silas Sewell - 0.7.4.1-1 - Update to 0.7.4.1 @@ -153,3 +156,4 @@ find %{buildroot}%{_libdir}/lxc/templates \ * Sat Jul 25 2009 Silas Sewell - 0.6.3-1 - Initial package + 
diff --git a/sources b/sources index 2d4c3b3..56a49c8 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -5c9c6889ba1255217078ea5d1aaf0c82 lxc-0.7.2.tar.gz -f0a5345c8d9cb927cf15043a3cc1f413 lxc-0.7.4.1.tar.gz +36fcb0f6a39d2f55130421f342f24ef3 lxc-0.7.4.2.tar.gz From b6b0609aa7dcabdf817446113aa2928fc0b272f3 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 03:07:42 -0600 Subject: [PATCH 11/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index bbc1803..23b07a5 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,6 +1,6 @@ Name: lxc Version: 0.7.4.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System @@ -126,6 +126,9 @@ find %{buildroot}%{_libdir}/lxc/templates \ %{_docdir}/%{name} %changelog +* Fri Jan 13 2012 Fedora Release Engineering - 0.7.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Wed Jul 06 2011 Adam Miller - 0.7.4.2-1 - Update to upstream 0.7.4.2 From cdfe863a5e828c3bdba423a5e1825a3f4a5c35fb Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Mon, 26 Mar 2012 17:23:35 +0200 Subject: [PATCH 12/95] Update to upstream 0.7.5 - No need to run autogen.sh - Fix: kernel header asm/unistd.h was not found - Specfile cleanups --- .gitignore | 1 + lxc.spec | 28 +++++++++++++++++----------- sources | 2 +- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 42930ff..2f380e4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ lxc-0.7.2.tar.gz /lxc-0.7.4.1.tar.gz /lxc-0.7.4.2.tar.gz +/lxc-0.7.5.tar.gz diff --git a/lxc.spec b/lxc.spec index 23b07a5..2919dee 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,6 +1,6 @@ Name: lxc -Version: 0.7.4.2 -Release: 2%{?dist} +Version: 0.7.5 +Release: 1%{?dist} Summary: Linux Resource Containers Group: Applications/System 
@@ -9,7 +9,6 @@ URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: automake BuildRequires: docbook-utils BuildRequires: kernel-headers BuildRequires: libcap-devel @@ -67,20 +66,21 @@ This package contains documentation for %{name}. %setup -q %build -./autogen.sh -%configure F77=no # Fix binary-or-shlib-defines-rpath error -%{__sed} -i '/AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)/d' src/lxc/Makefile.in -%{__make} %{?_smp_mflags} +sed -i '/AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)/d' src/lxc/Makefile.in +# We know the exact location of asm/unistd.h +sed -i 's,\$(LINUX_DIR)/arch/\$(LINUX_SRCARCH),/usr,' src/lxc/Makefile.in +%configure --disable-rpath F77=no +make %{?_smp_mflags} %check -%{__make} check +make check %install rm -rf %{buildroot} -%{__make} DESTDIR=%{buildroot} install +make DESTDIR=%{buildroot} install find %{buildroot} -name '*.la' -delete -%{__mkdir} -p %{buildroot}%{_sharedstatedir}/%{name} +mkdir -p %{buildroot}%{_sharedstatedir}/%{name} find %{buildroot}%{_libdir}/lxc/templates \ -type f \ @@ -89,7 +89,7 @@ find %{buildroot}%{_libdir}/lxc/templates \ -delete %clean -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} %post libs -p /sbin/ldconfig @@ -126,6 +126,12 @@ find %{buildroot}%{_libdir}/lxc/templates \ %{_docdir}/%{name} %changelog +* Mon Mar 26 2012 Thomas Moschny - 0.7.5-1 +- Update to upstream 0.7.5 +- No need to run autogen.sh +- Fix: kernel header asm/unistd.h was not found +- Specfile cleanups + * Fri Jan 13 2012 Fedora Release Engineering - 0.7.4.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild diff --git a/sources b/sources index 56a49c8..63e7057 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -36fcb0f6a39d2f55130421f342f24ef3 lxc-0.7.4.2.tar.gz +04949900ff56898f4353b130929c09d1 lxc-0.7.5.tar.gz From f5157c72f0ab3d7ebf23fcd511d0742f6a79b5b4 Mon Sep 17 00:00:00 2001 
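Review bot: Both `sed -i` edits of `src/lxc/Makefile.in` in `%build` succeed whether or not their pattern matches, so if upstream renames `AM_LDFLAGS` or the `$(LINUX_DIR)/arch/$(LINUX_SRCARCH)` path, the rpath and header fixes silently stop applying; guard each with a `grep -q` on its pattern (e.g. `grep -q 'AM_LDFLAGS = -Wl,-E -Wl,-rpath' src/lxc/Makefile.in` before the first sed) so the build fails loudly. The replacement hard-codes `/usr`; `%{_prefix}` would follow the configured prefix. Moving the edits ahead of `%configure` is the right order. Dropping `BuildRequires: automake` while keeping `libtool` is fine only if the tarball ships a generated `configure`; the changelog says autogen.sh is no longer needed, which suggests it does — confirm the tarball contents.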
From: Dennis Gilmore Date: Thu, 19 Jul 2012 17:45:36 -0500 Subject: [PATCH 13/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 2919dee..9cce304 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,6 +1,6 @@ Name: lxc Version: 0.7.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System @@ -126,6 +126,9 @@ rm -rf %{buildroot} %{_docdir}/%{name} %changelog +* Thu Jul 19 2012 Fedora Release Engineering - 0.7.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + * Mon Mar 26 2012 Thomas Moschny - 0.7.5-1 - Update to upstream 0.7.5 - No need to run autogen.sh From 38c5590ce1a944930ac1849730d6b178bd330d50 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 14 Feb 2013 00:06:16 -0600 Subject: [PATCH 14/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 9cce304..ff44470 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,6 +1,6 @@ Name: lxc Version: 0.7.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Linux Resource Containers Group: Applications/System @@ -126,6 +126,9 @@ rm -rf %{buildroot} %{_docdir}/%{name} %changelog +* Thu Feb 14 2013 Fedora Release Engineering - 0.7.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + * Thu Jul 19 2012 Fedora Release Engineering - 0.7.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild From c3b47dbd1e3ea5f0cf07facb787be35b69c005fb Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 15 Feb 2013 21:37:35 +0100 Subject: [PATCH 15/95] Update to 0.8.0. - Modernize spec file. - Include more templates. --- .gitignore | 1 + lxc.spec | 83 +++++++++++++++++++++++++++++++++--------------------- sources | 2 +- 3 files changed, 53 insertions(+), 33 deletions(-) 
diff --git a/.gitignore b/.gitignore index 2f380e4..dcabd0e 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ lxc-0.7.2.tar.gz /lxc-0.7.4.1.tar.gz /lxc-0.7.4.2.tar.gz /lxc-0.7.5.tar.gz +/lxc-0.8.0.tar.gz diff --git a/lxc.spec b/lxc.spec index ff44470..e680941 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,14 +1,11 @@ Name: lxc -Version: 0.7.5 -Release: 3%{?dist} +Version: 0.8.0 +Release: 1%{?dist} Summary: Linux Resource Containers - Group: Applications/System License: LGPLv2+ URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - BuildRequires: docbook-utils BuildRequires: kernel-headers BuildRequires: libcap-devel @@ -18,6 +15,7 @@ BuildRequires: libtool Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. + %package libs Summary: Runtime library files for %{name} Group: System Environment/Libraries @@ -29,11 +27,20 @@ overhead of full virtualization. The %{name}-libs package contains libraries for running %{name} applications. + %package templates Summary: Templates for %{name} Group: System Environment/Libraries Requires: %{name} = %{version}-%{release} +# needed for lxc-busybox +Requires: busybox +# needed for lxc-debian +Requires: dpkg +# needed for lxc-debian, lxc-ubuntu: Requires: debootstrap +# needed for lxc-sshd +Requires: openssh-server dhclient + %description templates Linux Resource Containers provide process and resource isolation without the @@ -41,6 +48,7 @@ overhead of full virtualization. The %{name}-template package contains templates for creating containers. + %package devel Summary: Development files for %{name} Group: Development/Libraries 
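Review bot: `Requires: openssh-server dhclient`, `Requires: busybox` and `Requires: dpkg` make the -templates subpackage pull an SSH server and other host-side packages onto every machine that installs it, whether or not `lxc-sshd` or `lxc-debian` is ever used; with hard dependencies the only way to avoid that footprint is per-template subpackages, so at least `%description templates` should state which host packages are dragged in and why. The `# needed for lxc-debian, lxc-ubuntu:` comment carries a stray trailing colon unlike its siblings. The `%package templates` section starts before this hunk and continues after it.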
@@ -54,6 +62,7 @@ overhead of full virtualization. The %{name}-devel package contains libraries and header files for developing applications that use %{name}. + %package doc Summary: Documentation for %{name} Group: Documentation 
@@ -62,70 +71,80 @@ Requires: %{name} = %{version}-%{release} %description doc This package contains documentation for %{name}. + %prep %setup -q + %build -# Fix binary-or-shlib-defines-rpath error -sed -i '/AM_LDFLAGS = -Wl,-E -Wl,-rpath -Wl,$(libdir)/d' src/lxc/Makefile.in -# We know the exact location of asm/unistd.h -sed -i 's,\$(LINUX_DIR)/arch/\$(LINUX_SRCARCH),/usr,' src/lxc/Makefile.in -%configure --disable-rpath F77=no +%configure --enable-doc --disable-rpath --disable-apparmor make %{?_smp_mflags} -%check -make check %install -rm -rf %{buildroot} +%{make_install} make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete mkdir -p %{buildroot}%{_sharedstatedir}/%{name} -find %{buildroot}%{_libdir}/lxc/templates \ - -type f \ - -not -name lxc-maverick \ - -not -name lxc-sshd \ - -delete -%clean -rm -rf %{buildroot} +%check +make check + %post libs -p /sbin/ldconfig + %postun libs -p /sbin/ldconfig + %files -%defattr(-,root,root,-) %doc AUTHORS COPYING README %{_bindir}/%{name}-* %{_mandir}/man*/%{name}* %{_sharedstatedir}/%{name} + %files libs -%defattr(-,root,root,-) %doc AUTHORS COPYING -%dir %{_libdir}/lxc -%dir %{_libdir}/lxc/templates +%dir %{_datadir}/lxc +%dir %{_datadir}/lxc/templates %{_libdir}/liblxc.so.* -%{_libdir}/lxc/lxc-init +%dir %{_libdir}/lxc %{_libdir}/lxc/rootfs +%dir %{_libexecdir}/lxc +%{_libexecdir}/lxc/lxc-init + %files templates -%defattr(-,root,root,-) -%{_libdir}/lxc/templates/lxc-* +%{_datadir}/lxc/templates/lxc-* +# needs apt +%exclude %{_datadir}/lxc/templates/lxc-altlinux +# needs pacman +%exclude %{_datadir}/lxc/templates/lxc-archlinux +# probably outdated +%exclude %{_datadir}/lxc/templates/lxc-lenny +# needs zypper +%exclude %{_datadir}/lxc/templates/lxc-opensuse +# needs ubuntu-cloudimg-query +%exclude %{_datadir}/lxc/templates/lxc-ubuntu-cloud + %files devel -%defattr(-,root,root,-) -%{_datadir}/pkgconfig/%{name}.pc -%{_includedir}/* +%{_libdir}/pkgconfig/%{name}.pc +%{_includedir}/lxc %{_libdir}/liblxc.so 
+ %files doc -%defattr(-,root,root,-) %{_docdir}/%{name} + %changelog +* Fri Feb 15 2013 Thomas Moschny - 0.8.0-1 +- Update to 0.8.0. +- Modernize spec file. +- Include more templates. + * Thu Feb 14 2013 Fedora Release Engineering - 0.7.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild diff --git a/sources b/sources index 63e7057..64e11a1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -04949900ff56898f4353b130929c09d1 lxc-0.7.5.tar.gz +7304fa57146ce687f749b5df876bb20d lxc-0.8.0.tar.gz From c1ca5e5bdeb4f9cab58a8281f65c4745694cfa3f Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 2 Mar 2013 14:29:47 +0100 Subject: [PATCH 16/95] Add upstream patch fixing the release url in the Fedora template. --- lxc-0.8.0-fedora-template.patch | 28 ++++++++++++++++++++++++++++ lxc.spec | 7 ++++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 lxc-0.8.0-fedora-template.patch diff --git a/lxc-0.8.0-fedora-template.patch b/lxc-0.8.0-fedora-template.patch new file mode 100644 index 0000000..dd2b928 --- /dev/null +++ b/lxc-0.8.0-fedora-template.patch @@ -0,0 +1,28 @@ +commit 29e18143a07ffab7e85cb8db4dc39d394f0c6ea0 +Author: Maximilian Seesslen +Date: Fri Jan 4 16:36:07 2013 +0100 + + fixed RELEASE_URL for fedora releases higher than 16 + + The Url for the fedora-release RPM changed in release 17. + + 
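Review bot: In the `%install` section the added `%{make_install}` already expands to `make install DESTDIR=%{buildroot}`, so the retained context line `make DESTDIR=%{buildroot} install` installs the whole tree a second time; drop that line and keep only `%{make_install}` (the same pair survives unchanged in the later 0.9.0 `%install` hunk further down the page). Dropping `find %{buildroot} -name '*.la' -delete` is only safe if 0.8.0 no longer installs libtool archives, which the build presumably confirmed, since an unlisted `liblxc.la` would fail as an unpackaged file. `mkdir -p %{buildroot}%{_sharedstatedir}/%{name}` together with a bare `%{_sharedstatedir}/%{name}` entry ships /var/lib/lxc with whatever mode the build umask produced; since container rootfs trees end up there, it seems worth checking whether `%attr(0700,root,root) %dir %{_sharedstatedir}/%{name}` is the intended default.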
Signed-off-by: Maximilian Seesslen + Acked-by: Serge E. Hallyn + +diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in +index 366e776..684bb9c 100644 +--- a/templates/lxc-fedora.in ++++ b/templates/lxc-fedora.in +@@ -149,7 +149,11 @@ download_fedora() + echo "Failed to get a mirror" + continue + fi +- RELEASE_URL="$MIRROR_URL/Packages/fedora-release-$release-1.noarch.rpm" ++ if [ "$release" -gt "16" ]; then ++ RELEASE_URL="$MIRROR_URL/Packages/f/fedora-release-$release-1.noarch.rpm" ++ else ++ RELEASE_URL="$MIRROR_URL/Packages/fedora-release-$release-1.noarch.rpm" ++ fi + echo "Fetching from $RELEASE_URL" + curl -f "$RELEASE_URL" > $INSTALL_ROOT/fedora-release-$release.noarch.rpm + if [ $? -ne 0 ]; then diff --git a/lxc.spec b/lxc.spec index e680941..3e2f6de 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,11 +1,12 @@ Name: lxc Version: 0.8.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz +Patch0: lxc-0.8.0-fedora-template.patch BuildRequires: docbook-utils BuildRequires: kernel-headers BuildRequires: libcap-devel @@ -74,6 +75,7 @@ This package contains documentation for %{name}. %prep %setup -q +%patch0 -p1 %build @@ -140,6 +142,9 @@ make check %changelog +* Sat Mar 2 2013 Thomas Moschny - 0.8.0-2 +- Add upstream patch fixing the release url in the Fedora template. + * Fri Feb 15 2013 Thomas Moschny - 0.8.0-1 - Update to 0.8.0. - Modernize spec file. From 98d2d401d03f04bd57bd60871b719ff0f94e5cea Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 3 Aug 2013 03:38:39 -0500 Subject: [PATCH 17/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 3e2f6de..680e752 100644 --- a/lxc.spec +++ b/lxc.spec 
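Review bot: `Patch0: lxc-0.8.0-fedora-template.patch` in the `@@ -1,11 +1,12 @@` hunk does not record where the patch comes from, although the patch file itself begins with `commit 29e18143a07ffab7e85cb8db4dc39d394f0c6ea0`; a line `# upstream commit 29e18143a07ffab7e85cb8db4dc39d394f0c6ea0: fix RELEASE_URL for Fedora > 16` above `Patch0:` would let the next maintainer check whether a newer upstream release already contains it before rebasing. The `%patch0 -p1` addition under `%prep` is fine as written.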
@@ -1,6 +1,6 @@
 Name: lxc
 Version: 0.8.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Linux Resource Containers
 Group: Applications/System
 License: LGPLv2+
@@ -142,6 +142,9 @@ make check
 
 
 %changelog
+* Sat Aug 03 2013 Fedora Release Engineering - 0.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
 * Sat Mar 2 2013 Thomas Moschny - 0.8.0-2
 - Add upstream patch fixing the release url in the Fedora template.
 
From 6eecaff69c8a63e029b46c79b744d629e5f75f5b Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Mon, 2 Sep 2013 00:04:53 +0200 Subject: [PATCH 18/95] Update to 0.9.0. - Make the -libs subpackage installable on its own: - Move files needed by the libraries to the subpackage. - Let packages depend on -libs. - Add rsync as dependency to the templates package. - Add (optional) subpackages for Python3 and Lua bindings. - Add upstream patches for the Fedora template. - Define and use the _pkgdocdir macro, also fixing rhbz#1001235. - Update License tag. --- .gitignore | 1 + lxc-0.8.0-fedora-template.patch | 28 --- lxc-0.9.0-fedora-template.patch | 385 ++++++++++++++++++++++++++++++++ lxc-0.9.0-lua-5.2.patch | 39 ++++ lxc.spec | 189 +++++++++++++--- sources | 2 +- 6 files changed, 588 insertions(+), 56 deletions(-) delete mode 100644 lxc-0.8.0-fedora-template.patch create mode 100644 lxc-0.9.0-fedora-template.patch create mode 100644 lxc-0.9.0-lua-5.2.patch
diff --git a/.gitignore b/.gitignore
index dcabd0e..fca6aaf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ lxc-0.7.2.tar.gz
 /lxc-0.7.4.2.tar.gz
 /lxc-0.7.5.tar.gz
 /lxc-0.8.0.tar.gz
+/lxc-0.9.0.tar.gz
diff --git a/lxc-0.8.0-fedora-template.patch b/lxc-0.8.0-fedora-template.patch
deleted file mode 100644
index dd2b928..0000000
--- a/lxc-0.8.0-fedora-template.patch
+++ /dev/null
@@ -1,28 +0,0 @@ -commit 29e18143a07ffab7e85cb8db4dc39d394f0c6ea0 -Author: Maximilian Seesslen -Date: Fri Jan 4 16:36:07 2013 +0100 - - fixed RELEASE_URL for fedora releases higher than 16 - - The Url for the fedora-release RPM changed in release 17. - - Signed-off-by: Maximilian Seesslen - Acked-by: Serge E. Hallyn - -diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in -index 366e776..684bb9c 100644 ---- a/templates/lxc-fedora.in -+++ b/templates/lxc-fedora.in -@@ -149,7 +149,11 @@ download_fedora() - echo "Failed to get a mirror" - continue - fi -- RELEASE_URL="$MIRROR_URL/Packages/fedora-release-$release-1.noarch.rpm" -+ if [ "$release" -gt "16" ]; then -+ RELEASE_URL="$MIRROR_URL/Packages/f/fedora-release-$release-1.noarch.rpm" -+ else -+ RELEASE_URL="$MIRROR_URL/Packages/fedora-release-$release-1.noarch.rpm" -+ fi - echo "Fetching from $RELEASE_URL" - curl -f "$RELEASE_URL" > $INSTALL_ROOT/fedora-release-$release.noarch.rpm - if [ $? -ne 0 ]; then diff --git a/lxc-0.9.0-fedora-template.patch b/lxc-0.9.0-fedora-template.patch new file mode 100644 index 0000000..48eff32 --- /dev/null +++ b/lxc-0.9.0-fedora-template.patch 
@@ -0,0 +1,385 @@ +diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in +index 684bb9c..841af16 100644 +--- a/templates/lxc-fedora.in ++++ b/templates/lxc-fedora.in +@@ -26,18 +26,69 @@ + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + #Configurations +-arch=$(arch) ++arch=$(uname -m) + cache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$arch + default_path=@LXCPATH@ + root_password=root + + # is this fedora? +-[ -f /etc/fedora-release ] && is_fedora=true ++# Alow for weird remixes like the Raspberry Pi ++# ++# Use the Mitre standard CPE identifier for the release ID if possible... ++# This may be in /etc/os-release or /etc/system-release-cpe. We ++# should be able to use EITHER. Give preference to /etc/os-release for now. ++ ++if [ -e /etc/os-release ] ++then ++# This is a shell friendly configuration file. We can just source it. ++# What we're looking for in here is the ID, VERSION_ID and the CPE_NAME ++ . /etc/os-release ++ echo "Host CPE ID from /etc/os-release: ${CPE_NAME}" ++fi ++ ++if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ] ++then ++ CPE_NAME=$(head -n1 /etc/system-release-cpe) ++ CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)') ++ if [ "${CPE_URI}" != "cpe:/o" ] ++ then ++ CPE_NAME= ++ else ++ echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}" ++ # Probably a better way to do this but sill remain posix ++ # compatible but this works, shrug... ++ # Must be nice and not introduce convenient bashisms here. ++ ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)') ++ VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)') ++ fi ++fi + +-if [ "$arch" = "i686" ]; then +- arch=i386 ++if [ ${CPE_NAME} != "" -a ${ID} = "fedora" -a ${VERSION_ID} != "" ] ++then ++ fedora_host_ver=${VERSION_ID} ++ is_fedora=true ++elif [ -e /etc/redhat-release ] ++then ++ # Only if all other methods fail, try to parse the redhat-release file. 
++ fedora_host_ver=$( sed -e '/^Fedora /!d' -e 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release ) ++ if [ "$fedora_host_ver" != "" ] ++ then ++ is_fedora=true ++ fi + fi + ++# Map a few architectures to their generic Fedora repository archs. ++# The two ARM archs are a bit of a guesstimate for the v5 and v6 ++# archs. V6 should have hardware floating point (Rasberry Pi). ++# The "arm" arch is safer (no hardware floating point). So ++# there may be cases where we "get it wrong" for some v6 other ++# than RPi. ++case "$arch" in ++i686) arch=i386 ;; ++armv3l|armv4l|armv5l) arch=arm ;; ++armv6l|armv7l|armv8l) arch=armhfp ;; ++esac ++ + configure_fedora() + { + +@@ -50,7 +101,7 @@ configure_fedora() + DEVICE=eth0 + BOOTPROTO=dhcp + ONBOOT=yes +-HOSTNAME=${name} ++HOSTNAME=${utsname} + NM_CONTROLLED=no + TYPE=Ethernet + MTU=${MTU} +@@ -59,12 +110,18 @@ EOF + # set the hostname + cat < ${rootfs_path}/etc/sysconfig/network + NETWORKING=yes +-HOSTNAME=${name} ++HOSTNAME=${utsname} + EOF + ++ # set hostname on systemd Fedora systems ++ if [ $release -gt 14 ]; then ++ echo "${utsname}" > ${rootfs_path}/etc/hostname ++ fi ++ + # set minimal hosts + cat < $rootfs_path/etc/hosts +-127.0.0.1 localhost $name ++127.0.0.1 localhost.localdomain localhost $utsname ++::1 localhost6.localdomain6 localhost6 + EOF + + dev_path="${rootfs_path}/dev" +@@ -118,10 +175,27 @@ configure_fedora_systemd() + { + unlink ${rootfs_path}/etc/systemd/system/default.target + touch ${rootfs_path}/etc/fstab +- chroot ${rootfs_path} ln -s /dev/null //etc/systemd/system/udev.service ++ chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service + chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + #dependency on a device unit fails it specially that we disabled udev +- sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service ++ # sed -i 's/After=dev-%i.device/After=/' 
${rootfs_path}/lib/systemd/system/getty\@.service ++ # ++ # Actually, the After=dev-%i.device line does not appear in the ++ # Fedora 17 or Fedora 18 systemd getty\@.service file. It may be left ++ # over from an earlier version and it's not doing any harm. We do need ++ # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are ++ # started on the ttys in the container. Lets do it in an override copy of ++ # the service so it can still pass rpm verifies and not be automatically ++ # updated by a new systemd version. -- mhw /\/\|=mhw=|\/\/ ++ ++ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \ ++ -e 's/After=dev-%i.device/After=/' \ ++ < ${rootfs_path}/lib/systemd/system/getty\@.service \ ++ > ${rootfs_path}/etc/systemd/system/getty\@.service ++ # Setup getty service on the 4 ttys we are going to allow in the ++ # default config. Number should match lxc.tty ++ ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants ++ for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done ) + } + + download_fedora() +@@ -142,27 +216,53 @@ download_fedora() + MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch" + + DOWNLOAD_OK=no +- for trynumber in 1 2 3; do ++ ++ # We're splitting the old loop into two loops plus a directory retrival. ++ # First loop... Try and retrive a mirror list with retries and a slight ++ # delay between attempts... ++ for trynumber in 1 2 3 4; do + [ $trynumber != 1 ] && echo "Trying again..." +- MIRROR_URL=$(curl -s -S -f "$MIRRORLIST_URL" | head -n2 | tail -n1) +- if [ $? -ne 0 ] || [ -z "$MIRROR_URL" ]; then +- echo "Failed to get a mirror" +- continue +- fi ++ # This code is mildly "brittle" in that it assumes a certain ++ # page format and parsing HTML. I've done worse. :-P ++ MIRROR_URLS=$(curl -s -S -f "$MIRRORLIST_URL" | sed -e '/^http:/!d' -e '2,6!d') ++ if [ $? 
-eq 0 ] && [ -n "$MIRROR_URLS" ] ++ then ++ break ++ fi ++ ++ echo "Failed to get a mirror on try $trynumber" ++ sleep 3 ++ done ++ ++ # This will fall through if we didn't get any URLS above ++ for MIRROR_URL in ${MIRROR_URLS} ++ do + if [ "$release" -gt "16" ]; then +- RELEASE_URL="$MIRROR_URL/Packages/f/fedora-release-$release-1.noarch.rpm" ++ RELEASE_URL="$MIRROR_URL/Packages/f" + else +- RELEASE_URL="$MIRROR_URL/Packages/fedora-release-$release-1.noarch.rpm" ++ RELEASE_URL="$MIRROR_URL/Packages/" + fi +- echo "Fetching from $RELEASE_URL" +- curl -f "$RELEASE_URL" > $INSTALL_ROOT/fedora-release-$release.noarch.rpm ++ ++ echo "Fetching rpm name from $RELEASE_URL..." ++ # This code is mildly "brittle" in that it assumes a certain directory ++ # page format and parsing HTML. I've done worse. :-P ++ RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*.*//' ) ++ if [ $? -ne 0 -o "${RELEASE_RPM}" = "" ]; then ++ echo "Failed to identify fedora release rpm." ++ continue ++ fi ++ ++ echo "Fetching fedora release rpm from ${RELEASE_URL}/${RELEASE_RPM}......" ++ curl -L -f "${RELEASE_URL}/${RELEASE_RPM}" > ${INSTALL_ROOT}/${RELEASE_RPM} + if [ $? -ne 0 ]; then +- echo "Failed to download fedora release rpm" ++ echo "Failed to download fedora release rpm ${RELEASE_RPM}." + continue + fi ++ + DOWNLOAD_OK=yes + break + done ++ + if [ $DOWNLOAD_OK != yes ]; then + echo "Aborting" + return 1 +@@ -170,7 +270,7 @@ download_fedora() + + mkdir -p $INSTALL_ROOT/var/lib/rpm + rpm --root $INSTALL_ROOT --initdb +- rpm --root $INSTALL_ROOT -ivh $INSTALL_ROOT/fedora-release-$release.noarch.rpm ++ rpm --root $INSTALL_ROOT -ivh ${INSTALL_ROOT}/${RELEASE_RPM} + $YUM install $PKG_LIST + + if [ $? 
-ne 0 ]; then +@@ -248,10 +348,13 @@ copy_configuration() + mkdir -p $config_path + grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config + cat <> $config_path/config +-lxc.utsname = $name ++lxc.utsname = $utsname + lxc.tty = 4 + lxc.pts = 1024 + lxc.mount = $config_path/fstab ++lxc.cap.drop = sys_module mac_admin mac_override sys_time ++ ++lxc.autodev = $auto_dev + + # When using LXC with apparmor, uncomment the next line to run unconfined: + #lxc.aa_profile = unconfined +@@ -272,7 +375,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm + lxc.cgroup.devices.allow = c 136:* rwm + lxc.cgroup.devices.allow = c 5:2 rwm + # rtc +-lxc.cgroup.devices.allow = c 254:0 rwm ++lxc.cgroup.devices.allow = c 254:0 rm + EOF + + cat < $config_path/fstab +@@ -313,21 +416,23 @@ usage() + cat < +- [-p|--path=] [-c|--clean] [-R|--release=] [-A|--arch=] ++ [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-A|--arch=] + [-h|--help] + Mandatory args: + -n,--name container name, used to as an identifier for that container from now on + Optional args: +- -p,--path path to where the container rootfs will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case ++ -p,--path path to where the container will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case ++ --rootfs path for actual rootfs. + -c,--clean clean the cache +- -R,--release Fedora release for the new container. if the host is Fedora, then it will defaultto the host's release. ++ -R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release. ++ --fqdn fully qualified domain name (FQDN) for DNS and system naming + -A,--arch NOT USED YET. 
Define what arch the container will be [i686,x86_64] + -h,--help print this help + EOF + return 0 + } + +-options=$(getopt -o hp:n:cR: -l help,path:,name:,clean,release: -- "$@") ++options=$(getopt -o hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,fqdn: -- "$@") + if [ $? -ne 0 ]; then + usage $(basename $0) + exit 1 +@@ -339,9 +444,11 @@ do + case "$1" in + -h|--help) usage $0 && exit 0;; + -p|--path) path=$2; shift 2;; ++ --rootfs) rootfs=$2; shift 2;; + -n|--name) name=$2; shift 2;; + -c|--clean) clean=$2; shift 2;; + -R|--release) release=$2; shift 2;; ++ --fqdn) utsname=$2; shift 2;; + --) shift 1; break ;; + *) break ;; + esac +@@ -352,6 +459,29 @@ if [ ! -z "$clean" -a -z "$path" ]; then + exit 0 + fi + ++if [ -z "${utsname}" ]; then ++ utsname=${name} ++fi ++ ++# This follows a standard "resolver" convention that an FQDN must have ++# at least two dots or it is considered a local relative host name. ++# If it doesn't, append the dns domain name of the host system. ++# ++# This changes one significant behavior when running ++# "lxc_create -n Container_Name" without using the ++# --fqdn option. ++# ++# Old behavior: ++# utsname and hostname = Container_Name ++# New behavior: ++# utsname and hostname = Container_Name.Domain_Name ++ ++if [ $(expr "$utsname" : '.*\..*\.') = 0 ]; then ++ if [ -n "$(dnsdomainname)" ]; then ++ utsname=${utsname}.$(dnsdomainname) ++ fi ++fi ++ + needed_pkgs="" + type yum >/dev/null 2>&1 + if [ $? 
-ne 0 ]; then +@@ -365,33 +495,43 @@ fi + + if [ -n "$needed_pkgs" ]; then + echo "Missing commands: $needed_pkgs" +- echo "Please install these using \"sudo apt-get install $needed_pkgs\"" ++ echo "Please install these using \"sudo yum install $needed_pkgs\"" + exit 1 + fi + + if [ -z "$path" ]; then +- path=$default_path ++ path=$default_path/$name + fi + + if [ -z "$release" ]; then +- if [ "$is_fedora" ]; then +- release=$(cat /etc/fedora-release |awk '/^Fedora/ {print $3}') ++ if [ "$is_fedora" -a "$fedora_host_ver" ]; then ++ release=$fedora_host_ver + else +- echo "This is not a fedora host and release missing, defaulting to 14. use -R|--release to specify release" +- release=14 ++ echo "This is not a fedora host and release missing, defaulting to 18. use -R|--release to specify release" ++ release=18 + fi + fi + ++# Fedora 15 and above run systemd. We need autodev enabled to keep ++# systemd from causing problems. ++if [ $release -gt 14 ]; then ++ auto_dev="1" ++else ++ auto_dev="0" ++fi ++ + if [ "$(id -u)" != "0" ]; then + echo "This script should be run as 'root'" + exit 1 + fi + + +-rootfs_path=$path/$name/rootfs +-# check for 'lxc.rootfs' passed in through default config by lxc-create +-if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then +- rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'` ++if [ -z "$rootfs_path" ]; then ++ rootfs_path=$path/rootfs ++ # check for 'lxc.rootfs' passed in through default config by lxc-create ++ if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then ++ rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'` ++ fi + fi + config_path=$default_path/$name + cache=$cache_base/$release +@@ -427,13 +567,20 @@ if [ $? -ne 0 ]; then + exit 1 + fi + +-type /bin/systemd >/dev/null 2>&1 +-if [ $? -ne 0 ]; then +- configure_fedora_init +-else ++# If the systemd configuration directory exists - set it up for what we need. 
++if [ -d ${rootfs_path}/etc/systemd/system ] ++then + configure_fedora_systemd + fi + ++# This configuration (rc.sysinit) is not inconsistent with the systemd stuff ++# above and may actually coexist on some upgraded systems. Let's just make ++# sure that, if it exists, we update this file, even if it's not used... ++if [ -f ${rootfs_path}/etc/rc.sysinit ] ++then ++ configure_fedora_init ++fi ++ + if [ ! -z $clean ]; then + clean || exit 1 + exit 0 diff --git a/lxc-0.9.0-lua-5.2.patch b/lxc-0.9.0-lua-5.2.patch new file mode 100644 index 0000000..e48a1c2 --- /dev/null +++ b/lxc-0.9.0-lua-5.2.patch 
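Review bot: In `download_fedora()` the release RPM is fetched with `curl -L -f "${RELEASE_URL}/${RELEASE_RPM}"` from a mirror picked off a plain-http mirrorlist (`MIRRORLIST_URL="http://mirrors.fedoraproject.org/..."`, filtered by `sed -e '/^http:/!d'`) and then installed with `rpm --root $INSTALL_ROOT -ivh ${INSTALL_ROOT}/${RELEASE_RPM}` into a database that was just created by `rpm --root $INSTALL_ROOT --initdb`, so no signing key is present and the package — which supplies the repo configuration and GPG keys for everything `$YUM install $PKG_LIST` pulls in afterwards — goes in unverified, making an unauthenticated download the root of trust for the whole container. Importing the matching Fedora release key into the new root (the host's copy under `/etc/pki/rpm-gpg` is the obvious source) and checking the file with `rpm --root $INSTALL_ROOT -K` before the `-ivh` would close that gap; since the template is upstream code carried here as a downstream patch, the fix belongs upstream, and a comment next to `Patch0:` in the spec could record that it is known. The sed expression rendered as `'s/.*.*//'` on the `RELEASE_RPM=` line looks mangled by HTML stripping, so the directory-listing parse cannot be reviewed from this page. `download_fedora()` and the later `copy_configuration()` both continue outside the shown context.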
@@ -0,0 +1,39 @@ +diff -up lxc-0.9.0/src/lua-lxc/lxc.lua.orig lxc-0.9.0/src/lua-lxc/lxc.lua +--- lxc-0.9.0/src/lua-lxc/lxc.lua.orig 2013-02-18 08:47:43.000000000 +0100 ++++ lxc-0.9.0/src/lua-lxc/lxc.lua 2013-09-01 23:51:05.582938966 +0200 +@@ -282,7 +282,7 @@ function container:stat_get_ints(control + table.insert(result, val) + end + end +- return unpack(result) ++ return table.unpack(result) + end + + -- read an integer from a cgroup file +diff -up lxc-0.9.0/src/lua-lxc/Makefile.am.orig lxc-0.9.0/src/lua-lxc/Makefile.am +--- lxc-0.9.0/src/lua-lxc/Makefile.am.orig 2013-04-05 11:45:22.000000000 +0200 ++++ lxc-0.9.0/src/lua-lxc/Makefile.am 2013-09-01 23:51:05.581938980 +0200 +@@ -1,7 +1,7 @@ + if ENABLE_LUA + +-luadir=$(datadir)/lua/5.1 +-sodir=$(libdir)/lua/5.1/lxc ++luadir=$(datadir)/lua/5.2 ++sodir=$(libdir)/lua/5.2/lxc + + lua_SCRIPTS=lxc.lua + +diff -up lxc-0.9.0/src/lua-lxc/Makefile.in.orig lxc-0.9.0/src/lua-lxc/Makefile.in +--- lxc-0.9.0/src/lua-lxc/Makefile.in.orig 2013-04-05 11:48:20.000000000 +0200 ++++ lxc-0.9.0/src/lua-lxc/Makefile.in 2013-09-01 23:51:18.384762328 +0200 +@@ -230,8 +230,8 @@ target_alias = @target_alias@ + top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ +-@ENABLE_LUA_TRUE@luadir = $(datadir)/lua/5.1 +-@ENABLE_LUA_TRUE@sodir = $(libdir)/lua/5.1/lxc ++@ENABLE_LUA_TRUE@luadir = $(datadir)/lua/5.2 ++@ENABLE_LUA_TRUE@sodir = $(libdir)/lua/5.2/lxc + @ENABLE_LUA_TRUE@lua_SCRIPTS = lxc.lua + @ENABLE_LUA_TRUE@core_so_SOURCES = core.c + @ENABLE_LUA_TRUE@AM_CFLAGS = -I$(top_srcdir)/src $(LUA_CFLAGS) -DVERSION=\"$(VERSION)\" -DLXCPATH=\"$(LXCPATH)\" diff --git a/lxc.spec b/lxc.spec index 680e752..060a725 100644 --- a/lxc.spec +++ b/lxc.spec 
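Review bot: The `Makefile.am` and `Makefile.in` halves of this patch hard-code `5.2` where the spec already derives `%{luaver}`; because `luadir` and `sodir` are plain make variables, passing `luadir=%{luapkgdir} sodir=%{lualibdir}` on the `make` and `make install` command lines in the spec would override them without patching (assuming the generated install rules use them in the usual automake way), leaving only the `return table.unpack(result)` change, which is the part that genuinely needs a source edit. `table.unpack` does not exist in Lua 5.1, so whichever form is kept must stay conditional exactly as the spec's `%if 0%{?with_lua} && 0%{?fedora} > 19` guard does.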
@@ -1,16 +1,40 @@ +%if 0%{?fedora} || 0%{?rhel} > 6 +%global with_python3 1 +%endif + +%global with_lua 1 +%if 0%{?fedora} > 19 +%global luaver 5.2 +%else +%global luaver 5.1 +%endif +%global lualibdir %{_libdir}/lua/%{luaver} +%global luapkgdir %{_datadir}/lua/%{luaver} + Name: lxc -Version: 0.8.0 -Release: 3%{?dist} +Version: 0.9.0 +Release: 1%{?dist} Summary: Linux Resource Containers Group: Applications/System -License: LGPLv2+ +License: LGPLv2+ and GPLv2 URL: http://lxc.sourceforge.net Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz -Patch0: lxc-0.8.0-fedora-template.patch +Patch0: lxc-0.9.0-fedora-template.patch +# only used on Fedora > 19 +Patch1: lxc-0.9.0-lua-5.2.patch BuildRequires: docbook-utils +Buildrequires: docbook2X BuildRequires: kernel-headers BuildRequires: libcap-devel BuildRequires: libtool +%if 0%{?with_python3} +BuildRequires: python3-devel >= 3.2 +%endif +%if 0%{?with_lua} +BuildRequires: lua-devel +%endif + +%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} %description Linux Resource Containers provide process and resource isolation without the @@ -20,7 +44,6 @@ overhead of full virtualization. %package libs Summary: Runtime library files for %{name} Group: System Environment/Libraries -Requires: %{name} = %{version}-%{release} %description libs Linux Resource Containers provide process and resource isolation without the 
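Review bot: `Buildrequires: docbook2X` is capitalised differently from every surrounding `BuildRequires:` line; as far as I know rpm matches tag names case-insensitively so it builds, but it reads as a typo and defeats a grep for the tag, so write `BuildRequires: docbook2X`. `%global with_lua 1` is set unconditionally yet every use is guarded by `%if 0%{?with_lua}`; a one-line comment saying the guard exists for parity with `with_python3` (or for a future `%bcond_without lua`) would stop readers from treating those guards as dead code. The `# only used on Fedora > 19` comment on `Patch1:` is exactly the kind of note `Patch0:` also deserves.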
@@ -29,16 +52,59 @@ overhead of full virtualization. The %{name}-libs package contains libraries for running %{name} applications. +%if 0%{?with_python3} +%package -n python3-%{name} +Summary: Python binding for %{name} +Group: System Environment/Libraries + +%description -n python3-%{name} +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +The python3-%{name} package contains the Python3 binding for %{name}. + +%global __provides_exclude %{?__provides_exclude:%__provides_exclude|}_lxc\\..*\\.so + + +%package extra +Summary: Extra tools for %{name} +Group: Applications/System +Requires: python3-%{name}%{?_isa} = %{version}-%{release} + +%description extra +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +This package contains tools needing the Python3 bindings. +%endif + + +%if 0%{?with_lua} +%package -n lua-%{name} +Summary: Lua binding for %{name} +Group: System Environment/Libraries +Requires: lua-filesystem + +%description -n lua-%{name} +Linux Resource Containers provide process and resource isolation without the +overhead of full virtualization. + +The lua-%{name} package contains the Lua binding for %{name}. + +%global __provides_exclude %{?__provides_exclude:%__provides_exclude|}core\\.so\\.0 +%endif + + %package templates Summary: Templates for %{name} Group: System Environment/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} # needed for lxc-busybox Requires: busybox # needed for lxc-debian Requires: dpkg # needed for lxc-debian, lxc-ubuntu: -Requires: debootstrap +Requires: debootstrap rsync # needed for lxc-sshd Requires: openssh-server dhclient 
@@ -47,13 +113,13 @@ Requires: openssh-server dhclient Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. -The %{name}-template package contains templates for creating containers. +The %{name}-templates package contains templates for creating containers. %package devel Summary: Development files for %{name} Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: pkgconfig %description devel @@ -67,19 +133,32 @@ developing applications that use %{name}. %package doc Summary: Documentation for %{name} Group: Documentation -Requires: %{name} = %{version}-%{release} +BuildArch: noarch %description doc This package contains documentation for %{name}. %prep -%setup -q +%setup -q -n %{name}-%{version} %patch0 -p1 - +%if 0%{?with_lua} && 0%{?fedora} > 19 +%patch1 -p1 +%endif %build -%configure --enable-doc --disable-rpath --disable-apparmor +%configure --with-distro=fedora \ + --enable-doc \ + --docdir=%{_pkgdocdir} \ + --disable-rpath \ + --disable-apparmor \ +%if 0%{?with_python3} + --enable-python \ +%endif +%if 0%{?with_lua} + --enable-lua \ +%endif +# intentionally blank line make %{?_smp_mflags} @@ -87,6 +166,12 @@ make %{?_smp_mflags} %{make_install} make DESTDIR=%{buildroot} install mkdir -p %{buildroot}%{_sharedstatedir}/%{name} +%if 0%{?with_lua} +chmod -x %{buildroot}%{luapkgdir}/lxc.lua +%endif + +mkdir -p %{buildroot}%{_pkgdocdir} +cp -a AUTHORS COPYING README %{buildroot}%{_pkgdocdir} %check 
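Review bot: In the `%build` hunk the last unconditional flag line `--disable-apparmor \` ends in a continuation, so when neither `%if` block is active the shell joins the next line, `# intentionally blank line`, onto the `%configure` command; it works only because `#` then opens a shell comment, and any non-comment text later placed after the final `%endif` would silently become a configure argument. The usual terminator for this pattern is a `%{nil}` line in place of the comment, i.e. replace `# intentionally blank line` with `%{nil}`. `%setup -q -n %{name}-%{version}` only restates the default directory name. The `%{make_install}` followed by `make DESTDIR=%{buildroot} install` double install raised on the 0.8.0 hunk above is still present in the `@@ -87,6 +166,12 @@` hunk here.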
@@ -100,21 +185,60 @@ make check %files -%doc AUTHORS COPYING README %{_bindir}/%{name}-* -%{_mandir}/man*/%{name}* -%{_sharedstatedir}/%{name} +%{_mandir}/man1/%{name}* +%{_datadir}/%{name}/lxc.functions +%if 0%{?with_python3} +%exclude %{_bindir}/%{name}-device +%exclude %{_bindir}/%{name}-ls +%exclude %{_bindir}/%{name}-start-ephemeral +%exclude %{_mandir}/man1/%{name}-device* +%exclude %{_mandir}/man1/%{name}-ls* +%exclude %{_mandir}/man1/%{name}-start-ephemeral* +%else +%{_bindir}/%{name}-ls +%{_mandir}/man1/%{name}-ls* +%endif %files libs -%doc AUTHORS COPYING -%dir %{_datadir}/lxc -%dir %{_datadir}/lxc/templates +%dir %{_datadir}/%{name} +%dir %{_datadir}/%{name}/templates +%{_datadir}/%{name}/hooks %{_libdir}/liblxc.so.* -%dir %{_libdir}/lxc -%{_libdir}/lxc/rootfs -%dir %{_libexecdir}/lxc -%{_libexecdir}/lxc/lxc-init +%{_libdir}/%{name} +%{_libexecdir}/%{name} +%{_sharedstatedir}/%{name} +%dir %{_sysconfdir}/%{name} +%config(noreplace) %{_sysconfdir}/%{name}/default.conf +%{_mandir}/man5/%{name}* +%{_mandir}/man7/%{name}* +%dir %{_pkgdocdir} +%{_pkgdocdir}/AUTHORS +%{_pkgdocdir}/COPYING +%{_pkgdocdir}/README + + +%if 0%{?with_python3} +%files -n python3-%{name} +%{python3_sitearch}/* + + +%files extra +%{_bindir}/%{name}-device +%{_bindir}/%{name}-ls +%{_bindir}/%{name}-start-ephemeral +%{_mandir}/man1/%{name}-device* +%{_mandir}/man1/%{name}-ls* +%{_mandir}/man1/%{name}-start-ephemeral* +%endif + + +%if 0%{?with_lua} +%files -n lua-%{name} +%{lualibdir}/%{name} +%{luapkgdir}/%{name}.lua +%endif %files templates @@ -123,8 +247,6 @@ make check %exclude %{_datadir}/lxc/templates/lxc-altlinux # needs pacman %exclude %{_datadir}/lxc/templates/lxc-archlinux -# probably outdated -%exclude %{_datadir}/lxc/templates/lxc-lenny # needs zypper %exclude %{_datadir}/lxc/templates/lxc-opensuse # needs ubuntu-cloudimg-query 
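Review bot: In the base `%files` list the `%else` branch lists `%{_bindir}/%{name}-ls` and `%{_mandir}/man1/%{name}-ls*` explicitly although `%{_bindir}/%{name}-*` and `%{_mandir}/man1/%{name}*` above already match them, so non-python3 builds will get rpmbuild's "File listed twice" warning; the `%exclude` lines in the `%if` branch are what actually matters, so the two `%else` lines can go. `%{python3_sitearch}/*` in `%files -n python3-%{name}` globs the whole site-arch directory, which also swallows any stray file a future build drops there; naming the installed module (the `__provides_exclude` filter suggests `_lxc*.so`, but the exact names are not visible here) would catch that. Moving `%{_sharedstatedir}/%{name}` and `%config(noreplace) %{_sysconfdir}/%{name}/default.conf` into -libs is consistent with the stated goal of making -libs installable on its own.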
@@ -138,10 +260,24 @@ make check %files doc -%{_docdir}/%{name} +%dir %{_pkgdocdir} +# README, AUTHORS and COPYING intentionally duplicated because -doc +# can be installed on its own. +%{_pkgdocdir}/* %changelog +* Sun Sep 1 2013 Thomas Moschny - 0.9.0-1 +- Update to 0.9.0. +- Make the -libs subpackage installable on its own: + - Move files needed by the libraries to the subpackage. + - Let packages depend on -libs. +- Add rsync as dependency to the templates package. +- Add (optional) subpackages for Python3 and Lua bindings. +- Add upstream patches for the Fedora template. +- Define and use the _pkgdocdir macro, also fixing rhbz#1001235. +- Update License tag. + * Sat Aug 03 2013 Fedora Release Engineering - 0.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild @@ -198,4 +334,3 @@ make check * Sat Jul 25 2009 Silas Sewell - 0.6.3-1 - Initial package - diff --git a/sources b/sources index 64e11a1..f960493 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7304fa57146ce687f749b5df876bb20d lxc-0.8.0.tar.gz +8552a4479090616f4bc04d8473765fc9 lxc-0.9.0.tar.gz From 3864361ea2732bfcf24d99bdbe9a781229a19287 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Wed, 4 Sep 2013 18:34:14 +0200 Subject: [PATCH 19/95] Small fix to the included Fedora template. --- lxc-0.9.0-fedora-template.patch | 4 ++-- lxc.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/lxc-0.9.0-fedora-template.patch b/lxc-0.9.0-fedora-template.patch index 48eff32..aa23da2 100644 --- a/lxc-0.9.0-fedora-template.patch +++ b/lxc-0.9.0-fedora-template.patch @@ -1,5 +1,5 @@ diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in -index 684bb9c..841af16 100644 +index 684bb9c..922563d 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -26,18 +26,69 @@ 
@@ -47,7 +47,7 @@ index 684bb9c..841af16 100644 -if [ "$arch" = "i686" ]; then - arch=i386 -+if [ ${CPE_NAME} != "" -a ${ID} = "fedora" -a ${VERSION_ID} != "" ] ++if [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ] +then + fedora_host_ver=${VERSION_ID} + is_fedora=true diff --git a/lxc.spec b/lxc.spec index 060a725..ba127f4 100644 --- a/lxc.spec +++ b/lxc.spec @@ -13,7 +13,7 @@ Name: lxc Version: 0.9.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -267,6 +267,9 @@ make check %changelog +* Wed Sep 4 2013 Thomas Moschny - 0.9.0-2 +- Small fix to the included Fedora template. + * Sun Sep 1 2013 Thomas Moschny - 0.9.0-1 - Update to 0.9.0. - Make the -libs subpackage installable on its own: From d8fa1e3d41ff68ed9bd8bfac4431837ce0f63a3e Mon Sep 17 00:00:00 2001 From: Marek Goldmann Date: Thu, 30 Jan 2014 16:14:01 +0100 Subject: [PATCH 20/95] There is still no Python 3 available in EPEL 7 --- lxc.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index ba127f4..d02ed44 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,4 +1,4 @@ -%if 0%{?fedora} || 0%{?rhel} > 6 +%if 0%{?fedora} || 0%{?rhel} > 7 %global with_python3 1 %endif @@ -13,7 +13,7 @@ Name: lxc Version: 0.9.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -267,6 +267,9 @@ make check %changelog +* Thu Jan 30 2014 Marek Goldmann - 0.9.0-3 +- There is still no Python 3 available in EPEL 7 + * Wed Sep 4 2013 Thomas Moschny - 0.9.0-2 - Small fix to the included Fedora template. From 8b406eb2dacd1dddd2f5e63a4a2aa59949045380 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Wed, 28 May 2014 12:13:58 +0200 Subject: [PATCH 21/95] Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
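Review bot: The quoting added on `if [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ]` fixes the empty-variable case, but the test still chains three comparisons with `-a`, which POSIX marks obsolescent and whose parsing is unspecified once `[` sees more than four arguments. Splitting it into separate tests removes the ambiguity: `if [ -n "${CPE_NAME}" ] && [ "${ID}" = "fedora" ] && [ -n "${VERSION_ID}" ]`. This hunk edits a downstream patch file, so the change must also keep the patch's context lines applying to the template script; the `if` block it belongs to continues outside the hunk.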
diff --git a/lxc.spec b/lxc.spec index d02ed44..9a83d7d 100644 --- a/lxc.spec +++ b/lxc.spec @@ -13,7 +13,7 @@ Name: lxc Version: 0.9.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -267,6 +267,9 @@ make check %changelog +* Wed May 28 2014 Kalev Lember - 0.9.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + * Thu Jan 30 2014 Marek Goldmann - 0.9.0-3 - There is still no Python 3 available in EPEL 7 From de0c86a03dbfe4cd1d232be6abb373da8d366445 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Thu, 5 Jun 2014 00:42:43 +0200 Subject: [PATCH 22/95] Update to 1.0.3. - Remove obsolete patches. - Add systemd support. - Lua bindings are not optional (needed e.g. for lxc-top). --- .gitignore | 1 + lxc-0.9.0-fedora-template.patch | 385 -------------------------------- lxc-0.9.0-lua-5.2.patch | 39 ---- lxc.spec | 93 +++++--- sources | 2 +- 5 files changed, 61 insertions(+), 459 deletions(-) delete mode 100644 lxc-0.9.0-fedora-template.patch delete mode 100644 lxc-0.9.0-lua-5.2.patch diff --git a/.gitignore b/.gitignore index fca6aaf..1040811 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ lxc-0.7.2.tar.gz /lxc-0.7.5.tar.gz /lxc-0.8.0.tar.gz /lxc-0.9.0.tar.gz +/lxc-1.0.3.tar.gz diff --git a/lxc-0.9.0-fedora-template.patch b/lxc-0.9.0-fedora-template.patch deleted file mode 100644 index aa23da2..0000000 --- a/lxc-0.9.0-fedora-template.patch +++ /dev/null 
@@ -1,385 +0,0 @@ -diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in -index 684bb9c..922563d 100644 ---- a/templates/lxc-fedora.in -+++ b/templates/lxc-fedora.in -@@ -26,18 +26,69 @@ - # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - #Configurations --arch=$(arch) -+arch=$(uname -m) - cache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$arch - default_path=@LXCPATH@ - root_password=root - - # is this fedora? --[ -f /etc/fedora-release ] && is_fedora=true -+# Alow for weird remixes like the Raspberry Pi -+# -+# Use the Mitre standard CPE identifier for the release ID if possible... -+# This may be in /etc/os-release or /etc/system-release-cpe. We -+# should be able to use EITHER. Give preference to /etc/os-release for now. -+ -+if [ -e /etc/os-release ] -+then -+# This is a shell friendly configuration file. We can just source it. -+# What we're looking for in here is the ID, VERSION_ID and the CPE_NAME -+ . /etc/os-release -+ echo "Host CPE ID from /etc/os-release: ${CPE_NAME}" -+fi -+ -+if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ] -+then -+ CPE_NAME=$(head -n1 /etc/system-release-cpe) -+ CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)') -+ if [ "${CPE_URI}" != "cpe:/o" ] -+ then -+ CPE_NAME= -+ else -+ echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}" -+ # Probably a better way to do this but sill remain posix -+ # compatible but this works, shrug... -+ # Must be nice and not introduce convenient bashisms here. -+ ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)') -+ VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)') -+ fi -+fi - --if [ "$arch" = "i686" ]; then -- arch=i386 -+if [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ] -+then -+ fedora_host_ver=${VERSION_ID} -+ is_fedora=true -+elif [ -e /etc/redhat-release ] -+then -+ # Only if all other methods fail, try to parse the redhat-release file. 
-+ fedora_host_ver=$( sed -e '/^Fedora /!d' -e 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release ) -+ if [ "$fedora_host_ver" != "" ] -+ then -+ is_fedora=true -+ fi - fi - -+# Map a few architectures to their generic Fedora repository archs. -+# The two ARM archs are a bit of a guesstimate for the v5 and v6 -+# archs. V6 should have hardware floating point (Rasberry Pi). -+# The "arm" arch is safer (no hardware floating point). So -+# there may be cases where we "get it wrong" for some v6 other -+# than RPi. -+case "$arch" in -+i686) arch=i386 ;; -+armv3l|armv4l|armv5l) arch=arm ;; -+armv6l|armv7l|armv8l) arch=armhfp ;; -+esac -+ - configure_fedora() - { - -@@ -50,7 +101,7 @@ configure_fedora() - DEVICE=eth0 - BOOTPROTO=dhcp - ONBOOT=yes --HOSTNAME=${name} -+HOSTNAME=${utsname} - NM_CONTROLLED=no - TYPE=Ethernet - MTU=${MTU} -@@ -59,12 +110,18 @@ EOF - # set the hostname - cat < ${rootfs_path}/etc/sysconfig/network - NETWORKING=yes --HOSTNAME=${name} -+HOSTNAME=${utsname} - EOF - -+ # set hostname on systemd Fedora systems -+ if [ $release -gt 14 ]; then -+ echo "${utsname}" > ${rootfs_path}/etc/hostname -+ fi -+ - # set minimal hosts - cat < $rootfs_path/etc/hosts --127.0.0.1 localhost $name -+127.0.0.1 localhost.localdomain localhost $utsname -+::1 localhost6.localdomain6 localhost6 - EOF - - dev_path="${rootfs_path}/dev" -@@ -118,10 +175,27 @@ configure_fedora_systemd() - { - unlink ${rootfs_path}/etc/systemd/system/default.target - touch ${rootfs_path}/etc/fstab -- chroot ${rootfs_path} ln -s /dev/null //etc/systemd/system/udev.service -+ chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service - chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target - #dependency on a device unit fails it specially that we disabled udev -- sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service -+ # sed -i 's/After=dev-%i.device/After=/' 
${rootfs_path}/lib/systemd/system/getty\@.service -+ # -+ # Actually, the After=dev-%i.device line does not appear in the -+ # Fedora 17 or Fedora 18 systemd getty\@.service file. It may be left -+ # over from an earlier version and it's not doing any harm. We do need -+ # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are -+ # started on the ttys in the container. Lets do it in an override copy of -+ # the service so it can still pass rpm verifies and not be automatically -+ # updated by a new systemd version. -- mhw /\/\|=mhw=|\/\/ -+ -+ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \ -+ -e 's/After=dev-%i.device/After=/' \ -+ < ${rootfs_path}/lib/systemd/system/getty\@.service \ -+ > ${rootfs_path}/etc/systemd/system/getty\@.service -+ # Setup getty service on the 4 ttys we are going to allow in the -+ # default config. Number should match lxc.tty -+ ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants -+ for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done ) - } - - download_fedora() -@@ -142,27 +216,53 @@ download_fedora() - MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch" - - DOWNLOAD_OK=no -- for trynumber in 1 2 3; do -+ -+ # We're splitting the old loop into two loops plus a directory retrival. -+ # First loop... Try and retrive a mirror list with retries and a slight -+ # delay between attempts... -+ for trynumber in 1 2 3 4; do - [ $trynumber != 1 ] && echo "Trying again..." -- MIRROR_URL=$(curl -s -S -f "$MIRRORLIST_URL" | head -n2 | tail -n1) -- if [ $? -ne 0 ] || [ -z "$MIRROR_URL" ]; then -- echo "Failed to get a mirror" -- continue -- fi -+ # This code is mildly "brittle" in that it assumes a certain -+ # page format and parsing HTML. I've done worse. :-P -+ MIRROR_URLS=$(curl -s -S -f "$MIRRORLIST_URL" | sed -e '/^http:/!d' -e '2,6!d') -+ if [ $? 
-eq 0 ] && [ -n "$MIRROR_URLS" ] -+ then -+ break -+ fi -+ -+ echo "Failed to get a mirror on try $trynumber" -+ sleep 3 -+ done -+ -+ # This will fall through if we didn't get any URLS above -+ for MIRROR_URL in ${MIRROR_URLS} -+ do - if [ "$release" -gt "16" ]; then -- RELEASE_URL="$MIRROR_URL/Packages/f/fedora-release-$release-1.noarch.rpm" -+ RELEASE_URL="$MIRROR_URL/Packages/f" - else -- RELEASE_URL="$MIRROR_URL/Packages/fedora-release-$release-1.noarch.rpm" -+ RELEASE_URL="$MIRROR_URL/Packages/" - fi -- echo "Fetching from $RELEASE_URL" -- curl -f "$RELEASE_URL" > $INSTALL_ROOT/fedora-release-$release.noarch.rpm -+ -+ echo "Fetching rpm name from $RELEASE_URL..." -+ # This code is mildly "brittle" in that it assumes a certain directory -+ # page format and parsing HTML. I've done worse. :-P -+ RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*.*//' ) -+ if [ $? -ne 0 -o "${RELEASE_RPM}" = "" ]; then -+ echo "Failed to identify fedora release rpm." -+ continue -+ fi -+ -+ echo "Fetching fedora release rpm from ${RELEASE_URL}/${RELEASE_RPM}......" -+ curl -L -f "${RELEASE_URL}/${RELEASE_RPM}" > ${INSTALL_ROOT}/${RELEASE_RPM} - if [ $? -ne 0 ]; then -- echo "Failed to download fedora release rpm" -+ echo "Failed to download fedora release rpm ${RELEASE_RPM}." - continue - fi -+ - DOWNLOAD_OK=yes - break - done -+ - if [ $DOWNLOAD_OK != yes ]; then - echo "Aborting" - return 1 -@@ -170,7 +270,7 @@ download_fedora() - - mkdir -p $INSTALL_ROOT/var/lib/rpm - rpm --root $INSTALL_ROOT --initdb -- rpm --root $INSTALL_ROOT -ivh $INSTALL_ROOT/fedora-release-$release.noarch.rpm -+ rpm --root $INSTALL_ROOT -ivh ${INSTALL_ROOT}/${RELEASE_RPM} - $YUM install $PKG_LIST - - if [ $? 
-ne 0 ]; then -@@ -248,10 +348,13 @@ copy_configuration() - mkdir -p $config_path - grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config - cat <> $config_path/config --lxc.utsname = $name -+lxc.utsname = $utsname - lxc.tty = 4 - lxc.pts = 1024 - lxc.mount = $config_path/fstab -+lxc.cap.drop = sys_module mac_admin mac_override sys_time -+ -+lxc.autodev = $auto_dev - - # When using LXC with apparmor, uncomment the next line to run unconfined: - #lxc.aa_profile = unconfined -@@ -272,7 +375,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm - lxc.cgroup.devices.allow = c 136:* rwm - lxc.cgroup.devices.allow = c 5:2 rwm - # rtc --lxc.cgroup.devices.allow = c 254:0 rwm -+lxc.cgroup.devices.allow = c 254:0 rm - EOF - - cat < $config_path/fstab -@@ -313,21 +416,23 @@ usage() - cat < -- [-p|--path=] [-c|--clean] [-R|--release=] [-A|--arch=] -+ [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-A|--arch=] - [-h|--help] - Mandatory args: - -n,--name container name, used to as an identifier for that container from now on - Optional args: -- -p,--path path to where the container rootfs will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case -+ -p,--path path to where the container will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case -+ --rootfs path for actual rootfs. - -c,--clean clean the cache -- -R,--release Fedora release for the new container. if the host is Fedora, then it will defaultto the host's release. -+ -R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release. -+ --fqdn fully qualified domain name (FQDN) for DNS and system naming - -A,--arch NOT USED YET. 
Define what arch the container will be [i686,x86_64] - -h,--help print this help - EOF - return 0 - } - --options=$(getopt -o hp:n:cR: -l help,path:,name:,clean,release: -- "$@") -+options=$(getopt -o hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,fqdn: -- "$@") - if [ $? -ne 0 ]; then - usage $(basename $0) - exit 1 -@@ -339,9 +444,11 @@ do - case "$1" in - -h|--help) usage $0 && exit 0;; - -p|--path) path=$2; shift 2;; -+ --rootfs) rootfs=$2; shift 2;; - -n|--name) name=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; - -R|--release) release=$2; shift 2;; -+ --fqdn) utsname=$2; shift 2;; - --) shift 1; break ;; - *) break ;; - esac -@@ -352,6 +459,29 @@ if [ ! -z "$clean" -a -z "$path" ]; then - exit 0 - fi - -+if [ -z "${utsname}" ]; then -+ utsname=${name} -+fi -+ -+# This follows a standard "resolver" convention that an FQDN must have -+# at least two dots or it is considered a local relative host name. -+# If it doesn't, append the dns domain name of the host system. -+# -+# This changes one significant behavior when running -+# "lxc_create -n Container_Name" without using the -+# --fqdn option. -+# -+# Old behavior: -+# utsname and hostname = Container_Name -+# New behavior: -+# utsname and hostname = Container_Name.Domain_Name -+ -+if [ $(expr "$utsname" : '.*\..*\.') = 0 ]; then -+ if [ -n "$(dnsdomainname)" ]; then -+ utsname=${utsname}.$(dnsdomainname) -+ fi -+fi -+ - needed_pkgs="" - type yum >/dev/null 2>&1 - if [ $? 
-ne 0 ]; then -@@ -365,33 +495,43 @@ fi - - if [ -n "$needed_pkgs" ]; then - echo "Missing commands: $needed_pkgs" -- echo "Please install these using \"sudo apt-get install $needed_pkgs\"" -+ echo "Please install these using \"sudo yum install $needed_pkgs\"" - exit 1 - fi - - if [ -z "$path" ]; then -- path=$default_path -+ path=$default_path/$name - fi - - if [ -z "$release" ]; then -- if [ "$is_fedora" ]; then -- release=$(cat /etc/fedora-release |awk '/^Fedora/ {print $3}') -+ if [ "$is_fedora" -a "$fedora_host_ver" ]; then -+ release=$fedora_host_ver - else -- echo "This is not a fedora host and release missing, defaulting to 14. use -R|--release to specify release" -- release=14 -+ echo "This is not a fedora host and release missing, defaulting to 18. use -R|--release to specify release" -+ release=18 - fi - fi - -+# Fedora 15 and above run systemd. We need autodev enabled to keep -+# systemd from causing problems. -+if [ $release -gt 14 ]; then -+ auto_dev="1" -+else -+ auto_dev="0" -+fi -+ - if [ "$(id -u)" != "0" ]; then - echo "This script should be run as 'root'" - exit 1 - fi - - --rootfs_path=$path/$name/rootfs --# check for 'lxc.rootfs' passed in through default config by lxc-create --if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then -- rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'` -+if [ -z "$rootfs_path" ]; then -+ rootfs_path=$path/rootfs -+ # check for 'lxc.rootfs' passed in through default config by lxc-create -+ if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then -+ rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'` -+ fi - fi - config_path=$default_path/$name - cache=$cache_base/$release -@@ -427,13 +567,20 @@ if [ $? -ne 0 ]; then - exit 1 - fi - --type /bin/systemd >/dev/null 2>&1 --if [ $? -ne 0 ]; then -- configure_fedora_init --else -+# If the systemd configuration directory exists - set it up for what we need. 
-+if [ -d ${rootfs_path}/etc/systemd/system ] -+then - configure_fedora_systemd - fi - -+# This configuration (rc.sysinit) is not inconsistent with the systemd stuff -+# above and may actually coexist on some upgraded systems. Let's just make -+# sure that, if it exists, we update this file, even if it's not used... -+if [ -f ${rootfs_path}/etc/rc.sysinit ] -+then -+ configure_fedora_init -+fi -+ - if [ ! -z $clean ]; then - clean || exit 1 - exit 0 diff --git a/lxc-0.9.0-lua-5.2.patch b/lxc-0.9.0-lua-5.2.patch deleted file mode 100644 index e48a1c2..0000000 --- a/lxc-0.9.0-lua-5.2.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff -up lxc-0.9.0/src/lua-lxc/lxc.lua.orig lxc-0.9.0/src/lua-lxc/lxc.lua ---- lxc-0.9.0/src/lua-lxc/lxc.lua.orig 2013-02-18 08:47:43.000000000 +0100 -+++ lxc-0.9.0/src/lua-lxc/lxc.lua 2013-09-01 23:51:05.582938966 +0200 -@@ -282,7 +282,7 @@ function container:stat_get_ints(control - table.insert(result, val) - end - end -- return unpack(result) -+ return table.unpack(result) - end - - -- read an integer from a cgroup file -diff -up lxc-0.9.0/src/lua-lxc/Makefile.am.orig lxc-0.9.0/src/lua-lxc/Makefile.am ---- lxc-0.9.0/src/lua-lxc/Makefile.am.orig 2013-04-05 11:45:22.000000000 +0200 -+++ lxc-0.9.0/src/lua-lxc/Makefile.am 2013-09-01 23:51:05.581938980 +0200 -@@ -1,7 +1,7 @@ - if ENABLE_LUA - --luadir=$(datadir)/lua/5.1 --sodir=$(libdir)/lua/5.1/lxc -+luadir=$(datadir)/lua/5.2 -+sodir=$(libdir)/lua/5.2/lxc - - lua_SCRIPTS=lxc.lua - -diff -up lxc-0.9.0/src/lua-lxc/Makefile.in.orig lxc-0.9.0/src/lua-lxc/Makefile.in ---- lxc-0.9.0/src/lua-lxc/Makefile.in.orig 2013-04-05 11:48:20.000000000 +0200 -+++ lxc-0.9.0/src/lua-lxc/Makefile.in 2013-09-01 23:51:18.384762328 +0200 -@@ -230,8 +230,8 @@ target_alias = @target_alias@ - top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ --@ENABLE_LUA_TRUE@luadir = $(datadir)/lua/5.1 --@ENABLE_LUA_TRUE@sodir = $(libdir)/lua/5.1/lxc -+@ENABLE_LUA_TRUE@luadir = $(datadir)/lua/5.2 -+@ENABLE_LUA_TRUE@sodir = $(libdir)/lua/5.2/lxc - @ENABLE_LUA_TRUE@lua_SCRIPTS = lxc.lua - @ENABLE_LUA_TRUE@core_so_SOURCES = core.c - @ENABLE_LUA_TRUE@AM_CFLAGS = -I$(top_srcdir)/src $(LUA_CFLAGS) -DVERSION=\"$(VERSION)\" -DLXCPATH=\"$(LXCPATH)\" diff --git a/lxc.spec b/lxc.spec index 9a83d7d..9ec1618 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,8 +1,7 @@ -%if 0%{?fedora} || 0%{?rhel} > 7 +%if 0%{?fedora} %global with_python3 1 %endif -%global with_lua 1 %if 0%{?fedora} > 19 %global luaver 5.2 %else 
@@ -12,27 +11,24 @@ %global luapkgdir %{_datadir}/lua/%{luaver} Name: lxc -Version: 0.9.0 -Release: 4%{?dist} +Version: 1.0.3 +Release: 1%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 -URL: http://lxc.sourceforge.net -Source0: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz -Patch0: lxc-0.9.0-fedora-template.patch -# only used on Fedora > 19 -Patch1: lxc-0.9.0-lua-5.2.patch +URL: http://linuxcontainers.org +Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz BuildRequires: docbook-utils Buildrequires: docbook2X BuildRequires: kernel-headers BuildRequires: libcap-devel BuildRequires: libtool +BuildRequires: lua-devel %if 0%{?with_python3} BuildRequires: python3-devel >= 3.2 %endif -%if 0%{?with_lua} -BuildRequires: lua-devel -%endif +BuildRequires: systemd + %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -44,6 +40,9 @@ overhead of full virtualization. %package libs Summary: Runtime library files for %{name} Group: System Environment/Libraries +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd %description libs Linux Resource Containers provide process and resource isolation without the @@ -79,7 +78,6 @@ This package contains tools needing the Python3 bindings. %endif -%if 0%{?with_lua} %package -n lua-%{name} Summary: Lua binding for %{name} Group: System Environment/Libraries @@ -92,7 +90,6 @@ overhead of full virtualization. The lua-%{name} package contains the Lua binding for %{name}. %global __provides_exclude %{?__provides_exclude:%__provides_exclude|}core\\.so\\.0 -%endif %package templates @@ -141,10 +138,7 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{version} -%patch0 -p1 -%if 0%{?with_lua} && 0%{?fedora} > 19 -%patch1 -p1 -%endif + %build %configure --with-distro=fedora \ 
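Review bot: The new `Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz` fetches the release tarball over plain HTTP, so the only integrity check on the build input is the checksum recorded in the `sources` file (an MD5 in this series, see the `sources` change further down). Prefer an https URL if upstream serves one, and if upstream publishes a detached signature for the release, add it as a `Source1` and verify it in `%prep` so the tarball is tied to upstream's key rather than to whatever was downloaded the first time. The `URL:` line just above uses the same http scheme.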
@@ -152,12 +146,10 @@ This package contains documentation for %{name}. --docdir=%{_pkgdocdir} \ --disable-rpath \ --disable-apparmor \ + --enable-lua \ %if 0%{?with_python3} --enable-python \ %endif -%if 0%{?with_lua} - --enable-lua \ -%endif # intentionally blank line make %{?_smp_mflags} @@ -173,20 +165,43 @@ chmod -x %{buildroot}%{luapkgdir}/lxc.lua mkdir -p %{buildroot}%{_pkgdocdir} cp -a AUTHORS COPYING README %{buildroot}%{_pkgdocdir} +# cache dir +mkdir -p %{buildroot}%{_localstatedir}/cache/%{name} + +# move templates with extra dependencies +# - lxc-altlinux needs apt +# - lxc-archlinux needs pacman +# - lxc-opensuse needs zypper +# - lxc-ubuntu-cloud needs ubuntu-cloudimg-query +mkdir -p %{buildroot}%{_pkgdocdir}/templates +for t in altlinux archlinux opensuse ubuntu-cloud ; do + mv %{buildroot}%{_datadir}/%{name}/templates/%{name}-$t \ + %{buildroot}%{_pkgdocdir}/templates +done + %check make check -%post libs -p /sbin/ldconfig +%post libs +/sbin/ldconfig +%systemd_post %{name}.service -%postun libs -p /sbin/ldconfig +%preun libs +%systemd_preun %{name}.service + + +%postun libs +/sbin/ldconfig +%systemd_postun %{name}.service %files %{_bindir}/%{name}-* %{_mandir}/man1/%{name}* +%{_mandir}/*/man1/%{name}* %{_datadir}/%{name}/lxc.functions %if 0%{?with_python3} %exclude %{_bindir}/%{name}-device 
@@ -199,24 +214,35 @@ make check %{_bindir}/%{name}-ls %{_mandir}/man1/%{name}-ls* %endif +%dir %{_sysconfdir}/bash_completion.d/ +%{_sysconfdir}/bash_completion.d/%{name} %files libs %dir %{_datadir}/%{name} %dir %{_datadir}/%{name}/templates +%dir %{_datadir}/%{name}/config %{_datadir}/%{name}/hooks %{_libdir}/liblxc.so.* %{_libdir}/%{name} %{_libexecdir}/%{name} +# fixme: should be in libexecdir? +%{_sbindir}/init.%{name} %{_sharedstatedir}/%{name} %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/default.conf %{_mandir}/man5/%{name}* %{_mandir}/man7/%{name}* +%{_mandir}/*/man5/%{name}* +%{_mandir}/*/man7/%{name}* %dir %{_pkgdocdir} %{_pkgdocdir}/AUTHORS %{_pkgdocdir}/COPYING %{_pkgdocdir}/README +%{_unitdir}/%{name}.service +%dir %{_localstatedir}/cache/%{name} +# fixme: +%exclude %{_datadir}/%{name}/%{name}-patch.py* %if 0%{?with_python3} @@ -234,23 +260,15 @@ make check %endif -%if 0%{?with_lua} %files -n lua-%{name} %{lualibdir}/%{name} %{luapkgdir}/%{name}.lua -%endif %files templates -%{_datadir}/lxc/templates/lxc-* -# needs apt -%exclude %{_datadir}/lxc/templates/lxc-altlinux -# needs pacman -%exclude %{_datadir}/lxc/templates/lxc-archlinux -# needs zypper -%exclude %{_datadir}/lxc/templates/lxc-opensuse -# needs ubuntu-cloudimg-query -%exclude %{_datadir}/lxc/templates/lxc-ubuntu-cloud +%{_datadir}/%{name}/templates/lxc-* +%{_datadir}/%{name}/config/* +%{_pkgdocdir}/templates %files devel @@ -264,9 +282,16 @@ make check # README, AUTHORS and COPYING intentionally duplicated because -doc # can be installed on its own. %{_pkgdocdir}/* +%exclude %{_pkgdocdir}/templates %changelog +* Wed Jun 4 2014 Thomas Moschny - 1.0.3-1 +- Update to 1.0.3. +- Remove obsolete patches. +- Add systemd support. +- Lua bindings are not optional (needed e.g. for lxc-top). + * Wed May 28 2014 Kalev Lember - 0.9.0-4 - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 diff --git a/sources b/sources index f960493..dc8983a 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -8552a4479090616f4bc04d8473765fc9 lxc-0.9.0.tar.gz +55873b1411a606397309aa6c4c4263b3 lxc-1.0.3.tar.gz From ebe757a80cdf0f646d465e03cd8c37a1d3b0f284 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 7 Jun 2014 02:29:55 -0500 Subject: [PATCH 23/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 9ec1618..ad4ed90 100644 --- a/lxc.spec +++ b/lxc.spec @@ -12,7 +12,7 @@ Name: lxc Version: 1.0.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -286,6 +286,9 @@ make check %changelog +* Sat Jun 07 2014 Fedora Release Engineering - 1.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + * Wed Jun 4 2014 Thomas Moschny - 1.0.3-1 - Update to 1.0.3. - Remove obsolete patches. From b414f891d95d9f20ce14e4f524186209d79cc652 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Aug 2014 09:17:53 +0100 Subject: [PATCH 24/95] 1.0.5 --- .gitignore | 1 + lxc.spec | 9 ++++++--- sources | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 1040811..1f81d93 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ lxc-0.7.2.tar.gz /lxc-0.8.0.tar.gz /lxc-0.9.0.tar.gz /lxc-1.0.3.tar.gz +/lxc-1.0.5.tar.gz diff --git a/lxc.spec b/lxc.spec index ad4ed90..c844b02 100644 --- a/lxc.spec +++ b/lxc.spec @@ -11,8 +11,8 @@ %global luapkgdir %{_datadir}/lua/%{luaver} Name: lxc -Version: 1.0.3 -Release: 2%{?dist} +Version: 1.0.5 +Release: 1%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -137,7 +137,7 @@ This package contains documentation for %{name}. %prep -%setup -q -n %{name}-%{version} +%setup -q %build 
@@ -286,6 +286,9 @@ make check %changelog +* Fri Aug 8 2014 Peter Robinson 1.0.5-1 +- Update to 1.0.5 + * Sat Jun 07 2014 Fedora Release Engineering - 1.0.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild diff --git a/sources b/sources index dc8983a..6bc09a7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -55873b1411a606397309aa6c4c4263b3 lxc-1.0.3.tar.gz +9d9af9e9e69a831cd50b58d91c786013 lxc-1.0.5.tar.gz From e82df9eb330ad69429429dac7ab8addc82366136 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 8 Aug 2014 11:12:32 +0200 Subject: [PATCH 25/95] General packaging improvements. - Include sysvinit resp. systemd support for autostart of containers. - Do not list explicit requirements for templates. - Add missing dependency on lxc-lua for lxc-top. - Include apidocs. --- .gitignore | 1 + lxc-1.0.4-fix-init.patch | 22 +++++++ lxc.spec | 136 ++++++++++++++++++++++++++++----------- 3 files changed, 123 insertions(+), 36 deletions(-) create mode 100644 lxc-1.0.4-fix-init.patch diff --git a/.gitignore b/.gitignore index 1f81d93..7a2e347 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,5 @@ lxc-0.7.2.tar.gz /lxc-0.8.0.tar.gz /lxc-0.9.0.tar.gz /lxc-1.0.3.tar.gz +/lxc-1.0.4.tar.gz /lxc-1.0.5.tar.gz diff --git a/lxc-1.0.4-fix-init.patch b/lxc-1.0.4-fix-init.patch new file mode 100644 index 0000000..340ff76 --- /dev/null +++ b/lxc-1.0.4-fix-init.patch 
@@ -0,0 +1,22 @@ +diff -up lxc-1.0.4/config/init/sysvinit/lxc.in.orig lxc-1.0.4/config/init/sysvinit/lxc.in +--- lxc-1.0.4/config/init/sysvinit/lxc.in.orig 2014-07-05 17:47:14.143145522 +0200 ++++ lxc-1.0.4/config/init/sysvinit/lxc.in 2014-07-05 18:01:40.053721615 +0200 +@@ -2,13 +2,15 @@ + # + # lxc Start/Stop LXC autoboot containers + # +-# chkconfig: 345 99 01 ++# chkconfig: - 99 01 + # description: Starts/Stops all LXC containers configured for autostart. + # + ### BEGIN INIT INFO + # Provides: lxc +-# Default-Start: 3 4 5 +-# Default-Stop: 0 1 6 ++# Required-Start: $local_fs $network ++# Required-Stop: $local_fs $network ++# Default-Start: ++# Default-Stop: + # Short-Description: Bring up/down LXC autostart containers + # Description: Bring up/down LXC autostart containers + ### END INIT INFO diff --git a/lxc.spec b/lxc.spec index c844b02..274add5 100644 --- a/lxc.spec +++ b/lxc.spec @@ -2,6 +2,14 @@ %global with_python3 1 %endif +%if 0%{?fedora} || 0%{?rhel} >= 7 +%global with_systemd 1 +%endif + +%if 0%{?fedora} || ( 0%{?rhel} >= 7 && %{_arch} != ppc64 ) +%global with_seccomp 1 +%endif + %if 0%{?fedora} > 19 %global luaver 5.2 %else 
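Review bot: In the `@@ -2,6 +2,14 @@` hunk of lxc.spec, `%if 0%{?fedora} || ( 0%{?rhel} >= 7 && %{_arch} != ppc64 )` compares bare words; RPM's expression parser has not treated unquoted identifiers consistently across versions, and the documented form is a quoted string comparison, `%if 0%{?fedora} || ( 0%{?rhel} >= 7 && "%{_arch}" != "ppc64" )`. The ppc64 exclusion also carries no explanation, and since seccomp is a container-hardening feature it is worth being explicit about where it is deliberately off; a one-line comment next to `%global with_seccomp 1` such as `# seccomp off on EL7 ppc64 — reason: TODO confirm (libseccomp-devel availability?)` would spare the next maintainer the archaeology.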
@@ -12,23 +20,32 @@ Name: lxc Version: 1.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz +Patch0: lxc-1.0.4-fix-init.patch BuildRequires: docbook-utils Buildrequires: docbook2X +Buildrequires: doxygen BuildRequires: kernel-headers +BuildRequires: libselinux-devel +%if 0%{?with_seccomp} +BuildRequires: libseccomp-devel +%endif # with_seccomp BuildRequires: libcap-devel BuildRequires: libtool BuildRequires: lua-devel %if 0%{?with_python3} BuildRequires: python3-devel >= 3.2 -%endif +%endif # with_python3 +%if 0%{?with_systemd} BuildRequires: systemd - +%endif # with_systemd +# for lxc-top +Requires: lua-%{name}%{?_isa} = %{version}-%{release} %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -40,9 +57,16 @@ overhead of full virtualization. %package libs Summary: Runtime library files for %{name} Group: System Environment/Libraries +%if 0%{?with_systemd} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +%else +Requires(post): chkconfig +Requires(preun): initscripts, chkconfig +Requires(postun): initscripts +%endif # with_systemd + %description libs Linux Resource Containers provide process and resource isolation without the @@ -75,7 +99,7 @@ Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. This package contains tools needing the Python3 bindings. -%endif +%endif # with_python3 %package -n lua-%{name} 
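Review bot: The added `Buildrequires: doxygen` uses a lowercase-r spelling while every other new line in the hunk writes `BuildRequires:`; rpm accepts both, but it copies the pre-existing `Buildrequires: docbook2X` oddity into new code, so `BuildRequires: doxygen` would be the consistent form. The trailing comments on `%endif # with_seccomp`, `%endif # with_python3` and `%endif # with_systemd` are useful, but newer rpm releases warn about extra tokens after `%endif`; if that matters for the target releases, put the marker on its own `# endif with_seccomp` line instead.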
@@ -96,14 +120,14 @@ The lua-%{name} package contains the Lua binding for %{name}. Summary: Templates for %{name} Group: System Environment/Libraries Requires: %{name}-libs%{?_isa} = %{version}-%{release} -# needed for lxc-busybox -Requires: busybox -# needed for lxc-debian -Requires: dpkg -# needed for lxc-debian, lxc-ubuntu: -Requires: debootstrap rsync -# needed for lxc-sshd -Requires: openssh-server dhclient +# Note: Requirements for the template scripts (busybox, dpkg, +# debootstrap, rsync, openssh-server, dhclient, apt, pacman, zypper, +# ubuntu-cloudimg-query etc...) are not explicitly mentioned here: +# their presence varies wildly on supported Fedora/EPEL releases and +# archs, and they are in most cases needed for a single template +# only. Also, the templates normally fail graciously when such a tool +# is missing. Moving each template to its own subpackage on the other +# hand would be overkill. %description templates @@ -137,19 +161,32 @@ This package contains documentation for %{name}. %prep -%setup -q +%setup -q -n %{name}-%{version} +%patch0 -p1 %build %configure --with-distro=fedora \ --enable-doc \ + --enable-api-docs \ + --disable-silent-rules \ --docdir=%{_pkgdocdir} \ --disable-rpath \ --disable-apparmor \ + --disable-cgmanager \ + --enable-selinux \ +%if 0%{?with_seccomp} + --enable-seccomp \ +%endif # with_seccomp --enable-lua \ %if 0%{?with_python3} --enable-python \ -%endif +%endif # with_python3 +%if 0%{?with_systemd} + --with-init-script=systemd \ +%else + --with-init-script=sysvinit \ +%endif # with_systemd # intentionally blank line make %{?_smp_mflags} 
@@ -158,27 +195,16 @@ make %{?_smp_mflags} %{make_install} make DESTDIR=%{buildroot} install mkdir -p %{buildroot}%{_sharedstatedir}/%{name} -%if 0%{?with_lua} chmod -x %{buildroot}%{luapkgdir}/lxc.lua -%endif mkdir -p %{buildroot}%{_pkgdocdir} cp -a AUTHORS COPYING README %{buildroot}%{_pkgdocdir} +mkdir -p %{buildroot}%{_pkgdocdir}/api +cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ # cache dir mkdir -p %{buildroot}%{_localstatedir}/cache/%{name} -# move templates with extra dependencies -# - lxc-altlinux needs apt -# - lxc-archlinux needs pacman -# - lxc-opensuse needs zypper -# - lxc-ubuntu-cloud needs ubuntu-cloudimg-query -mkdir -p %{buildroot}%{_pkgdocdir}/templates -for t in altlinux archlinux opensuse ubuntu-cloud ; do - mv %{buildroot}%{_datadir}/%{name}/templates/%{name}-$t \ - %{buildroot}%{_pkgdocdir}/templates -done - %check make check @@ -186,23 +212,46 @@ make check %post libs /sbin/ldconfig +%if 0%{?with_systemd} %systemd_post %{name}.service +%else +/sbin/chkconfig --add %{name} +%endif # with_systemd %preun libs +%if 0%{?with_systemd} %systemd_preun %{name}.service +%else +if [ $1 -eq 0 ]; then + /sbin/service %{name} stop > /dev/null 2>&1 + /sbin/chkconfig --del %{name} +fi +%endif # with_systemd %postun libs /sbin/ldconfig +%if 0%{?with_systemd} %systemd_postun %{name}.service +%else +if [ $1 -ge 1 ]; then + /sbin/service %{name} condrestart > /dev/null 2>&1 || : +fi +%endif # with_systemd %files %{_bindir}/%{name}-* %{_mandir}/man1/%{name}* %{_mandir}/*/man1/%{name}* -%{_datadir}/%{name}/lxc.functions +# in lxc-libs: +%exclude %{_bindir}/%{name}-autostart +%exclude %{_mandir}/man1/%{name}-autostart* +%exclude %{_mandir}/*/man1/%{name}-autostart* +%exclude %{_mandir}/man1/%{name}-user-nic* +%exclude %{_mandir}/*/man1/%{name}-user-nic* +%{_datadir}/%{name}/%{name}.functions %if 0%{?with_python3} %exclude %{_bindir}/%{name}-device %exclude %{_bindir}/%{name}-ls 
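Review bot: In the `@@ -186,23 +212,46 @@` hunk, the sysvinit branch of `%postun libs` runs `/sbin/service %{name} condrestart` on every upgrade (`$1 -ge 1`), while the systemd branch uses `%systemd_postun %{name}.service`, which does not restart anything, so the two init paths behave differently on a -libs upgrade. Given that this service is the container autostart job, a restart means stopping and restarting running containers; decide which behaviour is intended and align both, either dropping the `condrestart` block if upgrades should leave containers alone, or switching the systemd side to `%systemd_postun_with_restart %{name}.service` if a restart is wanted. The `%preun` branch, which stops the service and runs `/sbin/chkconfig --del` only on full removal (`$1 -eq 0`), follows the standard pattern.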
@@ -210,9 +259,9 @@ make check %exclude %{_mandir}/man1/%{name}-device* %exclude %{_mandir}/man1/%{name}-ls* %exclude %{_mandir}/man1/%{name}-start-ephemeral* -%else -%{_bindir}/%{name}-ls -%{_mandir}/man1/%{name}-ls* +%exclude %{_mandir}/*/man1/%{name}-device* +%exclude %{_mandir}/*/man1/%{name}-ls* +%exclude %{_mandir}/*/man1/%{name}-start-ephemeral* %endif %dir %{_sysconfdir}/bash_completion.d/ %{_sysconfdir}/bash_completion.d/%{name} @@ -223,14 +272,20 @@ make check %dir %{_datadir}/%{name}/templates %dir %{_datadir}/%{name}/config %{_datadir}/%{name}/hooks +%{_datadir}/%{name}/%{name}-patch.py* %{_libdir}/liblxc.so.* %{_libdir}/%{name} %{_libexecdir}/%{name} # fixme: should be in libexecdir? %{_sbindir}/init.%{name} +%{_bindir}/%{name}-autostart %{_sharedstatedir}/%{name} %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/default.conf +%{_mandir}/man1/%{name}-autostart* +%{_mandir}/*/man1/%{name}-autostart* +%{_mandir}/man1/%{name}-user-nic* +%{_mandir}/*/man1/%{name}-user-nic* %{_mandir}/man5/%{name}* %{_mandir}/man7/%{name}* %{_mandir}/*/man5/%{name}* @@ -239,10 +294,12 @@ make check %{_pkgdocdir}/AUTHORS %{_pkgdocdir}/COPYING %{_pkgdocdir}/README +%if 0%{?with_systemd} %{_unitdir}/%{name}.service +%else +%{_sysconfdir}/rc.d/init.d/%{name} +%endif # with_systemd %dir %{_localstatedir}/cache/%{name} -# fixme: -%exclude %{_datadir}/%{name}/%{name}-patch.py* %if 0%{?with_python3} @@ -257,7 +314,10 @@ make check %{_mandir}/man1/%{name}-device* %{_mandir}/man1/%{name}-ls* %{_mandir}/man1/%{name}-start-ephemeral* -%endif +%{_mandir}/*/man1/%{name}-device* +%{_mandir}/*/man1/%{name}-ls* +%{_mandir}/*/man1/%{name}-start-ephemeral* +%endif # with_python3 %files -n lua-%{name} @@ -268,7 +328,6 @@ make check %files templates %{_datadir}/%{name}/templates/lxc-* %{_datadir}/%{name}/config/* -%{_pkgdocdir}/templates %files devel 
@@ -282,10 +341,15 @@ make check # README, AUTHORS and COPYING intentionally duplicated because -doc # can be installed on its own. %{_pkgdocdir}/* -%exclude %{_pkgdocdir}/templates %changelog +* Fri Aug 8 2014 Thomas Moschny - 1.0.5-2 +- Include sysvinit resp. systemd support for autostart of containers. +- Do not list explicit requirements for templates. +- Add missing dependency on lxc-lua for lxc-top. +- Include apidocs. + * Fri Aug 8 2014 Peter Robinson 1.0.5-1 - Update to 1.0.5 From 0473dc0805ff123c3cadb03ba625268c865b0952 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 10 Aug 2014 13:00:47 +0200 Subject: [PATCH 26/95] Update to 1.1.0.alpha1. --- .gitignore | 1 + lxc.spec | 24 +++++++++++++++++++++--- sources | 2 +- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 7a2e347..3b8f0f3 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ lxc-0.7.2.tar.gz /lxc-1.0.3.tar.gz /lxc-1.0.4.tar.gz /lxc-1.0.5.tar.gz +/lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz diff --git a/lxc.spec b/lxc.spec index 274add5..0c2a12f 100644 --- a/lxc.spec +++ b/lxc.spec @@ -18,14 +18,23 @@ %global lualibdir %{_libdir}/lua/%{luaver} %global luapkgdir %{_datadir}/lua/%{luaver} +# for pre-releases +%global prerel alpha1 +%global commit e75a5c5c76c649435bd9171d5ea457fe727f5388 +%global shortcommit %(c=%{commit}; echo ${c:0:7}) + Name: lxc -Version: 1.0.5 -Release: 2%{?dist} +Version: 1.1.0 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org +%if 0%{?prerel:1} +Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.tar.gz +%else Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz +%endif Patch0: lxc-1.0.4-fix-init.patch BuildRequires: docbook-utils Buildrequires: docbook2X 
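Review bot: `%global shortcommit %(c=%{commit}; echo ${c:0:7})` is evaluated on every parse of the spec but nothing in this hunk uses it — `Source0` is built from the full `%{commit}` — so it is dead unless referenced elsewhere; either drop it or fold it into the snapshot `Release` per the Fedora snapshot naming convention. Its `${c:0:7}` substring is a bash-ism that `%()` runs through `/bin/sh`, so it only works where `/bin/sh` is bash. As a supply-chain caveat, `Source0` now points at a GitHub-generated archive for a commit rather than a release tarball; the checksum in `sources` pins what was uploaded, but such archives are not guaranteed to be byte-stable, so a later re-download may fail the checksum rather than silently differ, which is the right failure mode but worth a comment next to the `%if 0%{?prerel:1}` block.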
@@ -44,6 +53,9 @@ BuildRequires: python3-devel >= 3.2 %if 0%{?with_systemd} BuildRequires: systemd %endif # with_systemd +%if 0%{?prerel:1} +BuildRequires: autoconf automake +%endif # for lxc-top Requires: lua-%{name}%{?_isa} = %{version}-%{release} @@ -161,11 +173,14 @@ This package contains documentation for %{name}. %prep -%setup -q -n %{name}-%{version} +%setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %build +%if 0%{?prerel:1} +./autogen.sh +%endif %configure --with-distro=fedora \ --enable-doc \ --enable-api-docs \ @@ -344,6 +359,9 @@ fi %changelog +* Sun Aug 10 2014 Thomas Moschny - 1.1.0-0.1.alpha1 +- Update to 1.1.0.alpha1. + * Fri Aug 8 2014 Thomas Moschny - 1.0.5-2 - Include sysvinit resp. systemd support for autostart of containers. - Do not list explicit requirements for templates. diff --git a/sources b/sources index 6bc09a7..c4eed80 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -9d9af9e9e69a831cd50b58d91c786013 lxc-1.0.5.tar.gz +8e62a6f6a452a868ad0d7d4e7870a234 lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz From abe6bbd7dc510f5c7b4f2aa59d87e700c3a5b1c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C4=8Cajka?= Date: Thu, 14 Aug 2014 01:37:00 +0200 Subject: [PATCH 27/95] Fixed build dependencies on s390(x) and ppc(64(le)). --- lxc.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index 0c2a12f..5ce7136 100644 --- a/lxc.spec +++ b/lxc.spec @@ -6,9 +6,11 @@ %global with_systemd 1 %endif -%if 0%{?fedora} || ( 0%{?rhel} >= 7 && %{_arch} != ppc64 ) +%if 0%{?fedora} || 0%{?rhel} >= 7 +%ifarch %{ix86} x86_64 %{arm} %global with_seccomp 1 %endif +%endif %if 0%{?fedora} > 19 %global luaver 5.2 @@ -25,7 +27,7 @@ Name: lxc Version: 1.1.0 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
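Review bot: `./autogen.sh` is run in `%build` for pre-releases, but the only build dependencies added for that case at `@@ -44,6` are `autoconf automake`; if autogen.sh also calls `libtoolize` (plausible for a package that ships `liblxc.so`, but verify against the script) the snapshot build fails, so `BuildRequires: autoconf automake libtool` is probably needed. The `%setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}}` expression at `@@ -161,11` is correct but dense; a comment above it such as `# GitHub snapshot tarballs unpack as %{name}-%{commit}, releases as %{name}-%{version}` would help the next reader.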
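Review bot: The new `%ifarch %{ix86} x86_64 %{arm}` allowlist silently builds without seccomp on every other architecture, which for a container runtime means containers there get no syscall filtering; that trade-off deserves a comment next to `%global with_seccomp 1`, e.g. `# libseccomp is not available on s390(x) and ppc(64(le)); containers built there run without seccomp filtering`, assuming that is indeed the reason. An allowlist also needs maintenance whenever a new arch gains libseccomp (a later patch in this series adds aarch64); an `%ifnarch` denylist of the arches named in the subject would turn a missing libseccomp into a loud build failure rather than a silent loss of hardening. The `%if ... %ifarch ... %endif %endif` nesting itself is correct.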
@@ -359,6 +361,9 @@ fi %changelog +* Mon Aug 11 2014 Jakub Čajka - 1.1.0-0.2.alpha1 +- Fixed build dependencies on s390(x) and ppc(64(le)) + * Sun Aug 10 2014 Thomas Moschny - 1.1.0-0.1.alpha1 - Update to 1.1.0.alpha1. From fe0bcd19a40a824264f9f9724301697e350bc4c2 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 17 Aug 2014 08:14:17 +0000 Subject: [PATCH 28/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 5ce7136..a47fd6d 100644 --- a/lxc.spec +++ b/lxc.spec @@ -27,7 +27,7 @@ Name: lxc Version: 1.1.0 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -361,6 +361,9 @@ fi %changelog +* Sun Aug 17 2014 Fedora Release Engineering - 1.1.0-0.2.alpha1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + * Mon Aug 11 2014 Jakub Čajka - 1.1.0-0.2.alpha1 - Fixed build dependencies on s390(x) and ppc(64(le)) From ffce302422eb9195eb09ede73baae276735fd85f Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 30 Aug 2014 13:04:46 +0200 Subject: [PATCH 29/95] Add missing dependency on lua-alt-getopt (rhbz#1131707). --- lxc.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index a47fd6d..c39ee8e 100644 --- a/lxc.spec +++ b/lxc.spec @@ -27,7 +27,7 @@ Name: lxc Version: 1.1.0 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 +Release: %{?prerel:0.}3%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -60,6 +60,7 @@ BuildRequires: autoconf automake %endif # for lxc-top Requires: lua-%{name}%{?_isa} = %{version}-%{release} +Requires: lua-alt-getopt %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} 
@@ -361,6 +362,9 @@ fi %changelog +* Sat Aug 30 2014 Thomas Moschny - 1.1.0-0.3.alpha1 +- Add missing dependency on lua-alt-getopt (rhbz#1131707). + * Sun Aug 17 2014 Fedora Release Engineering - 1.1.0-0.2.alpha1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild From 731a8f8e34cc6dcb57b1e6216f799228c37dd783 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 8 Feb 2015 12:22:19 +0100 Subject: [PATCH 30/95] Update to 1.1.0. --- .gitignore | 1 + lxc-1.0.4-fix-init.patch | 22 ------------------- lxc-1.1.0-fix-init.patch | 46 ++++++++++++++++++++++++++++++++++++++++ lxc.spec | 30 +++++++++++++++++++++----- sources | 2 +- 5 files changed, 73 insertions(+), 28 deletions(-) delete mode 100644 lxc-1.0.4-fix-init.patch create mode 100644 lxc-1.1.0-fix-init.patch diff --git a/.gitignore b/.gitignore index 3b8f0f3..b7328fb 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ lxc-0.7.2.tar.gz /lxc-1.0.4.tar.gz /lxc-1.0.5.tar.gz /lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz +/lxc-1.1.0.tar.gz diff --git a/lxc-1.0.4-fix-init.patch b/lxc-1.0.4-fix-init.patch deleted file mode 100644 index 340ff76..0000000 --- a/lxc-1.0.4-fix-init.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -up lxc-1.0.4/config/init/sysvinit/lxc.in.orig lxc-1.0.4/config/init/sysvinit/lxc.in ---- lxc-1.0.4/config/init/sysvinit/lxc.in.orig 2014-07-05 17:47:14.143145522 +0200 -+++ lxc-1.0.4/config/init/sysvinit/lxc.in 2014-07-05 18:01:40.053721615 +0200 -@@ -2,13 +2,15 @@ - # - # lxc Start/Stop LXC autoboot containers - # --# chkconfig: 345 99 01 -+# chkconfig: - 99 01 - # description: Starts/Stops all LXC containers configured for autostart. - # - ### BEGIN INIT INFO - # Provides: lxc --# Default-Start: 3 4 5 --# Default-Stop: 0 1 6 -+# Required-Start: $local_fs $network -+# Required-Stop: $local_fs $network -+# Default-Start: -+# Default-Stop: - # Short-Description: Bring up/down LXC autostart containers - # Description: Bring up/down LXC autostart containers - ### END INIT INFO diff --git a/lxc-1.1.0-fix-init.patch b/lxc-1.1.0-fix-init.patch new file mode 100644 index 0000000..1739c48 --- /dev/null +++ b/lxc-1.1.0-fix-init.patch 
@@ -0,0 +1,46 @@ +diff --git a/config/init/sysvinit/lxc-containers.in b/config/init/sysvinit/lxc-containers.in +index bc93322..06ca8f4 100644 +--- a/config/init/sysvinit/lxc-containers.in ++++ b/config/init/sysvinit/lxc-containers.in +@@ -2,13 +2,15 @@ + # + # lxc Start/Stop LXC autoboot containers + # +-# chkconfig: 345 99 01 ++# chkconfig: - 99 01 + # description: Starts/Stops all LXC containers configured for autostart. + # + ### BEGIN INIT INFO + # Provides: lxc +-# Default-Start: 2 3 4 5 +-# Default-Stop: 0 1 6 ++# Required-Start: $local_fs $network ++# Required-Stop: $local_fs $network ++# Default-Start: ++# Default-Stop: + # Short-Description: Bring up/down LXC autostart containers + # Description: Bring up/down LXC autostart containers + ### END INIT INFO +diff --git a/config/init/sysvinit/lxc-net.in b/config/init/sysvinit/lxc-net.in +index f6892c1..362469c 100644 +--- a/config/init/sysvinit/lxc-net.in ++++ b/config/init/sysvinit/lxc-net.in +@@ -2,13 +2,15 @@ + # + # lxc-net Start/Stop LXC Networking + # +-# chkconfig: 345 98 01 ++# chkconfig: - 98 01 + # description: Starts/Stops LXC Network Bridge + # + ### BEGIN INIT INFO + # Provides: lxc-net +-# Default-Start: 2 3 4 5 +-# Default-Stop: 1 ++# Required-Start: $local_fs $network ++# Required-Stop: $local_fs $network ++# Default-Start: ++# Default-Stop: + # Short-Description: Bring up/down LXC Network Bridge + # Description: Bring up/down LXC Network Bridge + ### END INIT INFO diff --git a/lxc.spec b/lxc.spec index c39ee8e..82b0b6c 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -12,22 +12,26 @@ %endif %endif -%if 0%{?fedora} > 19 +%if 0%{?fedora} >= 22 +%global luaver 5.3 +%else +%if 0%{?fedora} >= 20 %global luaver 5.2 %else %global luaver 5.1 %endif +%endif %global lualibdir %{_libdir}/lua/%{luaver} %global luapkgdir %{_datadir}/lua/%{luaver} # for pre-releases -%global prerel alpha1 -%global commit e75a5c5c76c649435bd9171d5ea457fe727f5388 +#global prerel +%global commit 62ed104940747d135ffd71f513e51bf3d912d1d9 %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc Version: 1.1.0 -Release: %{?prerel:0.}3%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -37,7 +41,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t %else Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif -Patch0: lxc-1.0.4-fix-init.patch +Patch0: lxc-1.1.0-fix-init.patch BuildRequires: docbook-utils Buildrequires: docbook2X Buildrequires: doxygen @@ -231,17 +235,22 @@ make check %post libs /sbin/ldconfig %if 0%{?with_systemd} +%systemd_post %{name}-net.service %systemd_post %{name}.service %else +/sbin/chkconfig --add %{name}-net /sbin/chkconfig --add %{name} %endif # with_systemd %preun libs %if 0%{?with_systemd} +%systemd_preun %{name}-net.service %systemd_preun %{name}.service %else if [ $1 -eq 0 ]; then + /sbin/service %{name}-net stop > /dev/null 2>&1 + /sbin/chkconfig --del %{name}-net /sbin/service %{name} stop > /dev/null 2>&1 /sbin/chkconfig --del %{name} fi @@ -251,9 +260,11 @@ fi %postun libs /sbin/ldconfig %if 0%{?with_systemd} +%systemd_postun %{name}-net.service %systemd_postun %{name}.service %else if [ $1 -ge 1 ]; then + /sbin/service %{name}-net condrestart > /dev/null 2>&1 || : /sbin/service %{name} condrestart > /dev/null 2>&1 || : fi %endif # with_systemd 
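Review bot: `Patch0: lxc-1.1.0-fix-init.patch` replaces the 1.0.4 patch with no comment on what it changes or its upstream status; from the patch body it sets `chkconfig: - 99 01` / `- 98 01` and empties `Default-Start`, i.e. it keeps the lxc and lxc-net init scripts from being enabled at install time. A comment above `Patch0:` such as `# Do not enable the lxc/lxc-net sysvinit scripts by default (upstream status: PLACEHOLDER)` would document that, with the real status filled in.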
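Review bot: In the sysvinit `%preun libs`, `lxc-net` is stopped and deregistered before `lxc`, yet the init scripts this same commit patches start `lxc-net` at priority 98 and `lxc` at 99, so on erase the bridge is torn down while autostarted containers may still be using it. Reversing the two pairs — stop and `--del` `%{name}` first, then `%{name}-net` — mirrors the start order; the same applies to the `condrestart` pair in `%postun` at `@@ -251,9`. The systemd branch is presumably unaffected because ordering there is expressed in the unit files, which are not shown.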
@@ -291,6 +302,9 @@ fi %dir %{_datadir}/%{name}/config %{_datadir}/%{name}/hooks %{_datadir}/%{name}/%{name}-patch.py* +%{_datadir}/%{name}/selinux +# fixme: should be in libexecdir? +%{_datadir}/%{name}/%{name}-restore-net %{_libdir}/liblxc.so.* %{_libdir}/%{name} %{_libexecdir}/%{name} @@ -300,6 +314,7 @@ fi %{_sharedstatedir}/%{name} %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/default.conf +%config(noreplace) %{_sysconfdir}/sysconfig/%{name} %{_mandir}/man1/%{name}-autostart* %{_mandir}/*/man1/%{name}-autostart* %{_mandir}/man1/%{name}-user-nic* @@ -314,8 +329,10 @@ fi %{_pkgdocdir}/README %if 0%{?with_systemd} %{_unitdir}/%{name}.service +%{_unitdir}/%{name}-net.service %else %{_sysconfdir}/rc.d/init.d/%{name} +%{_sysconfdir}/rc.d/init.d/%{name}-net %endif # with_systemd %dir %{_localstatedir}/cache/%{name} @@ -362,6 +379,9 @@ fi %changelog +* Sun Feb 8 2015 Thomas Moschny - 1.1.0-1 +- Update to 1.1.0. + * Sat Aug 30 2014 Thomas Moschny - 1.1.0-0.3.alpha1 - Add missing dependency on lua-alt-getopt (rhbz#1131707). diff --git a/sources b/sources index c4eed80..7ad6b30 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -8e62a6f6a452a868ad0d7d4e7870a234 lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz +ab1cbabf859abc15165050c854979c5c lxc-1.1.0.tar.gz From 39ccc3c1460e118252c2a0493a57cb54c40a58a4 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Tue, 10 Feb 2015 19:16:03 +0100 Subject: [PATCH 31/95] lxc-top no longer relies on the lua bindings. --- lxc.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lxc.spec b/lxc.spec index 82b0b6c..18c643d 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.0 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
@@ -62,9 +62,6 @@ BuildRequires: systemd %if 0%{?prerel:1} BuildRequires: autoconf automake %endif -# for lxc-top -Requires: lua-%{name}%{?_isa} = %{version}-%{release} -Requires: lua-alt-getopt %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -379,6 +376,9 @@ fi %changelog +* Tue Feb 10 2015 Thomas Moschny - 1.1.0-2 +- lxc-top no longer relies on the lua bindings. + * Sun Feb 8 2015 Thomas Moschny - 1.1.0-1 - Update to 1.1.0. From 48b9d0c54ef9273d17df7f0d41768498aaafd1c0 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Tue, 10 Feb 2015 19:16:46 +0100 Subject: [PATCH 32/95] lxc-device no longer relies on the python3 bindings. --- lxc.spec | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lxc.spec b/lxc.spec index 18c643d..df8e0ed 100644 --- a/lxc.spec +++ b/lxc.spec @@ -279,13 +279,10 @@ fi %exclude %{_mandir}/*/man1/%{name}-user-nic* %{_datadir}/%{name}/%{name}.functions %if 0%{?with_python3} -%exclude %{_bindir}/%{name}-device %exclude %{_bindir}/%{name}-ls %exclude %{_bindir}/%{name}-start-ephemeral -%exclude %{_mandir}/man1/%{name}-device* %exclude %{_mandir}/man1/%{name}-ls* %exclude %{_mandir}/man1/%{name}-start-ephemeral* -%exclude %{_mandir}/*/man1/%{name}-device* %exclude %{_mandir}/*/man1/%{name}-ls* %exclude %{_mandir}/*/man1/%{name}-start-ephemeral* %endif @@ -340,13 +337,10 @@ fi %files extra -%{_bindir}/%{name}-device %{_bindir}/%{name}-ls %{_bindir}/%{name}-start-ephemeral -%{_mandir}/man1/%{name}-device* %{_mandir}/man1/%{name}-ls* %{_mandir}/man1/%{name}-start-ephemeral* -%{_mandir}/*/man1/%{name}-device* %{_mandir}/*/man1/%{name}-ls* %{_mandir}/*/man1/%{name}-start-ephemeral* %endif # with_python3 @@ -378,6 +372,7 @@ fi %changelog * Tue Feb 10 2015 Thomas Moschny - 1.1.0-2 - lxc-top no longer relies on the lua bindings. +- lxc-device no longer relies on the python3 bindings. * Sun Feb 8 2015 Thomas Moschny - 1.1.0-1 - Update to 1.1.0. 
From d0303c0a5ef72150393c99ce8d51ee9582fd1cb1 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Tue, 10 Feb 2015 19:17:05 +0100 Subject: [PATCH 33/95] Spec file cleanups. --- lxc.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index df8e0ed..bddd1e3 100644 --- a/lxc.spec +++ b/lxc.spec @@ -43,8 +43,8 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch BuildRequires: docbook-utils -Buildrequires: docbook2X -Buildrequires: doxygen +BuildRequires: docbook2X +BuildRequires: doxygen BuildRequires: kernel-headers BuildRequires: libselinux-devel %if 0%{?with_seccomp} @@ -200,6 +200,8 @@ This package contains documentation for %{name}. --enable-lua \ %if 0%{?with_python3} --enable-python \ +%else + --disable-python \ %endif # with_python3 %if 0%{?with_systemd} --with-init-script=systemd \ @@ -373,6 +375,7 @@ fi * Tue Feb 10 2015 Thomas Moschny - 1.1.0-2 - lxc-top no longer relies on the lua bindings. - lxc-device no longer relies on the python3 bindings. +- Spec file cleanups. * Sun Feb 8 2015 Thomas Moschny - 1.1.0-1 - Update to 1.1.0. From 183bd2b78e7325c70280cfb58f72dd238808fdb5 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 16 Feb 2015 15:24:08 +0000 Subject: [PATCH 34/95] aarch64 now has seccomp support --- lxc.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index bddd1e3..f0b19f9 100644 --- a/lxc.spec +++ b/lxc.spec @@ -7,7 +7,7 @@ %endif %if 0%{?fedora} || 0%{?rhel} >= 7 -%ifarch %{ix86} x86_64 %{arm} +%ifarch %{ix86} x86_64 %{arm} aarch64 %global with_seccomp 1 %endif %endif @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.0 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}3%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
@@ -372,6 +372,9 @@ fi %changelog +* Mon Feb 16 2015 Peter Robinson 1.1.0-3 +- aarch64 now has seccomp support + * Tue Feb 10 2015 Thomas Moschny - 1.1.0-2 - lxc-top no longer relies on the lua bindings. - lxc-device no longer relies on the python3 bindings. From 4f5288e8a1fea29c0ed612da27bffdf26b82025b Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Tue, 17 Mar 2015 11:22:06 +0100 Subject: [PATCH 35/95] Update to 1.1.1. - Add dependency on rsync (rhbz#1177981). - Tag COPYING with %licence. --- .gitignore | 1 + lxc.spec | 16 ++++++++++++---- sources | 2 +- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index b7328fb..1a0e79e 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ lxc-0.7.2.tar.gz /lxc-1.0.5.tar.gz /lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz /lxc-1.1.0.tar.gz +/lxc-1.1.1.tar.gz diff --git a/lxc.spec b/lxc.spec index f0b19f9..52ba35d 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 1.1.0 -Release: %{?prerel:0.}3%{?prerel:.%{prerel}}%{?dist} +Version: 1.1.1 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -73,6 +73,8 @@ overhead of full virtualization. %package libs Summary: Runtime library files for %{name} Group: System Environment/Libraries +# rsync is called in bdev.c, e.g. by lxc-clone +Requires: rsync %if 0%{?with_systemd} Requires(post): systemd Requires(preun): systemd @@ -219,7 +221,7 @@ mkdir -p %{buildroot}%{_sharedstatedir}/%{name} chmod -x %{buildroot}%{luapkgdir}/lxc.lua mkdir -p %{buildroot}%{_pkgdocdir} -cp -a AUTHORS COPYING README %{buildroot}%{_pkgdocdir} +cp -a AUTHORS README %{buildroot}%{_pkgdocdir} mkdir -p %{buildroot}%{_pkgdocdir}/api cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ 
@@ -321,8 +323,8 @@ fi %{_mandir}/*/man7/%{name}* %dir %{_pkgdocdir} %{_pkgdocdir}/AUTHORS -%{_pkgdocdir}/COPYING %{_pkgdocdir}/README +%license COPYING %if 0%{?with_systemd} %{_unitdir}/%{name}.service %{_unitdir}/%{name}-net.service @@ -369,9 +371,15 @@ fi # README, AUTHORS and COPYING intentionally duplicated because -doc # can be installed on its own. %{_pkgdocdir}/* +%license COPYING %changelog +* Tue Mar 17 2015 Thomas Moschny - 1.1.1-1 +- Update to 1.1.1. +- Add dependency on rsync (rhbz#1177981). +- Tag COPYING with %%licence. + * Mon Feb 16 2015 Peter Robinson 1.1.0-3 - aarch64 now has seccomp support diff --git a/sources b/sources index 7ad6b30..bb9c336 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -ab1cbabf859abc15165050c854979c5c lxc-1.1.0.tar.gz +d80cb08f0edf36f0887e32c96aec8c13 lxc-1.1.1.tar.gz From 9ec775f7da952b71290bd8479b4b074cb31b4d75 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Wed, 18 Mar 2015 09:45:16 +0100 Subject: [PATCH 36/95] Use %license only where possible. --- lxc.spec | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index 52ba35d..241026a 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.1 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -221,7 +221,7 @@ mkdir -p %{buildroot}%{_sharedstatedir}/%{name} chmod -x %{buildroot}%{luapkgdir}/lxc.lua mkdir -p %{buildroot}%{_pkgdocdir} -cp -a AUTHORS README %{buildroot}%{_pkgdocdir} +cp -a AUTHORS README %{!?_licensedir:COPYING} %{buildroot}%{_pkgdocdir} mkdir -p %{buildroot}%{_pkgdocdir}/api cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ 
@@ -324,7 +324,11 @@ fi %dir %{_pkgdocdir} %{_pkgdocdir}/AUTHORS %{_pkgdocdir}/README +%if 0%{?_licensedir:1} %license COPYING +%else +%{_pkgdocdir}/COPYING +%endif %if 0%{?with_systemd} %{_unitdir}/%{name}.service %{_unitdir}/%{name}-net.service @@ -371,10 +375,15 @@ fi # README, AUTHORS and COPYING intentionally duplicated because -doc # can be installed on its own. %{_pkgdocdir}/* +%if 0%{?_licensedir:1} %license COPYING +%endif %changelog +* Tue Mar 17 2015 Thomas Moschny - 1.1.1-2 +- Use %%license only where possible. + * Tue Mar 17 2015 Thomas Moschny - 1.1.1-1 - Update to 1.1.1. - Add dependency on rsync (rhbz#1177981). From 94ee2a0a3f37c4abc30fa14250055168806c9723 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Mon, 20 Apr 2015 18:22:05 +0200 Subject: [PATCH 37/95] Update to 1.1.2. --- .gitignore | 1 + lxc.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 1a0e79e..5f0fb6f 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ lxc-0.7.2.tar.gz /lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz /lxc-1.1.0.tar.gz /lxc-1.1.1.tar.gz +/lxc-1.1.2.tar.gz diff --git a/lxc.spec b/lxc.spec index 241026a..4dfbec9 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 1.1.1 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Version: 1.1.2 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -381,6 +381,9 @@ fi %changelog +* Mon Apr 20 2015 Thomas Moschny - 1.1.2-1 +- Update to 1.1.2. + * Tue Mar 17 2015 Thomas Moschny - 1.1.1-2 - Use %%license only where possible. diff --git a/sources b/sources index bb9c336..ab8155f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d80cb08f0edf36f0887e32c96aec8c13 lxc-1.1.1.tar.gz +3ebadacf5fe8bfe689fd7a09812b682c lxc-1.1.2.tar.gz 
From 015266f6425792bc4c8e04f32e6a36d2916df9ce Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Thu, 23 Apr 2015 21:01:23 +0200 Subject: [PATCH 38/95] Add patch to fix building of the lua bindings. --- lxc-1.1.2-fix-lua-compat.patch | 15 +++++++++++++++ lxc.spec | 3 +++ 2 files changed, 18 insertions(+) create mode 100644 lxc-1.1.2-fix-lua-compat.patch diff --git a/lxc-1.1.2-fix-lua-compat.patch b/lxc-1.1.2-fix-lua-compat.patch new file mode 100644 index 0000000..fc4108d --- /dev/null +++ b/lxc-1.1.2-fix-lua-compat.patch @@ -0,0 +1,15 @@ +diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c +index 630a3e4..34180a7 100644 +--- a/src/lua-lxc/core.c ++++ b/src/lua-lxc/core.c +@@ -39,8 +39,10 @@ + #endif + + #if LUA_VERSION_NUM >= 503 ++#ifndef luaL_checkunsigned + #define luaL_checkunsigned(L,n) ((lua_Unsigned)luaL_checkinteger(L,n)) + #endif ++#endif + + #ifdef NO_CHECK_UDATA + #define checkudata(L,i,tname) lua_touserdata(L, i) diff --git a/lxc.spec b/lxc.spec index 4dfbec9..b9ef570 100644 --- a/lxc.spec +++ b/lxc.spec @@ -42,6 +42,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch +Patch1: lxc-1.1.2-fix-lua-compat.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen @@ -181,6 +182,7 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 +%patch1 -p1 %build @@ -383,6 +385,7 @@ fi %changelog * Mon Apr 20 2015 Thomas Moschny - 1.1.2-1 - Update to 1.1.2. +- Add patch to fix building of the lua bindings. * Tue Mar 17 2015 Thomas Moschny - 1.1.1-2 - Use %%license only where possible. From 2c3c1292cbbd5d4f2c82269dfff7810620b354f3 Mon Sep 17 00:00:00 2001 
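Review bot: `Patch1: lxc-1.1.2-fix-lua-compat.patch` is added without a comment on its purpose or upstream status. From the patch body it wraps the `luaL_checkunsigned` definition in `#ifndef` so building the lua bindings against a Lua 5.3 that already provides the macro does not hit a redefinition; a comment above `Patch1:` such as `# Avoid redefining luaL_checkunsigned when building the lua bindings against Lua 5.3 (upstream status: PLACEHOLDER)` would capture that for the next update.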
From: Dennis Gilmore Date: Wed, 17 Jun 2015 19:14:01 +0000 Subject: [PATCH 39/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index b9ef570..97e5856 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.2 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -383,6 +383,9 @@ fi %changelog +* Wed Jun 17 2015 Fedora Release Engineering - 1.1.2-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Mon Apr 20 2015 Thomas Moschny - 1.1.2-1 - Update to 1.1.2. - Add patch to fix building of the lua bindings. From cf3c9ccc091c41af48139b7586993cc4e45c1b61 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 2 Aug 2015 15:11:36 +0200 Subject: [PATCH 40/95] Add security fixes, see rhbz#1245939 and rhbz#1245941. --- lxc-1.1.2-fix-CVE-2015-1331.patch | 113 ++++++++++++++++++ lxc-1.1.2-fix-CVE-2015-1334.patch | 184 ++++++++++++++++++++++++++++++ lxc.spec | 11 +- 3 files changed, 307 insertions(+), 1 deletion(-) create mode 100644 lxc-1.1.2-fix-CVE-2015-1331.patch create mode 100644 lxc-1.1.2-fix-CVE-2015-1334.patch diff --git a/lxc-1.1.2-fix-CVE-2015-1331.patch b/lxc-1.1.2-fix-CVE-2015-1331.patch new file mode 100644 index 0000000..a963b64 --- /dev/null +++ b/lxc-1.1.2-fix-CVE-2015-1331.patch 
@@ -0,0 +1,113 @@ +From f50da74a71f2c33f869e6da15f131bf5c9174c12 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Fri, 3 Jul 2015 09:26:17 -0500 +Subject: [PATCH 1/2] CVE-2015-1331: lxclock: use /run/lxc/lock rather than + /run/lock/lxc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This prevents an unprivileged user to use LXC to create arbitrary file +on the filesystem. + +Signed-off-by: Serge Hallyn +Signed-off-by: Tyler Hicks +Acked-by: Stéphane Graber +--- + src/lxc/lxclock.c | 47 ++++++++++------------------------------------- + src/tests/locktests.c | 2 +- + 2 files changed, 11 insertions(+), 38 deletions(-) + +diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c +index fe13898..e9e95f7 100644 +--- a/src/lxc/lxclock.c ++++ b/src/lxc/lxclock.c +@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n) + char *rundir; + + /* lockfile will be: +- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root ++ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root + * or +- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root ++ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root + */ + +- /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */ +- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3; ++ /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */ ++ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3; + rundir = get_rundir(); + if (!rundir) + return NULL; +@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n) + return NULL; + } + +- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p); ++ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p); + if (ret < 0 || ret >= len) { + free(dest); + free(rundir); +@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n) + } + ret = mkdir_p(dest, 0755); + if (ret < 0) { +- /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." 
+ $lxcname + '\0' +- * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1) +- * * lxcpath always starts with '/' +- */ +- int l2 = 22 + strlen(n) + strlen(p); +- if (l2 > len) { +- char *d; +- d = realloc(dest, l2); +- if (!d) { +- free(dest); +- free(rundir); +- return NULL; +- } +- len = l2; +- dest = d; +- } +- ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p); +- if (ret < 0 || ret >= len) { +- free(dest); +- free(rundir); +- return NULL; +- } +- ret = mkdir_p(dest, 0755); +- if (ret < 0) { +- free(dest); +- free(rundir); +- return NULL; +- } +- ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n); +- } else +- ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n); ++ free(dest); ++ free(rundir); ++ return NULL; ++ } + ++ ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n); + free(rundir); +- + if (ret < 0 || ret >= len) { + free(dest); + return NULL; +diff --git a/src/tests/locktests.c b/src/tests/locktests.c +index dd3393a..233ca12 100644 +--- a/src/tests/locktests.c ++++ b/src/tests/locktests.c +@@ -122,7 +122,7 @@ int main(int argc, char *argv[]) + exit(1); + } + struct stat sb; +- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/"; ++ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/"; + ret = stat(pathname, &sb); + if (ret != 0) { + fprintf(stderr, "%d: filename %s not created\n", __LINE__, +-- +2.4.3 + diff --git a/lxc-1.1.2-fix-CVE-2015-1334.patch b/lxc-1.1.2-fix-CVE-2015-1334.patch new file mode 100644 index 0000000..0f69d87 --- /dev/null +++ b/lxc-1.1.2-fix-CVE-2015-1334.patch 
@@ -0,0 +1,184 @@ +From ef62305193a5bb7ec00ccf00451be4ff0efac3ca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 16 Jul 2015 16:37:51 -0400 +Subject: [PATCH 2/2] CVE-2015-1334: Don't use the container's /proc during + attach +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A user could otherwise over-mount /proc and prevent the apparmor profile +or selinux label from being written which combined with a modified +/bin/sh or other commonly used binary would lead to unconfined code +execution. + +Reported-by: Roman Fiedler +Signed-off-by: Stéphane Graber +--- + src/lxc/attach.c | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 93 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 69dafd4..436ae7a 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -76,6 +76,82 @@ + + lxc_log_define(lxc_attach, lxc); + ++int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) { ++ int labelfd = -1; ++ int ret = 0; ++ const char* name; ++ char* command = NULL; ++ ++ name = lsm_name(); ++ ++ if (strcmp(name, "nop") == 0) ++ goto out; ++ ++ if (strcmp(name, "none") == 0) ++ goto out; ++ ++ /* We don't support on-exec with AppArmor */ ++ if (strcmp(name, "AppArmor") == 0) ++ on_exec = 0; ++ ++ if (on_exec) { ++ labelfd = openat(procfd, "self/attr/exec", O_RDWR); ++ } ++ else { ++ labelfd = openat(procfd, "self/attr/current", O_RDWR); ++ } ++ ++ if (labelfd < 0) { ++ SYSERROR("Unable to open LSM label"); ++ ret = -1; ++ goto out; ++ } ++ ++ if (strcmp(name, "AppArmor") == 0) { ++ int size; ++ ++ command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); ++ if (!command) { ++ SYSERROR("Failed to write apparmor profile"); ++ ret = -1; ++ goto out; ++ } ++ ++ size = sprintf(command, "changeprofile %s", lsm_label); ++ if (size < 0) { ++ SYSERROR("Failed to write apparmor profile"); ++ ret = -1; ++ goto out; ++ } ++ ++ if 
(write(labelfd, command, size + 1) < 0) { ++ SYSERROR("Unable to set LSM label"); ++ ret = -1; ++ goto out; ++ } ++ } ++ else if (strcmp(name, "SELinux") == 0) { ++ if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { ++ SYSERROR("Unable to set LSM label"); ++ ret = -1; ++ goto out; ++ } ++ } ++ else { ++ ERROR("Unable to restore label for unknown LSM: %s", name); ++ ret = -1; ++ goto out; ++ } ++ ++out: ++ free(command); ++ ++ if (labelfd != -1) ++ close(labelfd); ++ ++ return ret; ++} ++ + static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) + { + struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); +@@ -570,6 +646,7 @@ struct attach_clone_payload { + struct lxc_proc_context_info* init_ctx; + lxc_attach_exec_t exec_function; + void* exec_payload; ++ int procfd; + }; + + static int attach_child_main(void* data); +@@ -622,6 +699,7 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun + char* cwd; + char* new_cwd; + int ipc_sockets[2]; ++ int procfd; + signed long personality; + + if (!options) +@@ -833,6 +911,13 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun + rexit(-1); + } + ++ procfd = open("/proc", O_DIRECTORY | O_RDONLY); ++ if (procfd < 0) { ++ SYSERROR("Unable to open /proc"); ++ shutdown(ipc_sockets[1], SHUT_RDWR); ++ rexit(-1); ++ } ++ + /* attach now, create another subprocess later, since pid namespaces + * only really affect the children of the current process + */ +@@ -860,7 +945,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun + .options = options, + .init_ctx = init_ctx, + .exec_function = exec_function, +- .exec_payload = exec_payload ++ .exec_payload = exec_payload, ++ .procfd = procfd + }; + /* We use clone_parent here to make this subprocess a direct child of + * the initial process. 
Then this intermediate process can exit and +@@ -898,6 +984,7 @@ static int attach_child_main(void* data) + { + struct attach_clone_payload* payload = (struct attach_clone_payload*)data; + int ipc_socket = payload->ipc_socket; ++ int procfd = payload->procfd; + lxc_attach_options_t* options = payload->options; + struct lxc_proc_context_info* init_ctx = payload->init_ctx; + #if HAVE_SYS_PERSONALITY_H +@@ -1038,13 +1125,11 @@ static int attach_child_main(void* data) + close(ipc_socket); + + /* set new apparmor profile/selinux context */ +- if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) { ++ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { + int on_exec; + + on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; +- ret = lsm_process_label_set(init_ctx->lsm_label, +- init_ctx->container->lxc_conf, 0, on_exec); +- if (ret < 0) { ++ if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) { + rexit(-1); + } + } +@@ -1095,6 +1180,9 @@ static int attach_child_main(void* data) + } + } + ++ /* we don't need proc anymore */ ++ close(procfd); ++ + /* we're done, so we can now do whatever the user intended us to do */ + rexit(payload->exec_function(payload->exec_payload)); + } +-- +2.4.3 + diff --git a/lxc.spec b/lxc.spec index 97e5856..5df3757 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.2 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
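Review bot: In `lsm_set_label_at` both `write()` calls are checked only for a negative return, so a short write would leave the confinement label unapplied while the function reports success — the outcome this CVE fix exists to rule out. Compare against the intended length instead, e.g. `ssize_t n = write(labelfd, command, size + 1); if (n != size + 1)` for the AppArmor branch and the same pattern with `strlen(lsm_label) + 1` for SELinux. The `sprintf(command, ...)` is bounded only by the preceding malloc arithmetic; storing that length in a variable and using `snprintf(command, cmdlen, ...)` keeps the two from drifting apart if either is edited later. `lsm_set_label_at` is also defined non-static with no declaration visible in a header, which will warn under -Wmissing-prototypes; if it is meant to be attach.c-local it should be `static`.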
@@ -43,6 +43,10 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch Patch1: lxc-1.1.2-fix-lua-compat.patch +# upstream commit 61ecf69 +Patch2: lxc-1.1.2-fix-CVE-2015-1331.patch +# based on upstream commit 659e807 +Patch3: lxc-1.1.2-fix-CVE-2015-1334.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen @@ -183,6 +187,8 @@ This package contains documentation for %{name}. %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build @@ -383,6 +389,9 @@ fi %changelog +* Sun Aug 2 2015 Thomas Moschny - 1.1.2-2 +- Add security fixes, see rhbz#1245939 and rhbz#1245941. + * Wed Jun 17 2015 Fedora Release Engineering - 1.1.2-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild From 4283bef6979fb35ffde13e59b4ce7d7526971a4f Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 16 Aug 2015 14:54:39 +0200 Subject: [PATCH 41/95] Update to 1.1.3. - Remove patches applied upstream. --- .gitignore | 1 + lxc-1.1.2-fix-CVE-2015-1331.patch | 113 ------------------ lxc-1.1.2-fix-CVE-2015-1334.patch | 184 ------------------------------ lxc-1.1.2-fix-lua-compat.patch | 15 --- lxc.spec | 18 +-- sources | 2 +- 6 files changed, 8 insertions(+), 325 deletions(-) delete mode 100644 lxc-1.1.2-fix-CVE-2015-1331.patch delete mode 100644 lxc-1.1.2-fix-CVE-2015-1334.patch delete mode 100644 lxc-1.1.2-fix-lua-compat.patch diff --git a/.gitignore b/.gitignore index 5f0fb6f..3bffdde 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ lxc-0.7.2.tar.gz /lxc-1.1.0.tar.gz /lxc-1.1.1.tar.gz /lxc-1.1.2.tar.gz +/lxc-1.1.3.tar.gz diff --git a/lxc-1.1.2-fix-CVE-2015-1331.patch b/lxc-1.1.2-fix-CVE-2015-1331.patch deleted file mode 100644 index a963b64..0000000 --- a/lxc-1.1.2-fix-CVE-2015-1331.patch +++ /dev/null 
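Review bot: The provenance comments on the new Patch2/Patch3 lines (`# upstream commit 61ecf69`, `# based on upstream commit 659e807`) do not match the `From` lines inside the patch files themselves (f50da74a… and ef62305…), so a reader cannot tell which upstream commit is actually being carried. Since these are security backports, the spec should cite the ids that appear in the patch headers, or state that 61ecf69/659e807 are the stable-branch cherry-picks of those commits if that is what they are; e.g. `# upstream commit f50da74 (CVE-2015-1331, rhbz#1245939)`. Putting the rhbz references next to the Patch lines, rather than only in the changelog, keeps the audit trail in one place.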
@@ -1,113 +0,0 @@ -From f50da74a71f2c33f869e6da15f131bf5c9174c12 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Fri, 3 Jul 2015 09:26:17 -0500 -Subject: [PATCH 1/2] CVE-2015-1331: lxclock: use /run/lxc/lock rather than - /run/lock/lxc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This prevents an unprivileged user to use LXC to create arbitrary file -on the filesystem. - -Signed-off-by: Serge Hallyn -Signed-off-by: Tyler Hicks -Acked-by: Stéphane Graber ---- - src/lxc/lxclock.c | 47 ++++++++++------------------------------------- - src/tests/locktests.c | 2 +- - 2 files changed, 11 insertions(+), 38 deletions(-) - -diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c -index fe13898..e9e95f7 100644 ---- a/src/lxc/lxclock.c -+++ b/src/lxc/lxclock.c -@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n) - char *rundir; - - /* lockfile will be: -- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root -+ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root - * or -- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root -+ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root - */ - -- /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */ -- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3; -+ /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */ -+ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3; - rundir = get_rundir(); - if (!rundir) - return NULL; -@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n) - return NULL; - } - -- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p); -+ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p); - if (ret < 0 || ret >= len) { - free(dest); - free(rundir); -@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n) - } - ret = mkdir_p(dest, 0755); - if (ret < 0) { -- /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." 
+ $lxcname + '\0' -- * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1) -- * * lxcpath always starts with '/' -- */ -- int l2 = 22 + strlen(n) + strlen(p); -- if (l2 > len) { -- char *d; -- d = realloc(dest, l2); -- if (!d) { -- free(dest); -- free(rundir); -- return NULL; -- } -- len = l2; -- dest = d; -- } -- ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p); -- if (ret < 0 || ret >= len) { -- free(dest); -- free(rundir); -- return NULL; -- } -- ret = mkdir_p(dest, 0755); -- if (ret < 0) { -- free(dest); -- free(rundir); -- return NULL; -- } -- ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n); -- } else -- ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n); -+ free(dest); -+ free(rundir); -+ return NULL; -+ } - -+ ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n); - free(rundir); -- - if (ret < 0 || ret >= len) { - free(dest); - return NULL; -diff --git a/src/tests/locktests.c b/src/tests/locktests.c -index dd3393a..233ca12 100644 ---- a/src/tests/locktests.c -+++ b/src/tests/locktests.c -@@ -122,7 +122,7 @@ int main(int argc, char *argv[]) - exit(1); - } - struct stat sb; -- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/"; -+ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/"; - ret = stat(pathname, &sb); - if (ret != 0) { - fprintf(stderr, "%d: filename %s not created\n", __LINE__, --- -2.4.3 - diff --git a/lxc-1.1.2-fix-CVE-2015-1334.patch b/lxc-1.1.2-fix-CVE-2015-1334.patch deleted file mode 100644 index 0f69d87..0000000 --- a/lxc-1.1.2-fix-CVE-2015-1334.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From ef62305193a5bb7ec00ccf00451be4ff0efac3ca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?St=C3=A9phane=20Graber?= -Date: Thu, 16 Jul 2015 16:37:51 -0400 -Subject: [PATCH 2/2] CVE-2015-1334: Don't use the container's /proc during - attach -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -A user could otherwise over-mount /proc and prevent the apparmor profile -or selinux label from being written which combined with a modified -/bin/sh or other commonly used binary would lead to unconfined code -execution. - -Reported-by: Roman Fiedler -Signed-off-by: Stéphane Graber ---- - src/lxc/attach.c | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 93 insertions(+), 5 deletions(-) - -diff --git a/src/lxc/attach.c b/src/lxc/attach.c -index 69dafd4..436ae7a 100644 ---- a/src/lxc/attach.c -+++ b/src/lxc/attach.c -@@ -76,6 +76,82 @@ - - lxc_log_define(lxc_attach, lxc); - -+int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) { -+ int labelfd = -1; -+ int ret = 0; -+ const char* name; -+ char* command = NULL; -+ -+ name = lsm_name(); -+ -+ if (strcmp(name, "nop") == 0) -+ goto out; -+ -+ if (strcmp(name, "none") == 0) -+ goto out; -+ -+ /* We don't support on-exec with AppArmor */ -+ if (strcmp(name, "AppArmor") == 0) -+ on_exec = 0; -+ -+ if (on_exec) { -+ labelfd = openat(procfd, "self/attr/exec", O_RDWR); -+ } -+ else { -+ labelfd = openat(procfd, "self/attr/current", O_RDWR); -+ } -+ -+ if (labelfd < 0) { -+ SYSERROR("Unable to open LSM label"); -+ ret = -1; -+ goto out; -+ } -+ -+ if (strcmp(name, "AppArmor") == 0) { -+ int size; -+ -+ command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); -+ if (!command) { -+ SYSERROR("Failed to write apparmor profile"); -+ ret = -1; -+ goto out; -+ } -+ -+ size = sprintf(command, "changeprofile %s", lsm_label); -+ if (size < 0) { -+ SYSERROR("Failed to write apparmor profile"); -+ ret = -1; -+ goto out; -+ } -+ -+ if 
(write(labelfd, command, size + 1) < 0) { -+ SYSERROR("Unable to set LSM label"); -+ ret = -1; -+ goto out; -+ } -+ } -+ else if (strcmp(name, "SELinux") == 0) { -+ if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { -+ SYSERROR("Unable to set LSM label"); -+ ret = -1; -+ goto out; -+ } -+ } -+ else { -+ ERROR("Unable to restore label for unknown LSM: %s", name); -+ ret = -1; -+ goto out; -+ } -+ -+out: -+ free(command); -+ -+ if (labelfd != -1) -+ close(labelfd); -+ -+ return ret; -+} -+ - static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) - { - struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); -@@ -570,6 +646,7 @@ struct attach_clone_payload { - struct lxc_proc_context_info* init_ctx; - lxc_attach_exec_t exec_function; - void* exec_payload; -+ int procfd; - }; - - static int attach_child_main(void* data); -@@ -622,6 +699,7 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun - char* cwd; - char* new_cwd; - int ipc_sockets[2]; -+ int procfd; - signed long personality; - - if (!options) -@@ -833,6 +911,13 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun - rexit(-1); - } - -+ procfd = open("/proc", O_DIRECTORY | O_RDONLY); -+ if (procfd < 0) { -+ SYSERROR("Unable to open /proc"); -+ shutdown(ipc_sockets[1], SHUT_RDWR); -+ rexit(-1); -+ } -+ - /* attach now, create another subprocess later, since pid namespaces - * only really affect the children of the current process - */ -@@ -860,7 +945,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun - .options = options, - .init_ctx = init_ctx, - .exec_function = exec_function, -- .exec_payload = exec_payload -+ .exec_payload = exec_payload, -+ .procfd = procfd - }; - /* We use clone_parent here to make this subprocess a direct child of - * the initial process. 
Then this intermediate process can exit and -@@ -898,6 +984,7 @@ static int attach_child_main(void* data) - { - struct attach_clone_payload* payload = (struct attach_clone_payload*)data; - int ipc_socket = payload->ipc_socket; -+ int procfd = payload->procfd; - lxc_attach_options_t* options = payload->options; - struct lxc_proc_context_info* init_ctx = payload->init_ctx; - #if HAVE_SYS_PERSONALITY_H -@@ -1038,13 +1125,11 @@ static int attach_child_main(void* data) - close(ipc_socket); - - /* set new apparmor profile/selinux context */ -- if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) { -+ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { - int on_exec; - - on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; -- ret = lsm_process_label_set(init_ctx->lsm_label, -- init_ctx->container->lxc_conf, 0, on_exec); -- if (ret < 0) { -+ if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) { - rexit(-1); - } - } -@@ -1095,6 +1180,9 @@ static int attach_child_main(void* data) - } - } - -+ /* we don't need proc anymore */ -+ close(procfd); -+ - /* we're done, so we can now do whatever the user intended us to do */ - rexit(payload->exec_function(payload->exec_payload)); - } --- -2.4.3 - diff --git a/lxc-1.1.2-fix-lua-compat.patch b/lxc-1.1.2-fix-lua-compat.patch deleted file mode 100644 index fc4108d..0000000 --- a/lxc-1.1.2-fix-lua-compat.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c -index 630a3e4..34180a7 100644 ---- a/src/lua-lxc/core.c -+++ b/src/lua-lxc/core.c -@@ -39,8 +39,10 @@ - #endif - - #if LUA_VERSION_NUM >= 503 -+#ifndef luaL_checkunsigned - #define luaL_checkunsigned(L,n) ((lua_Unsigned)luaL_checkinteger(L,n)) - #endif -+#endif - - #ifdef NO_CHECK_UDATA - #define checkudata(L,i,tname) lua_touserdata(L, i) diff --git a/lxc.spec b/lxc.spec index 5df3757..1020ac8 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 1.1.2 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Version: 1.1.3 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -42,11 +42,6 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch -Patch1: lxc-1.1.2-fix-lua-compat.patch -# upstream commit 61ecf69 -Patch2: lxc-1.1.2-fix-CVE-2015-1331.patch -# based on upstream commit 659e807 -Patch3: lxc-1.1.2-fix-CVE-2015-1334.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen @@ -186,9 +181,6 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 %build @@ -309,8 +301,6 @@ fi %{_datadir}/%{name}/hooks %{_datadir}/%{name}/%{name}-patch.py* %{_datadir}/%{name}/selinux -# fixme: should be in libexecdir? -%{_datadir}/%{name}/%{name}-restore-net %{_libdir}/liblxc.so.* %{_libdir}/%{name} %{_libexecdir}/%{name} @@ -389,6 +379,10 @@ fi %changelog +* Sat Aug 15 2015 Thomas Moschny - 1.1.3-1 +- Update to 1.1.3. +- Remove patches applied upstream. + * Sun Aug 2 2015 Thomas Moschny - 1.1.2-2 - Add security fixes, see rhbz#1245939 and rhbz#1245941. diff --git a/sources b/sources index ab8155f..1422bb9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3ebadacf5fe8bfe689fd7a09812b682c lxc-1.1.2.tar.gz +197abb5a28ab0b689c737eb1951023fb lxc-1.1.3.tar.gz From 38800e7bbe2809370a183bab645669c86153a83f Mon Sep 17 00:00:00 2001 
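Review bot: The `%files` hunk drops `%{_datadir}/%{name}/%{name}-restore-net` while the changelog entry only mentions the version update and the removed patches; a line such as `- Drop lxc-restore-net, no longer shipped in 1.1.3` would document the packaging change (presumably the script is gone upstream — confirm against the 1.1.3 tarball). On the supply-chain side, `sources` pins the new tarball by MD5 only and `Source0` is still fetched over plain http, so it is worth recording that the tarball was verified against upstream's signature before the checksum was taken, or switching `Source0` to https://.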
From: Thomas Moschny Date: Thu, 1 Oct 2015 16:03:05 +0200 Subject: [PATCH 42/95] Add security fix, see rhbz#1267844. --- lxc-1.1.3-fix-CVE-2015-1335.patch | 636 ++++++++++++++++++++++++++++++ lxc.spec | 14 +- 2 files changed, 647 insertions(+), 3 deletions(-) create mode 100644 lxc-1.1.3-fix-CVE-2015-1335.patch diff --git a/lxc-1.1.3-fix-CVE-2015-1335.patch b/lxc-1.1.3-fix-CVE-2015-1335.patch new file mode 100644 index 0000000..719816e --- /dev/null +++ b/lxc-1.1.3-fix-CVE-2015-1335.patch 
@@ -0,0 +1,636 @@ +From 1f9cc4943b640d9355709432a705e5fa6e9ad4df Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Mon, 31 Aug 2015 12:57:20 -0500 +Subject: [PATCH 1/1] Protect container mounts against symlinks + +When a container starts up, lxc sets up the container's inital fstree +by doing a bunch of mounting, guided by the container configuration +file. The container config is owned by the admin or user on the host, +so we do not try to guard against bad entries. However, since the +mount target is in the container, it's possible that the container admin +could divert the mount with symbolic links. This could bypass proper +container startup (i.e. confinement of a root-owned container by the +restrictive apparmor policy, by diverting the required write to +/proc/self/attr/current), or bypass the (path-based) apparmor policy +by diverting, say, /proc to /mnt in the container. + +To prevent this, + +1. do not allow mounts to paths containing symbolic links + +2. do not allow bind mounts from relative paths containing symbolic +links. + +Details: + +Define safe_mount which ensures that the container has not inserted any +symbolic links into any mount targets for mounts to be done during +container setup. + +The host's mount path may contain symbolic links. As it is under the +control of the administrator, that's ok. So safe_mount begins the check +for symbolic links after the rootfs->mount, by opening that directory. + +It opens each directory along the path using openat() relative to the +parent directory using O_NOFOLLOW. When the target is reached, it +mounts onto /proc/self/fd/. + +Use safe_mount() in mount_entry(), when mounting container proc, +and when needed. In particular, safe_mount() need not be used in +any case where: + +1. the mount is done in the container's namespace +2. the mount is for the container's rootfs +3. 
the mount is relative to a tmpfs or proc/sysfs which we have + just safe_mount()ed ourselves + +Since we were using proc/net as a temporary placeholder for /proc/sys/net +during container startup, and proc/net is a symbolic link, use proc/tty +instead. + +Update the lxc.container.conf manpage with details about the new +restrictions. + +Finally, add a testcase to test some symbolic link possibilities. + +Signed-off-by: Serge Hallyn +--- + doc/lxc.container.conf.sgml.in | 12 +++ + src/lxc/cgfs.c | 5 +- + src/lxc/cgmanager.c | 4 +- + src/lxc/conf.c | 29 ++--- + src/lxc/utils.c | 235 ++++++++++++++++++++++++++++++++++++++++- + src/lxc/utils.h | 2 + + src/tests/Makefile.am | 2 + + src/tests/lxc-test-symlink | 88 +++++++++++++++ + 8 files changed, 359 insertions(+), 18 deletions(-) + create mode 100644 src/tests/lxc-test-symlink + +diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in +index 50c6a2a..0a1ec5f 100644 +--- a/doc/lxc.container.conf.sgml.in ++++ b/doc/lxc.container.conf.sgml.in +@@ -699,6 +699,18 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + container. This is useful to mount /etc, /var or /home for + examples. + ++ ++ NOTE - LXC will generally ensure that mount targets and relative ++ bind-mount sources are properly confined under the container ++ root, to avoid attacks involving over-mounting host directories ++ and files. (Symbolic links in absolute mount sources are ignored) ++ However, if the container configuration first mounts a directory which ++ is under the control of the container user, such as /home/joe, into ++ the container at some path, and then mounts ++ under path, then a TOCTTOU attack would be ++ possible where the container user modifies a symbolic link under ++ his home directory at just the right time. 
++ + + + +diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c +index fcb3cde..df2e6b2 100644 +--- a/src/lxc/cgfs.c ++++ b/src/lxc/cgfs.c +@@ -1363,7 +1363,10 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type) + if (!path) + return false; + snprintf(path, bufsz, "%s/sys/fs/cgroup", root); +- r = mount("cgroup_root", path, "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, "size=10240k,mode=755"); ++ r = safe_mount("cgroup_root", path, "tmpfs", ++ MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, ++ "size=10240k,mode=755", ++ root); + if (r < 0) { + SYSERROR("could not mount tmpfs to /sys/fs/cgroup in the container"); + return false; +diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c +index c143bea..779a1d8 100644 +--- a/src/lxc/cgmanager.c ++++ b/src/lxc/cgmanager.c +@@ -1477,7 +1477,7 @@ static bool cgm_bind_dir(const char *root, const char *dirname) + } + + /* mount a tmpfs there so we can create subdirs */ +- if (mount("cgroup", cgpath, "tmpfs", 0, "size=10000,mode=755")) { ++ if (safe_mount("cgroup", cgpath, "tmpfs", 0, "size=10000,mode=755", root)) { + SYSERROR("Failed to mount tmpfs at %s", cgpath); + return false; + } +@@ -1488,7 +1488,7 @@ static bool cgm_bind_dir(const char *root, const char *dirname) + return false; + } + +- if (mount(dirname, cgpath, "none", MS_BIND, 0)) { ++ if (safe_mount(dirname, cgpath, "none", MS_BIND, 0, root)) { + SYSERROR("Failed to bind mount %s to %s", dirname, cgpath); + return false; + } +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index d37112b..8cff919 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -763,10 +763,11 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + * 2.6.32... 
+ */ + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/net", NULL, MS_BIND, NULL }, ++ /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */ ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/net", "%r/proc/sys/net", NULL, MS_MOVE, NULL }, ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, +@@ -809,7 +810,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + } + mflags = add_required_remount_flags(source, destination, + default_mounts[i].flags); +- r = mount(source, destination, default_mounts[i].fstype, mflags, default_mounts[i].options); ++ r = safe_mount(source, destination, default_mounts[i].fstype, mflags, default_mounts[i].options, conf->rootfs.path ? conf->rootfs.mount : NULL); + saved_errno = errno; + if (r < 0 && errno == ENOENT) { + INFO("Mount source or target for %s on %s doesn't exist. 
Skipping.", source, destination); +@@ -1161,7 +1162,7 @@ static int mount_autodev(const char *name, char *root, const char *lxcpath) + return 0; + } + +- if (mount("none", path, "tmpfs", 0, "size=100000,mode=755")) { ++ if (safe_mount("none", path, "tmpfs", 0, "size=100000,mode=755", root)) { + SYSERROR("Failed mounting tmpfs onto %s\n", path); + return false; + } +@@ -1246,7 +1247,7 @@ static int fill_autodev(const char *root) + return -1; + } + fclose(pathfile); +- if (mount(hostpath, path, 0, MS_BIND, NULL) != 0) { ++ if (safe_mount(hostpath, path, 0, MS_BIND, NULL, root) != 0) { + SYSERROR("Failed bind mounting device %s from host into container", + d->name); + return -1; +@@ -1499,7 +1500,7 @@ static int setup_dev_console(const struct lxc_rootfs *rootfs, + return -1; + } + +- if (mount(console->name, path, "none", MS_BIND, 0)) { ++ if (safe_mount(console->name, path, "none", MS_BIND, 0, rootfs->mount)) { + ERROR("failed to mount '%s' on '%s'", console->name, path); + return -1; + } +@@ -1554,7 +1555,7 @@ static int setup_ttydir_console(const struct lxc_rootfs *rootfs, + return 0; + } + +- if (mount(console->name, lxcpath, "none", MS_BIND, 0)) { ++ if (safe_mount(console->name, lxcpath, "none", MS_BIND, 0, rootfs->mount)) { + ERROR("failed to mount '%s' on '%s'", console->name, lxcpath); + return -1; + } +@@ -1704,13 +1705,13 @@ static char *get_field(char *src, int nfields) + + static int mount_entry(const char *fsname, const char *target, + const char *fstype, unsigned long mountflags, +- const char *data, int optional) ++ const char *data, int optional, const char *rootfs) + { + #ifdef HAVE_STATVFS + struct statvfs sb; + #endif + +- if (mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data)) { ++ if (safe_mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data, rootfs)) { + if (optional) { + INFO("failed to mount '%s' on '%s' (optional): %s", fsname, + target, strerror(errno)); +@@ -1757,7 +1758,7 @@ static int mount_entry(const char *fsname, 
const char *target, + #endif + + if (mount(fsname, target, fstype, +- mountflags | MS_REMOUNT, data)) { ++ mountflags | MS_REMOUNT, data) < 0) { + if (optional) { + INFO("failed to mount '%s' on '%s' (optional): %s", + fsname, target, strerror(errno)); +@@ -1843,7 +1844,7 @@ static inline int mount_entry_on_systemfs(struct mntent *mntent) + } + + ret = mount_entry(mntent->mnt_fsname, mntent->mnt_dir, +- mntent->mnt_type, mntflags, mntdata, optional); ++ mntent->mnt_type, mntflags, mntdata, optional, NULL); + + free(pathdirname); + free(mntdata); +@@ -1930,7 +1931,7 @@ skipabs: + } + + ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, +- mntflags, mntdata, optional); ++ mntflags, mntdata, optional, rootfs->mount); + + free(mntdata); + +@@ -1986,7 +1987,7 @@ static int mount_entry_on_relative_rootfs(struct mntent *mntent, + } + + ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, +- mntflags, mntdata, optional); ++ mntflags, mntdata, optional, rootfs); + + free(pathdirname); + free(mntdata); +@@ -3646,7 +3647,7 @@ void lxc_execute_bind_init(struct lxc_conf *conf) + fclose(pathfile); + } + +- ret = mount(path, destpath, "none", MS_BIND, NULL); ++ ret = safe_mount(path, destpath, "none", MS_BIND, NULL, conf->rootfs.mount); + if (ret < 0) + SYSERROR("Failed to bind lxc.init.static into container"); + INFO("lxc.init.static bound into container at %s", path); +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 7ced314..70d12d5 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1403,6 +1403,239 @@ int setproctitle(char *title) + } + + /* ++ * @path: a pathname where / replaced with '\0'. ++ * @offsetp: pointer to int showing which path segment was last seen. ++ * Updated on return to reflect the next segment. ++ * @fulllen: full original path length. ++ * Returns a pointer to the next path segment, or NULL if done. 
++ */ ++static char *get_nextpath(char *path, int *offsetp, int fulllen) ++{ ++ int offset = *offsetp; ++ ++ if (offset >= fulllen) ++ return NULL; ++ ++ while (path[offset] != '\0' && offset < fulllen) ++ offset++; ++ while (path[offset] == '\0' && offset < fulllen) ++ offset++; ++ ++ *offsetp = offset; ++ return (offset < fulllen) ? &path[offset] : NULL; ++} ++ ++/* ++ * Check that @subdir is a subdir of @dir. @len is the length of ++ * @dir (to avoid having to recalculate it). ++ */ ++static bool is_subdir(const char *subdir, const char *dir, size_t len) ++{ ++ size_t subdirlen = strlen(subdir); ++ ++ if (subdirlen < len) ++ return false; ++ if (strncmp(subdir, dir, len) != 0) ++ return false; ++ if (dir[len-1] == '/') ++ return true; ++ if (subdir[len] == '/' || subdirlen == len) ++ return true; ++ return false; ++} ++ ++/* ++ * Check if the open fd is a symlink. Return -ELOOP if it is. Return ++ * -ENOENT if we couldn't fstat. Return 0 if the fd is ok. ++ */ ++static int check_symlink(int fd) ++{ ++ struct stat sb; ++ int ret = fstat(fd, &sb); ++ if (ret < 0) ++ return -ENOENT; ++ if (S_ISLNK(sb.st_mode)) ++ return -ELOOP; ++ return 0; ++} ++ ++/* ++ * Open a file or directory, provided that it contains no symlinks. ++ * ++ * CAVEAT: This function must not be used for other purposes than container ++ * setup before executing the container's init ++ */ ++static int open_if_safe(int dirfd, const char *nextpath) ++{ ++ int newfd = openat(dirfd, nextpath, O_RDONLY | O_NOFOLLOW); ++ if (newfd >= 0) // was not a symlink, all good ++ return newfd; ++ ++ if (errno == ELOOP) ++ return newfd; ++ ++ if (errno == EPERM || errno == EACCES) { ++ /* we're not root (cause we got EPERM) so ++ try opening with O_PATH */ ++ newfd = openat(dirfd, nextpath, O_PATH | O_NOFOLLOW); ++ if (newfd >= 0) { ++ /* O_PATH will return an fd for symlinks. 
We know ++ * nextpath wasn't a symlink at last openat, so if fd ++ * is now a link, then something * fishy is going on ++ */ ++ int ret = check_symlink(newfd); ++ if (ret < 0) { ++ close(newfd); ++ newfd = ret; ++ } ++ } ++ } ++ ++ return newfd; ++} ++ ++/* ++ * Open a path intending for mounting, ensuring that the final path ++ * is inside the container's rootfs. ++ * ++ * CAVEAT: This function must not be used for other purposes than container ++ * setup before executing the container's init ++ * ++ * @target: path to be opened ++ * @prefix_skip: a part of @target in which to ignore symbolic links. This ++ * would be the container's rootfs. ++ * ++ * Return an open fd for the path, or <0 on error. ++ */ ++static int open_without_symlink(const char *target, const char *prefix_skip) ++{ ++ int curlen = 0, dirfd, fulllen, i; ++ char *dup = NULL; ++ ++ fulllen = strlen(target); ++ ++ /* make sure prefix-skip makes sense */ ++ if (prefix_skip) { ++ curlen = strlen(prefix_skip); ++ if (!is_subdir(target, prefix_skip, curlen)) { ++ ERROR("WHOA there - target '%s' didn't start with prefix '%s'", ++ target, prefix_skip); ++ return -EINVAL; ++ } ++ /* ++ * get_nextpath() expects the curlen argument to be ++ * on a (turned into \0) / or before it, so decrement ++ * curlen to make sure that happens ++ */ ++ if (curlen) ++ curlen--; ++ } else { ++ prefix_skip = "/"; ++ curlen = 0; ++ } ++ ++ /* Make a copy of target which we can hack up, and tokenize it */ ++ if ((dup = strdup(target)) == NULL) { ++ SYSERROR("Out of memory checking for symbolic link"); ++ return -ENOMEM; ++ } ++ for (i = 0; i < fulllen; i++) { ++ if (dup[i] == '/') ++ dup[i] = '\0'; ++ } ++ ++ dirfd = open(prefix_skip, O_RDONLY); ++ if (dirfd < 0) ++ goto out; ++ while (1) { ++ int newfd, saved_errno; ++ char *nextpath; ++ ++ if ((nextpath = get_nextpath(dup, &curlen, fulllen)) == NULL) ++ goto out; ++ newfd = open_if_safe(dirfd, nextpath); ++ saved_errno = errno; ++ close(dirfd); ++ dirfd = newfd; ++ if 
(newfd < 0) { ++ errno = saved_errno; ++ if (errno == ELOOP) ++ SYSERROR("%s in %s was a symbolic link!", nextpath, target); ++ else ++ SYSERROR("Error examining %s in %s", nextpath, target); ++ goto out; ++ } ++ } ++ ++out: ++ free(dup); ++ return dirfd; ++} ++ ++/* ++ * Safely mount a path into a container, ensuring that the mount target ++ * is under the container's @rootfs. (If @rootfs is NULL, then the container ++ * uses the host's /) ++ * ++ * CAVEAT: This function must not be used for other purposes than container ++ * setup before executing the container's init ++ */ ++int safe_mount(const char *src, const char *dest, const char *fstype, ++ unsigned long flags, const void *data, const char *rootfs) ++{ ++ int srcfd = -1, destfd, ret, saved_errno; ++ char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ ++ const char *mntsrc = src; ++ ++ if (!rootfs) ++ rootfs = ""; ++ ++ /* todo - allow symlinks for relative paths if 'allowsymlinks' option is passed */ ++ if (flags & MS_BIND && src && src[0] != '/') { ++ INFO("this is a relative bind mount"); ++ srcfd = open_without_symlink(src, NULL); ++ if (srcfd < 0) ++ return srcfd; ++ ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); ++ if (ret < 0 || ret > 50) { ++ close(srcfd); ++ ERROR("Out of memory"); ++ return -EINVAL; ++ } ++ mntsrc = srcbuf; ++ } ++ ++ destfd = open_without_symlink(dest, rootfs); ++ if (destfd < 0) { ++ if (srcfd != -1) ++ close(srcfd); ++ return destfd; ++ } ++ ++ ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); ++ if (ret < 0 || ret > 50) { ++ if (srcfd != -1) ++ close(srcfd); ++ close(destfd); ++ ERROR("Out of memory"); ++ return -EINVAL; ++ } ++ ++ ret = mount(mntsrc, destbuf, fstype, flags, data); ++ saved_errno = errno; ++ if (srcfd != -1) ++ close(srcfd); ++ close(destfd); ++ if (ret < 0) { ++ errno = saved_errno; ++ SYSERROR("Failed to mount %s onto %s", src, dest); ++ return ret; ++ } ++ ++ return 0; ++} ++ ++/* + * Mount a proc under @rootfs if proc self 
points to a pid other than + * my own. This is needed to have a known-good proc mount for setting + * up LSMs both at container startup and attach. +@@ -1440,7 +1673,7 @@ int mount_proc_if_needed(const char *rootfs) + return 0; + + domount: +- if (mount("proc", path, "proc", 0, NULL)) ++ if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0) + return -1; + INFO("Mounted /proc in container for security transition"); + return 1; +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index ee12dde..059026f 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -279,6 +279,8 @@ bool switch_to_ns(pid_t pid, const char *ns); + int is_dir(const char *path); + char *get_template_path(const char *t); + int setproctitle(char *title); ++int safe_mount(const char *src, const char *dest, const char *fstype, ++ unsigned long flags, const void *data, const char *rootfs); + int mount_proc_if_needed(const char *rootfs); + int null_stdfds(void); + #endif /* __LXC_UTILS_H */ +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 461d869..8af9baa 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -54,6 +54,7 @@ if DISTRO_UBUNTU + bin_SCRIPTS += \ + lxc-test-apparmor-mount \ + lxc-test-checkpoint-restore \ ++ lxc-test-symlink \ + lxc-test-ubuntu \ + lxc-test-unpriv \ + lxc-test-usernic +@@ -80,6 +81,7 @@ EXTRA_DIST = \ + lxc-test-checkpoint-restore \ + lxc-test-cloneconfig \ + lxc-test-createconfig \ ++ lxc-test-symlink \ + lxc-test-ubuntu \ + lxc-test-unpriv \ + may_control.c \ +diff --git a/src/tests/lxc-test-symlink b/src/tests/lxc-test-symlink +new file mode 100644 +index 0000000..37320f0 +--- /dev/null ++++ b/src/tests/lxc-test-symlink +@@ -0,0 +1,88 @@ ++#!/bin/bash ++ ++set -ex ++ ++# lxc: linux Container library ++ ++# Authors: ++# Serge Hallyn ++# ++# This is a regression test for symbolic links ++ ++dirname=`mktemp -d` ++fname=`mktemp` ++fname2=`mktemp` ++ ++lxcpath=/var/lib/lxcsym1 ++ ++cleanup() { ++ lxc-destroy -P $lxcpath -f -n symtest1 || 
true ++ rm -f $lxcpath ++ rmdir $dirname || true ++ rm -f $fname || true ++ rm -f $fname2 || true ++} ++ ++trap cleanup EXIT SIGHUP SIGINT SIGTERM ++ ++testrun() { ++ expected=$1 ++ run=$2 ++ pass="pass" ++ lxc-start -P $lxcpath -n symtest1 -l trace -o $lxcpath/log || pass="fail" ++ [ $pass = "pass" ] && lxc-wait -P $lxcpath -n symtest1 -t 10 -s RUNNING || pass="fail" ++ if [ "$pass" != "$expected" ]; then ++ echo "Test $run: expected $expected but container did not. Start log:" ++ cat $lxcpath/log ++ echo "FAIL: Test $run: expected $expected but container did not." ++ false ++ fi ++ lxc-stop -P $lxcpath -n symtest1 -k || true ++} ++ ++# make lxcpath a symlink - this should NOT cause failure ++ln -s /var/lib/lxc $lxcpath ++ ++lxc-destroy -P $lxcpath -f -n symtest1 || true ++lxc-create -P $lxcpath -t busybox -n symtest1 ++ ++cat >> /var/lib/lxc/symtest1/config << EOF ++lxc.mount.entry = $dirname opt/xxx/dir none bind,create=dir ++lxc.mount.entry = $fname opt/xxx/file none bind,create=file ++lxc.mount.entry = $fname2 opt/xxx/file2 none bind ++EOF ++ ++# Regular - should succeed ++mkdir -p /var/lib/lxc/symtest1/rootfs/opt/xxx ++touch /var/lib/lxc/symtest1/rootfs/opt/xxx/file2 ++testrun pass 1 ++ ++# symlink - should fail ++rm -rf /var/lib/lxc/symtest1/rootfs/opt/xxx ++mkdir -p /var/lib/lxc/symtest1/rootfs/opt/xxx2 ++ln -s /var/lib/lxc/symtest1/rootfs/opt/xxx2 /var/lib/lxc/symtest1/rootfs/opt/xxx ++touch /var/lib/lxc/symtest1/rootfs/opt/xxx/file2 ++testrun fail 2 ++ ++# final final symlink - should fail ++rm -rf $lxcpath/symtest1/rootfs/opt/xxx ++mkdir -p $lxcpath/symtest1/rootfs/opt/xxx ++mkdir -p $lxcpath/symtest1/rootfs/opt/xxx/dir ++touch $lxcpath/symtest1/rootfs/opt/xxx/file ++touch $lxcpath/symtest1/rootfs/opt/xxx/file2src ++ln -s $lxcpath/symtest1/rootfs/opt/xxx/file2src $lxcpath/symtest1/rootfs/opt/xxx/file2 ++testrun fail 3 ++ ++# Ideally we'd also try a loop device, but that won't work in nested containers ++# anyway - TODO ++ ++# what about /proc itself ++ 
++rm -rf $lxcpath/symtest1/rootfs/opt/xxx ++mkdir -p $lxcpath/symtest1/rootfs/opt/xxx ++touch $lxcpath/symtest1/rootfs/opt/xxx/file2 ++mv $lxcpath/symtest1/rootfs/proc $lxcpath/symtest1/rootfs/proc1 ++ln -s $lxcpath/symtest1/rootfs/proc1 $lxcpath/symtest1/rootfs/proc ++testrun fail 4 ++ ++echo "all tests passed" +-- +2.5.0 + diff --git a/lxc.spec b/lxc.spec index 1020ac8..9c01d19 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.3 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -42,6 +42,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch +Patch1: lxc-1.1.3-fix-CVE-2015-1335.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen @@ -59,9 +60,10 @@ BuildRequires: python3-devel >= 3.2 %if 0%{?with_systemd} BuildRequires: systemd %endif # with_systemd -%if 0%{?prerel:1} +#if 0%{?prerel:1} +# currently enabled, as patch1 changes a Makefile.am BuildRequires: autoconf automake -%endif +#endif %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -181,6 +183,9 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 +%patch1 -p1 +# patch1 changes a Makefile.am +./autogen.sh %build @@ -379,6 +384,9 @@ fi %changelog +* Thu Oct 1 2015 Thomas Moschny - 1.1.3-2 +- Add security fix, see rhbz#1267844. + * Sat Aug 15 2015 Thomas Moschny - 1.1.3-1 - Update to 1.1.3. - Remove patches applied upstream. From 8fb61d8dfb71c085d8659fab723664277aac5805 Mon Sep 17 00:00:00 2001 
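Review bot: The 1.1.3-2 %changelog entry names only rhbz#1267844, although the patch added in the same hunk is `lxc-1.1.3-fix-CVE-2015-1335.patch`; the CVE id should appear in the changelog so `rpm -q --changelog` and advisory matching can tie this build to the fix, e.g. `- Add security fix for CVE-2015-1335 (rhbz#1267844).`. Rewriting `%if 0%{?prerel:1}` / `%endif` as `#if` / `#endif` makes `BuildRequires: autoconf automake` unconditional, which is the intent stated in the comment, but it leaves lines that read like a conditional; dropping the two pseudo-directive lines and keeping a comment such as `# autoconf/automake needed unconditionally while Patch1 touches Makefile.am` above the BuildRequires is clearer. Whether `./autogen.sh` in %prep also needs libtool in BuildRequires cannot be told from this page and should be checked in a clean build root.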
From: Thomas Moschny Date: Sat, 17 Oct 2015 19:51:08 +0200 Subject: [PATCH 43/95] Update to 1.1.4. --- .gitignore | 1 + lxc-1.1.3-fix-CVE-2015-1335.patch | 636 ------------------------------ lxc.spec | 14 +- sources | 2 +- 4 files changed, 8 insertions(+), 645 deletions(-) delete mode 100644 lxc-1.1.3-fix-CVE-2015-1335.patch diff --git a/.gitignore b/.gitignore index 3bffdde..8330c2b 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ lxc-0.7.2.tar.gz /lxc-1.1.1.tar.gz /lxc-1.1.2.tar.gz /lxc-1.1.3.tar.gz +/lxc-1.1.4.tar.gz diff --git a/lxc-1.1.3-fix-CVE-2015-1335.patch b/lxc-1.1.3-fix-CVE-2015-1335.patch deleted file mode 100644 index 719816e..0000000 --- a/lxc-1.1.3-fix-CVE-2015-1335.patch +++ /dev/null 
@@ -1,636 +0,0 @@ -From 1f9cc4943b640d9355709432a705e5fa6e9ad4df Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Mon, 31 Aug 2015 12:57:20 -0500 -Subject: [PATCH 1/1] Protect container mounts against symlinks - -When a container starts up, lxc sets up the container's inital fstree -by doing a bunch of mounting, guided by the container configuration -file. The container config is owned by the admin or user on the host, -so we do not try to guard against bad entries. However, since the -mount target is in the container, it's possible that the container admin -could divert the mount with symbolic links. This could bypass proper -container startup (i.e. confinement of a root-owned container by the -restrictive apparmor policy, by diverting the required write to -/proc/self/attr/current), or bypass the (path-based) apparmor policy -by diverting, say, /proc to /mnt in the container. - -To prevent this, - -1. do not allow mounts to paths containing symbolic links - -2. do not allow bind mounts from relative paths containing symbolic -links. - -Details: - -Define safe_mount which ensures that the container has not inserted any -symbolic links into any mount targets for mounts to be done during -container setup. - -The host's mount path may contain symbolic links. As it is under the -control of the administrator, that's ok. So safe_mount begins the check -for symbolic links after the rootfs->mount, by opening that directory. - -It opens each directory along the path using openat() relative to the -parent directory using O_NOFOLLOW. When the target is reached, it -mounts onto /proc/self/fd/. - -Use safe_mount() in mount_entry(), when mounting container proc, -and when needed. In particular, safe_mount() need not be used in -any case where: - -1. the mount is done in the container's namespace -2. the mount is for the container's rootfs -3. 
the mount is relative to a tmpfs or proc/sysfs which we have - just safe_mount()ed ourselves - -Since we were using proc/net as a temporary placeholder for /proc/sys/net -during container startup, and proc/net is a symbolic link, use proc/tty -instead. - -Update the lxc.container.conf manpage with details about the new -restrictions. - -Finally, add a testcase to test some symbolic link possibilities. - -Signed-off-by: Serge Hallyn ---- - doc/lxc.container.conf.sgml.in | 12 +++ - src/lxc/cgfs.c | 5 +- - src/lxc/cgmanager.c | 4 +- - src/lxc/conf.c | 29 ++--- - src/lxc/utils.c | 235 ++++++++++++++++++++++++++++++++++++++++- - src/lxc/utils.h | 2 + - src/tests/Makefile.am | 2 + - src/tests/lxc-test-symlink | 88 +++++++++++++++ - 8 files changed, 359 insertions(+), 18 deletions(-) - create mode 100644 src/tests/lxc-test-symlink - -diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in -index 50c6a2a..0a1ec5f 100644 ---- a/doc/lxc.container.conf.sgml.in -+++ b/doc/lxc.container.conf.sgml.in -@@ -699,6 +699,18 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - container. This is useful to mount /etc, /var or /home for - examples. - -+ -+ NOTE - LXC will generally ensure that mount targets and relative -+ bind-mount sources are properly confined under the container -+ root, to avoid attacks involving over-mounting host directories -+ and files. (Symbolic links in absolute mount sources are ignored) -+ However, if the container configuration first mounts a directory which -+ is under the control of the container user, such as /home/joe, into -+ the container at some path, and then mounts -+ under path, then a TOCTTOU attack would be -+ possible where the container user modifies a symbolic link under -+ his home directory at just the right time. 
-+ - - - -diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c -index fcb3cde..df2e6b2 100644 ---- a/src/lxc/cgfs.c -+++ b/src/lxc/cgfs.c -@@ -1363,7 +1363,10 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type) - if (!path) - return false; - snprintf(path, bufsz, "%s/sys/fs/cgroup", root); -- r = mount("cgroup_root", path, "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, "size=10240k,mode=755"); -+ r = safe_mount("cgroup_root", path, "tmpfs", -+ MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, -+ "size=10240k,mode=755", -+ root); - if (r < 0) { - SYSERROR("could not mount tmpfs to /sys/fs/cgroup in the container"); - return false; -diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c -index c143bea..779a1d8 100644 ---- a/src/lxc/cgmanager.c -+++ b/src/lxc/cgmanager.c -@@ -1477,7 +1477,7 @@ static bool cgm_bind_dir(const char *root, const char *dirname) - } - - /* mount a tmpfs there so we can create subdirs */ -- if (mount("cgroup", cgpath, "tmpfs", 0, "size=10000,mode=755")) { -+ if (safe_mount("cgroup", cgpath, "tmpfs", 0, "size=10000,mode=755", root)) { - SYSERROR("Failed to mount tmpfs at %s", cgpath); - return false; - } -@@ -1488,7 +1488,7 @@ static bool cgm_bind_dir(const char *root, const char *dirname) - return false; - } - -- if (mount(dirname, cgpath, "none", MS_BIND, 0)) { -+ if (safe_mount(dirname, cgpath, "none", MS_BIND, 0, root)) { - SYSERROR("Failed to bind mount %s to %s", dirname, cgpath); - return false; - } -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index d37112b..8cff919 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -763,10 +763,11 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha - * 2.6.32... 
- */ - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, -- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/net", NULL, MS_BIND, NULL }, -+ /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */ -+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, -- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/net", "%r/proc/sys/net", NULL, MS_MOVE, NULL }, -+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, -@@ -809,7 +810,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha - } - mflags = add_required_remount_flags(source, destination, - default_mounts[i].flags); -- r = mount(source, destination, default_mounts[i].fstype, mflags, default_mounts[i].options); -+ r = safe_mount(source, destination, default_mounts[i].fstype, mflags, default_mounts[i].options, conf->rootfs.path ? conf->rootfs.mount : NULL); - saved_errno = errno; - if (r < 0 && errno == ENOENT) { - INFO("Mount source or target for %s on %s doesn't exist. 
Skipping.", source, destination); -@@ -1161,7 +1162,7 @@ static int mount_autodev(const char *name, char *root, const char *lxcpath) - return 0; - } - -- if (mount("none", path, "tmpfs", 0, "size=100000,mode=755")) { -+ if (safe_mount("none", path, "tmpfs", 0, "size=100000,mode=755", root)) { - SYSERROR("Failed mounting tmpfs onto %s\n", path); - return false; - } -@@ -1246,7 +1247,7 @@ static int fill_autodev(const char *root) - return -1; - } - fclose(pathfile); -- if (mount(hostpath, path, 0, MS_BIND, NULL) != 0) { -+ if (safe_mount(hostpath, path, 0, MS_BIND, NULL, root) != 0) { - SYSERROR("Failed bind mounting device %s from host into container", - d->name); - return -1; -@@ -1499,7 +1500,7 @@ static int setup_dev_console(const struct lxc_rootfs *rootfs, - return -1; - } - -- if (mount(console->name, path, "none", MS_BIND, 0)) { -+ if (safe_mount(console->name, path, "none", MS_BIND, 0, rootfs->mount)) { - ERROR("failed to mount '%s' on '%s'", console->name, path); - return -1; - } -@@ -1554,7 +1555,7 @@ static int setup_ttydir_console(const struct lxc_rootfs *rootfs, - return 0; - } - -- if (mount(console->name, lxcpath, "none", MS_BIND, 0)) { -+ if (safe_mount(console->name, lxcpath, "none", MS_BIND, 0, rootfs->mount)) { - ERROR("failed to mount '%s' on '%s'", console->name, lxcpath); - return -1; - } -@@ -1704,13 +1705,13 @@ static char *get_field(char *src, int nfields) - - static int mount_entry(const char *fsname, const char *target, - const char *fstype, unsigned long mountflags, -- const char *data, int optional) -+ const char *data, int optional, const char *rootfs) - { - #ifdef HAVE_STATVFS - struct statvfs sb; - #endif - -- if (mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data)) { -+ if (safe_mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data, rootfs)) { - if (optional) { - INFO("failed to mount '%s' on '%s' (optional): %s", fsname, - target, strerror(errno)); -@@ -1757,7 +1758,7 @@ static int mount_entry(const char *fsname, 
const char *target, - #endif - - if (mount(fsname, target, fstype, -- mountflags | MS_REMOUNT, data)) { -+ mountflags | MS_REMOUNT, data) < 0) { - if (optional) { - INFO("failed to mount '%s' on '%s' (optional): %s", - fsname, target, strerror(errno)); -@@ -1843,7 +1844,7 @@ static inline int mount_entry_on_systemfs(struct mntent *mntent) - } - - ret = mount_entry(mntent->mnt_fsname, mntent->mnt_dir, -- mntent->mnt_type, mntflags, mntdata, optional); -+ mntent->mnt_type, mntflags, mntdata, optional, NULL); - - free(pathdirname); - free(mntdata); -@@ -1930,7 +1931,7 @@ skipabs: - } - - ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, -- mntflags, mntdata, optional); -+ mntflags, mntdata, optional, rootfs->mount); - - free(mntdata); - -@@ -1986,7 +1987,7 @@ static int mount_entry_on_relative_rootfs(struct mntent *mntent, - } - - ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, -- mntflags, mntdata, optional); -+ mntflags, mntdata, optional, rootfs); - - free(pathdirname); - free(mntdata); -@@ -3646,7 +3647,7 @@ void lxc_execute_bind_init(struct lxc_conf *conf) - fclose(pathfile); - } - -- ret = mount(path, destpath, "none", MS_BIND, NULL); -+ ret = safe_mount(path, destpath, "none", MS_BIND, NULL, conf->rootfs.mount); - if (ret < 0) - SYSERROR("Failed to bind lxc.init.static into container"); - INFO("lxc.init.static bound into container at %s", path); -diff --git a/src/lxc/utils.c b/src/lxc/utils.c -index 7ced314..70d12d5 100644 ---- a/src/lxc/utils.c -+++ b/src/lxc/utils.c -@@ -1403,6 +1403,239 @@ int setproctitle(char *title) - } - - /* -+ * @path: a pathname where / replaced with '\0'. -+ * @offsetp: pointer to int showing which path segment was last seen. -+ * Updated on return to reflect the next segment. -+ * @fulllen: full original path length. -+ * Returns a pointer to the next path segment, or NULL if done. 
-+ */ -+static char *get_nextpath(char *path, int *offsetp, int fulllen) -+{ -+ int offset = *offsetp; -+ -+ if (offset >= fulllen) -+ return NULL; -+ -+ while (path[offset] != '\0' && offset < fulllen) -+ offset++; -+ while (path[offset] == '\0' && offset < fulllen) -+ offset++; -+ -+ *offsetp = offset; -+ return (offset < fulllen) ? &path[offset] : NULL; -+} -+ -+/* -+ * Check that @subdir is a subdir of @dir. @len is the length of -+ * @dir (to avoid having to recalculate it). -+ */ -+static bool is_subdir(const char *subdir, const char *dir, size_t len) -+{ -+ size_t subdirlen = strlen(subdir); -+ -+ if (subdirlen < len) -+ return false; -+ if (strncmp(subdir, dir, len) != 0) -+ return false; -+ if (dir[len-1] == '/') -+ return true; -+ if (subdir[len] == '/' || subdirlen == len) -+ return true; -+ return false; -+} -+ -+/* -+ * Check if the open fd is a symlink. Return -ELOOP if it is. Return -+ * -ENOENT if we couldn't fstat. Return 0 if the fd is ok. -+ */ -+static int check_symlink(int fd) -+{ -+ struct stat sb; -+ int ret = fstat(fd, &sb); -+ if (ret < 0) -+ return -ENOENT; -+ if (S_ISLNK(sb.st_mode)) -+ return -ELOOP; -+ return 0; -+} -+ -+/* -+ * Open a file or directory, provided that it contains no symlinks. -+ * -+ * CAVEAT: This function must not be used for other purposes than container -+ * setup before executing the container's init -+ */ -+static int open_if_safe(int dirfd, const char *nextpath) -+{ -+ int newfd = openat(dirfd, nextpath, O_RDONLY | O_NOFOLLOW); -+ if (newfd >= 0) // was not a symlink, all good -+ return newfd; -+ -+ if (errno == ELOOP) -+ return newfd; -+ -+ if (errno == EPERM || errno == EACCES) { -+ /* we're not root (cause we got EPERM) so -+ try opening with O_PATH */ -+ newfd = openat(dirfd, nextpath, O_PATH | O_NOFOLLOW); -+ if (newfd >= 0) { -+ /* O_PATH will return an fd for symlinks. 
We know -+ * nextpath wasn't a symlink at last openat, so if fd -+ * is now a link, then something * fishy is going on -+ */ -+ int ret = check_symlink(newfd); -+ if (ret < 0) { -+ close(newfd); -+ newfd = ret; -+ } -+ } -+ } -+ -+ return newfd; -+} -+ -+/* -+ * Open a path intending for mounting, ensuring that the final path -+ * is inside the container's rootfs. -+ * -+ * CAVEAT: This function must not be used for other purposes than container -+ * setup before executing the container's init -+ * -+ * @target: path to be opened -+ * @prefix_skip: a part of @target in which to ignore symbolic links. This -+ * would be the container's rootfs. -+ * -+ * Return an open fd for the path, or <0 on error. -+ */ -+static int open_without_symlink(const char *target, const char *prefix_skip) -+{ -+ int curlen = 0, dirfd, fulllen, i; -+ char *dup = NULL; -+ -+ fulllen = strlen(target); -+ -+ /* make sure prefix-skip makes sense */ -+ if (prefix_skip) { -+ curlen = strlen(prefix_skip); -+ if (!is_subdir(target, prefix_skip, curlen)) { -+ ERROR("WHOA there - target '%s' didn't start with prefix '%s'", -+ target, prefix_skip); -+ return -EINVAL; -+ } -+ /* -+ * get_nextpath() expects the curlen argument to be -+ * on a (turned into \0) / or before it, so decrement -+ * curlen to make sure that happens -+ */ -+ if (curlen) -+ curlen--; -+ } else { -+ prefix_skip = "/"; -+ curlen = 0; -+ } -+ -+ /* Make a copy of target which we can hack up, and tokenize it */ -+ if ((dup = strdup(target)) == NULL) { -+ SYSERROR("Out of memory checking for symbolic link"); -+ return -ENOMEM; -+ } -+ for (i = 0; i < fulllen; i++) { -+ if (dup[i] == '/') -+ dup[i] = '\0'; -+ } -+ -+ dirfd = open(prefix_skip, O_RDONLY); -+ if (dirfd < 0) -+ goto out; -+ while (1) { -+ int newfd, saved_errno; -+ char *nextpath; -+ -+ if ((nextpath = get_nextpath(dup, &curlen, fulllen)) == NULL) -+ goto out; -+ newfd = open_if_safe(dirfd, nextpath); -+ saved_errno = errno; -+ close(dirfd); -+ dirfd = newfd; -+ if 
(newfd < 0) { -+ errno = saved_errno; -+ if (errno == ELOOP) -+ SYSERROR("%s in %s was a symbolic link!", nextpath, target); -+ else -+ SYSERROR("Error examining %s in %s", nextpath, target); -+ goto out; -+ } -+ } -+ -+out: -+ free(dup); -+ return dirfd; -+} -+ -+/* -+ * Safely mount a path into a container, ensuring that the mount target -+ * is under the container's @rootfs. (If @rootfs is NULL, then the container -+ * uses the host's /) -+ * -+ * CAVEAT: This function must not be used for other purposes than container -+ * setup before executing the container's init -+ */ -+int safe_mount(const char *src, const char *dest, const char *fstype, -+ unsigned long flags, const void *data, const char *rootfs) -+{ -+ int srcfd = -1, destfd, ret, saved_errno; -+ char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ -+ const char *mntsrc = src; -+ -+ if (!rootfs) -+ rootfs = ""; -+ -+ /* todo - allow symlinks for relative paths if 'allowsymlinks' option is passed */ -+ if (flags & MS_BIND && src && src[0] != '/') { -+ INFO("this is a relative bind mount"); -+ srcfd = open_without_symlink(src, NULL); -+ if (srcfd < 0) -+ return srcfd; -+ ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); -+ if (ret < 0 || ret > 50) { -+ close(srcfd); -+ ERROR("Out of memory"); -+ return -EINVAL; -+ } -+ mntsrc = srcbuf; -+ } -+ -+ destfd = open_without_symlink(dest, rootfs); -+ if (destfd < 0) { -+ if (srcfd != -1) -+ close(srcfd); -+ return destfd; -+ } -+ -+ ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); -+ if (ret < 0 || ret > 50) { -+ if (srcfd != -1) -+ close(srcfd); -+ close(destfd); -+ ERROR("Out of memory"); -+ return -EINVAL; -+ } -+ -+ ret = mount(mntsrc, destbuf, fstype, flags, data); -+ saved_errno = errno; -+ if (srcfd != -1) -+ close(srcfd); -+ close(destfd); -+ if (ret < 0) { -+ errno = saved_errno; -+ SYSERROR("Failed to mount %s onto %s", src, dest); -+ return ret; -+ } -+ -+ return 0; -+} -+ -+/* - * Mount a proc under @rootfs if proc self 
points to a pid other than - * my own. This is needed to have a known-good proc mount for setting - * up LSMs both at container startup and attach. -@@ -1440,7 +1673,7 @@ int mount_proc_if_needed(const char *rootfs) - return 0; - - domount: -- if (mount("proc", path, "proc", 0, NULL)) -+ if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0) - return -1; - INFO("Mounted /proc in container for security transition"); - return 1; -diff --git a/src/lxc/utils.h b/src/lxc/utils.h -index ee12dde..059026f 100644 ---- a/src/lxc/utils.h -+++ b/src/lxc/utils.h -@@ -279,6 +279,8 @@ bool switch_to_ns(pid_t pid, const char *ns); - int is_dir(const char *path); - char *get_template_path(const char *t); - int setproctitle(char *title); -+int safe_mount(const char *src, const char *dest, const char *fstype, -+ unsigned long flags, const void *data, const char *rootfs); - int mount_proc_if_needed(const char *rootfs); - int null_stdfds(void); - #endif /* __LXC_UTILS_H */ -diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am -index 461d869..8af9baa 100644 ---- a/src/tests/Makefile.am -+++ b/src/tests/Makefile.am -@@ -54,6 +54,7 @@ if DISTRO_UBUNTU - bin_SCRIPTS += \ - lxc-test-apparmor-mount \ - lxc-test-checkpoint-restore \ -+ lxc-test-symlink \ - lxc-test-ubuntu \ - lxc-test-unpriv \ - lxc-test-usernic -@@ -80,6 +81,7 @@ EXTRA_DIST = \ - lxc-test-checkpoint-restore \ - lxc-test-cloneconfig \ - lxc-test-createconfig \ -+ lxc-test-symlink \ - lxc-test-ubuntu \ - lxc-test-unpriv \ - may_control.c \ -diff --git a/src/tests/lxc-test-symlink b/src/tests/lxc-test-symlink -new file mode 100644 -index 0000000..37320f0 ---- /dev/null -+++ b/src/tests/lxc-test-symlink -@@ -0,0 +1,88 @@ -+#!/bin/bash -+ -+set -ex -+ -+# lxc: linux Container library -+ -+# Authors: -+# Serge Hallyn -+# -+# This is a regression test for symbolic links -+ -+dirname=`mktemp -d` -+fname=`mktemp` -+fname2=`mktemp` -+ -+lxcpath=/var/lib/lxcsym1 -+ -+cleanup() { -+ lxc-destroy -P $lxcpath -f -n symtest1 || 
true -+ rm -f $lxcpath -+ rmdir $dirname || true -+ rm -f $fname || true -+ rm -f $fname2 || true -+} -+ -+trap cleanup EXIT SIGHUP SIGINT SIGTERM -+ -+testrun() { -+ expected=$1 -+ run=$2 -+ pass="pass" -+ lxc-start -P $lxcpath -n symtest1 -l trace -o $lxcpath/log || pass="fail" -+ [ $pass = "pass" ] && lxc-wait -P $lxcpath -n symtest1 -t 10 -s RUNNING || pass="fail" -+ if [ "$pass" != "$expected" ]; then -+ echo "Test $run: expected $expected but container did not. Start log:" -+ cat $lxcpath/log -+ echo "FAIL: Test $run: expected $expected but container did not." -+ false -+ fi -+ lxc-stop -P $lxcpath -n symtest1 -k || true -+} -+ -+# make lxcpath a symlink - this should NOT cause failure -+ln -s /var/lib/lxc $lxcpath -+ -+lxc-destroy -P $lxcpath -f -n symtest1 || true -+lxc-create -P $lxcpath -t busybox -n symtest1 -+ -+cat >> /var/lib/lxc/symtest1/config << EOF -+lxc.mount.entry = $dirname opt/xxx/dir none bind,create=dir -+lxc.mount.entry = $fname opt/xxx/file none bind,create=file -+lxc.mount.entry = $fname2 opt/xxx/file2 none bind -+EOF -+ -+# Regular - should succeed -+mkdir -p /var/lib/lxc/symtest1/rootfs/opt/xxx -+touch /var/lib/lxc/symtest1/rootfs/opt/xxx/file2 -+testrun pass 1 -+ -+# symlink - should fail -+rm -rf /var/lib/lxc/symtest1/rootfs/opt/xxx -+mkdir -p /var/lib/lxc/symtest1/rootfs/opt/xxx2 -+ln -s /var/lib/lxc/symtest1/rootfs/opt/xxx2 /var/lib/lxc/symtest1/rootfs/opt/xxx -+touch /var/lib/lxc/symtest1/rootfs/opt/xxx/file2 -+testrun fail 2 -+ -+# final final symlink - should fail -+rm -rf $lxcpath/symtest1/rootfs/opt/xxx -+mkdir -p $lxcpath/symtest1/rootfs/opt/xxx -+mkdir -p $lxcpath/symtest1/rootfs/opt/xxx/dir -+touch $lxcpath/symtest1/rootfs/opt/xxx/file -+touch $lxcpath/symtest1/rootfs/opt/xxx/file2src -+ln -s $lxcpath/symtest1/rootfs/opt/xxx/file2src $lxcpath/symtest1/rootfs/opt/xxx/file2 -+testrun fail 3 -+ -+# Ideally we'd also try a loop device, but that won't work in nested containers -+# anyway - TODO -+ -+# what about /proc itself -+ 
-+rm -rf $lxcpath/symtest1/rootfs/opt/xxx -+mkdir -p $lxcpath/symtest1/rootfs/opt/xxx -+touch $lxcpath/symtest1/rootfs/opt/xxx/file2 -+mv $lxcpath/symtest1/rootfs/proc $lxcpath/symtest1/rootfs/proc1 -+ln -s $lxcpath/symtest1/rootfs/proc1 $lxcpath/symtest1/rootfs/proc -+testrun fail 4 -+ -+echo "all tests passed" --- -2.5.0 - diff --git a/lxc.spec b/lxc.spec index 9c01d19..832b4e9 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 1.1.3 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Version: 1.1.4 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -42,7 +42,6 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch -Patch1: lxc-1.1.3-fix-CVE-2015-1335.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen @@ -61,8 +60,7 @@ BuildRequires: python3-devel >= 3.2 BuildRequires: systemd %endif # with_systemd #if 0%{?prerel:1} -# currently enabled, as patch1 changes a Makefile.am -BuildRequires: autoconf automake +#BuildRequires: autoconf automake #endif %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -183,9 +181,6 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 -%patch1 -p1 -# patch1 changes a Makefile.am -./autogen.sh %build @@ -384,6 +379,9 @@ fi %changelog +* Sat Oct 17 2015 Thomas Moschny - 1.1.4-1 +- Update to 1.1.4. + * Thu Oct 1 2015 Thomas Moschny - 1.1.3-2 - Add security fix, see rhbz#1267844. diff --git a/sources b/sources index 1422bb9..109625d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -197abb5a28ab0b689c737eb1951023fb lxc-1.1.3.tar.gz +d33c4bd9c57755c0e2b0e2acbc3f171d lxc-1.1.4.tar.gz 
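Review bot: The `@@ -42,7 +42,6 @@` hunk drops `Patch1: lxc-1.1.3-fix-CVE-2015-1335.patch` and `@@ -183,9 +181,6 @@` drops its `%patch1 -p1`, but neither the new changelog entry in `@@ -384,6 +379,9 @@` nor a comment records why; presumably the 1.1.4 tarball carries the fix upstream, yet someone auditing the package for CVE-2015-1335 has nothing in the spec to confirm that. The previous changelog entry describes the fix only as "Add security fix, see rhbz#1267844", so the trail ends at a bug number. Suggest adding a changelog line such as `- Drop lxc-1.1.3-fix-CVE-2015-1335.patch, fix included upstream in 1.1.4.` so the disposition of the CVE fix is auditable from the spec alone.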
From d508972500c89f71475e213f4deefe5abe3e3cda Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Wed, 21 Oct 2015 16:57:13 +0200 Subject: [PATCH 44/95] Add patch to fix bootorder (rhbz#1263612). --- lxc-1.1.4-fix-bootorder.patch | 22 ++++++++++++++++++++++ lxc.spec | 8 +++++++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 lxc-1.1.4-fix-bootorder.patch
diff --git a/lxc-1.1.4-fix-bootorder.patch b/lxc-1.1.4-fix-bootorder.patch
new file mode 100644
index 0000000..8a8bb8c
--- /dev/null
+++ b/lxc-1.1.4-fix-bootorder.patch
@@ -0,0 +1,22 @@
+diff -up lxc-1.1.4/config/init/systemd/lxc-net.service.in.orig lxc-1.1.4/config/init/systemd/lxc-net.service.in
+--- lxc-1.1.4/config/init/systemd/lxc-net.service.in.orig 2015-10-06 16:18:16.000000000 +0200
++++ lxc-1.1.4/config/init/systemd/lxc-net.service.in 2015-10-21 16:34:06.283178668 +0200
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=LXC network bridge setup
+-After=network.target
++After=network-online.target
+ Before=lxc.service
+ 
+ [Service]
+diff -up lxc-1.1.4/config/init/systemd/lxc.service.in.orig lxc-1.1.4/config/init/systemd/lxc.service.in
+--- lxc-1.1.4/config/init/systemd/lxc.service.in.orig 2015-10-06 16:18:16.000000000 +0200
++++ lxc-1.1.4/config/init/systemd/lxc.service.in 2015-10-21 16:33:41.193477243 +0200
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=LXC Container Initialization and Autoboot Code
+-After=syslog.target network.target lxc-net.service
++After=syslog.target network-online.target lxc-net.service
+ Wants=lxc-net.service
+ 
+ [Service]
diff --git a/lxc.spec b/lxc.spec
index 832b4e9..c52ed11 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -31,7 +31,7 @@
 
 Name: lxc
 Version: 1.1.4
-Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}
+Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}
 Summary: Linux Resource Containers
 Group: Applications/System
 License: LGPLv2+ and GPLv2
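Review bot: `After=network-online.target` in the lxc-net.service.in half of this new patch is an ordering-only dependency; nothing in the unit pulls network-online.target into the boot transaction, so unless another unit wants it the bridge setup can still run before the network is online and the new ordering has no effect on its own. The matching line is `Wants=network-online.target`, which PATCH 56 later in this series adds to lxc-net.service.in, confirming the gap. The lxc.service.in half has the same shape (`After=` names network-online.target, `Wants=` only lxc-net.service) and so reaches network-online.target only indirectly through lxc-net.service. Adding `Wants=network-online.target` next to each changed `After=` line in this patch would make the intended boot order hold without relying on the later fix.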
@@ -42,6 +42,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch +Patch1: lxc-1.1.4-fix-bootorder.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen @@ -181,6 +182,8 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 +# see rhbz#1263612 +%patch1 -p1 %build @@ -379,6 +382,9 @@ fi %changelog +* Wed Oct 21 2015 Thomas Moschny - 1.1.4-2 +- Add patch to fix bootorder (rhbz#1263612). + * Sat Oct 17 2015 Thomas Moschny - 1.1.4-1 - Update to 1.1.4. From b85bce5b1e1f07095ab6058d5b2ae9f5998d6d41 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Tue, 10 Nov 2015 14:46:02 +0000 Subject: [PATCH 45/95] - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index c52ed11..97d26f3 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.4 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -382,6 +382,9 @@ fi %changelog +* Tue Nov 10 2015 Fedora Release Engineering - 1.1.4-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + * Wed Oct 21 2015 Thomas Moschny - 1.1.4-2 - Add patch to fix bootorder (rhbz#1263612). From e172004ed36dff2220fbc90ffc04406e13a64250 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 15 Nov 2015 09:53:18 +0100 Subject: [PATCH 46/95] Update to 1.1.5. - Update patch. --- .gitignore | 1 + lxc-1.1.4-fix-bootorder.patch | 11 ----------- lxc.spec | 8 ++++++-- sources | 2 +- 4 files changed, 8 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index 8330c2b..258ef5e 100644 --- a/.gitignore 
+++ b/.gitignore @@ -13,3 +13,4 @@ lxc-0.7.2.tar.gz /lxc-1.1.2.tar.gz /lxc-1.1.3.tar.gz /lxc-1.1.4.tar.gz +/lxc-1.1.5.tar.gz diff --git a/lxc-1.1.4-fix-bootorder.patch b/lxc-1.1.4-fix-bootorder.patch index 8a8bb8c..cd064b4 100644 --- a/lxc-1.1.4-fix-bootorder.patch +++ b/lxc-1.1.4-fix-bootorder.patch @@ -1,14 +1,3 @@ -diff -up lxc-1.1.4/config/init/systemd/lxc-net.service.in.orig lxc-1.1.4/config/init/systemd/lxc-net.service.in ---- lxc-1.1.4/config/init/systemd/lxc-net.service.in.orig 2015-10-06 16:18:16.000000000 +0200 -+++ lxc-1.1.4/config/init/systemd/lxc-net.service.in 2015-10-21 16:34:06.283178668 +0200 -@@ -1,6 +1,6 @@ - [Unit] - Description=LXC network bridge setup --After=network.target -+After=network-online.target - Before=lxc.service - - [Service] diff -up lxc-1.1.4/config/init/systemd/lxc.service.in.orig lxc-1.1.4/config/init/systemd/lxc.service.in --- lxc-1.1.4/config/init/systemd/lxc.service.in.orig 2015-10-06 16:18:16.000000000 +0200 +++ lxc-1.1.4/config/init/systemd/lxc.service.in 2015-10-21 16:33:41.193477243 +0200 diff --git a/lxc.spec b/lxc.spec index 97d26f3..9afc3eb 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 1.1.4 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 +Version: 1.1.5 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -382,6 +382,10 @@ fi %changelog +* Sun Nov 15 2015 Thomas Moschny - 1.1.5-1 +- Update to 1.1.5. +- Update patch. + * Tue Nov 10 2015 Fedora Release Engineering - 1.1.4-2.1 - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 diff --git a/sources b/sources index 109625d..c9349ce 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d33c4bd9c57755c0e2b0e2acbc3f171d lxc-1.1.4.tar.gz +dd9684dde0a58ed13f4f49c855b79a1a lxc-1.1.5.tar.gz From 10c2ab1aff80ded075082c725383144c92c5ca88 Mon Sep 17 00:00:00 2001 
From: Dennis Gilmore Date: Thu, 4 Feb 2016 04:40:14 +0000 Subject: [PATCH 47/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 9afc3eb..1f0dea7 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 1.1.5 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -382,6 +382,9 @@ fi %changelog +* Thu Feb 04 2016 Fedora Release Engineering - 1.1.5-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + * Sun Nov 15 2015 Thomas Moschny - 1.1.5-1 - Update to 1.1.5. - Update patch. From 610a5c63348ec78a6164d6922f69f2b4d52ab8a5 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Tue, 1 Mar 2016 11:36:24 +0000 Subject: [PATCH 48/95] Power64 and s390(x) now have libseccomp support --- lxc.spec | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index 1f0dea7..709afc4 100644 --- a/lxc.spec +++ b/lxc.spec @@ -6,7 +6,11 @@ %global with_systemd 1 %endif -%if 0%{?fedora} || 0%{?rhel} >= 7 +%if 0%{?fedora} +%global with_seccomp 1 +%endif + +%if 0%{?rhel} >= 7 %ifarch %{ix86} x86_64 %{arm} aarch64 %global with_seccomp 1 %endif @@ -31,7 +35,7 @@ Name: lxc Version: 1.1.5 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -382,6 +386,9 @@ fi %changelog +* Tue Mar 1 2016 Peter Robinson 1.1.5-2 +- Power64 and s390(x) now have libseccomp support + * Thu Feb 04 2016 Fedora Release Engineering - 1.1.5-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild From d12c6a9d47a22461c16d233a6fd56061512230b2 Mon Sep 17 00:00:00 2001 
From: Thomas Moschny Date: Thu, 21 Apr 2016 08:02:04 +0200 Subject: [PATCH 49/95] Update to 2.0.0. - Obsolete the -extra subpackage. - Move the completion file to %{_datadir}. --- .gitignore | 1 + lxc-2.0.0-remove-werror.patch | 12 ++++++ lxc.spec | 71 ++++++++++++++++++----------------- sources | 2 +- 4 files changed, 50 insertions(+), 36 deletions(-) create mode 100644 lxc-2.0.0-remove-werror.patch diff --git a/.gitignore b/.gitignore index 258ef5e..b571f18 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ lxc-0.7.2.tar.gz /lxc-1.1.3.tar.gz /lxc-1.1.4.tar.gz /lxc-1.1.5.tar.gz +/lxc-2.0.0.tar.gz diff --git a/lxc-2.0.0-remove-werror.patch b/lxc-2.0.0-remove-werror.patch new file mode 100644 index 0000000..b2da700 --- /dev/null +++ b/lxc-2.0.0-remove-werror.patch @@ -0,0 +1,12 @@ +diff -up lxc-2.0.0/configure.ac.orig lxc-2.0.0/configure.ac +--- lxc-2.0.0/configure.ac.orig 2016-04-06 19:59:42.000000000 +0200 ++++ lxc-2.0.0/configure.ac 2016-04-21 07:46:29.936382133 +0200 +@@ -626,7 +626,7 @@ AC_PROG_SED + LXC_CHECK_TLS + + if test "x$GCC" = "xyes"; then +- CFLAGS="$CFLAGS -Wall -Werror" ++ CFLAGS="$CFLAGS -Wall" + fi + + # Files requiring some variable expansion diff --git a/lxc.spec b/lxc.spec index 709afc4..3260b3f 100644 --- a/lxc.spec +++ b/lxc.spec @@ -34,8 +34,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 1.1.5 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Version: 2.0.0 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -47,6 +47,7 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-1.1.0-fix-init.patch Patch1: lxc-1.1.4-fix-bootorder.patch +Patch2: lxc-2.0.0-remove-werror.patch BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen 
@@ -64,8 +65,13 @@ BuildRequires: python3-devel >= 3.2 %if 0%{?with_systemd} BuildRequires: systemd %endif # with_systemd +# lxc-extra subpackage not needed anymore, lxc-ls has been rewriten in +# C and does not depend on the Python3 binding anymore +Provides: lxc-extra = %{version}-%{release} +Obsoletes: lxc-extra < 1.1.5-3 #if 0%{?prerel:1} -#BuildRequires: autoconf automake +# we patch configure.ac +BuildRequires: autoconf automake #endif %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -110,18 +116,6 @@ overhead of full virtualization. The python3-%{name} package contains the Python3 binding for %{name}. %global __provides_exclude %{?__provides_exclude:%__provides_exclude|}_lxc\\..*\\.so - - -%package extra -Summary: Extra tools for %{name} -Group: Applications/System -Requires: python3-%{name}%{?_isa} = %{version}-%{release} - -%description extra -Linux Resource Containers provide process and resource isolation without the -overhead of full virtualization. - -This package contains tools needing the Python3 bindings. %endif # with_python3 @@ -188,12 +182,14 @@ This package contains documentation for %{name}. %patch0 -p1 # see rhbz#1263612 %patch1 -p1 +# -Wall with -Werror doesn't work well +%patch2 -p1 %build -%if 0%{?prerel:1} +#if 0%{?prerel:1} ./autogen.sh -%endif +#endif %configure --with-distro=fedora \ --enable-doc \ --enable-api-docs \ @@ -235,6 +231,13 @@ cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ # cache dir mkdir -p %{buildroot}%{_localstatedir}/cache/%{name} +# on Fedora and EPEL>=7, move the completion file to %%{_datadir} +%if 0%{?fedora} || 0%{?rhel} >= 7 +install -d %{buildroot}%{_datadir}/bash-completion/completions/ +mv %{buildroot}%{_sysconfdir}/bash_completion.d/%{name} \ + %{buildroot}%{_datadir}/bash-completion/completions/%{name} +%endif + %check make check 
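Review bot: In the `@@ -188,12 +182,14 @@` hunk the `%if 0%{?prerel:1}` / `%endif` around `./autogen.sh` become `#if 0%{?prerel:1}` / `#endif`, which rpm treats as comments, so autogen.sh now runs unconditionally; the reason (configure.ac is modified by `%patch2`) is stated only in the `@@ -64,8 +65,13 @@` hunk next to the BuildRequires that uses the same `#if` trick. A commented-out conditional reads like a live one, and rpm still expands `%{?prerel:1}` inside comment lines, so the spec is clearer with the conditional removed and the reason placed where the command is: `# patch2 modifies configure.ac, so autogen.sh must always run` followed by `./autogen.sh`. PATCH 54 later in the series restores the `%if` once the patch is dropped, which is exactly where such a comment would have told the next editor why the lines were disabled.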
@@ -245,6 +248,7 @@ make check %if 0%{?with_systemd} %systemd_post %{name}-net.service %systemd_post %{name}.service +%systemd_post %{name}@.service %else /sbin/chkconfig --add %{name}-net /sbin/chkconfig --add %{name} @@ -255,6 +259,7 @@ make check %if 0%{?with_systemd} %systemd_preun %{name}-net.service %systemd_preun %{name}.service +%systemd_preun %{name}@.service %else if [ $1 -eq 0 ]; then /sbin/service %{name}-net stop > /dev/null 2>&1 @@ -270,6 +275,7 @@ fi %if 0%{?with_systemd} %systemd_postun %{name}-net.service %systemd_postun %{name}.service +%systemd_postun %{name}@.service %else if [ $1 -ge 1 ]; then /sbin/service %{name}-net condrestart > /dev/null 2>&1 || : @@ -289,16 +295,14 @@ fi %exclude %{_mandir}/man1/%{name}-user-nic* %exclude %{_mandir}/*/man1/%{name}-user-nic* %{_datadir}/%{name}/%{name}.functions -%if 0%{?with_python3} -%exclude %{_bindir}/%{name}-ls -%exclude %{_bindir}/%{name}-start-ephemeral -%exclude %{_mandir}/man1/%{name}-ls* -%exclude %{_mandir}/man1/%{name}-start-ephemeral* -%exclude %{_mandir}/*/man1/%{name}-ls* -%exclude %{_mandir}/*/man1/%{name}-start-ephemeral* -%endif -%dir %{_sysconfdir}/bash_completion.d/ +%if 0%{?fedora} || 0%{?rhel} >= 7 +%dir %{_datadir}/bash-completion +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/%{name} +%else +%dir %{_sysconfdir}/bash_completion.d %{_sysconfdir}/bash_completion.d/%{name} +%endif %files libs @@ -336,6 +340,7 @@ fi %endif %if 0%{?with_systemd} %{_unitdir}/%{name}.service +%{_unitdir}/%{name}@.service %{_unitdir}/%{name}-net.service %else %{_sysconfdir}/rc.d/init.d/%{name} @@ -347,15 +352,6 @@ fi %if 0%{?with_python3} %files -n python3-%{name} %{python3_sitearch}/* - - -%files extra -%{_bindir}/%{name}-ls -%{_bindir}/%{name}-start-ephemeral -%{_mandir}/man1/%{name}-ls* -%{_mandir}/man1/%{name}-start-ephemeral* -%{_mandir}/*/man1/%{name}-ls* -%{_mandir}/*/man1/%{name}-start-ephemeral* %endif # with_python3 
@@ -386,6 +382,11 @@ fi %changelog +* Wed Apr 20 2016 Thomas Moschny - 2.0.0-1 +- Update to 2.0.0. +- Obsolete the -extra subpackage. +- Move the completion file to %%{_datadir}. + * Tue Mar 1 2016 Peter Robinson 1.1.5-2 - Power64 and s390(x) now have libseccomp support diff --git a/sources b/sources index c9349ce..532d2d0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -dd9684dde0a58ed13f4f49c855b79a1a lxc-1.1.5.tar.gz +04a7245a614cd3296b0ae9ceeeb83fbb lxc-2.0.0.tar.gz From 8c91a3ec1fb6f83174528775238d26d0e16214ae Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 3 Jun 2016 21:07:37 +0200 Subject: [PATCH 50/95] Update to 2.0.1. - Remove patch no longer needed. --- .gitignore | 18 +---------- lxc-1.1.4-fix-bootorder.patch | 11 ------- ...fix-init.patch => lxc-2.0.1-fix-init.patch | 32 +++++++++---------- lxc.spec | 11 ++++--- sources | 2 +- 5 files changed, 24 insertions(+), 50 deletions(-) delete mode 100644 lxc-1.1.4-fix-bootorder.patch rename lxc-1.1.0-fix-init.patch => lxc-2.0.1-fix-init.patch (50%) diff --git a/.gitignore b/.gitignore index b571f18..0f53774 100644 --- a/.gitignore +++ b/.gitignore @@ -1,17 +1 @@ -lxc-0.7.2.tar.gz -/lxc-0.7.4.1.tar.gz -/lxc-0.7.4.2.tar.gz -/lxc-0.7.5.tar.gz -/lxc-0.8.0.tar.gz -/lxc-0.9.0.tar.gz -/lxc-1.0.3.tar.gz -/lxc-1.0.4.tar.gz -/lxc-1.0.5.tar.gz -/lxc-e75a5c5c76c649435bd9171d5ea457fe727f5388.tar.gz -/lxc-1.1.0.tar.gz -/lxc-1.1.1.tar.gz -/lxc-1.1.2.tar.gz -/lxc-1.1.3.tar.gz -/lxc-1.1.4.tar.gz -/lxc-1.1.5.tar.gz -/lxc-2.0.0.tar.gz +/lxc-*.tar.gz diff --git a/lxc-1.1.4-fix-bootorder.patch b/lxc-1.1.4-fix-bootorder.patch deleted file mode 100644 index cd064b4..0000000 --- a/lxc-1.1.4-fix-bootorder.patch +++ /dev/null 
@@ -1,11 +0,0 @@ -diff -up lxc-1.1.4/config/init/systemd/lxc.service.in.orig lxc-1.1.4/config/init/systemd/lxc.service.in ---- lxc-1.1.4/config/init/systemd/lxc.service.in.orig 2015-10-06 16:18:16.000000000 +0200 -+++ lxc-1.1.4/config/init/systemd/lxc.service.in 2015-10-21 16:33:41.193477243 +0200 -@@ -1,6 +1,6 @@ - [Unit] - Description=LXC Container Initialization and Autoboot Code --After=syslog.target network.target lxc-net.service -+After=syslog.target network-online.target lxc-net.service - Wants=lxc-net.service - - [Service] diff --git a/lxc-1.1.0-fix-init.patch b/lxc-2.0.1-fix-init.patch similarity index 50% rename from lxc-1.1.0-fix-init.patch rename to lxc-2.0.1-fix-init.patch index 1739c48..343c22c 100644 --- a/lxc-1.1.0-fix-init.patch +++ b/lxc-2.0.1-fix-init.patch @@ -1,8 +1,7 @@ -diff --git a/config/init/sysvinit/lxc-containers.in b/config/init/sysvinit/lxc-containers.in -index bc93322..06ca8f4 100644 ---- a/config/init/sysvinit/lxc-containers.in -+++ b/config/init/sysvinit/lxc-containers.in -@@ -2,13 +2,15 @@ +diff -up lxc-2.0.1/config/init/sysvinit/lxc-containers.in.orig lxc-2.0.1/config/init/sysvinit/lxc-containers.in +--- lxc-2.0.1/config/init/sysvinit/lxc-containers.in.orig 2016-05-18 20:40:05.308604928 +0200 ++++ lxc-2.0.1/config/init/sysvinit/lxc-containers.in 2016-05-18 20:42:15.855301108 +0200 +@@ -2,7 +2,7 @@ # # lxc Start/Stop LXC autoboot containers # 
@@ -11,21 +10,21 @@ index bc93322..06ca8f4 100644 # description: Starts/Stops all LXC containers configured for autostart. # ### BEGIN INIT INFO - # Provides: lxc +@@ -11,8 +11,8 @@ + # Required-Stop: $syslog $remote_fs + # Should-Start: + # Should-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -+# Required-Start: $local_fs $network -+# Required-Stop: $local_fs $network +# Default-Start: +# Default-Stop: # Short-Description: Bring up/down LXC autostart containers # Description: Bring up/down LXC autostart containers ### END INIT INFO -diff --git a/config/init/sysvinit/lxc-net.in b/config/init/sysvinit/lxc-net.in -index f6892c1..362469c 100644 ---- a/config/init/sysvinit/lxc-net.in -+++ b/config/init/sysvinit/lxc-net.in -@@ -2,13 +2,15 @@ +diff -up lxc-2.0.1/config/init/sysvinit/lxc-net.in.orig lxc-2.0.1/config/init/sysvinit/lxc-net.in +--- lxc-2.0.1/config/init/sysvinit/lxc-net.in.orig 2016-05-18 20:40:05.308604928 +0200 ++++ lxc-2.0.1/config/init/sysvinit/lxc-net.in 2016-05-18 20:42:29.560164233 +0200 +@@ -2,7 +2,7 @@ # # lxc-net Start/Stop LXC Networking # @@ -34,11 +33,12 @@ index f6892c1..362469c 100644 # description: Starts/Stops LXC Network Bridge # ### BEGIN INIT INFO - # Provides: lxc-net +@@ -11,8 +11,8 @@ + # Required-Stop: $syslog $remote_fs + # Should-Start: + # Should-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 1 -+# Required-Start: $local_fs $network -+# Required-Stop: $local_fs $network +# Default-Start: +# Default-Stop: # Short-Description: Bring up/down LXC Network Bridge diff --git a/lxc.spec b/lxc.spec index 3260b3f..3490a0e 100644 --- a/lxc.spec +++ b/lxc.spec @@ -34,7 +34,7 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.0 +Version: 2.0.1 Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System 
@@ -45,8 +45,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t %else Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif -Patch0: lxc-1.1.0-fix-init.patch -Patch1: lxc-1.1.4-fix-bootorder.patch +Patch0: lxc-2.0.1-fix-init.patch Patch2: lxc-2.0.0-remove-werror.patch BuildRequires: docbook-utils BuildRequires: docbook2X @@ -180,8 +179,6 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 -# see rhbz#1263612 -%patch1 -p1 # -Wall with -Werror doesn't work well %patch2 -p1 @@ -382,6 +379,10 @@ fi %changelog +* Fri Jun 3 2016 Thomas Moschny - 2.0.1-1 +- Update to 2.0.1. +- Remove patch no longer needed. + * Wed Apr 20 2016 Thomas Moschny - 2.0.0-1 - Update to 2.0.0. - Obsolete the -extra subpackage. diff --git a/sources b/sources index 532d2d0..7ded415 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -04a7245a614cd3296b0ae9ceeeb83fbb lxc-2.0.0.tar.gz +2b89f83185a82286518098ad5f42ac02 lxc-2.0.1.tar.gz From b85c8a4c854bf673cf2af998f1529b95f818eadc Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Wed, 29 Jun 2016 20:35:14 +0200 Subject: [PATCH 51/95] Update to 2.0.3. - Merge some spec file cleanups by Thierry Vignaud (tvignaud@redhat.com). --- lxc.spec | 16 +++++++++------- sources | 2 +- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/lxc.spec b/lxc.spec index 3490a0e..6ccb136 100644 --- a/lxc.spec +++ b/lxc.spec @@ -34,7 +34,7 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.1 +Version: 2.0.3 Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System 
@@ -47,19 +47,18 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-2.0.1-fix-init.patch Patch2: lxc-2.0.0-remove-werror.patch -BuildRequires: docbook-utils BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers BuildRequires: libselinux-devel %if 0%{?with_seccomp} -BuildRequires: libseccomp-devel +BuildRequires: pkgconfig(libseccomp) %endif # with_seccomp BuildRequires: libcap-devel BuildRequires: libtool -BuildRequires: lua-devel +BuildRequires: pkgconfig(lua) %if 0%{?with_python3} -BuildRequires: python3-devel >= 3.2 +BuildRequires: pkgconfig(python3) >= 3.2 %endif # with_python3 %if 0%{?with_systemd} BuildRequires: systemd @@ -211,12 +210,11 @@ This package contains documentation for %{name}. --with-init-script=sysvinit \ %endif # with_systemd # intentionally blank line -make %{?_smp_mflags} +%{make_build} %install %{make_install} -make DESTDIR=%{buildroot} install mkdir -p %{buildroot}%{_sharedstatedir}/%{name} chmod -x %{buildroot}%{luapkgdir}/lxc.lua @@ -379,6 +377,10 @@ fi %changelog +* Wed Jun 29 2016 Thomas Moschny - 2.0.3-1 +- Update to 2.0.3. +- Merge spec file cleanups by Thierry Vignaud (tvignaud@redhat.com). + * Fri Jun 3 2016 Thomas Moschny - 2.0.1-1 - Update to 2.0.1. - Remove patch no longer needed. diff --git a/sources b/sources index 7ded415..7507c69 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2b89f83185a82286518098ad5f42ac02 lxc-2.0.1.tar.gz +4a5654005924ec6f52eb9719520547d4 lxc-2.0.3.tar.gz From 71e03671a4afc9c0bfe2a6148be553a529934f97 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 19 Jul 2016 07:53:03 +0000 Subject: [PATCH 52/95] - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 6ccb136..1e9dc08 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -35,7 +35,7 @@ Name: lxc Version: 2.0.3 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -377,6 +377,9 @@ fi %changelog +* Tue Jul 19 2016 Fedora Release Engineering - 2.0.3-1.1 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + * Wed Jun 29 2016 Thomas Moschny - 2.0.3-1 - Update to 2.0.3. - Merge spec file cleanups by Thierry Vignaud (tvignaud@redhat.com). From 6e7e770af7270c3df0c2763f2fdc9bc7bae099b8 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Tue, 16 Aug 2016 11:42:45 +0200 Subject: [PATCH 53/95] Update to 2.0.4. - Remove conditional for older Fedora releases. --- lxc.spec | 16 ++++++++-------- sources | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/lxc.spec b/lxc.spec index 1e9dc08..7b04b3e 100644 --- a/lxc.spec +++ b/lxc.spec @@ -16,26 +16,22 @@ %endif %endif -%if 0%{?fedora} >= 22 +%if 0%{?fedora} %global luaver 5.3 %else -%if 0%{?fedora} >= 20 -%global luaver 5.2 -%else %global luaver 5.1 %endif -%endif %global lualibdir %{_libdir}/lua/%{luaver} %global luapkgdir %{_datadir}/lua/%{luaver} # for pre-releases #global prerel -%global commit 62ed104940747d135ffd71f513e51bf3d912d1d9 +%global commit 2c7ef9196cef03383a1b6a13628e0227736f8164 %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.3 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 +Version: 2.0.4 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -377,6 +373,10 @@ fi %changelog +* Tue Aug 16 2016 Thomas Moschny - 2.0.4-1 +- Update to 2.0.4. +- Remove conditional for eol'ed Fedora releases. + * Tue Jul 19 2016 Fedora Release Engineering - 2.0.3-1.1 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages 
diff --git a/sources b/sources index 7507c69..eda481c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -4a5654005924ec6f52eb9719520547d4 lxc-2.0.3.tar.gz +28db4dbacf860ae742138c0ed8dbf14c lxc-2.0.4.tar.gz From b80706496044e79d78a61626ef92a282fa2fb876 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Wed, 5 Oct 2016 13:26:19 +0200 Subject: [PATCH 54/95] Update to 2.0.5. --- lxc-2.0.0-remove-werror.patch | 12 ------------ lxc.spec | 18 +++++++++--------- sources | 2 +- 3 files changed, 10 insertions(+), 22 deletions(-) delete mode 100644 lxc-2.0.0-remove-werror.patch diff --git a/lxc-2.0.0-remove-werror.patch b/lxc-2.0.0-remove-werror.patch deleted file mode 100644 index b2da700..0000000 --- a/lxc-2.0.0-remove-werror.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up lxc-2.0.0/configure.ac.orig lxc-2.0.0/configure.ac ---- lxc-2.0.0/configure.ac.orig 2016-04-06 19:59:42.000000000 +0200 -+++ lxc-2.0.0/configure.ac 2016-04-21 07:46:29.936382133 +0200 -@@ -626,7 +626,7 @@ AC_PROG_SED - LXC_CHECK_TLS - - if test "x$GCC" = "xyes"; then -- CFLAGS="$CFLAGS -Wall -Werror" -+ CFLAGS="$CFLAGS -Wall" - fi - - # Files requiring some variable expansion diff --git a/lxc.spec b/lxc.spec index 7b04b3e..0f5cd80 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,7 +30,7 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.4 +Version: 2.0.5 Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System @@ -42,7 +42,6 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-2.0.1-fix-init.patch -Patch2: lxc-2.0.0-remove-werror.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers 
@@ -63,10 +62,9 @@ BuildRequires: systemd # C and does not depend on the Python3 binding anymore Provides: lxc-extra = %{version}-%{release} Obsoletes: lxc-extra < 1.1.5-3 -#if 0%{?prerel:1} -# we patch configure.ac +%if 0%{?prerel:1} BuildRequires: autoconf automake -#endif +%endif %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -174,14 +172,12 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 -# -Wall with -Werror doesn't work well -%patch2 -p1 %build -#if 0%{?prerel:1} +%if 0%{?prerel:1} ./autogen.sh -#endif +%endif %configure --with-distro=fedora \ --enable-doc \ --enable-api-docs \ @@ -205,6 +201,7 @@ This package contains documentation for %{name}. %else --with-init-script=sysvinit \ %endif # with_systemd + --disable-werror \ # intentionally blank line %{make_build} @@ -373,6 +370,9 @@ fi %changelog +* Wed Oct 5 2016 Thomas Moschny - 2.0.5-1 +- Update to 2.0.5. + * Tue Aug 16 2016 Thomas Moschny - 2.0.4-1 - Update to 2.0.4. - Remove conditional for eol'ed Fedora releases. diff --git a/sources b/sources index eda481c..1789328 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -28db4dbacf860ae742138c0ed8dbf14c lxc-2.0.4.tar.gz +59792f085be451b8cf336d86ac335123 lxc-2.0.5.tar.gz From 3bf81ab2425f9b456e00cd064f36695895000bf0 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 3 Dec 2016 17:04:07 +0100 Subject: [PATCH 55/95] Update to 2.0.6. --- lxc-2.0.1-fix-init.patch | 2 +- lxc.spec | 21 ++++++++++++++------- sources | 2 +- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/lxc-2.0.1-fix-init.patch b/lxc-2.0.1-fix-init.patch index 343c22c..d0bd513 100644 --- a/lxc-2.0.1-fix-init.patch +++ b/lxc-2.0.1-fix-init.patch 
@@ -38,7 +38,7 @@ diff -up lxc-2.0.1/config/init/sysvinit/lxc-net.in.orig lxc-2.0.1/config/init/sy # Should-Start: # Should-Stop: -# Default-Start: 2 3 4 5 --# Default-Stop: 1 +-# Default-Stop: 0 1 6 +# Default-Start: +# Default-Stop: # Short-Description: Bring up/down LXC Network Bridge diff --git a/lxc.spec b/lxc.spec index 0f5cd80..f5ecff3 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,7 +30,7 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.5 +Version: 2.0.6 Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System @@ -58,6 +58,9 @@ BuildRequires: pkgconfig(python3) >= 3.2 %if 0%{?with_systemd} BuildRequires: systemd %endif # with_systemd +%if 0%{?fedora} || 0%{?rhel} >= 7 +BuildRequires: pkgconfig(bash-completion) +%endif # lxc-extra subpackage not needed anymore, lxc-ls has been rewriten in # C and does not depend on the Python3 binding anymore Provides: lxc-extra = %{version}-%{release} @@ -203,6 +206,11 @@ This package contains documentation for %{name}. %endif # with_systemd --disable-werror \ # intentionally blank line + +# fix rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + %{make_build} @@ -219,12 +227,8 @@ cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ # cache dir mkdir -p %{buildroot}%{_localstatedir}/cache/%{name} -# on Fedora and EPEL>=7, move the completion file to %%{_datadir} -%if 0%{?fedora} || 0%{?rhel} >= 7 -install -d %{buildroot}%{_datadir}/bash-completion/completions/ -mv %{buildroot}%{_sysconfdir}/bash_completion.d/%{name} \ - %{buildroot}%{_datadir}/bash-completion/completions/%{name} -%endif +# remove libtool .la file +rm -rf %{buildroot}%{_libdir}/liblxc.la %check @@ -370,6 +374,9 @@ fi %changelog +* Sat Dec 3 2016 Thomas Moschny - 2.0.6-1 +- Update to 2.0.6. + * Wed Oct 5 2016 Thomas Moschny - 2.0.5-1 - Update to 2.0.5. 
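Review bot: The two `sed -i` edits on the generated `libtool` script in the %build hunk are unchecked, so a libtool release that renames `hardcode_libdir_flag_spec` or `runpath_var` would turn them into silent no-ops and the RPATH would land in the installed binaries again; a guard such as `sed -i ... libtool && ! grep -q '^runpath_var=LD_RUN_PATH' libtool`, or at least a comment naming the libtool version this was verified against, would make the failure visible. In the %install hunk, `rm -rf %{buildroot}%{_libdir}/liblxc.la` targets a single file, so `rm -f` is the clearer form. The completion-file move was dropped together with the new `pkgconfig(bash-completion)` build dependency, presumably so configure now takes the completion directory from pkg-config; the matching %files entry is outside these hunks, so I cannot confirm it follows.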
diff --git a/sources b/sources index 1789328..1e9a2e3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -59792f085be451b8cf336d86ac335123 lxc-2.0.5.tar.gz +5fd4b7af8026e8ae20b3065ee18fe974 lxc-2.0.6.tar.gz From 1fc44c52f80caae38fade4a62af73a2afad6db7b Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 4 Dec 2016 21:58:55 +0100 Subject: [PATCH 56/95] Enable python3 on epel7 builds. - Fix dependency on network-online.target for lxc-net.service. --- lxc-2.0.6-fix-lxc-net.patch | 11 +++++++++++ lxc.spec | 18 ++++++++++++------ 2 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 lxc-2.0.6-fix-lxc-net.patch diff --git a/lxc-2.0.6-fix-lxc-net.patch b/lxc-2.0.6-fix-lxc-net.patch new file mode 100644 index 0000000..684cee3 --- /dev/null +++ b/lxc-2.0.6-fix-lxc-net.patch @@ -0,0 +1,11 @@ +diff -up lxc-2.0.6/config/init/systemd/lxc-net.service.in.orig lxc-2.0.6/config/init/systemd/lxc-net.service.in +--- lxc-2.0.6/config/init/systemd/lxc-net.service.in.orig 2016-11-23 20:15:59.000000000 +0100 ++++ lxc-2.0.6/config/init/systemd/lxc-net.service.in 2016-12-04 21:55:24.149093437 +0100 +@@ -1,6 +1,7 @@ + [Unit] + Description=LXC network bridge setup + After=network-online.target ++Wants=network-online.target + Before=lxc.service + + [Service] diff --git a/lxc.spec b/lxc.spec index f5ecff3..8a8d204 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,4 +1,4 @@ -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 7 %global with_python3 1 %endif @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.6 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
@@ -42,6 +42,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-2.0.1-fix-init.patch +Patch1: lxc-2.0.6-fix-lxc-net.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -100,15 +101,15 @@ The %{name}-libs package contains libraries for running %{name} applications. %if 0%{?with_python3} -%package -n python3-%{name} +%package -n python%{python3_pkgversion}-%{name} Summary: Python binding for %{name} Group: System Environment/Libraries -%description -n python3-%{name} +%description -n python%{python3_pkgversion}-%{name} Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. -The python3-%{name} package contains the Python3 binding for %{name}. +The python%{python3_pkgversion}-%{name} package contains the Python3 binding for %{name}. %global __provides_exclude %{?__provides_exclude:%__provides_exclude|}_lxc\\..*\\.so %endif # with_python3 @@ -175,6 +176,7 @@ This package contains documentation for %{name}. %prep %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 +%patch1 -p1 %build @@ -342,7 +344,7 @@ fi %if 0%{?with_python3} -%files -n python3-%{name} +%files -n python%{python3_pkgversion}-%{name} %{python3_sitearch}/* %endif # with_python3 @@ -374,6 +376,10 @@ fi %changelog +* Sun Dec 4 2016 Thomas Moschny - 2.0.6-2 +- Enable python3 on epel7 builds. +- Fix dependency on network-online.target for lxc-net.service. + * Sat Dec 3 2016 Thomas Moschny - 2.0.6-1 - Update to 2.0.6. From d56f5c924344726b1be067bb503ab4d384e8b5d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Mon, 19 Dec 2016 18:20:36 +0100 Subject: [PATCH 57/95] Rebuild for Python 3.6 --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 8a8d204..4437cc0 100644 --- a/lxc.spec +++ b/lxc.spec 
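Review bot: `python%{python3_pkgversion}-%{name}` is now used unconditionally in the subpackage name, its %description and its %files section, and rpm leaves an undefined `%{python3_pkgversion}` unexpanded, which would yield an invalid package name rather than a clear error. The spec does not show where the macro comes from (on EPEL 7 it is presumably supplied by the python3 macro packages pulled in via `pkgconfig(python3)`), so a fallback such as `%{!?python3_pkgversion:%global python3_pkgversion 3}` near the top of the spec, or an `%{error:python3_pkgversion is not defined}` inside the `with_python3` block, would make that dependency explicit.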
@@ -31,7 +31,7 @@ Name: lxc Version: 2.0.6 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -376,6 +376,9 @@ fi %changelog +* Mon Dec 19 2016 Miro Hrončok - 2.0.6-2.1 +- Rebuild for Python 3.6 + * Sun Dec 4 2016 Thomas Moschny - 2.0.6-2 - Enable python3 on epel7 builds. - Fix dependency on network-online.target for lxc-net.service. From aef41dd68f320be5d69148030649389271f15fcc Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 29 Jan 2017 13:04:07 +0100 Subject: [PATCH 58/95] Update to 2.0.7. --- ....1-fix-init.patch => lxc-2.0.7-fix-init.patch | 16 ++++++++-------- lxc.spec | 9 ++++++--- sources | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) rename lxc-2.0.1-fix-init.patch => lxc-2.0.7-fix-init.patch (60%) diff --git a/lxc-2.0.1-fix-init.patch b/lxc-2.0.7-fix-init.patch similarity index 60% rename from lxc-2.0.1-fix-init.patch rename to lxc-2.0.7-fix-init.patch index d0bd513..38f771d 100644 --- a/lxc-2.0.1-fix-init.patch +++ b/lxc-2.0.7-fix-init.patch @@ -1,6 +1,6 @@ -diff -up lxc-2.0.1/config/init/sysvinit/lxc-containers.in.orig lxc-2.0.1/config/init/sysvinit/lxc-containers.in ---- lxc-2.0.1/config/init/sysvinit/lxc-containers.in.orig 2016-05-18 20:40:05.308604928 +0200 -+++ lxc-2.0.1/config/init/sysvinit/lxc-containers.in 2016-05-18 20:42:15.855301108 +0200 +diff -up lxc-2.0.7/config/init/sysvinit/lxc-containers.in.orig lxc-2.0.7/config/init/sysvinit/lxc-containers.in +--- lxc-2.0.7/config/init/sysvinit/lxc-containers.in.orig 2017-01-23 18:45:30.000000000 +0100 ++++ lxc-2.0.7/config/init/sysvinit/lxc-containers.in 2017-01-29 13:00:23.934781187 +0100 @@ -2,7 +2,7 @@ # # lxc Start/Stop LXC autoboot containers @@ -12,8 +12,8 @@ diff -up lxc-2.0.1/config/init/sysvinit/lxc-containers.in.orig lxc-2.0.1/config/ ### BEGIN INIT INFO 
@@ -11,8 +11,8 @@ # Required-Stop: $syslog $remote_fs - # Should-Start: - # Should-Stop: + # Should-Start: cgroupfs-mount + # Should-Stop: cgroupfs-mount -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 +# Default-Start: @@ -21,9 +21,9 @@ diff -up lxc-2.0.1/config/init/sysvinit/lxc-containers.in.orig lxc-2.0.1/config/ # Short-Description: Bring up/down LXC autostart containers # Description: Bring up/down LXC autostart containers ### END INIT INFO -diff -up lxc-2.0.1/config/init/sysvinit/lxc-net.in.orig lxc-2.0.1/config/init/sysvinit/lxc-net.in ---- lxc-2.0.1/config/init/sysvinit/lxc-net.in.orig 2016-05-18 20:40:05.308604928 +0200 -+++ lxc-2.0.1/config/init/sysvinit/lxc-net.in 2016-05-18 20:42:29.560164233 +0200 +diff -up lxc-2.0.7/config/init/sysvinit/lxc-net.in.orig lxc-2.0.7/config/init/sysvinit/lxc-net.in +--- lxc-2.0.7/config/init/sysvinit/lxc-net.in.orig 2017-01-23 18:45:30.000000000 +0100 ++++ lxc-2.0.7/config/init/sysvinit/lxc-net.in 2017-01-29 13:00:23.935781166 +0100 @@ -2,7 +2,7 @@ # # lxc-net Start/Stop LXC Networking diff --git a/lxc.spec b/lxc.spec index 4437cc0..199afa8 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.6 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 +Version: 2.0.7 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -41,7 +41,7 @@ Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t %else Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif -Patch0: lxc-2.0.1-fix-init.patch +Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch BuildRequires: docbook2X BuildRequires: doxygen @@ -376,6 +376,9 @@ fi %changelog +* Sun Jan 29 2017 Thomas Moschny - 2.0.7-1 +- Update to 2.0.7. + * Mon Dec 19 2016 Miro Hrončok - 2.0.6-2.1 - Rebuild for Python 3.6 
diff --git a/sources b/sources index 1e9a2e3..311907a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -5fd4b7af8026e8ae20b3065ee18fe974 lxc-2.0.6.tar.gz +SHA512 (lxc-2.0.7.tar.gz) = 51aedd32ae108f31dac5e8e1e71c93fa5da7813a3569f4aeee79dc254fe4a8c27221de83f645e6b334048c44953a7a7dbcde64439b9161d0cb55d8207944bb7b From fe5b3bffd32c886d966b72659e3b0fcbd035f238 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 10 Feb 2017 20:14:12 +0000 Subject: [PATCH 59/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 199afa8..53ff64a 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.7 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -376,6 +376,9 @@ fi %changelog +* Fri Feb 10 2017 Fedora Release Engineering - 2.0.7-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Sun Jan 29 2017 Thomas Moschny - 2.0.7-1 - Update to 2.0.7. From edf51eb4a1efbf88174cd1864777ca9b4b1de9a3 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Wed, 15 Feb 2017 17:41:04 +0100 Subject: [PATCH 60/95] Rebuild for brp-python-bytecompile Signed-off-by: Igor Gnatenko --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 53ff64a..eb08816 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.7 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.2 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
@@ -376,6 +376,9 @@ fi %changelog +* Wed Feb 15 2017 Igor Gnatenko - 2.0.7-1.2 +- Rebuild for brp-python-bytecompile + * Fri Feb 10 2017 Fedora Release Engineering - 2.0.7-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild From 4f7014cf0c3611eb5c01024d31bbb2b673338d35 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Thu, 9 Mar 2017 18:53:07 +0100 Subject: [PATCH 61/95] Add fix for CVE-2017-5985. --- lxc-2.0.7-ensure-netns-is-caller-owned.patch | 185 +++++++++++++++++++ lxc.spec | 7 +- 2 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 lxc-2.0.7-ensure-netns-is-caller-owned.patch diff --git a/lxc-2.0.7-ensure-netns-is-caller-owned.patch b/lxc-2.0.7-ensure-netns-is-caller-owned.patch new file mode 100644 index 0000000..3b8a0e3 --- /dev/null +++ b/lxc-2.0.7-ensure-netns-is-caller-owned.patch 
@@ -0,0 +1,185 @@ +From d512bd5efb0e407eba350c4e649c464a65b712a3 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Sat, 28 Jan 2017 13:02:34 +0100 +Subject: [PATCH] CVE-2017-5985: Ensure target netns is caller-owned + +Before this commit, lxc-user-nic could potentially have been tricked into +operating on a network namespace over which the caller did not hold privilege. + +This commit ensures that the caller is privileged over the network namespace by +temporarily dropping privilege. + +Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676 +Reported-by: Jann Horn +Signed-off-by: Christian Brauner +--- + src/lxc/lxc_user_nic.c | 119 ++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 87 insertions(+), 32 deletions(-) + +diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c +index 409a53a..96dc398 100644 +--- a/src/lxc/lxc_user_nic.c ++++ b/src/lxc/lxc_user_nic.c +@@ -50,6 +50,14 @@ + #include "utils.h" + #include "network.h" + ++#define usernic_debug_stream(stream, format, ...) \ ++ do { \ ++ fprintf(stream, "%s: %d: %s: " format, __FILE__, __LINE__, \ ++ __func__, __VA_ARGS__); \ ++ } while (false) ++ ++#define usernic_error(format, ...) 
usernic_debug_stream(stderr, format, __VA_ARGS__) ++ + static void usage(char *me, bool fail) + { + fprintf(stderr, "Usage: %s lxcpath name pid type bridge nicname\n", me); +@@ -670,68 +678,115 @@ static bool create_db_dir(char *fnam) + } + + #define VETH_DEF_NAME "eth%d" +- + static int rename_in_ns(int pid, char *oldname, char **newnamep) + { +- int fd = -1, ofd = -1, ret, ifindex = -1; ++ uid_t ruid, suid, euid; ++ int fret = -1; ++ int fd = -1, ifindex = -1, ofd = -1, ret; + bool grab_newname = false; + + ofd = lxc_preserve_ns(getpid(), "net"); + if (ofd < 0) { +- fprintf(stderr, "Failed opening network namespace path for '%d'.", getpid()); +- return -1; ++ usernic_error("Failed opening network namespace path for '%d'.", getpid()); ++ return fret; + } + + fd = lxc_preserve_ns(pid, "net"); + if (fd < 0) { +- fprintf(stderr, "Failed opening network namespace path for '%d'.", pid); +- return -1; ++ usernic_error("Failed opening network namespace path for '%d'.", pid); ++ goto do_partial_cleanup; ++ } ++ ++ ret = getresuid(&ruid, &euid, &suid); ++ if (ret < 0) { ++ usernic_error("Failed to retrieve real, effective, and saved " ++ "user IDs: %s\n", ++ strerror(errno)); ++ goto do_partial_cleanup; ++ } ++ ++ ret = setns(fd, CLONE_NEWNET); ++ close(fd); ++ fd = -1; ++ if (ret < 0) { ++ usernic_error("Failed to setns() to the network namespace of " ++ "the container with PID %d: %s.\n", ++ pid, strerror(errno)); ++ goto do_partial_cleanup; + } + +- if (setns(fd, 0) < 0) { +- fprintf(stderr, "setns to container network namespace\n"); +- goto out_err; ++ ret = setresuid(ruid, ruid, 0); ++ if (ret < 0) { ++ usernic_error("Failed to drop privilege by setting effective " ++ "user id and real user id to %d, and saved user " ++ "ID to 0: %s.\n", ++ ruid, strerror(errno)); ++ // COMMENT(brauner): It's ok to jump to do_full_cleanup here ++ // since setresuid() will succeed when trying to set real, ++ // effective, and saved to values they currently have. 
++ goto do_full_cleanup; + } +- close(fd); fd = -1; ++ + if (!*newnamep) { + grab_newname = true; + *newnamep = VETH_DEF_NAME; +- if (!(ifindex = if_nametoindex(oldname))) { +- fprintf(stderr, "failed to get netdev index\n"); +- goto out_err; ++ ++ ifindex = if_nametoindex(oldname); ++ if (!ifindex) { ++ usernic_error("Failed to get netdev index: %s.\n", strerror(errno)); ++ goto do_full_cleanup; + } + } +- if ((ret = lxc_netdev_rename_by_name(oldname, *newnamep)) < 0) { +- fprintf(stderr, "Error %d renaming netdev %s to %s in container\n", ret, oldname, *newnamep); +- goto out_err; ++ ++ ret = lxc_netdev_rename_by_name(oldname, *newnamep); ++ if (ret < 0) { ++ usernic_error("Error %d renaming netdev %s to %s in container.\n", ret, oldname, *newnamep); ++ goto do_full_cleanup; + } ++ + if (grab_newname) { +- char ifname[IFNAMSIZ], *namep = ifname; ++ char ifname[IFNAMSIZ]; ++ char *namep = ifname; ++ + if (!if_indextoname(ifindex, namep)) { +- fprintf(stderr, "Failed to get new netdev name\n"); +- goto out_err; ++ usernic_error("Failed to get new netdev name: %s.\n", strerror(errno)); ++ goto do_full_cleanup; + } ++ + *newnamep = strdup(namep); + if (!*newnamep) +- goto out_err; ++ goto do_full_cleanup; + } +- if (setns(ofd, 0) < 0) { +- fprintf(stderr, "Error returning to original netns\n"); +- close(ofd); +- return -1; ++ ++ fret = 0; ++ ++do_full_cleanup: ++ ret = setresuid(ruid, euid, suid); ++ if (ret < 0) { ++ usernic_error("Failed to restore privilege by setting effective " ++ "user id to %d, real user id to %d, and saved user " ++ "ID to %d: %s.\n", ++ ruid, euid, suid, strerror(errno)); ++ fret = -1; ++ // COMMENT(brauner): setns() should fail if setresuid() doesn't ++ // succeed but there's no harm in falling through; keeps the ++ // code cleaner. 
+ } +- close(ofd); + +- return 0; ++ ret = setns(ofd, CLONE_NEWNET); ++ if (ret < 0) { ++ usernic_error("Failed to setns() to original network namespace " ++ "of PID %d: %s.\n", ++ ofd, strerror(errno)); ++ fret = -1; ++ } + +-out_err: +- if (ofd >= 0) +- close(ofd); +- if (setns(ofd, 0) < 0) +- fprintf(stderr, "Error returning to original network namespace\n"); ++do_partial_cleanup: + if (fd >= 0) + close(fd); +- return -1; ++ close(ofd); ++ ++ return fret; + } + + /* diff --git a/lxc.spec b/lxc.spec index eb08816..75fb8f9 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.7 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.2 +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -43,6 +43,7 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch +Patch2: lxc-2.0.7-ensure-netns-is-caller-owned.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -177,6 +178,7 @@ This package contains documentation for %{name}. %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build @@ -376,6 +378,9 @@ fi %changelog +* Thu Mar 9 2017 Thomas Moschny - 2.0.7-2 +- Add fix for CVE-2017-5985. + * Wed Feb 15 2017 Igor Gnatenko - 2.0.7-1.2 - Rebuild for brp-python-bytecompile From 7a57abc43f5e304fbbcc586a3ac5601a8c9a8d99 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Tue, 6 Jun 2017 19:31:53 +0200 Subject: [PATCH 62/95] Update to 2.0.8. --- lxc-2.0.7-ensure-netns-is-caller-owned.patch | 185 ------------------- lxc.spec | 11 +- sources | 2 +- 3 files changed, 7 insertions(+), 191 deletions(-) delete mode 100644 lxc-2.0.7-ensure-netns-is-caller-owned.patch 
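Review bot: The final error path of `rename_in_ns` reports `ofd` as a PID — `"Failed to setns() to original network namespace of PID %d"` is given the saved namespace file descriptor, not a pid — so the message should print `getpid()` or say `fd %d` instead. More importantly, the hunk never documents that the ownership check promised by the patch title is implicit: `setresuid(ruid, ruid, 0)` makes the rename run as the caller so the kernel's netlink permission check in the target netns decides, while the saved uid is kept at 0 only to regain privilege afterwards; a comment such as `/* Run as the caller so the kernel rejects the rename unless the caller owns this netns; keep suid 0 to restore privilege. */` on that line would make the intent explicit. If restoring privilege fails the function returns -1 but the process may still be inside the container's netns with reduced privilege, so the caller (outside this hunk) must treat that return as fatal rather than continue.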
diff --git a/lxc-2.0.7-ensure-netns-is-caller-owned.patch b/lxc-2.0.7-ensure-netns-is-caller-owned.patch deleted file mode 100644 index 3b8a0e3..0000000 --- a/lxc-2.0.7-ensure-netns-is-caller-owned.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From d512bd5efb0e407eba350c4e649c464a65b712a3 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 28 Jan 2017 13:02:34 +0100 -Subject: [PATCH] CVE-2017-5985: Ensure target netns is caller-owned - -Before this commit, lxc-user-nic could potentially have been tricked into -operating on a network namespace over which the caller did not hold privilege. - -This commit ensures that the caller is privileged over the network namespace by -temporarily dropping privilege. - -Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676 -Reported-by: Jann Horn -Signed-off-by: Christian Brauner ---- - src/lxc/lxc_user_nic.c | 119 ++++++++++++++++++++++++++++++++++++------------- - 1 file changed, 87 insertions(+), 32 deletions(-) - -diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c -index 409a53a..96dc398 100644 ---- a/src/lxc/lxc_user_nic.c -+++ b/src/lxc/lxc_user_nic.c -@@ -50,6 +50,14 @@ - #include "utils.h" - #include "network.h" - -+#define usernic_debug_stream(stream, format, ...) \ -+ do { \ -+ fprintf(stream, "%s: %d: %s: " format, __FILE__, __LINE__, \ -+ __func__, __VA_ARGS__); \ -+ } while (false) -+ -+#define usernic_error(format, ...) 
usernic_debug_stream(stderr, format, __VA_ARGS__) -+ - static void usage(char *me, bool fail) - { - fprintf(stderr, "Usage: %s lxcpath name pid type bridge nicname\n", me); -@@ -670,68 +678,115 @@ static bool create_db_dir(char *fnam) - } - - #define VETH_DEF_NAME "eth%d" -- - static int rename_in_ns(int pid, char *oldname, char **newnamep) - { -- int fd = -1, ofd = -1, ret, ifindex = -1; -+ uid_t ruid, suid, euid; -+ int fret = -1; -+ int fd = -1, ifindex = -1, ofd = -1, ret; - bool grab_newname = false; - - ofd = lxc_preserve_ns(getpid(), "net"); - if (ofd < 0) { -- fprintf(stderr, "Failed opening network namespace path for '%d'.", getpid()); -- return -1; -+ usernic_error("Failed opening network namespace path for '%d'.", getpid()); -+ return fret; - } - - fd = lxc_preserve_ns(pid, "net"); - if (fd < 0) { -- fprintf(stderr, "Failed opening network namespace path for '%d'.", pid); -- return -1; -+ usernic_error("Failed opening network namespace path for '%d'.", pid); -+ goto do_partial_cleanup; -+ } -+ -+ ret = getresuid(&ruid, &euid, &suid); -+ if (ret < 0) { -+ usernic_error("Failed to retrieve real, effective, and saved " -+ "user IDs: %s\n", -+ strerror(errno)); -+ goto do_partial_cleanup; -+ } -+ -+ ret = setns(fd, CLONE_NEWNET); -+ close(fd); -+ fd = -1; -+ if (ret < 0) { -+ usernic_error("Failed to setns() to the network namespace of " -+ "the container with PID %d: %s.\n", -+ pid, strerror(errno)); -+ goto do_partial_cleanup; - } - -- if (setns(fd, 0) < 0) { -- fprintf(stderr, "setns to container network namespace\n"); -- goto out_err; -+ ret = setresuid(ruid, ruid, 0); -+ if (ret < 0) { -+ usernic_error("Failed to drop privilege by setting effective " -+ "user id and real user id to %d, and saved user " -+ "ID to 0: %s.\n", -+ ruid, strerror(errno)); -+ // COMMENT(brauner): It's ok to jump to do_full_cleanup here -+ // since setresuid() will succeed when trying to set real, -+ // effective, and saved to values they currently have. 
-+ goto do_full_cleanup; - } -- close(fd); fd = -1; -+ - if (!*newnamep) { - grab_newname = true; - *newnamep = VETH_DEF_NAME; -- if (!(ifindex = if_nametoindex(oldname))) { -- fprintf(stderr, "failed to get netdev index\n"); -- goto out_err; -+ -+ ifindex = if_nametoindex(oldname); -+ if (!ifindex) { -+ usernic_error("Failed to get netdev index: %s.\n", strerror(errno)); -+ goto do_full_cleanup; - } - } -- if ((ret = lxc_netdev_rename_by_name(oldname, *newnamep)) < 0) { -- fprintf(stderr, "Error %d renaming netdev %s to %s in container\n", ret, oldname, *newnamep); -- goto out_err; -+ -+ ret = lxc_netdev_rename_by_name(oldname, *newnamep); -+ if (ret < 0) { -+ usernic_error("Error %d renaming netdev %s to %s in container.\n", ret, oldname, *newnamep); -+ goto do_full_cleanup; - } -+ - if (grab_newname) { -- char ifname[IFNAMSIZ], *namep = ifname; -+ char ifname[IFNAMSIZ]; -+ char *namep = ifname; -+ - if (!if_indextoname(ifindex, namep)) { -- fprintf(stderr, "Failed to get new netdev name\n"); -- goto out_err; -+ usernic_error("Failed to get new netdev name: %s.\n", strerror(errno)); -+ goto do_full_cleanup; - } -+ - *newnamep = strdup(namep); - if (!*newnamep) -- goto out_err; -+ goto do_full_cleanup; - } -- if (setns(ofd, 0) < 0) { -- fprintf(stderr, "Error returning to original netns\n"); -- close(ofd); -- return -1; -+ -+ fret = 0; -+ -+do_full_cleanup: -+ ret = setresuid(ruid, euid, suid); -+ if (ret < 0) { -+ usernic_error("Failed to restore privilege by setting effective " -+ "user id to %d, real user id to %d, and saved user " -+ "ID to %d: %s.\n", -+ ruid, euid, suid, strerror(errno)); -+ fret = -1; -+ // COMMENT(brauner): setns() should fail if setresuid() doesn't -+ // succeed but there's no harm in falling through; keeps the -+ // code cleaner. 
- } -- close(ofd); - -- return 0; -+ ret = setns(ofd, CLONE_NEWNET); -+ if (ret < 0) { -+ usernic_error("Failed to setns() to original network namespace " -+ "of PID %d: %s.\n", -+ ofd, strerror(errno)); -+ fret = -1; -+ } - --out_err: -- if (ofd >= 0) -- close(ofd); -- if (setns(ofd, 0) < 0) -- fprintf(stderr, "Error returning to original network namespace\n"); -+do_partial_cleanup: - if (fd >= 0) - close(fd); -- return -1; -+ close(ofd); -+ -+ return fret; - } - - /* diff --git a/lxc.spec b/lxc.spec index 75fb8f9..554886b 100644 --- a/lxc.spec +++ b/lxc.spec @@ -26,12 +26,12 @@ # for pre-releases #global prerel -%global commit 2c7ef9196cef03383a1b6a13628e0227736f8164 +%global commit a467a845443054a9f75d65cf0a73bb4d5ff2ab71 %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.7 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Version: 2.0.8 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -43,7 +43,6 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch -Patch2: lxc-2.0.7-ensure-netns-is-caller-owned.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -178,7 +177,6 @@ This package contains documentation for %{name}. %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %patch1 -p1 -%patch2 -p1 %build @@ -378,6 +376,9 @@ fi %changelog +* Tue Jun 6 2017 Thomas Moschny - 2.0.8-1 +- Update to 2.0.8. + * Thu Mar 9 2017 Thomas Moschny - 2.0.7-2 - Add fix for CVE-2017-5985. diff --git a/sources b/sources index 311907a..c652b1a 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (lxc-2.0.7.tar.gz) = 51aedd32ae108f31dac5e8e1e71c93fa5da7813a3569f4aeee79dc254fe4a8c27221de83f645e6b334048c44953a7a7dbcde64439b9161d0cb55d8207944bb7b +SHA512 (lxc-2.0.8.tar.gz) = ed9fd47e92007f433695cffea659180866a5ac2778712f4eb13b6629bb18292589f5b674b734853ca196ba1f6d38bdbf3cc8a2bb28e25d3540b06b945fcf9096 From ec14f382cce8edb773d36dd535afdeba31c1f37f Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 10 Jun 2017 11:43:10 +0200 Subject: [PATCH 63/95] Fix for EL6 build failure. --- lxc-2.0.8-fix_capability_h.patch | 33 ++++++++++++++++++++++++++++++++ lxc.spec | 11 ++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 lxc-2.0.8-fix_capability_h.patch diff --git a/lxc-2.0.8-fix_capability_h.patch b/lxc-2.0.8-fix_capability_h.patch new file mode 100644 index 0000000..c5b92c8 --- /dev/null +++ b/lxc-2.0.8-fix_capability_h.patch @@ -0,0 +1,33 @@ +diff -up lxc-2.0.8/src/lxc/caps.h.orig lxc-2.0.8/src/lxc/caps.h +--- lxc-2.0.8/src/lxc/caps.h.orig 2017-05-11 17:23:06.000000000 +0000 ++++ lxc-2.0.8/src/lxc/caps.h 2017-06-10 07:04:48.702079368 +0000 +@@ -28,6 +28,7 @@ + #define __LXC_CAPS_H + + #if HAVE_LIBCAP ++#include + #include + + extern int lxc_caps_down(void); +diff -up lxc-2.0.8/src/lxc/conf.c.orig lxc-2.0.8/src/lxc/conf.c +--- lxc-2.0.8/src/lxc/conf.c.orig 2017-05-11 17:23:06.000000000 +0000 ++++ lxc-2.0.8/src/lxc/conf.c 2017-06-10 07:08:18.448806856 +0000 +@@ -90,6 +90,7 @@ + #include "lsm/lsm.h" + + #if HAVE_LIBCAP ++#include + #include + #endif + +diff -up lxc-2.0.8/src/lxc/start.c.orig lxc-2.0.8/src/lxc/start.c +--- lxc-2.0.8/src/lxc/start.c.orig 2017-05-11 17:23:06.000000000 +0000 ++++ lxc-2.0.8/src/lxc/start.c 2017-06-10 07:05:33.166293224 +0000 +@@ -47,6 +47,7 @@ + #include + + #if HAVE_LIBCAP ++#include + #include + #endif + diff --git a/lxc.spec b/lxc.spec index 554886b..9b4ffd5 100644 --- a/lxc.spec +++ b/lxc.spec 
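Review bot: The new patch file carries no header explaining why an extra `#include` is prepended before `<sys/capability.h>` in caps.h, conf.c and start.c; the only rationale is the %prep comment added to the spec in the same commit (broken `sys/capability.h` on EL6, rhbz#483548). As rendered here the included header's name is not visible, so I cannot confirm which header it is. A one-line description at the top of the patch, e.g. `EL6's sys/capability.h does not include the types it needs; pull them in first (rhbz#483548)`, would keep the patch self-explanatory when it is carried forward to new releases.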
@@ -31,7 +31,7 @@ Name: lxc Version: 2.0.8 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -43,6 +43,7 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz %endif Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch +Patch2: lxc-2.0.8-fix_capability_h.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -177,6 +178,11 @@ This package contains documentation for %{name}. %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %patch1 -p1 +%if 0%{?rhel} == 6 +# fix build failure with broken sys/capabilities.h (see +# e.g. rhbz#483548) +%patch2 -p1 +%endif %build @@ -376,6 +382,9 @@ fi %changelog +* Sat Jun 10 2017 Thomas Moschny - 2.0.8-2 +- Fix for EL6 build failure. + * Tue Jun 6 2017 Thomas Moschny - 2.0.8-1 - Update to 2.0.8. From 08e37c0ba8f842e3bbd582052cefc166db06d012 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 10 Jun 2017 14:21:54 +0200 Subject: [PATCH 64/95] Fix bash completion on epel6 (rhbz#1408173). --- lxc-fix-bash-completion.patch | 10 ++++++++++ lxc.spec | 6 +++++- 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 lxc-fix-bash-completion.patch diff --git a/lxc-fix-bash-completion.patch b/lxc-fix-bash-completion.patch new file mode 100644 index 0000000..fcbdaa4 --- /dev/null +++ b/lxc-fix-bash-completion.patch @@ -0,0 +1,10 @@ +diff --git b/config/bash/lxc.in a/config/bash/lxc.in +index 344d5cb..cbd1b79 100644 +--- b/config/bash/lxc.in ++++ a/config/bash/lxc.in +@@ -1,4 +1,4 @@ +-_have lxc-start && { ++have lxc-start && { + _lxc_names() { + COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) ) + } diff --git a/lxc.spec b/lxc.spec index 9b4ffd5..9d0fbd0 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -44,6 +44,7 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch Patch2: lxc-2.0.8-fix_capability_h.patch +Patch3: lxc-fix-bash-completion.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -178,10 +179,12 @@ This package contains documentation for %{name}. %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %patch1 -p1 -%if 0%{?rhel} == 6 +%if 0%{?rhel} <= 6 # fix build failure with broken sys/capabilities.h (see # e.g. rhbz#483548) %patch2 -p1 +# revert 3db8dd39 (see rhbz#1408173) +%patch3 -p1 %endif @@ -384,6 +387,7 @@ fi %changelog * Sat Jun 10 2017 Thomas Moschny - 2.0.8-2 - Fix for EL6 build failure. +- Fix bash completion on epel6 (rhbz#1408173). * Tue Jun 6 2017 Thomas Moschny - 2.0.8-1 - Update to 2.0.8. From 5d2936af2ad706f94cce0b920c3ff4988c89d0a3 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 26 Jul 2017 20:35:58 +0000 Subject: [PATCH 65/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 9d0fbd0..7f1727a 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.8 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -385,6 +385,9 @@ fi %changelog +* Wed Jul 26 2017 Fedora Release Engineering - 2.0.8-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Sat Jun 10 2017 Thomas Moschny - 2.0.8-2 - Fix for EL6 build failure. - Fix bash completion on epel6 (rhbz#1408173). From f471cfcb224829cb64531e929c857bde704f1168 Mon Sep 17 00:00:00 2001 
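Review bot: The guard `%if 0%{?rhel} <= 6` is also true on Fedora, where `%{?rhel}` expands to nothing and the test becomes `0 <= 6`, so patch2 and patch3 (the `have` revert the changelog says is for epel6) are applied to every build rather than only to EL6; the previous `== 6` form did not have this problem. Use `%if 0%{?rhel} && 0%{?rhel} <= 6` so the block is skipped when rhel is unset.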
From: Fedora Release Engineering Date: Thu, 3 Aug 2017 02:54:43 +0000 Subject: [PATCH 66/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 7f1727a..7b79c8e 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.8 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.1 +Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.2 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -385,6 +385,9 @@ fi %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 2.0.8-2.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Wed Jul 26 2017 Fedora Release Engineering - 2.0.8-2.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 3a3ea957ff7f908be520265e1f53a02b8b6ff197 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 20 Oct 2017 19:40:52 +0200 Subject: [PATCH 67/95] Update to 2.0.9. --- lxc-2.0.8-fix_capability_h.patch | 26 +++++++++++++------------- lxc.spec | 9 ++++++--- sources | 2 +- 3 files changed, 20 insertions(+), 17 deletions(-) diff --git a/lxc-2.0.8-fix_capability_h.patch b/lxc-2.0.8-fix_capability_h.patch index c5b92c8..d4843d1 100644 --- a/lxc-2.0.8-fix_capability_h.patch +++ b/lxc-2.0.8-fix_capability_h.patch 
@@ -1,18 +1,18 @@ -diff -up lxc-2.0.8/src/lxc/caps.h.orig lxc-2.0.8/src/lxc/caps.h ---- lxc-2.0.8/src/lxc/caps.h.orig 2017-05-11 17:23:06.000000000 +0000 -+++ lxc-2.0.8/src/lxc/caps.h 2017-06-10 07:04:48.702079368 +0000 -@@ -28,6 +28,7 @@ - #define __LXC_CAPS_H +diff -up lxc-2.0.9/src/lxc/caps.h~ lxc-2.0.9/src/lxc/caps.h +--- lxc-2.0.9/src/lxc/caps.h~ 2017-10-19 19:13:25.000000000 +0200 ++++ lxc-2.0.9/src/lxc/caps.h 2017-10-20 19:31:11.958292398 +0200 +@@ -29,6 +29,7 @@ + #if HAVE_LIBCAP +#include #include extern int lxc_caps_down(void); -diff -up lxc-2.0.8/src/lxc/conf.c.orig lxc-2.0.8/src/lxc/conf.c ---- lxc-2.0.8/src/lxc/conf.c.orig 2017-05-11 17:23:06.000000000 +0000 -+++ lxc-2.0.8/src/lxc/conf.c 2017-06-10 07:08:18.448806856 +0000 -@@ -90,6 +90,7 @@ +diff -up lxc-2.0.9/src/lxc/conf.c~ lxc-2.0.9/src/lxc/conf.c +--- lxc-2.0.9/src/lxc/conf.c~ 2017-10-19 19:13:25.000000000 +0200 ++++ lxc-2.0.9/src/lxc/conf.c 2017-10-20 19:31:54.505837167 +0200 +@@ -91,6 +91,7 @@ #include "lsm/lsm.h" #if HAVE_LIBCAP @@ -20,10 +20,10 @@ diff -up lxc-2.0.8/src/lxc/conf.c.orig lxc-2.0.8/src/lxc/conf.c #include #endif -diff -up lxc-2.0.8/src/lxc/start.c.orig lxc-2.0.8/src/lxc/start.c ---- lxc-2.0.8/src/lxc/start.c.orig 2017-05-11 17:23:06.000000000 +0000 -+++ lxc-2.0.8/src/lxc/start.c 2017-06-10 07:05:33.166293224 +0000 -@@ -47,6 +47,7 @@ +diff -up lxc-2.0.9/src/lxc/start.c~ lxc-2.0.9/src/lxc/start.c +--- lxc-2.0.9/src/lxc/start.c~ 2017-10-19 19:13:25.000000000 +0200 ++++ lxc-2.0.9/src/lxc/start.c 2017-10-20 19:32:21.793545209 +0200 +@@ -49,6 +49,7 @@ #include #if HAVE_LIBCAP diff --git a/lxc.spec b/lxc.spec index 7b79c8e..4214d13 100644 --- a/lxc.spec +++ b/lxc.spec @@ -30,8 +30,8 @@ %global shortcommit %(c=%{commit}; echo ${c:0:7}) Name: lxc -Version: 2.0.8 -Release: %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}.2 +Version: 2.0.9 +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 
@@ -179,7 +179,7 @@ This package contains documentation for %{name}. %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} %patch0 -p1 %patch1 -p1 -%if 0%{?rhel} <= 6 +%if 0%{?rhel} && 0%{?rhel} <= 6 # fix build failure with broken sys/capabilities.h (see # e.g. rhbz#483548) %patch2 -p1 @@ -385,6 +385,9 @@ fi %changelog +* Fri Oct 20 2017 Thomas Moschny - 2.0.9-1 +- Update to 2.0.9. + * Thu Aug 03 2017 Fedora Release Engineering - 2.0.8-2.2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index c652b1a..e697193 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxc-2.0.8.tar.gz) = ed9fd47e92007f433695cffea659180866a5ac2778712f4eb13b6629bb18292589f5b674b734853ca196ba1f6d38bdbf3cc8a2bb28e25d3540b06b945fcf9096 +SHA512 (lxc-2.0.9.tar.gz) = c7c595fbc6163e500700b756ae30c96b70d41b9bf297a609622b5d5b8431171ed8db70fa8368c3b9650c86452820e9da7f329f9186ae75c24a7adb15d5826102 From a45065678e8765da563072d0d9fd00c2987714a9 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 8 Feb 2018 00:33:15 +0000 Subject: [PATCH 68/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 4214d13..971081f 100644 --- a/lxc.spec +++ b/lxc.spec @@ -31,7 +31,7 @@ Name: lxc Version: 2.0.9 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist} +Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 Summary: Linux Resource Containers Group: Applications/System License: LGPLv2+ and GPLv2 @@ -385,6 +385,9 @@ fi %changelog +* Thu Feb 08 2018 Fedora Release Engineering - 2.0.9-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + * Fri Oct 20 2017 Thomas Moschny - 2.0.9-1 - Update to 2.0.9. From 5380bc1fafe011d95ff03982e5785f2fb16ea0bb Mon Sep 17 00:00:00 2001 
From: Thomas Moschny Date: Fri, 6 Apr 2018 17:53:44 +0200 Subject: [PATCH 69/95] Update to 3.0.0. Language bindings are separate projects now. Update spec file and remove obsolete constructs. --- lxc-2.0.8-fix_capability_h.patch | 33 ------ lxc-fix-bash-completion.patch | 10 -- lxc.spec | 183 ++++--------------------------- sources | 2 +- 4 files changed, 22 insertions(+), 206 deletions(-) delete mode 100644 lxc-2.0.8-fix_capability_h.patch delete mode 100644 lxc-fix-bash-completion.patch diff --git a/lxc-2.0.8-fix_capability_h.patch b/lxc-2.0.8-fix_capability_h.patch deleted file mode 100644 index d4843d1..0000000 --- a/lxc-2.0.8-fix_capability_h.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff -up lxc-2.0.9/src/lxc/caps.h~ lxc-2.0.9/src/lxc/caps.h ---- lxc-2.0.9/src/lxc/caps.h~ 2017-10-19 19:13:25.000000000 +0200 -+++ lxc-2.0.9/src/lxc/caps.h 2017-10-20 19:31:11.958292398 +0200 -@@ -29,6 +29,7 @@ - - - #if HAVE_LIBCAP -+#include - #include - - extern int lxc_caps_down(void); -diff -up lxc-2.0.9/src/lxc/conf.c~ lxc-2.0.9/src/lxc/conf.c ---- lxc-2.0.9/src/lxc/conf.c~ 2017-10-19 19:13:25.000000000 +0200 -+++ lxc-2.0.9/src/lxc/conf.c 2017-10-20 19:31:54.505837167 +0200 -@@ -91,6 +91,7 @@ - #include "lsm/lsm.h" - - #if HAVE_LIBCAP -+#include - #include - #endif - -diff -up lxc-2.0.9/src/lxc/start.c~ lxc-2.0.9/src/lxc/start.c ---- lxc-2.0.9/src/lxc/start.c~ 2017-10-19 19:13:25.000000000 +0200 -+++ lxc-2.0.9/src/lxc/start.c 2017-10-20 19:32:21.793545209 +0200 -@@ -49,6 +49,7 @@ - #include - - #if HAVE_LIBCAP -+#include - #include - #endif - diff --git a/lxc-fix-bash-completion.patch b/lxc-fix-bash-completion.patch deleted file mode 100644 index fcbdaa4..0000000 --- a/lxc-fix-bash-completion.patch +++ /dev/null 
@@ -1,10 +0,0 @@ -diff --git b/config/bash/lxc.in a/config/bash/lxc.in -index 344d5cb..cbd1b79 100644 ---- b/config/bash/lxc.in -+++ a/config/bash/lxc.in -@@ -1,4 +1,4 @@ --_have lxc-start && { -+have lxc-start && { - _lxc_names() { - COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) ) - } diff --git a/lxc.spec b/lxc.spec index 971081f..3e5a6e7 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,11 +1,3 @@ -%if 0%{?fedora} || 0%{?rhel} >= 7 -%global with_python3 1 -%endif - -%if 0%{?fedora} || 0%{?rhel} >= 7 -%global with_systemd 1 -%endif - %if 0%{?fedora} %global with_seccomp 1 %endif @@ -16,35 +8,15 @@ %endif %endif -%if 0%{?fedora} -%global luaver 5.3 -%else -%global luaver 5.1 -%endif -%global lualibdir %{_libdir}/lua/%{luaver} -%global luapkgdir %{_datadir}/lua/%{luaver} - -# for pre-releases -#global prerel -%global commit a467a845443054a9f75d65cf0a73bb4d5ff2ab71 -%global shortcommit %(c=%{commit}; echo ${c:0:7}) - Name: lxc -Version: 2.0.9 -Release: %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}.1 +Version: 3.0.0 +Release: 1%{?dist} Summary: Linux Resource Containers -Group: Applications/System License: LGPLv2+ and GPLv2 -URL: http://linuxcontainers.org -%if 0%{?prerel:1} -Source0: https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.tar.gz -%else +URL: http://linuxcontainers.org/lxc Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz -%endif Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch -Patch2: lxc-2.0.8-fix_capability_h.patch -Patch3: lxc-fix-bash-completion.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers 
@@ -54,23 +26,12 @@ BuildRequires: pkgconfig(libseccomp) %endif # with_seccomp BuildRequires: libcap-devel BuildRequires: libtool -BuildRequires: pkgconfig(lua) -%if 0%{?with_python3} -BuildRequires: pkgconfig(python3) >= 3.2 -%endif # with_python3 -%if 0%{?with_systemd} BuildRequires: systemd -%endif # with_systemd -%if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: pkgconfig(bash-completion) -%endif # lxc-extra subpackage not needed anymore, lxc-ls has been rewriten in # C and does not depend on the Python3 binding anymore Provides: lxc-extra = %{version}-%{release} Obsoletes: lxc-extra < 1.1.5-3 -%if 0%{?prerel:1} -BuildRequires: autoconf automake -%endif %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -79,20 +40,15 @@ Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. -%package libs -Summary: Runtime library files for %{name} -Group: System Environment/Libraries +%package libs +Summary: Runtime library files for %{name} # rsync is called in bdev.c, e.g. by lxc-clone -Requires: rsync -%if 0%{?with_systemd} -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd -%else -Requires(post): chkconfig -Requires(preun): initscripts, chkconfig -Requires(postun): initscripts -%endif # with_systemd +Requires: rsync +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig %description libs 
@@ -102,38 +58,8 @@ overhead of full virtualization. The %{name}-libs package contains libraries for running %{name} applications. -%if 0%{?with_python3} -%package -n python%{python3_pkgversion}-%{name} -Summary: Python binding for %{name} -Group: System Environment/Libraries - -%description -n python%{python3_pkgversion}-%{name} -Linux Resource Containers provide process and resource isolation without the -overhead of full virtualization. - -The python%{python3_pkgversion}-%{name} package contains the Python3 binding for %{name}. - -%global __provides_exclude %{?__provides_exclude:%__provides_exclude|}_lxc\\..*\\.so -%endif # with_python3 - - -%package -n lua-%{name} -Summary: Lua binding for %{name} -Group: System Environment/Libraries -Requires: lua-filesystem - -%description -n lua-%{name} -Linux Resource Containers provide process and resource isolation without the -overhead of full virtualization. - -The lua-%{name} package contains the Lua binding for %{name}. - -%global __provides_exclude %{?__provides_exclude:%__provides_exclude|}core\\.so\\.0 - - %package templates Summary: Templates for %{name} -Group: System Environment/Libraries Requires: %{name}-libs%{?_isa} = %{version}-%{release} # Note: Requirements for the template scripts (busybox, dpkg, # debootstrap, rsync, openssh-server, dhclient, apt, pacman, zypper, @@ -154,7 +80,6 @@ The %{name}-templates package contains templates for creating containers. %package devel Summary: Development files for %{name} -Group: Development/Libraries Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: pkgconfig @@ -168,7 +93,6 @@ developing applications that use %{name}. %package doc Summary: Documentation for %{name} -Group: Documentation BuildArch: noarch %description doc 
@@ -176,22 +100,12 @@ This package contains documentation for %{name}. %prep -%setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}} +%setup -q -n %{name}-%{version} %patch0 -p1 %patch1 -p1 -%if 0%{?rhel} && 0%{?rhel} <= 6 -# fix build failure with broken sys/capabilities.h (see -# e.g. rhbz#483548) -%patch2 -p1 -# revert 3db8dd39 (see rhbz#1408173) -%patch3 -p1 -%endif %build -%if 0%{?prerel:1} -./autogen.sh -%endif %configure --with-distro=fedora \ --enable-doc \ --enable-api-docs \ @@ -199,22 +113,11 @@ This package contains documentation for %{name}. --docdir=%{_pkgdocdir} \ --disable-rpath \ --disable-apparmor \ - --disable-cgmanager \ --enable-selinux \ %if 0%{?with_seccomp} --enable-seccomp \ %endif # with_seccomp - --enable-lua \ -%if 0%{?with_python3} - --enable-python \ -%else - --disable-python \ -%endif # with_python3 -%if 0%{?with_systemd} --with-init-script=systemd \ -%else - --with-init-script=sysvinit \ -%endif # with_systemd --disable-werror \ # intentionally blank line @@ -228,11 +131,10 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool %install %{make_install} mkdir -p %{buildroot}%{_sharedstatedir}/%{name} -chmod -x %{buildroot}%{luapkgdir}/lxc.lua -mkdir -p %{buildroot}%{_pkgdocdir} -cp -a AUTHORS README %{!?_licensedir:COPYING} %{buildroot}%{_pkgdocdir} +# docs mkdir -p %{buildroot}%{_pkgdocdir}/api +cp -a AUTHORS README %{buildroot}%{_pkgdocdir} cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ # cache dir 
@@ -247,44 +149,23 @@ make check %post libs -/sbin/ldconfig -%if 0%{?with_systemd} +%{ldconfig} %systemd_post %{name}-net.service %systemd_post %{name}.service %systemd_post %{name}@.service -%else -/sbin/chkconfig --add %{name}-net -/sbin/chkconfig --add %{name} -%endif # with_systemd %preun libs -%if 0%{?with_systemd} %systemd_preun %{name}-net.service %systemd_preun %{name}.service %systemd_preun %{name}@.service -%else -if [ $1 -eq 0 ]; then - /sbin/service %{name}-net stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name}-net - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi -%endif # with_systemd %postun libs -/sbin/ldconfig -%if 0%{?with_systemd} +%{ldconfig} %systemd_postun %{name}-net.service %systemd_postun %{name}.service %systemd_postun %{name}@.service -%else -if [ $1 -ge 1 ]; then - /sbin/service %{name}-net condrestart > /dev/null 2>&1 || : - /sbin/service %{name} condrestart > /dev/null 2>&1 || : -fi -%endif # with_systemd %files @@ -298,14 +179,9 @@ fi %exclude %{_mandir}/man1/%{name}-user-nic* %exclude %{_mandir}/*/man1/%{name}-user-nic* %{_datadir}/%{name}/%{name}.functions -%if 0%{?fedora} || 0%{?rhel} >= 7 %dir %{_datadir}/bash-completion %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/%{name} -%else -%dir %{_sysconfdir}/bash_completion.d -%{_sysconfdir}/bash_completion.d/%{name} -%endif %files libs 
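Review bot: `%post libs` and `%postun libs` now call `%{ldconfig}` without the `?` conditional form, while the `@@ -79,20 +40,15 @@` hunk of this same commit still declares `Requires(post): /sbin/ldconfig`; where the `ldconfig` macro is not defined, rpm leaves the literal text `%{ldconfig}` in the scriptlet and the shell fails on it. The spec still carries an `%if 0%{?rhel} >= 7` branch, so a target without the macro is plausible. Writing `%{?ldconfig}` on both lines keeps the scriptlet a no-op where the macro is absent; PATCH 72 later in this series makes exactly that change.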
@@ -336,33 +212,13 @@ fi %dir %{_pkgdocdir} %{_pkgdocdir}/AUTHORS %{_pkgdocdir}/README -%if 0%{?_licensedir:1} %license COPYING -%else -%{_pkgdocdir}/COPYING -%endif -%if 0%{?with_systemd} %{_unitdir}/%{name}.service %{_unitdir}/%{name}@.service %{_unitdir}/%{name}-net.service -%else -%{_sysconfdir}/rc.d/init.d/%{name} -%{_sysconfdir}/rc.d/init.d/%{name}-net -%endif # with_systemd %dir %{_localstatedir}/cache/%{name} -%if 0%{?with_python3} -%files -n python%{python3_pkgversion}-%{name} -%{python3_sitearch}/* -%endif # with_python3 - - -%files -n lua-%{name} -%{lualibdir}/%{name} -%{luapkgdir}/%{name}.lua - - %files templates %{_datadir}/%{name}/templates/lxc-* %{_datadir}/%{name}/config/* @@ -379,12 +235,15 @@ fi # README, AUTHORS and COPYING intentionally duplicated because -doc # can be installed on its own. %{_pkgdocdir}/* -%if 0%{?_licensedir:1} %license COPYING -%endif %changelog +* Fri Apr 6 2018 Thomas Moschny - 3.0.0-1 +- Update to 3.0.0. +- Language bindings are separate projects now. +- Update spec file and remove obsolete constructs. + * Thu Feb 08 2018 Fedora Release Engineering - 2.0.9-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources index e697193..631d739 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxc-2.0.9.tar.gz) = c7c595fbc6163e500700b756ae30c96b70d41b9bf297a609622b5d5b8431171ed8db70fa8368c3b9650c86452820e9da7f329f9186ae75c24a7adb15d5826102 +SHA512 (lxc-3.0.0.tar.gz) = 21372e6fe4d38e2cf54707fab4133137793deff1dd500ed7ed02c03bbaa809de56c7490971594cddbdcb2b96f0c03ab5dfb43a8582a584598a12c5943b7ca490 From 08fec46fe74f87d4340cf93e8edbb40b7e692138 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 30 Jun 2018 11:33:51 +0200 Subject: [PATCH 70/95] Update to 3.0.1. --- lxc.spec | 5 ++++- sources | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index 3e5a6e7..1208211 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -9,7 +9,7 @@ %endif Name: lxc -Version: 3.0.0 +Version: 3.0.1 Release: 1%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 @@ -239,6 +239,9 @@ make check %changelog +* Sat Jun 30 2018 Thomas Moschny - 3.0.1-1 +- Update to 3.0.1. + * Fri Apr 6 2018 Thomas Moschny - 3.0.0-1 - Update to 3.0.0. - Language bindings are separate projects now. diff --git a/sources b/sources index 631d739..2594fd5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxc-3.0.0.tar.gz) = 21372e6fe4d38e2cf54707fab4133137793deff1dd500ed7ed02c03bbaa809de56c7490971594cddbdcb2b96f0c03ab5dfb43a8582a584598a12c5943b7ca490 +SHA512 (lxc-3.0.1.tar.gz) = f51b0844f61f64d4efc530454eae1fa499f7f1b908bd3b40d7031e7f311a402893a7504bddbc53f2ef9da2b3154d1b047fc4d876b99f0d487d7c79de64eea505 From 669a512d86a5edacd09bc579bf8ac6ca2639b3d3 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 13 Jul 2018 09:34:25 +0000 Subject: [PATCH 71/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 1208211..2d801ea 100644 --- a/lxc.spec +++ b/lxc.spec @@ -10,7 +10,7 @@ Name: lxc Version: 3.0.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc @@ -239,6 +239,9 @@ make check %changelog +* Fri Jul 13 2018 Fedora Release Engineering - 3.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Sat Jun 30 2018 Thomas Moschny - 3.0.1-1 - Update to 3.0.1. From b51a449eca3d3fef0eba209f3483399124d45df8 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sat, 18 Aug 2018 11:39:07 +0200 Subject: [PATCH 72/95] Update to 3.0.2. --- lxc.spec | 12 ++++++++---- sources | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/lxc.spec b/lxc.spec index 2d801ea..363c885 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -9,8 +9,8 @@ %endif Name: lxc -Version: 3.0.1 -Release: 2%{?dist} +Version: 3.0.2 +Release: 1%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc @@ -112,6 +112,7 @@ This package contains documentation for %{name}. --disable-silent-rules \ --docdir=%{_pkgdocdir} \ --disable-rpath \ + --disable-static \ --disable-apparmor \ --enable-selinux \ %if 0%{?with_seccomp} @@ -149,7 +150,7 @@ make check %post libs -%{ldconfig} +%{?ldconfig} %systemd_post %{name}-net.service %systemd_post %{name}.service %systemd_post %{name}@.service @@ -162,7 +163,7 @@ make check %postun libs -%{ldconfig} +%{?ldconfig} %systemd_postun %{name}-net.service %systemd_postun %{name}.service %systemd_postun %{name}@.service @@ -239,6 +240,9 @@ make check %changelog +* Fri Aug 17 2018 Thomas Moschny - 3.0.2-1 +- Update to 3.0.2. + * Fri Jul 13 2018 Fedora Release Engineering - 3.0.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/sources b/sources index 2594fd5..ce43b7a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxc-3.0.1.tar.gz) = f51b0844f61f64d4efc530454eae1fa499f7f1b908bd3b40d7031e7f311a402893a7504bddbc53f2ef9da2b3154d1b047fc4d876b99f0d487d7c79de64eea505 +SHA512 (lxc-3.0.2.tar.gz) = d7f5e3f91e5c8800e3e092ab209158a4d3e3c2816623249aeaaf2e0950428484ac5d1432d71298787721e1419cd962c0798ba14979e62161299fa15a299efde8 From 875e623ac0bf6497ecb236d5af62dec29f0771ff Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 23 Nov 2018 10:12:54 +0100 Subject: [PATCH 73/95] Update to 3.0.3. --- lxc.spec | 5 ++++- sources | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/lxc.spec b/lxc.spec index 363c885..f148177 100644 --- a/lxc.spec +++ b/lxc.spec @@ -9,7 +9,7 @@ %endif Name: lxc -Version: 3.0.2 +Version: 3.0.3 Release: 1%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 
@@ -240,6 +240,9 @@ make check %changelog +* Fri Nov 23 2018 Thomas Moschny - 3.0.3-1 +- Update to 3.0.3. + * Fri Aug 17 2018 Thomas Moschny - 3.0.2-1 - Update to 3.0.2. diff --git a/sources b/sources index ce43b7a..8b0502b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxc-3.0.2.tar.gz) = d7f5e3f91e5c8800e3e092ab209158a4d3e3c2816623249aeaaf2e0950428484ac5d1432d71298787721e1419cd962c0798ba14979e62161299fa15a299efde8 +SHA512 (lxc-3.0.3.tar.gz) = cdc411364153d7ed494bab604260f5cbdfd5bd7734a59af970b3198c7b3cb340b6736856a2189d5989e169945a817ac8b531bc3ab62217a4285dd63a851f9c8a From 6b5998804d318ced8a85d6aa3b3aea91abcf2b48 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 1 Feb 2019 09:19:59 +0000 Subject: [PATCH 74/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index f148177..60dc6da 100644 --- a/lxc.spec +++ b/lxc.spec @@ -10,7 +10,7 @@ Name: lxc Version: 3.0.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc @@ -240,6 +240,9 @@ make check %changelog +* Fri Feb 01 2019 Fedora Release Engineering - 3.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Fri Nov 23 2018 Thomas Moschny - 3.0.3-1 - Update to 3.0.3. From 7ed695dafd42be386e5fc1b840bfc542af9cc59f Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Mon, 29 Apr 2019 20:01:46 +0200 Subject: [PATCH 75/95] Add patch for CVE-2019-5736. Build and include init.lxc.static where possible (rhbz#1654366). --- lxc-3.0.3-fix-runc.patch | 401 +++++++++++++++++++++++++++++++++++++++ lxc.spec | 27 ++- 2 files changed, 420 insertions(+), 8 deletions(-) create mode 100644 lxc-3.0.3-fix-runc.patch diff --git a/lxc-3.0.3-fix-runc.patch b/lxc-3.0.3-fix-runc.patch new file mode 100644 index 0000000..cf92647 --- /dev/null 
+++ b/lxc-3.0.3-fix-runc.patch 
@@ -0,0 +1,401 @@ +From 113a0557d7651385d30e181a23c8e68e696ad67f Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Sat, 26 Jan 2019 01:19:29 +0100 +Subject: [PATCH] CVE-2019-5736 (runC): rexec callers as memfd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the +runC host binary from inside a privileged runC container. As a result, this +could be exploited to gain root access on the host. runC is used as the default +runtime for containers with Docker, containerd, Podman, and CRI-O. + +The attack can be made when attaching to a running container or when starting a +container running a specially crafted image. For example, when runC attaches +to a container the attacker can trick it into executing itself. This could be +done by replacing the target binary inside the container with a custom binary +pointing back at the runC binary itself. As an example, if the target binary +was /bin/bash, this could be replaced with an executable script specifying the +interpreter path #!/proc/self/exe (/proc/self/exec is a symbolic link created +by the kernel for every process which points to the binary that was executed +for that process). As such when /bin/bash is executed inside the container, +instead the target of /proc/self/exe will be executed - which will point to the +runc binary on the host. The attacker can then proceed to write to the target +of /proc/self/exe to try and overwrite the runC binary on the host. However in +general, this will not succeed as the kernel will not permit it to be +overwritten whilst runC is executing. To overcome this, the attacker can +instead open a file descriptor to /proc/self/exe using the O_PATH flag and then +proceed to reopen the binary as O_WRONLY through /proc/self/fd/ and try to +write to it in a busy loop from a separate process. Ultimately it will succeed +when the runC binary exits. 
After this the runC binary is compromised and can +be used to attack other containers or the host itself. + +This attack is only possible with privileged containers since it requires root +privilege on the host to overwrite the runC binary. Unprivileged containers +with a non-identity ID mapping do not have the permission to write to the host +binary and therefore are unaffected by this attack. + +LXC is also impacted in a similar manner by this vulnerability, however as the +LXC project considers privileged containers to be unsafe no CVE has been +assigned for this issue for LXC. Quoting from the +https://linuxcontainers.org/lxc/security/ project's Security information page: + +"As privileged containers are considered unsafe, we typically will not consider +new container escape exploits to be security issues worthy of a CVE and quick +fix. We will however try to mitigate those issues so that accidental damage to +the host is prevented." + +To prevent this attack, LXC has been patched to create a temporary copy of the +calling binary itself when it starts or attaches to containers. To do this LXC +creates an anonymous, in-memory file using the memfd_create() system call and +copies itself into the temporary in-memory file, which is then sealed to +prevent further modifications. LXC then executes this sealed, in-memory file +instead of the original on-disk binary. Any compromising write operations from +a privileged container to the host LXC binary will then write to the temporary +in-memory binary and not to the host binary on-disk, preserving the integrity +of the host LXC binary. Also as the temporary, in-memory LXC binary is sealed, +writes to this will also fail. + +Note: memfd_create() was added to the Linux kernel in the 3.17 release. 
+ +Signed-off-by: Christian Brauner +Co-Developed-by: Aleksa Sarai +Acked-by: Serge Hallyn +--- + configure.ac | 12 +++ + src/lxc/Makefile.am | 4 + + src/lxc/file_utils.c | 41 ++++++++- + src/lxc/file_utils.h | 1 + + src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++ + src/lxc/syscall_wrappers.h | 14 +++ + 6 files changed, 252 insertions(+), 1 deletion(-) + create mode 100644 src/lxc/rexec.c + +diff --git a/configure.ac b/configure.ac +index 950c8dde..631e6070 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -706,6 +706,17 @@ AC_ARG_ENABLE([thread-safety], + [], [enable_thread_safety=yes]) + AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], [test "x$enable_thread_safety" = "xyes"]) + ++AC_ARG_ENABLE([memfd-rexec], ++ [AC_HELP_STRING([--enable-memfd-rexec], [enforce liblxc as a memfd to protect against certain symlink attacks [default=yes]])], ++ [], [enable_memfd_rexec=yes]) ++AM_CONDITIONAL([ENFORCE_MEMFD_REXEC], [test "x$enable_memfd_rexec" = "xyes"]) ++if test "x$enable_memfd_rexec" = "xyes"; then ++ AC_DEFINE([ENFORCE_MEMFD_REXEC], 1, [Rexec liblxc as memfd]) ++ AC_MSG_RESULT([yes]) ++else ++ AC_MSG_RESULT([no]) ++fi ++ + # Files requiring some variable expansion + AC_CONFIG_FILES([ + Makefile +@@ -934,6 +945,7 @@ Security features: + - Linux capabilities: $enable_capabilities + - seccomp: $enable_seccomp + - SELinux: $enable_selinux ++ - memfd rexec: $enable_memfd_rexec + + PAM: + - PAM module: $enable_pam +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 08e2fab6..8bbfdaf8 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -173,6 +173,10 @@ if !HAVE_STRLCAT + liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h + endif + ++if ENFORCE_MEMFD_REXEC ++liblxc_la_SOURCES += rexec.c ++endif ++ + AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ + -DLXCPATH=\"$(LXCPATH)\" \ + -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \ +diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c +index f89aa638..930fd738 100644 +--- 
a/src/lxc/file_utils.c ++++ b/src/lxc/file_utils.c +@@ -31,7 +31,7 @@ + #include "config.h" + #include "file_utils.h" + #include "macro.h" +-#include "string.h" ++#include "string_utils.h" + + int lxc_write_to_file(const char *filename, const void *buf, size_t count, + bool add_newline, mode_t mode) +@@ -327,3 +327,42 @@ again: + + return ret; + } ++ ++char *file_to_buf(char *path, size_t *length) ++{ ++ int fd; ++ char buf[PATH_MAX]; ++ char *copy = NULL; ++ ++ if (!length) ++ return NULL; ++ ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return NULL; ++ ++ *length = 0; ++ for (;;) { ++ int n; ++ char *old = copy; ++ ++ n = lxc_read_nointr(fd, buf, sizeof(buf)); ++ if (n < 0) ++ goto on_error; ++ if (!n) ++ break; ++ ++ copy = must_realloc(old, (*length + n) * sizeof(*old)); ++ memcpy(copy + *length, buf, n); ++ *length += n; ++ } ++ ++ close(fd); ++ return copy; ++ ++on_error: ++ close(fd); ++ free(copy); ++ ++ return NULL; ++} +diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h +index 6361557a..518a61af 100644 +--- a/src/lxc/file_utils.h ++++ b/src/lxc/file_utils.h +@@ -55,5 +55,6 @@ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); + extern FILE *fopen_cloexec(const char *path, const char *mode); + extern ssize_t lxc_sendfile_nointr(int out_fd, int in_fd, off_t *offset, + size_t count); ++extern char *file_to_buf(char *path, size_t *length); + + #endif /* __LXC_FILE_UTILS_H */ +diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c +new file mode 100644 +index 00000000..396bd617 +--- /dev/null ++++ b/src/lxc/rexec.c +@@ -0,0 +1,181 @@ ++/* liblxcapi ++ * ++ * Copyright © 2019 Christian Brauner . ++ * Copyright © 2019 Canonical Ltd. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ */ ++ ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE 1 ++#endif ++#include ++#include ++#include ++#include ++ ++#include "config.h" ++#include "file_utils.h" ++#include "raw_syscalls.h" ++#include "string_utils.h" ++#include "syscall_wrappers.h" ++ ++#define LXC_MEMFD_REXEC_SEALS \ ++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) ++ ++static int push_vargs(char *data, int data_length, char ***output) ++{ ++ int num = 0; ++ char *cur = data; ++ ++ if (!data || *output) ++ return -1; ++ ++ *output = must_realloc(NULL, sizeof(**output)); ++ ++ while (cur < data + data_length) { ++ num++; ++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); ++ ++ (*output)[num - 1] = cur; ++ cur += strlen(cur) + 1; ++ } ++ (*output)[num] = NULL; ++ return num; ++} ++ ++static int parse_exec_params(char ***argv, char ***envp) ++{ ++ int ret; ++ char *cmdline = NULL, *env = NULL; ++ size_t cmdline_size, env_size; ++ ++ cmdline = file_to_buf("/proc/self/cmdline", &cmdline_size); ++ if (!cmdline) ++ goto on_error; ++ ++ env = file_to_buf("/proc/self/environ", &env_size); ++ if (!env) ++ goto on_error; ++ ++ ret = push_vargs(cmdline, cmdline_size, argv); ++ if (ret <= 0) ++ goto on_error; ++ ++ ret = push_vargs(env, env_size, envp); ++ if (ret <= 0) ++ goto on_error; ++ ++ return 0; ++ ++on_error: ++ free(env); ++ free(cmdline); ++ ++ return -1; ++} ++ ++static int is_memfd(void) ++{ ++ int fd, saved_errno, seals; ++ ++ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ 
return -ENOTRECOVERABLE; ++ ++ seals = fcntl(fd, F_GET_SEALS); ++ saved_errno = errno; ++ close(fd); ++ errno = saved_errno; ++ if (seals < 0) ++ return -EINVAL; ++ ++ return seals == LXC_MEMFD_REXEC_SEALS; ++} ++ ++static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name) ++{ ++ int saved_errno; ++ ssize_t bytes_sent; ++ int fd = -1, memfd = -1; ++ ++ memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC); ++ if (memfd < 0) ++ return; ++ ++ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ goto on_error; ++ ++ /* sendfile() handles up to 2GB. */ ++ bytes_sent = lxc_sendfile_nointr(memfd, fd, NULL, LXC_SENDFILE_MAX); ++ saved_errno = errno; ++ close(fd); ++ errno = saved_errno; ++ if (bytes_sent < 0) ++ goto on_error; ++ ++ if (fcntl(memfd, F_ADD_SEALS, LXC_MEMFD_REXEC_SEALS)) ++ goto on_error; ++ ++ fexecve(memfd, argv, envp); ++ ++on_error: ++ saved_errno = errno; ++ close(memfd); ++ errno = saved_errno; ++} ++ ++static int lxc_rexec(const char *memfd_name) ++{ ++ int ret; ++ char **argv = NULL, **envp = NULL; ++ ++ ret = is_memfd(); ++ if (ret < 0 && ret == -ENOTRECOVERABLE) { ++ fprintf(stderr, ++ "%s - Failed to determine whether this is a memfd\n", ++ strerror(errno)); ++ return -1; ++ } else if (ret > 0) { ++ return 0; ++ } ++ ++ ret = parse_exec_params(&argv, &envp); ++ if (ret < 0) { ++ fprintf(stderr, ++ "%s - Failed to parse command line parameters\n", ++ strerror(errno)); ++ return -1; ++ } ++ ++ lxc_rexec_as_memfd(argv, envp, memfd_name); ++ fprintf(stderr, "%s - Failed to rexec as memfd\n", strerror(errno)); ++ return -1; ++} ++ ++/** ++ * This function will copy any binary that calls liblxc into a memory file and ++ * will use the memfd to rexecute the binary. This is done to prevent attacks ++ * through the /proc/self/exe symlink to corrupt the host binary when host and ++ * container are in the same user namespace or have set up an identity id ++ * mapping: CVE-2019-5736. 
++ */ ++__attribute__((constructor)) static void liblxc_rexec(void) ++{ ++ if (lxc_rexec("liblxc")) { ++ fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n"); ++ _exit(EXIT_FAILURE); ++ } ++} +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index 42d94db2..dca4d157 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -58,6 +58,20 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, + #define keyctl __keyctl + #endif + ++#ifndef F_LINUX_SPECIFIC_BASE ++#define F_LINUX_SPECIFIC_BASE 1024 ++#endif ++#ifndef F_ADD_SEALS ++#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) ++#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) ++#endif ++#ifndef F_SEAL_SEAL ++#define F_SEAL_SEAL 0x0001 ++#define F_SEAL_SHRINK 0x0002 ++#define F_SEAL_GROW 0x0004 ++#define F_SEAL_WRITE 0x0008 ++#endif ++ + #ifndef HAVE_MEMFD_CREATE + static inline int memfd_create(const char *name, unsigned int flags) { + #ifndef __NR_memfd_create +-- +2.20.1 + diff --git a/lxc.spec b/lxc.spec index 60dc6da..ee1e069 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,5 +1,6 @@ %if 0%{?fedora} %global with_seccomp 1 +%global with_static_init 1 %endif %if 0%{?rhel} >= 7 @@ -10,13 +11,15 @@ Name: lxc Version: 3.0.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch +# upstream commit 113a0557 +Patch2: lxc-3.0.3-fix-runc.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers 
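Review bot: The comment above the new `Patch2:` line in the `@@ -10,13 +11,15 @@` hunk names only the upstream commit; since this is the CVE mitigation the changelog refers to, it should say what the patch does and what it costs, e.g. `# CVE-2019-5736: re-exec liblxc callers from a sealed memfd (upstream commit 113a0557); the constructor _exit()s the process if the re-exec fails`. That abort is visible in `liblxc_rexec()` in the carried patch, which calls `_exit(EXIT_FAILURE)` whenever `lxc_rexec("liblxc")` returns non-zero, so any program loading liblxc.so on a host where memfd_create is unavailable stops at load time. The patch also adds a `--enable-memfd-rexec` configure switch defaulting to yes, which is the opt-out point for such hosts and is worth recording next to the patch line.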
@@ -28,6 +31,12 @@ BuildRequires: libcap-devel BuildRequires: libtool BuildRequires: systemd BuildRequires: pkgconfig(bash-completion) +%if 0%{?with_static_init} +BuildRequires: libcap-static +BuildRequires: glibc-static +%endif # with_static_init +# we are patching configure.ac +BuildRequires: autoconf automake libtool # lxc-extra subpackage not needed anymore, lxc-ls has been rewriten in # C and does not depend on the Python3 binding anymore Provides: lxc-extra = %{version}-%{release} @@ -100,12 +109,11 @@ This package contains documentation for %{name}. %prep -%setup -q -n %{name}-%{version} -%patch0 -p1 -%patch1 -p1 +%autosetup -p1 -n %{name}-%{version} %build +autoreconf -vif %configure --with-distro=fedora \ --enable-doc \ --enable-api-docs \ @@ -122,10 +130,6 @@ This package contains documentation for %{name}. --disable-werror \ # intentionally blank line -# fix rpath -sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool -sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool - %{make_build} @@ -197,6 +201,9 @@ make check %{_libexecdir}/%{name} # fixme: should be in libexecdir? %{_sbindir}/init.%{name} +%if 0%{?with_static_init} +%{_sbindir}/init.%{name}.static +%endif # with_static_init %{_bindir}/%{name}-autostart %{_sharedstatedir}/%{name} %dir %{_sysconfdir}/%{name} @@ -240,6 +247,10 @@ make check %changelog +* Sun Apr 28 2019 Thomas Moschny - 3.0.3-3 +- Add patch for CVE-2019-5736. +- Build and include init.lxc.static where possible (rhbz#1654366). + * Fri Feb 01 2019 Fedora Release Engineering - 3.0.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild From b87456948631e770a3a9d6cbdd80449f5e7911fc Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 25 Jul 2019 15:32:56 +0000 Subject: [PATCH 76/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
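Review bot: `BuildRequires: autoconf automake libtool` in hunk `@@ -28,6 +31,12 @@` repeats `libtool`, which the context line `BuildRequires: libtool` a few lines above already pulls in. Trimming the new line to `BuildRequires: autoconf automake` keeps the `# we are patching configure.ac` comment accurate without a duplicate dependency. The `%if 0%{?with_static_init}` block is consistent with the `%global with_static_init 1` guard added in the first hunk, so nothing else in this hunk needs attention.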
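Review bot: The two `sed -i ... libtool` lines that stripped the hard-coded rpath are dropped in hunk `@@ -122,10 +130,6 @@` without a changelog line, and nothing in the hunk shows what replaces them. If the intent is that `autoreconf -vif` (added in the `%build` hunk just above) regenerates a libtool that no longer hard-codes rpath, that reasoning belongs in the spec, e.g. `# rpath sed hack no longer needed: libtool is regenerated by autoreconf` directly before `%{make_build}`. Otherwise the resulting binaries should be checked against the check-rpaths step rpmbuild runs on Fedora before the workaround is removed for good.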
diff --git a/lxc.spec b/lxc.spec index ee1e069..c74d610 100644 --- a/lxc.spec +++ b/lxc.spec @@ -11,7 +11,7 @@ Name: lxc Version: 3.0.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc @@ -247,6 +247,9 @@ make check %changelog +* Thu Jul 25 2019 Fedora Release Engineering - 3.0.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Sun Apr 28 2019 Thomas Moschny - 3.0.3-3 - Add patch for CVE-2019-5736. - Build and include init.lxc.static where possible (rhbz#1654366). From 758b114705eb82c25e2a2fc68217d4dce9bd6228 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Sun, 7 Jul 2019 22:16:33 +0200 Subject: [PATCH 77/95] Update to 3.0.4. --- lxc-3.0.3-fix-runc.patch | 401 --------------------------------------- lxc.spec | 9 +- sources | 2 +- 3 files changed, 6 insertions(+), 406 deletions(-) delete mode 100644 lxc-3.0.3-fix-runc.patch diff --git a/lxc-3.0.3-fix-runc.patch b/lxc-3.0.3-fix-runc.patch deleted file mode 100644 index cf92647..0000000 --- a/lxc-3.0.3-fix-runc.patch +++ /dev/null 
@@ -1,401 +0,0 @@ -From 113a0557d7651385d30e181a23c8e68e696ad67f Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 26 Jan 2019 01:19:29 +0100 -Subject: [PATCH] CVE-2019-5736 (runC): rexec callers as memfd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the -runC host binary from inside a privileged runC container. As a result, this -could be exploited to gain root access on the host. runC is used as the default -runtime for containers with Docker, containerd, Podman, and CRI-O. - -The attack can be made when attaching to a running container or when starting a -container running a specially crafted image. For example, when runC attaches -to a container the attacker can trick it into executing itself. This could be -done by replacing the target binary inside the container with a custom binary -pointing back at the runC binary itself. As an example, if the target binary -was /bin/bash, this could be replaced with an executable script specifying the -interpreter path #!/proc/self/exe (/proc/self/exec is a symbolic link created -by the kernel for every process which points to the binary that was executed -for that process). As such when /bin/bash is executed inside the container, -instead the target of /proc/self/exe will be executed - which will point to the -runc binary on the host. The attacker can then proceed to write to the target -of /proc/self/exe to try and overwrite the runC binary on the host. However in -general, this will not succeed as the kernel will not permit it to be -overwritten whilst runC is executing. To overcome this, the attacker can -instead open a file descriptor to /proc/self/exe using the O_PATH flag and then -proceed to reopen the binary as O_WRONLY through /proc/self/fd/ and try to -write to it in a busy loop from a separate process. Ultimately it will succeed -when the runC binary exits. 
After this the runC binary is compromised and can -be used to attack other containers or the host itself. - -This attack is only possible with privileged containers since it requires root -privilege on the host to overwrite the runC binary. Unprivileged containers -with a non-identity ID mapping do not have the permission to write to the host -binary and therefore are unaffected by this attack. - -LXC is also impacted in a similar manner by this vulnerability, however as the -LXC project considers privileged containers to be unsafe no CVE has been -assigned for this issue for LXC. Quoting from the -https://linuxcontainers.org/lxc/security/ project's Security information page: - -"As privileged containers are considered unsafe, we typically will not consider -new container escape exploits to be security issues worthy of a CVE and quick -fix. We will however try to mitigate those issues so that accidental damage to -the host is prevented." - -To prevent this attack, LXC has been patched to create a temporary copy of the -calling binary itself when it starts or attaches to containers. To do this LXC -creates an anonymous, in-memory file using the memfd_create() system call and -copies itself into the temporary in-memory file, which is then sealed to -prevent further modifications. LXC then executes this sealed, in-memory file -instead of the original on-disk binary. Any compromising write operations from -a privileged container to the host LXC binary will then write to the temporary -in-memory binary and not to the host binary on-disk, preserving the integrity -of the host LXC binary. Also as the temporary, in-memory LXC binary is sealed, -writes to this will also fail. - -Note: memfd_create() was added to the Linux kernel in the 3.17 release. 
- -Signed-off-by: Christian Brauner -Co-Developed-by: Aleksa Sarai -Acked-by: Serge Hallyn ---- - configure.ac | 12 +++ - src/lxc/Makefile.am | 4 + - src/lxc/file_utils.c | 41 ++++++++- - src/lxc/file_utils.h | 1 + - src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++ - src/lxc/syscall_wrappers.h | 14 +++ - 6 files changed, 252 insertions(+), 1 deletion(-) - create mode 100644 src/lxc/rexec.c - -diff --git a/configure.ac b/configure.ac -index 950c8dde..631e6070 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -706,6 +706,17 @@ AC_ARG_ENABLE([thread-safety], - [], [enable_thread_safety=yes]) - AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], [test "x$enable_thread_safety" = "xyes"]) - -+AC_ARG_ENABLE([memfd-rexec], -+ [AC_HELP_STRING([--enable-memfd-rexec], [enforce liblxc as a memfd to protect against certain symlink attacks [default=yes]])], -+ [], [enable_memfd_rexec=yes]) -+AM_CONDITIONAL([ENFORCE_MEMFD_REXEC], [test "x$enable_memfd_rexec" = "xyes"]) -+if test "x$enable_memfd_rexec" = "xyes"; then -+ AC_DEFINE([ENFORCE_MEMFD_REXEC], 1, [Rexec liblxc as memfd]) -+ AC_MSG_RESULT([yes]) -+else -+ AC_MSG_RESULT([no]) -+fi -+ - # Files requiring some variable expansion - AC_CONFIG_FILES([ - Makefile -@@ -934,6 +945,7 @@ Security features: - - Linux capabilities: $enable_capabilities - - seccomp: $enable_seccomp - - SELinux: $enable_selinux -+ - memfd rexec: $enable_memfd_rexec - - PAM: - - PAM module: $enable_pam -diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am -index 08e2fab6..8bbfdaf8 100644 ---- a/src/lxc/Makefile.am -+++ b/src/lxc/Makefile.am -@@ -173,6 +173,10 @@ if !HAVE_STRLCAT - liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h - endif - -+if ENFORCE_MEMFD_REXEC -+liblxc_la_SOURCES += rexec.c -+endif -+ - AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ - -DLXCPATH=\"$(LXCPATH)\" \ - -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \ -diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c -index f89aa638..930fd738 100644 ---- 
a/src/lxc/file_utils.c -+++ b/src/lxc/file_utils.c -@@ -31,7 +31,7 @@ - #include "config.h" - #include "file_utils.h" - #include "macro.h" --#include "string.h" -+#include "string_utils.h" - - int lxc_write_to_file(const char *filename, const void *buf, size_t count, - bool add_newline, mode_t mode) -@@ -327,3 +327,42 @@ again: - - return ret; - } -+ -+char *file_to_buf(char *path, size_t *length) -+{ -+ int fd; -+ char buf[PATH_MAX]; -+ char *copy = NULL; -+ -+ if (!length) -+ return NULL; -+ -+ fd = open(path, O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ return NULL; -+ -+ *length = 0; -+ for (;;) { -+ int n; -+ char *old = copy; -+ -+ n = lxc_read_nointr(fd, buf, sizeof(buf)); -+ if (n < 0) -+ goto on_error; -+ if (!n) -+ break; -+ -+ copy = must_realloc(old, (*length + n) * sizeof(*old)); -+ memcpy(copy + *length, buf, n); -+ *length += n; -+ } -+ -+ close(fd); -+ return copy; -+ -+on_error: -+ close(fd); -+ free(copy); -+ -+ return NULL; -+} -diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h -index 6361557a..518a61af 100644 ---- a/src/lxc/file_utils.h -+++ b/src/lxc/file_utils.h -@@ -55,5 +55,6 @@ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); - extern FILE *fopen_cloexec(const char *path, const char *mode); - extern ssize_t lxc_sendfile_nointr(int out_fd, int in_fd, off_t *offset, - size_t count); -+extern char *file_to_buf(char *path, size_t *length); - - #endif /* __LXC_FILE_UTILS_H */ -diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c -new file mode 100644 -index 00000000..396bd617 ---- /dev/null -+++ b/src/lxc/rexec.c -@@ -0,0 +1,181 @@ -+/* liblxcapi -+ * -+ * Copyright © 2019 Christian Brauner . -+ * Copyright © 2019 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2, as -+ * published by the Free Software Foundation. 
-+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License along -+ * with this program; if not, write to the Free Software Foundation, Inc., -+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+ */ -+ -+#ifndef _GNU_SOURCE -+#define _GNU_SOURCE 1 -+#endif -+#include -+#include -+#include -+#include -+ -+#include "config.h" -+#include "file_utils.h" -+#include "raw_syscalls.h" -+#include "string_utils.h" -+#include "syscall_wrappers.h" -+ -+#define LXC_MEMFD_REXEC_SEALS \ -+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) -+ -+static int push_vargs(char *data, int data_length, char ***output) -+{ -+ int num = 0; -+ char *cur = data; -+ -+ if (!data || *output) -+ return -1; -+ -+ *output = must_realloc(NULL, sizeof(**output)); -+ -+ while (cur < data + data_length) { -+ num++; -+ *output = must_realloc(*output, (num + 1) * sizeof(**output)); -+ -+ (*output)[num - 1] = cur; -+ cur += strlen(cur) + 1; -+ } -+ (*output)[num] = NULL; -+ return num; -+} -+ -+static int parse_exec_params(char ***argv, char ***envp) -+{ -+ int ret; -+ char *cmdline = NULL, *env = NULL; -+ size_t cmdline_size, env_size; -+ -+ cmdline = file_to_buf("/proc/self/cmdline", &cmdline_size); -+ if (!cmdline) -+ goto on_error; -+ -+ env = file_to_buf("/proc/self/environ", &env_size); -+ if (!env) -+ goto on_error; -+ -+ ret = push_vargs(cmdline, cmdline_size, argv); -+ if (ret <= 0) -+ goto on_error; -+ -+ ret = push_vargs(env, env_size, envp); -+ if (ret <= 0) -+ goto on_error; -+ -+ return 0; -+ -+on_error: -+ free(env); -+ free(cmdline); -+ -+ return -1; -+} -+ -+static int is_memfd(void) -+{ -+ int fd, saved_errno, seals; -+ -+ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ 
return -ENOTRECOVERABLE; -+ -+ seals = fcntl(fd, F_GET_SEALS); -+ saved_errno = errno; -+ close(fd); -+ errno = saved_errno; -+ if (seals < 0) -+ return -EINVAL; -+ -+ return seals == LXC_MEMFD_REXEC_SEALS; -+} -+ -+static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name) -+{ -+ int saved_errno; -+ ssize_t bytes_sent; -+ int fd = -1, memfd = -1; -+ -+ memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC); -+ if (memfd < 0) -+ return; -+ -+ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ goto on_error; -+ -+ /* sendfile() handles up to 2GB. */ -+ bytes_sent = lxc_sendfile_nointr(memfd, fd, NULL, LXC_SENDFILE_MAX); -+ saved_errno = errno; -+ close(fd); -+ errno = saved_errno; -+ if (bytes_sent < 0) -+ goto on_error; -+ -+ if (fcntl(memfd, F_ADD_SEALS, LXC_MEMFD_REXEC_SEALS)) -+ goto on_error; -+ -+ fexecve(memfd, argv, envp); -+ -+on_error: -+ saved_errno = errno; -+ close(memfd); -+ errno = saved_errno; -+} -+ -+static int lxc_rexec(const char *memfd_name) -+{ -+ int ret; -+ char **argv = NULL, **envp = NULL; -+ -+ ret = is_memfd(); -+ if (ret < 0 && ret == -ENOTRECOVERABLE) { -+ fprintf(stderr, -+ "%s - Failed to determine whether this is a memfd\n", -+ strerror(errno)); -+ return -1; -+ } else if (ret > 0) { -+ return 0; -+ } -+ -+ ret = parse_exec_params(&argv, &envp); -+ if (ret < 0) { -+ fprintf(stderr, -+ "%s - Failed to parse command line parameters\n", -+ strerror(errno)); -+ return -1; -+ } -+ -+ lxc_rexec_as_memfd(argv, envp, memfd_name); -+ fprintf(stderr, "%s - Failed to rexec as memfd\n", strerror(errno)); -+ return -1; -+} -+ -+/** -+ * This function will copy any binary that calls liblxc into a memory file and -+ * will use the memfd to rexecute the binary. This is done to prevent attacks -+ * through the /proc/self/exe symlink to corrupt the host binary when host and -+ * container are in the same user namespace or have set up an identity id -+ * mapping: CVE-2019-5736. 
-+ */ -+__attribute__((constructor)) static void liblxc_rexec(void) -+{ -+ if (lxc_rexec("liblxc")) { -+ fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n"); -+ _exit(EXIT_FAILURE); -+ } -+} -diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h -index 42d94db2..dca4d157 100644 ---- a/src/lxc/syscall_wrappers.h -+++ b/src/lxc/syscall_wrappers.h -@@ -58,6 +58,20 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, - #define keyctl __keyctl - #endif - -+#ifndef F_LINUX_SPECIFIC_BASE -+#define F_LINUX_SPECIFIC_BASE 1024 -+#endif -+#ifndef F_ADD_SEALS -+#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -+#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -+#endif -+#ifndef F_SEAL_SEAL -+#define F_SEAL_SEAL 0x0001 -+#define F_SEAL_SHRINK 0x0002 -+#define F_SEAL_GROW 0x0004 -+#define F_SEAL_WRITE 0x0008 -+#endif -+ - #ifndef HAVE_MEMFD_CREATE - static inline int memfd_create(const char *name, unsigned int flags) { - #ifndef __NR_memfd_create --- -2.20.1 - diff --git a/lxc.spec b/lxc.spec index c74d610..48f6e6e 100644 --- a/lxc.spec +++ b/lxc.spec @@ -10,16 +10,14 @@ %endif Name: lxc -Version: 3.0.3 -Release: 4%{?dist} +Version: 3.0.4 +Release: 1%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch -# upstream commit 113a0557 -Patch2: lxc-3.0.3-fix-runc.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -247,6 +245,9 @@ make check %changelog +* Fri Aug 16 2019 Thomas Moschny - 3.0.4-1 +- Update to 3.0.4. + * Thu Jul 25 2019 Fedora Release Engineering - 3.0.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sources b/sources index 8b0502b..7983f18 100644 --- a/sources +++ b/sources 
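Review bot: Hunk `@@ -10,16 +10,14 @@` drops `Patch2: lxc-3.0.3-fix-runc.patch` (the CVE-2019-5736 memfd re-exec fix) together with its `# upstream commit 113a0557` comment, but the changelog entry added below only says `- Update to 3.0.4.`. Presumably 3.0.4 contains upstream commit 113a0557, but nothing in the hunk shows that. A changelog line such as `- Drop lxc-3.0.3-fix-runc.patch, CVE-2019-5736 fix is included upstream.` would let anyone auditing the package history confirm the mitigation was carried forward rather than silently lost.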
@@ -1 +1 @@ -SHA512 (lxc-3.0.3.tar.gz) = cdc411364153d7ed494bab604260f5cbdfd5bd7734a59af970b3198c7b3cb340b6736856a2189d5989e169945a817ac8b531bc3ab62217a4285dd63a851f9c8a +SHA512 (lxc-3.0.4.tar.gz) = 6e58a2822abb2709c9d37aa4d741f98231a89387c48f81d4c7205648a5792f984b9d3e8e25bee530dcaf524f0c5716357d25c2b8024345a9507a2bc69134cb14 From dfa7c13d53bd90d8211806a91246647c57f0e4a8 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Mon, 9 Sep 2019 09:09:42 +0200 Subject: [PATCH 78/95] Add patches to fix cgroups cpuset initialization (rhbz#1750031). --- lxc-3.0.4-cgroups-fix-cpuset-init.patch | 60 +++++++++++++++++++++++++ lxc.spec | 8 +++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 lxc-3.0.4-cgroups-fix-cpuset-init.patch diff --git a/lxc-3.0.4-cgroups-fix-cpuset-init.patch b/lxc-3.0.4-cgroups-fix-cpuset-init.patch new file mode 100644 index 0000000..4aee19a --- /dev/null +++ b/lxc-3.0.4-cgroups-fix-cpuset-init.patch 
@@ -0,0 +1,60 @@ +From b9071a6dab43631d65ccf7cbb9c6f39769c86f09 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 3 Jul 2019 17:57:48 +0200 +Subject: [PATCH] cgroups: hande cpuset initialization race + +Signed-off-by: Christian Brauner +--- + src/lxc/cgroups/cgfsng.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 95a87d5aa9..a6e2d51b11 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -612,10 +612,8 @@ static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) + } + + /* Already set for us by someone else. */ +- if (v == '1') { +- DEBUG("\"cgroup.clone_children\" was already set to \"1\""); +- return true; +- } ++ if (v == '1') ++ TRACE("\"cgroup.clone_children\" was already set to \"1\""); + + /* copy parent's settings */ + if (!copy_parent_file(cgpath, "cpuset.mems")) { +From a29e5dc592481e7fc76a6c97ee62b4f9ef6f8b0e Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Sun, 28 Jul 2019 23:13:26 +0200 +Subject: [PATCH] cgroups: initialize cpuset properly + +Closes #3108. 
+Signed-off-by: Christian Brauner +--- + src/lxc/cgroups/cgfsng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index a6e2d51b11..f341f06332 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -496,12 +496,12 @@ static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized) + } + + if (!flipped_bit) { +- DEBUG("No isolated or offline cpus present in cpuset"); +- return true; ++ cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); ++ TRACE("No isolated or offline cpus present in cpuset"); ++ } else { ++ cpulist = move_ptr(posscpus); ++ TRACE("Removed isolated or offline cpus from cpuset"); + } +- DEBUG("Removed isolated or offline cpus from cpuset"); +- +- cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); + if (!cpulist) { + ERROR("Failed to create cpu list"); + return false; diff --git a/lxc.spec b/lxc.spec index 48f6e6e..91cf1e5 100644 --- a/lxc.spec +++ b/lxc.spec @@ -11,13 +11,16 @@ Name: lxc Version: 3.0.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch +# upstream commits b9071a6 and a29e5dc +# see also https://github.com/lxc/lxc/issues/3118 +Patch2: lxc-3.0.4-cgroups-fix-cpuset-init.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -245,6 +248,9 @@ make check %changelog +* Mon Sep 9 2019 Thomas Moschny - 3.0.4-2 +- Add patches to fix cgroups cpuset initialization (rhbz#1750031). + * Fri Aug 16 2019 Thomas Moschny - 3.0.4-1 - Update to 3.0.4. From a47399361c68e7818883bb4fe13cf923814e588a Mon Sep 17 00:00:00 2001 
From: Thomas Moschny Date: Sun, 15 Dec 2019 12:37:51 +0100 Subject: [PATCH 79/95] Update to 3.2.1. Include pam_cgfs. Use OpenSSL. --- lxc-3.0.4-cgroups-fix-cpuset-init.patch | 60 ------------------------- lxc.spec | 18 +++++--- sources | 2 +- 3 files changed, 14 insertions(+), 66 deletions(-) delete mode 100644 lxc-3.0.4-cgroups-fix-cpuset-init.patch diff --git a/lxc-3.0.4-cgroups-fix-cpuset-init.patch b/lxc-3.0.4-cgroups-fix-cpuset-init.patch deleted file mode 100644 index 4aee19a..0000000 --- a/lxc-3.0.4-cgroups-fix-cpuset-init.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From b9071a6dab43631d65ccf7cbb9c6f39769c86f09 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Wed, 3 Jul 2019 17:57:48 +0200 -Subject: [PATCH] cgroups: hande cpuset initialization race - -Signed-off-by: Christian Brauner ---- - src/lxc/cgroups/cgfsng.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index 95a87d5aa9..a6e2d51b11 100644 ---- a/src/lxc/cgroups/cgfsng.c -+++ b/src/lxc/cgroups/cgfsng.c -@@ -612,10 +612,8 @@ static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) - } - - /* Already set for us by someone else. */ -- if (v == '1') { -- DEBUG("\"cgroup.clone_children\" was already set to \"1\""); -- return true; -- } -+ if (v == '1') -+ TRACE("\"cgroup.clone_children\" was already set to \"1\""); - - /* copy parent's settings */ - if (!copy_parent_file(cgpath, "cpuset.mems")) { -From a29e5dc592481e7fc76a6c97ee62b4f9ef6f8b0e Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 28 Jul 2019 23:13:26 +0200 -Subject: [PATCH] cgroups: initialize cpuset properly - -Closes #3108. 
-Signed-off-by: Christian Brauner ---- - src/lxc/cgroups/cgfsng.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index a6e2d51b11..f341f06332 100644 ---- a/src/lxc/cgroups/cgfsng.c -+++ b/src/lxc/cgroups/cgfsng.c -@@ -496,12 +496,12 @@ static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized) - } - - if (!flipped_bit) { -- DEBUG("No isolated or offline cpus present in cpuset"); -- return true; -+ cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); -+ TRACE("No isolated or offline cpus present in cpuset"); -+ } else { -+ cpulist = move_ptr(posscpus); -+ TRACE("Removed isolated or offline cpus from cpuset"); - } -- DEBUG("Removed isolated or offline cpus from cpuset"); -- -- cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); - if (!cpulist) { - ERROR("Failed to create cpu list"); - return false; diff --git a/lxc.spec b/lxc.spec index 91cf1e5..7bb43d5 100644 --- a/lxc.spec +++ b/lxc.spec @@ -10,17 +10,14 @@ %endif Name: lxc -Version: 3.0.4 -Release: 2%{?dist} +Version: 3.2.1 +Release: 1%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch -# upstream commits b9071a6 and a29e5dc -# see also https://github.com/lxc/lxc/issues/3118 -Patch2: lxc-3.0.4-cgroups-fix-cpuset-init.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -29,6 +26,8 @@ BuildRequires: libselinux-devel BuildRequires: pkgconfig(libseccomp) %endif # with_seccomp BuildRequires: libcap-devel +BuildRequires: pam-devel +BuildRequires: openssl-devel BuildRequires: libtool BuildRequires: systemd BuildRequires: pkgconfig(bash-completion) 
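Review bot: Hunk `@@ -10,17 +10,14 @@` removes `Patch2: lxc-3.0.4-cgroups-fix-cpuset-init.patch` and its `# upstream commits b9071a6 and a29e5dc` comment, yet the changelog lists only the version update, pam_cgfs and OpenSSL. Nothing here states that 3.2.1 contains those two commits, and a later commit on this page re-adds the same fix as `lxc-3.2.1-cgroups-fix-cpuset-init.patch` for rhbz#1816949, which suggests it did not. When a backport is dropped on a version bump, record why in the changelog, e.g. `- Drop cpuset patch, fixed upstream in 3.2.1.`, or keep the patch until the upstream commit is confirmed in the new tarball.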
@@ -124,6 +123,9 @@ autoreconf -vif --disable-static \ --disable-apparmor \ --enable-selinux \ + --enable-capabilities \ + --enable-pam \ + --enable-openssl \ %if 0%{?with_seccomp} --enable-seccomp \ %endif # with_seccomp @@ -226,6 +228,7 @@ make check %{_unitdir}/%{name}@.service %{_unitdir}/%{name}-net.service %dir %{_localstatedir}/cache/%{name} +/%{_lib}/security/pam_cgfs.so %files templates @@ -248,6 +251,11 @@ make check %changelog +* Sun Dec 15 2019 Thomas Moschny - 3.2.1-1 +- Update to 3.2.1. +- Include pam_cgfs. +- Use OpenSSL. + * Mon Sep 9 2019 Thomas Moschny - 3.0.4-2 - Add patches to fix cgroups cpuset initialization (rhbz#1750031). diff --git a/sources b/sources index 7983f18..ca18116 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxc-3.0.4.tar.gz) = 6e58a2822abb2709c9d37aa4d741f98231a89387c48f81d4c7205648a5792f984b9d3e8e25bee530dcaf524f0c5716357d25c2b8024345a9507a2bc69134cb14 +SHA512 (lxc-3.2.1.tar.gz) = 4b3046fc6c4aa497fb26bd45839e60de503184af86d3966e796d14e619203536b9a9ed67bdcd8a108cf1a548f8d095fb46dff53094a08abd8d268c866db685c0 From 550212a7bdda8a84580fd0f7d182de7024ac59a9 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 29 Jan 2020 11:40:43 +0000 Subject: [PATCH 80/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 7bb43d5..2ce2814 100644 --- a/lxc.spec +++ b/lxc.spec @@ -11,7 +11,7 @@ Name: lxc Version: 3.2.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc @@ -251,6 +251,9 @@ make check %changelog +* Wed Jan 29 2020 Fedora Release Engineering - 3.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Sun Dec 15 2019 Thomas Moschny - 3.2.1-1 - Update to 3.2.1. - Include pam_cgfs. 
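Review bot: `/%{_lib}/security/pam_cgfs.so` in hunk `@@ -226,6 +228,7 @@` is listed with a bare absolute path outside `/usr`, unlike every other entry in the file which goes through `%{_libdir}`, `%{_unitdir}` and the like. Confirm that upstream's install really places the module under `/%{_lib}/security` on Fedora rather than `%{_libdir}/security`; a path that only resolves through the `/lib64` compatibility symlink is fragile. The module's manual pages are not packaged in this commit either (a later commit on this page adds `%{_mandir}/man8/pam_cgfs*`), so a host that gets a new PAM module from this update has no local documentation for it.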
From 8ef31f0e2abfd9d2c4803727422cabc850f52848 Mon Sep 17 00:00:00 2001 From: Timotheus Pokorra Date: Sat, 30 May 2020 08:11:47 +0200 Subject: [PATCH 81/95] reapplying patch to fix cgroups cpuset initialization (rhbz#1816949) --- lxc-3.2.1-cgroups-fix-cpuset-init.patch | 34 +++++++++++++++++++++++++ lxc.spec | 6 ++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 lxc-3.2.1-cgroups-fix-cpuset-init.patch diff --git a/lxc-3.2.1-cgroups-fix-cpuset-init.patch b/lxc-3.2.1-cgroups-fix-cpuset-init.patch new file mode 100644 index 0000000..aa2838a --- /dev/null +++ b/lxc-3.2.1-cgroups-fix-cpuset-init.patch @@ -0,0 +1,34 @@ +From b31d62b847a3ee013613795094cce4acc12345ef Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Sun, 28 Jul 2019 23:13:26 +0200 +Subject: [PATCH] cgroups: initialize cpuset properly + +Closes #3108. +Signed-off-by: Christian Brauner +--- + src/lxc/cgroups/cgfsng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 7b8fe6736f..c29c0958e9 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -496,12 +496,12 @@ static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized) + } + + if (!flipped_bit) { +- DEBUG("No isolated or offline cpus present in cpuset"); +- return true; ++ cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); ++ TRACE("No isolated or offline cpus present in cpuset"); ++ } else { ++ cpulist = move_ptr(posscpus); ++ TRACE("Removed isolated or offline cpus from cpuset"); + } +- DEBUG("Removed isolated or offline cpus from cpuset"); +- +- cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); + if (!cpulist) { + ERROR("Failed to create cpu list"); + return false; + diff --git a/lxc.spec b/lxc.spec index 2ce2814..6785bb6 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -11,13 +11,14 @@ Name: lxc Version: 3.2.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Patch0: lxc-2.0.7-fix-init.patch Patch1: lxc-2.0.6-fix-lxc-net.patch +Patch2: lxc-3.2.1-cgroups-fix-cpuset-init.patch BuildRequires: docbook2X BuildRequires: doxygen BuildRequires: kernel-headers @@ -251,6 +252,9 @@ make check %changelog +* Sat May 30 2020 Timotheus Pokorra - 3.2.1-3 +- reapplying patch to fix cgroups cpuset initialization (rhbz#1816949) + * Wed Jan 29 2020 Fedora Release Engineering - 3.2.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From cd04e729d25b65f01c08e3904ef5da824247b258 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jul 2020 06:35:59 +0000 Subject: [PATCH 82/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- lxc.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lxc.spec b/lxc.spec index 6785bb6..bc9aa5c 100644 --- a/lxc.spec +++ b/lxc.spec @@ -11,7 +11,7 @@ Name: lxc Version: 3.2.1 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Linux Resource Containers License: LGPLv2+ and GPLv2 URL: http://linuxcontainers.org/lxc @@ -252,6 +252,9 @@ make check %changelog +* Tue Jul 28 2020 Fedora Release Engineering - 3.2.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Sat May 30 2020 Timotheus Pokorra - 3.2.1-3 - reapplying patch to fix cgroups cpuset initialization (rhbz#1816949) From 81caaeb2aec9f3b5ee09500a76efbe1e0024a85f Mon Sep 17 00:00:00 2001 
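Review bot: `Patch2: lxc-3.2.1-cgroups-fix-cpuset-init.patch` in hunk `@@ -11,13 +11,14 @@` is added without the provenance comment the file used for the previous backport (`# upstream commits b9071a6 and a29e5dc`). The patch file added in this same commit identifies itself as upstream commit b31d62b8 and the changelog cites rhbz#1816949, so a line `# upstream commit b31d62b8 (rhbz#1816949)` directly above the `Patch2:` entry would keep the convention and make it easier to decide at the next version bump whether the patch can be dropped.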
From: Thomas Moschny Date: Sat, 14 Nov 2020 11:52:47 +0100 Subject: [PATCH 83/95] Update to 4.0.5. --- lxc-2.0.6-fix-lxc-net.patch | 11 -------- lxc-3.2.1-cgroups-fix-cpuset-init.patch | 34 ----------------------- lxc-4.0.1-fix-lxc-net.patch | 11 ++++++++ lxc.spec | 36 ++++++++++++++++--------- sources | 2 +- 5 files changed, 35 insertions(+), 59 deletions(-) delete mode 100644 lxc-2.0.6-fix-lxc-net.patch delete mode 100644 lxc-3.2.1-cgroups-fix-cpuset-init.patch create mode 100644 lxc-4.0.1-fix-lxc-net.patch diff --git a/lxc-2.0.6-fix-lxc-net.patch b/lxc-2.0.6-fix-lxc-net.patch deleted file mode 100644 index 684cee3..0000000 --- a/lxc-2.0.6-fix-lxc-net.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up lxc-2.0.6/config/init/systemd/lxc-net.service.in.orig lxc-2.0.6/config/init/systemd/lxc-net.service.in ---- lxc-2.0.6/config/init/systemd/lxc-net.service.in.orig 2016-11-23 20:15:59.000000000 +0100 -+++ lxc-2.0.6/config/init/systemd/lxc-net.service.in 2016-12-04 21:55:24.149093437 +0100 -@@ -1,6 +1,7 @@ - [Unit] - Description=LXC network bridge setup - After=network-online.target -+Wants=network-online.target - Before=lxc.service - - [Service] diff --git a/lxc-3.2.1-cgroups-fix-cpuset-init.patch b/lxc-3.2.1-cgroups-fix-cpuset-init.patch deleted file mode 100644 index aa2838a..0000000 --- a/lxc-3.2.1-cgroups-fix-cpuset-init.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From b31d62b847a3ee013613795094cce4acc12345ef Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 28 Jul 2019 23:13:26 +0200 -Subject: [PATCH] cgroups: initialize cpuset properly - -Closes #3108. -Signed-off-by: Christian Brauner ---- - src/lxc/cgroups/cgfsng.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index 7b8fe6736f..c29c0958e9 100644 ---- a/src/lxc/cgroups/cgfsng.c -+++ b/src/lxc/cgroups/cgfsng.c -@@ -496,12 +496,12 @@ static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized) - } - - if (!flipped_bit) { -- DEBUG("No isolated or offline cpus present in cpuset"); -- return true; -+ cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); -+ TRACE("No isolated or offline cpus present in cpuset"); -+ } else { -+ cpulist = move_ptr(posscpus); -+ TRACE("Removed isolated or offline cpus from cpuset"); - } -- DEBUG("Removed isolated or offline cpus from cpuset"); -- -- cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); - if (!cpulist) { - ERROR("Failed to create cpu list"); - return false; - diff --git a/lxc-4.0.1-fix-lxc-net.patch b/lxc-4.0.1-fix-lxc-net.patch new file mode 100644 index 0000000..f889abe --- /dev/null +++ b/lxc-4.0.1-fix-lxc-net.patch @@ -0,0 +1,11 @@ +diff -up lxc-4.0.1/config/init/systemd/lxc-net.service.in.orig lxc-4.0.1/config/init/systemd/lxc-net.service.in +--- lxc-4.0.1/config/init/systemd/lxc-net.service.in.orig 2020-04-06 21:15:17.000000000 +0200 ++++ lxc-4.0.1/config/init/systemd/lxc-net.service.in 2020-04-10 18:31:54.277490764 +0200 +@@ -1,6 +1,7 @@ + [Unit] + Description=LXC network bridge setup + After=network-online.target ++Wants=network-online.target + Before=lxc.service + Documentation=man:lxc + diff --git a/lxc.spec b/lxc.spec index bc9aa5c..4850538 100644 --- a/lxc.spec +++ b/lxc.spec 
@@ -10,15 +10,15 @@
 %endif
 
 Name: lxc
-Version: 3.2.1
-Release: 4%{?dist}
+Version: 4.0.5
+Release: 1%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: http://linuxcontainers.org/lxc
 Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
+Source1: lxc-net
 Patch0: lxc-2.0.7-fix-init.patch
-Patch1: lxc-2.0.6-fix-lxc-net.patch
-Patch2: lxc-3.2.1-cgroups-fix-cpuset-init.patch
+Patch1: lxc-4.0.1-fix-lxc-net.patch
 BuildRequires: docbook2X
 BuildRequires: doxygen
 BuildRequires: kernel-headers
@@ -71,14 +71,17 @@ The %{name}-libs package contains libraries for running %{name} applications.
 %package templates
 Summary: Templates for %{name}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-# Note: Requirements for the template scripts (busybox, dpkg,
+# Note: Not all requirements for the template scripts (busybox, dpkg,
 # debootstrap, rsync, openssh-server, dhclient, apt, pacman, zypper,
-# ubuntu-cloudimg-query etc...) are not explicitly mentioned here:
-# their presence varies wildly on supported Fedora/EPEL releases and
-# archs, and they are in most cases needed for a single template
-# only. Also, the templates normally fail graciously when such a tool
-# is missing. Moving each template to its own subpackage on the other
+# ubuntu-cloudimg-query etc...) are explicitly mentioned here: their
+# presence varies wildly on supported Fedora/EPEL releases and archs,
+# and they are in most cases needed for a single template only. Also,
+# the templates normally fail graciously when such a tool is
+# missing. Moving each template to its own subpackage on the other
 # hand would be overkill.
+#
+# Add wget, used by the 'download' template (see also #1828032)
+Requires: wget
 
 
 %description templates
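Review bot: `Source1: lxc-net` is referenced in the first hunk, but the file is not part of this commit — the diffstat lists only the two dropped patches, the new lxc-4.0.1 patch, lxc.spec and sources, and lxc-net only arrives in PATCH 84/95 "Add missing file". At this commit an SRPM build fails on the missing Source1, so the file belongs in the same commit as the spec line that references it. The patch renumbering (Patch2 removed, Patch1 repointed at lxc-4.0.1-fix-lxc-net.patch) is only safe if %prep applies patches generically rather than with a hard-coded `%patch2`; %prep is outside this hunk, so that cannot be confirmed here.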
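Review bot: The bug reference in the new comment, `# Add wget, used by the 'download' template (see also #1828032)`, does not name the tracker the number belongs to; if it is a Red Hat Bugzilla id, `(see also rhbz#1828032)` makes it resolvable without guessing. The restated rule above says tool requirements are deliberately left implicit because templates "fail graciously" when a tool is missing; for the download template, which fetches images over the network, any tool it uses to validate what it downloaded should get the same explicit treatment as wget rather than be skipped silently — whether such a tool exists is not visible in the spec, so this is a point to confirm against the template.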
@@ -152,6 +155,8 @@ mkdir -p %{buildroot}%{_localstatedir}/cache/%{name}
 
 # remove libtool .la file
 rm -rf %{buildroot}%{_libdir}/liblxc.la
+# lxc-net config file
+cp -a %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-net
 
 %check
 make check
@@ -161,20 +166,17 @@ make check
 %{?ldconfig}
 %systemd_post %{name}-net.service
 %systemd_post %{name}.service
-%systemd_post %{name}@.service
 
 
 %preun libs
 %systemd_preun %{name}-net.service
 %systemd_preun %{name}.service
-%systemd_preun %{name}@.service
 
 
 %postun libs
 %{?ldconfig}
 %systemd_postun %{name}-net.service
 %systemd_postun %{name}.service
-%systemd_postun %{name}@.service
 
 
 %files
@@ -213,6 +215,7 @@ make check
 %dir %{_sysconfdir}/%{name}
 %config(noreplace) %{_sysconfdir}/%{name}/default.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-net
 %{_mandir}/man1/%{name}-autostart*
 %{_mandir}/*/man1/%{name}-autostart*
 %{_mandir}/man1/%{name}-user-nic*
@@ -221,6 +224,8 @@ make check
 %{_mandir}/man7/%{name}*
 %{_mandir}/*/man5/%{name}*
 %{_mandir}/*/man7/%{name}*
+%{_mandir}/man8/pam_cgfs*
+%{_mandir}/*/man8/pam_cgfs*
 %dir %{_pkgdocdir}
 %{_pkgdocdir}/AUTHORS
 %{_pkgdocdir}/README
@@ -252,6 +257,11 @@ make check
 
 
 %changelog
+* Sat Nov 14 2020 Thomas Moschny - 4.0.5-1
+- Update to 4.0.5.
+- Enable LXC bridge per default.
+- Add wget dependency for the templates subpackage.
+
 * Tue Jul 28 2020 Fedora Release Engineering - 3.2.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
diff --git a/sources b/sources
index ca18116..e2328f6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lxc-3.2.1.tar.gz) = 4b3046fc6c4aa497fb26bd45839e60de503184af86d3966e796d14e619203536b9a9ed67bdcd8a108cf1a548f8d095fb46dff53094a08abd8d268c866db685c0
+SHA512 (lxc-4.0.5.tar.gz) = d536e767f4b7c1ea974469a19f89ddbcebbc3f8c7922b174b966fb2e80ae33199a8a915a962da9cbc7e075442555bc355525f2d4f8e76498b8a7e49f46dc006f
From d9d2f286bd59c81e0c6460c7fe1e644b316fb47e Mon Sep 17 00:00:00 2001
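Review bot: `cp -a %{SOURCE1} ...` in the %install hunk carries whatever mode the lxc-net file happens to have in the dist-git checkout into the package, so the permissions of a file installed under /etc/sysconfig (and written as shell-style assignments, so presumably sourced by the lxc-net script) depend on the packager's working tree rather than on the spec. The usual form pins them: `install -p -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-net`. The `%{_sysconfdir}/sysconfig` directory is assumed to already exist in the buildroot, which the existing `%config(noreplace) %{_sysconfdir}/sysconfig/%{name}` entry suggests but this hunk does not show.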
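Review bot: The `%{_mandir}/man8/pam_cgfs*` and `%{_mandir}/*/man8/pam_cgfs*` entries add documentation for a PAM module to the main package, but no matching `%{_libdir}/security/pam_cgfs.so` entry appears in any visible hunk. If the module is listed in a part of %files outside this diff that is fine; if it is not built, the pages describe something the package does not ship, and if it is built but unlisted, rpmbuild fails on the unpackaged file — either way the pairing should be checked. A short comment next to the man8 lines saying which subpackage ships the module would make the intent reviewable.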
From: Thomas Moschny
Date: Sat, 14 Nov 2020 16:13:13 +0100
Subject: [PATCH 84/95] Add missing file.

---
 lxc-net | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 lxc-net

diff --git a/lxc-net b/lxc-net
new file mode 100644
index 0000000..c41e9b8
--- /dev/null
+++ b/lxc-net
@@ -0,0 +1,29 @@
+# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
+# containers. Set to "false" if you'll use virbr0 or another existing
+# bridge, or macvlan to your host's NIC.
+USE_LXC_BRIDGE="true"
+
+# If you change the LXC_BRIDGE to something other than lxcbr0, then
+# you will also need to update your /etc/lxc/default.conf as well as the
+# configuration (/var/lib/lxc//config) for any containers
+# already created using the default config to reflect the new bridge
+# name.
+# If you have the dnsmasq daemon installed, you'll also have to update
+# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
+#LXC_BRIDGE="lxcbr0"
+#LXC_BRIDGE_MAC="00:16:3e:00:00:00"
+#LXC_ADDR="10.0.3.1"
+#LXC_NETMASK="255.255.255.0"
+#LXC_NETWORK="10.0.3.0/24"
+#LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
+#LXC_DHCP_MAX="253"
+# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
+# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
+# container 'mail1' always get ip address 10.0.3.100.
+#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf
+
+# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
+# domain. You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
+# to /etc/dnsmasq.conf, after which 'container1.lxc' will resolve on your
+# host.
+#LXC_DOMAIN="lxc"
From ff54545a0eb448dee2257ab13dcb4fff8298dd3d Mon Sep 17 00:00:00 2001
From: Tom Stellard
Date: Wed, 6 Jan 2021 21:11:59 +0000
Subject: [PATCH 85/95] Add BuildRequires: make

https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
---
 lxc.spec | 1 +
 1 file changed, 1 insertion(+)

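Review bot: Two comments in the new lxc-net file are damaged: `# configuration (/var/lib/lxc//config) for any containers` has lost the container-name component between the two slashes (presumably an angle-bracketed placeholder such as `<container>` was stripped, so the line should read `# configuration (/var/lib/lxc/<container>/config) for any containers`), and `# domain. You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)` opens with a double quote and closes with a single one. Since every setting except `USE_LXC_BRIDGE="true"` is commented out, the file does not say where the effective bridge name, address range and DHCP values come from; a one-line comment such as `# Settings left commented out fall back to the defaults built into the lxc-net script` (to be confirmed against the script) would tell an administrator what the shipped state actually configures.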
diff --git a/lxc.spec b/lxc.spec
index 4850538..131cedf 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -19,6 +19,7 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
 Source1: lxc-net
 Patch0: lxc-2.0.7-fix-init.patch
 Patch1: lxc-4.0.1-fix-lxc-net.patch
+BuildRequires: make
 BuildRequires: docbook2X
 BuildRequires: doxygen
 BuildRequires: kernel-headers
From cb765fea5616e8fa7f2a74031aac289ca6eb96b5 Mon Sep 17 00:00:00 2001
From: Thomas Moschny
Date: Mon, 18 Jan 2021 22:09:03 +0100
Subject: [PATCH 86/95] Update to 4.0.6.

---
 lxc.spec | 7 +++++--
 sources | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lxc.spec b/lxc.spec
index 131cedf..d836ef5 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -10,7 +10,7 @@
 %endif
 
 Name: lxc
-Version: 4.0.5
+Version: 4.0.6
 Release: 1%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
@@ -19,7 +19,7 @@ Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
 Source1: lxc-net
 Patch0: lxc-2.0.7-fix-init.patch
 Patch1: lxc-4.0.1-fix-lxc-net.patch
-BuildRequires: make
+BuildRequires: make
 BuildRequires: docbook2X
 BuildRequires: doxygen
 BuildRequires: kernel-headers
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Mon Jan 18 2021 Thomas Moschny - 4.0.6-1
+- Update to 4.0.6.
+
 * Sat Nov 14 2020 Thomas Moschny - 4.0.5-1
 - Update to 4.0.5.
 - Enable LXC bridge per default.
diff --git a/sources b/sources
index e2328f6..a279dcb 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lxc-4.0.5.tar.gz) = d536e767f4b7c1ea974469a19f89ddbcebbc3f8c7922b174b966fb2e80ae33199a8a915a962da9cbc7e075442555bc355525f2d4f8e76498b8a7e49f46dc006f
+SHA512 (lxc-4.0.6.tar.gz) = 98514796ef2091a291516ed7fde737df07ccfe374a0f8b4314e0ee992837e98ed02aa9f7809f8808a2f5ee1c7ae2dcea163531cdaedbb577211eeb9beff90c15
From 6808808446e7143031f303498bf50d39b144f770 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Tue, 26 Jan 2021 18:59:03 +0000
Subject: [PATCH 87/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Signed-off-by: Fedora Release Engineering
---
 lxc.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lxc.spec b/lxc.spec
index d836ef5..0fc6e8d 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -11,7 +11,7 @@
 
 Name: lxc
 Version: 4.0.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: http://linuxcontainers.org/lxc
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Tue Jan 26 2021 Fedora Release Engineering - 4.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Mon Jan 18 2021 Thomas Moschny - 4.0.6-1
 - Update to 4.0.6.
 
From 44ef17e9a8059177fac831ea52526ca79c56c236 Mon Sep 17 00:00:00 2001
From: Thomas Moschny
Date: Sat, 1 May 2021 10:56:22 +0200
Subject: [PATCH 88/95] Update to 4.0.8.

---
 lxc.spec | 11 +++++++----
 sources | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/lxc.spec b/lxc.spec
index 0fc6e8d..876f1cb 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -10,12 +10,12 @@
 %endif
 
 Name: lxc
-Version: 4.0.6
-Release: 2%{?dist}
+Version: 4.0.8
+Release: 1%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
-URL: http://linuxcontainers.org/lxc
-Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
+URL: https://linuxcontainers.org/lxc
+Source0: https://linuxcontainers.org/downloads/lxc/%{name}-%{version}.tar.gz
 Source1: lxc-net
 Patch0: lxc-2.0.7-fix-init.patch
 Patch1: lxc-4.0.1-fix-lxc-net.patch
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Sat May 1 2021 Thomas Moschny - 4.0.8-1
+- Update to 4.0.8.
+
 * Tue Jan 26 2021 Fedora Release Engineering - 4.0.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
diff --git a/sources b/sources
index a279dcb..107017b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lxc-4.0.6.tar.gz) = 98514796ef2091a291516ed7fde737df07ccfe374a0f8b4314e0ee992837e98ed02aa9f7809f8808a2f5ee1c7ae2dcea163531cdaedbb577211eeb9beff90c15
+SHA512 (lxc-4.0.8.tar.gz) = b2b9887c5c4646fbd873fd15779a563954ac729bfbd546ccc2b9c7e5e283b3b3189290a31cc6c549881201ff29d955b56c084a72c080f48f83240c12b46ce85e
From f4d5438e3550a04fd3fd6f6af6999234e92bea6a Mon Sep 17 00:00:00 2001
From: Thomas Moschny
Date: Sat, 8 May 2021 14:09:36 +0200
Subject: [PATCH 89/95] Update to 4.0.9.

---
 lxc.spec | 7 +++++--
 sources | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lxc.spec b/lxc.spec
index 876f1cb..0a09ead 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -10,12 +10,12 @@
 %endif
 
 Name: lxc
-Version: 4.0.8
+Version: 4.0.9
 Release: 1%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: https://linuxcontainers.org/lxc
-Source0: https://linuxcontainers.org/downloads/lxc/%{name}-%{version}.tar.gz
+Source0: https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz
 Source1: lxc-net
 Patch0: lxc-2.0.7-fix-init.patch
 Patch1: lxc-4.0.1-fix-lxc-net.patch
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Sat May 8 2021 Thomas Moschny - 4.0.9-1
+- Update to 4.0.9.
+
 * Sat May 1 2021 Thomas Moschny - 4.0.8-1
 - Update to 4.0.8.
 
diff --git a/sources b/sources
index 107017b..541c892 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lxc-4.0.8.tar.gz) = b2b9887c5c4646fbd873fd15779a563954ac729bfbd546ccc2b9c7e5e283b3b3189290a31cc6c549881201ff29d955b56c084a72c080f48f83240c12b46ce85e
+SHA512 (lxc-4.0.9.tar.gz) = 4ef9d9efdd4118fdffde8b49c6ae71cf5eb060be51daaa4f4ceb804c743fbf3278e6518e6a694faefc720f2834f98ac48d67842d589a2120b8f7ec4c3b61fa84
From 5be673f894942dc165a47f7e908dd3b095c1d4dc Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Thu, 22 Jul 2021 13:27:57 +0000
Subject: [PATCH 90/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering
---
 lxc.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lxc.spec b/lxc.spec
index 0a09ead..3001faf 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -11,7 +11,7 @@
 
 Name: lxc
 Version: 4.0.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: https://linuxcontainers.org/lxc
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Thu Jul 22 2021 Fedora Release Engineering - 4.0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
 * Sat May 8 2021 Thomas Moschny - 4.0.9-1
 - Update to 4.0.9.
 
From 59fbd2512a2fd061f286b2fe2e6b91b6e3140acc Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Tue, 14 Sep 2021 19:07:28 +0200
Subject: [PATCH 91/95] Rebuilt with OpenSSL 3.0.0

---
 lxc.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lxc.spec b/lxc.spec
index 3001faf..2daa9f9 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -11,7 +11,7 @@
 
 Name: lxc
 Version: 4.0.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: https://linuxcontainers.org/lxc
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Tue Sep 14 2021 Sahana Prasad - 4.0.9-3
+- Rebuilt with OpenSSL 3.0.0
+
 * Thu Jul 22 2021 Fedora Release Engineering - 4.0.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 
From f85183c6209169a61cac0dfcffc65fea042a65bf Mon Sep 17 00:00:00 2001
From: Thomas Moschny
Date: Wed, 21 Jul 2021 22:06:55 +0200
Subject: [PATCH 92/95] Update to 4.0.10.

---
 lxc.spec | 7 +++++--
 sources | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lxc.spec b/lxc.spec
index 2daa9f9..401614e 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -10,8 +10,8 @@
 %endif
 
 Name: lxc
-Version: 4.0.9
-Release: 3%{?dist}
+Version: 4.0.10
+Release: 1%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: https://linuxcontainers.org/lxc
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Sat Sep 18 2021 Thomas Moschny - 4.0.10-1
+- Update to 4.0.10.
+
 * Tue Sep 14 2021 Sahana Prasad - 4.0.9-3
 - Rebuilt with OpenSSL 3.0.0
 
diff --git a/sources b/sources
index 541c892..a39404c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lxc-4.0.9.tar.gz) = 4ef9d9efdd4118fdffde8b49c6ae71cf5eb060be51daaa4f4ceb804c743fbf3278e6518e6a694faefc720f2834f98ac48d67842d589a2120b8f7ec4c3b61fa84
+SHA512 (lxc-4.0.10.tar.gz) = ec3ccf344a91b50b30985562c54ad93d2db2d29c24d31da8e3a69e801c8bd23c1560274c1850c39eb7e984940ba86d3ebae75db136320d6bbc5eb03bda4c5318
From b884a6b2dd364bc9ab15a051342585877f691f3c Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Thu, 20 Jan 2022 18:24:19 +0000
Subject: [PATCH 93/95] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

Signed-off-by: Fedora Release Engineering
---
 lxc.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lxc.spec b/lxc.spec
index 401614e..d8b7e24 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -11,7 +11,7 @@
 
 Name: lxc
 Version: 4.0.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: https://linuxcontainers.org/lxc
@@ -258,6 +258,9 @@ make check
 
 
 %changelog
+* Thu Jan 20 2022 Fedora Release Engineering - 4.0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
 * Sat Sep 18 2021 Thomas Moschny - 4.0.10-1
 - Update to 4.0.10.
 
From 5bd5e4c9f56f3abbdcd13aabf11fc4ebe28d042d Mon Sep 17 00:00:00 2001
From: Thomas Moschny
Date: Thu, 26 May 2022 10:25:51 +0200
Subject: [PATCH 94/95] Update to 4.0.12.

---
 lxc.spec | 8 ++++++--
 sources | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lxc.spec b/lxc.spec
index d8b7e24..92c66e3 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -10,8 +10,8 @@
 %endif
 
 Name: lxc
-Version: 4.0.10
-Release: 2%{?dist}
+Version: 4.0.12
+Release: 1%{?dist}
 Summary: Linux Resource Containers
 License: LGPLv2+ and GPLv2
 URL: https://linuxcontainers.org/lxc
@@ -194,6 +194,7 @@ make check
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/%{name}
+%{_datadir}/bash-completion/completions/%{name}-*
 
 
 %files libs
@@ -258,6 +259,9 @@ make check
 
 
 %changelog
+* Thu May 26 2022 Thomas Moschny - 4.0.12-1
+- Update to 4.0.12.
+
 * Thu Jan 20 2022 Fedora Release Engineering - 4.0.10-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 
diff --git a/sources b/sources
index a39404c..88fc647 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lxc-4.0.10.tar.gz) = ec3ccf344a91b50b30985562c54ad93d2db2d29c24d31da8e3a69e801c8bd23c1560274c1850c39eb7e984940ba86d3ebae75db136320d6bbc5eb03bda4c5318
+SHA512 (lxc-4.0.12.tar.gz) = 04437d9c891cd3a22f756c42f05e97398772587175d65aff9d394f0f3e810efc5c1fe7077c39573de3ec259e0605bc2a7ea51093613b2cef908372ae338df19d
From bf905def49f5dc9faa85f2f32e66483f9580c5d4 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Mon, 30 Oct 2023 23:23:06 +0300
Subject: [PATCH 95/95] Remove unnecessary files

---
 sources | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 sources

diff --git a/sources b/sources
deleted file mode 100644
index 88fc647..0000000
--- a/sources
+++ /dev/null
@@ -1 +0,0 @@
-SHA512 (lxc-4.0.12.tar.gz) = 04437d9c891cd3a22f756c42f05e97398772587175d65aff9d394f0f3e810efc5c1fe7077c39573de3ec259e0605bc2a7ea51093613b2cef908372ae338df19d