diff -Nru lxc-1.0.9/config/apparmor/Makefile.in lxc-1.0.10/config/apparmor/Makefile.in --- lxc-1.0.9/config/apparmor/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/apparmor/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -150,6 +150,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ @@ -399,8 +400,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@ENABLE_APPARMOR_FALSE@install-data-local: @ENABLE_APPARMOR_FALSE@uninstall-local: +@ENABLE_APPARMOR_FALSE@install-data-local: clean: clean-am clean-am: clean-generic mostlyclean-am diff -Nru lxc-1.0.9/config/bash/Makefile.in lxc-1.0.10/config/bash/Makefile.in --- lxc-1.0.9/config/bash/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/bash/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -182,6 +182,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/config.guess lxc-1.0.10/config/config.guess --- lxc-1.0.9/config/config.guess 2016-11-23 19:10:05.000000000 +0000 +++ lxc-1.0.10/config/config.guess 2017-05-11 17:03:27.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2015-08-20' +timestamp='2016-10-02' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by 
@@ -27,7 +27,7 @@ # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to . @@ -50,7 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -186,9 +186,12 @@ *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched - # to ELF recently, or will in the future. + # to ELF recently (or will in the future) and ABI. case "${UNAME_MACHINE_ARCH}" in - arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax) + earm*) + os=netbsdelf + ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ @@ -237,6 +240,10 @@ UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; 
@@ -268,42 +275,42 @@ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 
@@ -376,16 +383,16 @@ exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build - SUN_ARCH="i386" + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` @@ -410,7 +417,7 @@ exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} @@ -635,13 +642,13 @@ sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi @@ -680,11 +687,11 @@ exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ ${HP_ARCH} = hppa2.0w ] then eval $set_cc_for_build 
@@ -697,12 +704,12 @@ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} @@ -807,14 +814,14 @@ echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 
@@ -896,7 +903,7 @@ exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix @@ -919,7 +926,7 @@ EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) @@ -965,6 +972,9 @@ ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -990,6 +1000,9 @@ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; + mips64el:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; @@ -1022,6 +1035,9 @@ ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; @@ -1120,7 +1136,7 @@ # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; 
@@ -1269,6 +1285,9 @@ SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; @@ -1282,9 +1301,9 @@ UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in @@ -1306,7 +1325,7 @@ exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi @@ -1337,7 +1356,7 @@ # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" @@ -1379,7 +1398,7 @@ echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos 
@@ -1390,23 +1409,25 @@ x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; esac cat >&2 < in order to provide the needed -information to handle your system. +If $0 has already been updated, send the following data and any +information you think might be pertinent to config-patches@gnu.org to +provide the necessary information to handle your system. config.guess timestamp = $timestamp diff -Nru lxc-1.0.9/config/config.sub lxc-1.0.10/config/config.sub --- lxc-1.0.9/config/config.sub 2016-11-23 19:10:05.000000000 +0000 +++ lxc-1.0.10/config/config.sub 2017-05-11 17:03:27.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2015-08-20' +timestamp='2016-11-04' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -33,7 +33,7 @@ # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -53,8 +53,7 @@ me=`echo "$0" | sed -e 's,.*/,,'` usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. @@ -68,7 +67,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -118,7 +117,7 @@ nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ - kopensolaris*-gnu* | \ + kopensolaris*-gnu* | cloudabi*-eabi* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` @@ -302,6 +301,7 @@ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pru \ | pyramid \ | riscv32 | riscv64 \ | rl78 | rx \ @@ -429,6 +429,7 @@ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pru-* \ | pyramid-* \ | riscv32-* | riscv64-* \ | rl78-* | romp-* | rs6000-* | rx-* \ @@ -521,7 +522,7 @@ basic_machine=i386-pc os=-aros ;; - asmjs) + asmjs) basic_machine=asmjs-unknown ;; aux) @@ -644,6 +645,14 @@ basic_machine=m68k-bull os=-sysv3 ;; + e500v[12]) + basic_machine=powerpc-unknown + os=$os"spe" + ;; + e500v[12]-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + os=$os"spe" + ;; ebmon29k) basic_machine=a29k-amd os=-ebmon @@ -1023,7 +1032,7 @@ ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppcle | powerpclittle | ppc-le | powerpc-little) + ppcle | powerpclittle) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) @@ -1033,7 +1042,7 @@ ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppc64le | powerpc64little | ppc64-le | powerpc64-little) + ppc64le | powerpc64little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) 
@@ -1383,14 +1392,14 @@ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ @@ -1399,7 +1408,8 @@ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ + | -onefs* | -tirtos* | -phoenix* | -fuchsia*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1531,6 +1541,8 @@ ;; -nacl*) ;; + -ios) + ;; -none) ;; *) diff -Nru lxc-1.0.9/config/etc/Makefile.in lxc-1.0.10/config/etc/Makefile.in --- lxc-1.0.9/config/etc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/etc/Makefile.in 2017-05-11 17:03:27.000000000 +0000 
@@ -180,6 +180,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/init/Makefile.in lxc-1.0.10/config/init/Makefile.in --- lxc-1.0.9/config/init/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/init/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -210,6 +210,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/init/systemd/lxc.service lxc-1.0.10/config/init/systemd/lxc.service --- lxc-1.0.9/config/init/systemd/lxc.service 2016-11-23 19:11:18.000000000 +0000 +++ lxc-1.0.10/config/init/systemd/lxc.service 2017-05-11 17:03:31.000000000 +0000 @@ -10,6 +10,7 @@ ExecStop=/usr/local/libexec/lxc/lxc-autostart-helper stop # Environment=BOOTUP=serial # Environment=CONSOLETYPE=serial +Delegate=yes StandardOutput=syslog StandardError=syslog diff -Nru lxc-1.0.9/config/init/systemd/lxc.service.in lxc-1.0.10/config/init/systemd/lxc.service.in --- lxc-1.0.9/config/init/systemd/lxc.service.in 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/config/init/systemd/lxc.service.in 2017-05-11 17:03:26.000000000 +0000 @@ -10,6 +10,7 @@ ExecStop=@LIBEXECDIR@/lxc/lxc-autostart-helper stop # Environment=BOOTUP=serial # Environment=CONSOLETYPE=serial +Delegate=yes StandardOutput=syslog StandardError=syslog diff -Nru lxc-1.0.9/config/init/systemd/Makefile.in lxc-1.0.10/config/init/systemd/Makefile.in --- lxc-1.0.9/config/init/systemd/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/init/systemd/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -180,6 +180,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ 
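Review bot: `Delegate=yes` is added to both lxc.service.in and the generated lxc.service without any comment, yet it changes how systemd treats the cgroups under this unit (it stops managing the subtree and hands it to whatever the service starts), which is exactly the kind of line an operator auditing the unit will want explained. I would put a one-line comment above it in lxc.service.in, which the generated copy presumably follows: `# Delegate=yes: hand this unit's cgroup subtree to lxc-autostart-helper so systemd does not rewrite the cgroups created below it for containers`. The unit runs unprivileged-hostile code as root already, so the directive adds no new privilege, but it does mean systemd resource accounting and cleanup no longer cover the processes the helper places in child cgroups; that caveat is worth stating in the same comment. Newer systemd versions appear to accept a controller list for `Delegate=` instead of a plain boolean, which would narrow what is handed over if the helper only needs a subset — confirm against the minimum systemd version the package targets before switching.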
@@ -467,8 +468,8 @@ @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -@INIT_SCRIPT_SYSTEMD_FALSE@uninstall-local: @INIT_SCRIPT_SYSTEMD_FALSE@install-data-local: +@INIT_SCRIPT_SYSTEMD_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic mostlyclean-am diff -Nru lxc-1.0.9/config/init/sysvinit/Makefile.in lxc-1.0.10/config/init/sysvinit/Makefile.in --- lxc-1.0.9/config/init/sysvinit/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/init/sysvinit/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -150,6 +150,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ @@ -389,8 +390,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@INIT_SCRIPT_SYSV_FALSE@install-data-local: @INIT_SCRIPT_SYSV_FALSE@uninstall-local: +@INIT_SCRIPT_SYSV_FALSE@install-data-local: clean: clean-am clean-am: clean-generic mostlyclean-am diff -Nru lxc-1.0.9/config/init/upstart/Makefile.in lxc-1.0.10/config/init/upstart/Makefile.in --- lxc-1.0.9/config/init/upstart/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/init/upstart/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -150,6 +150,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/Makefile.in lxc-1.0.10/config/Makefile.in --- lxc-1.0.9/config/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/Makefile.in 2017-05-11 17:03:27.000000000 +0000 
@@ -211,6 +211,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/selinux/Makefile.in lxc-1.0.10/config/selinux/Makefile.in --- lxc-1.0.9/config/selinux/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/selinux/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -180,6 +180,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/templates/Makefile.in lxc-1.0.10/config/templates/Makefile.in --- lxc-1.0.9/config/templates/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/templates/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -204,6 +204,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/config/yum/Makefile.in lxc-1.0.10/config/yum/Makefile.in --- lxc-1.0.9/config/yum/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/config/yum/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -180,6 +180,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/configure lxc-1.0.10/configure --- lxc-1.0.9/configure 2016-11-23 19:10:05.000000000 +0000 +++ lxc-1.0.10/configure 2017-05-11 17:03:26.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for lxc 1.0.9. +# Generated by GNU Autoconf 2.69 for lxc 1.0.10. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='lxc' PACKAGE_TARNAME='lxc' -PACKAGE_VERSION='1.0.9' -PACKAGE_STRING='lxc 1.0.9' +PACKAGE_VERSION='1.0.10' +PACKAGE_STRING='lxc 1.0.10' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -705,6 +705,9 @@ SELINUX_LIBS ENABLE_SELINUX_FALSE ENABLE_SELINUX_TRUE +GNUTLS_LIBS +ENABLE_GNUTLS_FALSE +ENABLE_GNUTLS_TRUE APPARMOR_LIBS ENABLE_APPARMOR_FALSE ENABLE_APPARMOR_TRUE @@ -843,6 +846,7 @@ enable_doc enable_api_docs enable_apparmor +enable_gnutls enable_selinux enable_seccomp enable_cgmanager @@ -1443,7 +1447,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures lxc 1.0.9 to adapt to many kinds of systems. +\`configure' configures lxc 1.0.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1514,7 +1518,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of lxc 1.0.9:";; + short | recursive ) echo "Configuration of lxc 1.0.10:";; esac cat <<\_ACEOF @@ -1532,6 +1536,7 @@ --enable-doc make man pages [default=auto] --enable-api-docs make API documentation [default=auto] --enable-apparmor enable apparmor support [default=auto] + --enable-gnutls enable GnuTLS support [default=auto] --enable-selinux enable SELinux support [default=auto] --enable-seccomp enable seccomp support [default=auto] --enable-cgmanager enable cgmanager support [default=auto] @@ -1674,7 +1679,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -lxc configure 1.0.9 +lxc configure 1.0.10 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2139,7 +2144,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by lxc $as_me 1.0.9, which was +It was created by lxc $as_me 1.0.10, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2610,7 +2615,7 @@ fi fi -LXC_VERSION_BASE=1.0.9 +LXC_VERSION_BASE=1.0.10 @@ -2618,9 +2623,9 @@ LXC_VERSION_MINOR=0 -LXC_VERSION_MICRO=9 +LXC_VERSION_MICRO=10 -LXC_VERSION=1.0.9 +LXC_VERSION=1.0.10 @@ -3141,7 +3146,7 @@ # Define the identity of the package. PACKAGE='lxc' - VERSION='1.0.9' + VERSION='1.0.10' cat >>confdefs.h <<_ACEOF 
@@ -5395,7 +5400,77 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gnutls_hash_fast in -lgnutls" >&5 +if test -z "$ENABLE_APPARMOR_TRUE"; then : + ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : + +else + as_fn_error $? "You must install the AppArmor development package in order to compile lxc" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for aa_change_profile in -lapparmor" >&5 +$as_echo_n "checking for aa_change_profile in -lapparmor... " >&6; } +if ${ac_cv_lib_apparmor_aa_change_profile+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lapparmor $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char aa_change_profile (); +int +main () +{ +return aa_change_profile (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_apparmor_aa_change_profile=yes +else + ac_cv_lib_apparmor_aa_change_profile=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_apparmor_aa_change_profile" >&5 +$as_echo "$ac_cv_lib_apparmor_aa_change_profile" >&6; } +if test "x$ac_cv_lib_apparmor_aa_change_profile" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBAPPARMOR 1 +_ACEOF + + LIBS="-lapparmor $LIBS" + +else + as_fn_error $? "You must install the AppArmor development package in order to compile lxc" "$LINENO" 5 +fi + + APPARMOR_LIBS=-lapparmor + +fi + +# GnuTLS +# Check whether --enable-gnutls was given. 
+if test "${enable_gnutls+set}" = set; then : + enableval=$enable_gnutls; +else + enable_gnutls=auto +fi + + +if test "$enable_gnutls" = "auto" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gnutls_hash_fast in -lgnutls" >&5 $as_echo_n "checking for gnutls_hash_fast in -lgnutls... " >&6; } if ${ac_cv_lib_gnutls_gnutls_hash_fast+:} false; then : $as_echo_n "(cached) " >&6 @@ -5437,23 +5512,32 @@ enable_gnutls=no fi +fi + if test "x$enable_gnutls" = "xyes"; then + ENABLE_GNUTLS_TRUE= + ENABLE_GNUTLS_FALSE='#' +else + ENABLE_GNUTLS_TRUE='#' + ENABLE_GNUTLS_FALSE= +fi -if test -z "$ENABLE_APPARMOR_TRUE"; then : - ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" -if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : + +if test -z "$ENABLE_GNUTLS_TRUE"; then : + ac_fn_c_check_header_mongrel "$LINENO" "gnutls/gnutls.h" "ac_cv_header_gnutls_gnutls_h" "$ac_includes_default" +if test "x$ac_cv_header_gnutls_gnutls_h" = xyes; then : else - as_fn_error $? "You must install the AppArmor development package in order to compile lxc" "$LINENO" 5 + as_fn_error $? "You must install the GnuTLS development package in order to compile lxc" "$LINENO" 5 fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for aa_change_profile in -lapparmor" >&5 -$as_echo_n "checking for aa_change_profile in -lapparmor... " >&6; } -if ${ac_cv_lib_apparmor_aa_change_profile+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gnutls_hash_fast in -lgnutls" >&5 +$as_echo_n "checking for gnutls_hash_fast in -lgnutls... " >&6; } +if ${ac_cv_lib_gnutls_gnutls_hash_fast+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lapparmor $LIBS" +LIBS="-lgnutls $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -5463,38 +5547,38 @@ #ifdef __cplusplus extern "C" #endif -char aa_change_profile (); +char gnutls_hash_fast (); int main () { -return aa_change_profile (); +return gnutls_hash_fast (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_apparmor_aa_change_profile=yes + ac_cv_lib_gnutls_gnutls_hash_fast=yes else - ac_cv_lib_apparmor_aa_change_profile=no + ac_cv_lib_gnutls_gnutls_hash_fast=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_apparmor_aa_change_profile" >&5 -$as_echo "$ac_cv_lib_apparmor_aa_change_profile" >&6; } -if test "x$ac_cv_lib_apparmor_aa_change_profile" = xyes; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gnutls_gnutls_hash_fast" >&5 +$as_echo "$ac_cv_lib_gnutls_gnutls_hash_fast" >&6; } +if test "x$ac_cv_lib_gnutls_gnutls_hash_fast" = xyes; then : cat >>confdefs.h <<_ACEOF -#define HAVE_LIBAPPARMOR 1 +#define HAVE_LIBGNUTLS 1 _ACEOF - LIBS="-lapparmor $LIBS" + LIBS="-lgnutls $LIBS" else - as_fn_error $? "You must install the AppArmor development package in order to compile lxc" "$LINENO" 5 + as_fn_error $? "You must install the GnuTLS development package in order to compile lxc" "$LINENO" 5 fi - APPARMOR_LIBS=-lapparmor + GNUTLS_LIBS=-lgnutls fi 
@@ -8775,6 +8859,58 @@ done +# lookup major()/minor()/makedev() +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sys/types.h defines makedev" >&5 +$as_echo_n "checking whether sys/types.h defines makedev... " >&6; } +if ${ac_cv_header_sys_types_h_makedev+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +return makedev(0, 0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_header_sys_types_h_makedev=yes +else + ac_cv_header_sys_types_h_makedev=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_sys_types_h_makedev" >&5 +$as_echo "$ac_cv_header_sys_types_h_makedev" >&6; } + +if test $ac_cv_header_sys_types_h_makedev = no; then +ac_fn_c_check_header_mongrel "$LINENO" "sys/mkdev.h" "ac_cv_header_sys_mkdev_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_mkdev_h" = xyes; then : + +$as_echo "#define MAJOR_IN_MKDEV 1" >>confdefs.h + +fi + + + + if test $ac_cv_header_sys_mkdev_h = no; then + ac_fn_c_check_header_mongrel "$LINENO" "sys/sysmacros.h" "ac_cv_header_sys_sysmacros_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_sysmacros_h" = xyes; then : + +$as_echo "#define MAJOR_IN_SYSMACROS 1" >>confdefs.h + +fi + + + fi +fi + + # Check for some syscalls functions for ac_func in setns pivot_root sethostname unshare rand_r confstr faccessat do : 
@@ -9410,6 +9546,10 @@ as_fn_error $? "conditional \"ENABLE_APPARMOR\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_GNUTLS_TRUE}" && test -z "${ENABLE_GNUTLS_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_GNUTLS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ENABLE_SELINUX_TRUE}" && test -z "${ENABLE_SELINUX_FALSE}"; then as_fn_error $? "conditional \"ENABLE_SELINUX\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -9871,7 +10011,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by lxc $as_me 1.0.9, which was +This file was extended by lxc $as_me 1.0.10, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -9941,7 +10081,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -lxc config.status 1.0.9 +lxc config.status 1.0.10 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru lxc-1.0.9/configure.ac lxc-1.0.10/configure.ac --- lxc-1.0.9/configure.ac 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/configure.ac 2017-05-11 17:03:26.000000000 +0000 @@ -3,7 +3,7 @@ m4_define([lxc_version_major], 1) m4_define([lxc_version_minor], 0) -m4_define([lxc_version_micro], 9) +m4_define([lxc_version_micro], 10) m4_define([lxc_version_beta], []) m4_define([lxc_version_base], [lxc_version_major.lxc_version_minor.lxc_version_micro]) 
@@ -202,13 +202,26 @@ fi AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" = "xyes"]) -AC_CHECK_LIB([gnutls], [gnutls_hash_fast], [enable_gnutls=yes], [enable_gnutls=no]) - AM_COND_IF([ENABLE_APPARMOR], [AC_CHECK_HEADER([sys/apparmor.h],[],[AC_MSG_ERROR([You must install the AppArmor development package in order to compile lxc])]) AC_CHECK_LIB([apparmor], [aa_change_profile],[],[AC_MSG_ERROR([You must install the AppArmor development package in order to compile lxc])]) AC_SUBST([APPARMOR_LIBS], [-lapparmor])]) +# GnuTLS +AC_ARG_ENABLE([gnutls], + [AC_HELP_STRING([--enable-gnutls], [enable GnuTLS support [default=auto]])], + [], [enable_gnutls=auto]) + +if test "$enable_gnutls" = "auto" ; then + AC_CHECK_LIB([gnutls], [gnutls_hash_fast], [enable_gnutls=yes], [enable_gnutls=no]) +fi +AM_CONDITIONAL([ENABLE_GNUTLS], [test "x$enable_gnutls" = "xyes"]) + +AM_COND_IF([ENABLE_GNUTLS], + [AC_CHECK_HEADER([gnutls/gnutls.h],[],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])]) + AC_CHECK_LIB([gnutls], [gnutls_hash_fast],[],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])]) + AC_SUBST([GNUTLS_LIBS], [-lgnutls])]) + # SELinux AC_ARG_ENABLE([selinux], [AC_HELP_STRING([--enable-selinux], [enable SELinux support [default=auto]])], @@ -552,6 +565,9 @@ # Check for some headers AC_CHECK_HEADERS([sys/signalfd.h pty.h ifaddrs.h sys/capability.h sys/personality.h utmpx.h sys/timerfd.h]) +# lookup major()/minor()/makedev() +AC_HEADER_MAJOR + # Check for some syscalls functions AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat]) diff -Nru lxc-1.0.9/debian/changelog lxc-1.0.10/debian/changelog --- lxc-1.0.9/debian/changelog 2017-01-04 17:39:09.000000000 +0000 +++ lxc-1.0.10/debian/changelog 2017-05-23 18:44:34.000000000 +0000 
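Review bot: The `auto` branch of the new `--enable-gnutls` block silently sets `enable_gnutls=no` when `gnutls_hash_fast` is not found, so a build can lose GnuTLS support with nothing in the configure output beyond the library probe's result line. Reporting the effective choice, e.g. `AC_MSG_NOTICE([GnuTLS support: $enable_gnutls])` after the `AM_CONDITIONAL([ENABLE_GNUTLS], ...)` line, makes the outcome visible in build logs, which is where such a downgrade is usually noticed first. The second `AC_CHECK_LIB` inside `AM_COND_IF` is answered from the cache variable (`ac_cv_lib_gnutls_gnutls_hash_fast` in the generated configure above) when `auto` already ran it, so the duplication is harmless, and an explicit `--enable-gnutls` is the case that reaches the `AC_MSG_ERROR` as intended. The `test "$enable_gnutls" = "auto"` condition also drops the `x` prefix that the neighbouring `test "x$enable_apparmor" = "xyes"` tests use; `test "x$enable_gnutls" = "xauto"` keeps the file's own style.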
@@ -1,3 +1,60 @@ +lxc (1.0.10-0ubuntu1) trusty; urgency=medium + + * New upstream bugfix release. (LP: #1693002) + - Security fix for CVE-2016-10124 + - Security fix for CVE-2017-5985 + + - attach: simplify lsm_openat() + - commands: improve logging + - utils: add macro __LXC_NUMSTRLEN + - tests; Don't cause test failures on cleanup errors + - conf: clearly report to either use drop or keep + - attach: close lsm label file descriptor + - conf, attach: save errno across call to close + - templates/lxc-debian.in: Fix typo in calling dpkg with + --print-foreign-architectures option + - templates/lxc-debian.in: handle ppc hostarch -> powerpc + - Fix regression in errno handling cherry-pick + - don't try to get stuff from /usr/lib/systemd on the host + - lxc-opensuse: rm poweroff.target -> sigpwr.target copy + - Add --enable-gnutls option + - tests: skip unpriv tests on broken overlay module + - Use AC_HEADER_MAJOR to detect major()/minor()/makedev() + - Make lxc-start-ephemeral Python 3.2-compatible + - systemd: enable delegate in service file + - confile: clear lxc.network..ipv{4,6} when empty + - seccomp: allow x32 guests on amd64 hosts. 
+ - squeeze is not a supported release anymore, drop the key + - seccomp: set SCMP_FLTATR_ATL_TSKIP if available + - lxc-checkconfig: verify new[ug]idmap are setuid-root + - python3: Deal with potential NULL char* + - lxc-download.in / allow setting keyserver from env + - lxc-download.in / Document keyserver change in help + - Change variable check to match existing style + - tests: Support running on IPv6 networks + - tests: Kill containers (don't wait for shutdown) + - Fix opening wrong file in suggest_default_idmap + - lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals + - Increased buffer length in print_stats() + - remove obsolete note about api stability + - conf: less error prone pointer access + - create ISSUE_TEMPLATE.md + - issue template: fix typo + - conf: order mount options + - commands: avoid NULL pointer dereference + - commands: non-functional changes + - lxccontainer: avoid NULL pointer dereference + + -- Stéphane Graber Tue, 23 May 2017 14:44:34 -0400 + +lxc (1.0.9-0ubuntu3) trusty-security; urgency=medium + + * SECURITY UPDATE: lxc-user-nic doesn't check netns ownership (LP: #1654676) + - Ensure target netns is caller-owned + - CVE-2017-5985 + + -- Stéphane Graber Tue, 07 Mar 2017 14:39:58 -0500 + lxc (1.0.9-0ubuntu2) trusty; urgency=medium * Cherry-pick upstream bugfix (LP: #1647016): diff -Nru lxc-1.0.9/debian/.git-dpm lxc-1.0.10/debian/.git-dpm --- lxc-1.0.9/debian/.git-dpm 2017-01-04 17:38:31.000000000 +0000 +++ lxc-1.0.10/debian/.git-dpm 2017-05-23 18:37:28.000000000 +0000 
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-7f435a074b1b83a4adca9c86c80ea9a801e34c42
-7f435a074b1b83a4adca9c86c80ea9a801e34c42
-4ebaab00acc06e471c8baa87b2d8e2ec1b10904b
-4ebaab00acc06e471c8baa87b2d8e2ec1b10904b
-lxc_1.0.9.orig.tar.gz
-3d01de9925430a0914d8df304ac31a74e0b6fbfc
-851593
+747d15d0dc454f7ee5ac4e5da16424dfb4a48775
+747d15d0dc454f7ee5ac4e5da16424dfb4a48775
+747d15d0dc454f7ee5ac4e5da16424dfb4a48775
+747d15d0dc454f7ee5ac4e5da16424dfb4a48775
+lxc_1.0.10.orig.tar.gz
+9d67ffc3a07ab8052aca208644c9849232576664
+846212
diff -Nru lxc-1.0.9/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch lxc-1.0.10/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch
--- lxc-1.0.9/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch 2017-01-04 17:38:31.000000000 +0000
+++ lxc-1.0.10/debian/patches/0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@ -From 7f435a074b1b83a4adca9c86c80ea9a801e34c42 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 25 Dec 2016 12:26:17 +0100 -Subject: tests: skip unpriv tests on broken overlay module - -This mainly affects Trusty. The 3.13 kernel has a broken overlay module which -does not handle symlinks correctly. This is a problem for containers that use -an overlay based rootfs since safe_mount() uses /proc//fd/ in -its calls to mount(). - -Signed-off-by: Christian Brauner ---- - src/tests/lxc-test-unpriv | 35 +++++++++++++++++++++++++++++++++++ - 1 file changed, 35 insertions(+) - -diff --git a/src/tests/lxc-test-unpriv b/src/tests/lxc-test-unpriv -index 93c91a9..54ddc66 100755 ---- a/src/tests/lxc-test-unpriv -+++ b/src/tests/lxc-test-unpriv -@@ -27,6 +27,41 @@ if [ $(id -u) -ne 0 ]; then - echo "ERROR: Must run as root." - exit 1 - fi -+ -+# Test if we're using an overlayfs module that handles symlinks correctly. If -+# not, we skip these tests since overlay clones will not work correctly. -+if modprobe -q overlayfs; then -+ TMPDIR=$(mktemp -d) -+ -+ MOUNTDIR="${TMPDIR}/ovl_symlink_test" -+ -+ mkdir ${MOUNTDIR} -+ -+ mount -t tmpfs none ${MOUNTDIR} -+ -+ mkdir "${MOUNTDIR}/lowerdir" "${MOUNTDIR}/upperdir" "${MOUNTDIR}/overlayfs" -+ mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir" none "${MOUNTDIR}/overlayfs" -+ -+ CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/dummy_file" -+ exec 9> "${CORRECT_LINK_TARGET}" -+ -+ DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9) -+ -+ # cleanup -+ exec 9>&- -+ -+ umount "${MOUNTDIR}/overlayfs" -+ umount ${MOUNTDIR} -+ -+ rmdir ${MOUNTDIR} -+ -+ # This overlay module does not correctly handle symlinks, so skip the -+ # tests. 
-+ if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then -+ exit 0 -+ fi -+fi -+ - which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; } - - DONE=0 diff -Nru lxc-1.0.9/debian/patches/series lxc-1.0.10/debian/patches/series --- lxc-1.0.9/debian/patches/series 2017-01-04 17:38:31.000000000 +0000 +++ lxc-1.0.10/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -0001-tests-skip-unpriv-tests-on-broken-overlay-module.patch diff -Nru lxc-1.0.9/doc/api/Makefile.in lxc-1.0.10/doc/api/Makefile.in --- lxc-1.0.9/doc/api/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/doc/api/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -150,6 +150,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/doc/examples/Makefile.in lxc-1.0.10/doc/examples/Makefile.in --- lxc-1.0.9/doc/examples/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/doc/examples/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -186,6 +186,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/doc/ja/Makefile.in lxc-1.0.10/doc/ja/Makefile.in --- lxc-1.0.9/doc/ja/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/doc/ja/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -274,6 +274,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/doc/Makefile.in lxc-1.0.10/doc/Makefile.in --- lxc-1.0.9/doc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/doc/Makefile.in 2017-05-11 17:03:27.000000000 +0000 
@@ -276,6 +276,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/doc/rootfs/Makefile.in lxc-1.0.10/doc/rootfs/Makefile.in --- lxc-1.0.9/doc/rootfs/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/doc/rootfs/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -180,6 +180,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/hooks/Makefile.in lxc-1.0.10/hooks/Makefile.in --- lxc-1.0.9/hooks/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/hooks/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -180,6 +180,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/lxc.spec lxc-1.0.10/lxc.spec --- lxc-1.0.9/lxc.spec 2016-11-23 19:11:17.000000000 +0000 +++ lxc-1.0.10/lxc.spec 2017-05-11 17:03:31.000000000 +0000 @@ -45,7 +45,7 @@ %endif Name: lxc -Version: 1.0.9 +Version: 1.0.10 Release: %{?beta_rel:0.1.%{beta_rel}}%{?!beta_rel:%{norm_rel}}%{?dist} URL: http://linuxcontainers.org Source: http://linuxcontainers.org/downloads/%{name}-%{version}%{?beta_dot}.tar.gz diff -Nru lxc-1.0.9/Makefile.in lxc-1.0.10/Makefile.in --- lxc-1.0.9/Makefile.in 2016-11-23 19:10:05.000000000 +0000 +++ lxc-1.0.10/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -272,6 +272,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/README lxc-1.0.10/README --- lxc-1.0.9/README 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/README 2017-05-11 17:03:26.000000000 +0000 
@@ -59,9 +59,6 @@ Portability: - lxc is still in development, so the command syntax and the API can - change. The version 1.0.0 will be the frozen version. - lxc is developed and tested on Linux since kernel mainline version 2.6.27 (without network) and 2.6.29 with network isolation. It's compiled with gcc, and should work on most architectures as long as the diff -Nru lxc-1.0.9/src/config.h.in lxc-1.0.10/src/config.h.in --- lxc-1.0.9/src/config.h.in 2016-11-23 19:11:33.000000000 +0000 +++ lxc-1.0.10/src/config.h.in 2017-05-11 17:03:35.000000000 +0000 @@ -44,6 +44,9 @@ /* Define to 1 if you have the `apparmor' library (-lapparmor). */ #undef HAVE_LIBAPPARMOR +/* Define to 1 if you have the `gnutls' library (-lgnutls). */ +#undef HAVE_LIBGNUTLS + /* Define to 1 if you have the `pthread' library (-lpthread). */ #undef HAVE_LIBPTHREAD @@ -143,6 +146,14 @@ /* bionic libc */ #undef IS_BIONIC +/* Define to 1 if `major', `minor', and `makedev' are declared in . + */ +#undef MAJOR_IN_MKDEV + +/* Define to 1 if `major', `minor', and `makedev' are declared in + . */ +#undef MAJOR_IN_SYSMACROS + /* Enabling mutex debugging */ #undef MUTEX_DEBUGGING diff -Nru lxc-1.0.9/src/lua-lxc/Makefile.in lxc-1.0.10/src/lua-lxc/Makefile.in --- lxc-1.0.9/src/lua-lxc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/src/lua-lxc/Makefile.in 2017-05-11 17:03:27.000000000 +0000 @@ -227,6 +227,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/src/lxc/attach.c lxc-1.0.10/src/lxc/attach.c --- lxc-1.0.9/src/lxc/attach.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/attach.c 2017-05-11 17:03:26.000000000 +0000 
@@ -78,12 +78,13 @@ lxc_log_define(lxc_attach, lxc); +/* /proc/pid-to-str/current\0 = (5 + 21 + 7 + 1) */ +#define __LSMATTRLEN (5 + 21 + 7 + 1) static int lsm_openat(int procfd, pid_t pid, int on_exec) { int ret = -1; int labelfd = -1; - const char* name; -#define __LSMATTRLEN /* /proc */ (5 + /* /pid-to-str */ 21 + /* /current */ 7 + /* \0 */ 1) + const char *name; char path[__LSMATTRLEN]; name = lsm_name(); @@ -98,20 +99,16 @@ if (strcmp(name, "AppArmor") == 0) on_exec = 0; - if (on_exec) { + if (on_exec) ret = snprintf(path, __LSMATTRLEN, "%d/attr/exec", pid); - if (ret < 0 || ret >= __LSMATTRLEN) - return -1; - labelfd = openat(procfd, path, O_RDWR); - } else { + else ret = snprintf(path, __LSMATTRLEN, "%d/attr/current", pid); - if (ret < 0 || ret >= __LSMATTRLEN) - return -1; - labelfd = openat(procfd, path, O_RDWR); - } + if (ret < 0 || ret >= __LSMATTRLEN) + return -1; + labelfd = openat(procfd, path, O_RDWR); if (labelfd < 0) { - SYSERROR("Unable to open LSM label"); + SYSERROR("Unable to open file descriptor to set LSM label."); return -1; } @@ -944,7 +941,8 @@ /* Open LSM fd and send it to child. */ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { - int on_exec, labelfd; + int on_exec, saved_errno; + int labelfd = -1; on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; /* Open fd for the LSM security module. */ labelfd = lsm_openat(procfd, attached_pid, on_exec); 
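Review bot: The relocated comment on `__LSMATTRLEN`, `/* /proc/pid-to-str/current\0 = (5 + 21 + 7 + 1) */`, does not describe what the buffer holds: the `snprintf` calls in the next hunk (`@@ -98,20 +99,16 @@`) format `"%d/attr/exec"` and `"%d/attr/current"` relative to `procfd`, so there is no `/proc` component and the `/attr/` component is not accounted for. The budget still suffices (an `int` pid is at most 11 characters, `/attr/current` is 13, plus the terminator) and the retained `ret < 0 || ret >= __LSMATTRLEN` check rejects truncation anyway, so this is a documentation fix: `/* "<pid>/attr/current\0" relative to procfd: 11 + 13 + 1 = 25 <= 34 */`. The `on_exec = 0` override for AppArmor just above the merged branch silently discards the caller's request and deserves a one-line why-comment while this code is being touched. `lsm_openat` continues beyond the second hunk.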
@@ -953,13 +951,16 @@ /* Send child fd of the LSM security module to write to. */ ret = lxc_abstract_unix_send_fd(ipc_sockets[0], labelfd, NULL, 0); + saved_errno = errno; + close(labelfd); if (ret <= 0) { - ERROR("Error using IPC to send child LSM fd (4): %s.", - strerror(errno)); + ERROR("Intended to send file descriptor %d: %s.", labelfd, strerror(saved_errno)); goto cleanup_error; } } + if (procfd >= 0) + close(procfd); /* now shut down communication with child, we're done */ shutdown(ipc_sockets[0], SHUT_RDWR); close(ipc_sockets[0]); diff -Nru lxc-1.0.9/src/lxc/bdev.c lxc-1.0.10/src/lxc/bdev.c --- lxc-1.0.9/src/lxc/bdev.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/bdev.c 2017-05-11 17:03:26.000000000 +0000 @@ -54,6 +54,14 @@ #include "lxclock.h" #include "lxc-btrfs.h" +/* makedev() */ +#ifdef MAJOR_IN_MKDEV +# include +#endif +#ifdef MAJOR_IN_SYSMACROS +# include +#endif + #ifndef BLKGETSIZE64 #define BLKGETSIZE64 _IOR(0x12,114,size_t) #endif diff -Nru lxc-1.0.9/src/lxc/commands.c lxc-1.0.10/src/lxc/commands.c --- lxc-1.0.9/src/lxc/commands.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/commands.c 2017-05-11 17:03:26.000000000 +0000 @@ -74,14 +74,19 @@ lxc_log_define(lxc_commands, lxc); -static int fill_sock_name(char *path, int len, const char *name, +static int fill_sock_name(char *path, int len, const char *lxcname, const char *lxcpath, const char *hashed_sock_name) { + const char *name; char *tmppath; size_t tmplen; uint64_t hash; int ret; + name = lxcname; + if (!name) + name = ""; + if (hashed_sock_name != NULL) { ret = snprintf(path, len, "lxc/%s/command", hashed_sock_name); if (ret < 0 || ret >= len) { @@ -168,8 +173,8 @@ ret = lxc_abstract_unix_recv_fd(sock, &rspfd, rsp, sizeof(*rsp)); if (ret < 0) { - WARN("command %s failed to receive response", - lxc_cmd_str(cmd->req.cmd)); + WARN("Command %s failed to receive response: %s.", + lxc_cmd_str(cmd->req.cmd), strerror(errno)); return -1; } 
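Review bot: `close(labelfd)` now runs before the `ret <= 0` test, so the new `ERROR("Intended to send file descriptor %d: %s.", labelfd, ...)` names a descriptor that is already closed and no longer says what it was for; `ERROR("Failed to send LSM label fd %d to child: %s.", labelfd, strerror(saved_errno));` keeps the context the old text carried. The added `if (procfd >= 0) close(procfd);` sits after the block, so on the `goto cleanup_error` path `procfd` is released only if the `cleanup_error` label (outside the hunk) closes it — worth confirming, or moving the close ahead of the branch. Saving `errno` before `close()` is the right pattern and matches the `saved_errno` change in conf.c in this diff. The enclosing function begins and ends outside the hunk.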
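Review bot: `fill_sock_name` keeps `int len` in hunk `@@ -74,14 +74,19 @@`, while `lxc_cmd` in `@@ -274,7 +282,7 @@` on the next line changes its `len` to `size_t` and passes it here; the narrowing is harmless for `sizeof(path) - 2` but the two signatures should agree, e.g. `static int fill_sock_name(char *path, size_t len, ...)` with the existing `ret >= len` test written as `(size_t)ret >= len` after the `ret < 0` check. The new `name = lxcname; if (!name) name = "";` default turns a NULL container name into an empty path component instead of an error, which is only right if some caller legitimately passes NULL — presumably the `hashed_sock_name` case, where `name` is not used; say so: `/* lxcname may be NULL when hashed_sock_name is given; default to "" so the fallback path is well-formed */`. The rest of the function is outside the hunk.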
@@ -184,7 +189,7 @@ rspdata = malloc(sizeof(*rspdata)); if (!rspdata) { - ERROR("command %s couldn't allocate response buffer", + ERROR("Command %s couldn't allocate response buffer.", lxc_cmd_str(cmd->req.cmd)); return -1; } @@ -193,10 +198,13 @@ rsp->data = rspdata; } - if (rsp->datalen == 0) + if (rsp->datalen == 0) { + DEBUG("command %s response data length is 0", + lxc_cmd_str(cmd->req.cmd)); return ret; + } if (rsp->datalen > LXC_CMD_DATA_MAX) { - ERROR("command %s response data %d too long", + ERROR("Command %s response data %d too long.", lxc_cmd_str(cmd->req.cmd), rsp->datalen); errno = EFBIG; return -1; @@ -204,14 +212,14 @@ rsp->data = malloc(rsp->datalen); if (!rsp->data) { - ERROR("command %s unable to allocate response buffer", + ERROR("Command %s was unable to allocate response buffer.", lxc_cmd_str(cmd->req.cmd)); return -1; } ret = recv(sock, rsp->data, rsp->datalen, 0); if (ret != rsp->datalen) { - ERROR("command %s failed to receive response data", - lxc_cmd_str(cmd->req.cmd)); + ERROR("Command %s failed to receive response data: %s.", + lxc_cmd_str(cmd->req.cmd), strerror(errno)); if (ret >= 0) ret = -1; } @@ -233,7 +241,7 @@ ret = send(fd, rsp, sizeof(*rsp), 0); if (ret != sizeof(*rsp)) { - ERROR("failed to send command response %d %s", ret, + ERROR("Failed to send command response %d: %s.", ret, strerror(errno)); return -1; } @@ -241,8 +249,8 @@ if (rsp->datalen > 0) { ret = send(fd, rsp->data, rsp->datalen, 0); if (ret != rsp->datalen) { - WARN("failed to send command response data %d %s", ret, - strerror(errno)); + WARN("Failed to send command response data %d: %s.", + ret, strerror(errno)); return -1; } } @@ -274,7 +282,7 @@ int sock, ret = -1; char path[sizeof(((struct sockaddr_un *)0)->sun_path)] = { 0 }; char *offset = &path[1]; - int len; + size_t len; int stay_connected = cmd->req.cmd == LXC_CMD_CONSOLE; *stopped = 0; 
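Review bot: The newly added `DEBUG("command %s response data length is 0", ...)` in hunk `@@ -193,10 +198,13 @@` keeps the lower-case, no-period wording that every other message in this file section is being converted away from (`"Command %s ... ."`); for consistency write `DEBUG("Command %s response data length is 0.", lxc_cmd_str(cmd->req.cmd));`. The other hunks on this line are message rewording and the `size_t len` type change only.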
@@ -293,7 +301,7 @@ if (errno == ECONNREFUSED) *stopped = 1; else - SYSERROR("command %s failed to connect to '@%s'", + SYSERROR("Command %s failed to connect to \"@%s\".", lxc_cmd_str(cmd->req.cmd), offset); return -1; } @@ -302,7 +310,7 @@ if (ret != sizeof(cmd->req)) { if (errno == EPIPE) goto epipe; - SYSERROR("command %s failed to send req to '@%s' %d", + SYSERROR("Command %s failed to send req to \"@%s\" %d.", lxc_cmd_str(cmd->req.cmd), offset, ret); if (ret >=0) ret = -1; @@ -314,7 +322,7 @@ if (ret != cmd->req.datalen) { if (errno == EPIPE) goto epipe; - SYSERROR("command %s failed to send request data to '@%s' %d", + SYSERROR("Command %s failed to send request data to \"@%s\" %d.", lxc_cmd_str(cmd->req.cmd), offset, ret); if (ret >=0) ret = -1; @@ -458,14 +466,13 @@ return NULL; if (!ret) { - WARN("'%s' has stopped before sending its state", name); + WARN("Container \"%s\" has stopped before sending its state.", name); return NULL; } if (cmd.rsp.ret < 0 || cmd.rsp.datalen < 0) { - ERROR("command %s failed for '%s': %s", - lxc_cmd_str(cmd.req.cmd), name, - strerror(-cmd.rsp.ret)); + ERROR("Command %s failed for container \"%s\": %s.", + lxc_cmd_str(cmd.req.cmd), name, strerror(-cmd.rsp.ret)); return NULL; } @@ -571,11 +578,11 @@ return -1; if (!ret) { - WARN("'%s' has stopped before sending its state", name); + WARN("Container \"%s\" has stopped before sending its state.", name); return -1; } - DEBUG("'%s' is in '%s' state", name, + DEBUG("Container \"%s\" is in \"%s\" state.", name, lxc_state2str(PTR_TO_INT(cmd.rsp.data))); return PTR_TO_INT(cmd.rsp.data); } @@ -607,7 +614,7 @@ ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); if (ret < 0) { if (stopped) { - INFO("'%s' is already stopped", name); + INFO("Container \"%s\" is already stopped.", name); return 0; } return -1; 
@@ -617,11 +624,12 @@ * closed */ if (ret > 0) { - ERROR("failed to stop '%s': %s", name, strerror(-cmd.rsp.ret)); + ERROR("Failed to stop container \"%s\": %s.", name, + strerror(-cmd.rsp.ret)); return -1; } - INFO("'%s' has stopped", name); + INFO("Container \"%s\" has stopped.", name); return 0; } @@ -643,7 +651,7 @@ */ if (cgroup_unfreeze(handler)) return 0; - ERROR("Failed to unfreeze %s:%s", handler->lxcpath, handler->name); + ERROR("Failed to unfreeze container \"%s\".", handler->name); rsp.ret = -1; } @@ -705,27 +713,27 @@ return ret; if (cmd.rsp.ret < 0) { - ERROR("console access denied: %s", strerror(-cmd.rsp.ret)); + ERROR("Console access denied: %s.", strerror(-cmd.rsp.ret)); ret = -1; goto out; } if (ret == 0) { - ERROR("console %d invalid,busy or all consoles busy", *ttynum); + ERROR("Console %d invalid, busy or all consoles busy.", *ttynum); ret = -1; goto out; } rspdata = cmd.rsp.data; if (rspdata->masterfd < 0) { - ERROR("unable to allocate fd for tty %d", rspdata->ttynum); + ERROR("Unable to allocate fd for tty %d.", rspdata->ttynum); goto out; } ret = cmd.rsp.ret; /* sock fd */ *fd = rspdata->masterfd; *ttynum = rspdata->ttynum; - INFO("tty %d allocated fd %d sock %d", rspdata->ttynum, *fd, ret); + INFO("tty %d allocated fd %d sock %d.", rspdata->ttynum, *fd, ret); out: free(cmd.rsp.data); return ret; @@ -745,7 +753,7 @@ memset(&rsp, 0, sizeof(rsp)); rsp.data = INT_TO_PTR(ttynum); if (lxc_abstract_unix_send_fd(fd, masterfd, &rsp, sizeof(rsp)) < 0) { - ERROR("failed to send tty to client"); + ERROR("Failed to send tty to client."); lxc_console_free(handler->conf, fd); goto out_close; } @@ -854,7 +862,7 @@ }; if (req->cmd >= LXC_CMD_MAX) { - ERROR("bad cmd %d received", req->cmd); + ERROR("Undefined command id %d received.", req->cmd); return -1; } return cb[req->cmd](fd, req, handler); 
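Review bot: `ERROR("Failed to unfreeze container \"%s\".", handler->name)` in hunk `@@ -643,7 +651,7 @@` drops `handler->lxcpath`, which the old message included; containers with the same name can live under different lxcpaths, so the new line is ambiguous when correlating logs. Keep both, e.g. `ERROR("Failed to unfreeze container \"%s\" (lxcpath \"%s\").", handler->name, handler->lxcpath);`. The remaining hunks on this line change message text only.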
@@ -885,23 +893,23 @@ } if (ret < 0) { - SYSERROR("failed to receive data on command socket"); + SYSERROR("Failed to receive data on command socket."); goto out_close; } if (!ret) { - DEBUG("peer has disconnected"); + DEBUG("Peer has disconnected."); goto out_close; } if (ret != sizeof(req)) { - WARN("partial request, ignored"); + WARN("Failed to receive full command request. Ignoring request."); ret = -1; goto out_close; } if (req.datalen > LXC_CMD_DATA_MAX) { - ERROR("cmd data length %d too large", req.datalen); + ERROR("Received command data length %d is too large.", req.datalen); ret = -1; goto out_close; } @@ -912,7 +920,7 @@ reqdata = alloca(req.datalen); ret = recv(fd, reqdata, req.datalen, 0); if (ret != req.datalen) { - WARN("partial request, ignored"); + WARN("Failed to receive full command request. Ignoring request."); ret = -1; goto out_close; } @@ -940,24 +948,24 @@ connection = accept(fd, NULL, 0); if (connection < 0) { - SYSERROR("failed to accept connection"); + SYSERROR("Failed to accept connection to run command."); return -1; } if (fcntl(connection, F_SETFD, FD_CLOEXEC)) { - SYSERROR("failed to set close-on-exec on incoming connection"); + SYSERROR("Failed to set close-on-exec on incoming command connection."); goto out_close; } if (setsockopt(connection, SOL_SOCKET, SO_PASSCRED, &opt, sizeof(opt))) { - SYSERROR("failed to enable credential on socket"); + SYSERROR("Failed to enable necessary credentials on command socket."); goto out_close; } ret = lxc_mainloop_add_handler(descr, connection, lxc_cmd_handler, data); if (ret) { - ERROR("failed to add handler"); + ERROR("Failed to add command handler."); goto out_close; } 
@@ -982,23 +990,21 @@ * Although null termination isn't required by the API, we do it anyway * because we print the sockname out sometimes. */ - len = sizeof(path)-2; + len = sizeof(path) - 2; if (fill_sock_name(offset, len, name, lxcpath, NULL)) return -1; fd = lxc_abstract_unix_open(path, SOCK_STREAM, 0); if (fd < 0) { - ERROR("failed (%d) to create the command service point %s", errno, offset); - if (errno == EADDRINUSE) { - ERROR("##"); - ERROR("# The container appears to be already running!"); - ERROR("##"); - } + ERROR("Failed to create the command service point %s: %s.", + offset, strerror(errno)); + if (errno == EADDRINUSE) + ERROR("Container \"%s\" appears to be already running!", name); return -1; } if (fcntl(fd, F_SETFD, FD_CLOEXEC)) { - SYSERROR("failed to set sigfd to close-on-exec"); + SYSERROR("Failed to set FD_CLOEXEC on signal file descriptor."); close(fd); return -1; } @@ -1015,7 +1021,7 @@ ret = lxc_mainloop_add_handler(descr, fd, lxc_cmd_accept, handler); if (ret) { - ERROR("failed to add handler for command socket"); + ERROR("Failed to add handler for command socket."); close(fd); } diff -Nru lxc-1.0.9/src/lxc/conf.c lxc-1.0.10/src/lxc/conf.c --- lxc-1.0.9/src/lxc/conf.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/conf.c 2017-05-11 17:03:26.000000000 +0000 @@ -36,6 +36,15 @@ #include #include #include + +/* makedev() */ +#ifdef MAJOR_IN_MKDEV +# include +#endif +#ifdef MAJOR_IN_SYSMACROS +# include +#endif + #ifdef HAVE_STATVFS #include #endif 
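Review bot: In hunk `@@ -982,23 +990,21 @@` the rewritten failure path still tests `errno == EADDRINUSE` after `ERROR(...)` has run with `strerror(errno)`; the logging macro can change `errno`, which this same diff guards against elsewhere with `saved_errno` (attach.c, conf.c). Capture it first — `int saved_errno = errno;` before the `ERROR`, then `strerror(saved_errno)` and `if (saved_errno == EADDRINUSE)`. The message a few lines later, `"Failed to set FD_CLOEXEC on signal file descriptor."`, describes the wrong object: `fd` here is the command socket just returned by `lxc_abstract_unix_open`, so `"Failed to set FD_CLOEXEC on command socket."` is the accurate text for anyone reading the log. The function starts outside the hunk.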
@@ -216,31 +225,31 @@ }; static struct mount_opt mount_opt[] = { + { "async", 1, MS_SYNCHRONOUS }, + { "atime", 1, MS_NOATIME }, + { "bind", 0, MS_BIND }, { "defaults", 0, 0 }, - { "ro", 0, MS_RDONLY }, - { "rw", 1, MS_RDONLY }, - { "suid", 1, MS_NOSUID }, - { "nosuid", 0, MS_NOSUID }, { "dev", 1, MS_NODEV }, - { "nodev", 0, MS_NODEV }, - { "exec", 1, MS_NOEXEC }, - { "noexec", 0, MS_NOEXEC }, - { "sync", 0, MS_SYNCHRONOUS }, - { "async", 1, MS_SYNCHRONOUS }, + { "diratime", 1, MS_NODIRATIME }, { "dirsync", 0, MS_DIRSYNC }, - { "remount", 0, MS_REMOUNT }, + { "exec", 1, MS_NOEXEC }, { "mand", 0, MS_MANDLOCK }, - { "nomand", 1, MS_MANDLOCK }, - { "atime", 1, MS_NOATIME }, { "noatime", 0, MS_NOATIME }, - { "diratime", 1, MS_NODIRATIME }, + { "nodev", 0, MS_NODEV }, { "nodiratime", 0, MS_NODIRATIME }, - { "bind", 0, MS_BIND }, + { "noexec", 0, MS_NOEXEC }, + { "nomand", 1, MS_MANDLOCK }, + { "norelatime", 1, MS_RELATIME }, + { "nostrictatime", 1, MS_STRICTATIME }, + { "nosuid", 0, MS_NOSUID }, { "rbind", 0, MS_BIND|MS_REC }, { "relatime", 0, MS_RELATIME }, - { "norelatime", 1, MS_RELATIME }, + { "remount", 0, MS_REMOUNT }, + { "ro", 0, MS_RDONLY }, + { "rw", 1, MS_RDONLY }, { "strictatime", 0, MS_STRICTATIME }, - { "nostrictatime", 1, MS_STRICTATIME }, + { "suid", 1, MS_NOSUID }, + { "sync", 0, MS_SYNCHRONOUS }, { NULL, 0, 0 }, }; @@ -2655,7 +2664,7 @@ { struct sockaddr sockaddr; struct ifreq ifr; - int ret, fd; + int ret, fd, saved_errno; ret = lxc_convert_mac(hwaddr, &sockaddr); if (ret) { @@ -2675,9 +2684,10 @@ } ret = ioctl(fd, SIOCSIFHWADDR, &ifr); + saved_errno = errno; close(fd); if (ret) - ERROR("ioctl failure : %s", strerror(errno)); + ERROR("ioctl failure : %s", strerror(saved_errno)); DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifr.ifr_name); 
@@ -4366,7 +4376,7 @@ if (!lxc_list_empty(&lxc_conf->keepcaps)) { if (!lxc_list_empty(&lxc_conf->caps)) { - ERROR("Simultaneously requested dropping and keeping caps"); + ERROR("Container requests lxc.cap.drop and lxc.cap.keep: either use lxc.cap.drop or lxc.cap.keep, not both."); return -1; } if (dropcaps_except(&lxc_conf->keepcaps)) { @@ -4572,10 +4582,14 @@ { struct lxc_list *it,*next; bool all = false; - const char *k = key + 11; + const char *k = NULL; if (strcmp(key, "lxc.cgroup") == 0) all = true; + else if (strncmp(key, "lxc.cgroup.", sizeof("lxc.cgroup.")-1) == 0) + k = key + sizeof("lxc.cgroup.")-1; + else + return -1; lxc_list_for_each_safe(it, &c->cgroup, next) { struct lxc_cgroup *cg = it->elem; @@ -4624,11 +4638,15 @@ { struct lxc_list *it,*next; bool all = false, done = false; - const char *k = key + 9; + const char *k = NULL; int i; if (strcmp(key, "lxc.hook") == 0) all = true; + else if (strncmp(key, "lxc.hook.", sizeof("lxc.hook.")-1) == 0) + k = key + sizeof("lxc.hook.")-1; + else + return -1; for (i=0; inetwork); if (!netdev) return -1; @@ -870,6 +873,9 @@ char *slash,*valdup; char *netmask; + if (!value || !strlen(value)) + return lxc_clear_config_item(lxc_conf, key); + netdev = network_netdev(key, value, &lxc_conf->network); if (!netdev) return -1; diff -Nru lxc-1.0.9/src/lxc/console.c lxc-1.0.10/src/lxc/console.c --- lxc-1.0.9/src/lxc/console.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/console.c 2017-05-11 17:03:26.000000000 +0000 
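Review bot: The new `else return -1;` in `@@ -4572,10 +4582,14 @@` (and its twin in `@@ -4624,11 +4638,15 @@`) changes the function from indexing past the end of a short key to rejecting it, which is the right fix, but the reason is unstated and a later cleanup could fold it back; add `/* neither "lxc.cgroup" nor "lxc.cgroup.<subsystem>": reject rather than index past the key */` on the `return -1;`. Deriving both the `strncmp` length and the offset from `sizeof("lxc.cgroup.") - 1` is good — one literal drives both. The `@@ -4624` hunk is cut off on this line, so its remainder was not reviewed.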
@@ -21,27 +21,28 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include +#include +#include #include #include #include +#include #include -#include -#include +#include #include -#include #include -#include "log.h" -#include "conf.h" -#include "config.h" -#include "start.h" /* for struct lxc_handler */ +#include "af_unix.h" #include "caps.h" #include "commands.h" -#include "mainloop.h" -#include "af_unix.h" +#include "conf.h" +#include "config.h" +#include "console.h" +#include "log.h" #include "lxclock.h" +#include "mainloop.h" +#include "start.h" /* for struct lxc_handler */ #include "utils.h" #if HAVE_PTY_H @@ -55,19 +56,6 @@ static struct lxc_list lxc_ttys; typedef void (*sighandler_t)(int); -struct lxc_tty_state -{ - struct lxc_list node; - int stdinfd; - int stdoutfd; - int masterfd; - int escape; - int saw_escape; - const char *winch_proxy; - const char *winch_proxy_lxcpath; - int sigfd; - sigset_t oldmask; -}; __attribute__((constructor)) void lxc_console_init(void) @@ -75,12 +63,7 @@ lxc_list_init(&lxc_ttys); } -/* lxc_console_winsz: propagte winsz from one terminal to another - * - * @srcfd : terminal to get size from (typically a slave pty) - * @dstfd : terminal to set size on (typically a master pty) - */ -static void lxc_console_winsz(int srcfd, int dstfd) +void lxc_console_winsz(int srcfd, int dstfd) { struct winsize wsz; if (isatty(srcfd) && ioctl(srcfd, TIOCGWINSZ, &wsz) == 0) { @@ -93,10 +76,8 @@ static void lxc_console_winch(struct lxc_tty_state *ts) { lxc_console_winsz(ts->stdinfd, ts->masterfd); - if (ts->winch_proxy) { - lxc_cmd_console_winch(ts->winch_proxy, - ts->winch_proxy_lxcpath); - } + if (ts->winch_proxy) + lxc_cmd_console_winch(ts->winch_proxy, ts->winch_proxy_lxcpath); } void lxc_console_sigwinch(int sig) 
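Review bot: Dropping `static` from `lxc_console_winsz` in `@@ -75,12 +63,7 @@` also deletes its documentation block, and the same happens to `lxc_console_sigwinch_init` (`@@ -125,27 +107,7 @@`, next line) and `lxc_console_sigwinch_fini` (`@@ -166,45 +128,28 @@`), whose removed comments carried the contract that matters: `Must be called with process_lock held to protect the lxc_ttys list` and why signalfd is used instead of an asynchronous handler. Functions that become part of the module interface need that text more, not less; unless it moved to the header (`console.h` is now included but not visible here), restore the three comments at the definitions or at the prototypes. For `lxc_console_winsz` the minimum is `/* propagate the window size from srcfd (slave pty) to dstfd (master pty) */`.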
@@ -110,13 +91,14 @@ } } -static int lxc_console_cb_sigwinch_fd(int fd, uint32_t events, void *cbdata, - struct lxc_epoll_descr *descr) +int lxc_console_cb_sigwinch_fd(int fd, uint32_t events, void *cbdata, + struct lxc_epoll_descr *descr) { struct signalfd_siginfo siginfo; struct lxc_tty_state *ts = cbdata; - if (read(fd, &siginfo, sizeof(siginfo)) < sizeof(siginfo)) { + ssize_t ret = read(fd, &siginfo, sizeof(siginfo)); + if (ret < 0 || (size_t)ret < sizeof(siginfo)) { ERROR("failed to read signal info"); return -1; } @@ -125,27 +107,7 @@ return 0; } -/* - * lxc_console_sigwinch_init: install SIGWINCH handler - * - * @srcfd : src for winsz in SIGWINCH handler - * @dstfd : dst for winsz in SIGWINCH handler - * - * Returns lxc_tty_state structure on success or NULL on failure. The sigfd - * member of the returned lxc_tty_state can be select()/poll()ed/epoll()ed - * on (ie added to a mainloop) for SIGWINCH. - * - * Must be called with process_lock held to protect the lxc_ttys list, or - * from a non-threaded context. - * - * Note that SIGWINCH isn't installed as a classic asychronous handler, - * rather signalfd(2) is used so that we can handle the signal when we're - * ready for it. This avoids deadlocks since a signal handler - * (ie lxc_console_sigwinch()) would need to take the thread mutex to - * prevent lxc_ttys list corruption, but using the fd we can provide the - * tty_state needed to the callback (lxc_console_cb_sigwinch_fd()). - */ -static struct lxc_tty_state *lxc_console_sigwinch_init(int srcfd, int dstfd) +struct lxc_tty_state *lxc_console_sigwinch_init(int srcfd, int dstfd) { sigset_t mask; struct lxc_tty_state *ts; @@ -155,9 +117,9 @@ return NULL; memset(ts, 0, sizeof(*ts)); - ts->stdinfd = srcfd; + ts->stdinfd = srcfd; ts->masterfd = dstfd; - ts->sigfd = -1; + ts->sigfd = -1; /* add tty to list to be scanned at SIGWINCH time */ lxc_list_add_elem(&ts->node, ts); 
@@ -166,45 +128,28 @@ sigemptyset(&mask); sigaddset(&mask, SIGWINCH); if (sigprocmask(SIG_BLOCK, &mask, &ts->oldmask)) { - SYSERROR("failed to block SIGWINCH"); - goto err1; + SYSERROR("failed to block SIGWINCH."); + ts->sigfd = -1; + return ts; } ts->sigfd = signalfd(-1, &mask, 0); if (ts->sigfd < 0) { - SYSERROR("failed to get signalfd"); - goto err2; + SYSERROR("failed to get signalfd."); + sigprocmask(SIG_SETMASK, &ts->oldmask, NULL); + ts->sigfd = -1; + return ts; } DEBUG("%d got SIGWINCH fd %d", getpid(), ts->sigfd); - goto out; - -err2: - sigprocmask(SIG_SETMASK, &ts->oldmask, NULL); -err1: - lxc_list_del(&ts->node); - free(ts); - ts = NULL; -out: return ts; } -/* - * lxc_console_sigwinch_fini: uninstall SIGWINCH handler - * - * @ts : the lxc_tty_state returned by lxc_console_sigwinch_init - * - * Restore the saved signal handler that was in effect at the time - * lxc_console_sigwinch_init() was called. - * - * Must be called with process_lock held to protect the lxc_ttys list, or - * from a non-threaded context. - */ -static void lxc_console_sigwinch_fini(struct lxc_tty_state *ts) +void lxc_console_sigwinch_fini(struct lxc_tty_state *ts) { - if (ts->sigfd >= 0) { + if (ts->sigfd >= 0) close(ts->sigfd); - } + lxc_list_del(&ts->node); sigprocmask(SIG_SETMASK, &ts->oldmask, NULL); free(ts); 
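Review bot: The two failure branches added to lxc_console_sigwinch_init hand back a `ts` that is still linked into `lxc_ttys` (the `lxc_list_add_elem(&ts->node, ts)` just before this hunk) and that nobody ever unlinks or frees, because the callers in `@@ -338,7 +292,7 @@`, `@@ -773,7 +727,8 @@` and lxc_attach.c's `err2:` all skip lxc_console_sigwinch_fini when `sigfd == -1`; the removed `err1:` path used to do `lxc_list_del` + `free` + `return NULL`. Either restore that, or make lxc_console_sigwinch_fini accept the `sigfd == -1` state and call it unconditionally at those three sites. The latter needs the mask restore gated as well, since on the `sigprocmask(SIG_BLOCK)` failure `oldmask` is only the zeroed buffer from memset and restoring it would unblock every signal. fini's closing brace lies outside the hunk.
```c
void lxc_console_sigwinch_fini(struct lxc_tty_state *ts)
{
	/* sigfd == -1 means init failed after linking the node: nothing to
	 * close and oldmask was never filled in, but the list entry and the
	 * memory still have to be released. */
	if (ts->sigfd >= 0) {
		close(ts->sigfd);
		sigprocmask(SIG_SETMASK, &ts->oldmask, NULL);
	}

	lxc_list_del(&ts->node);
	free(ts);
```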
@@ -215,34 +160,30 @@ { struct lxc_console *console = (struct lxc_console *)data; char buf[1024]; - int r,w; - - w = r = read(fd, buf, sizeof(buf)); - if (r < 0) { - SYSERROR("failed to read"); - return 1; - } + int r, w; - if (!r) { + w = r = lxc_read_nointr(fd, buf, sizeof(buf)); + if (r <= 0) { INFO("console client on fd %d has exited", fd); lxc_mainloop_del_handler(descr, fd); close(fd); - return 0; + return 1; } if (fd == console->peer) - w = write(console->master, buf, r); + w = lxc_write_nointr(console->master, buf, r); if (fd == console->master) { if (console->log_fd >= 0) - w = write(console->log_fd, buf, r); + w = lxc_write_nointr(console->log_fd, buf, r); if (console->peer >= 0) - w = write(console->peer, buf, r); + w = lxc_write_nointr(console->peer, buf, r); } if (w != r) WARN("console short write r:%d w:%d", r, w); + return 0; } @@ -254,7 +195,7 @@ WARN("console peer not added to mainloop"); } - if (console->tty_state) { + if (console->tty_state && console->tty_state->sigfd != -1) { if (lxc_mainloop_add_handler(console->descr, console->tty_state->sigfd, lxc_console_cb_sigwinch_fd, @@ -265,10 +206,9 @@ } } -int lxc_console_mainloop_add(struct lxc_epoll_descr *descr, - struct lxc_handler *handler) +extern int lxc_console_mainloop_add(struct lxc_epoll_descr *descr, + struct lxc_conf *conf) { - struct lxc_conf *conf = handler->conf; struct lxc_console *console = &conf->console; if (conf->is_execute) { @@ -302,7 +242,7 @@ return 0; } -static int setup_tios(int fd, struct termios *oldtios) +int lxc_setup_tios(int fd, struct termios *oldtios) { struct termios newtios; 
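Review bot: Folding `r < 0` into the `r <= 0` branch makes a failed `lxc_read_nointr()` indistinguishable from a hang-up: it is logged at INFO as "console client ... has exited" and the fd is closed, where the old code reported it with SYSERROR. If errors are meant to be treated like EOF, keep the distinction in the log, e.g. `if (r < 0) SYSERROR("failed to read from console fd %d", fd);` before the INFO line. The meaning the mainloop attaches to returning 1 instead of 0 on hang-up is not visible here, so a one-line comment stating why that return value changed would help the next reader. The callback's opening line is outside the hunk.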
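Review bot: `extern` on the definition of lxc_console_mainloop_add is redundant and unlike every other definition in this file; the declaration in console.h already carries the storage class. Drop it: `int lxc_console_mainloop_add(struct lxc_epoll_descr *descr,`.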
@@ -317,17 +257,31 @@ return -1; } + /* ensure we don't end up in an endless loop: + * The kernel might fire SIGTTOU while an + * ioctl() in tcsetattr() is executed. When the ioctl() + * is resumed and retries, the signal handler interrupts it again. + */ + signal (SIGTTIN, SIG_IGN); + signal (SIGTTOU, SIG_IGN); + newtios = *oldtios; - /* Remove the echo characters and signal reception, the echo - * will be done with master proxying */ - newtios.c_iflag &= ~IGNBRK; - newtios.c_iflag &= BRKINT; - newtios.c_lflag &= ~(ECHO|ICANON|ISIG); + /* We use the same settings that ssh does. */ + newtios.c_iflag |= IGNPAR; + newtios.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF); +#ifdef IUCLC + newtios.c_iflag &= ~IUCLC; +#endif + newtios.c_lflag &= ~(TOSTOP | ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL); +#ifdef IEXTEN + newtios.c_lflag &= ~IEXTEN; +#endif + newtios.c_oflag &= ~OPOST; newtios.c_cc[VMIN] = 1; newtios.c_cc[VTIME] = 0; - /* Set new attributes */ + /* Set new attributes. */ if (tcsetattr(fd, TCSAFLUSH, &newtios)) { ERROR("failed to set new terminal settings"); return -1; @@ -338,7 +292,7 @@ static void lxc_console_peer_proxy_free(struct lxc_console *console) { - if (console->tty_state) { + if (console->tty_state && console->tty_state->sigfd != -1) { lxc_console_sigwinch_fini(console->tty_state); console->tty_state = NULL; } @@ -382,7 +336,7 @@ return -1; } - if (setup_tios(console->peerpty.slave, &oldtermio) < 0) + if (lxc_setup_tios(console->peerpty.slave, &oldtermio) < 0) goto err1; ts = lxc_console_sigwinch_init(console->peerpty.master, console->master); 
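Review bot: `signal(SIGTTIN, SIG_IGN)` / `signal(SIGTTOU, SIG_IGN)` in lxc_setup_tios change the dispositions for the whole process and are never restored, while the terminal settings they accompany are saved in `oldtios` for later restoration; the comment explains why they must be ignored during `tcsetattr()`, not why they should stay ignored afterwards. If the process-lifetime side effect is intended, the console.h comment on lxc_setup_tios should state it; otherwise save the old handlers via the `sighandler_t` return value of signal() (the typedef already exists at the top of this file) and put them back right after `tcsetattr()`, on both the error and the success path (the latter is outside the hunk). The `signal (` spacing also differs from the rest of the file.
```c
	/* Ignore job-control stops only while tcsetattr() runs, then put the
	 * previous dispositions back so callers' signal setup is not silently
	 * changed for the rest of the process lifetime. */
	sighandler_t old_ttin = signal(SIGTTIN, SIG_IGN);
	sighandler_t old_ttou = signal(SIGTTOU, SIG_IGN);

	/* … unchanged: newtios setup … */

	int tcret = tcsetattr(fd, TCSAFLUSH, &newtios);
	signal(SIGTTIN, old_ttin);
	signal(SIGTTOU, old_ttou);
	if (tcret) {
		ERROR("failed to set new terminal settings");
		return -1;
	}
```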
@@ -402,13 +356,6 @@ return -1; } -/* lxc_console_allocate: allocate the console or a tty - * - * @conf : the configuration of the container to allocate from - * @sockfd : the socket fd whose remote side when closed, will be an - * indication that the console or tty is no longer in use - * @ttyreq : the tty requested to be opened, -1 for any, 0 for the console - */ int lxc_console_allocate(struct lxc_conf *conf, int sockfd, int *ttyreq) { int masterfd = -1, ttynum; @@ -435,9 +382,8 @@ } /* search for next available tty, fixup index tty1 => [0] */ - for (ttynum = 1; - ttynum <= tty_info->nbtty && tty_info->pty_info[ttynum - 1].busy; - ttynum++); + for (ttynum = 1; ttynum <= tty_info->nbtty && tty_info->pty_info[ttynum - 1].busy; ttynum++) + ; /* we didn't find any available slot for tty */ if (ttynum > tty_info->nbtty) @@ -452,14 +398,6 @@ return masterfd; } -/* lxc_console_free: mark the console or a tty as unallocated, free any - * resources allocated by lxc_console_allocate(). - * - * @conf : the configuration of the container whose tty was closed - * @fd : the socket fd whose remote side was closed, which indicated - * the console or tty is no longer in use. this is used to match - * which console/tty is being freed. - */ void lxc_console_free(struct lxc_conf *conf, int fd) { int i; @@ -509,9 +447,11 @@ goto err1; ts = lxc_console_sigwinch_init(console->peer, console->master); - if (!ts) - WARN("Unable to install SIGWINCH"); console->tty_state = ts; + if (!ts) { + WARN("Unable to install SIGWINCH"); + goto err1; + } lxc_console_winsz(console->peer, console->master); @@ -521,7 +461,7 @@ goto err1; } - if (setup_tios(console->peer, console->tios) < 0) + if (lxc_setup_tios(console->peer, console->tios) < 0) goto err2; return; @@ -534,6 +474,7 @@ console->peer = -1; out: DEBUG("no console peer"); + return; } void lxc_console_delete(struct lxc_console *console) 
@@ -611,70 +552,81 @@ return -1; } -int lxc_console_set_stdfds(struct lxc_handler *handler) +int lxc_console_set_stdfds(int fd) { - struct lxc_conf *conf = handler->conf; - struct lxc_console *console = &conf->console; - - if (console->slave < 0) + if (fd < 0) return 0; - if (dup2(console->slave, 0) < 0 || - dup2(console->slave, 1) < 0 || - dup2(console->slave, 2) < 0) - { - SYSERROR("failed to dup console"); - return -1; - } + if (isatty(STDIN_FILENO)) + if (dup2(fd, STDIN_FILENO) < 0) { + SYSERROR("failed to duplicate stdin."); + return -1; + } + + if (isatty(STDOUT_FILENO)) + if (dup2(fd, STDOUT_FILENO) < 0) { + SYSERROR("failed to duplicate stdout."); + return -1; + } + + if (isatty(STDERR_FILENO)) + if (dup2(fd, STDERR_FILENO) < 0) { + SYSERROR("failed to duplicate stderr."); + return -1; + } + return 0; } -static int lxc_console_cb_tty_stdin(int fd, uint32_t events, void *cbdata, - struct lxc_epoll_descr *descr) +int lxc_console_cb_tty_stdin(int fd, uint32_t events, void *cbdata, + struct lxc_epoll_descr *descr) { struct lxc_tty_state *ts = cbdata; char c; - assert(fd == ts->stdinfd); - if (read(ts->stdinfd, &c, 1) < 0) { - SYSERROR("failed to read"); + if (fd != ts->stdinfd) return 1; - } - - /* we want to exit the console with Ctrl+a q */ - if (c == ts->escape && !ts->saw_escape) { - ts->saw_escape = 1; - return 0; - } - if (c == 'q' && ts->saw_escape) + if (lxc_read_nointr(ts->stdinfd, &c, 1) <= 0) return 1; - ts->saw_escape = 0; - if (write(ts->masterfd, &c, 1) < 0) { - SYSERROR("failed to write"); - return 1; + if (ts->escape != -1) { + /* we want to exit the console with Ctrl+a q */ + if (c == ts->escape && !ts->saw_escape) { + ts->saw_escape = 1; + return 0; + } + + if (c == 'q' && ts->saw_escape) + return 1; + + ts->saw_escape = 0; } + if (lxc_write_nointr(ts->masterfd, &c, 1) <= 0) + return 1; + return 0; } -static int lxc_console_cb_tty_master(int fd, uint32_t events, void *cbdata, - struct lxc_epoll_descr *descr) +int lxc_console_cb_tty_master(int 
fd, uint32_t events, void *cbdata, + struct lxc_epoll_descr *descr) { struct lxc_tty_state *ts = cbdata; char buf[1024]; - int r,w; + int r, w; - assert(fd == ts->masterfd); - r = read(fd, buf, sizeof(buf)); - if (r < 0) { - SYSERROR("failed to read"); + if (fd != ts->masterfd) + return 1; + + r = lxc_read_nointr(fd, buf, sizeof(buf)); + if (r <= 0) return 1; - } - w = write(ts->stdoutfd, buf, r); - if (w < 0 || w != r) { + w = lxc_write_nointr(ts->stdoutfd, buf, r); + if (w <= 0) { + return 1; + } else if (w != r) { SYSERROR("failed to write"); return 1; } @@ -701,7 +653,7 @@ return -1; } - ret = setup_tios(stdinfd, &oldtios); + ret = lxc_setup_tios(stdinfd, &oldtios); if (ret) { ERROR("failed to setup tios"); return -1; @@ -741,11 +693,13 @@ goto err3; } - ret = lxc_mainloop_add_handler(&descr, ts->sigfd, - lxc_console_cb_sigwinch_fd, ts); - if (ret) { - ERROR("failed to add handler for SIGWINCH fd"); - goto err4; + if (ts->sigfd != -1) { + ret = lxc_mainloop_add_handler(&descr, ts->sigfd, + lxc_console_cb_sigwinch_fd, ts); + if (ret) { + ERROR("failed to add handler for SIGWINCH fd"); + goto err4; + } } ret = lxc_mainloop_add_handler(&descr, ts->stdinfd, @@ -773,7 +727,8 @@ err4: lxc_mainloop_close(&descr); err3: - lxc_console_sigwinch_fini(ts); + if (ts->sigfd != -1) + lxc_console_sigwinch_fini(ts); err2: close(masterfd); close(ttyfd); @@ -782,3 +737,4 @@ return ret; } + diff -Nru lxc-1.0.9/src/lxc/console.h lxc-1.0.10/src/lxc/console.h --- lxc-1.0.9/src/lxc/console.h 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/console.h 2017-05-11 17:03:26.000000000 +0000 
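Review bot: lxc_console_set_stdfds now replaces a standard descriptor only when it currently refers to a tty, but start.c (`@@ -751,7 +751,7 @@` further down) calls it with the console slave for the container's init, whose old behaviour was an unconditional `dup2` of the slave onto 0, 1 and 2; when lxc-start itself runs with stdin/stdout/stderr redirected, init now keeps those host descriptors instead of its console pty. If that is intended for lxc-start as well, the console.h comment should say so; otherwise keep the `isatty()` gating for the lxc-attach path (login_pty) and leave the start.c path unconditional, e.g. through a separate helper or a flag parameter. Replacing `assert(fd == ts->stdinfd)` with a bare `return 1` in the two callbacks is reasonable, but a mismatch there is a programming error, so an `ERROR("unexpected fd %d", fd);` before the return would preserve the diagnostic.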
@@ -24,21 +24,195 @@ #ifndef __LXC_CONSOLE_H #define __LXC_CONSOLE_H -struct lxc_epoll_descr; -struct lxc_container; +#include "conf.h" +#include "list.h" +struct lxc_epoll_descr; /* defined in mainloop.h */ +struct lxc_container; /* defined in lxccontainer.h */ +struct lxc_tty_state +{ + struct lxc_list node; + int stdinfd; + int stdoutfd; + int masterfd; + /* Escape sequence to use for exiting the pty. A single char can be + * specified. The pty can then exited by doing: Ctrl + specified_char + q. + * This field is checked by lxc_console_cb_tty_stdin(). Set to -1 to + * disable exiting the pty via a escape sequence. */ + int escape; + /* Used internally by lxc_console_cb_tty_stdin() to check whether an + * escape sequence has been received. */ + int saw_escape; + /* Name of the container to forward the SIGWINCH event to. */ + const char *winch_proxy; + /* Path of the container to forward the SIGWINCH event to. */ + const char *winch_proxy_lxcpath; + /* File descriptor that accepts SIGWINCH signals. If set to -1 no + * SIGWINCH handler could be installed. This also means that + * the sigset_t oldmask member is meaningless. 
*/ + int sigfd; + sigset_t oldmask; +}; + +/* + * lxc_console_allocate: allocate the console or a tty + * + * @conf : the configuration of the container to allocate from + * @sockfd : the socket fd whose remote side when closed, will be an + * indication that the console or tty is no longer in use + * @ttyreq : the tty requested to be opened, -1 for any, 0 for the console + */ extern int lxc_console_allocate(struct lxc_conf *conf, int sockfd, int *ttynum); + +/* + * Create a new pty: + * - calls openpty() to allocate a master/slave pty pair + * - sets the FD_CLOEXEC flag on the master/slave fds + * - allocates either the current controlling pty (default) or a user specified + * pty as peer pty for the newly created master/slave pair + * - sets up SIGWINCH handler, winsz, and new terminal settings + * (Handlers for SIGWINCH and I/O are not registered in a mainloop.) + * (For an unprivileged container the created pty on the host is not + * automatically chowned to the uid/gid of the unprivileged user. For this + * ttys_shift_ids() can be called.) + */ extern int lxc_console_create(struct lxc_conf *); + +/* + * Delete a pty created via lxc_console_create(): + * - set old terminal settings + * - memory allocated via lxc_console_create() is free()ed. + * - close master/slave pty pair and allocated fd for the peer (usually + * /dev/tty) + * Registered handlers in a mainloop are not automatically deleted. + */ extern void lxc_console_delete(struct lxc_console *); + +/* + * lxc_console_free: mark the console or a tty as unallocated, free any + * resources allocated by lxc_console_allocate(). + * + * @conf : the configuration of the container whose tty was closed + * @fd : the socket fd whose remote side was closed, which indicated + * the console or tty is no longer in use. this is used to match + * which console/tty is being freed. 
+ */ extern void lxc_console_free(struct lxc_conf *conf, int fd); -extern int lxc_console_mainloop_add(struct lxc_epoll_descr *, struct lxc_handler *); +/* + * Register pty event handlers in an open mainloop + */ +extern int lxc_console_mainloop_add(struct lxc_epoll_descr *, struct lxc_conf *); + +/* + * Handle SIGWINCH events on the allocated ptys. + */ extern void lxc_console_sigwinch(int sig); + +/* + * Connect to one of the ptys given to the container via lxc.tty. + * - allocates either the current controlling pty (default) or a user specified + * pty as peer pty for the containers tty + * - sets up SIGWINCH handler, winsz, and new terminal settings + * - opens mainloop + * - registers SIGWINCH, I/O handlers in the mainloop + * - performs all necessary cleanup operations + */ extern int lxc_console(struct lxc_container *c, int ttynum, int stdinfd, int stdoutfd, int stderrfd, int escape); + +/* + * Allocate one of the ptys given to the container via lxc.tty. Returns an open + * fd to the allocated pty. + * Set ttynum to -1 to allocate the first available pty, or to a value within + * the range specified by lxc.tty to allocate a specific pty. + */ extern int lxc_console_getfd(struct lxc_container *c, int *ttynum, int *masterfd); -extern int lxc_console_set_stdfds(struct lxc_handler *); + +/* + * Make fd a duplicate of the standard file descriptors: + * fd is made a duplicate of a specific standard file descriptor iff the + * standard file descriptor refers to a pty. + */ +extern int lxc_console_set_stdfds(int fd); + +/* + * Handler for events on the stdin fd of the pty. To be registered via the + * corresponding functions declared and defined in mainloop.{c,h} or + * lxc_console_mainloop_add(). + * This function exits the loop cleanly when an EPOLLHUP event is received. + */ +extern int lxc_console_cb_tty_stdin(int fd, uint32_t events, void *cbdata, + struct lxc_epoll_descr *descr); + +/* + * Handler for events on the master fd of the pty. 
To be registered via the + * corresponding functions declared and defined in mainloop.{c,h} or + * lxc_console_mainloop_add(). + * This function exits the loop cleanly when an EPOLLHUP event is received. + */ +extern int lxc_console_cb_tty_master(int fd, uint32_t events, void *cbdata, + struct lxc_epoll_descr *descr); + +/* + * Setup new terminal properties. The old terminal settings are stored in + * oldtios. + */ +extern int lxc_setup_tios(int fd, struct termios *oldtios); + + +/* + * lxc_console_winsz: propagte winsz from one terminal to another + * + * @srcfd : terminal to get size from (typically a slave pty) + * @dstfd : terminal to set size on (typically a master pty) + */ +extern void lxc_console_winsz(int srcfd, int dstfd); + +/* + * lxc_console_sigwinch_init: install SIGWINCH handler + * + * @srcfd : src for winsz in SIGWINCH handler + * @dstfd : dst for winsz in SIGWINCH handler + * + * Returns lxc_tty_state structure on success or NULL on failure. The sigfd + * member of the returned lxc_tty_state can be select()/poll()ed/epoll()ed + * on (ie added to a mainloop) for SIGWINCH. + * + * Must be called with process_lock held to protect the lxc_ttys list, or + * from a non-threaded context. + * + * Note that SIGWINCH isn't installed as a classic asychronous handler, + * rather signalfd(2) is used so that we can handle the signal when we're + * ready for it. This avoids deadlocks since a signal handler + * (ie lxc_console_sigwinch()) would need to take the thread mutex to + * prevent lxc_ttys list corruption, but using the fd we can provide the + * tty_state needed to the callback (lxc_console_cb_sigwinch_fd()). + * + * This function allocates memory. It is up to the caller to free it. + */ +extern struct lxc_tty_state *lxc_console_sigwinch_init(int srcfd, int dstfd); + +/* + * Handler for SIGWINCH events. To be registered via the corresponding functions + * declared and defined in mainloop.{c,h} or lxc_console_mainloop_add(). 
+ */ +extern int lxc_console_cb_sigwinch_fd(int fd, uint32_t events, void *cbdata, + struct lxc_epoll_descr *descr); + +/* + * lxc_console_sigwinch_fini: uninstall SIGWINCH handler + * + * @ts : the lxc_tty_state returned by lxc_console_sigwinch_init + * + * Restore the saved signal handler that was in effect at the time + * lxc_console_sigwinch_init() was called. + * + * Must be called with process_lock held to protect the lxc_ttys list, or + * from a non-threaded context. + */ +extern void lxc_console_sigwinch_fini(struct lxc_tty_state *ts); #endif diff -Nru lxc-1.0.9/src/lxc/lxc_attach.c lxc-1.0.10/src/lxc/lxc_attach.c --- lxc-1.0.9/src/lxc/lxc_attach.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/lxc_attach.c 2017-05-11 17:03:26.000000000 +0000 @@ -21,21 +21,36 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#define _GNU_SOURCE -#include -#include -#include +#include "config.h" + +#include +#include +#include #include +#include +#include +#include +#include +#include + +#include #include "attach.h" #include "arguments.h" -#include "config.h" -#include "confile.h" -#include "namespace.h" #include "caps.h" +#include "confile.h" +#include "console.h" #include "log.h" +#include "list.h" +#include "mainloop.h" #include "utils.h" +#if HAVE_PTY_H +#include +#else +#include <../include/openpty.h> +#endif + lxc_log_define(lxc_attach_ui, lxc); static const struct option my_longopts[] = { @@ -48,6 +63,8 @@ {"keep-env", no_argument, 0, 501}, {"keep-var", required_argument, 0, 502}, {"set-var", required_argument, 0, 'v'}, + {"pty-log", required_argument, 0, 'L'}, + {"rcfile", required_argument, 0, 'f'}, LXC_COMMON_OPTIONS }; @@ -65,7 +82,8 @@ { ssize_t count = 0; - assert(array); + if (!array) + return -1; if (*array) for (; (*array)[count]; count++); @@ -81,7 +99,8 @@ *capacity = new_capacity; } - assert(*array); + if (!(*array)) + return -1; (*array)[count] = value; return 0; 
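Review bot: console.h now defines `struct lxc_tty_state` with a `sigset_t` member and declares `lxc_setup_tios(int, struct termios *)` and callbacks taking `uint32_t`, but the only includes added are `conf.h` and `list.h`; whether `<signal.h>`, `<termios.h>` and `<stdint.h>` arrive transitively is not visible here, and a header that depends on that breaks the first translation unit that includes console.h before them. Add the three system includes next to the two project ones so the header stands on its own. Separately, the comment on lxc_console_set_stdfds has the direction reversed — `dup2(fd, STDIN_FILENO)` makes the standard descriptor a duplicate of `fd` — so write `Make each standard file descriptor that currently refers to a tty a duplicate of fd.`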
@@ -133,6 +152,12 @@ return -1; } break; + case 'L': + args->console_log = arg; + break; + case 'f': + args->rcfile = arg; + break; } return 0; 
@@ -175,41 +200,214 @@ --keep-env Keep all current environment variables. This\n\ is the current default behaviour, but is likely to\n\ change in the future.\n\ + -L, --pty-log=FILE\n\ + Log pty output to FILE\n\ -v, --set-var Set an additional variable that is seen by the\n\ attached program in the container. May be specified\n\ multiple times.\n\ --keep-var Keep an additional environment variable. Only\n\ applicable if --clear-env is specified. May be used\n\ - multiple times.\n", + multiple times.\n\ + -f, --rcfile=FILE\n\ + Load configuration file FILE\n\ +", .options = my_longopts, .parser = my_parser, .checker = NULL, }; +struct wrapargs { + lxc_attach_options_t *options; + lxc_attach_command_t *command; + struct lxc_console *console; + int ptyfd; +}; + +/* Minimalistic login_tty() implementation. */ +static int login_pty(int fd) +{ + setsid(); + if (ioctl(fd, TIOCSCTTY, NULL) < 0) + return -1; + if (lxc_console_set_stdfds(fd) < 0) + return -1; + if (fd > STDERR_FILENO) + close(fd); + return 0; +} + +static int get_pty_on_host_callback(void *p) +{ + struct wrapargs *wrap = p; + + close(wrap->console->master); + if (login_pty(wrap->console->slave) < 0) + return -1; + + if (wrap->command->program) + lxc_attach_run_command(wrap->command); + else + lxc_attach_run_shell(NULL); + return -1; +} + +static int get_pty_on_host(struct lxc_container *c, struct wrapargs *wrap, int *pid) +{ + int ret = -1; + struct wrapargs *args = wrap; + struct lxc_epoll_descr descr; + struct lxc_conf *conf; + struct lxc_tty_state *ts; + + INFO("Trying to allocate a pty on the host"); + + if (!isatty(args->ptyfd)) { + ERROR("Standard file descriptor does not refer to a pty\n."); + return -1; + } + + conf = c->lxc_conf; + free(conf->console.log_path); + if (my_args.console_log) + conf->console.log_path = strdup(my_args.console_log); + else + conf->console.log_path = NULL; + + /* In the case of lxc-attach our peer pty will always be the current + * controlling terminal. 
We clear whatever was set by the user for + * lxc.console.path here and set it to "/dev/tty". Doing this will (a) + * prevent segfaults when the container has been setup with + * lxc.console = none and (b) provide an easy way to ensure that we + * always do the correct thing. strdup() must be used since console.path + * is free()ed when we call lxc_container_put(). */ + free(conf->console.path); + conf->console.path = strdup("/dev/tty"); + if (!conf->console.path) + return -1; + + /* Create pty on the host. */ + if (lxc_console_create(conf) < 0) + return -1; + ts = conf->console.tty_state; + conf->console.descr = &descr; + + /* Shift ttys to container. */ + if (ttys_shift_ids(conf) < 0) { + ERROR("Failed to shift tty into container"); + goto err1; + } + + /* Send wrapper function on its way. */ + wrap->console = &conf->console; + if (c->attach(c, get_pty_on_host_callback, wrap, wrap->options, pid) < 0) + goto err1; + close(conf->console.slave); /* Close slave side. */ + + ret = lxc_mainloop_open(&descr); + if (ret) { + ERROR("failed to create mainloop"); + goto err2; + } + + if (lxc_console_mainloop_add(&descr, conf) < 0) { + ERROR("Failed to add handlers to lxc mainloop."); + goto err3; + } + + ret = lxc_mainloop(&descr, -1); + if (ret) { + ERROR("mainloop returned an error"); + goto err3; + } + ret = 0; + +err3: + lxc_mainloop_close(&descr); +err2: + if (ts && ts->sigfd != -1) + lxc_console_sigwinch_fini(ts); +err1: + lxc_console_delete(&conf->console); + + return ret; +} + +static int stdfd_is_pty(void) +{ + if (isatty(STDIN_FILENO)) + return STDIN_FILENO; + if (isatty(STDOUT_FILENO)) + return STDOUT_FILENO; + if (isatty(STDERR_FILENO)) + return STDERR_FILENO; + + return -1; +} + int main(int argc, char *argv[]) { - int ret; + int ret = -1, r; + int wexit = 0; pid_t pid; lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; - lxc_attach_command_t command; + lxc_attach_command_t command = (lxc_attach_command_t){.program = NULL}; - ret = 
lxc_caps_init(); - if (ret) - return 1; - - ret = lxc_arguments_parse(&my_args, argc, argv); - if (ret) - return 1; + r = lxc_caps_init(); + if (r) + exit(EXIT_FAILURE); + + r = lxc_arguments_parse(&my_args, argc, argv); + if (r) + exit(EXIT_FAILURE); if (!my_args.log_file) my_args.log_file = "none"; - ret = lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority, + r = lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority, my_args.progname, my_args.quiet, my_args.lxcpath[0]); - if (ret) - return 1; + if (r) + exit(EXIT_FAILURE); lxc_log_options_no_override(); + if (geteuid()) { + if (access(my_args.lxcpath[0], O_RDONLY) < 0) { + if (!my_args.quiet) + fprintf(stderr, "You lack access to %s\n", my_args.lxcpath[0]); + exit(EXIT_FAILURE); + } + } + + struct lxc_container *c = lxc_container_new(my_args.name, my_args.lxcpath[0]); + if (!c) + exit(EXIT_FAILURE); + + if (my_args.rcfile) { + c->clear_config(c); + if (!c->load_config(c, my_args.rcfile)) { + ERROR("Failed to load rcfile"); + lxc_container_put(c); + exit(EXIT_FAILURE); + } + c->configfile = strdup(my_args.rcfile); + if (!c->configfile) { + ERROR("Out of memory setting new config filename"); + lxc_container_put(c); + exit(EXIT_FAILURE); + } + } + + if (!c->may_control(c)) { + fprintf(stderr, "Insufficent privileges to control %s\n", c->name); + lxc_container_put(c); + exit(EXIT_FAILURE); + } + + if (!c->is_defined(c)) { + fprintf(stderr, "Error: container %s is not defined\n", c->name); + lxc_container_put(c); + exit(EXIT_FAILURE); + } + if (remount_sys_proc) attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS; if (elevated_privileges) 
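Review bot: `access(my_args.lxcpath[0], O_RDONLY)` in main tests the wrong thing: access(2) takes `R_OK`/`W_OK`/`X_OK`/`F_OK`, and `O_RDONLY` is 0, i.e. `F_OK`, so for an unprivileged user the check only confirms the path exists and the "You lack access" branch is never taken for an unreadable directory; use `if (access(my_args.lxcpath[0], R_OK | X_OK) < 0)` since the directory has to be traversed. In get_pty_on_host, `conf->console.descr = &descr;` stores the address of a stack local in the container's conf and nothing in the hunk clears it before returning, so any later reader of `console.descr` sees a dangling pointer; if it is only consulted inside the mainloop, a comment at that assignment saying so would settle it. The user-facing string `"Insufficent privileges to control %s\n"` should read `Insufficient`. main continues in the next hunk.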
@@ -220,23 +418,46 @@ attach_options.extra_env_vars = extra_env; attach_options.extra_keep_env = extra_keep; - if (my_args.argc) { + if (my_args.argc > 0) { command.program = my_args.argv[0]; command.argv = (char**)my_args.argv; - ret = lxc_attach(my_args.name, my_args.lxcpath[0], lxc_attach_run_command, &command, &attach_options, &pid); + } + + struct wrapargs wrap = (struct wrapargs){ + .command = &command, + .options = &attach_options + }; + + wrap.ptyfd = stdfd_is_pty(); + if (wrap.ptyfd >= 0) { + if ((!isatty(STDOUT_FILENO) || !isatty(STDERR_FILENO)) && my_args.console_log) { + fprintf(stderr, "-L/--pty-log can only be used when stdout and stderr refer to a pty.\n"); + goto out; + } + ret = get_pty_on_host(c, &wrap, &pid); } else { - ret = lxc_attach(my_args.name, my_args.lxcpath[0], lxc_attach_run_shell, NULL, &attach_options, &pid); + if (my_args.console_log) { + fprintf(stderr, "-L/--pty-log can only be used when stdout and stderr refer to a pty.\n"); + goto out; + } + if (command.program) + ret = c->attach(c, lxc_attach_run_command, &command, &attach_options, &pid); + else + ret = c->attach(c, lxc_attach_run_shell, NULL, &attach_options, &pid); } if (ret < 0) - return 1; + goto out; ret = lxc_wait_for_pid_status(pid); if (ret < 0) - return 1; + goto out; if (WIFEXITED(ret)) - return WEXITSTATUS(ret); - - return 1; + wexit = WEXITSTATUS(ret); +out: + lxc_container_put(c); + if (ret >= 0) + exit(wexit); + exit(EXIT_FAILURE); } diff -Nru lxc-1.0.9/src/lxc/lxc-checkconfig.in lxc-1.0.10/src/lxc/lxc-checkconfig.in --- lxc-1.0.9/src/lxc/lxc-checkconfig.in 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/lxc-checkconfig.in 2017-05-11 17:03:26.000000000 +0000 
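Review bot: When the attached process is terminated by a signal, `WIFEXITED(ret)` is false, `wexit` stays 0 and `ret` (the status from lxc_wait_for_pid_status) is non-negative, so the `out:` path ends in `exit(0)`; the old code returned 1 in that case. Report it, e.g. `else if (WIFSIGNALED(ret)) wexit = 128 + WTERMSIG(ret);` or simply `else wexit = EXIT_FAILURE;` after the `WIFEXITED` branch. main begins outside the hunk.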
@@ -78,6 +78,24 @@ echo -n "Ipc namespace: " && is_enabled CONFIG_IPC_NS yes echo -n "Pid namespace: " && is_enabled CONFIG_PID_NS yes echo -n "User namespace: " && is_enabled CONFIG_USER_NS +if is_set CONFIG_USER_NS; then + if type newuidmap > /dev/null 2>&1; then + f=`type -P newuidmap` + if [ ! -u "${f}" ]; then + echo "Warning: newuidmap is not setuid-root" + fi + else + echo "newuidmap is not installed" + fi + if type newgidmap > /dev/null 2>&1; then + f=`type -P newgidmap` + if [ ! -u "${f}" ]; then + echo "Warning: newgidmap is not setuid-root" + fi + else + echo "newgidmap is not installed" + fi +fi echo -n "Network namespace: " && is_enabled CONFIG_NET_NS echo -n "Multiple /dev/pts instances: " && is_enabled DEVPTS_MULTIPLE_INSTANCES echo diff -Nru lxc-1.0.9/src/lxc/lxccontainer.c lxc-1.0.10/src/lxc/lxccontainer.c --- lxc-1.0.9/src/lxc/lxccontainer.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/lxccontainer.c 2017-05-11 17:03:26.000000000 +0000 @@ -56,6 +56,14 @@ #include "namespace.h" #include "lxclock.h" +/* major()/minor() */ +#ifdef MAJOR_IN_MKDEV +# include +#endif +#ifdef MAJOR_IN_SYSMACROS +# include +#endif + #if HAVE_IFADDRS_H #include #else @@ -3576,7 +3584,10 @@ *p2 = '\0'; if (is_hashed) { - if (strncmp(lxcpath, lxc_cmd_get_lxcpath(p), lxcpath_len) != 0) + char *recvpath = lxc_cmd_get_lxcpath(p); + if (!recvpath) + continue; + if (strncmp(lxcpath, recvpath, lxcpath_len) != 0) continue; p = lxc_cmd_get_name(p); } diff -Nru lxc-1.0.9/src/lxc/lxc_info.c lxc-1.0.10/src/lxc/lxc_info.c --- lxc-1.0.9/src/lxc/lxc_info.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/lxc_info.c 2017-05-11 17:03:26.000000000 +0000 
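Review bot: The new newuidmap/newgidmap check relies on `type -P`, a bash extension; the script's interpreter line is not in this hunk, so if it runs under /bin/sh the substitution yields an empty `f` and `[ ! -u "" ]` prints a misleading "not setuid-root" warning — `command -v newuidmap` is the portable form. Also, `-u` tests only the set-user-ID bit, not that the owner is root, so a setuid binary owned by another user passes silently; either check ownership separately (e.g. with `stat`) or word the warning as "is not setuid". The two blocks are identical up to the program name and would read better as a small function called twice.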
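Review bot: The NULL check on `recvpath` is right, but the string returned by lxc_cmd_get_lxcpath is now held in a local and never released; if that function returns heap memory (its contract is outside this hunk), both the old inline call and this version leak one allocation per loop iteration. If so, add `free(recvpath);` after the `strncmp` result has been taken, on both the `continue` and the fall-through path. The enclosing loop starts outside the hunk.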
@@ -203,7 +203,7 @@ static void print_stats(struct lxc_container *c) { int i, ret; - char buf[256]; + char buf[4096]; ret = c->get_cgroup_item(c, "cpuacct.usage", buf, sizeof(buf)); if (ret > 0 && ret < sizeof(buf)) { diff -Nru lxc-1.0.9/src/lxc/lxc-start-ephemeral.in lxc-1.0.10/src/lxc/lxc-start-ephemeral.in --- lxc-1.0.9/src/lxc/lxc-start-ephemeral.in 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/lxc-start-ephemeral.in 2017-05-11 17:03:26.000000000 +0000 @@ -28,6 +28,7 @@ import argparse import gettext import lxc +import locale import os import sys import subprocess @@ -337,9 +338,14 @@ if args.user: username = args.user - line = subprocess.check_output( - ["getent", "passwd", username], - universal_newlines=True).rstrip("\n") + # This should really just use universal_newlines=True, but we do + # the decoding by hand instead for compatibility with Python + # 3.2; that used locale.getpreferredencoding() internally rather + # than locale.getpreferredencoding(False), and the former breaks + # here because we can't reload codecs at this point unless the + # container has the same version of Python installed. + line = subprocess.check_output(["getent", "passwd", username]) + line = line.decode(locale.getpreferredencoding(False)).rstrip("\n") _, _, pw_uid, pw_gid, _, pw_dir, _ = line.split(":", 6) pw_uid = int(pw_uid) pw_gid = int(pw_gid) diff -Nru lxc-1.0.9/src/lxc/lxc_user_nic.c lxc-1.0.10/src/lxc/lxc_user_nic.c --- lxc-1.0.9/src/lxc/lxc_user_nic.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/lxc_user_nic.c 2017-05-11 17:03:26.000000000 +0000 
@@ -49,6 +49,14 @@ #include "utils.h" #include "network.h" +#define usernic_debug_stream(stream, format, ...) \ + do { \ + fprintf(stream, "%s: %d: %s: " format, __FILE__, __LINE__, \ + __func__, __VA_ARGS__); \ + } while (false) + +#define usernic_error(format, ...) usernic_debug_stream(stderr, format, __VA_ARGS__) + static void usage(char *me, bool fail) { fprintf(stderr, "Usage: %s pid type bridge nicname\n", me); 
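Review bot: `usernic_debug_stream` expands `__VA_ARGS__` after a comma, so a call with a format string and no further arguments (`usernic_error("...\n")`) leaves a trailing comma and does not compile; every call in this diff happens to pass an argument, but the next one will not. Use the GNU `##__VA_ARGS__` form, or document that callers must always pass at least one argument. The macro adds no newline and the messages in the following hunk are inconsistent about including one (`"Failed opening network namespace path for '%d'."` has none, most others end in `\n`); pick one convention, ideally appending the newline in the macro.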
@@ -153,7 +161,7 @@ static char *find_line(char *p, char *e, char *u, char *t, char *l) { char *p1, *p2, *ret; - + while (p= MAXPATHLEN) - return -1; + goto do_partial_cleanup; + if ((ofd = open(nspath, O_RDONLY)) < 0) { - fprintf(stderr, "Opening %s\n", nspath); - return -1; + usernic_error("Failed opening network namespace path for '%d'.", getpid()); + goto do_partial_cleanup; } + ret = snprintf(nspath, MAXPATHLEN, "/proc/%d/ns/net", pid); if (ret < 0 || ret >= MAXPATHLEN) - goto out_err; + goto do_partial_cleanup; if ((fd = open(nspath, O_RDONLY)) < 0) { - fprintf(stderr, "Opening %s\n", nspath); - goto out_err; + usernic_error("Failed opening network namespace path for '%d'.", pid); + goto do_partial_cleanup; } - if (setns(fd, 0) < 0) { - fprintf(stderr, "setns to container network namespace\n"); - goto out_err; + + ret = getresuid(&ruid, &euid, &suid); + if (ret < 0) { + usernic_error("Failed to retrieve real, effective, and saved " + "user IDs: %s\n", + strerror(errno)); + goto do_partial_cleanup; + } + + ret = setns(fd, CLONE_NEWNET); + close(fd); + fd = -1; + if (ret < 0) { + usernic_error("Failed to setns() to the network namespace of " + "the container with PID %d: %s.\n", + pid, strerror(errno)); + goto do_partial_cleanup; + } + + ret = setresuid(ruid, ruid, 0); + if (ret < 0) { + usernic_error("Failed to drop privilege by setting effective " + "user id and real user id to %d, and saved user " + "ID to 0: %s.\n", + ruid, strerror(errno)); + // COMMENT(brauner): It's ok to jump to do_full_cleanup here + // since setresuid() will succeed when trying to set real, + // effective, and saved to values they currently have. 
+ goto do_full_cleanup; } - close(fd); fd = -1; + if (!*newnamep) { grab_newname = true; *newnamep = VETH_DEF_NAME; - if (!(ifindex = if_nametoindex(oldname))) { - fprintf(stderr, "failed to get netdev index\n"); - goto out_err; + + ifindex = if_nametoindex(oldname); + if (!ifindex) { + usernic_error("Failed to get netdev index: %s.\n", + strerror(errno)); + goto do_full_cleanup; } } - if ((ret = lxc_netdev_rename_by_name(oldname, *newnamep)) < 0) { - fprintf(stderr, "Error %d renaming netdev %s to %s in container\n", ret, oldname, *newnamep); - goto out_err; + + ret = lxc_netdev_rename_by_name(oldname, *newnamep); + if (ret < 0) { + usernic_error( + "Error %d renaming netdev %s to %s in container.\n", ret, + oldname, *newnamep); + goto do_full_cleanup; } + if (grab_newname) { - char ifname[IFNAMSIZ], *namep = ifname; + char ifname[IFNAMSIZ]; + char *namep = ifname; if (!if_indextoname(ifindex, namep)) { - fprintf(stderr, "Failed to get new netdev name\n"); - goto out_err; + usernic_error("Failed to get new netdev name: %s.\n", + strerror(errno)); + goto do_full_cleanup; } *newnamep = strdup(namep); if (!*newnamep) - goto out_err; + goto do_full_cleanup; } - if (setns(ofd, 0) < 0) { - fprintf(stderr, "Error returning to original netns\n"); - close(ofd); - return -1; + + fret = 0; + +do_full_cleanup: + ret = setresuid(ruid, euid, suid); + if (ret < 0) { + usernic_error( + "Failed to restore privilege by setting effective " + "user id to %d, real user id to %d, and saved user " + "ID to %d: %s.\n", + ruid, euid, suid, strerror(errno)); + fret = -1; + // COMMENT(brauner): setns() should fail if setresuid() doesn't + // succeed but there's no harm in falling through; keeps the + // code cleaner. 
} - close(ofd); - return 0; + ret = setns(ofd, CLONE_NEWNET); + if (ret < 0) { + usernic_error("Failed to setns() to original network namespace " + "of PID %d: %s.\n", + ofd, strerror(errno)); + fret = -1; + } -out_err: - if (ofd >= 0) - close(ofd); - if (setns(ofd, 0) < 0) - fprintf(stderr, "Error returning to original network namespace\n"); +do_partial_cleanup: if (fd >= 0) close(fd); - return -1; + close(ofd); + + return fret; } /* diff -Nru lxc-1.0.9/src/lxc/Makefile.in lxc-1.0.10/src/lxc/Makefile.in --- lxc-1.0.9/src/lxc/Makefile.in 2016-11-23 19:10:06.000000000 +0000 +++ lxc-1.0.10/src/lxc/Makefile.in 2017-05-11 17:03:28.000000000 +0000 @@ -440,6 +440,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +GNUTLS_LIBS = @GNUTLS_LIBS@ GREP = @GREP@ HAVE_DOXYGEN = @HAVE_DOXYGEN@ INCLUDEDIR = @INCLUDEDIR@ diff -Nru lxc-1.0.9/src/lxc/seccomp.c lxc-1.0.10/src/lxc/seccomp.c --- lxc-1.0.9/src/lxc/seccomp.c 2016-11-23 19:10:02.000000000 +0000 +++ lxc-1.0.10/src/lxc/seccomp.c 2017-05-11 17:03:26.000000000 +0000 @@ -119,6 +119,7 @@ lxc_seccomp_arch_all = 0, lxc_seccomp_arch_native, lxc_seccomp_arch_i386, + lxc_seccomp_arch_x32, lxc_seccomp_arch_amd64, lxc_seccomp_arch_arm, lxc_seccomp_arch_arm64, @@ -152,6 +153,7 @@ } if (strcmp(uts.machine, "i686") == 0) return lxc_seccomp_arch_i386; + // no x32 kernels else if (strcmp(uts.machine, "x86_64") == 0) return lxc_seccomp_arch_amd64; else if (strncmp(uts.machine, "armv7", 5) == 0) @@ -181,6 +183,7 @@ switch(n_arch) { case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break; + case lxc_seccomp_arch_x32: arch = SCMP_ARCH_X32; break; case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break; case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break; #ifdef SCMP_ARCH_AARCH64 
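Review bot: In the `do_full_cleanup` path the message `"Failed to setns() to original network namespace of PID %d: %s.\n"` prints `ofd`, which is the namespace file descriptor, not a PID; either print `getpid()` (the value the path was built from earlier in the hunk) or reword it: `usernic_error("Failed to setns() to original network namespace (fd %d): %s.\n", ofd, strerror(errno));`. The privilege sequence — `setresuid(ruid, ruid, 0)` before the rename, `setresuid(ruid, euid, suid)` and then `setns(ofd, CLONE_NEWNET)` in cleanup — reads consistently, but a short comment at `fret = 0;` noting that the cleanup below may still turn the result into -1 would make that intent explicit. The hunk's own `@@` header appears to have been lost in extraction (the text after `@@ -153,7 +161,7 @@` jumps into a different function), and the function's declarations, including `fret`, `ruid`, `euid` and `suid`, are outside what is visible.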
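Review bot: `SCMP_ARCH_X32` is used unguarded in the `switch` while the neighbouring `SCMP_ARCH_AARCH64` case (and `SCMP_ARCH_PPC` in `@@ -336,7 +344,10 @@`) is wrapped in `#ifdef`; if the oldest libseccomp this branch builds against can lack the X32 constant, the new case and `compat_arch[1] = SCMP_ARCH_X32;` need the same guard. I cannot tell the supported libseccomp range from this hunk, so if X32 is guaranteed to exist the inconsistency is only stylistic.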
@@ -218,6 +221,11 @@
 seccomp_release(ctx);
 return NULL;
 }
+#ifdef SCMP_FLTATR_ATL_TSKIP
+ if (seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+ WARN("Failed to turn on seccomp nop-skip, continuing");
+ }
+#endif
 ret = seccomp_arch_add(ctx, arch);
 if (ret != 0) {
 ERROR("Seccomp error %d (%s) adding arch: %d", ret,
@@ -336,7 +344,10 @@
 compat_arch[0] = SCMP_ARCH_X86;
 compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_i386,
 default_policy_action);
- if (!compat_ctx[0])
+ compat_arch[1] = SCMP_ARCH_X32;
+ compat_ctx[1] = get_new_ctx(lxc_seccomp_arch_x32,
+ default_policy_action);
+ if (!compat_ctx[0] || !compat_ctx[1])
 goto bad;
 #ifdef SCMP_ARCH_PPC
 } else if (native_arch == lxc_seccomp_arch_ppc64) {
@@ -390,6 +401,11 @@
 ERROR("Failed to turn off n-new-privs.");
 return -1;
 }
+#ifdef SCMP_FLTATR_ATL_TSKIP
+ if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+ WARN("Failed to turn on seccomp nop-skip, continuing");
+ }
+#endif
 }
 
 while (fgets(line, 1024, f)) {
@@ -410,6 +426,13 @@
 continue;
 }
 cur_rule_arch = lxc_seccomp_arch_i386;
+ } else if (strcmp(line, "[x32]") == 0 ||
+ strcmp(line, "[X32]") == 0) {
+ if (native_arch != lxc_seccomp_arch_amd64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+ cur_rule_arch = lxc_seccomp_arch_x32;
 } else if (strcmp(line, "[X86_64]") == 0 ||
 strcmp(line, "[x86_64]") == 0) {
 if (native_arch != lxc_seccomp_arch_amd64) {
@@ -704,7 +727,7 @@
 return -1;
 }
 
-/* turn of no-new-privs. We don't want it in lxc, and it breaks
+/* turn off no-new-privs. We don't want it in lxc, and it breaks
 * with apparmor */
 #if HAVE_SCMP_FILTER_CTX
 check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
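Review bot: The `#ifdef SCMP_FLTATR_ATL_TSKIP` block is pasted verbatim here and again in the @@ -390 and @@ -715 hunks; a small `static void seccomp_allow_tracer_skip(scmp_filter_ctx ctx)` helper would keep the three copies in sync and give one place to explain the setting. None of the copies says what the attribute does: as I read libseccomp's documentation, TSKIP makes the generated filter accept the pseudo syscall number -1 that a ptrace-based tracer writes to skip a syscall, i.e. it deliberately adds an allow rule that no line of the policy file mentions. A comment such as `/* let ptrace-based tracers skip a syscall (nr -1) instead of tripping the filter; best effort, older libseccomp lacks the attribute */` would make that widening visible to whoever audits the resulting filter. Warning and continuing on failure is fine since the attribute is a convenience, not part of the policy.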
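Review bot: `if (!compat_ctx[0] || !compat_ctx[1]) goto bad;` can now reach `bad` with compat_ctx[0] allocated and compat_ctx[1] NULL; whether the `bad` label releases compat_ctx[0] is outside the hunk, so please confirm it does (or release it before the goto), otherwise the i386 context leaks whenever the x32 one fails. The new lines also assume compat_arch and compat_ctx have room for two entries; their declarations are not in the hunk either. The enclosing function starts and ends outside the hunk.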
@@ -715,6 +738,11 @@
 ERROR("Failed to turn off n-new-privs.");
 return -1;
 }
+#ifdef SCMP_FLTATR_ATL_TSKIP
+ if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+ WARN("Failed to turn on seccomp nop-skip, continuing");
+ }
+#endif
 
 f = fopen(conf->seccomp, "r");
 if (!f) {
diff -Nru lxc-1.0.9/src/lxc/start.c lxc-1.0.10/src/lxc/start.c
--- lxc-1.0.9/src/lxc/start.c 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/src/lxc/start.c 2017-05-11 17:03:26.000000000 +0000
@@ -339,7 +339,7 @@
 goto out_mainloop_open;
 }
 
- if (lxc_console_mainloop_add(&descr, handler)) {
+ if (lxc_console_mainloop_add(&descr, handler->conf)) {
 ERROR("failed to add console handler to mainloop");
 goto out_mainloop_open;
 }
@@ -751,7 +751,7 @@
 * setup on its console ie. the pty allocated in lxc_console_create()
 * so make sure that that pty is stdin,stdout,stderr.
 */
- if (lxc_console_set_stdfds(handler) < 0)
+ if (lxc_console_set_stdfds(handler->conf->console.slave) < 0)
 goto out_warn_father;
 
 /* If we mounted a temporary proc, then unmount it now */
@@ -800,7 +800,7 @@
 
 if (!am_root)
 return 0;
-
+
 lxc_list_for_each(iterator, &conf->network) {
 struct lxc_netdev *netdev = iterator->elem;
 
diff -Nru lxc-1.0.9/src/lxc/utils.h lxc-1.0.10/src/lxc/utils.h
--- lxc-1.0.9/src/lxc/utils.h 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/src/lxc/utils.h 2017-05-11 17:03:26.000000000 +0000
@@ -34,6 +34,10 @@
 #include "config.h"
 #include "initutils.h"
 
+/* Useful macros */
+/* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+#define __LXC_NUMSTRLEN 21
+
 /* returns 1 on success, 0 if there were any failures */
 extern int lxc_rmdir_onedev(char *path);
 extern int get_u16(unsigned short *val, const char *arg, int base);
diff -Nru lxc-1.0.9/src/lxc/version.h lxc-1.0.10/src/lxc/version.h
--- lxc-1.0.9/src/lxc/version.h 2016-11-23 19:11:20.000000000 +0000
+++ lxc-1.0.10/src/lxc/version.h 2017-05-11 17:03:33.000000000 +0000
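Review bot: The comment on `__LXC_NUMSTRLEN` gets its own arithmetic wrong: 2^64 - 1 is 18446744073709551615, which is 20 digits, and 21 is the buffer size once the terminating NUL (or, for a signed value, the leading minus) is counted, which is exactly what a caller sizing a `char buf[__LXC_NUMSTRLEN]` needs to know. Suggest `/* Buffer length for a 64-bit integer in decimal: 20 digits (2^64 - 1), or a sign plus 19 digits, plus the terminating NUL = 21 */`. The identifier also begins with a double underscore, which C reserves for the implementation; a project prefix such as `LXC_NUMSTRLEN` would be safer if its users can be updated at the same time.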
@@ -25,7 +25,7 @@
 
 #define LXC_VERSION_MAJOR 1
 #define LXC_VERSION_MINOR 0
-#define LXC_VERSION_MICRO 9
-#define LXC_VERSION "1.0.9"
+#define LXC_VERSION_MICRO 10
+#define LXC_VERSION "1.0.10"
 
 #endif
diff -Nru lxc-1.0.9/src/Makefile.in lxc-1.0.10/src/Makefile.in
--- lxc-1.0.9/src/Makefile.in 2016-11-23 19:10:06.000000000 +0000
+++ lxc-1.0.10/src/Makefile.in 2017-05-11 17:03:27.000000000 +0000
@@ -211,6 +211,7 @@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
+GNUTLS_LIBS = @GNUTLS_LIBS@
 GREP = @GREP@
 HAVE_DOXYGEN = @HAVE_DOXYGEN@
 INCLUDEDIR = @INCLUDEDIR@
diff -Nru lxc-1.0.9/src/python-lxc/lxc.c lxc-1.0.10/src/python-lxc/lxc.c
--- lxc-1.0.9/src/python-lxc/lxc.c 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/src/python-lxc/lxc.c 2017-05-11 17:03:26.000000000 +0000
@@ -353,7 +353,14 @@
 static PyObject *
 LXC_get_version(PyObject *self, PyObject *args)
 {
- return PyUnicode_FromString(lxc_get_version());
+ const char *rv = NULL;
+
+ rv = lxc_get_version();
+ if (!rv) {
+ return PyUnicode_FromString("");
+ }
+
+ return PyUnicode_FromString(rv);
 }
 
 static PyObject *
@@ -407,6 +414,10 @@
 /* Generate the tuple */
 list = PyTuple_New(list_count);
 for (i = 0; i < list_count; i++) {
+ if (!names[i]) {
+ continue;
+ }
+
 PyTuple_SET_ITEM(list, i, PyUnicode_FromString(names[i]));
 free(names[i]);
 }
@@ -451,7 +462,7 @@
 Py_XDECREF(fs_config_path);
 PyErr_Format(PyExc_RuntimeError,
 "%s:%s:%d: error during init for container '%s'.",
- __FUNCTION__, __FILE__, __LINE__, name);
+ __FUNCTION__, __FILE__, __LINE__, name);
 return -1;
 }
 
@@ -473,8 +484,14 @@
 static PyObject *
 Container_config_file_name(Container *self, void *closure)
 {
- return PyUnicode_FromString(
- self->container->config_file_name(self->container));
+ char *rv = NULL;
+
+ rv = self->container->config_file_name(self->container);
+ if (!rv) {
+ return PyUnicode_FromString("");
+ }
+
+ return PyUnicode_FromString(rv);
 }
 
 static PyObject *
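Review bot: `if (!names[i]) { continue; }` leaves slot i of the tuple created by `PyTuple_New(list_count)` unset, and a tuple holding a NULL item is not a valid Python object: it crashes the interpreter as soon as the tuple is iterated, printed or compared. If a NULL entry is genuinely possible, fill the slot instead of skipping it, `if (!names[i]) { Py_INCREF(Py_None); PyTuple_SET_ITEM(list, i, Py_None); continue; }`, or build a list and only append valid entries. The pre-existing `PyUnicode_FromString(names[i])` on the next line is equally unchecked and would put a NULL into the tuple on allocation failure. The enclosing function starts and ends outside the hunk.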
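Review bot: In Container_config_file_name `rv` is declared `char *`, unlike the `const char *` used by the sibling getters in this file, which suggests config_file_name() hands back heap memory, and neither branch frees it; if that is the API contract the string leaks on every call, before and after this change. Capture the Python object first and release the C string: `PyObject *ret = PyUnicode_FromString(rv); free(rv); return ret;`. Please confirm the ownership rule against the lxccontainer.h documentation for config_file_name before applying it.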
@@ -506,6 +523,10 @@
 static PyObject *
 Container_name(Container *self, void *closure)
 {
+ if (!self->container->name) {
+ return PyUnicode_FromString("");
+ }
+
 return PyUnicode_FromString(self->container->name);
 }
 
@@ -522,7 +543,15 @@
 static PyObject *
 Container_state(Container *self, void *closure)
 {
- return PyUnicode_FromString(self->container->state(self->container));
+ const char *rv = NULL;
+
+ rv = self->container->state(self->container);
+
+ if (!rv) {
+ return PyUnicode_FromString("");
+ }
+
+ return PyUnicode_FromString(rv);
 }
 
 /* Container Functions */
@@ -886,8 +915,15 @@
 static PyObject *
 Container_get_config_path(Container *self, PyObject *args, PyObject *kwds)
 {
- return PyUnicode_FromString(
- self->container->get_config_path(self->container));
+ const char *rv = NULL;
+
+ rv = self->container->get_config_path(self->container);
+
+ if (!rv) {
+ return PyUnicode_FromString("");
+ }
+
+ return PyUnicode_FromString(rv);
 }
 
 static PyObject *
@@ -951,6 +987,11 @@
 /* Add the entries to the tuple and free the memory */
 i = 0;
 while (interfaces[i]) {
+ if (!interfaces[i]) {
+ i++;
+ continue;
+ }
+
 PyObject *unicode = PyUnicode_FromString(interfaces[i]);
 if (!unicode) {
 Py_DECREF(ret);
@@ -1006,6 +1047,11 @@
 /* Add the entries to the tuple and free the memory */
 i = 0;
 while (ips[i]) {
+ if (!ips[i]) {
+ i++;
+ continue;
+ }
+
 PyObject *unicode = PyUnicode_FromString(ips[i]);
 if (!unicode) {
 Py_DECREF(ret);
diff -Nru lxc-1.0.9/src/python-lxc/Makefile.in lxc-1.0.10/src/python-lxc/Makefile.in
--- lxc-1.0.9/src/python-lxc/Makefile.in 2016-11-23 19:10:07.000000000 +0000
+++ lxc-1.0.10/src/python-lxc/Makefile.in 2017-05-11 17:03:28.000000000 +0000
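Review bot: `if (!interfaces[i]) { i++; continue; }` is unreachable: the loop condition `while (interfaces[i])` has just established that interfaces[i] is non-NULL, so this block, and its twin `if (!ips[i])` in the @@ -1006 hunk, never executes and should be dropped. If the intent was to tolerate a NULL entry before the terminating NULL, the loop would need an explicit element count to continue past it, and nothing in the hunk provides one. Both enclosing functions start and end outside the hunk.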
@@ -150,6 +150,7 @@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
+GNUTLS_LIBS = @GNUTLS_LIBS@
 GREP = @GREP@
 HAVE_DOXYGEN = @HAVE_DOXYGEN@
 INCLUDEDIR = @INCLUDEDIR@
diff -Nru lxc-1.0.9/src/tests/lxc-test-ubuntu lxc-1.0.10/src/tests/lxc-test-ubuntu
--- lxc-1.0.9/src/tests/lxc-test-ubuntu 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/src/tests/lxc-test-ubuntu 2017-05-11 17:03:26.000000000 +0000
@@ -61,7 +61,12 @@
 done
 [ -n "$lxcip" ] || FAIL "to start networking in $template container"
 
- ping -c 1 $lxcip || FAIL "to ping $template container"
+ if echo "${lxcip}" | grep -q ":"; then
+ ping6 -c 1 $lxcip || FAIL "to ping $template container"
+ else
+ ping -c 1 $lxcip || FAIL "to ping $template container"
+ fi
+
 # Check apparmor
 lxcpid=`lxc-info -n $name -p -H`
 aa=`cat /proc/$lxcpid/attr/current`
diff -Nru lxc-1.0.9/src/tests/lxc-test-unpriv lxc-1.0.10/src/tests/lxc-test-unpriv
--- lxc-1.0.9/src/tests/lxc-test-unpriv 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/src/tests/lxc-test-unpriv 2017-05-11 17:03:26.000000000 +0000
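Review bot: `$lxcip` is expanded unquoted on both new ping lines; the value was only checked to be non-empty, so anything with whitespace in it turns into extra arguments to ping, and the colon test above it spawns `echo | grep` for what a pattern match does in-process. A single `case "${lxcip}" in *:*) ping6 -c 1 "${lxcip}" ;; *) ping -c 1 "${lxcip}" ;; esac || FAIL "to ping $template container"` covers both. Be aware that newer iputils provides the IPv6 path as `ping -6` and may not install a `ping6` binary at all, so the IPv6 branch will fail on such hosts rather than test anything. The surrounding loop and the FAIL helper are outside the hunk.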
@@ -27,6 +27,41 @@
 echo "ERROR: Must run as root."
 exit 1
 fi
+
+# Test if we're using an overlayfs module that handles symlinks correctly. If
+# not, we skip these tests since overlay clones will not work correctly.
+if modprobe -q overlayfs; then
+ TMPDIR=$(mktemp -d)
+
+ MOUNTDIR="${TMPDIR}/ovl_symlink_test"
+
+ mkdir ${MOUNTDIR}
+
+ mount -t tmpfs none ${MOUNTDIR}
+
+ mkdir "${MOUNTDIR}/lowerdir" "${MOUNTDIR}/upperdir" "${MOUNTDIR}/overlayfs"
+ mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir" none "${MOUNTDIR}/overlayfs"
+
+ CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/dummy_file"
+ exec 9> "${CORRECT_LINK_TARGET}"
+
+ DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9)
+
+ # cleanup
+ exec 9>&-
+
+ umount "${MOUNTDIR}/overlayfs"
+ umount ${MOUNTDIR}
+
+ rmdir ${MOUNTDIR}
+
+ # This overlay module does not correctly handle symlinks, so skip the
+ # tests.
+ if [ "${DETECTED_LINK_TARGET}" != "${CORRECT_LINK_TARGET}" ]; then
+ exit 0
+ fi
+fi
+
 which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
 
 DONE=0
@@ -133,13 +168,13 @@
 run_cmd lxc-info -n c1
 run_cmd lxc-attach -n c1 -- /bin/true
-run_cmd lxc-stop -n c1
+run_cmd lxc-stop -n c1 -k
 run_cmd lxc-clone -s -o c1 -n c2
 run_cmd lxc-start -n c2 -d
 p1=$(run_cmd lxc-info -n c2 -p -H)
 [ "$p1" != "-1" ] || { echo "Failed to start container c2"; false; }
-run_cmd lxc-stop -n c2
+run_cmd lxc-stop -n c2 -k
 if which cgm >/dev/null 2>&1; then
 echo "Testing containers under different cgroups per subsystem"
diff -Nru lxc-1.0.9/src/tests/lxc-test-usernic.in lxc-1.0.10/src/tests/lxc-test-usernic.in
--- lxc-1.0.9/src/tests/lxc-test-usernic.in 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/src/tests/lxc-test-usernic.in 2017-05-11 17:03:26.000000000 +0000
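Review bot: The probe stores its scratch directory in `TMPDIR`, which is the variable mktemp(1) itself honours, so every later `mktemp` in this script is silently redirected under it, and that directory is never removed: only `${MOUNTDIR}` inside it is rmdir'ed, leaving an empty temp dir behind on every run. Use a private name and remove it at the end of the probe, `OVL_TMPDIR=$(mktemp -d)` … `rmdir "${OVL_TMPDIR}"`. Two things to confirm as well: the module name tested is `overlayfs`, whereas the in-tree module since kernel 3.18 is called `overlay`, so on those kernels the whole probe is skipped and the tests run regardless of symlink behaviour; and a `mount` failure mid-probe leaves the tmpfs mounted with no trap to undo it. The skip path exits 0 without a word, so an `echo "overlayfs resolves symlinks incorrectly, skipping" >&2` before the exit would spare the next person a puzzling empty test run.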
@@ -27,9 +27,9 @@
 LXC_USER_NIC="@LIBEXECDIR@/lxc/lxc-user-nic"
 cleanup() {
- (
- set +e
+ set +e
+ (
 lxc-stop -n usernic-c1 -k
 lxc-destroy -n usernic-c1
diff -Nru lxc-1.0.9/src/tests/Makefile.in lxc-1.0.10/src/tests/Makefile.in
--- lxc-1.0.9/src/tests/Makefile.in 2016-11-23 19:10:07.000000000 +0000
+++ lxc-1.0.10/src/tests/Makefile.in 2017-05-11 17:03:28.000000000 +0000
@@ -397,6 +397,7 @@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
+GNUTLS_LIBS = @GNUTLS_LIBS@
 GREP = @GREP@
 HAVE_DOXYGEN = @HAVE_DOXYGEN@
 INCLUDEDIR = @INCLUDEDIR@
diff -Nru lxc-1.0.9/templates/lxc-debian.in lxc-1.0.10/templates/lxc-debian.in
--- lxc-1.0.9/templates/lxc-debian.in 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/templates/lxc-debian.in 2017-05-11 17:03:26.000000000 +0000
@@ -272,9 +272,6 @@
 if [ ! -f $releasekeyring ]; then
 releasekeyring="$cache/archive-key.gpg"
 case $release in
- "squeeze")
- gpgkeyname="archive-key-6.0"
- ;;
 "wheezy")
 gpgkeyname="archive-key-7.0"
 ;;
@@ -426,8 +423,8 @@
 # If the container isn't running a native architecture, setup multiarch
 if [ "${arch}" != "${hostarch}" ]; then
 # Test if dpkg supports multiarch
- if ! chroot $rootfs dpkg --print-foreign-architecture 2>&1; then
- chroot $rootfs dpkg --add-architecture ${hostarch}
+ if ! chroot "$rootfs" dpkg --print-foreign-architectures 2>&1; then
+ chroot "$rootfs" dpkg --add-architecture "${hostarch}"
 fi
 fi
 
@@ -518,6 +515,8 @@
 arch="amd64"
 elif [ "$arch" = "armv7l" ]; then
 arch="armhf"
+elif [ "$arch" = "ppc" ]; then
+ arch="powerpc"
 elif [ "$arch" = "ppc64le" ]; then
 arch="ppc64el"
 fi
diff -Nru lxc-1.0.9/templates/lxc-download.in lxc-1.0.10/templates/lxc-download.in
--- lxc-1.0.9/templates/lxc-download.in 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/templates/lxc-download.in 2017-05-11 17:03:26.000000000 +0000
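Review bot: Moving `set +e` in front of the `(` changes its scope from the subshell to the shell that calls `cleanup`, so errexit stays off for everything that runs after cleanup returns; that is harmless if cleanup is only reached from an EXIT trap, but if it is also called mid-script (the callers are outside the hunk) later failures will no longer abort the test. The likely motivation is that a non-zero status of the subshell itself would still trip errexit in the caller even with `set +e` inside it. If so, `( set +e; … ) || true` keeps the relaxed mode local to the teardown, or restore it with `set -e` after the closing `)`. The body of cleanup continues past the end of the hunk.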
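Review bot: The corrected `if ! chroot "$rootfs" dpkg --print-foreign-architectures 2>&1; then` still runs `dpkg --add-architecture` only when `--print-foreign-architectures` fails, i.e. on a dpkg too old to know the option, where `--add-architecture` will fail as well; on a multiarch-capable dpkg the command succeeds (with an empty list too) and the host architecture is never added. Unless I misread the intent of the "setup multiarch" comment, the test should look at the output: `if ! chroot "$rootfs" dpkg --print-foreign-architectures 2>/dev/null | grep -qx "${hostarch}"; then`. The `2>&1` also sends dpkg's listing into the template's own stdout rather than discarding it. The enclosing `if` block is fully inside the hunk.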
@@ -34,7 +34,6 @@
 DOWNLOAD_FORCE_CACHE="false"
 DOWNLOAD_INTERACTIVE="false"
 DOWNLOAD_KEYID="0xE7FB0CAEC8173D669066514CBAEFF88C22F6E216"
-DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
 DOWNLOAD_LIST_IMAGES="false"
 DOWNLOAD_MODE="system"
 DOWNLOAD_READY_GPG="false"
@@ -54,9 +53,13 @@
 LXC_PATH=
 LXC_ROOTFS=
 
-# Deal with GPG over http proxy
-if [ -n "${http_proxy:-}" ]; then
- DOWNLOAD_KEYSERVER="hkp://p80.pool.sks-keyservers.net:80"
+if [ -z "${DOWNLOAD_KEYSERVER:-}" ]; then
+ DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
+
+ # Deal with GPG over http proxy
+ if [ -n "${http_proxy:-}" ]; then
+ DOWNLOAD_KEYSERVER="hkp://p80.pool.sks-keyservers.net:80"
+ fi
 fi
 
 # Make sure the usual locations are in PATH
@@ -201,7 +204,7 @@
 [ --variant ]: Variant of the image (default: "default")
 [ --server ]: Image server (default: "images.linuxcontainers.org")
 [ --keyid ]: GPG keyid (default: 0x...)
-[ --keyserver ]: GPG keyserver to use
+[ --keyserver ]: GPG keyserver to use. Environment variable: DOWNLOAD_KEYSERVER
 [ --no-validate ]: Disable GPG validation (not recommended)
 [ --flush-cache ]: Flush the local copy (if present)
 [ --force-cache ]: Force the use of the local copy even if expired
@@ -212,6 +215,11 @@
 [ --rootfs ]: The path to the container's rootfs
 [ --mapped-uid ]: A uid map (user namespaces)
 [ --mapped-gid ]: A gid map (user namespaces)
+
+Environment Variables:
+DOWNLOAD_KEYSERVER : The URL of the key server to use, instead of the default.
+ Can be further overridden by using optional argument --keyserver
+
 EOF
 return 0
 }
diff -Nru lxc-1.0.9/templates/lxc-opensuse.in lxc-1.0.10/templates/lxc-opensuse.in
--- lxc-1.0.9/templates/lxc-opensuse.in 2016-11-23 19:10:02.000000000 +0000
+++ lxc-1.0.10/templates/lxc-opensuse.in 2017-05-11 17:03:26.000000000 +0000
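Review bot: With this change the key server is taken from the caller's environment whenever `DOWNLOAD_KEYSERVER` is set, and nothing in the hunk says what protects the later key fetch against a server that answers with a different key. If the fetch and the validation are keyed on the full 40-hex-digit fingerprint in `DOWNLOAD_KEYID` (the value in the @@ -34 hunk looks like one), that fingerprint is the trust anchor and a comment here should say so, e.g. `# The key server only transports the key; trust comes from the fingerprint pinned in DOWNLOAD_KEYID`. If any fetch or check uses a short key ID instead, an environment-selected plaintext hkp:// server becomes a way to hand the template a substitute key, so please confirm which it is. Also worth a comment: the http_proxy fallback is now skipped entirely when the variable is set.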
@@ -93,7 +93,7 @@
 ln -s /dev/null $rootfs/etc/systemd/system/proc-sys-fs-binfmt_misc.automount
 ln -s /dev/null $rootfs/etc/systemd/system/console-shell.service
 ln -s /dev/null $rootfs/etc/systemd/system/systemd-vconsole-setup.service
- sed -e 's/ConditionPathExists=.*//' /usr/lib/systemd/system/getty@.service > $rootfs/etc/systemd/system/getty@.service
+ sed -e 's/ConditionPathExists=.*//' $rootfs/usr/lib/systemd/system/getty@.service > $rootfs/etc/systemd/system/getty@.service
 ln -s getty@.service $rootfs/etc/systemd/system/getty@tty1.service
 ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@console.service
 ln -s -f ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty1.service
@@ -101,10 +101,6 @@
 ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty3.service
 ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty4.service
 
- # copy host poweroff target as sigpwr target to make shutdown work
- # see https://wiki.archlinux.org/index.php/Linux_Containers#Container_cannot_be_shutdown_if_using_systemd
- cp /usr/lib/systemd/system/poweroff.target $rootfs/usr/lib/systemd/system/sigpwr.target
-
 touch $rootfs/etc/sysconfig/kernel
 
 echo "Please change root-password !"
diff -Nru lxc-1.0.9/templates/Makefile.in lxc-1.0.10/templates/Makefile.in
--- lxc-1.0.9/templates/Makefile.in 2016-11-23 19:10:07.000000000 +0000
+++ lxc-1.0.10/templates/Makefile.in 2017-05-11 17:03:28.000000000 +0000
@@ -191,6 +191,7 @@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
+GNUTLS_LIBS = @GNUTLS_LIBS@
 GREP = @GREP@
 HAVE_DOXYGEN = @HAVE_DOXYGEN@
 INCLUDEDIR = @INCLUDEDIR@
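Review bot: The corrected `sed` now reads `$rootfs/usr/lib/systemd/system/getty@.service` from the freshly built rootfs, but the `>` redirection creates `$rootfs/etc/systemd/system/getty@.service` before sed runs, so if the unit is missing from the image the template leaves a zero-length override unit behind and, unless the script runs with `set -e`, continues as if nothing happened. Guard it and quote `$rootfs` while at it: `[ -f "$rootfs/usr/lib/systemd/system/getty@.service" ] && sed -e 's/ConditionPathExists=.*//' "$rootfs/usr/lib/systemd/system/getty@.service" > "$rootfs/etc/systemd/system/getty@.service"`. The enclosing function starts and ends outside the hunk.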