diff -Nru lxc-1.0.8/aclocal.m4 lxc-1.0.9/aclocal.m4 --- lxc-1.0.8/aclocal.m4 2015-11-09 22:49:18.000000000 +0000 +++ lxc-1.0.9/aclocal.m4 2016-11-23 19:10:04.000000000 +0000 @@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.14.1 -*- Autoconf -*- +# generated automatically by aclocal 1.15 -*- Autoconf -*- -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -20,32 +20,63 @@ If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) -# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -# serial 1 (pkg-config-0.24) -# -# Copyright © 2004 Scott James Remnant . -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# PKG_PROG_PKG_CONFIG([MIN-VERSION]) -# ---------------------------------- +dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +dnl serial 11 (pkg-config-0.29.1) +dnl +dnl Copyright © 2004 Scott James Remnant . +dnl Copyright © 2012-2015 Dan Nicholson +dnl +dnl This program is free software; you can redistribute it and/or modify +dnl it under the terms of the GNU General Public License as published by +dnl the Free Software Foundation; either version 2 of the License, or +dnl (at your option) any later version. 
+dnl +dnl This program is distributed in the hope that it will be useful, but +dnl WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +dnl 02111-1307, USA. +dnl +dnl As a special exception to the GNU General Public License, if you +dnl distribute this file as part of a program that contains a +dnl configuration script generated by Autoconf, you may include it under +dnl the same distribution terms that you use for the rest of that +dnl program. + +dnl PKG_PREREQ(MIN-VERSION) +dnl ----------------------- +dnl Since: 0.29 +dnl +dnl Verify that the version of the pkg-config macros are at least +dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's +dnl installed version of pkg-config, this checks the developer's version +dnl of pkg.m4 when generating configure. +dnl +dnl To ensure that this macro is defined, also add: +dnl m4_ifndef([PKG_PREREQ], +dnl [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])]) +dnl +dnl See the "Since" comment for each macro you use to see what version +dnl of the macros you require. +m4_defun([PKG_PREREQ], +[m4_define([PKG_MACROS_VERSION], [0.29.1]) +m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, + [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) +])dnl PKG_PREREQ + +dnl PKG_PROG_PKG_CONFIG([MIN-VERSION]) +dnl ---------------------------------- +dnl Since: 0.16 +dnl +dnl Search for the pkg-config tool and set the PKG_CONFIG variable to +dnl first found in the path. Checks that the version of pkg-config found +dnl is at least MIN-VERSION. 
If MIN-VERSION is not specified, 0.9.0 is +dnl used since that's the first version where most current features of +dnl pkg-config existed. AC_DEFUN([PKG_PROG_PKG_CONFIG], [m4_pattern_forbid([^_?PKG_[A-Z_]+$]) m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) @@ -67,18 +98,19 @@ PKG_CONFIG="" fi fi[]dnl -])# PKG_PROG_PKG_CONFIG +])dnl PKG_PROG_PKG_CONFIG -# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -# -# Check to see whether a particular set of modules exists. Similar -# to PKG_CHECK_MODULES(), but does not set variables or print errors. -# -# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) -# only at the first occurence in configure.ac, so if the first place -# it's called might be skipped (such as if it is within an "if", you -# have to call PKG_CHECK_EXISTS manually -# -------------------------------------------------------------- +dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +dnl ------------------------------------------------------------------- +dnl Since: 0.18 +dnl +dnl Check to see whether a particular set of modules exists. Similar to +dnl PKG_CHECK_MODULES(), but does not set variables or print errors. +dnl +dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +dnl only at the first occurence in configure.ac, so if the first place +dnl it's called might be skipped (such as if it is within an "if", you +dnl have to call PKG_CHECK_EXISTS manually AC_DEFUN([PKG_CHECK_EXISTS], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl if test -n "$PKG_CONFIG" && \ 
@@ -88,8 +120,10 @@ $3])dnl fi]) -# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) -# --------------------------------------------- +dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +dnl --------------------------------------------- +dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting +dnl pkg_failed based on the result. m4_define([_PKG_CONFIG], [if test -n "$$1"; then pkg_cv_[]$1="$$1" @@ -101,10 +135,11 @@ else pkg_failed=untried fi[]dnl -])# _PKG_CONFIG +])dnl _PKG_CONFIG -# _PKG_SHORT_ERRORS_SUPPORTED -# ----------------------------- +dnl _PKG_SHORT_ERRORS_SUPPORTED +dnl --------------------------- +dnl Internal check to see if pkg-config supports short errors. AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], [AC_REQUIRE([PKG_PROG_PKG_CONFIG]) if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -112,19 +147,17 @@ else _pkg_short_errors_supported=no fi[]dnl -])# _PKG_SHORT_ERRORS_SUPPORTED +])dnl _PKG_SHORT_ERRORS_SUPPORTED -# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], -# [ACTION-IF-NOT-FOUND]) -# -# -# Note that if there is a possibility the first call to -# PKG_CHECK_MODULES might not happen, you should be sure to include an -# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac -# -# -# -------------------------------------------------------------- +dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +dnl [ACTION-IF-NOT-FOUND]) +dnl -------------------------------------------------------------- +dnl Since: 0.4.0 +dnl +dnl Note that if there is a possibility the first call to +dnl PKG_CHECK_MODULES might not happen, you should be sure to include an +dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac AC_DEFUN([PKG_CHECK_MODULES], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl 
@@ -178,9 +211,92 @@ AC_MSG_RESULT([yes]) $3 fi[]dnl -])# PKG_CHECK_MODULES +])dnl PKG_CHECK_MODULES + + +dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +dnl [ACTION-IF-NOT-FOUND]) +dnl --------------------------------------------------------------------- +dnl Since: 0.29 +dnl +dnl Checks for existence of MODULES and gathers its build flags with +dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags +dnl and VARIABLE-PREFIX_LIBS from --libs. +dnl +dnl Note that if there is a possibility the first call to +dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to +dnl include an explicit call to PKG_PROG_PKG_CONFIG in your +dnl configure.ac. +AC_DEFUN([PKG_CHECK_MODULES_STATIC], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +_save_PKG_CONFIG=$PKG_CONFIG +PKG_CONFIG="$PKG_CONFIG --static" +PKG_CHECK_MODULES($@) +PKG_CONFIG=$_save_PKG_CONFIG[]dnl +])dnl PKG_CHECK_MODULES_STATIC + + +dnl PKG_INSTALLDIR([DIRECTORY]) +dnl ------------------------- +dnl Since: 0.27 +dnl +dnl Substitutes the variable pkgconfigdir as the location where a module +dnl should install pkg-config .pc files. By default the directory is +dnl $libdir/pkgconfig, but the default can be changed by passing +dnl DIRECTORY. The user can override through the --with-pkgconfigdir +dnl parameter. 
+AC_DEFUN([PKG_INSTALLDIR], +[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])]) +m4_pushdef([pkg_description], + [pkg-config installation directory @<:@]pkg_default[@:>@]) +AC_ARG_WITH([pkgconfigdir], + [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],, + [with_pkgconfigdir=]pkg_default) +AC_SUBST([pkgconfigdir], [$with_pkgconfigdir]) +m4_popdef([pkg_default]) +m4_popdef([pkg_description]) +])dnl PKG_INSTALLDIR + + +dnl PKG_NOARCH_INSTALLDIR([DIRECTORY]) +dnl -------------------------------- +dnl Since: 0.27 +dnl +dnl Substitutes the variable noarch_pkgconfigdir as the location where a +dnl module should install arch-independent pkg-config .pc files. By +dnl default the directory is $datadir/pkgconfig, but the default can be +dnl changed by passing DIRECTORY. The user can override through the +dnl --with-noarch-pkgconfigdir parameter. +AC_DEFUN([PKG_NOARCH_INSTALLDIR], +[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])]) +m4_pushdef([pkg_description], + [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@]) +AC_ARG_WITH([noarch-pkgconfigdir], + [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],, + [with_noarch_pkgconfigdir=]pkg_default) +AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir]) +m4_popdef([pkg_default]) +m4_popdef([pkg_description]) +])dnl PKG_NOARCH_INSTALLDIR + + +dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, +dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +dnl ------------------------------------------- +dnl Since: 0.28 +dnl +dnl Retrieves the value of the pkg-config variable for the given module. +AC_DEFUN([PKG_CHECK_VAR], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl + +_PKG_CONFIG([$1], [variable="][$3]["], [$2]) +AS_VAR_COPY([$1], [pkg_cv_][$1]) -# Copyright (C) 2002-2013 Free Software Foundation, Inc. 
+AS_VAR_IF([$1], [""], [$5], [$4])dnl +])dnl PKG_CHECK_VAR + +# Copyright (C) 2002-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -192,10 +308,10 @@ # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], -[am__api_version='1.14' +[am__api_version='1.15' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.14.1], [], +m4_if([$1], [1.15], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -211,14 +327,14 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.14.1])dnl +[AM_AUTOMAKE_VERSION([1.15])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -263,15 +379,14 @@ # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[dnl Rely on autoconf to set up CDPATH properly. -AC_PREREQ([2.50])dnl -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_COND_IF -*- Autoconf -*- -# Copyright (C) 2008-2013 Free Software Foundation, Inc. +# Copyright (C) 2008-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -308,7 +423,7 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2013 Free Software Foundation, Inc. +# Copyright (C) 1997-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -339,7 +454,7 @@ Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -530,7 +645,7 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -606,7 +721,7 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -696,8 +811,8 @@ # # AC_SUBST([mkdir_p], ['$(MKDIR_P)']) -# We need awk for the "check" target. The system "awk" is bad on -# some platforms. +# We need awk for the "check" target (and possibly the TAP driver). The +# system "awk" is bad on some platforms. AC_REQUIRE([AC_PROG_AWK])dnl AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl @@ -770,7 +885,11 @@ END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi -fi]) +fi +dnl The trailing newline in this macro's definition is deliberate, for +dnl backward compatibility and to allow trailing 'dnl'-style comments +dnl after the AM_INIT_AUTOMAKE invocation. See automake bug#16841. +]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further @@ -799,7 +918,7 @@ done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -810,7 +929,7 @@ # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -if test x"${install_sh}" != xset; then +if test x"${install_sh+set}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; @@ -820,7 +939,7 @@ fi AC_SUBST([install_sh])]) -# Copyright (C) 2003-2013 Free Software Foundation, Inc. +# Copyright (C) 2003-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -841,7 +960,7 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -891,7 +1010,7 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2013 Free Software Foundation, Inc. +# Copyright (C) 1997-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -930,7 +1049,7 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -959,7 +1078,7 @@ AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1006,7 +1125,7 @@ # For backward compatibility. AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1241,7 +1360,7 @@ sys.exit(sys.hexversion < minverhex)" AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])]) -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -1260,7 +1379,7 @@ # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1341,7 +1460,7 @@ rm -f conftest.file ]) -# Copyright (C) 2009-2013 Free Software Foundation, Inc. +# Copyright (C) 2009-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1401,7 +1520,7 @@ _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1429,7 +1548,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) -# Copyright (C) 2006-2013 Free Software Foundation, Inc. +# Copyright (C) 2006-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1448,7 +1567,7 @@ # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004-2013 Free Software Foundation, Inc. +# Copyright (C) 2004-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru lxc-1.0.8/config/apparmor/abstractions/container-base lxc-1.0.9/config/apparmor/abstractions/container-base --- lxc-1.0.8/config/apparmor/abstractions/container-base 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/apparmor/abstractions/container-base 2016-11-23 19:10:02.000000000 +0000 
@@ -57,11 +57,16 @@ mount fstype=mqueue, # allow fuse mounts everywhere + mount fstype=fuse, mount fstype=fuse.*, # allow bind mount of /lib/init/fstab for lxcguest mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/, + # allow bind mounts of /run/{,lock} to /var/run/{,lock} + mount options=(rw, bind) /run/ -> /var/run/, + mount options=(rw, bind) /run/lock/ -> /var/lock/, + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, deny @{PROC}/sys/fs/** wklx, @@ -83,6 +88,7 @@ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, + mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, diff -Nru lxc-1.0.8/config/apparmor/abstractions/container-base.in lxc-1.0.9/config/apparmor/abstractions/container-base.in --- lxc-1.0.8/config/apparmor/abstractions/container-base.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/apparmor/abstractions/container-base.in 2016-11-23 19:10:02.000000000 +0000 @@ -57,11 +57,16 @@ mount fstype=mqueue, # allow fuse mounts everywhere + mount fstype=fuse, mount fstype=fuse.*, # allow bind mount of /lib/init/fstab for lxcguest mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/, + # allow bind mounts of /run/{,lock} to /var/run/{,lock} + mount options=(rw, bind) /run/ -> /var/run/, + mount options=(rw, bind) /run/lock/ -> /var/lock/, + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, deny @{PROC}/sys/fs/** wklx, 
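Review bot: The added comment `# allow bind mounts of /run/{,lock} to /var/run/{,lock}` does not match the second rule beneath it, which binds `/run/lock/` onto `/var/lock/`, not `/var/run/lock/`. Since people audit this policy by its comments, I would word it as `# allow bind mounts of /run/ -> /var/run/ and /run/lock/ -> /var/lock/`. The identical comment is added in the container-base.in hunk further along this line and needs the same correction.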
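Review bot: The new `mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` rule has no comment, and it is the one rule in this hunk that lets a confined task remount /sys read-write. If any container configuration relies on a read-only /sys, this rule would appear to let root inside the container undo that, so it is worth confirming that read-only sysfs setups do not depend on this profile to stay read-only. The `deny /sys/firmware/efi/efivars/**` and `deny /sys/kernel/security/**` lines below it are unchanged. Please add a line above the rule naming the guest component that needs it, for example `# allow /sys to be remounted rw,nosuid,nodev,noexec (needed by <guest component>)`. The same rule is added in the second container-base.in hunk on the following line.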
@@ -83,6 +88,7 @@ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, + mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, diff -Nru lxc-1.0.8/config/apparmor/abstractions/start-container lxc-1.0.9/config/apparmor/abstractions/start-container --- lxc-1.0.8/config/apparmor/abstractions/start-container 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/apparmor/abstractions/start-container 2016-11-23 19:10:02.000000000 +0000 @@ -15,6 +15,7 @@ mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, mount options=bind /dev/pts/** -> /dev/**, mount options=(rw, make-slave) -> **, + mount options=(rw, make-rslave) -> **, mount fstype=debugfs, # allow pre-mount hooks to stage mounts under /var/lib/lxc// mount -> /var/lib/lxc/{**,}, diff -Nru lxc-1.0.8/config/apparmor/lxc-generate-aa-rules.py lxc-1.0.9/config/apparmor/lxc-generate-aa-rules.py --- lxc-1.0.8/config/apparmor/lxc-generate-aa-rules.py 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/apparmor/lxc-generate-aa-rules.py 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import sys diff -Nru lxc-1.0.8/config/apparmor/Makefile.am lxc-1.0.9/config/apparmor/Makefile.am --- lxc-1.0.8/config/apparmor/Makefile.am 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/apparmor/Makefile.am 2016-11-23 19:10:02.000000000 +0000 
@@ -17,13 +17,13 @@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ - $(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ - $(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ - $(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ - $(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ - $(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ - $(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/ - $(INSTALL_DATA) usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/ + $(INSTALL_DATA) $(srcdir)/abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ + $(INSTALL_DATA) $(srcdir)/abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ + $(INSTALL_DATA) $(srcdir)/profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ + $(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ + $(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ + $(INSTALL_DATA) $(srcdir)/lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/ + $(INSTALL_DATA) $(srcdir)/usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/ uninstall-apparmor: rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start diff -Nru lxc-1.0.8/config/apparmor/Makefile.in lxc-1.0.9/config/apparmor/Makefile.in --- lxc-1.0.8/config/apparmor/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/apparmor/Makefile.in 2016-11-23 19:10:06.000000000 +0000 
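Review bot: Prefixing every `$(INSTALL_DATA)` source with `$(srcdir)/` is right only if none of these files is ever produced in the build tree. This diff changes both `abstractions/container-base` and `abstractions/container-base.in` identically, which suggests container-base is derived from the .in file. If a build step regenerates it under the build directory, an out-of-tree install would now pick up the shipped copy and install stale AppArmor policy. The generation rule is not visible in this hunk, so please confirm where container-base is written. If it is only regenerated by the maintainer in the source tree, a one-line comment above the recipe would settle it, such as `# profiles are shipped pre-generated; always install from $(srcdir)`.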
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,12 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/apparmor -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -108,6 +118,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -224,6 +235,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -262,6 +274,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -298,7 +311,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/apparmor/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/apparmor/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -387,8 +399,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@ENABLE_APPARMOR_FALSE@uninstall-local: @ENABLE_APPARMOR_FALSE@install-data-local: +@ENABLE_APPARMOR_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic mostlyclean-am 
@@ -468,18 +480,20 @@ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am uninstall-local +.PRECIOUS: Makefile + @ENABLE_APPARMOR_TRUE@install-apparmor: @ENABLE_APPARMOR_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/ @ENABLE_APPARMOR_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ @ENABLE_APPARMOR_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/ -@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/ +@ENABLE_APPARMOR_TRUE@ $(INSTALL_DATA) $(srcdir)/usr.bin.lxc-start 
$(DESTDIR)$(sysconfdir)/apparmor.d/ @ENABLE_APPARMOR_TRUE@uninstall-apparmor: @ENABLE_APPARMOR_TRUE@ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start diff -Nru lxc-1.0.8/config/bash/lxc lxc-1.0.9/config/bash/lxc --- lxc-1.0.8/config/bash/lxc 2015-11-09 22:49:28.000000000 +0000 +++ lxc-1.0.9/config/bash/lxc 2016-11-23 19:11:17.000000000 +0000 @@ -1,4 +1,4 @@ -have lxc-start && { +_have lxc-start && { _lxc_names() { COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) ) } diff -Nru lxc-1.0.8/config/bash/lxc.in lxc-1.0.9/config/bash/lxc.in --- lxc-1.0.8/config/bash/lxc.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/bash/lxc.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,4 @@ -have lxc-start && { +_have lxc-start && { _lxc_names() { COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) ) } diff -Nru lxc-1.0.8/config/bash/Makefile.am lxc-1.0.9/config/bash/Makefile.am --- lxc-1.0.8/config/bash/Makefile.am 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/bash/Makefile.am 2016-11-23 19:10:02.000000000 +0000 @@ -1,14 +1,5 @@ EXTRA_DIST = lxc if ENABLE_BASH -install-bash: - $(MKDIR_P) $(DESTDIR)$(sysconfdir)/bash_completion.d/ - $(INSTALL_DATA) lxc $(DESTDIR)$(sysconfdir)/bash_completion.d/ - -uninstall-bash: - rm -f $(DESTDIR)$(sysconfdir)/bash_completion.d/lxc - rmdir $(DESTDIR)$(sysconfdir)/bash_completion.d/ || : - -install-data-local: install-bash -uninstall-local: uninstall-bash +dist_bashcomp_DATA = lxc endif diff -Nru lxc-1.0.8/config/bash/Makefile.in lxc-1.0.9/config/bash/Makefile.in --- lxc-1.0.8/config/bash/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/bash/Makefile.in 2016-11-23 19:10:06.000000000 +0000 
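Review bot: The guard `_have lxc-start && {` now depends on an underscore-prefixed helper from the bash-completion package rather than on anything this file defines. If the file is sourced where `_have` is not defined (presumably an older bash-completion, or none loaded), the guard fails with a command-not-found error and no completions are registered. A self-contained test removes that coupling: `command -v lxc-start >/dev/null 2>&1 && {`. The same one-line change is made to config/bash/lxc.in in the next hunk on this line. The guarded block continues past the end of both hunks.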
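Review bot: With `dist_bashcomp_DATA = lxc` the install location is now `$(bashcompdir)`, which is set outside this hunk. The generated rule in config/bash/Makefile.in does `test -n "$(bashcompdir)" || list=`, so an empty value makes `make install` skip the completion file without any message. Please confirm that configure always gives `bashcompdir` a non-empty value whenever `ENABLE_BASH` is true. Separately, `EXTRA_DIST = lxc` is now redundant with the `dist_` prefix. As `lxc` appears to be a config.status output of `lxc.in` (it is listed under `CONFIG_CLEAN_FILES` in the Makefile.in section), `bashcomp_DATA = lxc` without `EXTRA_DIST` would avoid shipping a configure-generated file in the tarball.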
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -13,8 +13,19 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,13 +89,13 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/bash -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_bashcomp_DATA_DIST) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc 
@@ -108,7 +119,38 @@ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +am__dist_bashcomp_DATA_DIST = lxc +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(bashcompdir)" +DATA = $(dist_bashcomp_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -225,6 +267,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -263,6 +306,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -272,6 +316,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ EXTRA_DIST = lxc +@ENABLE_BASH_TRUE@dist_bashcomp_DATA = lxc all: all-am .SUFFIXES: @@ -287,7 +332,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/bash/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/bash/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -307,6 +351,27 @@ $(am__aclocal_m4_deps): lxc: $(top_builddir)/config.status $(srcdir)/lxc.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +install-dist_bashcompDATA: $(dist_bashcomp_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_bashcomp_DATA)'; test -n "$(bashcompdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(bashcompdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(bashcompdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(bashcompdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(bashcompdir)" || exit $$?; \ + done + +uninstall-dist_bashcompDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_bashcomp_DATA)'; test -n "$(bashcompdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(bashcompdir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: @@ -346,8 +411,11 @@ done check-am: all-am check: check-am -all-am: Makefile +all-am: Makefile $(DATA) installdirs: + for dir in "$(DESTDIR)$(bashcompdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: install-am install-exec: install-exec-am install-data: install-data-am 
@@ -378,8 +446,6 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@ENABLE_BASH_FALSE@install-data-local: -@ENABLE_BASH_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic mostlyclean-am @@ -400,7 +466,7 @@ info-am: -install-data-am: install-data-local +install-data-am: install-dist_bashcompDATA install-dvi: install-dvi-am 
@@ -444,32 +510,24 @@ ps-am: -uninstall-am: uninstall-local +uninstall-am: uninstall-dist_bashcompDATA .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ - install-data-am install-data-local install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ - pdf-am ps ps-am tags-am uninstall uninstall-am uninstall-local - - -@ENABLE_BASH_TRUE@install-bash: -@ENABLE_BASH_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/bash_completion.d/ -@ENABLE_BASH_TRUE@ $(INSTALL_DATA) lxc $(DESTDIR)$(sysconfdir)/bash_completion.d/ - -@ENABLE_BASH_TRUE@uninstall-bash: -@ENABLE_BASH_TRUE@ rm -f $(DESTDIR)$(sysconfdir)/bash_completion.d/lxc -@ENABLE_BASH_TRUE@ rmdir $(DESTDIR)$(sysconfdir)/bash_completion.d/ || : + install-data-am install-dist_bashcompDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-dist_bashcompDATA + +.PRECIOUS: Makefile -@ENABLE_BASH_TRUE@install-data-local: install-bash -@ENABLE_BASH_TRUE@uninstall-local: uninstall-bash # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff -Nru lxc-1.0.8/config/compile lxc-1.0.9/config/compile --- lxc-1.0.8/config/compile 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/config/compile 2016-11-23 19:10:05.000000000 +0000 @@ -3,7 +3,7 @@ scriptversion=2012-10-14.11; # UTC -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify diff -Nru lxc-1.0.8/config/config.guess lxc-1.0.9/config/config.guess --- lxc-1.0.8/config/config.guess 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/config/config.guess 2016-11-23 19:10:05.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2013 Free Software Foundation, Inc. +# Copyright 1992-2015 Free Software Foundation, Inc. -timestamp='2013-06-10' +timestamp='2015-08-20' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -24,12 +24,12 @@ # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # -# Originally written by Per Bothner. +# Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # -# Please send patches with a ChangeLog entry to config-patches@gnu.org. +# Please send patches to . me=`echo "$0" | sed -e 's,.*/,,'` @@ -50,7 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2015 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -149,7 +149,7 @@ LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac @@ -168,20 +168,27 @@ # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" - UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + /sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || \ + echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; + earmv*) + arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` + machine=${arch}${endian}-unknown + ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in - arm*|i386|m68k|ns32k|sh3*|sparc|vax) + arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ @@ -197,6 +204,13 @@ os=netbsd ;; esac + # Determine ABI tags. + case "${UNAME_MACHINE_ARCH}" in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` + ;; + esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need 
@@ -207,13 +221,13 @@ release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}" + echo "${machine}-${os}${release}${abi}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` @@ -235,6 +249,9 @@ *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; + *:Sortix:*:*) + echo ${UNAME_MACHINE}-unknown-sortix + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) @@ -579,8 +596,9 @@ else IBM_ARCH=powerpc fi - if [ -x /usr/bin/oslevel ] ; then - IBM_REV=`/usr/bin/oslevel` + if [ -x /usr/bin/lslpp ] ; then + IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | + awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi @@ -826,7 +844,7 @@ *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; - i*:MSYS*:*) + *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) @@ -932,6 +950,9 @@ crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; + e2k:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -969,10 +990,10 @@ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; - or1k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} exit ;; - or32:Linux:*:*) + or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) 
@@ -1020,7 +1041,7 @@ echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} @@ -1260,16 +1281,26 @@ if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub + # that puts up a graphical alert prompting to install + # developer tools. Any system running Mac OS X 10.7 or + # later (Darwin 11 and later) is required to have a 64-bit + # processor. This is not true of the ARM version of Darwin + # that Apple uses in portable devices. + UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; 
@@ -1361,154 +1392,6 @@ exit ;; esac -eval $set_cc_for_build -cat >$dummy.c < -# include -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... */ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix\n"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - if (version < 4) - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - else - printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) - printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -# if !defined (ultrix) -# include -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && - { echo "$SYSTEM_NAME"; exit; } - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit ;; - c34*) - echo c34-convex-bsd - exit ;; - c38*) - echo c38-convex-bsd - exit ;; - c4*) - echo c4-convex-bsd - exit ;; - esac -fi - cat >&2 <. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. @@ -68,7 +68,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2015 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -117,7 +117,7 @@ case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | \ + knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os @@ -255,16 +255,18 @@ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ + | ba \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ - | epiphany \ - | fido | fr30 | frv \ + | e2k | epiphany \ + | fido | fr30 | frv | ft32 \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ @@ -282,8 +284,10 @@ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ @@ -295,14 +299,14 @@ | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ - | open8 \ - | or1k | or32 \ + | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ + | riscv32 | riscv64 \ | rl78 | rx \ | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ 
@@ -310,6 +314,7 @@ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ + | visium \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) @@ -324,7 +329,10 @@ c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + leon|leon[3-9]) + basic_machine=sparc-$basic_machine + ;; + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -369,18 +377,20 @@ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | ba-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ - | elxsi-* \ + | e2k-* | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ @@ -400,8 +410,10 @@ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ 
@@ -413,16 +425,18 @@ | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ + | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ + | riscv32-* | riscv64-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ @@ -430,6 +444,7 @@ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ + | visium-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ @@ -506,6 +521,9 @@ basic_machine=i386-pc os=-aros ;; + asmjs) + basic_machine=asmjs-unknown + ;; aux) basic_machine=m68k-apple os=-aux @@ -767,6 +785,9 @@ basic_machine=m68k-isi os=-sysv ;; + leon-*|leon[3-9]-*) + basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'` + ;; m68knommu) basic_machine=m68k-unknown os=-linux @@ -822,6 +843,10 @@ basic_machine=powerpc-unknown os=-morphos ;; + moxiebox) + basic_machine=moxie-unknown + os=-moxiebox + ;; msdos) basic_machine=i386-pc os=-msdos @@ -1354,7 +1379,7 @@ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* | -aros* \ + | -aos* | -aros* | -cloudabi* | -sortix* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ 
@@ -1367,14 +1392,14 @@ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ + | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1592,9 +1617,6 @@ mips*-*) os=-elf ;; - or1k-*) - os=-elf - ;; or32-*) os=-coff ;; diff -Nru lxc-1.0.8/config/depcomp lxc-1.0.9/config/depcomp --- lxc-1.0.8/config/depcomp 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/depcomp 2016-11-23 19:10:06.000000000 +0000 @@ -3,7 +3,7 @@ scriptversion=2013-05-30.07; # UTC -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff -Nru lxc-1.0.8/config/etc/Makefile.in lxc-1.0.9/config/etc/Makefile.in --- lxc-1.0.8/config/etc/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/etc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,12 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/etc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = default.conf @@ -138,6 +148,7 @@ am__installdirs = "$(DESTDIR)$(configdir)" DATA = $(config_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -254,6 +265,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -292,6 +304,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -318,7 +331,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/etc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/etc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -511,6 +523,8 @@ mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \ uninstall-am uninstall-configDATA +.PRECIOUS: Makefile + distclean-local: @$(RM) -f default.conf diff -Nru lxc-1.0.8/config/init/Makefile.in lxc-1.0.9/config/init/Makefile.in --- lxc-1.0.8/config/init/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/init/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -78,12 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/init -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -143,6 +153,7 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -284,6 +295,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -322,6 +334,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -346,7 +359,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/init/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/init/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -634,6 +646,8 @@ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/config/init/systemd/lxc.service lxc-1.0.9/config/init/systemd/lxc.service --- lxc-1.0.8/config/init/systemd/lxc.service 2015-11-09 22:49:28.000000000 +0000 +++ lxc-1.0.9/config/init/systemd/lxc.service 2016-11-23 19:11:18.000000000 +0000 
@@ -1,6 +1,6 @@ [Unit] Description=LXC Container Initialization and Autoboot Code -After=syslog.target network.target +After=network.target [Service] Type=oneshot diff -Nru lxc-1.0.8/config/init/systemd/lxc.service.in lxc-1.0.9/config/init/systemd/lxc.service.in --- lxc-1.0.8/config/init/systemd/lxc.service.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/init/systemd/lxc.service.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,6 +1,6 @@ [Unit] Description=LXC Container Initialization and Autoboot Code -After=syslog.target network.target +After=network.target [Service] Type=oneshot diff -Nru lxc-1.0.8/config/init/systemd/Makefile.in lxc-1.0.9/config/init/systemd/Makefile.in --- lxc-1.0.8/config/init/systemd/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/init/systemd/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -79,13 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/init/systemd -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc.service.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc.service @@ -139,6 +148,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc.service.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -255,6 +265,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -293,6 +304,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -324,7 +336,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/init/systemd/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/init/systemd/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -456,8 +467,8 @@ @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -@INIT_SCRIPT_SYSTEMD_FALSE@install-data-local: @INIT_SCRIPT_SYSTEMD_FALSE@uninstall-local: +@INIT_SCRIPT_SYSTEMD_FALSE@install-data-local: clean: clean-am clean-am: clean-generic mostlyclean-am 
@@ -539,6 +550,8 @@ uninstall uninstall-am uninstall-local \ uninstall-pkglibexecSCRIPTS +.PRECIOUS: Makefile + @INIT_SCRIPT_SYSTEMD_TRUE@lxc-autostart-helper: ../sysvinit/lxc.in $(top_builddir)/config.status @INIT_SCRIPT_SYSTEMD_TRUE@ $(AM_V_GEN)sed \ diff -Nru lxc-1.0.8/config/init/sysvinit/Makefile.in lxc-1.0.9/config/init/sysvinit/Makefile.in --- lxc-1.0.8/config/init/sysvinit/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/init/sysvinit/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,13 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/init/sysvinit -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc 
@@ -109,6 +118,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -225,6 +235,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -263,6 +274,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -287,7 +299,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/init/sysvinit/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/init/sysvinit/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -459,6 +470,8 @@ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am uninstall-local +.PRECIOUS: Makefile + @INIT_SCRIPT_SYSV_TRUE@install-sysvinit: lxc @INIT_SCRIPT_SYSV_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/rc.d/init.d diff -Nru lxc-1.0.8/config/init/upstart/Makefile.am lxc-1.0.9/config/init/upstart/Makefile.am --- lxc-1.0.8/config/init/upstart/Makefile.am 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/config/init/upstart/Makefile.am 2016-11-23 19:10:02.000000000 +0000 
@@ -4,7 +4,7 @@ install-upstart: lxc.conf lxc-instance.conf lxc-net.conf $(MKDIR_P) $(DESTDIR)$(sysconfdir)/init/ $(INSTALL_DATA) lxc.conf $(DESTDIR)$(sysconfdir)/init/ - $(INSTALL_DATA) lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/ + $(INSTALL_DATA) $(srcdir)/lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/ $(INSTALL_DATA) lxc-net.conf $(DESTDIR)$(sysconfdir)/init/ uninstall-upstart: diff -Nru lxc-1.0.8/config/init/upstart/Makefile.in lxc-1.0.9/config/init/upstart/Makefile.in --- lxc-1.0.8/config/init/upstart/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/init/upstart/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
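Review bot: In `install-upstart`, only the `lxc-instance.conf` install line now reads from `$(srcdir)/`, while the prerequisite list and the `lxc.conf` / `lxc-net.conf` install lines keep bare names, and nothing in the rule says why the three files are treated differently. Presumably `lxc-instance.conf` is a static file shipped in the source tree and the other two are produced in the build directory, so the prefix is what an out-of-tree build needs; the hunk does not show this, so it should be confirmed. I would add a comment above the `install-upstart:` rule, `# lxc-instance.conf is not generated; install it from $(srcdir) so out-of-tree (VPATH) builds find it`, so that a later cleanup neither drops the prefix nor copies it onto the generated files. The `uninstall-upstart:` rule starts on the hunk's last line and its body is outside the hunk.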
@@ -78,12 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/init/upstart -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -108,6 +118,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -224,6 +235,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -262,6 +274,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -286,7 +299,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/init/upstart/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/init/upstart/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -375,8 +387,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@INIT_SCRIPT_UPSTART_FALSE@install-data-local: @INIT_SCRIPT_UPSTART_FALSE@uninstall-local: +@INIT_SCRIPT_UPSTART_FALSE@install-data-local: clean: clean-am clean-am: clean-generic mostlyclean-am 
@@ -456,11 +468,13 @@ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am uninstall-local +.PRECIOUS: Makefile + @INIT_SCRIPT_UPSTART_TRUE@install-upstart: lxc.conf lxc-instance.conf lxc-net.conf @INIT_SCRIPT_UPSTART_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/init/ @INIT_SCRIPT_UPSTART_TRUE@ $(INSTALL_DATA) lxc.conf $(DESTDIR)$(sysconfdir)/init/ -@INIT_SCRIPT_UPSTART_TRUE@ $(INSTALL_DATA) lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/ +@INIT_SCRIPT_UPSTART_TRUE@ $(INSTALL_DATA) $(srcdir)/lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/ @INIT_SCRIPT_UPSTART_TRUE@ $(INSTALL_DATA) lxc-net.conf $(DESTDIR)$(sysconfdir)/init/ @INIT_SCRIPT_UPSTART_TRUE@uninstall-upstart: diff -Nru lxc-1.0.8/config/install-sh lxc-1.0.9/config/install-sh --- lxc-1.0.8/config/install-sh 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/config/install-sh 2016-11-23 19:10:05.000000000 +0000 @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2011-11-20.07; # UTC +scriptversion=2014-09-12.12; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -41,19 +41,15 @@ # This script is compatible with the BSD install script, but was written # from scratch. +tab=' ' nl=' ' -IFS=" "" $nl" +IFS=" $tab$nl" -# set DOITPROG to echo to test this script +# Set DOITPROG to "echo" to test this script. -# Don't use :- since 4.3BSD and earlier shells don't like it. doit=${DOITPROG-} -if test -z "$doit"; then - doit_exec=exec -else - doit_exec=$doit -fi +doit_exec=${doit:-exec} # Put in absolute file names if you don't have them in your path; # or use environment vars. 
@@ -68,17 +64,6 @@ rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} -posix_glob='?' -initialize_posix_glob=' - test "$posix_glob" != "?" || { - if (set -f) 2>/dev/null; then - posix_glob= - else - posix_glob=: - fi - } -' - posix_mkdir= # Desired mode of installed file. @@ -97,7 +82,7 @@ dst_arg= copy_on_change=false -no_target_directory= +is_target_a_directory=possibly usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE @@ -137,46 +122,57 @@ -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" - shift;; + shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 - case $mode in - *' '* | *' '* | *' -'* | *'*'* | *'?'* | *'['*) - echo "$0: invalid mode: $mode" >&2 - exit 1;; - esac - shift;; + case $mode in + *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + shift;; -o) chowncmd="$chownprog $2" - shift;; + shift;; -s) stripcmd=$stripprog;; - -t) dst_arg=$2 - # Protect names problematic for 'test' and other utilities. - case $dst_arg in - -* | [=\(\)!]) dst_arg=./$dst_arg;; - esac - shift;; + -t) + is_target_a_directory=always + dst_arg=$2 + # Protect names problematic for 'test' and other utilities. + case $dst_arg in + -* | [=\(\)!]) dst_arg=./$dst_arg;; + esac + shift;; - -T) no_target_directory=true;; + -T) is_target_a_directory=never;; --version) echo "$0 $scriptversion"; exit $?;; - --) shift - break;; + --) shift + break;; - -*) echo "$0: invalid option: $1" >&2 - exit 1;; + -*) echo "$0: invalid option: $1" >&2 + exit 1;; *) break;; esac shift done +# We allow the use of options -d and -T together, by making -d +# take the precedence; this is for compatibility with GNU install. + +if test -n "$dir_arg"; then + if test -n "$dst_arg"; then + echo "$0: target directory not allowed when installing a directory." >&2 + exit 1 + fi +fi + if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. 
@@ -208,6 +204,15 @@ fi if test -z "$dir_arg"; then + if test $# -gt 1 || test "$is_target_a_directory" = always; then + if test ! -d "$dst_arg"; then + echo "$0: $dst_arg: Is not a directory." >&2 + exit 1 + fi + fi +fi + +if test -z "$dir_arg"; then do_exit='(exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 @@ -223,16 +228,16 @@ *[0-7]) if test -z "$stripcmd"; then - u_plus_rw= + u_plus_rw= else - u_plus_rw='% 200' + u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then - u_plus_rw= + u_plus_rw= else - u_plus_rw=,u+rw + u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac @@ -269,41 +274,15 @@ # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then - if test -n "$no_target_directory"; then - echo "$0: $dst_arg: Is a directory" >&2 - exit 1 + if test "$is_target_a_directory" = never; then + echo "$0: $dst_arg: Is a directory" >&2 + exit 1 fi dstdir=$dst dst=$dstdir/`basename "$src"` dstdir_status=0 else - # Prefer dirname, but fall back on a substitute if dirname fails. - dstdir=` - (dirname "$dst") 2>/dev/null || - expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$dst" : 'X\(//\)[^/]' \| \ - X"$dst" : 'X\(//\)$' \| \ - X"$dst" : 'X\(/\)' \| . 2>/dev/null || - echo X"$dst" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q' - ` - + dstdir=`dirname "$dst"` test -d "$dstdir" dstdir_status=$? fi 
@@ -314,74 +293,81 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *[2367][2367]) mkdir_umask=$umask;; - .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; - - *[0-7]) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - - # With -d, create the new directory with the user-specified mode. - # Otherwise, rely on $mkdir_umask. - if test -n "$dir_arg"; then - mkdir_mode=-m$mode - else - mkdir_mode= - fi - - posix_mkdir=false - case $umask in - *[123567][0-7][0-7]) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 - - if (umask $mkdir_umask && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - ls_ld_tmpdir=`ls -ld "$tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/d" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null - fi - trap '' 0;; - esac;; + # Create intermediate dirs using mode 755 as modified by the umask. + # This is like FreeBSD 'install' as of 1997-10-28. 
+ umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. + *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. + if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi + + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + # $RANDOM is not portable (e.g. dash); use it when possible to + # lower collision chance + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 + + # As "mkdir -p" follows symlinks and we work in /tmp possibly; so + # create the $tmpdir first (and fail if unsuccessful) to make sure + # that nobody tries to guess the $tmpdir name. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. 
+ rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; + esac;; esac if $posix_mkdir && ( - umask $mkdir_umask && - $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else 
@@ -391,53 +377,51 @@ # directory the slow way, step by step, checking for races as we go. case $dstdir in - /*) prefix='/';; - [-=\(\)!]*) prefix='./';; - *) prefix='';; + /*) prefix='/';; + [-=\(\)!]*) prefix='./';; + *) prefix='';; esac - eval "$initialize_posix_glob" - oIFS=$IFS IFS=/ - $posix_glob set -f + set -f set fnord $dstdir shift - $posix_glob set +f + set +f IFS=$oIFS prefixes= for d do - test X"$d" = X && continue + test X"$d" = X && continue - prefix=$prefix$d - if test -d "$prefix"; then - prefixes= - else - if $posix_mkdir; then - (umask=$mkdir_umask && - $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break - # Don't fail if two instances are running concurrently. - test -d "$prefix" || exit 1 - else - case $prefix in - *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; - *) qprefix=$prefix;; - esac - prefixes="$prefixes '$qprefix'" - fi - fi - prefix=$prefix/ + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ done if test -n "$prefixes"; then - # Don't fail if two instances are running concurrently. - (umask $mkdir_umask && - eval "\$doit_exec \$mkdirprog $prefixes") || - test -d "$dstdir" || exit 1 - obsolete_mkdir_used=true + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true fi fi fi 
@@ -472,15 +456,12 @@ # If -C, don't bother to copy if it wouldn't change the file. if $copy_on_change && - old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && - new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && - - eval "$initialize_posix_glob" && - $posix_glob set -f && + old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && + new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && + set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && - $posix_glob set +f && - + set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then 
@@ -493,24 +474,24 @@ # to itself, or perhaps because mv is so ancient that it does not # support -f. { - # Now remove or move aside any old file at destination location. - # We try this two ways since rm can't unlink itself on some - # systems and the destination file might be busy for other - # reasons. In this case, the final cleanup might fail but the new - # file should still install successfully. - { - test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || - { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } - } || - { echo "$0: cannot unlink or rename $dst" >&2 - (exit 1); exit 1 - } - } && + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + test ! -f "$dst" || + $doit $rmcmd -f "$dst" 2>/dev/null || + { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && + { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + } || + { echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + } && - # Now rename the file to the real destination. - $doit $mvcmd "$dsttmp" "$dst" + # Now rename the file to the real destination. + $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 diff -Nru lxc-1.0.8/config/Makefile.in lxc-1.0.9/config/Makefile.in --- lxc-1.0.8/config/Makefile.in 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/config/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,13 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am compile \ - config.guess config.sub install-sh missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -144,6 +153,8 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) +am__DIST_COMMON = $(srcdir)/Makefile.in compile config.guess \ + config.sub install-sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -285,6 +296,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -323,6 +335,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -347,7 +360,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -635,6 +647,8 @@ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/config/missing lxc-1.0.9/config/missing --- lxc-1.0.8/config/missing 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/config/missing 2016-11-23 19:10:05.000000000 +0000 @@ -3,7 +3,7 @@ scriptversion=2013-10-28.13; # UTC -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify diff -Nru lxc-1.0.8/config/selinux/Makefile.in lxc-1.0.9/config/selinux/Makefile.in --- lxc-1.0.8/config/selinux/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/selinux/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -79,12 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/selinux -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -138,6 +148,7 @@ am__installdirs = "$(DESTDIR)$(selinuxdir)" DATA = $(selinux_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -254,6 +265,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -292,6 +304,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -323,7 +336,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/selinux/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/selinux/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -516,6 +528,8 @@ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-selinuxDATA +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/config/templates/Makefile.in lxc-1.0.9/config/templates/Makefile.in --- lxc-1.0.8/config/templates/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/templates/Makefile.in 2016-11-23 19:10:06.000000000 +0000 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -79,29 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/templates -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/centos.common.conf.in \ - $(srcdir)/centos.userns.conf.in \ - $(srcdir)/debian.common.conf.in \ - $(srcdir)/debian.userns.conf.in \ - $(srcdir)/fedora.common.conf.in \ - $(srcdir)/fedora.userns.conf.in \ - $(srcdir)/gentoo.common.conf.in \ - $(srcdir)/gentoo.moresecure.conf.in \ - $(srcdir)/gentoo.userns.conf.in $(srcdir)/nesting.conf.in \ - $(srcdir)/oracle.common.conf.in \ - $(srcdir)/oracle.userns.conf.in $(srcdir)/plamo.common.conf.in \ - $(srcdir)/plamo.userns.conf.in \ - $(srcdir)/ubuntu-cloud.common.conf.in \ - $(srcdir)/ubuntu-cloud.lucid.conf.in \ - $(srcdir)/ubuntu-cloud.userns.conf.in \ - $(srcdir)/ubuntu.common.conf.in $(srcdir)/ubuntu.lucid.conf.in \ - $(srcdir)/ubuntu.userns.conf.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = centos.common.conf centos.userns.conf \ 
@@ -162,6 +155,24 @@ am__installdirs = "$(DESTDIR)$(templatesconfigdir)" DATA = $(templatesconfig_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(srcdir)/centos.common.conf.in \ + $(srcdir)/centos.userns.conf.in \ + $(srcdir)/debian.common.conf.in \ + $(srcdir)/debian.userns.conf.in \ + $(srcdir)/fedora.common.conf.in \ + $(srcdir)/fedora.userns.conf.in \ + $(srcdir)/gentoo.common.conf.in \ + $(srcdir)/gentoo.moresecure.conf.in \ + $(srcdir)/gentoo.userns.conf.in $(srcdir)/nesting.conf.in \ + $(srcdir)/oracle.common.conf.in \ + $(srcdir)/oracle.userns.conf.in $(srcdir)/plamo.common.conf.in \ + $(srcdir)/plamo.userns.conf.in \ + $(srcdir)/ubuntu-cloud.common.conf.in \ + $(srcdir)/ubuntu-cloud.lucid.conf.in \ + $(srcdir)/ubuntu-cloud.userns.conf.in \ + $(srcdir)/ubuntu.common.conf.in $(srcdir)/ubuntu.lucid.conf.in \ + $(srcdir)/ubuntu.userns.conf.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -278,6 +289,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -316,6 +328,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -364,7 +377,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/templates/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/templates/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -597,6 +609,8 @@ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags-am \ uninstall uninstall-am uninstall-templatesconfigDATA +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/config/yum/Makefile.in lxc-1.0.9/config/yum/Makefile.in --- lxc-1.0.8/config/yum/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/config/yum/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,12 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = config/yum -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = 
@@ -138,6 +148,7 @@ am__installdirs = "$(DESTDIR)$(yumpluginsdir)" DATA = $(yumplugins_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -254,6 +265,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -292,6 +304,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -320,7 +333,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu config/yum/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu config/yum/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -513,6 +525,8 @@ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-yumpluginsDATA +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/configure lxc-1.0.9/configure --- lxc-1.0.8/configure 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/configure 2016-11-23 19:10:05.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for lxc 1.0.8. +# Generated by GNU Autoconf 2.69 for lxc 1.0.9. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='lxc' PACKAGE_TARNAME='lxc' -PACKAGE_VERSION='1.0.8' -PACKAGE_STRING='lxc 1.0.8' +PACKAGE_VERSION='1.0.9' +PACKAGE_STRING='lxc 1.0.9' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -658,6 +658,7 @@ USE_CONFIGPATH_LOGS_TRUE ENABLE_TESTS_FALSE ENABLE_TESTS_TRUE +bashcompdir ENABLE_BASH_FALSE ENABLE_BASH_TRUE LUA_SHAREDIR 
@@ -811,6 +812,7 @@ docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -889,7 +891,8 @@ PYTHON LUA_CFLAGS LUA_LIBS -LUA_VERSION' +LUA_VERSION +bashcompdir' # Initialize some variables set by options. @@ -928,6 +931,7 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1180,6 +1184,15 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1317,7 +1330,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1430,7 +1443,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures lxc 1.0.8 to adapt to many kinds of systems. +\`configure' configures lxc 1.0.9 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1470,6 +1483,7 @@ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1500,7 +1514,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of lxc 1.0.8:";; + short | recursive ) echo "Configuration of lxc 1.0.9:";; esac cat <<\_ACEOF @@ -1591,6 +1605,8 @@ LUA_CFLAGS C compiler flags for LUA, overriding pkg-config LUA_LIBS linker flags for LUA, overriding pkg-config LUA_VERSION value of V for $LUAPKGCONFIG, overriding pkg-config + bashcompdir value of completionsdir for bash-completion, overriding + pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. @@ -1658,7 +1674,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -lxc configure 1.0.8 +lxc configure 1.0.9 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2123,7 +2139,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by lxc $as_me 1.0.8, which was +It was created by lxc $as_me 1.0.9, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2594,7 +2610,7 @@ fi fi -LXC_VERSION_BASE=1.0.8 +LXC_VERSION_BASE=1.0.9 @@ -2602,9 +2618,9 @@ LXC_VERSION_MINOR=0 -LXC_VERSION_MICRO=8 +LXC_VERSION_MICRO=9 -LXC_VERSION=1.0.8 +LXC_VERSION=1.0.9 
@@ -2639,7 +2655,7 @@ ac_config_headers="$ac_config_headers src/config.h" -am__api_version='1.14' +am__api_version='1.15' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or @@ -2811,8 +2827,8 @@ ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in @@ -2831,7 +2847,7 @@ $as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;} fi -if test x"${install_sh}" != xset; then +if test x"${install_sh+set}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; @@ -3125,7 +3141,7 @@ # Define the identity of the package. PACKAGE='lxc' - VERSION='1.0.8' + VERSION='1.0.9' cat >>confdefs.h <<_ACEOF @@ -3159,8 +3175,8 @@ # mkdir_p='$(MKDIR_P)' -# We need awk for the "check" target. The system "awk" is bad on -# some platforms. +# We need awk for the "check" target (and possibly the TAP driver). The +# system "awk" is bad on some platforms. # Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AMTAR='$${TAR-tar}' @@ -3217,6 +3233,7 @@ as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 fi fi + # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 @@ -7051,7 +7068,6 @@ # shell variable SOURCE. -# PKG_CHECK_VAR # Lua module and scripts 
@@ -7795,7 +7811,8 @@ if test -z "$ENABLE_LUA_TRUE"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking Lua version" >&5 $as_echo_n "checking Lua version... " >&6; } - if test -n "$LUA_VERSION"; then + +if test -n "$LUA_VERSION"; then pkg_cv_LUA_VERSION="$LUA_VERSION" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ @@ -7812,9 +7829,11 @@ else pkg_failed=untried fi - LUA_VERSION=$pkg_cv_LUA_VERSION - if test "x$LUA_VERSION" = x""; then : - if test -n "$LUA_VERSION"; then +LUA_VERSION=$pkg_cv_LUA_VERSION + +if test "x$LUA_VERSION" = x""; then : + +if test -n "$LUA_VERSION"; then pkg_cv_LUA_VERSION="$LUA_VERSION" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ @@ -7831,8 +7850,9 @@ else pkg_failed=untried fi - LUA_VERSION=$pkg_cv_LUA_VERSION - if test "x$LUA_VERSION" = x""; then : +LUA_VERSION=$pkg_cv_LUA_VERSION + +if test "x$LUA_VERSION" = x""; then : fi fi 
@@ -7862,6 +7882,38 @@ fi +if test -z "$ENABLE_BASH_TRUE"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking bash completion directory" >&5 +$as_echo_n "checking bash completion directory... " >&6; } + +if test -n "$bashcompdir"; then + pkg_cv_bashcompdir="$bashcompdir" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"bash-completion\""; } >&5 + ($PKG_CONFIG --exists --print-errors "bash-completion") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_bashcompdir=`$PKG_CONFIG --variable="completionsdir" "bash-completion" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +bashcompdir=$pkg_cv_bashcompdir + +if test "x$bashcompdir" = x""; then : + bashcompdir="${sysconfdir}/bash_completion.d" +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $bashcompdir" >&5 +$as_echo "$bashcompdir" >&6; } + + +fi + # Optional test binaries # Check whether --enable-tests was given. if test "${enable_tests+set}" = set; then : @@ -8298,7 +8350,7 @@ EXP_VAR=LXC_GENERATE_DATE - FROM_VAR="$(date)" + FROM_VAR="$(date --utc --date=@${SOURCE_DATE_EPOCH:-$(date +%s)} '+%Y-%m-%d')" prefix_save=$prefix exec_prefix_save=$exec_prefix @@ -9819,7 +9871,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by lxc $as_me 1.0.8, which was +This file was extended by lxc $as_me 1.0.9, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -9889,7 +9941,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -lxc config.status 1.0.8 +lxc config.status 1.0.9 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru lxc-1.0.8/configure.ac lxc-1.0.9/configure.ac --- lxc-1.0.8/configure.ac 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/configure.ac 2016-11-23 19:10:02.000000000 +0000 @@ -3,7 +3,7 @@ m4_define([lxc_version_major], 1) m4_define([lxc_version_minor], 0) -m4_define([lxc_version_micro], 8) +m4_define([lxc_version_micro], 9) m4_define([lxc_version_beta], []) m4_define([lxc_version_base], [lxc_version_major.lxc_version_minor.lxc_version_micro]) @@ -413,6 +413,14 @@ [], [enable_bash=yes]) AM_CONDITIONAL([ENABLE_BASH], [test "x$enable_bash" = "xyes"]) +AM_COND_IF([ENABLE_BASH], + [AC_MSG_CHECKING([bash completion directory]) + PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], , + bashcompdir="${sysconfdir}/bash_completion.d") + AC_MSG_RESULT([$bashcompdir]) + AC_SUBST(bashcompdir) + ]) + # Optional test binaries AC_ARG_ENABLE([tests], [AC_HELP_STRING([--enable-tests], [build test/example binaries [default=no]])], @@ -502,7 +510,7 @@ AS_AC_EXPAND(DATADIR, "$datadir") AS_AC_EXPAND(LOCALSTATEDIR, "$localstatedir") AS_AC_EXPAND(DOCDIR, "$docdir") -AS_AC_EXPAND(LXC_GENERATE_DATE, "$(date)") +AS_AC_EXPAND(LXC_GENERATE_DATE, "$(date --utc --date=@${SOURCE_DATE_EPOCH:-$(date +%s)} '+%Y-%m-%d')") AS_AC_EXPAND(LXCPATH, "$with_config_path") AS_AC_EXPAND(LXC_GLOBAL_CONF, "$with_global_conf") AS_AC_EXPAND(LXC_USERNIC_CONF, "$with_usernic_conf") diff -Nru lxc-1.0.8/debian/changelog lxc-1.0.9/debian/changelog --- lxc-1.0.8/debian/changelog 2015-12-22 00:40:10.000000000 +0000 +++ lxc-1.0.9/debian/changelog 2017-01-27 00:52:44.000000000 +0000 
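Review bot: The value `PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ...)` returns is an absolute path read from the build host's bash-completion.pc, so it is not rooted at the configured `--prefix`, and the `@@ -413,6 +413,14 @@` hunk does not document that. The install rule is not part of this hunk, but an unprivileged or staged install with a custom prefix would presumably try to write the completion file into a system directory. The generated configure help already lists `bashcompdir` as an overridable variable, so a comment above the block would be enough: `# bashcompdir comes from pkg-config and may lie outside $prefix; pass bashcompdir=DIR to configure for unprivileged or staged installs`.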
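Review bot: The new `LXC_GENERATE_DATE` expansion in the `@@ -502,7 +510,7 @@` hunk uses GNU-only `date --utc --date=@N` syntax and never checks the command's exit status. On a build host whose `date` rejects that form (BSD `date` takes `-r N`), the substituted date would presumably be empty with no configure error, which undermines the reproducible-build intent of honouring `SOURCE_DATE_EPOCH`. The variable is also interpolated unquoted. Computing the date once with fallbacks and passing the result to `AS_AC_EXPAND` (a project macro whose definition is outside this hunk) keeps the output deterministic across `date` implementations.

```m4
# … unchanged: AS_AC_EXPAND(DOCDIR, "$docdir") …
lxc_date_fmt='+%Y-%m-%d'
lxc_epoch="${SOURCE_DATE_EPOCH:-$(date +%s)}"
lxc_generate_date=$(date -u -d "@$lxc_epoch" "$lxc_date_fmt" 2>/dev/null || date -u -r "$lxc_epoch" "$lxc_date_fmt" 2>/dev/null || date -u "$lxc_date_fmt")
AS_AC_EXPAND(LXC_GENERATE_DATE, "$lxc_generate_date")
```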
@@ -1,8 +1,138 @@ -lxc (1.0.8-0ubuntu0.3~ubuntu12.04.1) precise-backports; urgency=medium +lxc (1.0.9-0ubuntu2~ubuntu12.04.1) precise-backports; urgency=medium - * No-change backport to precise (LP: #1528403) + * No-change backport to precise (LP: #1647016) - -- Stéphane Graber Mon, 21 Dec 2015 19:40:10 -0500 + -- Stéphane Graber Thu, 26 Jan 2017 19:50:54 -0500 + +lxc (1.0.9-0ubuntu2) trusty; urgency=medium + + * Cherry-pick upstream bugfix (LP: #1647016): + - 0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch + + -- Stéphane Graber Wed, 04 Jan 2017 12:38:37 -0500 + +lxc (1.0.9-0ubuntu1) trusty; urgency=medium + + * New upstream bugfix release. (LP: #1647016) + - Security fix for CVE-2016-8649 + - utils: make detect_ramfs_rootfs() return bool + - tests: add test for detect_ramfs_rootfs() + - add Documentation entries to lxc and lxc@ units + - mark the python examples as having utf-8 encoding + - log: sanity check the returned value from snprintf() + - lxc-alpine: mount /dev/shm as tmpfs + - archlinux: Do DHCP on eth0 + - archlinux: Fix resolving + - Drop leftover references to lxc_strerror() + - tests: fix image download for s390x + - tools: fix coding style in lxc_attach + - tools: make overlay valid backend + - tools: better error reporting for lxc-start + - alpine: Fix installing extra packages + - lxc-alpine: do not drop setfcap + - s390x: Fix seccomp handling of personalities + - tools: correct the argument typo in lxc_copy + - Use libtool for liblxc.so + - c/r: use --external instead of --veth-pair + - c/r: remember to increment netnr + - c/r: add checkpoint/restore support for macvlan interfaces + - ubuntu: Fix package upgrades requiring proc + - c/r: drop duplicate hunk from macvlan case + - c/r: use snprintf to compute device name + - Tweak libtool handling to work with Android + - tests: add lxc_error() and lxc_debug() + - container start: clone newcgroup immediately + - use python3_sitearch for including the python code + - fix rpm build, 
include all built files, but only once + - cgfs: fix invalid free() + - find OpenSUSE's build also as obs-build + - improve help text for --fancy and --fancy-format + - improve wording of the help page for lxc-ls + - cgfs: add print_cgfs_init_debuginfo() + - cgfs: skip empty entries under /proc/self/cgroup + - cgfs: explicitly check for NULL + - tools: use correct exit code for lxc-stop + - c/r: explicitly emit bind mounts as criu arguments + - log: bump LXC_LOG_BUFFER_SIZE to 4096 + - conf: merge network namespace move & rename on shutdown + - c/r: save criu's stdout during dump too + - c/r: remove extra \ns from logs + - c/r: fix off-by-one error + - c/r: check state before doing a checkpoint/restore + - start: CLONE_NEWCGROUP after we have setup cgroups + - create symlink for /var/run + - utils: add lxc_append_string() + - cgroups: remove isolated cpus from cpuset.cpus + - Update Ubuntu release name: add zesty and remove wily + - templates: add squashfs support to lxc-ubuntu-cloud.in + - cgroups: skip v2 hierarchy entry + - also stop lxc-net in runlevels 0 and 6 + - add lxc.egg-info to gitignore + - install bash completion where pkg-config tells us to + - conf: do not use %m format specifier + - debian: Don't depend on libui-dialog-perl + - cgroups: use %zu format specifier to print size_t + - lxc-checkpoint: automatically detect if --external or --veth-pair + - cgroups: prevent segfault in cgfsng + - utils: add lxc_preserve_ns() + - start: add netnsfd to lxc_handler + - conf: use lxc_preserve_ns() + - attach: use lxc_preserve_ns() + - lxc_user_nic: use lxc_preserve_ns() + - conf, start: improve log output + - conf: explicitly remove veth device from host + - conf, start: be smarter when deleting networks + - start, utils: improve preserve_ns() + - start, error: improve log + non-functional changes + - start, namespace: move ns_info to namespace.{c,h} + - attach, utils: bugfixes + - attach: use ns_info[LXC_NS_MAX] struct + - namespace: always attach to user 
namespace first + - cgroup: improve isolcpus handling + - cgroups: handle non-existent isolcpus file + - utils: add lxc_safe_uint() + - tests: add unit tests for lxc_safe_uint() + - utils: add lxc_safe_int() + - tests: add unit tests for lxc_safe_int() + - conf/ile: get ip prefix via lxc_safe_uint() + - confile: use lxc_safe_u/int in config_init_{u,g}id + - conf/ile: use lxc_safe_uint() in config_pts() + - conf/ile: use lxc_safe_u/int() in config_start() + - conf/ile: use lxc_safe_uint() in config_monitor() + - conf/ile: use lxc_safe_uint() in config_tty() + - conf/ile: use lxc_safe_uint() in config_kmsg() + - conf/ile: avoid atoi in config_lsm_aa_incomplete() + - conf/ile: use lxc_safe_uint() in config_autodev() + - conf/ile: avoid atoi() in config_ephemeral() + - utils: use lxc_safe_int() + - lxc_monitord: use lxc_safe_int() && use exit() + - start: use lxc_safe_int() + - conf: use lxc_safe_{u}int() + - tools/lxc_execute: use lxc_safe_uint() + - tools/lxc_stop: use lxc_safe_uint() + - utils: add lxc_safe_long() + - tests: add unit tests for lxc_safe_long() + - tools/lxc_stop: use lxc_safe_long() + - tools/lxc_top: use lxc_safe_int() + - tools/lxc_ls: use lxc_safe_uint() + - tools/lxc_autostart: use lxc_safe_{int,long}() + - tools/lxc_console: use lxc_safe_uint() + - tools: replace non-standard namespace identifiers + - Configure a static MAC address on the LXC bridge + - tests: remove overflow tests + - attach: do not send procfd to attached process + * Autopkgtest: + - Restrict tests to run on standalone systems. 
+ + -- Stéphane Graber Sat, 03 Dec 2016 00:16:35 -0500 + +lxc (1.0.8-0ubuntu0.4) trusty-security; urgency=medium + + * SECURITY UPDATE: Escape through ptrace and inherited fd (LP: #1639345) + - attach: Do not send procfd to attached process + - CVE-2016-8649 + + -- Stéphane Graber Tue, 22 Nov 2016 00:49:00 -0500 lxc (1.0.8-0ubuntu0.3) trusty; urgency=medium diff -Nru lxc-1.0.8/debian/.git-dpm lxc-1.0.9/debian/.git-dpm --- lxc-1.0.8/debian/.git-dpm 2015-11-18 18:41:56.000000000 +0000 +++ lxc-1.0.9/debian/.git-dpm 2017-01-04 17:38:31.000000000 +0000 @@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -3d3ff990d7ed8f30ac1fc5508cb7c81b14d5c235 -3d3ff990d7ed8f30ac1fc5508cb7c81b14d5c235 -4d4ae2d76b719cb54dbdeea8f371aedb309b820a -4d4ae2d76b719cb54dbdeea8f371aedb309b820a -lxc_1.0.8.orig.tar.gz -5ceec2289d2f25f8b6a13f8ec8731025294ef4da -807754 +7f435a074b1b83a4adca9c86c80ea9a801e34c42 +7f435a074b1b83a4adca9c86c80ea9a801e34c42 +4ebaab00acc06e471c8baa87b2d8e2ec1b10904b +4ebaab00acc06e471c8baa87b2d8e2ec1b10904b +lxc_1.0.9.orig.tar.gz +3d01de9925430a0914d8df304ac31a74e0b6fbfc +851593 diff -Nru lxc-1.0.8/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch lxc-1.0.9/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch --- lxc-1.0.8/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-1.0.9/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch 2017-01-04 17:38:31.000000000 +0000 
@@ -0,0 +1,61 @@ +From 7f435a074b1b83a4adca9c86c80ea9a801e34c42 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Sun, 25 Dec 2016 12:26:17 +0100 +Subject: tests: skip unpriv tests on broken overlay module + +This mainly affects Trusty. The 3.13 kernel has a broken overlay module which +does not handle symlinks correctly. This is a problem for containers that use +an overlay based rootfs since safe_mount() uses /proc//fd/ in +its calls to mount(). + +Signed-off-by: Christian Brauner +--- + src/tests/lxc-test-unpriv | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/src/tests/lxc-test-unpriv b/src/tests/lxc-test-unpriv +index 93c91a9..54ddc66 100755 +--- a/src/tests/lxc-test-unpriv ++++ b/src/tests/lxc-test-unpriv +@@ -27,6 +27,41 @@ if [ $(id -u) -ne 0 ]; then + echo "ERROR: Must run as root." + exit 1 + fi ++ ++# Test if we're using an overlayfs module that handles symlinks correctly. If ++# not, we skip these tests since overlay clones will not work correctly. ++if modprobe -q overlayfs; then ++ TMPDIR=$(mktemp -d) ++ ++ MOUNTDIR="${TMPDIR}/ovl_symlink_test" ++ ++ mkdir ${MOUNTDIR} ++ ++ mount -t tmpfs none ${MOUNTDIR} ++ ++ mkdir "${MOUNTDIR}/lowerdir" "${MOUNTDIR}/upperdir" "${MOUNTDIR}/overlayfs" ++ mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir" none "${MOUNTDIR}/overlayfs" ++ ++ CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/dummy_file" ++ exec 9> "${CORRECT_LINK_TARGET}" ++ ++ DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9) ++ ++ # cleanup ++ exec 9>&- ++ ++ umount "${MOUNTDIR}/overlayfs" ++ umount ${MOUNTDIR} ++ ++ rmdir ${MOUNTDIR} ++ ++ # This overlay module does not correctly handle symlinks, so skip the ++ # tests. 
++ if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then ++ exit 0 ++ fi ++fi ++ + which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; } + + DONE=0 diff -Nru lxc-1.0.8/debian/patches/0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch lxc-1.0.9/debian/patches/0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch --- lxc-1.0.8/debian/patches/0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch 2015-11-18 18:41:56.000000000 +0000 +++ lxc-1.0.9/debian/patches/0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch 1970-01-01 00:00:00.000000000 +0000 
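Review bot: The result of `mktemp -d` is never checked in the added overlay probe, and this script runs as root: if it fails, `MOUNTDIR` expands to `/ovl_symlink_test` and the following `mkdir` and `mount -t tmpfs` act on the root filesystem. Assigning to `TMPDIR` also overrides the environment variable that later `mktemp` calls honour (the rest of lxc-test-unpriv is outside this hunk, so whether that matters there is not visible), and that directory is never removed; only `${MOUNTDIR}` is. The skip path is a bare `exit 0`, so a skipped run looks the same as a pass in the logs. A version with a private variable name, a checked `mktemp`, consistent quoting, full cleanup and a skip message follows.

```shell
    OVL_TMPDIR=$(mktemp -d) || { echo "ERROR: mktemp failed" >&2; exit 1; }
    MOUNTDIR="${OVL_TMPDIR}/ovl_symlink_test"
    mkdir "${MOUNTDIR}"
    mount -t tmpfs none "${MOUNTDIR}"
    # … unchanged: overlayfs mount, fd 9 probe, readlink, umount of the overlay …
    umount "${MOUNTDIR}"
    rmdir "${MOUNTDIR}" "${OVL_TMPDIR}"
    if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then
        echo "SKIP: overlayfs module does not resolve /proc/<pid>/fd links correctly"
        exit 0
    fi
```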
@@ -1,369 +0,0 @@ -From 3e3c933900c23edf4e378127b6520c91e9f87546 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Wed, 28 Oct 2015 13:51:07 -0500 -Subject: Trusty: Swap out the CVE-2015-1335 fix with the - trusty-kernel-friendly one - -The upstream fix for CVE-2015-1335 exposes bugs in trusty's kernel's -overlayfs+apparmor behavior, breaking lxc-test-unpriv. In trusty we -use a separate lxc patch for CVE-2015-1335 for this reason. - -This patch against upstream stable-1.0 replaces the upstream fix with -the trusty-compatible one. - -Signed-off-by: Serge Hallyn ---- - src/lxc/utils.c | 286 +++++++++++++++------------------------------ - src/tests/lxc-test-symlink | 4 + - 2 files changed, 100 insertions(+), 190 deletions(-) - -diff --git a/src/lxc/utils.c b/src/lxc/utils.c -index 214c5a8..fb45e1f 100644 ---- a/src/lxc/utils.c -+++ b/src/lxc/utils.c -@@ -1155,234 +1155,140 @@ err: - } - - /* -- * @path: a pathname where / replaced with '\0'. -- * @offsetp: pointer to int showing which path segment was last seen. -- * Updated on return to reflect the next segment. -- * @fulllen: full original path length. -- * Returns a pointer to the next path segment, or NULL if done. -+ * ws points into an array of \0-separate path elements. -+ * ws should be pointing to one of the path elements or -+ * the next \0. It will return the first character of the -+ * next path element. - */ --static char *get_nextpath(char *path, int *offsetp, int fulllen) --{ -- int offset = *offsetp; -- -- if (offset >= fulllen) -- return NULL; -- -- while (path[offset] != '\0' && offset < fulllen) -- offset++; -- while (path[offset] == '\0' && offset < fulllen) -- offset++; -- -- *offsetp = offset; -- return (offset < fulllen) ? &path[offset] : NULL; -+static char *next_word(char *ws) { -+ while (*ws && *ws != ' ') ws++; -+ while (*ws && *ws == ' ') ws++; -+ return ws; - } - - /* -- * Check that @subdir is a subdir of @dir. @len is the length of -- * @dir (to avoid having to recalculate it). 
-+ * copy src to dest, collapsing multiple '/' into one and -+ * collapsing '/./' to '/' - */ --static bool is_subdir(const char *subdir, const char *dir, size_t len) -+static void copy_cleanedup(char *dest, const char *src) - { -- size_t subdirlen = strlen(subdir); -- -- if (subdirlen < len) -- return false; -- if (strncmp(subdir, dir, len) != 0) -- return false; -- if (dir[len-1] == '/') -- return true; -- if (subdir[len] == '/' || subdirlen == len) -- return true; -- return false; -+ char *orig = dest; -+ while (*src) { -+ if (*src == '/' && *(src+1) == '/') { -+ src++; -+ continue; -+ } -+ if (*src == '/' && *(src+1) == '.' && -+ (*(src+2) == '/' || *(src+2) == '\0')) { -+ src += 2; -+ continue; -+ } -+ *(dest++) = *(src++); -+ } -+ *dest = '\0'; -+ /* remove trailing / */ -+ dest--; -+ while (dest > orig && *dest == '/') -+ *(dest--) = '\0'; - } - --/* -- * Check if the open fd is a symlink. Return -ELOOP if it is. Return -- * -ENOENT if we couldn't fstat. Return 0 if the fd is ok. -- */ --static int check_symlink(int fd) -+static size_t count_mountinfo_lines(void) - { -- struct stat sb; -- int ret = fstat(fd, &sb); -- if (ret < 0) -- return -ENOENT; -- if (S_ISLNK(sb.st_mode)) -- return -ELOOP; -- return 0; --} -+ FILE *f = fopen("/proc/self/mountinfo", "r"); -+ char *line = NULL; -+ size_t len = 0, i = 0; -+ if (!f) -+ return 0; - --/* -- * Open a file or directory, provided that it contains no symlinks. 
-- * -- * CAVEAT: This function must not be used for other purposes than container -- * setup before executing the container's init -- */ --static int open_if_safe(int dirfd, const char *nextpath) --{ -- int newfd = openat(dirfd, nextpath, O_RDONLY | O_NOFOLLOW); -- if (newfd >= 0) // was not a symlink, all good -- return newfd; -- -- if (errno == ELOOP) -- return newfd; -- -- if (errno == EPERM || errno == EACCES) { -- /* we're not root (cause we got EPERM) so -- try opening with O_PATH */ -- newfd = openat(dirfd, nextpath, O_PATH | O_NOFOLLOW); -- if (newfd >= 0) { -- /* O_PATH will return an fd for symlinks. We know -- * nextpath wasn't a symlink at last openat, so if fd -- * is now a link, then something * fishy is going on -- */ -- int ret = check_symlink(newfd); -- if (ret < 0) { -- close(newfd); -- newfd = ret; -- } -- } -- } -+ while (getline(&line, &len, f) != -1) -+ i++; -+ fclose(f); - -- return newfd; -+ free(line); -+ return i; - } - - /* -- * Open a path intending for mounting, ensuring that the final path -- * is inside the container's rootfs. -- * -- * CAVEAT: This function must not be used for other purposes than container -- * setup before executing the container's init -- * -- * @target: path to be opened -- * @prefix_skip: a part of @target in which to ignore symbolic links. This -- * would be the container's rootfs. -- * -- * Return an open fd for the path, or <0 on error. -+ * This is only used during container startup. So we know we won't race -+ * with anyone else mounting. Check the last line in /proc/self/mountinfo -+ * to make sure the target is under the container root. 
- */ --static int open_without_symlink(const char *target, const char *prefix_skip) -+static bool ensure_not_symlink(const char *target, const char *croot, size_t prevlines) - { -- int curlen = 0, dirfd, fulllen, i; -- char *dup = NULL; -- -- fulllen = strlen(target); -- -- /* make sure prefix-skip makes sense */ -- if (prefix_skip) { -- curlen = strlen(prefix_skip); -- if (!is_subdir(target, prefix_skip, curlen)) { -- ERROR("WHOA there - target '%s' didn't start with prefix '%s'", -- target, prefix_skip); -- return -EINVAL; -- } -- /* -- * get_nextpath() expects the curlen argument to be -- * on a (turned into \0) / or before it, so decrement -- * curlen to make sure that happens -- */ -- if (curlen) -- curlen--; -- } else { -- prefix_skip = "/"; -- curlen = 0; -+ FILE *f = fopen("/proc/self/mountinfo", "r"); -+ char *line = NULL, *ws = NULL, *we = NULL, *tgtcopy; -+ size_t len = 0, i = 0; -+ bool ret = false; -+ -+ if (!croot || croot[0] == '\0') -+ return true; -+ -+ if (!f) { -+ ERROR("Cannot open /proc/self/mountinfo"); -+ return false; - } - -- /* Make a copy of target which we can hack up, and tokenize it */ -- if ((dup = strdup(target)) == NULL) { -- SYSERROR("Out of memory checking for symbolic link"); -- return -ENOMEM; -+ while (getline(&line, &len, f) != -1 && i < prevlines) { -+ i++; - } -- for (i = 0; i < fulllen; i++) { -- if (dup[i] == '/') -- dup[i] = '\0'; -+ fclose(f); -+ -+ if (!line) -+ return false; -+ ws = line; -+ for (i = 0; i < 4; i++) -+ ws = next_word(ws); -+ if (!*ws) -+ goto out; -+ we = ws; -+ while (*we && *we != ' ') -+ we++; -+ if (!*we) -+ goto out; -+ *we = '\0'; -+ -+ tgtcopy = alloca(strlen(target) + 1); -+ copy_cleanedup(tgtcopy, target); -+ /* now make sure that ws starts with croot and ends with rest of target */ -+ if (croot && strncmp(ws, croot, strlen(croot)) != 0) { -+ ERROR("Mount onto %s resulted in %s, does not match root %s\n", -+ target, ws, croot); -+ goto out; - } - -- dirfd = open(prefix_skip, O_RDONLY); -- if 
(dirfd < 0) -+ size_t start = croot ? strlen(croot) : 0; -+ if (strcmp(ws + start, tgtcopy + start) != 0) { -+ ERROR("Mount onto %s resulted in %s, not %s\n", target, ws, tgtcopy); - goto out; -- while (1) { -- int newfd, saved_errno; -- char *nextpath; -- -- if ((nextpath = get_nextpath(dup, &curlen, fulllen)) == NULL) -- goto out; -- newfd = open_if_safe(dirfd, nextpath); -- saved_errno = errno; -- close(dirfd); -- dirfd = newfd; -- if (newfd < 0) { -- errno = saved_errno; -- if (errno == ELOOP) -- SYSERROR("%s in %s was a symbolic link!", nextpath, target); -- else -- SYSERROR("Error examining %s in %s", nextpath, target); -- goto out; -- } - } - -+ ret = true; -+ - out: -- free(dup); -- return dirfd; -+ free(line); -+ return ret; - } -- - /* - * Safely mount a path into a container, ensuring that the mount target - * is under the container's @rootfs. (If @rootfs is NULL, then the container - * uses the host's /) -- * -- * CAVEAT: This function must not be used for other purposes than container -- * setup before executing the container's init - */ - int safe_mount(const char *src, const char *dest, const char *fstype, - unsigned long flags, const void *data, const char *rootfs) - { -- int srcfd = -1, destfd, ret, saved_errno; -- char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ -- const char *mntsrc = src; -- -- if (!rootfs) -- rootfs = ""; -- -- /* todo - allow symlinks for relative paths if 'allowsymlinks' option is passed */ -- if (flags & MS_BIND && src && src[0] != '/') { -- INFO("this is a relative bind mount"); -- srcfd = open_without_symlink(src, NULL); -- if (srcfd < 0) -- return srcfd; -- ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); -- if (ret < 0 || ret > 50) { -- close(srcfd); -- ERROR("Out of memory"); -- return -EINVAL; -- } -- mntsrc = srcbuf; -- } -- -- destfd = open_without_symlink(dest, rootfs); -- if (destfd < 0) { -- if (srcfd != -1) -- close(srcfd); -- return destfd; -- } -- -- ret = snprintf(destbuf, 50, 
"/proc/self/fd/%d", destfd); -- if (ret < 0 || ret > 50) { -- if (srcfd != -1) -- close(srcfd); -- close(destfd); -- ERROR("Out of memory"); -- return -EINVAL; -- } -+ int ret; -+ size_t nlines = count_mountinfo_lines(); - -- ret = mount(mntsrc, destbuf, fstype, flags, data); -- saved_errno = errno; -- if (srcfd != -1) -- close(srcfd); -- close(destfd); -+ ret = mount(src, dest, fstype, flags, data); - if (ret < 0) { -- errno = saved_errno; -- SYSERROR("Failed to mount %s onto %s", src, dest); -+ SYSERROR("Mount of '%s' onto '%s' failed", src, dest); - return ret; - } - -+ if (!ensure_not_symlink(dest, rootfs, nlines)) { -+ ERROR("Mount of '%s' onto '%s' was onto a symlink!", src, dest); -+ umount(dest); -+ return -1; -+ } - return 0; - } -diff --git a/src/tests/lxc-test-symlink b/src/tests/lxc-test-symlink -index 56b7cf6..1e32d66 100644 ---- a/src/tests/lxc-test-symlink -+++ b/src/tests/lxc-test-symlink -@@ -51,6 +51,10 @@ lxc.mount.entry = $dirname opt/xxx/dir none bind,create=dir - lxc.mount.entry = $fname opt/xxx/file none bind,create=file - lxc.mount.entry = $fname2 opt/xxx/file2 none bind - lxc.mount.entry = $dirname /var/lib/lxc/symtest1/rootfs/opt/xxx/dir2 none bind,create=dir -+lxc.mount.entry = $dirname /var/lib/lxc/symtest1/rootfs/opt/xxx//././//dir2 none bind,create=dir -+lxc.mount.entry = $dirname /var/lib/lxc/symtest1/rootfs/opt/xxx//././//dir3// none bind,create=dir -+lxc.mount.entry = $dirname /var/lib/lxc/symtest1/rootfs/opt/xxx//././//dir4/. none bind,create=dir -+ - EOF - - # Regular - should succeed diff -Nru lxc-1.0.8/debian/patches/0002-ubuntu-cloud-Various-fixes.patch lxc-1.0.9/debian/patches/0002-ubuntu-cloud-Various-fixes.patch --- lxc-1.0.8/debian/patches/0002-ubuntu-cloud-Various-fixes.patch 2015-11-18 18:41:56.000000000 +0000 +++ lxc-1.0.9/debian/patches/0002-ubuntu-cloud-Various-fixes.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,65 +0,0 @@ -From 2452a0458c96ebbf0b14b8f9b71c581036e8fad9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?St=C3=A9phane=20Graber?= -Date: Thu, 12 Nov 2015 12:44:38 -0500 -Subject: ubuntu-cloud: Various fixes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - - - Update list of supported releases - - Make the fallback release trusty - - Don't specify the compression algorithm (use auto-detection) so that - people passing tarballs to the template don't see regressions. - -Signed-off-by: Stéphane Graber -Acked-by: Serge E. Hallyn ---- - templates/lxc-ubuntu-cloud.in | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in -index 3f30a61..d277fec 100644 ---- a/templates/lxc-ubuntu-cloud.in -+++ b/templates/lxc-ubuntu-cloud.in -@@ -25,7 +25,7 @@ STATE_DIR="@LOCALSTATEDIR@" - HOOK_DIR="@LXCHOOKDIR@" - CLONE_HOOK_FN="$HOOK_DIR/ubuntu-cloud-prep" - LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" --KNOWN_RELEASES="precise trusty utopic vivid" -+KNOWN_RELEASES="precise trusty vivid wily xenial" - skip_arch_check=${UCTEMPLATE_SKIP_ARCH_CHECK:-0} - - # Make sure the usual locations are in PATH -@@ -159,8 +159,8 @@ eval set -- "$options" - - mapped_uid=-1 - mapped_gid=-1 --# default release is precise, or the systems release if recognized --release=precise -+# default release is trusty, or the systems release if recognized -+release=trusty - if [ -f /etc/lsb-release ]; then - . /etc/lsb-release - rels=$(ubuntu-distro-info --supported 2>/dev/null) || -@@ -183,7 +183,7 @@ else - arch="amd64" - elif [ "$arch" = "armv7l" ]; then - # note: arm images don't exist before oneiric; are called armhf in -- # precise and later; and are not supported by the query, so we don't actually -+ # trusty and later; and are not supported by the query, so we don't actually - # support them yet (see check later on). 
When Query2 is available, - # we'll use that to enable arm images. - arch="armhf" -@@ -330,10 +330,10 @@ do_extract_rootfs() { - mkdir -p $rootfs - cd $rootfs - if [ $in_userns -eq 1 ]; then -- tar --anchored --exclude="dev/*" --numeric-owner -xpJf "$cache/$filename" -+ tar --anchored --exclude="dev/*" --numeric-owner -xpf "$cache/$filename" - mkdir -p $rootfs/dev/pts/ - else -- tar --numeric-owner -xpJf "$cache/$filename" -+ tar --numeric-owner -xpf "$cache/$filename" - fi - } - diff -Nru lxc-1.0.8/debian/patches/0003-Better-handle-preserve_ns-behavior.patch lxc-1.0.9/debian/patches/0003-Better-handle-preserve_ns-behavior.patch --- lxc-1.0.8/debian/patches/0003-Better-handle-preserve_ns-behavior.patch 2015-11-18 18:41:56.000000000 +0000 +++ lxc-1.0.9/debian/patches/0003-Better-handle-preserve_ns-behavior.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,121 +0,0 @@ -From 3d3ff990d7ed8f30ac1fc5508cb7c81b14d5c235 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Tue, 17 Nov 2015 12:59:05 -0600 -Subject: Better handle preserve_ns behavior - -Commit b6b2b194a8 preserves the container's namespaces for -possible later use in stop hook. But some kernels don't have -/proc/pid/ns/ns for all the namespaces we may be interested in. -So warn but continue if this is the case. - -Implement stgraber's suggested semantics. - - - User requests some namespaces be preserved: - - If /proc/self/ns is missing => fail (saying kernel misses setns) - - If /proc/self/ns/ entry is missing => fail (saying kernel misses setns for ) - - User doesn't request some namespaces be preserved: - - If /proc/self/ns is missing => log an INFO message (kernel misses setns) and continue - - If /proc/self/ns/ entry is missing => log an INFO message (kernel misses setns for ) and continue - -Signed-off-by: Serge Hallyn ---- - src/lxc/start.c | 47 ++++++++++++++++++++++++++++++++++------------- - 1 file changed, 34 insertions(+), 13 deletions(-) - -diff --git a/src/lxc/start.c b/src/lxc/start.c -index 3cbb049..c481630 100644 ---- a/src/lxc/start.c -+++ b/src/lxc/start.c -@@ -117,8 +117,15 @@ static void close_ns(int ns_fd[LXC_NS_MAX]) { - } - } - --static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) { -- int i, saved_errno; -+/* -+ * preserve_ns: open /proc/@pid/ns/@ns for each namespace specified -+ * in clone_flags. -+ * Return true on success, false on failure. On failure, leave an error -+ * message in *errmsg, which caller must free. 
-+ */ -+static -+bool preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid, char **errmsg) { -+ int i, ret; - char path[MAXPATHLEN]; - - for (i = 0; i < LXC_NS_MAX; i++) -@@ -126,8 +133,9 @@ static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) { - - snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid); - if (access(path, X_OK)) { -- WARN("Kernel does not support attach; preserve_ns ignored"); -- return 0; -+ if (asprintf(errmsg, "Kernel does not support setns.") == -1) -+ *errmsg = NULL; -+ return false; - } - - for (i = 0; i < LXC_NS_MAX; i++) { -@@ -140,14 +148,20 @@ static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) { - goto error; - } - -- return 0; -+ return true; - - error: -- saved_errno = errno; -+ if (errno == ENOENT) { -+ ret = asprintf(errmsg, "Kernel does not support setns for %s", -+ ns_info[i].proc_name); -+ } else { -+ ret = asprintf(errmsg, "Failed to open %s: %s", -+ path, strerror(errno)); -+ } -+ if (ret == -1) -+ *errmsg = NULL; - close_ns(ns_fd); -- errno = saved_errno; -- SYSERROR("failed to open '%s'", path); -- return -1; -+ return false; - } - - static int attach_ns(const int ns_fd[LXC_NS_MAX]) { -@@ -798,6 +812,7 @@ static int lxc_spawn(struct lxc_handler *handler) - { - int failed_before_rename = 0; - const char *name = handler->name; -+ char *errmsg = NULL; - bool cgroups_connected = false; - int saved_ns_fd[LXC_NS_MAX]; - int preserve_mask = 0, i; -@@ -889,8 +904,12 @@ static int lxc_spawn(struct lxc_handler *handler) - INFO("failed to pin the container's rootfs"); - } - -- if (preserve_ns(saved_ns_fd, preserve_mask, getpid()) < 0) -+ if (!preserve_ns(saved_ns_fd, preserve_mask, getpid(), &errmsg)) { -+ SYSERROR("Failed to preserve requested namespaces: %s", -+ errmsg ? 
errmsg : "(Out of memory)"); -+ free(errmsg); - goto out_delete_net; -+ } - if (attach_ns(handler->conf->inherit_ns_fd) < 0) - goto out_delete_net; - -@@ -910,9 +929,11 @@ static int lxc_spawn(struct lxc_handler *handler) - goto out_delete_net; - } - -- if (preserve_ns(handler->nsfd, handler->clone_flags, handler->pid) < 0) { -- ERROR("failed to store namespace references"); -- goto out_delete_net; -+ if (preserve_ns(handler->nsfd, handler->clone_flags, handler->pid, -+ &errmsg) < 0) { -+ INFO("Failed to store namespace references for stop hook: %s", -+ errmsg ? errmsg : "(Out of memory)"); -+ free(errmsg); - } - - if (attach_ns(saved_ns_fd)) diff -Nru lxc-1.0.8/debian/patches/series lxc-1.0.9/debian/patches/series --- lxc-1.0.8/debian/patches/series 2015-11-18 18:41:56.000000000 +0000 +++ lxc-1.0.9/debian/patches/series 2017-01-04 17:38:31.000000000 +0000 @@ -1,3 +1 @@ -0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch -0002-ubuntu-cloud-Various-fixes.patch -0003-Better-handle-preserve_ns-behavior.patch +0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch diff -Nru lxc-1.0.8/debian/tests/control lxc-1.0.9/debian/tests/control --- lxc-1.0.8/debian/tests/control 2015-11-18 18:41:56.000000000 +0000 +++ lxc-1.0.9/debian/tests/control 2017-01-04 17:38:31.000000000 +0000 @@ -5,4 +5,4 @@ uidmap, xz-utils, @ -Restrictions: needs-root allow-stderr +Restrictions: needs-root allow-stderr isolation-machine diff -Nru lxc-1.0.8/doc/api/Doxyfile lxc-1.0.9/doc/api/Doxyfile --- lxc-1.0.8/doc/api/Doxyfile 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/api/Doxyfile 2016-11-23 19:10:02.000000000 +0000 
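Review bot: The `debian/patches/series` hunk drops `0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch` with no record of why the Trusty-specific `safe_mount()` variant is no longer needed. The deleted patch replaced the `open_without_symlink()` / `/proc/self/fd` mount path with a post-mount `ensure_not_symlink()` check and added three path-normalisation entries to `src/tests/lxc-test-symlink`, so removing it changes which symlink protection the package ships. The 1.0.9 `safe_mount()` is not visible in this diff; presumably it carries the upstream fix, but that should be confirmed on the Trusty kernel, along with whether the `opt/xxx//././//dir2`-style test entries still exist upstream. I would record the decision in the series file once confirmed, e.g. `# CVE-2015-1335: Trusty-only safe_mount swap dropped, upstream 1.0.9 fix used instead`, or in the changelog entry.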
@@ -130,7 +130,7 @@ # shortest path that makes the file name unique will be used # The default value is: YES. -FULL_PATH_NAMES = YES +FULL_PATH_NAMES = NO # The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path. # Stripping is only done if one of the specified strings matches the left-hand diff -Nru lxc-1.0.8/doc/api/Makefile.in lxc-1.0.9/doc/api/Makefile.in --- lxc-1.0.8/doc/api/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/doc/api/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,12 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = doc/api -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = 
@@ -108,6 +118,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -224,6 +235,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -262,6 +274,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -286,7 +299,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/api/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/api/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -455,6 +467,8 @@ mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \ uninstall-am +.PRECIOUS: Makefile + @ENABLE_API_DOCS_TRUE@html: Doxyfile @ENABLE_API_DOCS_TRUE@ doxygen diff -Nru lxc-1.0.8/doc/examples/Makefile.in lxc-1.0.9/doc/examples/Makefile.in --- lxc-1.0.8/doc/examples/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/doc/examples/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,16 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = doc/examples -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc-macvlan.conf.in $(srcdir)/lxc-vlan.conf.in \ - $(srcdir)/lxc-no-netns.conf.in \ - $(srcdir)/lxc-empty-netns.conf.in $(srcdir)/lxc-phys.conf.in \ - $(srcdir)/lxc-veth.conf.in $(srcdir)/lxc-complex.conf.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc-macvlan.conf lxc-vlan.conf lxc-no-netns.conf \ @@ -144,6 +150,11 @@ am__installdirs = "$(DESTDIR)$(pkgexamplesdir)" DATA = $(noinst_DATA) $(pkgexamples_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc-complex.conf.in \ + $(srcdir)/lxc-empty-netns.conf.in \ + $(srcdir)/lxc-macvlan.conf.in $(srcdir)/lxc-no-netns.conf.in \ + $(srcdir)/lxc-phys.conf.in $(srcdir)/lxc-veth.conf.in \ + $(srcdir)/lxc-vlan.conf.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -260,6 +271,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -298,6 +310,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -351,7 +364,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/examples/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/examples/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -558,6 +570,8 @@ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-pkgexamplesDATA +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/doc/ja/lxc-attach.sgml.in lxc-1.0.9/doc/ja/lxc-attach.sgml.in --- lxc-1.0.8/doc/ja/lxc-attach.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/ja/lxc-attach.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -152,10 +152,13 @@ CGROUP|LSM. Allowed values are CGROUP, CAP and LSM representing cgroup, capabilities and - restriction privileges respectively. + restriction privileges respectively. (The pipe symbol needs to be escaped, + e.g. CGROUP\|LSM or quoted, e.g. + "CGROUP|LSM".) --> 全ての特権の取得したくない場合は、パイプで連結したリストとして、例えば CGROUP|LSM のように、特権を指定することが可能です。 指定できる値は、それぞれ cgroup、ケーパビリティ、特権の制限を表す CGROUPCAPLSM です。 + (パイプ記号を CGROUP\|LSM のようにエスケープするか、"CGROUP|LSM" のように引用符号を付ける必要があります。) アタッチする名前空間をパイプで連結したリストで指定します。 例えば NETWORK|IPC のようにです。 ここで使用可能な値は MOUNT, PID, UTSNAME, IPC, USER , NETWORK です。 これにより指定した名前空間にプロセスのコンテキストを変更できます。 例えばコンテナのネットワーク名前空間に変更する一方で、他の名前空間はホストの名前空間のままにするというような事が可能です。 + (パイプ記号を MOUNT\|PID のようにエスケープするか、"MOUNT|PID" のように引用符号を付ける必要があります。) 設定ファイルのオプション一つを、key = value の形で一行で表します。 '#' は、その行はコメントであることを示します。 + ケーパビリティや cgroup のオプションのような、リスト形式で指定するオプションでは、value がない形式で指定できます。このように使うと、それ以前に定義した値をすべてクリアします。 
@@ -291,6 +294,19 @@ そして、仮に物理ネットワークインターフェースが一つしかなくても、コンテナ内でいくつもの仮想インターフェースを使うことができます。 + + + + + + + + 値を指定せずに使い、それ以前に定義されたすべてのネットワークオプションをクリアできます。 + + + @@ -864,7 +880,7 @@ /dev to be set up as needed in the container rootfs. If lxc.autodev is set to 1, then after mounting the container's rootfs LXC will mount a fresh tmpfs under /dev - (limited to 100k) and fill in a minimal set of initial devices. + (limited to 500k) and fill in a minimal set of initial devices. This is generally required when starting a container containing a "systemd" based "init" but may be optional at other times. Additional devices in the containers /dev directory may be created through the @@ -872,7 +888,7 @@ --> デフォルトでは、lxc はコンテナの /dev 以下に fd, stdin, stdout, stderr のシンボリックリンクを作成しますが、自動的にはデバイスノードのエントリは作成しません。 これは、コンテナの rootfs で必要な設定を行えるようにするものです。 - lxc.autodev が 1 に設定されている場合、コンテナの rootfs をマウントした後、LXC は新しい tmpfs を /dev 以下にマウントします (100k 制限の)。 + lxc.autodev が 1 に設定されている場合、コンテナの rootfs をマウントした後、LXC は新しい tmpfs を /dev 以下にマウントします (500k 制限の)。 そして初期デバイスの最小限のセットを作成します。 これは、"systemd" ベースの "init" 環境のコンテナを起動する時に通常必要ですが、他の環境の場合はオプショナルなものです。 コンテナの /dev ディレクトリ内の追加デバイスは フックを使用して作成されます。 @@ -1433,6 +1449,8 @@ capabilities 7 , + If used with no value, lxc will clear any drop capabilities + specified up to this point. --> コンテナ内で削除するケーパビリティ (capability) を指定します。 一行でスペース区切りで複数のケーパビリティを指定することも可能です。 @@ -1443,6 +1461,7 @@ capabilities 7 + この設定を、値を指定しない状態で使った場合、それ以前に指定された削除対象のケーパビリティの指定をすべてクリアします (lxc.cap.drop に何も指定しない状態になります)。 diff -Nru lxc-1.0.8/doc/ja/lxc-create.sgml.in lxc-1.0.9/doc/ja/lxc-create.sgml.in --- lxc-1.0.8/doc/ja/lxc-create.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/ja/lxc-create.sgml.in 2016-11-23 19:10:02.000000000 +0000 
@@ -57,7 +57,7 @@ lxc-create -n name -f config_file - -t template + -t template -B backingstore -- template-options diff -Nru lxc-1.0.8/doc/ja/lxc-info.sgml.in lxc-1.0.9/doc/ja/lxc-info.sgml.in --- lxc-1.0.8/doc/ja/lxc-info.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/ja/lxc-info.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -86,7 +86,7 @@ コンテナの設定値を表示します。このオプションは複数の key = value のペアを表示したい場合には複数回指定することも可能です。 diff -Nru lxc-1.0.8/doc/ja/lxc.sgml.in lxc-1.0.9/doc/ja/lxc.sgml.in --- lxc-1.0.8/doc/ja/lxc.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/ja/lxc.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -689,7 +689,7 @@ アタッチする名前空間を、パイプでつなげたリストで指定します。 例えば NETWORK|IPC のようにです。 指定できる値は MOUNTPIDUTSNAMEIPCUSER NETWORK です。 これにより、プロセスのコンテキストを変更することができます。 例えば、コンテナのネットワーク名前空間だけを変更し、他の名前空間をホストのものと同じものに保ったままにするというようなことです。 + (パイプ記号を MOUNT\|PID のようにエスケー +プするか、"MOUNT|PID" のように引用符号を付ける必要が>あります。) diff -Nru lxc-1.0.8/doc/ja/Makefile.in lxc-1.0.9/doc/ja/Makefile.in --- lxc-1.0.8/doc/ja/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/doc/ja/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -83,30 +93,12 @@ @ENABLE_DOCBOOK_TRUE@@ENABLE_PYTHON_FALSE@am__append_2 = legacy/lxc-ls.1 @ENABLE_DOCBOOK_TRUE@@ENABLE_LUA_TRUE@am__append_3 = lxc-top.1 subdir = doc/ja -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc-attach.sgml.in $(srcdir)/lxc-autostart.sgml.in \ - $(srcdir)/lxc-cgroup.sgml.in $(srcdir)/lxc-checkconfig.sgml.in \ - $(srcdir)/lxc-clone.sgml.in $(srcdir)/lxc-config.sgml.in \ - $(srcdir)/lxc-console.sgml.in $(srcdir)/lxc-create.sgml.in \ - $(srcdir)/lxc-destroy.sgml.in $(srcdir)/lxc-device.sgml.in \ - $(srcdir)/lxc-execute.sgml.in $(srcdir)/lxc-freeze.sgml.in \ - $(srcdir)/lxc-info.sgml.in $(srcdir)/lxc-ls.sgml.in \ - $(srcdir)/lxc-monitor.sgml.in $(srcdir)/lxc-snapshot.sgml.in \ - $(srcdir)/lxc-start-ephemeral.sgml.in \ - $(srcdir)/lxc-start.sgml.in $(srcdir)/lxc-stop.sgml.in \ - $(srcdir)/lxc-top.sgml.in $(srcdir)/lxc-unfreeze.sgml.in \ - $(srcdir)/lxc-unshare.sgml.in $(srcdir)/lxc-user-nic.sgml.in \ - $(srcdir)/lxc-usernsexec.sgml.in $(srcdir)/lxc-wait.sgml.in \ - $(srcdir)/lxc.conf.sgml.in \ - $(srcdir)/lxc.container.conf.sgml.in \ - $(srcdir)/lxc.system.conf.sgml.in \ - $(srcdir)/lxc-usernet.sgml.in $(srcdir)/lxc.sgml.in \ - $(srcdir)/common_options.sgml.in $(srcdir)/see_also.sgml.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc-attach.sgml lxc-autostart.sgml \ 
@@ -208,6 +200,24 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(srcdir)/common_options.sgml.in $(srcdir)/lxc-attach.sgml.in \ + $(srcdir)/lxc-autostart.sgml.in $(srcdir)/lxc-cgroup.sgml.in \ + $(srcdir)/lxc-checkconfig.sgml.in $(srcdir)/lxc-clone.sgml.in \ + $(srcdir)/lxc-config.sgml.in $(srcdir)/lxc-console.sgml.in \ + $(srcdir)/lxc-create.sgml.in $(srcdir)/lxc-destroy.sgml.in \ + $(srcdir)/lxc-device.sgml.in $(srcdir)/lxc-execute.sgml.in \ + $(srcdir)/lxc-freeze.sgml.in $(srcdir)/lxc-info.sgml.in \ + $(srcdir)/lxc-ls.sgml.in $(srcdir)/lxc-monitor.sgml.in \ + $(srcdir)/lxc-snapshot.sgml.in \ + $(srcdir)/lxc-start-ephemeral.sgml.in \ + $(srcdir)/lxc-start.sgml.in $(srcdir)/lxc-stop.sgml.in \ + $(srcdir)/lxc-top.sgml.in $(srcdir)/lxc-unfreeze.sgml.in \ + $(srcdir)/lxc-unshare.sgml.in $(srcdir)/lxc-user-nic.sgml.in \ + $(srcdir)/lxc-usernet.sgml.in $(srcdir)/lxc-usernsexec.sgml.in \ + $(srcdir)/lxc-wait.sgml.in $(srcdir)/lxc.conf.sgml.in \ + $(srcdir)/lxc.container.conf.sgml.in $(srcdir)/lxc.sgml.in \ + $(srcdir)/lxc.system.conf.sgml.in $(srcdir)/see_also.sgml.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -349,6 +359,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -387,6 +398,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -427,7 +439,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/ja/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/ja/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -916,6 +927,8 @@ pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-man uninstall-man1 uninstall-man5 uninstall-man7 +.PRECIOUS: Makefile + @ENABLE_DOCBOOK_TRUE@%.1 : %.sgml @ENABLE_DOCBOOK_TRUE@ $(db2xman) --encoding=UTF-8 $< diff -Nru lxc-1.0.8/doc/lxc-attach.sgml.in lxc-1.0.9/doc/lxc-attach.sgml.in --- lxc-1.0.8/doc/lxc-attach.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/lxc-attach.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -306,7 +306,7 @@ network/pid namespace context of the attached process. In order not to interfere with the host's actual filesystem, the mount namespace will be unshared (like lxc-unshare - does) before this is done, esentially giving the process a new + does) before this is done, essentially giving the process a new mount namespace, which is identical to the hosts's mount namespace except for the /proc and /sys filesystems. diff -Nru lxc-1.0.8/doc/lxc.container.conf.sgml.in lxc-1.0.9/doc/lxc.container.conf.sgml.in --- lxc-1.0.8/doc/lxc.container.conf.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/lxc.container.conf.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -72,7 +72,9 @@ Each option in the configuration file has the form key = value fitting in one line. The '#' character means - the line is a comment. + the line is a comment. List options, like capabilities and cgroups + options, can be used with no value to clear any previously + defined values of that option. @@ -215,6 +217,16 @@ + + + + + may be used without a value to clear all previous network options. + + + + + 
@@ -627,7 +639,7 @@ /dev to be set up as needed in the container rootfs. If lxc.autodev is set to 1, then after mounting the container's rootfs LXC will mount a fresh tmpfs under /dev - (limited to 100k) and fill in a minimal set of initial devices. + (limited to 500k) and fill in a minimal set of initial devices. This is generally required when starting a container containing a "systemd" based "init" but may be optional at other times. Additional devices in the containers /dev directory may be created through the @@ -1015,7 +1027,9 @@ capabilities 7 - , + . + If used with no value, lxc will clear any drop capabilities + specified up to this point. diff -Nru lxc-1.0.8/doc/lxc-create.sgml.in lxc-1.0.9/doc/lxc-create.sgml.in --- lxc-1.0.8/doc/lxc-create.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/lxc-create.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -51,7 +51,7 @@ lxc-create -n name -f config_file - -t template + -t template -B backingstore -- template-options diff -Nru lxc-1.0.8/doc/lxc-info.sgml.in lxc-1.0.9/doc/lxc-info.sgml.in --- lxc-1.0.8/doc/lxc-info.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/lxc-info.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -76,7 +76,7 @@ Print a configuration key from the container. This option - may be given mulitple times to print out multiple key = value pairs. + may be given multiple times to print out multiple key = value pairs. diff -Nru lxc-1.0.8/doc/lxc.sgml.in lxc-1.0.9/doc/lxc.sgml.in --- lxc-1.0.8/doc/lxc.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/lxc.sgml.in 2016-11-23 19:10:02.000000000 +0000 
@@ -457,7 +457,7 @@ Here is an example on how the combination of these commands - allow to list all the containers and retrieve their state. + allows one to list all the containers and retrieve their state. for i in $(lxc-ls -1); do lxc-info -n $i diff -Nru lxc-1.0.8/doc/lxc-unshare.sgml.in lxc-1.0.9/doc/lxc-unshare.sgml.in --- lxc-1.0.8/doc/lxc-unshare.sgml.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/doc/lxc-unshare.sgml.in 2016-11-23 19:10:02.000000000 +0000 @@ -93,7 +93,9 @@ NETWORK. This allows one to change the context of the process to e.g. the network namespace of the container while retaining the other namespaces as those of the - host. + host. (The pipe symbol needs to be escaped, e.g. + MOUNT\|PID or quoted, e.g. + "MOUNT|PID".) diff -Nru lxc-1.0.8/doc/Makefile.in lxc-1.0.9/doc/Makefile.in --- lxc-1.0.8/doc/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/doc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -85,30 +95,12 @@ @ENABLE_DOCBOOK_TRUE@@ENABLE_PYTHON_FALSE@am__append_4 = legacy/lxc-ls.1 @ENABLE_DOCBOOK_TRUE@@ENABLE_LUA_TRUE@am__append_5 = lxc-top.1 subdir = doc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc-attach.sgml.in $(srcdir)/lxc-autostart.sgml.in \ - $(srcdir)/lxc-cgroup.sgml.in $(srcdir)/lxc-checkconfig.sgml.in \ - $(srcdir)/lxc-clone.sgml.in $(srcdir)/lxc-config.sgml.in \ - $(srcdir)/lxc-console.sgml.in $(srcdir)/lxc-create.sgml.in \ - $(srcdir)/lxc-destroy.sgml.in $(srcdir)/lxc-device.sgml.in \ - $(srcdir)/lxc-execute.sgml.in $(srcdir)/lxc-freeze.sgml.in \ - $(srcdir)/lxc-info.sgml.in $(srcdir)/lxc-ls.sgml.in \ - $(srcdir)/lxc-monitor.sgml.in $(srcdir)/lxc-snapshot.sgml.in \ - $(srcdir)/lxc-start-ephemeral.sgml.in \ - $(srcdir)/lxc-start.sgml.in $(srcdir)/lxc-stop.sgml.in \ - $(srcdir)/lxc-top.sgml.in $(srcdir)/lxc-unfreeze.sgml.in \ - $(srcdir)/lxc-unshare.sgml.in $(srcdir)/lxc-user-nic.sgml.in \ - $(srcdir)/lxc-usernsexec.sgml.in $(srcdir)/lxc-wait.sgml.in \ - $(srcdir)/lxc.conf.sgml.in \ - $(srcdir)/lxc.container.conf.sgml.in \ - $(srcdir)/lxc.system.conf.sgml.in \ - $(srcdir)/lxc-usernet.sgml.in $(srcdir)/lxc.sgml.in \ - $(srcdir)/common_options.sgml.in $(srcdir)/see_also.sgml.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc-attach.sgml lxc-autostart.sgml \ 
@@ -210,6 +202,24 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(srcdir)/common_options.sgml.in $(srcdir)/lxc-attach.sgml.in \ + $(srcdir)/lxc-autostart.sgml.in $(srcdir)/lxc-cgroup.sgml.in \ + $(srcdir)/lxc-checkconfig.sgml.in $(srcdir)/lxc-clone.sgml.in \ + $(srcdir)/lxc-config.sgml.in $(srcdir)/lxc-console.sgml.in \ + $(srcdir)/lxc-create.sgml.in $(srcdir)/lxc-destroy.sgml.in \ + $(srcdir)/lxc-device.sgml.in $(srcdir)/lxc-execute.sgml.in \ + $(srcdir)/lxc-freeze.sgml.in $(srcdir)/lxc-info.sgml.in \ + $(srcdir)/lxc-ls.sgml.in $(srcdir)/lxc-monitor.sgml.in \ + $(srcdir)/lxc-snapshot.sgml.in \ + $(srcdir)/lxc-start-ephemeral.sgml.in \ + $(srcdir)/lxc-start.sgml.in $(srcdir)/lxc-stop.sgml.in \ + $(srcdir)/lxc-top.sgml.in $(srcdir)/lxc-unfreeze.sgml.in \ + $(srcdir)/lxc-unshare.sgml.in $(srcdir)/lxc-user-nic.sgml.in \ + $(srcdir)/lxc-usernet.sgml.in $(srcdir)/lxc-usernsexec.sgml.in \ + $(srcdir)/lxc-wait.sgml.in $(srcdir)/lxc.conf.sgml.in \ + $(srcdir)/lxc.container.conf.sgml.in $(srcdir)/lxc.sgml.in \ + $(srcdir)/lxc.system.conf.sgml.in $(srcdir)/see_also.sgml.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -351,6 +361,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -389,6 +400,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -431,7 +443,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -920,6 +931,8 @@ pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-man uninstall-man1 uninstall-man5 uninstall-man7 +.PRECIOUS: Makefile + @ENABLE_DOCBOOK_TRUE@%.1 : %.sgml @ENABLE_DOCBOOK_TRUE@ $(db2xman) $< diff -Nru lxc-1.0.8/doc/rootfs/Makefile.in lxc-1.0.9/doc/rootfs/Makefile.in --- lxc-1.0.8/doc/rootfs/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/doc/rootfs/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,12 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = doc/rootfs -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = 
@@ -138,6 +148,7 @@ am__installdirs = "$(DESTDIR)$(READMEdir)" DATA = $(README_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -254,6 +265,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -292,6 +304,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -317,7 +330,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/rootfs/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/rootfs/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -510,6 +522,8 @@ pdf-am ps ps-am tags-am uninstall uninstall-READMEDATA \ uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/hooks/Makefile.in lxc-1.0.9/hooks/Makefile.in --- lxc-1.0.8/hooks/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/hooks/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,12 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = hooks -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -138,6 +148,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -254,6 +265,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -292,6 +304,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -323,7 +336,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu hooks/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu hooks/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -530,6 +542,8 @@ mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \ uninstall-am uninstall-hooksSCRIPTS +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/lxc.pc.in lxc-1.0.9/lxc.pc.in --- lxc-1.0.8/lxc.pc.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/lxc.pc.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,7 +1,8 @@ +prefix=@prefix@ bindir=@BINDIR@ -libdir=@LIBDIR@ +libdir=${prefix}/@LIBDIR@ localstatedir=@LOCALSTATEDIR@ -includedir=@INCLUDEDIR@ +includedir=${prefix}/@INCLUDEDIR@ rootfsmountdir=@LXCROOTFSMOUNT@ Name: lxc diff -Nru lxc-1.0.8/lxc.spec lxc-1.0.9/lxc.spec --- lxc-1.0.8/lxc.spec 2015-11-09 22:49:28.000000000 +0000 +++ lxc-1.0.9/lxc.spec 2016-11-23 19:11:17.000000000 +0000 @@ -45,7 +45,7 @@ %endif Name: lxc -Version: 1.0.8 +Version: 1.0.9 Release: %{?beta_rel:0.1.%{beta_rel}}%{?!beta_rel:%{norm_rel}}%{?dist} URL: http://linuxcontainers.org Source: http://linuxcontainers.org/downloads/%{name}-%{version}%{?beta_dot}.tar.gz @@ -147,9 +147,6 @@ %{_sbindir}/* %{_libdir}/*.so.* %{_libdir}/%{name} -%if %{with_python} -%{_libdir}/python* -%endif %{_localstatedir}/* %{_libexecdir}/%{name} %attr(4111,root,root) %{_libexecdir}/%{name}/lxc-user-nic @@ -159,8 +156,7 @@ %endif %if %{with_python} -%{_libdir}/python3.3/site-packages/_lxc* -%{_libdir}/python3.3/site-packages/lxc/* +%{python3_sitearch}/* %endif %if %{with_lua} diff -Nru lxc-1.0.8/lxc.spec.in lxc-1.0.9/lxc.spec.in --- lxc-1.0.8/lxc.spec.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/lxc.spec.in 2016-11-23 19:10:02.000000000 +0000 @@ -147,9 +147,6 @@ %{_sbindir}/* %{_libdir}/*.so.* %{_libdir}/%{name} -%if %{with_python} -%{_libdir}/python* -%endif %{_localstatedir}/* %{_libexecdir}/%{name} %attr(4111,root,root) %{_libexecdir}/%{name}/lxc-user-nic 
@@ -159,8 +156,7 @@ %endif %if %{with_python} -%{_libdir}/python3.3/site-packages/_lxc* -%{_libdir}/python3.3/site-packages/lxc/* +%{python3_sitearch}/* %endif %if %{with_lua} diff -Nru lxc-1.0.8/MAINTAINERS lxc-1.0.9/MAINTAINERS --- lxc-1.0.8/MAINTAINERS 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/MAINTAINERS 2016-11-23 19:10:02.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer ---------- -Committers : Daniel Lezcano (inactive), Serge Hallyn, Stéphane Graber and Dwight Engen +Committers : Serge Hallyn, Stéphane Graber, Dwight Engen and Christian Brauner Mail patches to : lxc-devel@lists.linuxcontainers.org Send pull requests at : https://github.com/lxc/lxc Mailing lists : lxc-devel@lists.linuxcontainers.org, lxc-users@lists.linuxcontainers.org diff -Nru lxc-1.0.8/Makefile.in lxc-1.0.9/Makefile.in --- lxc-1.0.8/Makefile.in 2015-11-09 22:49:19.000000000 +0000 +++ lxc-1.0.9/Makefile.in 2016-11-23 19:10:05.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -17,7 +17,17 @@ # Makefile.am VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -83,21 +93,13 @@ @ENABLE_LUA_TRUE@am__append_1 = --with lua @ENABLE_PYTHON_TRUE@am__append_2 = --with python subdir = . -DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \ - $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/configure $(am__configure_deps) \ - $(srcdir)/lxc.pc.in $(srcdir)/lxc.spec.in \ - $(top_srcdir)/doc/legacy/lxc-ls.sgml.in \ - $(top_srcdir)/doc/ja/legacy/lxc-ls.sgml.in \ - $(top_srcdir)/src/lxc/legacy/lxc-ls.in COPYING \ - $(top_srcdir)/config/compile $(top_srcdir)/config/config.guess \ - $(top_srcdir)/config/config.sub \ - $(top_srcdir)/config/install-sh $(top_srcdir)/config/missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \ + $(am__configure_deps) $(am__DIST_COMMON) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d @@ -189,6 +191,15 @@ ETAGS = etags CTAGS = ctags CSCOPE = cscope +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc.pc.in \ + $(srcdir)/lxc.spec.in $(top_srcdir)/config/compile \ + $(top_srcdir)/config/config.guess \ + $(top_srcdir)/config/config.sub \ + $(top_srcdir)/config/install-sh $(top_srcdir)/config/missing \ + $(top_srcdir)/doc/ja/legacy/lxc-ls.sgml.in \ + $(top_srcdir)/doc/legacy/lxc-ls.sgml.in \ + $(top_srcdir)/src/lxc/legacy/lxc-ls.in AUTHORS COPYING \ + ChangeLog INSTALL NEWS README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -346,6 +357,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -384,6 +396,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -422,7 +435,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -660,15 +672,15 @@ $(am__post_remove_distdir) dist-tarZ: distdir - @echo WARNING: "Support for shar distribution archives is" \ - "deprecated." >&2 + @echo WARNING: "Support for distribution archives compressed with" \ + "legacy program 'compress' is deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__post_remove_distdir) dist-shar: distdir - @echo WARNING: "Support for distribution archives compressed with" \ - "legacy program 'compress' is deprecated." >&2 + @echo WARNING: "Support for shar distribution archives is" \ + "deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__post_remove_distdir) 
@@ -704,17 +716,17 @@ esac chmod -R a-w $(distdir) chmod u+w $(distdir) - mkdir $(distdir)/_build $(distdir)/_inst + mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ - && $(am__cd) $(distdir)/_build \ - && ../configure \ + && $(am__cd) $(distdir)/_build/sub \ + && ../../configure \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ - --srcdir=.. --prefix="$$dc_install_base" \ + --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ @@ -892,6 +904,8 @@ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \ tags-am uninstall uninstall-am uninstall-pcdataDATA +.PRECIOUS: Makefile + install-data-local: $(MKDIR_P) $(DESTDIR)$(LXCPATH) diff -Nru lxc-1.0.8/src/include/ifaddrs.c lxc-1.0.9/src/include/ifaddrs.c --- lxc-1.0.8/src/include/ifaddrs.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/include/ifaddrs.c 2016-11-23 19:10:02.000000000 +0000 @@ -473,7 +473,9 @@ { l_mask[i] = 0xff; } - l_mask[i] = 0xff << (8 - (l_prefix % 8)); + if (l_prefix % 8) { + l_mask[i] = 0xff << (8 - (l_prefix % 8)); + } makeSockaddr(l_entry->ifa_addr->sa_family, (struct sockaddr *)l_addr, l_mask, l_maxPrefix / 8); l_entry->ifa_netmask = (struct sockaddr *)l_addr; diff -Nru lxc-1.0.8/src/include/lxcmntent.h lxc-1.0.9/src/include/lxcmntent.h --- lxc-1.0.8/src/include/lxcmntent.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/include/lxcmntent.h 2016-11-23 19:10:02.000000000 +0000 
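Review bot: The new `if (l_prefix % 8)` guard in the `@@ -473,7 +473,9 @@` hunk of src/include/ifaddrs.c has no comment explaining why the partial-byte store must be skipped. After the fill loop, `i` indexes the byte following the last 0xff byte, so for a whole-byte prefix the old unconditional store wrote a truncated zero there. For a full-length prefix that byte presumably lies past the end of the mask, but the declaration of `l_mask` is outside the hunk. I would add `/* whole-byte prefix: no partial byte to fill, and l_mask[i] may be one past the mask */` above the guard. The enclosing function starts and ends outside the hunk.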
@@ -38,15 +38,15 @@ extern struct mntent *getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz); #endif -#ifndef HAVE_SETMNTENT +#if !defined(HAVE_SETMNTENT) || IS_BIONIC FILE *setmntent (const char *file, const char *mode); #endif -#ifndef HAVE_ENDMNTENT +#if !defined(HAVE_ENDMNTENT) || IS_BIONIC int endmntent (FILE *stream); #endif -#ifndef HAVE_HASMNTOPT +#if !defined(HAVE_HASMNTOPT) || IS_BIONIC extern char *hasmntopt (const struct mntent *mnt, const char *opt); #endif diff -Nru lxc-1.0.8/src/lua-lxc/Makefile.in lxc-1.0.9/src/lua-lxc/Makefile.in --- lxc-1.0.8/src/lua-lxc/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/src/lua-lxc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -81,13 +91,12 @@ host_triplet = @host@ @ENABLE_LUA_TRUE@so_PROGRAMS = core.so$(EXEEXT) subdir = src/lua-lxc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/config/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = @@ -186,6 +195,7 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/config/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -302,6 +312,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -340,6 +351,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -382,7 +394,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/lua-lxc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/lua-lxc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -710,6 +721,8 @@ ps ps-am tags tags-am uninstall uninstall-am uninstall-luaDATA \ uninstall-soPROGRAMS +.PRECIOUS: Makefile + @ENABLE_LUA_TRUE@lxc.lua: diff -Nru lxc-1.0.8/src/lxc/arguments.h lxc-1.0.9/src/lxc/arguments.h --- lxc-1.0.8/src/lxc/arguments.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/arguments.h 2016-11-23 19:10:02.000000000 +0000 
@@ -121,8 +121,6 @@ extern int lxc_arguments_str_to_int(struct lxc_arguments *args, const char *str); -extern const char *lxc_strerror(int errnum); - #define lxc_error(arg, fmt, args...) if (!(arg)->quiet) \ fprintf(stderr, "%s: " fmt "\n", (arg)->progname, ## args) diff -Nru lxc-1.0.8/src/lxc/attach.c lxc-1.0.9/src/lxc/attach.c --- lxc-1.0.8/src/lxc/attach.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/attach.c 2016-11-23 19:10:02.000000000 +0000 @@ -22,41 +22,43 @@ */ #define _GNU_SOURCE -#include -#include -#include -#include -#include #include #include #include +#include +#include +#include +#include +#include +#include +#include +#include #include #include -#include #include #include #include -#include -#include #if !HAVE_DECL_PR_CAPBSET_DROP #define PR_CAPBSET_DROP 24 #endif -#include "namespace.h" -#include "log.h" +#include "af_unix.h" #include "attach.h" #include "caps.h" -#include "config.h" -#include "utils.h" -#include "commands.h" #include "cgroup.h" -#include "lxclock.h" +#include "commands.h" #include "conf.h" +#include "config.h" +#include "confile.h" +#include "log.h" +#include "lxclock.h" #include "lxcseccomp.h" -#include +#include "namespace.h" +#include "utils.h" #include "lsm/lsm.h" -#include "confile.h" + +#include #if HAVE_SYS_PERSONALITY_H #include 
@@ -76,80 +78,103 @@ lxc_log_define(lxc_attach, lxc); -int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) { +static int lsm_openat(int procfd, pid_t pid, int on_exec) +{ + int ret = -1; int labelfd = -1; - int ret = 0; const char* name; - char* command = NULL; +#define __LSMATTRLEN /* /proc */ (5 + /* /pid-to-str */ 21 + /* /current */ 7 + /* \0 */ 1) + char path[__LSMATTRLEN]; name = lsm_name(); if (strcmp(name, "nop") == 0) - goto out; + return 0; if (strcmp(name, "none") == 0) - goto out; + return 0; /* We don't support on-exec with AppArmor */ if (strcmp(name, "AppArmor") == 0) on_exec = 0; if (on_exec) { - labelfd = openat(procfd, "self/attr/exec", O_RDWR); - } - else { - labelfd = openat(procfd, "self/attr/current", O_RDWR); + ret = snprintf(path, __LSMATTRLEN, "%d/attr/exec", pid); + if (ret < 0 || ret >= __LSMATTRLEN) + return -1; + labelfd = openat(procfd, path, O_RDWR); + } else { + ret = snprintf(path, __LSMATTRLEN, "%d/attr/current", pid); + if (ret < 0 || ret >= __LSMATTRLEN) + return -1; + labelfd = openat(procfd, path, O_RDWR); } if (labelfd < 0) { SYSERROR("Unable to open LSM label"); - ret = -1; - goto out; + return -1; } + return labelfd; +} + +static int lsm_set_label_at(int lsm_labelfd, int on_exec, char *lsm_label) +{ + int fret = -1; + const char* name; + char *command = NULL; + + name = lsm_name(); + + if (strcmp(name, "nop") == 0) + return 0; + + if (strcmp(name, "none") == 0) + return 0; + + /* We don't support on-exec with AppArmor */ + if (strcmp(name, "AppArmor") == 0) + on_exec = 0; + if (strcmp(name, "AppArmor") == 0) { int size; command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); if (!command) { SYSERROR("Failed to write apparmor profile"); - ret = -1; goto out; } size = sprintf(command, "changeprofile %s", lsm_label); if (size < 0) { SYSERROR("Failed to write apparmor profile"); - ret = -1; goto out; } - if (write(labelfd, command, size + 1) < 0) { - SYSERROR("Unable to set LSM label"); - ret = -1; + if 
(write(lsm_labelfd, command, size + 1) < 0) { + SYSERROR("Unable to set LSM label: %s.", command); goto out; } - } - else if (strcmp(name, "SELinux") == 0) { - if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { + INFO("Set LSM label to: %s.", command); + } else if (strcmp(name, "SELinux") == 0) { + if (write(lsm_labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { SYSERROR("Unable to set LSM label"); - ret = -1; goto out; } - } - else { + INFO("Set LSM label to: %s.", lsm_label); + } else { ERROR("Unable to restore label for unknown LSM: %s", name); - ret = -1; goto out; } + fret = 0; out: free(command); - if (labelfd != -1) - close(labelfd); + if (lsm_labelfd != -1) + close(lsm_labelfd); - return ret; + return fret; } static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) @@ -646,7 +671,6 @@ struct lxc_proc_context_info* init_ctx; lxc_attach_exec_t exec_function; void* exec_payload; - int procfd; }; static int attach_child_main(void* data); @@ -661,6 +685,7 @@ struct lxc_proc_context_info *i, lxc_attach_options_t *options) { struct lxc_container *c; + char *path; if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) return true; @@ -669,8 +694,26 @@ if (!c) return false; i->container = c; - if (!c->lxc_conf) + + /* Initialize an empty lxc_conf */ + if (!c->set_config_item(c, "lxc.seccomp", "")) { + return false; + } + + /* Fetch the current profile path over the cmd interface */ + path = c->get_running_config_item(c, "lxc.seccomp"); + if (!path) { + return true; + } + + /* Copy the value into the new lxc_conf */ + if (!c->set_config_item(c, "lxc.seccomp", path)) { + free(path); return false; + } + free(path); + + /* Attempt to parse the resulting config */ if (lxc_read_seccomp_config(c->lxc_conf) < 0) { ERROR("Error reading seccomp policy"); return false; @@ -699,7 +742,6 @@ char* cwd; char* new_cwd; int ipc_sockets[2]; - int procfd; signed long personality; if (!options) 
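Review bot: Ownership of the label descriptor is split between `lsm_set_label_at()` and its caller. The `out:` path closes `lsm_labelfd`, the early `return 0` for the "nop"/"none" LSM names does not, and the caller in `attach_child_main` (hunk `@@ -1116,30 +1199,52 @@`) calls `close(lsm_labelfd)` again on both its success and failure paths. The second close hits a descriptor number that is already released, so either drop the close from `out:` and let the caller own the fd, or document that the function consumes it. `lsm_openat()` also returns 0 for "nop"/"none", which the parent (hunk `@@ -867,10 +926,40 @@`) cannot tell from a valid descriptor 0 because it only tests `labelfd < 0`; a distinct sentinel or an out-parameter would avoid passing fd 0 to the child. The `__LSMATTRLEN` comment does not match the `"%d/attr/current"` format it sizes, although the total is large enough.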
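Review bot: In the `@@ -669,8 +694,26 @@` hunk, `if (!path) return true;` treats every NULL from `get_running_config_item(c, "lxc.seccomp")` as "no seccomp profile configured". If the lookup over the command interface can fail for another reason (not visible here), the attached process would run without the container's filter. Fail closed on error if the API can distinguish the two cases; at minimum log it, e.g. `INFO("No seccomp policy reported by the running container; attaching without one");`. On the `return false` paths `c` is already stored in `i->container`, so cleanup presumably happens in the caller, which is outside the hunk.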
@@ -769,9 +811,15 @@ * X <------------------------------------ send 1 * [add to cgroup, ...] * send 2 ------------------------------------> X + * [set LXC_ATTACH_NO_NEW_PRIVS] + * X <------------------------------------ send 3 + * [open LSM label fd] + * send 4 ------------------------------------> X + * [set LSM label] * close socket close socket * run program */ + ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets); if (ret < 0) { SYSERROR("could not set up required IPC mechanism for attaching"); @@ -802,6 +850,7 @@ } if (pid) { + int procfd = -1; pid_t to_cleanup_pid = pid; /* initial thread, we close the socket that is for the @@ -816,6 +865,15 @@ goto cleanup_error; } + /* Open /proc before setns() to the containers namespace so we + * don't rely on any information from inside the container. + */ + procfd = open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC); + if (procfd < 0) { + SYSERROR("Unable to open /proc."); + goto cleanup_error; + } + /* Let the child process know to go ahead */ status = 0; ret = lxc_write_nointr(ipc_sockets[0], &status, sizeof(status)); @@ -828,7 +886,8 @@ ret = lxc_read_nointr_expect(ipc_sockets[0], &attached_pid, sizeof(attached_pid), NULL); if (ret <= 0) { if (ret != 0) - ERROR("error using IPC to receive pid of attached process"); + ERROR("error using IPC to receive notification " + "from attached process (1)"); goto cleanup_error; } 
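Review bot: `procfd` from the `@@ -816,6 +865,15 @@` hunk is closed only in the cleanup block touched by `@@ -888,6 +977,8 @@`; none of the visible hunks closes it on the success path after the LSM descriptor has been sent. This is the long-lived parent side, so each successful attach would keep a `/proc` directory descriptor open in the calling process; `O_CLOEXEC` only keeps it out of exec'd programs. I would add `close(procfd);` right after the LSM block, before the socket is shut down. The rest of the function lies outside the hunks, so this should be confirmed against the full source.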
@@ -867,10 +926,40 @@ status = 2; ret = lxc_write_nointr(ipc_sockets[0], &status, sizeof(status)); if (ret <= 0) { - ERROR("error using IPC to notify attached process for initialization (2)"); + ERROR("Error using IPC to notify attached process for " + "initialization (2): %s.", strerror(errno)); + goto cleanup_error; + } + + /* Wait for the (grand)child to tell us that it's ready to set + * up its LSM labels. + */ + expected = 3; + ret = lxc_read_nointr_expect(ipc_sockets[0], &status, sizeof(status), &expected); + if (ret <= 0) { + ERROR("Error using IPC for the child to tell us to open LSM fd (3): %s.", + strerror(errno)); goto cleanup_error; } + /* Open LSM fd and send it to child. */ + if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { + int on_exec, labelfd; + on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; + /* Open fd for the LSM security module. */ + labelfd = lsm_openat(procfd, attached_pid, on_exec); + if (labelfd < 0) + goto cleanup_error; + + /* Send child fd of the LSM security module to write to. */ + ret = lxc_abstract_unix_send_fd(ipc_sockets[0], labelfd, NULL, 0); + if (ret <= 0) { + ERROR("Error using IPC to send child LSM fd (4): %s.", + strerror(errno)); + goto cleanup_error; + } + } + /* now shut down communication with child, we're done */ shutdown(ipc_sockets[0], SHUT_RDWR); close(ipc_sockets[0]); @@ -888,6 +977,8 @@ /* first shut down the socket, then wait for the pid, * otherwise the pid we're waiting for may never exit */ + if (procfd >= 0) + close(procfd); shutdown(ipc_sockets[0], SHUT_RDWR); close(ipc_sockets[0]); if (to_cleanup_pid) @@ -911,13 +1002,6 @@ rexit(-1); } - procfd = open("/proc", O_DIRECTORY | O_RDONLY); - if (procfd < 0) { - SYSERROR("Unable to open /proc"); - shutdown(ipc_sockets[1], SHUT_RDWR); - rexit(-1); - } - /* attach now, create another subprocess later, since pid namespaces * only really affect the children of the current process */ 
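Review bot: `labelfd` returned by `lsm_openat()` in the `@@ -867,10 +926,40 @@` hunk is never closed in the parent, neither after `lxc_abstract_unix_send_fd()` succeeds nor before `goto cleanup_error` when it fails. The child receives its own copy, so the parent keeps a writable descriptor on the attached process's `attr/current` or `attr/exec` file for as long as the calling process lives. Add `close(labelfd);` immediately after the send call, before the `ret <= 0` check. The new error messages also print `strerror(errno)` when `ret == 0`, presumably a closed peer, in which case errno was not set by the failing call.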
@@ -945,8 +1029,7 @@ .options = options, .init_ctx = init_ctx, .exec_function = exec_function, - .exec_payload = exec_payload, - .procfd = procfd + .exec_payload = exec_payload }; /* We use clone_parent here to make this subprocess a direct child of * the initial process. Then this intermediate process can exit and @@ -984,7 +1067,6 @@ { struct attach_clone_payload* payload = (struct attach_clone_payload*)data; int ipc_socket = payload->ipc_socket; - int procfd = payload->procfd; lxc_attach_options_t* options = payload->options; struct lxc_proc_context_info* init_ctx = payload->init_ctx; #if HAVE_SYS_PERSONALITY_H @@ -995,6 +1077,7 @@ int expected; long flags; int fd; + int lsm_labelfd; uid_t new_uid; gid_t new_gid; @@ -1005,7 +1088,7 @@ status = -1; ret = lxc_read_nointr_expect(ipc_socket, &status, sizeof(status), &expected); if (ret <= 0) { - ERROR("error using IPC to receive notification from initial process (0)"); + ERROR("Error using IPC to receive notification from initial process (0): %s.", strerror(errno)); shutdown(ipc_socket, SHUT_RDWR); rexit(-1); } @@ -1104,7 +1187,7 @@ status = 1; ret = lxc_write_nointr(ipc_socket, &status, sizeof(status)); if (ret != sizeof(status)) { - ERROR("error using IPC to notify initial process for initialization (1)"); + ERROR("Error using IPC to notify initial process for initialization (1): %s.", strerror(errno)); shutdown(ipc_socket, SHUT_RDWR); rexit(-1); } 
@@ -1116,30 +1199,52 @@ status = -1; ret = lxc_read_nointr_expect(ipc_socket, &status, sizeof(status), &expected); if (ret <= 0) { - ERROR("error using IPC to receive final notification from initial process (2)"); + ERROR("Error using IPC to receive message from initial process " + "that it is done pre-initializing (2): %s", + strerror(errno)); shutdown(ipc_socket, SHUT_RDWR); rexit(-1); } - shutdown(ipc_socket, SHUT_RDWR); - close(ipc_socket); + /* Tell the (grand)parent to send us LSM label fd. */ + status = 3; + ret = lxc_write_nointr(ipc_socket, &status, sizeof(status)); + if (ret <= 0) { + ERROR("Error using IPC to tell parent to set up LSM labels (3): %s.", strerror(errno)); + shutdown(ipc_socket, SHUT_RDWR); + rexit(-1); + } - /* set new apparmor profile/selinux context */ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { int on_exec; + /* Receive fd for LSM security module. */ + ret = lxc_abstract_unix_recv_fd(ipc_socket, &lsm_labelfd, NULL, 0); + if (ret <= 0) { + ERROR("Error using IPC for parent to tell us LSM label fd (4): %s.", strerror(errno)); + shutdown(ipc_socket, SHUT_RDWR); + rexit(-1); + } + /* Change into our new LSM profile. */ on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; - if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) { + if (lsm_set_label_at(lsm_labelfd, on_exec, init_ctx->lsm_label) < 0) { + SYSERROR("Failed to set LSM label."); + shutdown(ipc_socket, SHUT_RDWR); + close(lsm_labelfd); rexit(-1); } + close(lsm_labelfd); } if (init_ctx->container && init_ctx->container->lxc_conf && lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) { ERROR("Loading seccomp policy"); + shutdown(ipc_socket, SHUT_RDWR); rexit(-1); } + shutdown(ipc_socket, SHUT_RDWR); + close(ipc_socket); lxc_proc_put_context_info(init_ctx); /* The following is done after the communication socket is 
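Review bot: `lsm_labelfd` is declared without an initial value (hunk `@@ -995,6 +1077,7 @@`) and is used as soon as `lxc_abstract_unix_recv_fd()` returns a positive count. If that helper can report success without a descriptor attached to the message (its body is not on this page), `lsm_set_label_at()` would write the label to whatever number the variable holds. Initialise it with `int lsm_labelfd = -1;` and reject `lsm_labelfd < 0` after the receive, before calling `lsm_set_label_at()`.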
@@ -1180,9 +1285,6 @@ } } - /* we don't need proc anymore */ - close(procfd); - /* we're done, so we can now do whatever the user intended us to do */ rexit(payload->exec_function(payload->exec_payload)); } diff -Nru lxc-1.0.8/src/lxc/bdev.c lxc-1.0.9/src/lxc/bdev.c --- lxc-1.0.8/src/lxc/bdev.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/bdev.c 2016-11-23 19:10:02.000000000 +0000 @@ -102,7 +102,7 @@ s[l-2] = '/'; s[l-1] = '\0'; - execlp("rsync", "rsync", "-aHX", "--delete", s, dest, (char *)NULL); + execlp("rsync", "rsync", "-aHXS", "--delete", s, dest, (char *)NULL); exit(1); } @@ -660,6 +660,9 @@ if ((pid = fork()) < 0) return -1; if (!pid) { + int dev0 = open("/dev/null", O_WRONLY); + if (dev0 >= 0) + dup2(dev0, STDERR_FILENO); execlp("zfs", "zfs", "destroy", path1, NULL); exit(1); } @@ -740,7 +743,7 @@ return -1; *p = '\0'; - execlp("zfs", "zfs", "destroy", output, NULL); + execlp("zfs", "zfs", "destroy", "-r", output, NULL); exit(1); } @@ -1720,7 +1723,7 @@ struct btrfs_ioctl_search_header *sh; struct btrfs_root_ref *ref; struct my_btrfs_tree *tree; - int ret, i; + int ret, e, i; unsigned long off = 0; int name_len; char *name; @@ -1733,8 +1736,9 @@ } if (btrfs_list_get_path_rootid(fd, &root_id)) { + e = errno; close(fd); - if (errno == EPERM || errno == EACCES) { + if (e == EPERM || e == EACCES) { WARN("Will simply try removing"); goto ignore_search; } @@ -1765,10 +1769,16 @@ while(1) { ret = ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args); + e = errno; if (ret < 0) { close(fd); - ERROR("Error: can't perform the search under %s\n", path); free_btrfs_tree(tree); + if (e == EPERM || e == EACCES) { + WARN("Warn: can't perform the search under %s. Will simply try removing", path); + goto ignore_search; + } + + ERROR("Error: can't perform the search under %s\n", path); return -1; } if (sk->nr_items == 0) 
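Review bot: The `/dev/null` descriptor opened in the `@@ -660,6 +660,9 @@` hunk of src/lxc/bdev.c stays open after `dup2(dev0, STDERR_FILENO)`, so `zfs` inherits an extra descriptor besides stderr. Close it once duplicated: `if (dev0 >= 0) { dup2(dev0, STDERR_FILENO); close(dev0); }`. Discarding stderr also hides the reason when `zfs destroy` fails, and the later hunk `@@ -740,7 +743,7 @@` makes the other destroy recursive with `-r`. A one-line comment on each stating the reason would help the next reader, since the rationale is not visible in the diff.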
@@ -1887,7 +1897,7 @@ static int find_free_loopdev_no_control(int *retfd, char *namep) { - struct dirent dirent, *direntp; + struct dirent *direntp; struct loop_info64 lo; DIR *dir; int fd = -1; @@ -1897,8 +1907,8 @@ SYSERROR("Error opening /dev"); return -1; } - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { if (!direntp) break; if (strncmp(direntp->d_name, "loop", 4) != 0) diff -Nru lxc-1.0.8/src/lxc/cgfs.c lxc-1.0.9/src/lxc/cgfs.c --- lxc-1.0.8/src/lxc/cgfs.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/cgfs.c 2016-11-23 19:10:02.000000000 +0000 @@ -155,7 +155,7 @@ static int cgroup_rmdir(char *dirname) { - struct dirent dirent, *direntp; + struct dirent *direntp; int saved_errno = 0; DIR *dir; int ret, failed=0; @@ -167,7 +167,7 @@ return -1; } - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { struct stat mystat; int rc; @@ -348,6 +348,14 @@ *colon2 = '\0'; colon2 = NULL; + + /* With cgroupv2 /proc/self/cgroup can contain entries of the + * form: 0::/ + * These entries need to be skipped. + */ + if (!strcmp(colon1, "")) + continue; + hierarchy_number = strtoul(line, &colon2, 10); if (!colon2 || *colon2) continue; @@ -432,6 +440,7 @@ struct cgroup_mount_point *mount_point; struct cgroup_hierarchy *h; char **subsystems; + bool is_lxcfs = false; if (line[0] && line[strlen(line) - 1] == '\n') line[strlen(line) - 1] = '\0'; 
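Review bot: The `readdir()` loops introduced in `find_free_loopdev_no_control` (bdev.c, `@@ -1897,8 +1907,8 @@`) and `cgroup_rmdir` (cgfs.c, `@@ -167,7 +167,7 @@`) cannot tell end-of-directory from a read error. `readdir()` returns NULL for both, and `errno` is neither cleared before the call nor examined after the loop. In `cgroup_rmdir` a read error would end the walk early as if the directory were exhausted. Set `errno = 0;` before each `readdir()` call and check it once the loop ends. In bdev.c the retained `if (!direntp) break;` is now unreachable and can be removed.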
@@ -470,15 +479,23 @@ continue; /* not a cgroup filesystem */ - if (strcmp(tokens[j + 1], "cgroup") != 0) - continue; - - subsystems = subsystems_from_mount_options(tokens[j + 3], kernel_subsystems); + if (strcmp(tokens[j + 1], "cgroup") != 0) { + if (strcmp(tokens[j + 1], "fuse.lxcfs") != 0) + continue; + if (strncmp(tokens[4], "/sys/fs/cgroup/", 15) != 0) + continue; + is_lxcfs = true; + char *curtok = tokens[4] + 15; + subsystems = subsystems_from_mount_options(curtok, + kernel_subsystems); + } else + subsystems = subsystems_from_mount_options(tokens[j + 3], + kernel_subsystems); if (!subsystems) goto out; h = NULL; - for (k = 1; k <= meta_data->maximum_hierarchy; k++) { + for (k = 0; k <= meta_data->maximum_hierarchy; k++) { if (meta_data->hierarchies[k] && meta_data->hierarchies[k]->subsystems[0] && lxc_string_in_array(meta_data->hierarchies[k]->subsystems[0], (const char **)subsystems)) { @@ -502,8 +519,11 @@ meta_data->mount_points[mount_point_count++] = mount_point; mount_point->hierarchy = h; + if (is_lxcfs) + mount_point->mount_prefix = strdup("/"); + else + mount_point->mount_prefix = strdup(tokens[3]); mount_point->mount_point = strdup(tokens[4]); - mount_point->mount_prefix = strdup(tokens[3]); if (!mount_point->mount_point || !mount_point->mount_prefix) goto out; mount_point->read_only = !lxc_string_in_list("rw", tokens[5], ','); @@ -603,10 +623,10 @@ if (--meta_data->ref > 0) return meta_data; lxc_free_array((void **)meta_data->mount_points, (lxc_free_fn)lxc_cgroup_mount_point_free); - if (meta_data->hierarchies) { + if (meta_data->hierarchies) for (i = 0; i <= meta_data->maximum_hierarchy; i++) - lxc_cgroup_hierarchy_free(meta_data->hierarchies[i]); - } + if (meta_data->hierarchies[i]) + lxc_cgroup_hierarchy_free(meta_data->hierarchies[i]); free(meta_data->hierarchies); free(meta_data); return NULL; 
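Review bot: In the `@@ -470,15 +479,23 @@` hunk the literal 15 is the length of "/sys/fs/cgroup/" and is written twice, in `strncmp(tokens[4], "/sys/fs/cgroup/", 15)` and in `tokens[4] + 15`. A named constant or `strlen()` of one shared string would keep the two in step. The branch also passes the remainder of the mount point path to `subsystems_from_mount_options()` in place of mount options. That deserves a comment such as `/* lxcfs: the directory name under /sys/fs/cgroup/ stands in for the controller list */` (my reading of the code, to be confirmed). The `if { … } else` arms also mix braced and unbraced bodies.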
@@ -617,12 +637,19 @@ size_t i; for (i = 0; i <= meta_data->maximum_hierarchy; i++) { struct cgroup_hierarchy *h = meta_data->hierarchies[i]; + if (!h) + continue; if (h && lxc_string_in_array(subsystem, (const char **)h->subsystems)) return h; } return NULL; } +static bool mountpoint_is_accessible(struct cgroup_mount_point *mp) +{ + return mp && access(mp->mount_point, F_OK) == 0; +} + static struct cgroup_mount_point *lxc_cgroup_find_mount_point(struct cgroup_hierarchy *hierarchy, const char *group, bool should_be_writable) { struct cgroup_mount_point **mps; @@ -630,9 +657,9 @@ ssize_t quality = -1; /* trivial case */ - if (hierarchy->rw_absolute_mount_point) + if (mountpoint_is_accessible(hierarchy->rw_absolute_mount_point)) return hierarchy->rw_absolute_mount_point; - if (!should_be_writable && hierarchy->ro_absolute_mount_point) + if (!should_be_writable && mountpoint_is_accessible(hierarchy->ro_absolute_mount_point)) return hierarchy->ro_absolute_mount_point; for (mps = hierarchy->all_mount_points; mps && *mps; mps++) { @@ -642,6 +669,9 @@ if (prefix_len == 1 && mp->mount_prefix[0] == '/') prefix_len = 0; + if (!mountpoint_is_accessible(mp)) + continue; + if (should_be_writable && mp->read_only) continue; @@ -836,6 +866,8 @@ /* find mount points we can use */ for (info_ptr = base_info; info_ptr; info_ptr = info_ptr->next) { h = info_ptr->hierarchy; + if (!h) + continue; mp = lxc_cgroup_find_mount_point(h, info_ptr->cgroup_path, true); if (!mp) { ERROR("Could not find writable mount point for cgroup hierarchy %d while trying to create cgroup.", h->index); @@ -923,6 +955,9 @@ for (i = 0, info_ptr = base_info; info_ptr; info_ptr = info_ptr->next, i++) { char *parts2[3]; + if (!info_ptr->hierarchy) + continue; + if (lxc_string_in_array("ns", (const char **)info_ptr->hierarchy->subsystems)) continue; current_entire_path = NULL; 
@@ -1017,6 +1052,8 @@ /* we're done, now update the paths */ for (i = 0, info_ptr = base_info; info_ptr; info_ptr = info_ptr->next, i++) { + if (!info_ptr->hierarchy) + continue; /* ignore legacy 'ns' subsystem here, lxc_cgroup_create_legacy * will take care of it * Since we do a continue in above loop, new_cgroup_paths[i] is @@ -1054,6 +1091,9 @@ int r; for (info_ptr = base_info; info_ptr; info_ptr = info_ptr->next) { + if (!info_ptr->hierarchy) + continue; + if (!lxc_string_in_array("ns", (const char **)info_ptr->hierarchy->subsystems)) continue; /* @@ -1097,7 +1137,6 @@ path = lxc_cmd_get_cgroup_path(name, lxcpath, h->subsystems[0]); if (!path) { h->used = false; - WARN("Not attaching to cgroup %s unknown to %s %s", h->subsystems[0], lxcpath, name); continue; } @@ -1139,6 +1178,9 @@ snprintf(pid_buf, 32, "%lu", (unsigned long)pid); for (info_ptr = info; info_ptr; info_ptr = info_ptr->next) { + if (!info_ptr->hierarchy) + continue; + char *cgroup_path = (enter_sub && info_ptr->cgroup_path_sub) ? info_ptr->cgroup_path_sub : info_ptr->cgroup_path; @@ -1284,10 +1326,13 @@ if ((p = strchr(subsystem, '.')) != NULL) *p = '\0'; + errno = ENOENT; path = lxc_cgroup_get_hierarchy_abs_path_data(subsystem, d); if (path) { ret = do_cgroup_set(path, filename, value); + int saved_errno = errno; free(path); + errno = saved_errno; } return ret; } @@ -1377,8 +1422,13 @@ for (info = base_info; info; info = info->next) { size_t subsystem_count, i; struct cgroup_mount_point *mp = info->designated_mount_point; - if (!mp) + + if (!info->hierarchy) + continue; + + if (!mountpoint_is_accessible(mp)) mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, true); + if (!mp) { SYSERROR("could not find original mount point for cgroup hierarchy while trying to mount cgroup filesystem"); goto out_error; 
@@ -1625,6 +1675,14 @@ *colon2++ = '\0'; endptr = NULL; + + /* With cgroupv2 /proc/self/cgroup can contain entries of the + * form: 0::/ + * These entries need to be skipped. + */ + if (!strcmp(colon1, "")) + continue; + hierarchy_number = strtoul(line, &endptr, 10); if (!endptr || *endptr) continue; @@ -1661,6 +1719,7 @@ entry->cgroup_path = strdup(colon2); if (!entry->cgroup_path) goto out_error; + prune_init_scope(entry->cgroup_path); *cptr = entry; cptr = &entry->next; @@ -1699,16 +1758,20 @@ * subsystems provided by the kernel OR if it starts * with name= for named hierarchies */ - if (!strncmp(token, "name=", 5) || lxc_string_in_array(token, (const char **)kernel_list)) { - r = lxc_grow_array((void ***)&result, &result_capacity, result_count + 1, 12); - if (r < 0) - goto out_free; - result[result_count + 1] = NULL; + r = lxc_grow_array((void ***)&result, &result_capacity, result_count + 1, 12); + if (r < 0) + goto out_free; + result[result_count + 1] = NULL; + if (strncmp(token, "name=", 5) && !lxc_string_in_array(token, (const char **)kernel_list)) { + // this is eg 'systemd' but the mount will be 'name=systemd' + result[result_count] = malloc(strlen(token) + 6); + if (result[result_count]) + sprintf(result[result_count], "name=%s", token); + } else result[result_count] = strdup(token); - if (!result[result_count]) - goto out_free; - result_count++; - } + if (!result[result_count]) + goto out_free; + result_count++; } return result; @@ -1733,9 +1796,16 @@ { if (!h) return; - lxc_free_array((void **)h->subsystems, free); - free(h->all_mount_points); + if (h->subsystems) { + lxc_free_array((void **)h->subsystems, free); + h->subsystems = NULL; + } + if (h->all_mount_points) { + free(h->all_mount_points); + h->all_mount_points = NULL; + } free(h); + h = NULL; } static bool is_valid_cgroup(const char *name) 
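Review bot: The comment kept above the rewritten block still says a token counts as a subsystem only when the kernel lists it or it starts with `name=`, but the new code appends every token and prefixes the non-matching ones with `name=`. If the caller passes a full mount-option string (the earlier hunk passes `tokens[j + 3]`), generic options would presumably become `name=` entries as well, which is worth confirming against the callers. At minimum the comment should describe the new rule, for example `/* keep every token; one that is neither name=... nor a kernel subsystem is treated as a named hierarchy */`. The sprintf() is sized correctly by `strlen(token) + 6`, but `snprintf()` with that same size would make the bound explicit.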
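Review bot: The added `h = NULL;` after `free(h);` only clears the function's own copy of the pointer, so the caller's pointer still refers to freed memory. The same applies to clearing `h->subsystems` and `h->all_mount_points` immediately before `free(h)`, since the struct holding them is released on the next line. If the aim is to guard against reuse after free, the caller has to reset its own slot, for example `meta_data->hierarchies[i] = NULL;` after the call in the meta-data teardown loop. Otherwise these assignments can be dropped to avoid suggesting a protection that is not there.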
@@ -1836,6 +1906,8 @@ struct cgroup_process_info *info_ptr; for (info_ptr = info; info_ptr; info_ptr = info_ptr->next) { struct cgroup_hierarchy *h = info_ptr->hierarchy; + if (!h) + continue; if (lxc_string_in_array(subsystem, (const char **)h->subsystems)) return info_ptr; } @@ -1913,7 +1985,12 @@ cgroup_devices_has_allow_or_deny(d, cg->value, true)) continue; if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) { - ERROR("Error setting %s to %s for %s", + if (do_devices && (errno == EACCES || errno == EPERM)) { + WARN("Error setting %s to %s for %s", + cg->subsystem, cg->value, d->name); + continue; + } + SYSERROR("Error setting %s to %s for %s", cg->subsystem, cg->value, d->name); goto out; } @@ -1991,26 +2068,14 @@ static int cgroup_recursive_task_count(const char *cgroup_path) { DIR *d; - struct dirent *dent_buf; struct dirent *dent; - ssize_t name_max; int n = 0, r; - /* see man readdir_r(3) */ - name_max = pathconf(cgroup_path, _PC_NAME_MAX); - if (name_max <= 0) - name_max = 255; - dent_buf = malloc(offsetof(struct dirent, d_name) + name_max + 1); - if (!dent_buf) - return -1; - d = opendir(cgroup_path); - if (!d) { - free(dent_buf); + if (!d) return 0; - } - while (readdir_r(d, dent_buf, &dent) == 0 && dent) { + while ((dent = readdir(d))) { const char *parts[3] = { cgroup_path, dent->d_name, @@ -2024,13 +2089,11 @@ sub_path = lxc_string_join("/", parts, false); if (!sub_path) { closedir(d); - free(dent_buf); return -1; } r = stat(sub_path, &st); if (r < 0) { closedir(d); - free(dent_buf); free(sub_path); return -1; } @@ -2046,7 +2109,6 @@ free(sub_path); } closedir(d); - free(dent_buf); return n; } 
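Review bot: The new `continue` on EACCES/EPERM means a devices cgroup entry that could not be applied no longer stops setup, so the container can start with a wider device policy than its configuration asks for, and the only trace is a WARN line. The cgmanager.c hunk at `@@ -1375,6 +1375,14 @@` goes further and continues on any failure when `do_devices` is set, without looking at the error kind. If this is meant for nested or unprivileged setups where the write is expected to fail, the message should say that the rule was skipped, for example `WARN("Could not apply %s = %s for %s, device restriction not enforced", ...)`. The two backends should also use the same condition. The check relies on errno surviving from lxc_cgroup_set_data(), which the `saved_errno` hunk earlier in this file provides.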
@@ -2221,6 +2283,33 @@ do_init_cpuset_file(mp, path, "/cpuset.mems") ); } +static void print_cgfs_init_debuginfo(struct cgfs_data *d) +{ + int i; + + if (!getenv("LXC_DEBUG_CGFS")) + return; + + DEBUG("Cgroup information:"); + DEBUG(" container name: %s", d->name); + if (!d->meta || !d->meta->hierarchies) { + DEBUG(" No hierarchies found."); + return; + } + DEBUG(" Controllers:"); + for (i = 0; i <= d->meta->maximum_hierarchy; i++) { + char **p; + struct cgroup_hierarchy *h = d->meta->hierarchies[i]; + if (!h) { + DEBUG(" Empty hierarchy number %d.", i); + continue; + } + for (p = h->subsystems; p && *p; p++) { + DEBUG(" %2d: %s", i, *p); + } + } +} + struct cgroup_ops *cgfs_ops_init(void) { return &cgfs_ops; @@ -2246,6 +2335,9 @@ ERROR("cgroupfs failed to detect cgroup metadata"); goto err2; } + + print_cgfs_init_debuginfo(d); + return d; err2: diff -Nru lxc-1.0.8/src/lxc/cgmanager.c lxc-1.0.9/src/lxc/cgmanager.c --- lxc-1.0.8/src/lxc/cgmanager.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/cgmanager.c 2016-11-23 19:10:02.000000000 +0000 @@ -502,9 +502,9 @@ for (i = 0; slist[i]; i++) { if (!lxc_cgmanager_chmod(slist[i], cgroup_path, "", 0775)) return false; - if (!lxc_cgmanager_chmod(slist[i], cgroup_path, "tasks", 0775)) + if (!lxc_cgmanager_chmod(slist[i], cgroup_path, "tasks", 0664)) return false; - if (!lxc_cgmanager_chmod(slist[i], cgroup_path, "cgroup.procs", 0775)) + if (!lxc_cgmanager_chmod(slist[i], cgroup_path, "cgroup.procs", 0664)) return false; } @@ -766,8 +766,8 @@ NihError *nerr; nerr = nih_error_get(); nih_free(nerr); - } - prune_init_scope(cgroup); + } else + prune_init_scope(cgroup); return cgroup; } 
@@ -1375,6 +1375,14 @@ d->cgroup_path, cg->subsystem, cg->value) != 0) { NihError *nerr; nerr = nih_error_get(); + if (do_devices) { + WARN("call to cgmanager_set_value_sync failed: %s", nerr->message); + nih_free(nerr); + WARN("Error setting cgroup %s:%s limit type %s", controller, + d->cgroup_path, cg->subsystem); + continue; + } + ERROR("call to cgmanager_set_value_sync failed: %s", nerr->message); nih_free(nerr); ERROR("Error setting cgroup %s:%s limit type %s", controller, diff -Nru lxc-1.0.8/src/lxc/cgroup.c lxc-1.0.9/src/lxc/cgroup.c --- lxc-1.0.8/src/lxc/cgroup.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/cgroup.c 2016-11-23 19:10:02.000000000 +0000 @@ -177,7 +177,12 @@ #define INIT_SCOPE "/init.scope" void prune_init_scope(char *cg) { - char *point = cg + strlen(cg) - strlen(INIT_SCOPE); + char *point; + + if (!cg) + return; + + point = cg + strlen(cg) - strlen(INIT_SCOPE); if (point < cg) return; if (strcmp(point, INIT_SCOPE) == 0) { diff -Nru lxc-1.0.8/src/lxc/conf.c lxc-1.0.9/src/lxc/conf.c --- lxc-1.0.8/src/lxc/conf.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/conf.c 2016-11-23 19:10:02.000000000 +0000 @@ -590,7 +590,7 @@ static int mount_rootfs_file(const char *rootfs, const char *target, const char *options) { - struct dirent dirent, *direntp; + struct dirent *direntp; struct loop_info64 loinfo; int ret = -1, fd = -1, rc; DIR *dir; @@ -602,8 +602,7 @@ return -1; } - while (!readdir_r(dir, &dirent, &direntp)) { - + while ((direntp = readdir(dir))) { if (!direntp) break; @@ -790,6 +789,7 @@ } if (!default_mounts[i].destination) { ERROR("BUG: auto mounts destination %d was NULL", i); + free(source); return -1; } /* will act like strdup if %r is not present */ @@ -1271,13 +1271,13 @@ if (!f) return 0; while (fgets(buf, LINELEN, f)) { - p = index(buf, ' '); + p = strchr(buf, ' '); if( !p ) continue; *p = '\0'; p2 = p + 1; - p = index(p2, ' '); + p = strchr(p2, ' '); if( !p ) continue; *p = '\0'; 
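Review bot: In prune_init_scope() the pointer `cg + strlen(cg) - strlen(INIT_SCOPE)` is still computed before the `point < cg` test, so for a path shorter than "/init.scope" the code forms a pointer before the start of the buffer, which is undefined behaviour even though it is never dereferenced. The added NULL check does not cover this case. Comparing lengths first avoids it: `size_t len = strlen(cg);` then `if (len < strlen(INIT_SCOPE)) return;` then `point = cg + len - strlen(INIT_SCOPE);`. The rest of the function is outside the hunk.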
@@ -1288,7 +1288,7 @@ } p2 = p + 1; - p = index( p2, ' '); + p = strchr( p2, ' '); if( !p ) continue; *p = '\0'; @@ -1461,7 +1461,7 @@ /* Only mount a tmpfs on here if we don't already a mount */ if ( ! mount_check_fs( host_path, NULL ) ) { DEBUG("Mounting tmpfs to %s", host_path ); - ret = safe_mount("none", path, "tmpfs", 0, "size=100000,mode=755", rootfs->path ? rootfs->mount : NULL); + ret = safe_mount("none", path, "tmpfs", 0, "size=500000,mode=755", rootfs->path ? rootfs->mount : NULL); } else { /* This allows someone to manually set up a mount */ DEBUG("Bind mounting %s to %s", host_path, path ); @@ -2513,7 +2513,7 @@ file = tmpfile(); if (!file) { - ERROR("tmpfile error: %m"); + ERROR("Could not create temporary file: %s.", strerror(errno)); return -1; } @@ -2933,14 +2933,17 @@ } /* try to move physical nics to the init netns */ -void restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf) +void lxc_restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf) { int i, ret, oldfd; char path[MAXPATHLEN]; + char ifname[IFNAMSIZ]; - if (netnsfd < 0) + if (netnsfd < 0 || conf->num_savednics == 0) return; + INFO("running to reset %d nic names", conf->num_savednics); + ret = snprintf(path, MAXPATHLEN, "/proc/self/ns/net"); if (ret < 0 || ret >= MAXPATHLEN) { WARN("Failed to open monitor netns fd"); 
@@ -2957,33 +2960,22 @@ } for (i=0; inum_savednics; i++) { struct saved_nic *s = &conf->saved_nics[i]; - if (lxc_netdev_move_by_index(s->ifindex, 1, NULL)) - WARN("Error moving nic index:%d back to host netns", - s->ifindex); + /* retrieve the name of the interface */ + if (!if_indextoname(s->ifindex, ifname)) { + WARN("no interface corresponding to index '%d'", s->ifindex); + continue; + } + if (lxc_netdev_move_by_name(ifname, 1, s->orig_name)) + WARN("Error moving nic name:%s back to host netns", ifname); + free(s->orig_name); } + conf->num_savednics = 0; + if (setns(oldfd, 0) != 0) SYSERROR("Failed to re-enter monitor's netns"); close(oldfd); } -void lxc_rename_phys_nics_on_shutdown(int netnsfd, struct lxc_conf *conf) -{ - int i; - - if (conf->num_savednics == 0) - return; - - INFO("running to reset %d nic names", conf->num_savednics); - restore_phys_nics_to_netns(netnsfd, conf); - for (i=0; inum_savednics; i++) { - struct saved_nic *s = &conf->saved_nics[i]; - INFO("resetting nic %d to %s", s->ifindex, s->orig_name); - lxc_netdev_rename_by_index(s->ifindex, s->orig_name); - free(s->orig_name); - } - conf->num_savednics = 0; -} - static char *default_rootfs_mount = LXCROOTFSMOUNT; struct lxc_conf *lxc_conf_init(void) @@ -3257,6 +3249,15 @@ DEBUG("instantiated vlan '%s', ifindex is '%d'", " vlan1000", netdev->ifindex); + if (netdev->mtu) { + err = lxc_netdev_set_mtu(peer, atoi(netdev->mtu)); + if (err) { + ERROR("failed to set mtu '%s' for %s : %s", + netdev->mtu, peer, strerror(-err)); + lxc_netdev_delete_by_name(peer); + return -1; + } + } return 0; } @@ -3420,7 +3421,9 @@ */ if (netdev->ifindex != 0 && lxc_netdev_delete_by_index(netdev->ifindex)) - WARN("failed to remove interface '%s'", netdev->name); + WARN("failed to remove interface %d '%s'", + netdev->ifindex, + netdev->name ? netdev->name : "(null)"); } } @@ -3517,6 +3520,7 @@ { struct lxc_list *iterator; struct lxc_netdev *netdev; + char ifname[IFNAMSIZ]; int am_root = (getuid() == 0); int err; 
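Review bot: The `continue` taken when if_indextoname() fails skips the `free(s->orig_name);` at the end of the loop body, and `conf->num_savednics = 0;` after the loop then drops the last reference, so that name is leaked. Adding `free(s->orig_name);` before the `continue` keeps the cleanup the same on both paths. The early returns of lxc_restore_phys_nics_to_netns() lie outside this hunk; if they also leave `saved_nics` populated, they deserve the same check, since the separate lxc_rename_phys_nics_on_shutdown() that used to free the names is removed here.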
@@ -3537,7 +3541,13 @@ if (!netdev->ifindex) continue; - err = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL); + /* retrieve the name of the interface */ + if (!if_indextoname(netdev->ifindex, ifname)) { + ERROR("no interface corresponding to index '%d'", netdev->ifindex); + return -1; + } + + err = lxc_netdev_move_by_name(ifname, pid, NULL); if (err) { ERROR("failed to move '%s' to the container : %s", netdev->link, strerror(-err)); @@ -3816,6 +3826,7 @@ } free(tty_info->pty_info); + tty_info->pty_info = NULL; tty_info->nbtty = 0; } diff -Nru lxc-1.0.8/src/lxc/conf.h lxc-1.0.9/src/lxc/conf.h --- lxc-1.0.8/src/lxc/conf.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/conf.h 2016-11-23 19:10:02.000000000 +0000 @@ -389,7 +389,7 @@ struct cgroup_process_info; extern int lxc_setup(struct lxc_handler *handler); -extern void lxc_rename_phys_nics_on_shutdown(int netnsfd, struct lxc_conf *conf); +extern void lxc_restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf); extern int find_unmapped_nsuid(struct lxc_conf *conf, enum idtype idtype); extern int mapped_hostid(unsigned id, struct lxc_conf *conf, enum idtype idtype); diff -Nru lxc-1.0.8/src/lxc/confile.c lxc-1.0.9/src/lxc/confile.c --- lxc-1.0.8/src/lxc/confile.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/confile.c 2016-11-23 19:10:02.000000000 +0000 @@ -483,6 +483,7 @@ else memset(retv, 0, inlen); + strprint(retv, inlen, "type\n"); strprint(retv, inlen, "script.up\n"); strprint(retv, inlen, "script.down\n"); if (netdev->type != LXC_NET_EMPTY) { @@ -932,7 +933,7 @@ free(netdev->ipv6_gateway); if (!value || strlen(value) == 0) { - netdev->ipv4_gateway = NULL; + netdev->ipv6_gateway = NULL; } else if (!strcmp(value, "auto")) { netdev->ipv6_gateway = NULL; netdev->ipv6_gateway_auto = true; @@ -1006,7 +1007,7 @@ struct lxc_conf *lxc_conf) { char *copy; - + if (!value || strlen(value) == 0) return lxc_clear_hooks(lxc_conf, key); 
@@ -1706,6 +1707,14 @@ value += lxc_char_left_gc(value, strlen(value)); value[lxc_char_right_gc(value, strlen(value))] = '\0'; + if (*value == '\'' || *value == '\"') { + size_t len = strlen(value); + if (len > 1 && value[len-1] == *value) { + value[len-1] = '\0'; + value++; + } + } + config = lxc_getconfig(key); if (!config) { ERROR("unknown key %s", key); @@ -1782,9 +1791,26 @@ { "i586", PER_LINUX32 }, { "i686", PER_LINUX32 }, { "athlon", PER_LINUX32 }, + { "mips", PER_LINUX32 }, + { "mipsel", PER_LINUX32 }, + { "ppc", PER_LINUX32 }, + { "arm", PER_LINUX32 }, + { "armv7l", PER_LINUX32 }, + { "armhf", PER_LINUX32 }, + { "armel", PER_LINUX32 }, + { "powerpc", PER_LINUX32 }, { "linux64", PER_LINUX }, { "x86_64", PER_LINUX }, { "amd64", PER_LINUX }, + { "mips64", PER_LINUX }, + { "mips64el", PER_LINUX }, + { "ppc64", PER_LINUX }, + { "ppc64le", PER_LINUX }, + { "ppc64el", PER_LINUX }, + { "powerpc64", PER_LINUX }, + { "s390x", PER_LINUX }, + { "aarch64", PER_LINUX }, + { "arm64", PER_LINUX }, }; size_t len = sizeof(pername) / sizeof(pername[0]); @@ -2252,7 +2278,7 @@ return lxc_clear_config_keepcaps(c); else if (strncmp(key, "lxc.cgroup", 10) == 0) return lxc_clear_cgroups(c, key); - else if (strcmp(key, "lxc.mount.entries") == 0) + else if (strcmp(key, "lxc.mount.entry") == 0) return lxc_clear_mount_entries(c); else if (strcmp(key, "lxc.mount.auto") == 0) return lxc_clear_automounts(c); diff -Nru lxc-1.0.8/src/lxc/console.c lxc-1.0.9/src/lxc/console.c --- lxc-1.0.8/src/lxc/console.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/console.c 2016-11-23 19:10:02.000000000 +0000 @@ -50,7 +50,7 @@ #include <../include/openpty.h> #endif -lxc_log_define(lxc_console, lxc); +lxc_log_define(console, lxc); static struct lxc_list lxc_ttys; diff -Nru lxc-1.0.8/src/lxc/initutils.c lxc-1.0.9/src/lxc/initutils.c --- lxc-1.0.8/src/lxc/initutils.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/initutils.c 2016-11-23 19:10:02.000000000 +0000 
@@ -47,6 +47,10 @@ if (mount_fs("proc", "/proc", "proc")) INFO("failed to remount proc"); + /* if /dev has been populated by us, /dev/shm does not exist */ + if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777)) + INFO("failed to create /dev/shm"); + /* if we can't mount /dev/shm, continue anyway */ if (mount_fs("shmfs", "/dev/shm", "tmpfs")) INFO("failed to mount /dev/shm"); diff -Nru lxc-1.0.8/src/lxc/log.c lxc-1.0.9/src/lxc/log.c --- lxc-1.0.8/src/lxc/log.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/log.c 2016-11-23 19:10:02.000000000 +0000 @@ -20,6 +20,7 @@ * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include #include #include #include @@ -100,10 +101,13 @@ event->locinfo->file, event->locinfo->func, event->locinfo->line); - n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, - *event->vap); + if (n < 0) + return n; - if (n >= sizeof(buffer) - 1) { + if (n < sizeof(buffer) - 1) + n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, + *event->vap); + else { WARN("truncated next event from %d to %zd bytes", n, sizeof(buffer)); n = sizeof(buffer) - 1; @@ -250,6 +254,16 @@ return p; } +extern void lxc_log_close(void) +{ + if (lxc_log_fd == -1) + return; + close(lxc_log_fd); + lxc_log_fd = -1; + free(log_fname); + log_fname = NULL; +} + /* * This can be called: * 1. when a program calls lxc_log_init with no logfile parameter (in which @@ -262,11 +276,12 @@ { if (lxc_log_fd != -1) { // we are overriding the default. - close(lxc_log_fd); - free(log_fname); + lxc_log_close(); } - if (!fname || strlen(fname) == 0) { + assert(fname != NULL); + + if (strlen(fname) == 0) { log_fname = NULL; return 0; } 
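Review bot: The directory is created with `mkdir("/dev/shm", 0777)`, and the comment that follows says a failed tmpfs mount is tolerated, which would leave a world-writable directory without the sticky bit in /dev. The underlying directory does not need to be writable by everyone when a tmpfs is mounted over it, so `mkdir("/dev/shm", 0755)` would be a safer fallback; this assumes mount_fs() supplies the tmpfs mode, which is not visible here. The `access()` call can also be replaced by calling mkdir() directly and ignoring `EEXIST`, which removes the separate existence check.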
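Review bot: After this change the clamp `n = sizeof(buffer) - 1` only runs in the `else` branch, so when the vsnprintf() call truncates, `n` ends up larger than the buffer because vsnprintf() returns the length it would have written. If the code after the hunk uses `n` as an index or as the write length (not visible here), it would go past the end of `buffer`. Keeping the clamp as its own test restores the bound: replace `else {` with `if (n >= sizeof(buffer) - 1) {`. A negative return from vsnprintf() is added to `n` unchecked as well and could be handled like the new `if (n < 0) return n;` above it.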
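Review bot: Replacing the `!fname ||` test with `assert(fname != NULL);` changes a handled case into one that either aborts the process or, when built with NDEBUG, falls through to `strlen(fname)` on a NULL pointer. The comment above the function lists a call with no logfile parameter as a supported case, so callers passing NULL may exist; they are not visible in this hunk. Unless every caller is known to pass a string, keeping the runtime check `if (!fname || strlen(fname) == 0) {` is the safer form.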
@@ -375,16 +390,6 @@ return ret; } -extern void lxc_log_close(void) -{ - if (lxc_log_fd == -1) - return; - close(lxc_log_fd); - lxc_log_fd = -1; - free(log_fname); - log_fname = NULL; -} - /* * This is called when we read a lxc.loglevel entry in a lxc.conf file. This * happens after processing command line arguments, which override the .conf diff -Nru lxc-1.0.8/src/lxc/lsm/apparmor.c lxc-1.0.9/src/lxc/lsm/apparmor.c --- lxc-1.0.8/src/lxc/lsm/apparmor.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lsm/apparmor.c 2016-11-23 19:10:02.000000000 +0000 @@ -38,6 +38,7 @@ #define AA_DEF_PROFILE "lxc-container-default" #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" +#define AA_UNCHANGED "unchanged" /* aa_getcon is not working right now. Use our hand-rolled version below */ static int apparmor_enabled(void) @@ -108,12 +109,33 @@ return buf; } -static int apparmor_am_unconfined(void) +/* + * Probably makes sense to reorganize these to only read + * the label once + */ +static bool apparmor_am_unconfined(void) { char *p = apparmor_process_label_get(getpid()); - int ret = 0; + bool ret = false; if (!p || strcmp(p, "unconfined") == 0) - ret = 1; + ret = true; + free(p); + return ret; +} + +/* aa stacking is not yet supported */ +static bool aa_stacking_supported(void) { + return false; +} + +/* are we in a confined container? */ +static bool in_aa_confined_container(void) { + char *p = apparmor_process_label_get(getpid()); + bool ret = false; + if (p && strcmp(p, "/usr/bin/lxc-start") != 0 && strcmp(p, "unconfined") != 0) { + INFO("Already apparmor-confined under %s", p); + ret = true; + } free(p); return ret; } 
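Review bot: in_aa_confined_container() compares the current label against the literal `"/usr/bin/lxc-start"`, which ties the check to one install path and profile name. With a different prefix or a renamed profile the function would report an existing confinement, and the caller in the next hunk then skips the profile change or fails with "already apparmor confined". A define next to `AA_DEF_PROFILE`, for example `#define AA_LXC_START_PROFILE "/usr/bin/lxc-start"`, with a comment saying which shipped profile it must match, would make that dependency visible. The two new helpers also put the opening brace on the signature line, unlike apparmor_am_unconfined() directly above them.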
@@ -135,6 +157,24 @@ if (!aa_enabled) return 0; + /* user may request that we just ignore apparmor */ + if (label && strcmp(label, AA_UNCHANGED) == 0) { + INFO("apparmor profile unchanged per user request"); + return 0; + } + + /* + * If we are already confined and no profile was requested, + * then default to unchanged + */ + if (in_aa_confined_container() && !aa_stacking_supported()) { + if (label) { + ERROR("already apparmor confined, but new label requested."); + return -1; + } + return 0; + } + if (!label) { if (use_default) label = AA_DEF_PROFILE; diff -Nru lxc-1.0.8/src/lxc/lxc-checkconfig.in lxc-1.0.9/src/lxc/lxc-checkconfig.in --- lxc-1.0.8/src/lxc/lxc-checkconfig.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc-checkconfig.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,17 +1,25 @@ #!/bin/sh -# Allow environment variables to override grep and config +# Allow environment variables to override config : ${CONFIG:=/proc/config.gz} -: ${GREP:=zgrep} : ${MODNAME:=configs} -SETCOLOR_SUCCESS="printf \\033[1;32m" -SETCOLOR_FAILURE="printf \\033[1;31m" -SETCOLOR_WARNING="printf \\033[1;33m" -SETCOLOR_NORMAL="printf \\033[0;39m" +CAT="cat" + +if [ -t 1 ]; then + SETCOLOR_SUCCESS="printf \\033[1;32m" + SETCOLOR_FAILURE="printf \\033[1;31m" + SETCOLOR_WARNING="printf \\033[1;33m" + SETCOLOR_NORMAL="printf \\033[0;39m" +else + SETCOLOR_SUCCESS=":" + SETCOLOR_FAILURE=":" + SETCOLOR_WARNING=":" + SETCOLOR_NORMAL=":" +fi is_set() { - $GREP "$1=[y|m]" $CONFIG > /dev/null + $CAT $CONFIG | grep "$1=[y|m]" > /dev/null return $? } @@ -45,7 +53,6 @@ # although scripts/extract-ikconfig could be used to extract contents without loading kernel module # http://svn.pld-linux.org/trac/svn/browser/geninitrd/trunk/geninitrd?rev=12696#L327 fi - GREP=grep if [ ! -f $CONFIG ]; then echo "$(basename $0): unable to retrieve kernel configuration" >&2 echo >&2 
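Review bot: The new `$CAT $CONFIG | grep "$1=[y|m]"` in is_set() expands `$CONFIG` unquoted although the script lets the environment set it, so a path containing spaces or glob characters is split or expanded before cat sees it. The same unquoted use is in the `gunzip -tq < $CONFIG` test and the three `KVER_*` pipelines in the later hunks of this file. Quoting fixes all of them, for example `$CAT "$CONFIG" | grep -q "$1=[ym]"`. The bracket expression `[y|m]` also matches a literal `|`, so `[ym]` is what the test means.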
@@ -61,6 +68,10 @@ fi fi +if gunzip -tq < $CONFIG 2>/dev/null; then + CAT="zcat" +fi + echo "--- Namespaces ---" echo -n "Namespaces: " && is_enabled CONFIG_NAMESPACES yes echo -n "Utsname namespace: " && is_enabled CONFIG_UTS_NS @@ -78,13 +89,13 @@ } CGROUP_MNT_PATH=`print_cgroups cgroup /proc/self/mounts | head -n 1` -KVER_MAJOR=$($GREP '^# Linux.*Kernel Configuration' $CONFIG | \ +KVER_MAJOR=$($CAT $CONFIG | grep '^# Linux.*Kernel Configuration' | \ sed -r 's/.* ([0-9])\.[0-9]{1,2}\.[0-9]{1,3}.*/\1/') if [ "$KVER_MAJOR" = "2" ]; then -KVER_MINOR=$($GREP '^# Linux.*Kernel Configuration' $CONFIG | \ +KVER_MINOR=$($CAT $CONFIG | grep '^# Linux.*Kernel Configuration' | \ sed -r 's/.* 2.6.([0-9]{2}).*/\1/') else -KVER_MINOR=$($GREP '^# Linux.*Kernel Configuration' $CONFIG | \ +KVER_MINOR=$($CAT $CONFIG | grep '^# Linux.*Kernel Configuration' | \ sed -r 's/.* [0-9]\.([0-9]{1,3})\.[0-9]{1,3}.*/\1/') fi diff -Nru lxc-1.0.8/src/lxc/lxccontainer.c lxc-1.0.9/src/lxc/lxccontainer.c --- lxc-1.0.8/src/lxc/lxccontainer.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxccontainer.c 2016-11-23 19:10:02.000000000 +0000 @@ -161,7 +161,7 @@ return -1; } if ((fd=open(path, O_RDWR | O_CREAT | O_EXCL, 0755)) < 0) { - SYSERROR("Erorr creating partial file"); + SYSERROR("Error creating partial file"); return -1; } lk.l_type = F_WRLCK; @@ -509,7 +509,7 @@ static bool am_single_threaded(void) { - struct dirent dirent, *direntp; + struct dirent *direntp; DIR *dir; int count=0; @@ -519,7 +519,7 @@ return false; } - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { if (!direntp) break; @@ -2988,7 +2988,7 @@ { char snappath[MAXPATHLEN], path2[MAXPATHLEN]; int dirlen, count = 0, ret; - struct dirent dirent, *direntp; + struct dirent *direntp; struct lxc_snapshot *snaps =NULL, *nsnaps; DIR *dir; @@ -3007,7 +3007,7 @@ return 0; } - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { if (!direntp) break; 
@@ -3439,7 +3439,7 @@ { DIR *dir; int i, cfound = 0, nfound = 0; - struct dirent dirent, *direntp; + struct dirent *direntp; struct lxc_container *c; if (!lxcpath) @@ -3456,12 +3456,12 @@ if (names) *names = NULL; - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { if (!direntp) break; - if (!strcmp(direntp->d_name, ".")) - continue; - if (!strcmp(direntp->d_name, "..")) + + // Ignore '.', '..' and any hidden directory + if (!strncmp(direntp->d_name, ".", 1)) continue; if (!config_file_exists(lxcpath, direntp->d_name)) diff -Nru lxc-1.0.8/src/lxc/lxccontainer.h lxc-1.0.9/src/lxc/lxccontainer.h --- lxc-1.0.8/src/lxc/lxccontainer.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxccontainer.h 2016-11-23 19:10:02.000000000 +0000 @@ -51,6 +51,10 @@ /*! * An LXC container. + * + * Note that changing the order of struct members is an API change, as callers + * will end up having the wrong offset when calling a function. So when making + * changes, whenever possible stick to simply appending new members. */ struct lxc_container { // private fields 
@@ -216,25 +220,24 @@ bool (*stop)(struct lxc_container *c); /*! - * \brief Determine if the container wants to run disconnected + * \brief Change whether the container wants to run disconnected * from the terminal. * * \param c Container. * \param state Value for the daemonize bit (0 or 1). * - * \return \c true if container wants to be daemonised, else \c false. + * \return \c true on success, else \c false. */ bool (*want_daemonize)(struct lxc_container *c, bool state); /*! - * \brief Determine whether container wishes all file descriptors + * \brief Change whether the container wishes all file descriptors * to be closed on startup. * * \param c Container. * \param state Value for the close_all_fds bit (0 or 1). * - * \return \c true if container wants all file descriptors closed, - * else \c false. + * \return \c true on success, else \c false. */ bool (*want_close_all_fds)(struct lxc_container *c, bool state); diff -Nru lxc-1.0.8/src/lxc/lxc_create.c lxc-1.0.9/src/lxc/lxc_create.c --- lxc-1.0.8/src/lxc/lxc_create.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc_create.c 2016-11-23 19:10:02.000000000 +0000 @@ -225,7 +225,7 @@ } if (strcmp(my_args.bdevtype, "dir") && strcmp(my_args.bdevtype, "_unset") && strcmp(my_args.bdevtype, "btrfs")) { - fprintf(stderr, "Unprivileged users cannot create %s containers", my_args.bdevtype); + fprintf(stderr, "Unprivileged users cannot create %s containers\n", my_args.bdevtype); exit(1); } } diff -Nru lxc-1.0.8/src/lxc/lxc.h lxc-1.0.9/src/lxc/lxc.h --- lxc-1.0.8/src/lxc/lxc.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc.h 2016-11-23 19:10:02.000000000 +0000 
@@ -115,14 +115,6 @@ extern int lxc_cgroup_get(const char *filename, char *value, size_t len, const char *name, const char *lxcpath); /* - * Retrieve the error string associated with the error returned by - * the function. - * @error : the value of the error - * Returns a string on success or NULL otherwise. - */ -extern const char *lxc_strerror(int error); - -/* * Create and return a new lxccontainer struct. */ extern struct lxc_container *lxc_container_new(const char *name, const char *configpath); diff -Nru lxc-1.0.8/src/lxc/lxc-ls lxc-1.0.9/src/lxc/lxc-ls --- lxc-1.0.8/src/lxc/lxc-ls 2015-11-09 22:49:31.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc-ls 2016-11-23 19:11:20.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 # # lxc-ls: List containers # @@ -284,8 +284,10 @@ memory_ram = 0 try: - memory_swap = int(container.get_cgroup_item( - "memory.memsw.usage_in_bytes")) - memory_ram + memory_stat = container.get_cgroup_item("memory.stat") + beg = memory_stat.find("\nswap ") + 6 + end = memory_stat[beg:].find("\n") + len(memory_stat[:beg]) + memory_swap = int(memory_stat[beg:end]) except: memory_swap = 0 else: @@ -351,7 +353,7 @@ else: def clear_lock(): try: - lock_path = "%s/lock/lxc/%s/%s" % (RUNTIME_PATH, + lock_path = "%s/lxc/lock/%s/%s" % (RUNTIME_PATH, path, entry['name']) if os.path.exists(lock_path): diff -Nru lxc-1.0.8/src/lxc/lxc-ls.in lxc-1.0.9/src/lxc/lxc-ls.in --- lxc-1.0.8/src/lxc/lxc-ls.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc-ls.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 # # lxc-ls: List containers # 
@@ -284,8 +284,10 @@ memory_ram = 0 try: - memory_swap = int(container.get_cgroup_item( - "memory.memsw.usage_in_bytes")) - memory_ram + memory_stat = container.get_cgroup_item("memory.stat") + beg = memory_stat.find("\nswap ") + 6 + end = memory_stat[beg:].find("\n") + len(memory_stat[:beg]) + memory_swap = int(memory_stat[beg:end]) except: memory_swap = 0 else: @@ -351,7 +353,7 @@ else: def clear_lock(): try: - lock_path = "%s/lock/lxc/%s/%s" % (RUNTIME_PATH, + lock_path = "%s/lxc/lock/%s/%s" % (RUNTIME_PATH, path, entry['name']) if os.path.exists(lock_path): diff -Nru lxc-1.0.8/src/lxc/lxc-start-ephemeral.in lxc-1.0.9/src/lxc/lxc-start-ephemeral.in --- lxc-1.0.8/src/lxc/lxc-start-ephemeral.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc-start-ephemeral.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 # # lxc-start-ephemeral: Start a copy of a container using an overlay # diff -Nru lxc-1.0.8/src/lxc/lxc_stop.c lxc-1.0.9/src/lxc/lxc_stop.c --- lxc-1.0.8/src/lxc/lxc_stop.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc_stop.c 2016-11-23 19:10:02.000000000 +0000 @@ -210,6 +210,9 @@ if (!c->is_running(c)) { fprintf(stderr, "%s is not running\n", c->name); + /* Per our manpage we need to exit with exit code: + * 2: The specified container exists but was not running. + */ ret = 2; goto out; } diff -Nru lxc-1.0.8/src/lxc/lxc_user_nic.c lxc-1.0.9/src/lxc/lxc_user_nic.c --- lxc-1.0.8/src/lxc/lxc_user_nic.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc_user_nic.c 2016-11-23 19:10:02.000000000 +0000 @@ -40,7 +40,6 @@ #include #include #include -#include #include #include #include diff -Nru lxc-1.0.8/src/lxc/lxc_usernsexec.c lxc-1.0.9/src/lxc/lxc_usernsexec.c --- lxc-1.0.8/src/lxc/lxc_usernsexec.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/lxc_usernsexec.c 2016-11-23 19:10:02.000000000 +0000 
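Review bot: The new memory.stat parsing does not check the result of `find("\nswap ")`, so when the key is absent `beg` becomes 5 and the slice holds unrelated text; the code then depends on `int()` raising and the bare `except:` turning that into 0. The search string also requires a preceding newline and would miss `swap` as the first line. A line-based form is easier to read and handles both cases: `for line in memory_stat.splitlines():` followed by `if line.startswith("swap "):` and `memory_swap = int(line.split()[1])`. The generated lxc-ls file carries the same code.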
@@ -291,7 +291,7 @@ } ret = readlink("/proc/self/fd/2", ttyname2, sizeof(ttyname2)); if (ret < 0) { - printf("Warning: unable to open stderr, continueing."); + printf("Warning: unable to open stderr, continuing."); memset(ttyname2, '\0', sizeof(ttyname2)); } } diff -Nru lxc-1.0.8/src/lxc/Makefile.in lxc-1.0.9/src/lxc/Makefile.in --- lxc-1.0.8/src/lxc/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/src/lxc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -17,7 +17,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -119,16 +129,13 @@ pkglibexec_PROGRAMS = lxc-monitord$(EXEEXT) lxc-user-nic$(EXEEXT) @ENABLE_RPATH_TRUE@am__append_19 = -Wl,-rpath -Wl,$(libdir) subdir = src/lxc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc-checkconfig.in $(srcdir)/lxc-ls.in \ - $(srcdir)/lxc-start-ephemeral.in $(srcdir)/lxc.functions.in \ - $(srcdir)/version.h.in $(top_srcdir)/config/depcomp \ - $(am__noinst_HEADERS_DIST) $(pkginclude_HEADERS) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__noinst_HEADERS_DIST) \ + $(pkginclude_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc-checkconfig lxc-ls lxc-start-ephemeral \ @@ -398,6 +405,10 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc-checkconfig.in \ + $(srcdir)/lxc-ls.in $(srcdir)/lxc-start-ephemeral.in \ + $(srcdir)/lxc.functions.in $(srcdir)/version.h.in \ + $(top_srcdir)/config/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -514,6 +525,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -552,6 +564,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -652,7 +665,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/lxc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/lxc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -1909,6 +1921,8 @@ uninstall-pkgincludeHEADERS uninstall-pkglibexecPROGRAMS \ uninstall-sbinPROGRAMS uninstall-soPROGRAMS +.PRECIOUS: Makefile + install-exec-local: install-soPROGRAMS mkdir -p $(DESTDIR)$(datadir)/lxc diff -Nru lxc-1.0.8/src/lxc/network.c lxc-1.0.9/src/lxc/network.c --- lxc-1.0.8/src/lxc/network.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/network.c 2016-11-23 19:10:02.000000000 +0000 @@ -108,6 +108,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) + goto out; ifi->ifi_family = AF_UNSPEC; ifi->ifi_index = ifindex; @@ -164,6 +166,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_DELLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) + goto out; ifi->ifi_family = AF_UNSPEC; ifi->ifi_index = ifindex; @@ -214,6 +218,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) + goto out; ifi->ifi_family = AF_UNSPEC; ifi->ifi_index = ifindex; @@ -277,6 +283,10 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) { + err = -ENOMEM; + goto out; + } ifi->ifi_family = AF_UNSPEC; ifi->ifi_index = index; ifi->ifi_change |= IFF_UP; @@ -327,6 +337,10 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) { + err = -ENOMEM; + goto out; + } ifi->ifi_family = AF_UNSPEC; ifi->ifi_index = index; @@ -401,6 +415,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) + goto out; ifi->ifi_family = AF_UNSPEC; /* Send the request for addresses, which returns all addresses @@ -512,6 +528,10 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) { + err = -ENOMEM; + goto out; + } ifi->ifi_family = AF_UNSPEC; ifi->ifi_index = index; 
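Review bot: The new `if (!ifi) goto out;` checks in network.c (hunks at -108, -164, -214 and -401 here, and the `ifi`/`ifa`/`rt` checks at -571, -911, -1032, -1146 and -1210 further down) leave `err` at whatever was assigned before the hunk, while the sibling hunks at -277, -327 and -512 set `err = -ENOMEM` first. If `err` is not already negative at those points, a failed `nlmsg_reserve()` would be reported as success; the earlier assignments are outside the hunks, so this cannot be confirmed from here. Using one form everywhere, `if (!ifi) { err = -ENOMEM; goto out; }`, removes the dependency on code outside the hunk. All enclosing functions start and end outside their hunks.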
@@ -571,6 +591,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) + goto out; ifi->ifi_family = AF_UNSPEC; err = -EINVAL; @@ -590,8 +612,10 @@ goto out; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); - if (!ifi) + if (!ifi) { + err = -ENOMEM; goto out; + } if (nla_put_string(nlmsg, IFLA_IFNAME, name2)) goto out; @@ -654,6 +678,10 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) { + err = -ENOMEM; + goto err1; + } ifi->ifi_family = AF_UNSPEC; nest = nla_begin_nested(nlmsg, IFLA_LINKINFO); @@ -730,6 +758,10 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK; ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg)); + if (!ifi) { + err = -ENOMEM; + goto out; + } ifi->ifi_family = AF_UNSPEC; nest = nla_begin_nested(nlmsg, IFLA_LINKINFO); @@ -911,6 +943,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWADDR; ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg)); + if (!ifa) + goto out; ifa->ifa_prefixlen = prefix; ifa->ifa_index = ifindex; ifa->ifa_family = family; @@ -1032,6 +1066,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_GETADDR; ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg)); + if (!ifa) + goto out; ifa->ifa_family = family; /* Send the request for addresses, which returns all addresses @@ -1146,6 +1182,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE; rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg)); + if (!rt) + goto out; rt->rtm_family = family; rt->rtm_table = RT_TABLE_MAIN; rt->rtm_scope = RT_SCOPE_UNIVERSE; @@ -1210,6 +1248,8 @@ nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE; rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg)); + if (!rt) + goto out; rt->rtm_family = family; rt->rtm_table = RT_TABLE_MAIN; rt->rtm_scope = RT_SCOPE_LINK; diff -Nru lxc-1.0.8/src/lxc/nl.c lxc-1.0.9/src/lxc/nl.c --- lxc-1.0.8/src/lxc/nl.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/nl.c 2016-11-23 19:10:02.000000000 +0000 
@@ -265,6 +265,7 @@ socklen_t socklen; int sndbuf = 32768; int rcvbuf = 32768; + int err; memset(handler, 0, sizeof(*handler)); @@ -274,11 +275,11 @@ if (setsockopt(handler->fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf)) < 0) - return -errno; + goto err_with_errno; if (setsockopt(handler->fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf,sizeof(rcvbuf)) < 0) - return -errno; + goto err_with_errno; memset(&handler->local, 0, sizeof(handler->local)); handler->local.nl_family = AF_NETLINK; @@ -286,22 +287,31 @@ if (bind(handler->fd, (struct sockaddr*)&handler->local, sizeof(handler->local)) < 0) - return -errno; + goto err_with_errno; socklen = sizeof(handler->local); if (getsockname(handler->fd, (struct sockaddr*)&handler->local, &socklen) < 0) - return -errno; - - if (socklen != sizeof(handler->local)) - return -EINVAL; + goto err_with_errno; - if (handler->local.nl_family != AF_NETLINK) - return -EINVAL; + if (socklen != sizeof(handler->local)) { + err = -EINVAL; + goto errclose; + } + + if (handler->local.nl_family != AF_NETLINK) { + err = -EINVAL; + goto errclose; + } handler->seq = time(NULL); return 0; +err_with_errno: + err = -errno; +errclose: + close(handler->fd); + return err; } extern int netlink_close(struct nl_handler *handler) diff -Nru lxc-1.0.8/src/lxc/seccomp.c lxc-1.0.9/src/lxc/seccomp.c --- lxc-1.0.8/src/lxc/seccomp.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/seccomp.c 2016-11-23 19:10:02.000000000 +0000 @@ -22,17 +22,16 @@ */ #define _GNU_SOURCE +#include #include #include #include -#include -#include -#include #include +#include #include "config.h" -#include "lxcseccomp.h" #include "log.h" +#include "lxcseccomp.h" lxc_log_define(lxc_seccomp, lxc); 
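Review bot: On the new `errclose:` path in nl.c, `close(handler->fd)` leaves the closed descriptor number in `handler->fd`. If a caller runs `netlink_close()` on the handler after a failed open (its body is not shown here), it could close an unrelated descriptor that has since reused the number. Adding `handler->fd = -1;` after the `close()` makes a later close harmless. The start of the function, including the `socket()` call, is outside the hunk.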
@@ -48,11 +47,11 @@ return -1; ret = seccomp_rule_add( #if HAVE_SCMP_FILTER_CTX - conf->seccomp_ctx, + conf->seccomp_ctx, #endif - SCMP_ACT_ALLOW, nr, 0); + SCMP_ACT_ALLOW, nr, 0); if (ret < 0) { - ERROR("failed loading allow rule for %d", nr); + ERROR("Failed loading allow rule for %d.", nr); return ret; } } @@ -74,14 +73,15 @@ { uint32_t ret_action = -1; - while (*line == ' ') line++; + while (*line == ' ') + line++; // after 'whitelist' or 'blacklist' comes default behavior if (strncmp(line, "kill", 4) == 0) ret_action = SCMP_ACT_KILL; else if (strncmp(line, "errno", 5) == 0) { int e; - if (sscanf(line+5, "%d", &e) != 1) { - ERROR("Bad errno value in %s", line); + if (sscanf(line + 5, "%d", &e) != 1) { + ERROR("Bad errno value in %s.", line); return -2; } ret_action = SCMP_ACT_ERRNO(e); @@ -125,14 +125,29 @@ lxc_seccomp_arch_ppc64, lxc_seccomp_arch_ppc64le, lxc_seccomp_arch_ppc, + lxc_seccomp_arch_mips, + lxc_seccomp_arch_mips64, + lxc_seccomp_arch_mips64n32, + lxc_seccomp_arch_mipsel, + lxc_seccomp_arch_mipsel64, + lxc_seccomp_arch_mipsel64n32, + lxc_seccomp_arch_s390x, lxc_seccomp_arch_unknown = 999, }; +#ifdef __MIPSEL__ +# define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel +# define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64 +#else +# define MIPS_ARCH_O32 lxc_seccomp_arch_mips +# define MIPS_ARCH_N64 lxc_seccomp_arch_mips64 +#endif + int get_hostarch(void) { struct utsname uts; if (uname(&uts) < 0) { - SYSERROR("Failed to read host arch"); + SYSERROR("Failed to read host arch."); return -1; } if (strcmp(uts.machine, "i686") == 0) @@ -149,6 +164,12 @@ return lxc_seccomp_arch_ppc64; else if (strncmp(uts.machine, "ppc", 3) == 0) return lxc_seccomp_arch_ppc; + else if (strncmp(uts.machine, "mips64", 6) == 0) + return MIPS_ARCH_N64; + else if (strncmp(uts.machine, "mips", 4) == 0) + return MIPS_ARCH_O32; + else if (strncmp(uts.machine, "s390x", 5) == 0) + return lxc_seccomp_arch_s390x; return lxc_seccomp_arch_unknown; } 
@@ -174,22 +195,33 @@ #ifdef SCMP_ARCH_PPC case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break; #endif +#ifdef SCMP_ARCH_MIPS + case lxc_seccomp_arch_mips: arch = SCMP_ARCH_MIPS; break; + case lxc_seccomp_arch_mips64: arch = SCMP_ARCH_MIPS64; break; + case lxc_seccomp_arch_mips64n32: arch = SCMP_ARCH_MIPS64N32; break; + case lxc_seccomp_arch_mipsel: arch = SCMP_ARCH_MIPSEL; break; + case lxc_seccomp_arch_mipsel64: arch = SCMP_ARCH_MIPSEL64; break; + case lxc_seccomp_arch_mipsel64n32: arch = SCMP_ARCH_MIPSEL64N32; break; +#endif +#ifdef SCMP_ARCH_S390X + case lxc_seccomp_arch_s390x: arch = SCMP_ARCH_S390X; break; +#endif default: return NULL; } if ((ctx = seccomp_init(default_policy_action)) == NULL) { - ERROR("Error initializing seccomp context"); + ERROR("Error initializing seccomp context."); return NULL; } if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) { - ERROR("failed to turn off n-new-privs"); + ERROR("Failed to turn off n-new-privs."); seccomp_release(ctx); return NULL; } ret = seccomp_arch_add(ctx, arch); if (ret != 0) { ERROR("Seccomp error %d (%s) adding arch: %d", ret, - strerror(ret), (int)n_arch); + strerror(-ret), (int)n_arch); seccomp_release(ctx); return NULL; } 
@@ -207,17 +239,22 @@ { int nr, ret; - if (arch && seccomp_arch_exist(ctx, arch) != 0) { - ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch); + ret = seccomp_arch_exist(ctx, arch); + if (arch && ret != 0) { + ERROR("BUG: Seccomp: rule and context arch do not match (arch " + "%d): %s.", + arch, strerror(-ret)); return false; } if (strncmp(line, "reject_force_umount", 19) == 0) { - INFO("Setting seccomp rule to reject force umounts\n"); + INFO("Setting Seccomp rule to reject force umounts."); ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2), 1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE )); if (ret < 0) { - ERROR("failed (%d) loading rule to reject force umount", ret); + ERROR("Failed (%d) loading rule to reject force " + "umount: %s.", + ret, strerror(-ret)); return false; } return true; @@ -225,18 +262,19 @@ nr = seccomp_syscall_resolve_name(line); if (nr == __NR_SCMP_ERROR) { - WARN("Seccomp: failed to resolve syscall: %s", line); - WARN("This syscall will NOT be blacklisted"); + WARN("Seccomp: failed to resolve syscall: %s.", line); + WARN("This syscall will NOT be blacklisted."); return true; } if (nr < 0) { - WARN("Seccomp: got negative # for syscall: %s", line); - WARN("This syscall will NOT be blacklisted"); + WARN("Seccomp: got negative for syscall: %d: %s.", nr, line); + WARN("This syscall will NOT be blacklisted."); return true; } ret = seccomp_rule_add_exact(ctx, action, nr, 0); if (ret < 0) { - ERROR("failed (%d) loading rule for %s (nr %d action %d)", ret, line, nr, action); + ERROR("Failed (%d) loading rule for %s (nr %d action %d): %s.", + ret, line, nr, action, strerror(-ret)); return false; } return true; 
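Review bot: Both name-resolution failure paths in the -225 hunk still `return true` after only a `WARN`, so a misspelt or unknown syscall name in a blacklist policy yields a filter that loads without that rule. The reworded message also says "will NOT be blacklisted" for whitelist policies, where the effect is the opposite. A comment such as `/* Unresolvable names are skipped, not rejected: the filter still loads without this rule. */` would document this above the first `WARN`. A policy-neutral message such as `WARN("This syscall will NOT be handled by the seccomp policy.");` would avoid the misleading wording. The function starts outside the hunk.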
@@ -260,22 +298,22 @@ { char *p; int ret; - scmp_filter_ctx compat_ctx = NULL; + scmp_filter_ctx compat_ctx[2] = {NULL, NULL}; bool blacklist = false; uint32_t default_policy_action = -1, default_rule_action = -1, action; enum lxc_hostarch_t native_arch = get_hostarch(), cur_rule_arch = native_arch; - uint32_t compat_arch = SCMP_ARCH_NATIVE; + uint32_t compat_arch[2] = {SCMP_ARCH_NATIVE, SCMP_ARCH_NATIVE}; if (strncmp(line, "blacklist", 9) == 0) blacklist = true; else if (strncmp(line, "whitelist", 9) != 0) { - ERROR("Bad seccomp policy style: %s", line); + ERROR("Bad seccomp policy style: %s.", line); return -1; } if ((p = strchr(line, ' '))) { - default_policy_action = get_v2_default_action(p+1); + default_policy_action = get_v2_default_action(p + 1); if (default_policy_action == -2) return -1; } 
@@ -295,21 +333,61 @@ if (native_arch == lxc_seccomp_arch_amd64) { cur_rule_arch = lxc_seccomp_arch_all; - compat_arch = SCMP_ARCH_X86; - compat_ctx = get_new_ctx(lxc_seccomp_arch_i386, + compat_arch[0] = SCMP_ARCH_X86; + compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_i386, + default_policy_action); + if (!compat_ctx[0]) + goto bad; +#ifdef SCMP_ARCH_PPC + } else if (native_arch == lxc_seccomp_arch_ppc64) { + cur_rule_arch = lxc_seccomp_arch_all; + compat_arch[0] = SCMP_ARCH_PPC; + compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_ppc, + default_policy_action); + if (!compat_ctx[0]) + goto bad; +#endif +#ifdef SCMP_ARCH_ARM + } else if (native_arch == lxc_seccomp_arch_arm64) { + cur_rule_arch = lxc_seccomp_arch_all; + compat_arch[0] = SCMP_ARCH_ARM; + compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_arm, + default_policy_action); + if (!compat_ctx[0]) + goto bad; +#endif +#ifdef SCMP_ARCH_MIPS + } else if (native_arch == lxc_seccomp_arch_mips64) { + cur_rule_arch = lxc_seccomp_arch_all; + compat_arch[0] = SCMP_ARCH_MIPS; + compat_arch[1] = SCMP_ARCH_MIPS64N32; + compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_mips, + default_policy_action); + compat_ctx[1] = get_new_ctx(lxc_seccomp_arch_mips64n32, + default_policy_action); + if (!compat_ctx[0] || !compat_ctx[1]) + goto bad; + } else if (native_arch == lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_all; + compat_arch[0] = SCMP_ARCH_MIPSEL; + compat_arch[1] = SCMP_ARCH_MIPSEL64N32; + compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_mipsel, + default_policy_action); + compat_ctx[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32, default_policy_action); - if (!compat_ctx) + if (!compat_ctx[0] || !compat_ctx[1]) goto bad; +#endif } if (default_policy_action != SCMP_ACT_KILL) { ret = seccomp_reset(conf->seccomp_ctx, default_policy_action); if (ret != 0) { - ERROR("Error re-initializing seccomp"); + ERROR("Error re-initializing Seccomp."); return -1; } if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) { - 
ERROR("failed to turn off n-new-privs"); + ERROR("Failed to turn off n-new-privs."); return -1; } } @@ -325,28 +403,29 @@ if (line[0] == '[') { // read the architecture for next set of rules if (strcmp(line, "[x86]") == 0 || - strcmp(line, "[X86]") == 0) { + strcmp(line, "[X86]") == 0) { if (native_arch != lxc_seccomp_arch_i386 && - native_arch != lxc_seccomp_arch_amd64) { + native_arch != lxc_seccomp_arch_amd64) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; } cur_rule_arch = lxc_seccomp_arch_i386; } else if (strcmp(line, "[X86_64]") == 0 || - strcmp(line, "[x86_64]") == 0) { + strcmp(line, "[x86_64]") == 0) { if (native_arch != lxc_seccomp_arch_amd64) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; } cur_rule_arch = lxc_seccomp_arch_amd64; } else if (strcmp(line, "[all]") == 0 || - strcmp(line, "[ALL]") == 0) { + strcmp(line, "[ALL]") == 0) { cur_rule_arch = lxc_seccomp_arch_all; } #ifdef SCMP_ARCH_ARM else if (strcmp(line, "[arm]") == 0 || - strcmp(line, "[ARM]") == 0) { - if (native_arch != lxc_seccomp_arch_arm) { + strcmp(line, "[ARM]") == 0) { + if (native_arch != lxc_seccomp_arch_arm && + native_arch != lxc_seccomp_arch_arm64) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; } @@ -355,7 +434,7 @@ #endif #ifdef SCMP_ARCH_AARCH64 else if (strcmp(line, "[arm64]") == 0 || - strcmp(line, "[ARM64]") == 0) { + strcmp(line, "[ARM64]") == 0) { if (native_arch != lxc_seccomp_arch_arm64) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; @@ -365,7 +444,7 @@ #endif #ifdef SCMP_ARCH_PPC64LE else if (strcmp(line, "[ppc64le]") == 0 || - strcmp(line, "[PPC64LE]") == 0) { + strcmp(line, "[PPC64LE]") == 0) { if (native_arch != lxc_seccomp_arch_ppc64le) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; 
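Review bot: The two `return -1;` statements in the `default_policy_action != SCMP_ACT_KILL` block of the -295 hunk now run after up to two compat contexts have been created by `get_new_ctx()`, so they leak `compat_ctx[0]` and `compat_ctx[1]`. The function already has a `bad:` label that releases both (visible in the -443 hunk), so each should be `goto bad;` instead. The enclosing function starts and ends outside this hunk.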
@@ -375,7 +454,7 @@
 #endif
 #ifdef SCMP_ARCH_PPC64
 else if (strcmp(line, "[ppc64]") == 0 ||
- strcmp(line, "[PPC64]") == 0) {
+ strcmp(line, "[PPC64]") == 0) {
 if (native_arch != lxc_seccomp_arch_ppc64) {
 cur_rule_arch = lxc_seccomp_arch_unknown;
 continue;
@@ -385,14 +464,72 @@ #endif #ifdef SCMP_ARCH_PPC else if (strcmp(line, "[ppc]") == 0 || - strcmp(line, "[PPC]") == 0) { - if (native_arch != lxc_seccomp_arch_ppc) { + strcmp(line, "[PPC]") == 0) { + if (native_arch != lxc_seccomp_arch_ppc && + native_arch != lxc_seccomp_arch_ppc64) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; } cur_rule_arch = lxc_seccomp_arch_ppc; } #endif +#ifdef SCMP_ARCH_MIPS + else if (strcmp(line, "[mips64]") == 0 || + strcmp(line, "[MIPS64]") == 0) { + if (native_arch != lxc_seccomp_arch_mips64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_mips64; + } else if (strcmp(line, "[mips64n32]") == 0 || + strcmp(line, "[MIPS64N32]") == 0) { + if (native_arch != lxc_seccomp_arch_mips64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_mips64n32; + } else if (strcmp(line, "[mips]") == 0 || + strcmp(line, "[MIPS]") == 0) { + if (native_arch != lxc_seccomp_arch_mips && + native_arch != lxc_seccomp_arch_mips64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_mips; + } else if (strcmp(line, "[mipsel64]") == 0 || + strcmp(line, "[MIPSEL64]") == 0) { + if (native_arch != lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_mipsel64; + } else if (strcmp(line, "[mipsel64n32]") == 0 || + strcmp(line, "[MIPSEL64N32]") == 0) { + if (native_arch != lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_mipsel64n32; + } else if (strcmp(line, "[mipsel]") == 0 || + strcmp(line, "[MIPSEL]") == 0) { + if (native_arch != lxc_seccomp_arch_mipsel && + native_arch != lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_mipsel; + } +#endif +#ifdef SCMP_ARCH_S390X + else if (strcmp(line, "[s390x]") == 0 || + 
strcmp(line, "[S390X]") == 0) { + if (native_arch != lxc_seccomp_arch_s390x) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_s390x; + } +#endif else goto bad_arch; 
@@ -406,36 +543,44 @@ /* read optional action which follows the syscall */ action = get_and_clear_v2_action(line, default_rule_action); if (action == -1) { - ERROR("Failed to interpret action"); + ERROR("Failed to interpret action."); goto bad_rule; } if (cur_rule_arch == native_arch || cur_rule_arch == lxc_seccomp_arch_native || - compat_arch == SCMP_ARCH_NATIVE) { - INFO("Adding native rule for %s action %d", line, action); + compat_arch[0] == SCMP_ARCH_NATIVE) { + INFO("Adding native rule for %s action %d.", line, action); if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action)) goto bad_rule; } else if (cur_rule_arch != lxc_seccomp_arch_all) { - INFO("Adding compat-only rule for %s action %d", line, action); - if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action)) + int arch_index = + cur_rule_arch == lxc_seccomp_arch_mips64n32 || + cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0; + + INFO("Adding compat-only rule for %s action %d.", line, action); + if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], action)) goto bad_rule; } else { - INFO("Adding native rule for %s action %d", line, action); + INFO("Adding native rule for %s action %d.", line, action); if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action)) goto bad_rule; - INFO("Adding compat rule for %s action %d", line, action); - if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action)) + INFO("Adding compat rule for %s action %d.", line, action); + if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], action)) + goto bad_rule; + if (compat_arch[1] != SCMP_ARCH_NATIVE && + !do_resolve_add_rule(compat_arch[1], line, compat_ctx[1], action)) goto bad_rule; } } - if (compat_ctx) { - INFO("Merging in the compat seccomp ctx into the main one"); - if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) { - ERROR("Error merging i386 seccomp contexts"); + if (compat_ctx[0]) { + INFO("Merging in the compat Seccomp ctx 
into the main one."); + if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0 || + (compat_ctx[1] != NULL && seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0)) { + ERROR("Error merging compat Seccomp contexts."); goto bad; } } @@ -443,11 +588,13 @@ return 0; bad_arch: - ERROR("Unsupported arch: %s", line); + ERROR("Unsupported arch: %s.", line); bad_rule: bad: - if (compat_ctx) - seccomp_release(compat_ctx); + if (compat_ctx[0]) + seccomp_release(compat_ctx[0]); + if (compat_ctx[1]) + seccomp_release(compat_ctx[1]); return -1; } #else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */ @@ -472,20 +619,20 @@ ret = fscanf(f, "%d\n", &version); if (ret != 1 || (version != 1 && version != 2)) { - ERROR("invalid version"); + ERROR("Invalid version."); return -1; } if (!fgets(line, 1024, f)) { - ERROR("invalid config file"); + ERROR("Invalid config file."); return -1; } if (version == 1 && !strstr(line, "whitelist")) { - ERROR("only whitelist policy is supported"); + ERROR("Only whitelist policy is supported."); return -1; } if (strstr(line, "debug")) { - ERROR("debug not yet implemented"); + ERROR("Debug not yet implemented."); return -1; } @@ -515,7 +662,7 @@ while (fgets(line, 1024, f)) { if (strncmp(line, "Seccomp:", 8) == 0) { found = true; - ret = sscanf(line+8, "%d", &v); + ret = sscanf(line + 8, "%d", &v); if (ret == 1 && v != 0) already_enabled = true; break; @@ -523,12 +670,12 @@ } fclose(f); - if (!found) { /* no Seccomp line, no seccomp in kernel */ - INFO("Seccomp is not enabled in the kernel"); + if (!found) { /* no Seccomp line, no seccomp in kernel */ + INFO("Seccomp is not enabled in the kernel."); return false; } - if (already_enabled) { /* already seccomp-confined */ - INFO("Already seccomp-confined, not loading new policy"); + if (already_enabled) { /* already seccomp-confined */ + INFO("Already seccomp-confined, not loading new policy."); return false; } return true; 
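Review bot: When the merge of `compat_ctx[0]` succeeds and the merge of `compat_ctx[1]` fails, the combined condition in the -406 hunk jumps to `bad:`, which calls `seccomp_release(compat_ctx[0])` on a context already released. Per seccomp_merge(3), the source filter is released on success and the caller must drop its reference. Merging the two contexts separately and clearing each pointer after a successful merge keeps the `bad:` cleanup in the -443 hunk safe. The enclosing function starts outside these hunks.

```c
	if (compat_ctx[0]) {
		INFO("Merging in the compat Seccomp ctx into the main one.");
		if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0) {
			ERROR("Error merging compat Seccomp contexts.");
			goto bad;
		}
		/* released by seccomp_merge() on success */
		compat_ctx[0] = NULL;

		if (compat_ctx[1]) {
			if (seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0) {
				ERROR("Error merging compat Seccomp contexts.");
				goto bad;
			}
			compat_ctx[1] = NULL;
		}
	}
	/* … unchanged: return 0 and the bad_arch/bad_rule/bad labels … */
```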
@@ -538,6 +685,7 @@ { FILE *f; int ret; + int check_seccomp_attr_set; if (!conf->seccomp) return 0; @@ -552,24 +700,25 @@ ret = seccomp_init(SCMP_ACT_KILL) < 0; #endif if (ret) { - ERROR("failed initializing seccomp"); + ERROR("Failed initializing seccomp."); return -1; } - /* turn of no-new-privs. We don't want it in lxc, and it breaks - * with apparmor */ - if (seccomp_attr_set( +/* turn of no-new-privs. We don't want it in lxc, and it breaks + * with apparmor */ #if HAVE_SCMP_FILTER_CTX - conf->seccomp_ctx, + check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0); +#else + check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0); #endif - SCMP_FLTATR_CTL_NNP, 0)) { - ERROR("failed to turn off n-new-privs"); + if (check_seccomp_attr_set) { + ERROR("Failed to turn off n-new-privs."); return -1; } f = fopen(conf->seccomp, "r"); if (!f) { - SYSERROR("failed to open seccomp policy file %s", conf->seccomp); + SYSERROR("Failed to open seccomp policy file %s.", conf->seccomp); return -1; } ret = parse_config(f, conf); @@ -586,17 +735,18 @@ return 0; ret = seccomp_load( #if HAVE_SCMP_FILTER_CTX - conf->seccomp_ctx + conf->seccomp_ctx #endif - ); + ); if (ret < 0) { - ERROR("Error loading the seccomp policy"); + ERROR("Error loading the seccomp policy."); return -1; } return 0; } -void lxc_seccomp_free(struct lxc_conf *conf) { +void lxc_seccomp_free(struct lxc_conf *conf) +{ free(conf->seccomp); conf->seccomp = NULL; #if HAVE_SCMP_FILTER_CTX diff -Nru lxc-1.0.8/src/lxc/start.c lxc-1.0.9/src/lxc/start.c --- lxc-1.0.8/src/lxc/start.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/start.c 2016-11-23 19:10:02.000000000 +0000 
@@ -117,8 +117,15 @@ } } -static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) { - int i, saved_errno; +/* + * preserve_ns: open /proc/@pid/ns/@ns for each namespace specified + * in clone_flags. + * Return true on success, false on failure. On failure, leave an error + * message in *errmsg, which caller must free. + */ +static +bool preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid, char **errmsg) { + int i, ret; char path[MAXPATHLEN]; for (i = 0; i < LXC_NS_MAX; i++) @@ -126,8 +133,9 @@ snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid); if (access(path, X_OK)) { - WARN("Kernel does not support attach; preserve_ns ignored"); - return 0; + if (asprintf(errmsg, "Kernel does not support setns.") == -1) + *errmsg = NULL; + return false; } for (i = 0; i < LXC_NS_MAX; i++) { @@ -140,14 +148,20 @@ goto error; } - return 0; + return true; error: - saved_errno = errno; + if (errno == ENOENT) { + ret = asprintf(errmsg, "Kernel does not support setns for %s", + ns_info[i].proc_name); + } else { + ret = asprintf(errmsg, "Failed to open %s: %s", + path, strerror(errno)); + } + if (ret == -1) + *errmsg = NULL; close_ns(ns_fd); - errno = saved_errno; - SYSERROR("failed to open '%s'", path); - return -1; + return false; } static int attach_ns(const int ns_fd[LXC_NS_MAX]) { @@ -174,7 +188,7 @@ int lxc_check_inherited(struct lxc_conf *conf, int fd_to_ignore) { - struct dirent dirent, *direntp; + struct dirent *direntp; int fd, fddir; DIR *dir; @@ -187,7 +201,7 @@ fddir = dirfd(dir); - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { if (!direntp) break; @@ -630,6 +644,7 @@ { struct lxc_handler *handler = data; const char *lsm_label = NULL; + int ret = 0; if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) { SYSERROR("failed to set sigprocmask"); 
@@ -654,6 +669,20 @@ close(handler->pinfd); } + if (lxc_sync_wait_parent(handler, LXC_SYNC_STARTUP)) + return -1; + + /* Unshare CLONE_NEWNET after CLONE_NEWUSER - see + https://github.com/lxc/lxd/issues/1978 */ + if ((handler->clone_flags & (CLONE_NEWNET | CLONE_NEWUSER)) == + (CLONE_NEWNET | CLONE_NEWUSER)) { + ret = unshare(CLONE_NEWNET); + if (ret < 0) { + SYSERROR("Error unsharing network namespace"); + goto out_warn_father; + } + } + /* Tell the parent task it can begin to configure the * container and wait for it to finish */ @@ -758,16 +787,20 @@ handler->ops->start(handler, handler->data); out_warn_father: - /* we want the parent to know something went wrong, so any - * value other than what it expects is ok. */ - lxc_sync_wake_parent(handler, LXC_SYNC_POST_CONFIGURE); + /* we want the parent to know something went wrong, so we return a special + * error code. */ + lxc_sync_wake_parent(handler, LXC_SYNC_ERROR); return -1; } static int save_phys_nics(struct lxc_conf *conf) { struct lxc_list *iterator; + int am_root = (getuid() == 0); + if (!am_root) + return 0; + lxc_list_for_each(iterator, &conf->network) { struct lxc_netdev *netdev = iterator->elem; @@ -798,9 +831,10 @@ { int failed_before_rename = 0; const char *name = handler->name; + char *errmsg = NULL; bool cgroups_connected = false; int saved_ns_fd[LXC_NS_MAX]; - int preserve_mask = 0, i; + int preserve_mask = 0, i, flags; int netpipepair[2], nveths; netpipe = -1; @@ -889,8 +923,12 @@ INFO("failed to pin the container's rootfs"); } - if (preserve_ns(saved_ns_fd, preserve_mask, getpid()) < 0) + if (!preserve_ns(saved_ns_fd, preserve_mask, getpid(), &errmsg)) { + SYSERROR("Failed to preserve requested namespaces: %s", + errmsg ? errmsg : "(Out of memory)"); + free(errmsg); goto out_delete_net; + } if (attach_ns(handler->conf->inherit_ns_fd) < 0) goto out_delete_net; 
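Review bot: In the -889 hunk the failure of `preserve_ns()` is logged with `SYSERROR`, which elsewhere in this tree is used to report `errno`. By then `preserve_ns()` has called `asprintf()` and `close_ns()`, so `errno` may no longer describe the failure, and `errmsg` already carries the `strerror()` text. `ERROR("Failed to preserve requested namespaces: %s", errmsg ? errmsg : "(Out of memory)");` avoids printing a second, possibly unrelated reason. A missing `/proc/<pid>/ns` was previously tolerated with a warning and now aborts the start at this call; if that is intended, a comment here should say so.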
@@ -904,15 +942,19 @@ } /* Create a process in a new set of namespaces */ + flags = handler->clone_flags; + if (handler->clone_flags & CLONE_NEWUSER) + flags &= ~CLONE_NEWNET; handler->pid = lxc_clone(do_start, handler, handler->clone_flags); if (handler->pid < 0) { SYSERROR("failed to fork into a new namespace"); goto out_delete_net; } - if (preserve_ns(handler->nsfd, handler->clone_flags, handler->pid) < 0) { - ERROR("failed to store namespace references"); - goto out_delete_net; + if (!preserve_ns(handler->nsfd, handler->clone_flags | preserve_mask, handler->pid, &errmsg)) { + INFO("Failed to store namespace references for stop hook: %s", + errmsg ? errmsg : "(Out of memory)"); + free(errmsg); } if (attach_ns(saved_ns_fd)) @@ -920,8 +962,25 @@ lxc_sync_fini_child(handler); - if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE)) + /* map the container uids - the container became an invalid + * userid the moment it was cloned with CLONE_NEWUSER - this + * call doesn't change anything immediately, but allows the + * container to setuid(0) (0 being mapped to something else on + * the host) later to become a valid uid again */ + if (lxc_map_ids(&handler->conf->id_map, handler->pid)) { + ERROR("failed to set up id mapping"); + goto out_delete_net; + } + + if (lxc_sync_wake_child(handler, LXC_SYNC_STARTUP)) { + failed_before_rename = 1; + goto out_delete_net; + } + + if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE)) { failed_before_rename = 1; + goto out_delete_net; + } if (!cgroup_create_legacy(handler)) { ERROR("failed to setup the legacy cgroups for %s", name); 
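Review bot: The `flags` value computed just before `lxc_clone()` in the -904 hunk is never used: the call still passes `handler->clone_flags`, so `CLONE_NEWNET` is not masked out when `CLONE_NEWUSER` is set. The child then calls `unshare(CLONE_NEWNET)` in `do_start` (the -654 hunk) on top of the network namespace it was already cloned into. That defeats the ordering the comment there asks for, with the network namespace created only after the user namespace is set up. The call should read `handler->pid = lxc_clone(do_start, handler, flags);`. The enclosing function starts and ends outside the hunk.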
@@ -966,16 +1025,6 @@ close(netpipepair[1]); } - /* map the container uids - the container became an invalid - * userid the moment it was cloned with CLONE_NEWUSER - this - * call doesn't change anything immediately, but allows the - * container to setuid(0) (0 being mapped to something else on - * the host) later to become a valid uid again */ - if (lxc_map_ids(&handler->conf->id_map, handler->pid)) { - ERROR("failed to set up id mapping"); - goto out_delete_net; - } - /* Tell the child to continue its initialization. we'll get * LXC_SYNC_CGROUP when it is ready for us to setup cgroups */ @@ -1141,7 +1190,7 @@ } DEBUG("Pushing physical nics back to host namespace"); - lxc_rename_phys_nics_on_shutdown(netnsfd, handler->conf); + lxc_restore_phys_nics_to_netns(netnsfd, handler->conf); DEBUG("Tearing down virtual network devices used by container"); lxc_delete_network(handler); diff -Nru lxc-1.0.8/src/lxc/sync.c lxc-1.0.9/src/lxc/sync.c --- lxc-1.0.8/src/lxc/sync.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/sync.c 2016-11-23 19:10:02.000000000 +0000 @@ -27,6 +27,7 @@ #include #include +#include "sync.h" #include "log.h" #include "start.h" @@ -35,7 +36,7 @@ static int __sync_wait(int fd, int sequence) { int sync = -1; - int ret; + ssize_t ret; ret = read(fd, &sync, sizeof(sync)); if (ret < 0) { @@ -46,6 +47,17 @@ if (!ret) return 0; + if ((size_t)ret != sizeof(sync)) { + ERROR("unexpected sync size: %zu expected %zu", (size_t)ret, sizeof(sync)); + return -1; + } + + if (sync == LXC_SYNC_ERROR) { + ERROR("An error occurred in another process " + "(expected sequence number %d)", sequence); + return -1; + } + if (sync != sequence) { ERROR("invalid sequence number %d. expected %d", sync, sequence); 
@@ -87,6 +99,11 @@ return __sync_wake(handler->sv[0], sequence); } +int lxc_sync_wait_parent(struct lxc_handler *handler, int sequence) +{ + return __sync_wait(handler->sv[0], sequence); +} + int lxc_sync_wait_child(struct lxc_handler *handler, int sequence) { return __sync_wait(handler->sv[1], sequence); diff -Nru lxc-1.0.8/src/lxc/sync.h lxc-1.0.9/src/lxc/sync.h --- lxc-1.0.8/src/lxc/sync.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/sync.h 2016-11-23 19:10:02.000000000 +0000 @@ -26,12 +26,14 @@ struct lxc_handler; enum { + LXC_SYNC_STARTUP, LXC_SYNC_CONFIGURE, LXC_SYNC_POST_CONFIGURE, LXC_SYNC_CGROUP, LXC_SYNC_POST_CGROUP, LXC_SYNC_RESTART, LXC_SYNC_POST_RESTART, + LXC_SYNC_ERROR = -1 /* Used to report errors from another process */ }; int lxc_sync_init(struct lxc_handler *handler); @@ -41,6 +43,7 @@ int lxc_sync_wake_child(struct lxc_handler *, int); int lxc_sync_wait_child(struct lxc_handler *, int); int lxc_sync_wake_parent(struct lxc_handler *, int); +int lxc_sync_wait_parent(struct lxc_handler *, int); int lxc_sync_barrier_parent(struct lxc_handler *, int); int lxc_sync_barrier_child(struct lxc_handler *, int); diff -Nru lxc-1.0.8/src/lxc/utils.c lxc-1.0.9/src/lxc/utils.c --- lxc-1.0.8/src/lxc/utils.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/utils.c 2016-11-23 19:10:02.000000000 +0000 @@ -62,7 +62,7 @@ static int _recursive_rmdir(char *dirname, dev_t pdev, bool onedev) { - struct dirent dirent, *direntp; + struct dirent *direntp; DIR *dir; int ret, failed=0; char pathname[MAXPATHLEN]; @@ -73,7 +73,7 @@ return -1; } - while (!readdir_r(dir, &dirent, &direntp)) { + while ((direntp = readdir(dir))) { struct stat mystat; int rc; 
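Review bot: `readdir()` returns NULL both at end of directory and on error, and the new loop condition `while ((direntp = readdir(dir)))` in `_recursive_rmdir` does not tell the two apart, so a read error would end the recursive removal early without being reported. Setting `errno = 0;` before each `readdir()` call and adding `if (errno) failed = 1;` once the loop exits would restore the distinction the `readdir_r()` return value used to give. The body of `_recursive_rmdir` continues outside the hunk, so any handling further down cannot be seen from here.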
@@ -705,8 +705,8 @@ char **lxc_string_split(const char *string, char _sep) { char *token, *str, *saveptr = NULL; - char sep[2] = { _sep, '\0' }; - char **result = NULL; + char sep[2] = {_sep, '\0'}; + char **tmp = NULL, **result = NULL; size_t result_capacity = 0; size_t result_count = 0; int r, saved_errno; @@ -714,7 +714,7 @@ if (!string) return calloc(1, sizeof(char *)); - str = alloca(strlen(string)+1); + str = alloca(strlen(string) + 1); strcpy(str, string); for (; (token = strtok_r(str, sep, &saveptr)); str = NULL) { r = lxc_grow_array((void ***)&result, &result_capacity, result_count + 1, 16); @@ -727,7 +727,14 @@ } /* if we allocated too much, reduce it */ - return realloc(result, (result_count + 1) * sizeof(char *)); + tmp = realloc(result, (result_count + 1) * sizeof(char *)); + if (!tmp) + goto error_out; + result = tmp; + /* Make sure we don't return uninitialized memory. */ + if (result_count == 0) + *result = NULL; + return result; error_out: saved_errno = errno; lxc_free_array((void **)result, free); @@ -1267,7 +1274,7 @@ fulllen = strlen(target); /* make sure prefix-skip makes sense */ - if (prefix_skip) { + if (prefix_skip && strlen(prefix_skip) > 0) { curlen = strlen(prefix_skip); if (!is_subdir(target, prefix_skip, curlen)) { ERROR("WHOA there - target '%s' didn't start with prefix '%s'", @@ -1313,8 +1320,6 @@ errno = saved_errno; if (errno == ELOOP) SYSERROR("%s in %s was a symbolic link!", nextpath, target); - else - SYSERROR("Error examining %s in %s", nextpath, target); goto out; } } @@ -1359,8 +1364,11 @@ destfd = open_without_symlink(dest, rootfs); if (destfd < 0) { - if (srcfd != -1) + if (srcfd != -1) { + saved_errno = errno; close(srcfd); + errno = saved_errno; + } return destfd; } diff -Nru lxc-1.0.8/src/lxc/utils.h lxc-1.0.9/src/lxc/utils.h --- lxc-1.0.8/src/lxc/utils.h 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/lxc/utils.h 2016-11-23 19:10:02.000000000 +0000 
@@ -116,6 +116,12 @@ # define __NR_signalfd4 322 # elif __arm__ # define __NR_signalfd4 355 +# elif __mips__ && _MIPS_SIM == _ABIO32 +# define __NR_signalfd4 4324 +# elif __mips__ && _MIPS_SIM == _ABI64 +# define __NR_signalfd4 5283 +# elif __mips__ && _MIPS_SIM == _ABIN32 +# define __NR_signalfd4 6287 # endif #endif @@ -131,6 +137,12 @@ # define __NR_signalfd 316 # elif __arm__ # define __NR_signalfd 349 +# elif __mips__ && _MIPS_SIM == _ABIO32 +# define __NR_signalfd 4317 +# elif __mips__ && _MIPS_SIM == _ABI64 +# define __NR_signalfd 5276 +# elif __mips__ && _MIPS_SIM == _ABIN32 +# define __NR_signalfd 6280 # endif #endif diff -Nru lxc-1.0.8/src/lxc/version.h lxc-1.0.9/src/lxc/version.h --- lxc-1.0.8/src/lxc/version.h 2015-11-09 22:49:31.000000000 +0000 +++ lxc-1.0.9/src/lxc/version.h 2016-11-23 19:11:20.000000000 +0000 @@ -25,7 +25,7 @@ #define LXC_VERSION_MAJOR 1 #define LXC_VERSION_MINOR 0 -#define LXC_VERSION_MICRO 8 -#define LXC_VERSION "1.0.8" +#define LXC_VERSION_MICRO 9 +#define LXC_VERSION "1.0.9" #endif diff -Nru lxc-1.0.8/src/Makefile.in lxc-1.0.9/src/Makefile.in --- lxc-1.0.8/src/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/src/Makefile.in 2016-11-23 19:10:06.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,13 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = src -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/config.h.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = config.h CONFIG_CLEAN_FILES = @@ -145,6 +154,7 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -286,6 +296,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -324,6 +335,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -349,7 +361,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -653,6 +664,8 @@ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/src/python-lxc/examples/api_test.py lxc-1.0.9/src/python-lxc/examples/api_test.py --- lxc-1.0.8/src/python-lxc/examples/api_test.py 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/python-lxc/examples/api_test.py 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,5 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- # # api_test.py: Test/demo of the python3-lxc API # diff -Nru lxc-1.0.8/src/python-lxc/examples/pyconsole.py lxc-1.0.9/src/python-lxc/examples/pyconsole.py --- lxc-1.0.8/src/python-lxc/examples/pyconsole.py 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/python-lxc/examples/pyconsole.py 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,5 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- # # pyconsole: Example program showing use of console functions # in the lxc python binding diff -Nru lxc-1.0.8/src/python-lxc/examples/pyconsole-vte.py lxc-1.0.9/src/python-lxc/examples/pyconsole-vte.py --- lxc-1.0.8/src/python-lxc/examples/pyconsole-vte.py 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/python-lxc/examples/pyconsole-vte.py 2016-11-23 19:10:02.000000000 +0000 @@ -1,4 +1,5 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- # # pyconsole-vte: Example program showing use of console functions # in the lxc python binding diff -Nru lxc-1.0.8/src/python-lxc/lxc.c lxc-1.0.9/src/python-lxc/lxc.c --- lxc-1.0.8/src/python-lxc/lxc.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/python-lxc/lxc.c 2016-11-23 19:10:02.000000000 +0000 
@@ -117,6 +117,12 @@ static int lxc_attach_python_exec(void* _payload) { + /* This function is the first one to be called after attaching to a + * container. As lxc_attach() calls fork() PyOS_AfterFork should be called + * in the new process if the Python interpreter will continue to be used. + */ + PyOS_AfterFork(); + struct lxc_attach_python_payload *payload = (struct lxc_attach_python_payload *)_payload; PyObject *result = PyObject_CallFunctionObjArgs(payload->fn, @@ -443,7 +449,9 @@ self->container = lxc_container_new(name, config_path); if (!self->container) { Py_XDECREF(fs_config_path); - fprintf(stderr, "%d: error creating container %s\n", __LINE__, name); + + PyErr_Format(PyExc_RuntimeError, "%s:%s:%d: error during init for container '%s'.", + __FUNCTION__, __FILE__, __LINE__, name); return -1; } diff -Nru lxc-1.0.8/src/python-lxc/Makefile.in lxc-1.0.9/src/python-lxc/Makefile.in --- lxc-1.0.8/src/python-lxc/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/src/python-lxc/Makefile.in 2016-11-23 19:10:07.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -78,13 +88,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = src/python-lxc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/setup.py.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = setup.py @@ -109,6 +118,7 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/setup.py.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -225,6 +235,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -263,6 +274,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -295,7 +307,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/python-lxc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/python-lxc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -466,6 +477,8 @@ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am +.PRECIOUS: Makefile + @ENABLE_PYTHON_TRUE@all: @ENABLE_PYTHON_TRUE@ $(PYTHON) setup.py build diff -Nru lxc-1.0.8/src/python-lxc/setup.py.in lxc-1.0.9/src/python-lxc/setup.py.in --- lxc-1.0.8/src/python-lxc/setup.py.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/python-lxc/setup.py.in 2016-11-23 19:10:02.000000000 +0000 
@@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 # # python-lxc: Python bindings for LXC # diff -Nru lxc-1.0.8/src/tests/get_item.c lxc-1.0.9/src/tests/get_item.c --- lxc-1.0.8/src/tests/get_item.c 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/src/tests/get_item.c 2016-11-23 19:10:02.000000000 +0000 @@ -314,8 +314,8 @@ ret = 1; goto out; } - if (!c->clear_config_item(c, "lxc.mount.entries")) { - fprintf(stderr, "%d: failed clearing lxc.mount.entries\n", __LINE__); + if (!c->clear_config_item(c, "lxc.mount.entry")) { + fprintf(stderr, "%d: failed clearing lxc.mount.entry\n", __LINE__); ret = 1; goto out; } diff -Nru lxc-1.0.8/src/tests/Makefile.in lxc-1.0.9/src/tests/Makefile.in --- lxc-1.0.8/src/tests/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/src/tests/Makefile.in 2016-11-23 19:10:07.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -104,13 +114,12 @@ @ENABLE_TESTS_TRUE@ lxc-test-apparmor$(EXEEXT) @DISTRO_UBUNTU_TRUE@@ENABLE_TESTS_TRUE@am__append_3 = lxc-test-usernic lxc-test-ubuntu lxc-test-unpriv subdir = src/tests -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc-test-usernic.in $(top_srcdir)/config/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc-test-usernic @@ -355,6 +364,8 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc-test-usernic.in \ + $(top_srcdir)/config/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -471,6 +482,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -509,6 +521,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -589,7 +602,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/tests/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/tests/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -1019,6 +1031,8 @@ mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-binPROGRAMS uninstall-binSCRIPTS +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru lxc-1.0.8/templates/lxc-alpine.in lxc-1.0.9/templates/lxc-alpine.in --- lxc-1.0.8/templates/lxc-alpine.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-alpine.in 2016-11-23 19:10:02.000000000 +0000 @@ -149,6 +149,7 @@ auto eth0 iface eth0 inet dhcp +hostname \$(hostname) EOF # set the hostname diff -Nru lxc-1.0.8/templates/lxc-archlinux.in lxc-1.0.9/templates/lxc-archlinux.in --- lxc-1.0.8/templates/lxc-archlinux.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-archlinux.in 2016-11-23 19:10:02.000000000 +0000 @@ -97,6 +97,15 @@ [ "${r#nameserver}" = "$r" ] || echo "$r" done < /etc/resolv.conf > "${rootfs_path}/etc/resolv.conf" + # network configuration + cat > "${rootfs_path}/etc/systemd/network/eth0.network" << EOF +[Match] +Name=eth0 + +[Network] +DHCP=ipv4 +EOF + # chroot and configure system arch-chroot "${rootfs_path}" /bin/bash -s << EOF mkdir /run/lock @@ -120,6 +129,11 @@ # initialize pacman keyring pacman-key --init pacman-key --populate archlinux + +# enable networkd +systemctl enable systemd-networkd +systemctl enable systemd-resolved +ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf EOF return 0 } diff -Nru lxc-1.0.8/templates/lxc-busybox.in lxc-1.0.9/templates/lxc-busybox.in --- lxc-1.0.8/templates/lxc-busybox.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-busybox.in 2016-11-23 19:10:02.000000000 +0000 
@@ -179,13 +179,6 @@ return 1 fi - file -L $(which busybox) | grep -q "statically linked" - if [ $? -ne 0 ]; then - echo "warning : busybox is not statically linked." - echo "warning : The template script may not correctly" - echo "warning : setup the container environment." - fi - # copy busybox in the rootfs cp $(which busybox) $rootfs/bin if [ $? -ne 0 ]; then @@ -205,6 +198,9 @@ # relink /sbin/init ln $rootfs/bin/busybox $rootfs/sbin/init + # /etc/fstab must exist for "mount -a" + touch $rootfs/etc/fstab + # passwd exec must be setuid chmod +s $rootfs/bin/passwd touch $rootfs/etc/shadow diff -Nru lxc-1.0.8/templates/lxc-centos.in lxc-1.0.9/templates/lxc-centos.in --- lxc-1.0.8/templates/lxc-centos.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-centos.in 2016-11-23 19:10:02.000000000 +0000 @@ -1,7 +1,7 @@ #!/bin/bash # -# template script for generating centos container for LXC +# template script for generating CentOS container for LXC # # lxc: linux Container library @@ -65,7 +65,7 @@ lxc_network_type=veth lxc_network_link=lxcbr0 -# is this centos? +# is this CentOS? # Alow for weird remixes like the Raspberry Pi # # Use the Mitre standard CPE identifier for the release ID if possible... @@ -131,8 +131,9 @@ then centos_host_ver=${VERSION_ID} is_centos=true -elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != "" ] +elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -o "${ID}" = "rhel" -a "${VERSION_ID}" != "" ] then + # RHEL 7+ /etc/os-release ID = 'rhel', which doesn't enter this elif without the added OR statement redhat_host_ver=${VERSION_ID} is_redhat=true elif [ -e /etc/centos-release ] @@ -154,7 +155,7 @@ configure_centos() { - # disable selinux in centos + # disable selinux in CentOS mkdir -p $rootfs_path/selinux echo 0 > $rootfs_path/selinux/enforce @@ -243,7 +244,7 @@ DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes -HOSTNAME=${UTSNAME} +HOSTNAME=${utsname} NM_CONTROLLED=no TYPE=Ethernet MTU=${MTU} 
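Review bot: In the `elif` test extended for RHEL in lxc-centos.in, `-a` binds tighter than `-o`, so the expression is evaluated as (CPE_NAME set and ID = redhat) or (ID = rhel and VERSION_ID set) rather than the three-part condition the added comment describes. With ID=redhat an empty VERSION_ID is now accepted, and with ID=rhel an empty CPE_NAME is accepted. Separate tests make the grouping explicit: `elif [ -n "${CPE_NAME}" ] && { [ "${ID}" = "redhat" ] || [ "${ID}" = "rhel" ]; } && [ -n "${VERSION_ID}" ]`.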
@@ -253,7 +254,7 @@ # set the hostname cat < ${rootfs_path}/etc/sysconfig/network NETWORKING=yes -HOSTNAME=${UTSNAME} +HOSTNAME=${utsname} EOF # set minimal hosts @@ -384,7 +385,7 @@ # power-status-changed - shutdown on SIGPWR # start on power-status-changed - + exec /sbin/shutdown -h now "SIGPWR received" EOF fi @@ -393,7 +394,7 @@ download_centos() { - # check the mini centos was not already downloaded + # check the mini CentOS was not already downloaded INSTALL_ROOT=$cache/partial mkdir -p $INSTALL_ROOT if [ $? -ne 0 ]; then @@ -401,8 +402,8 @@ return 1 fi - # download a mini centos into a cache - echo "Downloading centos minimal ..." + # download a mini CentOS into a cache + echo "Downloading CentOS minimal ..." YUM0="yum --installroot $INSTALL_ROOT -y --nogpgcheck" if yum -h | grep -q 'releasever=RELEASEVER'; then @@ -440,6 +441,13 @@ $YUM install $PKG_LIST + # create symlink for /var/run -> ../run + if [ "$release" = "7" ]; then + mv $INSTALL_ROOT/var/run/* $INSTALL_ROOT/run/ + rmdir $INSTALL_ROOT/var/run + ln -sf ../run $INSTALL_ROOT/var/run + fi + if [ $? -ne 0 ]; then echo "Failed to download the rootfs, aborting." return 1 @@ -497,7 +505,7 @@ copy_centos() { - # make a local copy of the mini centos + # make a local copy of the mini CentOS echo -n "Copying rootfs to $rootfs_path ..." #cp -a $cache/rootfs-$arch $rootfs_path || return 1 # i prefer rsync (no reason really) @@ -531,14 +539,14 @@ if [ ! -e "$cache/rootfs" ]; then download_centos if [ $? -ne 0 ]; then - echo "Failed to download 'centos base'" + echo "Failed to download 'CentOS base'" return 1 fi else echo "Cache found. Updating..." update_centos if [ $? -ne 0 ]; then - echo "Failed to update 'centos base', continuing with last known good cache" + echo "Failed to update 'CentOS base', continuing with last known good cache" else echo "Update finished" fi 
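Review bot: The `/var/run` block in `download_centos` is inserted between `$YUM install $PKG_LIST` and the existing `if [ $? -ne 0 ]` check, so `$?` now holds the status of the new `if` statement and a failed yum install is no longer detected. Move the block below the failure check, or capture the status first with `$YUM install $PKG_LIST; rc=$?` and test `$rc`. The `mv`, `rmdir` and `ln` calls also use `$INSTALL_ROOT` unquoted and are not checked individually. The yum command in this function is built with `--nogpgcheck` (visible in the hunk above), so package signatures are not verified either and the exit status check matters all the more. `download_centos` continues outside the hunk.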
@@ -654,7 +662,7 @@ exit 1 fi - echo -n "Purging the download cache for centos-$release..." + echo -n "Purging the download cache for CentOS-$release..." rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1 exit 0 @@ -673,7 +681,7 @@ Optional args: -p,--path path to where the container rootfs will be created, defaults to /var/lib/lxc/name. -c,--clean clean the cache - -R,--release Centos release for the new container. if the host is Centos, then it will defaultto the host's release. + -R,--release CentOS release for the new container. If the host is CentOS, then it will default to the host's release. --fqdn fully qualified domain name (FQDN) for DNS and system naming --repo repository to use (url) -a,--arch Define what arch the container will be [i686,x86_64] @@ -874,13 +882,13 @@ install_centos if [ $? -ne 0 ]; then - echo "failed to install centos" + echo "failed to install CentOS" exit 1 fi configure_centos if [ $? -ne 0 ]; then - echo "failed to configure centos for a container" + echo "failed to configure CentOS for a container" exit 1 fi diff -Nru lxc-1.0.8/templates/lxc-debian.in lxc-1.0.9/templates/lxc-debian.in --- lxc-1.0.8/templates/lxc-debian.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-debian.in 2016-11-23 19:10:02.000000000 +0000 @@ -34,7 +34,7 @@ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin export GREP_OPTIONS="" -MIRROR=${MIRROR:-http://http.debian.net/debian} +MIRROR=${MIRROR:-http://httpredir.debian.org/debian} SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.debian.org/} LOCALSTATEDIR="@LOCALSTATEDIR@" LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" 
@@ -98,6 +98,24 @@ # reconfigure some services + # but first reconfigure locales - so we get no noisy perl-warnings + if [ -z "$LANG" ]; then + cat >> $rootfs/etc/locale.gen << EOF +en_US.UTF-8 UTF-8 +EOF + chroot $rootfs locale-gen en_US.UTF-8 UTF-8 + chroot $rootfs update-locale LANG=en_US.UTF-8 + else + encoding=$(echo $LANG | cut -d. -f2) + chroot $rootfs sed -e "s/^# \(${LANG} ${encoding}\)/\1/" \ + -i /etc/locale.gen 2> /dev/null + cat >> $rootfs/etc/locale.gen << EOF +$LANG $encoding +EOF + chroot $rootfs locale-gen $LANG $encoding + chroot $rootfs update-locale LANG=$LANG + fi + # remove pointless services in a container chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh disable chroot $rootfs /usr/sbin/update-rc.d -f umountfs disable @@ -221,10 +239,18 @@ download_debian() { + case "$release" in + wheezy) + init=sysvinit + ;; + *) + init=init + ;; + esac packages=\ +$init,\ ifupdown,\ locales,\ -libui-dialog-perl,\ dialog,\ isc-dhcp-client,\ netbase,\ @@ -237,6 +263,28 @@ release=$3 trap cleanup EXIT SIGHUP SIGINT SIGTERM + + # Create the cache + mkdir -p "$cache" + + # If debian-archive-keyring isn't installed, fetch GPG keys directly + releasekeyring=/usr/share/keyrings/debian-archive-keyring.gpg + if [ ! -f $releasekeyring ]; then + releasekeyring="$cache/archive-key.gpg" + case $release in + "squeeze") + gpgkeyname="archive-key-6.0" + ;; + "wheezy") + gpgkeyname="archive-key-7.0" + ;; + *) + gpgkeyname="archive-key-8" + ;; + esac + wget https://ftp-master.debian.org/keys/${gpgkeyname}.asc -O - --quiet \ + | gpg --import --no-default-keyring --keyring=${releasekeyring} + fi # check the mini debian was not already downloaded mkdir -p "$cache/partial-$release-$arch" if [ $? -ne 0 ]; then 
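Review bot: The fallback key download in `download_debian` pipes `wget` straight into `gpg --import` without checking either exit status, so a failed or truncated download leaves debootstrap to run against an empty or partial keyring. Trust in the imported key also rests only on the HTTPS connection; comparing the key's fingerprint with a value pinned in the template before importing would make the bootstrap independent of that. The `*)` branch maps every release other than squeeze and wheezy to `archive-key-8`, which should be confirmed for stretch and sid. `download_debian` continues outside the hunk.

```shell
    # … unchanged: releasekeyring and gpgkeyname selection …
        keyfile="$cache/${gpgkeyname}.asc"
        if ! wget "https://ftp-master.debian.org/keys/${gpgkeyname}.asc" -O "$keyfile" --quiet; then
            echo "Failed to download ${gpgkeyname}.asc, aborting."
            return 1
        fi
        # compare the key's fingerprint with a value pinned in this template before importing
        gpg --import --no-default-keyring --keyring="${releasekeyring}" "$keyfile" || return 1
    fi
```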
@@ -247,7 +295,7 @@ # download a mini debian into a cache echo "Downloading debian minimal ..." debootstrap --verbose --variant=minbase --arch=$arch \ - --include=$packages \ + --include=$packages --keyring=${releasekeyring} \ "$release" "$cache/partial-$release-$arch" $MIRROR if [ $? -ne 0 ]; then echo "Failed to download the rootfs, aborting." @@ -394,23 +442,6 @@ # Re-enable service startup rm ${rootfs}/usr/sbin/policy-rc.d - # reconfigure locales - if [ -z "$LANG" ]; then - cat >> $rootfs/etc/locale.gen << EOF -en_US.UTF-8 UTF-8 -EOF - chroot $rootfs locale-gen en_US.UTF-8 UTF-8 - chroot $rootfs update-locale LANG=en_US.UTF-8 - else - encoding=$(echo $LANG | cut -d. -f2) - chroot $rootfs sed -e "s/^# \(${LANG} ${encoding}\)/\1/" \ - -i /etc/locale.gen 2> /dev/null - cat >> $rootfs/etc/locale.gen << EOF -$LANG $encoding -EOF - chroot $rootfs locale-gen $LANG $encoding - chroot $rootfs update-locale LANG=$LANG - fi # end } @@ -453,7 +484,7 @@ -p, --path=PATH directory where config and rootfs of this VM will be kept -a, --arch=ARCH The container architecture. Can be one of: i686, x86_64, amd64, armhf, armel, powerpc. Defaults to host arch. - -r, --release=RELEASE Debian release. Can be one of: squeeze, wheezy, jessie, sid. + -r, --release=RELEASE Debian release. Can be one of: wheezy, jessie, stretch, sid. Defaults to current stable. --mirror=MIRROR Debian mirror to use during installation. Overrides the MIRROR environment variable (see below). @@ -487,6 +518,8 @@ arch="amd64" elif [ "$arch" = "armv7l" ]; then arch="armhf" +elif [ "$arch" = "ppc64le" ]; then + arch="ppc64el" fi hostarch=$arch 
@@ -555,7 +588,7 @@ current_release=`wget ${MIRROR}/dists/stable/Release -O - 2> /dev/null | head |awk '/^Codename: (.*)$/ { print $2; }'` release=${release:-${current_release}} -valid_releases=('squeeze' 'wheezy' 'jessie' 'stretch' 'sid') +valid_releases=('wheezy' 'jessie' 'stretch' 'sid') if [[ ! "${valid_releases[*]}" =~ (^|[^[:alpha:]])$release([^[:alpha:]]|$) ]]; then echo "Invalid release ${release}, valid ones are: ${valid_releases[*]}" exit 1 diff -Nru lxc-1.0.8/templates/lxc-download.in lxc-1.0.9/templates/lxc-download.in --- lxc-1.0.8/templates/lxc-download.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-download.in 2016-11-23 19:10:02.000000000 +0000 @@ -33,7 +33,7 @@ DOWNLOAD_FLUSH_CACHE="false" DOWNLOAD_FORCE_CACHE="false" DOWNLOAD_INTERACTIVE="false" -DOWNLOAD_KEYID="0xBAEFF88C22F6E216" +DOWNLOAD_KEYID="0xE7FB0CAEC8173D669066514CBAEFF88C22F6E216" DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net" DOWNLOAD_LIST_IMAGES="false" DOWNLOAD_MODE="system" @@ -575,7 +575,7 @@ sed -i "s#LXC_HOOK_DIR#$LXC_HOOK_DIR#g" $file done -# prevent mingetty from calling vhangup(2) since it fails with userns on Centos / Oracle +# prevent mingetty from calling vhangup(2) since it fails with userns on CentOS / Oracle if [ -f ${LXC_ROOTFS}/etc/init/tty.conf ]; then sed -i 's|mingetty|mingetty --nohangup|' ${LXC_ROOTFS}/etc/init/tty.conf fi diff -Nru lxc-1.0.8/templates/lxc-fedora.in lxc-1.0.9/templates/lxc-fedora.in --- lxc-1.0.8/templates/lxc-fedora.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-fedora.in 2016-11-23 19:10:02.000000000 +0000 
@@ -560,8 +560,8 @@ # mount image to "squashfs" # mount contained LiveOS to stage0 -# We're going to use the kernel.org mirror for the initial stages... -# 1 - It's generally up to date and comnplete +# We're going to use the archives.fedoraproject.org mirror for the initial stages... +# 1 - It's generally up to date and complete # 2 - It's has high bandwidth access # 3 - It supports rsync and wildcarding (and we need both) # 4 - Not all the mirrors carry the LiveOS images @@ -569,7 +569,7 @@ if [[ ! -f ../LiveOS/squashfs.img ]] then echo " -Downloading stage 0 LiveOS squashfs file system from mirrors.kernel.org... +Downloading stage 0 LiveOS squashfs file system from archives.fedoraproject.org... Have a beer or a cup of coffee. This will take a bit (~300MB). " sleep 3 # let him read it... @@ -1336,6 +1336,10 @@ if [ $? -ne 0 ]; then needed_pkgs="curl $needed_pkgs" fi +type openssl >/dev/null 2>&1 +if [ $? -ne 0 ]; then + needed_pkgs="openssl $needed_pkgs" +fi if [ -n "$needed_pkgs" ]; then echo "Missing commands: $needed_pkgs" diff -Nru lxc-1.0.8/templates/lxc-plamo.in lxc-1.0.9/templates/lxc-plamo.in --- lxc-1.0.8/templates/lxc-plamo.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-plamo.in 2016-11-23 19:10:02.000000000 +0000 @@ -49,7 +49,7 @@ CATEGORIES=${CATEGORIES-"00_base 01_minimum"} EXTRACTGRS=${EXTRACTGRS-""} IGNOREPKGS=${IGNOREPKGS-"grub kernel lilo linux_firmware microcode_ctl - cpufreqd cpufrequtils gpm"} + cpufreqd cpufrequtils gpm ntp kmod"} ADDONPKGS=${ADDONPKGS-"`echo contrib/Hamradio/{morse,qrq}`"} download_plamo() { 
@@ -240,6 +240,14 @@ sh /tmp/netconfig.rconly rm -f /tmp/netconfig.rconly sed -i '/cmdline/s/if/& false \&\&/' $rootfs/etc/rc.d/rc.inet1.tradnet + # /etc/rc.d/rc.inet2 + sed -i '/rpc.mountd/s/^/#/' $rootfs/etc/rc.d/rc.inet2 + sed -i '/modprobe/s/^/#/' $rootfs/etc/rc.d/rc.inet2 + # configure to start only the minimum of service + chmod 644 $rootfs/etc/rc.d/init.d/saslauthd + chmod 644 $rootfs/etc/rc.d/init.d/open-iscsi + rm -f $rootfs/etc/rc.d/init.d/postfix + rm -f $rootfs/var/log/initpkg/shadow return 0 } diff -Nru lxc-1.0.8/templates/lxc-ubuntu-cloud.in lxc-1.0.9/templates/lxc-ubuntu-cloud.in --- lxc-1.0.8/templates/lxc-ubuntu-cloud.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-ubuntu-cloud.in 2016-11-23 19:10:02.000000000 +0000 @@ -25,7 +25,7 @@ HOOK_DIR="@LXCHOOKDIR@" CLONE_HOOK_FN="$HOOK_DIR/ubuntu-cloud-prep" LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" -KNOWN_RELEASES="precise trusty utopic vivid" +KNOWN_RELEASES="precise trusty vivid wily xenial" skip_arch_check=${UCTEMPLATE_SKIP_ARCH_CHECK:-0} # Make sure the usual locations are in PATH @@ -159,8 +159,8 @@ mapped_uid=-1 mapped_gid=-1 -# default release is precise, or the systems release if recognized -release=precise +# default release is trusty, or the systems release if recognized +release=trusty if [ -f /etc/lsb-release ]; then . /etc/lsb-release rels=$(ubuntu-distro-info --supported 2>/dev/null) || @@ -183,7 +183,7 @@ arch="amd64" elif [ "$arch" = "armv7l" ]; then # note: arm images don't exist before oneiric; are called armhf in - # precise and later; and are not supported by the query, so we don't actually + # trusty and later; and are not supported by the query, so we don't actually # support them yet (see check later on). When Query2 is available, # we'll use that to enable arm images. arch="armhf" 
@@ -299,7 +299,11 @@ [ "$stream" = "daily" ] || echo "You may try with '--stream=daily'" exit 1 fi - url2=`echo $url1 | sed -e 's/.tar.gz/-root\0/' -e 's/.tar.gz/.tar.xz/'` + if [ "$release" = "precise" ] || [ "$release" = "trusty" ]; then + url2=`echo $url1 | sed -e 's/.tar.gz/-root\0/' -e 's/.tar.gz/.tar.xz/'` + else + url2=`echo $url1 | sed -e 's/.tar.gz/.squashfs/'` + fi fi filename=`basename $url2` @@ -329,11 +333,15 @@ echo "Extracting container rootfs" mkdir -p $rootfs cd $rootfs - if [ $in_userns -eq 1 ]; then - tar --anchored --exclude="dev/*" --numeric-owner -xpJf "$cache/$filename" - mkdir -p $rootfs/dev/pts/ + if [ "${filename##*.}" = "squashfs" ]; then + unsquashfs -n -f -d "$rootfs" "$cache/$filename" else - tar --numeric-owner -xpJf "$cache/$filename" + if [ $in_userns -eq 1 ]; then + tar --anchored --exclude="dev/*" --numeric-owner -xpf "$cache/$filename" + mkdir -p $rootfs/dev/pts/ + else + tar --numeric-owner -xpf "$cache/$filename" + fi fi } diff -Nru lxc-1.0.8/templates/lxc-ubuntu.in lxc-1.0.9/templates/lxc-ubuntu.in --- lxc-1.0.8/templates/lxc-ubuntu.in 2015-11-09 22:49:15.000000000 +0000 +++ lxc-1.0.9/templates/lxc-ubuntu.in 2016-11-23 19:10:02.000000000 +0000 @@ -294,6 +294,17 @@ arch=$2 release=$3 + case $2 in + amd64|i386) + MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu} + SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu} + ;; + *) + MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports} + SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports} + ;; + esac + packages_template=${packages_template:-"ssh,vim"} # Try to guess a list of langpacks to install 
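Review bot: The new squashfs branch in lxc-ubuntu-cloud.in runs `unsquashfs` the same way whether or not `$in_userns` is set, whereas the tar branch keeps its `--exclude="dev/*"` handling and creates `$rootfs/dev/pts/` for the user-namespace case. An unprivileged extraction presumably cannot create the image's device nodes either, so the squashfs path should skip `dev` and create `dev/pts` as the tar path does, or carry a comment explaining why that is not needed. The tar branch also changed from `-xpJf` to `-xpf`, which relies on tar detecting the compression itself. The enclosing function starts outside the hunk.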
@@ -348,7 +359,13 @@ EOF chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d - lxc-unshare -s MOUNT -- chroot "$1/partial-${arch}" apt-get dist-upgrade -y || { suggest_flush; false; } + ( + cat << EOF + mount -t proc proc "${1}/partial-${arch}/proc" + chroot "${1}/partial-${arch}" apt-get dist-upgrade -y +EOF + ) | lxc-unshare -s MOUNT -- sh -eu || (suggest_flush; false) + rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d chroot "$1/partial-${arch}" apt-get clean diff -Nru lxc-1.0.8/templates/Makefile.in lxc-1.0.9/templates/Makefile.in --- lxc-1.0.8/templates/Makefile.in 2015-11-09 22:49:20.000000000 +0000 +++ lxc-1.0.9/templates/Makefile.in 2016-11-23 19:10:07.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
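Review bot: The here-document in the `@@ -348,7 +359,13 @@` hunk uses an unquoted `EOF`, so `${1}` and `${arch}` are expanded by the outer shell and their values become script text that the inner `sh -eu` parses a second time. A cache path containing `"`, `$` or a backquote would be re-interpreted there with the template's privileges. Passing the directory as a positional argument avoids the second parse: `lxc-unshare -s MOUNT -- sh -euc 'mount -t proc proc "$1/proc"; chroot "$1" apt-get dist-upgrade -y' sh "$1/partial-${arch}" || { suggest_flush; false; }`. The enclosing function starts and ends outside the hunk, so how `$1` is derived is not visible. If it is always a fixed cache directory, the practical risk is low.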
@@ -79,21 +89,12 @@ build_triplet = @build@ host_triplet = @host@ subdir = templates -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/lxc-alpine.in $(srcdir)/lxc-altlinux.in \ - $(srcdir)/lxc-archlinux.in $(srcdir)/lxc-busybox.in \ - $(srcdir)/lxc-centos.in $(srcdir)/lxc-cirros.in \ - $(srcdir)/lxc-debian.in $(srcdir)/lxc-download.in \ - $(srcdir)/lxc-fedora.in $(srcdir)/lxc-gentoo.in \ - $(srcdir)/lxc-openmandriva.in $(srcdir)/lxc-opensuse.in \ - $(srcdir)/lxc-oracle.in $(srcdir)/lxc-plamo.in \ - $(srcdir)/lxc-sshd.in $(srcdir)/lxc-ubuntu.in \ - $(srcdir)/lxc-ubuntu-cloud.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/config/acinclude.m4 \ $(top_srcdir)/config/tls.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = lxc-alpine lxc-altlinux lxc-archlinux lxc-busybox \ @@ -150,6 +151,15 @@ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/lxc-alpine.in \ + $(srcdir)/lxc-altlinux.in $(srcdir)/lxc-archlinux.in \ + $(srcdir)/lxc-busybox.in $(srcdir)/lxc-centos.in \ + $(srcdir)/lxc-cirros.in $(srcdir)/lxc-debian.in \ + $(srcdir)/lxc-download.in $(srcdir)/lxc-fedora.in \ + $(srcdir)/lxc-gentoo.in $(srcdir)/lxc-openmandriva.in \ + $(srcdir)/lxc-opensuse.in $(srcdir)/lxc-oracle.in \ + $(srcdir)/lxc-plamo.in $(srcdir)/lxc-sshd.in \ + $(srcdir)/lxc-ubuntu-cloud.in $(srcdir)/lxc-ubuntu.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -266,6 +276,7 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +bashcompdir = @bashcompdir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -304,6 +315,7 @@ psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -347,7 +359,6 @@ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu templates/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu templates/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -588,6 +599,8 @@ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags-am \ uninstall uninstall-am uninstall-templatesSCRIPTS +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded.