diff -Nru lxc-2.1.0/config/apparmor/abstractions/container-base lxc-2.1.1/config/apparmor/abstractions/container-base --- lxc-2.1.0/config/apparmor/abstractions/container-base 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/config/apparmor/abstractions/container-base 2017-10-19 17:08:34.000000000 +0000 @@ -72,8 +72,6 @@ # block some other dangerous paths deny @{PROC}/kcore rwklx, - deny @{PROC}/kmem rwklx, - deny @{PROC}/mem rwklx, deny @{PROC}/sysrq-trigger rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow diff -Nru lxc-2.1.0/config/apparmor/abstractions/container-base.in lxc-2.1.1/config/apparmor/abstractions/container-base.in --- lxc-2.1.0/config/apparmor/abstractions/container-base.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/config/apparmor/abstractions/container-base.in 2017-10-19 17:08:34.000000000 +0000 @@ -72,8 +72,6 @@ # block some other dangerous paths deny @{PROC}/kcore rwklx, - deny @{PROC}/kmem rwklx, - deny @{PROC}/mem rwklx, deny @{PROC}/sysrq-trigger rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow diff -Nru lxc-2.1.0/config/init/systemd/Makefile.in lxc-2.1.1/config/init/systemd/Makefile.in --- lxc-2.1.0/config/init/systemd/Makefile.in 2017-09-06 02:32:41.000000000 +0000 +++ lxc-2.1.1/config/init/systemd/Makefile.in 2017-10-19 17:08:38.000000000 +0000 @@ -513,8 +513,8 @@ @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -@INIT_SCRIPT_SYSTEMD_FALSE@uninstall-local: @INIT_SCRIPT_SYSTEMD_FALSE@install-data-local: +@INIT_SCRIPT_SYSTEMD_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am diff -Nru lxc-2.1.0/config/init/upstart/Makefile.in lxc-2.1.1/config/init/upstart/Makefile.in --- lxc-2.1.0/config/init/upstart/Makefile.in 2017-09-06 02:32:41.000000000 +0000 +++ lxc-2.1.1/config/init/upstart/Makefile.in 2017-10-19 17:08:38.000000000 +0000 
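Review bot: The reason the two lines `deny @{PROC}/kmem rwklx,` and `deny @{PROC}/mem rwklx,` could go is recorded nowhere in the profile; the only justification on this page is the changelog's "apparmor: Drop useless apparmor denies". An explicit deny only matters where an allow rule would otherwise match, so if this abstraction grants file access broadly elsewhere (its allow rules are not in the hunk) the list under `# block some other dangerous paths` is what actually carves kernel interfaces out, and a later reader needs to know these two were no-ops because `/proc` has no top-level `kmem` or `mem` entry (the kernel exposes those as `/dev/kmem`, `/dev/mem` and per-process `/proc/PID/mem`), not because the protection moved. Suggest a comment next to the remaining `kcore` line: `# @{PROC}/kmem and @{PROC}/mem do not exist; kernel memory devices live under /dev and per-process memory under @{PROC}/*/mem`. The container-base.in hunk further along this line is identical and should carry the same comment, since container-base is presumably generated from it.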
@@ -432,8 +432,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@INIT_SCRIPT_UPSTART_FALSE@install-data-local: @INIT_SCRIPT_UPSTART_FALSE@uninstall-local: +@INIT_SCRIPT_UPSTART_FALSE@install-data-local: clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am diff -Nru lxc-2.1.0/configure lxc-2.1.1/configure --- lxc-2.1.0/configure 2017-09-06 02:32:41.000000000 +0000 +++ lxc-2.1.1/configure 2017-10-19 17:08:37.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for lxc 2.1.0. +# Generated by GNU Autoconf 2.69 for lxc 2.1.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='lxc' PACKAGE_TARNAME='lxc' -PACKAGE_VERSION='2.1.0' -PACKAGE_STRING='lxc 2.1.0' +PACKAGE_VERSION='2.1.1' +PACKAGE_STRING='lxc 2.1.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1505,7 +1505,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures lxc 2.1.0 to adapt to many kinds of systems. +\`configure' configures lxc 2.1.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1576,7 +1576,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of lxc 2.1.0:";; + short | recursive ) echo "Configuration of lxc 2.1.1:";; esac cat <<\_ACEOF @@ -1756,7 +1756,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -lxc configure 2.1.0 +lxc configure 2.1.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2221,7 +2221,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by lxc $as_me 2.1.0, which was +It was created by lxc $as_me 2.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2692,7 +2692,7 @@ fi fi -LXC_VERSION_BASE=2.1.0 +LXC_VERSION_BASE=2.1.1 @@ -2700,9 +2700,9 @@ LXC_VERSION_MINOR=1 -LXC_VERSION_MICRO=0 +LXC_VERSION_MICRO=1 -LXC_VERSION=2.1.0 +LXC_VERSION=2.1.1 LXC_DEVEL=0 @@ -3234,7 +3234,7 @@ # Define the identity of the package. PACKAGE='lxc' - VERSION='2.1.0' + VERSION='2.1.1' cat >>confdefs.h <<_ACEOF 
@@ -17474,7 +17474,7 @@ fi # Files requiring some variable expansion -ac_config_files="$ac_config_files Makefile lxc.pc lxc.spec config/Makefile config/apparmor/Makefile config/selinux/Makefile config/bash/Makefile config/bash/lxc config/init/Makefile config/init/common/Makefile config/init/common/lxc-containers config/init/common/lxc-net config/init/systemd/Makefile config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service config/init/sysvinit/Makefile config/init/sysvinit/lxc-containers config/init/sysvinit/lxc-net config/init/upstart/lxc.conf config/init/upstart/lxc-net.conf config/init/upstart/Makefile config/etc/Makefile config/templates/Makefile config/templates/alpine.common.conf config/templates/alpine.userns.conf config/templates/archlinux.common.conf config/templates/archlinux.userns.conf config/templates/centos.common.conf config/templates/centos.userns.conf config/templates/common.conf config/templates/common.conf.d/Makefile config/templates/debian.common.conf config/templates/debian.userns.conf config/templates/fedora.common.conf config/templates/fedora.userns.conf config/templates/gentoo.common.conf config/templates/gentoo.moresecure.conf config/templates/gentoo.userns.conf config/templates/nesting.conf config/templates/opensuse.common.conf config/templates/opensuse.userns.conf config/templates/oracle.common.conf config/templates/oracle.userns.conf config/templates/plamo.common.conf config/templates/plamo.userns.conf config/templates/slackware.common.conf config/templates/slackware.userns.conf config/templates/ubuntu-cloud.common.conf config/templates/ubuntu-cloud.lucid.conf config/templates/ubuntu-cloud.userns.conf config/templates/ubuntu.common.conf config/templates/ubuntu.lucid.conf config/templates/ubuntu.userns.conf config/templates/openwrt.common.conf config/templates/sparclinux.common.conf config/templates/sparclinux.userns.conf config/templates/voidlinux.common.conf 
config/templates/voidlinux.userns.conf config/templates/sabayon.common.conf config/templates/sabayon.userns.conf config/templates/userns.conf config/yum/Makefile config/sysconfig/Makefile config/sysconfig/lxc doc/Makefile doc/api/Makefile doc/lxc-attach.sgml doc/lxc-autostart.sgml doc/lxc-cgroup.sgml doc/lxc-checkconfig.sgml doc/lxc-checkpoint.sgml doc/lxc-clone.sgml doc/lxc-config.sgml doc/lxc-console.sgml doc/lxc-copy.sgml doc/lxc-create.sgml doc/lxc-destroy.sgml doc/lxc-device.sgml doc/lxc-execute.sgml doc/lxc-freeze.sgml doc/lxc-info.sgml doc/lxc-ls.sgml doc/lxc-monitor.sgml doc/lxc-snapshot.sgml doc/lxc-start-ephemeral.sgml doc/lxc-start.sgml doc/lxc-stop.sgml doc/lxc-top.sgml doc/lxc-unfreeze.sgml doc/lxc-unshare.sgml doc/lxc-user-nic.sgml doc/lxc-usernsexec.sgml doc/lxc-wait.sgml doc/lxc.conf.sgml doc/lxc.container.conf.sgml doc/lxc.system.conf.sgml doc/lxc-usernet.sgml doc/lxc.sgml doc/common_options.sgml doc/see_also.sgml doc/rootfs/Makefile doc/examples/Makefile doc/examples/lxc-macvlan.conf doc/examples/lxc-vlan.conf doc/examples/lxc-no-netns.conf doc/examples/lxc-empty-netns.conf doc/examples/lxc-phys.conf doc/examples/lxc-veth.conf doc/examples/lxc-complex.conf doc/ja/Makefile doc/ja/lxc-attach.sgml doc/ja/lxc-autostart.sgml doc/ja/lxc-cgroup.sgml doc/ja/lxc-checkconfig.sgml doc/ja/lxc-checkpoint.sgml doc/ja/lxc-clone.sgml doc/ja/lxc-config.sgml doc/ja/lxc-console.sgml doc/ja/lxc-copy.sgml doc/ja/lxc-create.sgml doc/ja/lxc-destroy.sgml doc/ja/lxc-device.sgml doc/ja/lxc-execute.sgml doc/ja/lxc-freeze.sgml doc/ja/lxc-info.sgml doc/ja/lxc-ls.sgml doc/ja/lxc-monitor.sgml doc/ja/lxc-snapshot.sgml doc/ja/lxc-start-ephemeral.sgml doc/ja/lxc-start.sgml doc/ja/lxc-stop.sgml doc/ja/lxc-top.sgml doc/ja/lxc-unfreeze.sgml doc/ja/lxc-unshare.sgml doc/ja/lxc-user-nic.sgml doc/ja/lxc-usernsexec.sgml doc/ja/lxc-wait.sgml doc/ja/lxc.conf.sgml doc/ja/lxc.container.conf.sgml doc/ja/lxc.system.conf.sgml doc/ja/lxc-usernet.sgml doc/ja/lxc.sgml doc/ja/common_options.sgml 
doc/ja/see_also.sgml doc/ko/Makefile doc/ko/lxc-attach.sgml doc/ko/lxc-autostart.sgml doc/ko/lxc-cgroup.sgml doc/ko/lxc-checkconfig.sgml doc/ko/lxc-checkpoint.sgml doc/ko/lxc-clone.sgml doc/ko/lxc-config.sgml doc/ko/lxc-console.sgml doc/ko/lxc-copy.sgml doc/ko/lxc-create.sgml doc/ko/lxc-destroy.sgml doc/ko/lxc-device.sgml doc/ko/lxc-execute.sgml doc/ko/lxc-freeze.sgml doc/ko/lxc-info.sgml doc/ko/lxc-ls.sgml doc/ko/lxc-monitor.sgml doc/ko/lxc-snapshot.sgml doc/ko/lxc-start-ephemeral.sgml doc/ko/lxc-start.sgml doc/ko/lxc-stop.sgml doc/ko/lxc-top.sgml doc/ko/lxc-unfreeze.sgml doc/ko/lxc-unshare.sgml doc/ko/lxc-user-nic.sgml doc/ko/lxc-usernsexec.sgml doc/ko/lxc-wait.sgml doc/ko/lxc.conf.sgml doc/ko/lxc.container.conf.sgml doc/ko/lxc.system.conf.sgml doc/ko/lxc-usernet.sgml doc/ko/lxc.sgml doc/ko/common_options.sgml doc/ko/see_also.sgml hooks/Makefile templates/Makefile templates/lxc-alpine templates/lxc-altlinux templates/lxc-archlinux templates/lxc-busybox templates/lxc-centos templates/lxc-cirros templates/lxc-debian templates/lxc-download templates/lxc-fedora templates/lxc-fedora-legacy templates/lxc-gentoo templates/lxc-openmandriva templates/lxc-opensuse templates/lxc-oracle templates/lxc-plamo templates/lxc-pld templates/lxc-slackware templates/lxc-sshd templates/lxc-ubuntu templates/lxc-ubuntu-cloud templates/lxc-sparclinux templates/lxc-voidlinux templates/lxc-sabayon src/Makefile src/lxc/Makefile src/lxc/lxc.functions src/lxc/tools/lxc-checkconfig src/lxc/tools/lxc-start-ephemeral src/lxc/tools/lxc-update-config src/lxc/version.h src/python-lxc/Makefile src/lua-lxc/Makefile src/tests/Makefile src/tests/lxc-test-usernic" +ac_config_files="$ac_config_files Makefile lxc.pc lxc.spec config/Makefile config/apparmor/Makefile config/selinux/Makefile config/bash/Makefile config/bash/lxc config/init/Makefile config/init/common/Makefile config/init/common/lxc-containers config/init/common/lxc-net config/init/systemd/Makefile config/init/systemd/lxc.service 
config/init/systemd/lxc@.service config/init/systemd/lxc-net.service config/init/sysvinit/Makefile config/init/sysvinit/lxc-containers config/init/sysvinit/lxc-net config/init/upstart/lxc.conf config/init/upstart/lxc-net.conf config/init/upstart/Makefile config/etc/Makefile config/templates/Makefile config/templates/alpine.common.conf config/templates/alpine.userns.conf config/templates/archlinux.common.conf config/templates/archlinux.userns.conf config/templates/centos.common.conf config/templates/centos.userns.conf config/templates/common.conf config/templates/common.conf.d/Makefile config/templates/debian.common.conf config/templates/debian.userns.conf config/templates/fedora.common.conf config/templates/fedora.userns.conf config/templates/gentoo.common.conf config/templates/gentoo.moresecure.conf config/templates/gentoo.userns.conf config/templates/nesting.conf config/templates/opensuse.common.conf config/templates/opensuse.userns.conf config/templates/oracle.common.conf config/templates/oracle.userns.conf config/templates/plamo.common.conf config/templates/plamo.userns.conf config/templates/slackware.common.conf config/templates/slackware.userns.conf config/templates/ubuntu-cloud.common.conf config/templates/ubuntu-cloud.lucid.conf config/templates/ubuntu-cloud.userns.conf config/templates/ubuntu.common.conf config/templates/ubuntu.lucid.conf config/templates/ubuntu.userns.conf config/templates/openwrt.common.conf config/templates/sparclinux.common.conf config/templates/sparclinux.userns.conf config/templates/voidlinux.common.conf config/templates/voidlinux.userns.conf config/templates/sabayon.common.conf config/templates/sabayon.userns.conf config/templates/userns.conf config/yum/Makefile config/sysconfig/Makefile config/sysconfig/lxc doc/Makefile doc/api/Makefile doc/lxc-attach.sgml doc/lxc-autostart.sgml doc/lxc-cgroup.sgml doc/lxc-checkconfig.sgml doc/lxc-checkpoint.sgml doc/lxc-clone.sgml doc/lxc-config.sgml doc/lxc-console.sgml doc/lxc-copy.sgml 
doc/lxc-create.sgml doc/lxc-destroy.sgml doc/lxc-device.sgml doc/lxc-execute.sgml doc/lxc-freeze.sgml doc/lxc-info.sgml doc/lxc-ls.sgml doc/lxc-monitor.sgml doc/lxc-snapshot.sgml doc/lxc-start-ephemeral.sgml doc/lxc-start.sgml doc/lxc-stop.sgml doc/lxc-top.sgml doc/lxc-unfreeze.sgml doc/lxc-unshare.sgml doc/lxc-update-config.sgml doc/lxc-user-nic.sgml doc/lxc-usernsexec.sgml doc/lxc-wait.sgml doc/lxc.conf.sgml doc/lxc.container.conf.sgml doc/lxc.system.conf.sgml doc/lxc-usernet.sgml doc/lxc.sgml doc/common_options.sgml doc/see_also.sgml doc/rootfs/Makefile doc/examples/Makefile doc/examples/lxc-macvlan.conf doc/examples/lxc-vlan.conf doc/examples/lxc-no-netns.conf doc/examples/lxc-empty-netns.conf doc/examples/lxc-phys.conf doc/examples/lxc-veth.conf doc/examples/lxc-complex.conf doc/ja/Makefile doc/ja/lxc-attach.sgml doc/ja/lxc-autostart.sgml doc/ja/lxc-cgroup.sgml doc/ja/lxc-checkconfig.sgml doc/ja/lxc-checkpoint.sgml doc/ja/lxc-clone.sgml doc/ja/lxc-config.sgml doc/ja/lxc-console.sgml doc/ja/lxc-copy.sgml doc/ja/lxc-create.sgml doc/ja/lxc-destroy.sgml doc/ja/lxc-device.sgml doc/ja/lxc-execute.sgml doc/ja/lxc-freeze.sgml doc/ja/lxc-info.sgml doc/ja/lxc-ls.sgml doc/ja/lxc-monitor.sgml doc/ja/lxc-snapshot.sgml doc/ja/lxc-start-ephemeral.sgml doc/ja/lxc-start.sgml doc/ja/lxc-stop.sgml doc/ja/lxc-top.sgml doc/ja/lxc-unfreeze.sgml doc/ja/lxc-unshare.sgml doc/ja/lxc-update-config.sgml doc/ja/lxc-user-nic.sgml doc/ja/lxc-usernsexec.sgml doc/ja/lxc-wait.sgml doc/ja/lxc.conf.sgml doc/ja/lxc.container.conf.sgml doc/ja/lxc.system.conf.sgml doc/ja/lxc-usernet.sgml doc/ja/lxc.sgml doc/ja/common_options.sgml doc/ja/see_also.sgml doc/ko/Makefile doc/ko/lxc-attach.sgml doc/ko/lxc-autostart.sgml doc/ko/lxc-cgroup.sgml doc/ko/lxc-checkconfig.sgml doc/ko/lxc-checkpoint.sgml doc/ko/lxc-clone.sgml doc/ko/lxc-config.sgml doc/ko/lxc-console.sgml doc/ko/lxc-copy.sgml doc/ko/lxc-create.sgml doc/ko/lxc-destroy.sgml doc/ko/lxc-device.sgml doc/ko/lxc-execute.sgml doc/ko/lxc-freeze.sgml 
doc/ko/lxc-info.sgml doc/ko/lxc-ls.sgml doc/ko/lxc-monitor.sgml doc/ko/lxc-snapshot.sgml doc/ko/lxc-start-ephemeral.sgml doc/ko/lxc-start.sgml doc/ko/lxc-stop.sgml doc/ko/lxc-top.sgml doc/ko/lxc-unfreeze.sgml doc/ko/lxc-unshare.sgml doc/ko/lxc-user-nic.sgml doc/ko/lxc-usernsexec.sgml doc/ko/lxc-wait.sgml doc/ko/lxc.conf.sgml doc/ko/lxc.container.conf.sgml doc/ko/lxc.system.conf.sgml doc/ko/lxc-usernet.sgml doc/ko/lxc.sgml doc/ko/common_options.sgml doc/ko/see_also.sgml hooks/Makefile templates/Makefile templates/lxc-alpine templates/lxc-altlinux templates/lxc-archlinux templates/lxc-busybox templates/lxc-centos templates/lxc-cirros templates/lxc-debian templates/lxc-download templates/lxc-fedora templates/lxc-fedora-legacy templates/lxc-gentoo templates/lxc-openmandriva templates/lxc-opensuse templates/lxc-oracle templates/lxc-plamo templates/lxc-pld templates/lxc-slackware templates/lxc-sshd templates/lxc-ubuntu templates/lxc-ubuntu-cloud templates/lxc-sparclinux templates/lxc-voidlinux templates/lxc-sabayon src/Makefile src/lxc/Makefile src/lxc/lxc.functions src/lxc/tools/lxc-checkconfig src/lxc/tools/lxc-start-ephemeral src/lxc/tools/lxc-update-config src/lxc/version.h src/python-lxc/Makefile src/lua-lxc/Makefile src/tests/Makefile src/tests/lxc-test-usernic" ac_config_commands="$ac_config_commands default" @@ -18140,7 +18140,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by lxc $as_me 2.1.0, which was +This file was extended by lxc $as_me 2.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18210,7 +18210,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -lxc config.status 2.1.0 +lxc config.status 2.1.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -18718,6 +18718,7 @@ "doc/lxc-top.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-top.sgml" ;; "doc/lxc-unfreeze.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-unfreeze.sgml" ;; "doc/lxc-unshare.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-unshare.sgml" ;; + "doc/lxc-update-config.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-update-config.sgml" ;; "doc/lxc-user-nic.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-user-nic.sgml" ;; "doc/lxc-usernsexec.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-usernsexec.sgml" ;; "doc/lxc-wait.sgml") CONFIG_FILES="$CONFIG_FILES doc/lxc-wait.sgml" ;; @@ -18762,6 +18763,7 @@ "doc/ja/lxc-top.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-top.sgml" ;; "doc/ja/lxc-unfreeze.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-unfreeze.sgml" ;; "doc/ja/lxc-unshare.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-unshare.sgml" ;; + "doc/ja/lxc-update-config.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-update-config.sgml" ;; "doc/ja/lxc-user-nic.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-user-nic.sgml" ;; "doc/ja/lxc-usernsexec.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-usernsexec.sgml" ;; "doc/ja/lxc-wait.sgml") CONFIG_FILES="$CONFIG_FILES doc/ja/lxc-wait.sgml" ;; diff -Nru lxc-2.1.0/configure.ac lxc-2.1.1/configure.ac --- lxc-2.1.0/configure.ac 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/configure.ac 2017-10-19 17:08:34.000000000 +0000 @@ -4,7 +4,7 @@ m4_define([lxc_devel], 0) m4_define([lxc_version_major], 2) m4_define([lxc_version_minor], 1) -m4_define([lxc_version_micro], 0) +m4_define([lxc_version_micro], 1) m4_define([lxc_version_beta], []) m4_define([lxc_abi_major], 1) @@ -785,6 +785,7 @@ doc/lxc-top.sgml doc/lxc-unfreeze.sgml doc/lxc-unshare.sgml + doc/lxc-update-config.sgml doc/lxc-user-nic.sgml doc/lxc-usernsexec.sgml doc/lxc-wait.sgml 
@@ -833,6 +834,7 @@
 doc/ja/lxc-top.sgml
 doc/ja/lxc-unfreeze.sgml
 doc/ja/lxc-unshare.sgml
+ doc/ja/lxc-update-config.sgml
 doc/ja/lxc-user-nic.sgml
 doc/ja/lxc-usernsexec.sgml
 doc/ja/lxc-wait.sgml
diff -Nru lxc-2.1.0/debian/changelog lxc-2.1.1/debian/changelog
--- lxc-2.1.0/debian/changelog 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/changelog 2017-10-31 22:59:59.000000000 +0000
@@ -1,3 +1,74 @@
+lxc (2.1.1-0ubuntu1) bionic; urgency=medium
+
+ * New upstream bugfix release (LXC 2.1.1)
+ - apparmor: Drop useless apparmor denies
+ - cgfsng: Check whether we have a conf
+ - cgfsng: Fail when limits fail to apply
+ - conf: Error out on too many mappings
+ - conf: Ignore lxc.kmsg and lxc.pivotdir
+ - conf: Make update warning opt-in
+ - conf: Preserve newlines in configuration file
+ - conf: Remove dead assignments in parse_idmaps()
+ - conf: Remove unnecessary zeroing
+ - conf: Use the proper type for rlim_t, fixing build failure on x32.
+ - console: Clean tty state + return 0 on peer exit
+ - console: Remove dead assignments
+ - core: Introduce userns_exec_full() and port the codebase to it
+ - criu: Use correct check initialization check
+ - doc: Add lxc.cgroup.dir to Japanese lxc.container.conf(5)
+ - doc: Add lxc-update-config manpage
+ - doc: Document missing env variables
+ - doc: Fix regex-typo in Japanese and Korean lxc-monitor(1)
+ - doc: Fix regex-typo in lxc-monitor.sgml.in
+ - doc: Translate lxc(7) into Japanese
+ - doc: Translate lxc-update-config(1) into Japanese
+ - execute: Enable console & standard /dev symlinks
+ - init: Become session leader
+ - log: Fix a format string build failure on x32.
+ - log: Prevent stack smashing
+ - monitor: Remove dead assignment
+ - network: Add missing checks for empty links
+ - network: Clear ifindeces
+ - network: Non-functional changes
+ - network: Remove dead assignments
+ - network: Use single helper to delete networks
+ - start: Don't close inherited namespace fds
+ - start: Move env setup before container setup
+ - start: Pass LXC_LOG_LEVEL to hooks
+ - start: Remove dead variable
+ - start: Set environment variables correctly
+ - start: Switch ids at last possible instance
+ - storage: Avoid segfault on missing lxc.rootfs.path
+ - storage: Fix typo in error message
+ - storage/lvm: Fix thinpool logical volumes
+ - storage/overlay: Do not write to invalid memory
+ - storage/overlay: Fix use after free()
+ - storage/zfs: Return error directly when zfs creation fails
+ - template/alpine: Change file check to also check file size (-f => -s)
+ - template/archlinux: Change locale "en-US.UTF-8" to "en_US.UTF-8"
+ - template/debian: Don't force getty@ configuration
+ - template/plamo: Delete unnecessary process during container shutdown
+ - tests: Avoid NULL pointer dereference
+ - tests: Remove dead assignments
+ - tests: Support systemd hybrid cgroups
+ - tools: Print "-devel" when LXC_DEVEL is true
+ - tools/lxc-unshare: Do not pass NULL pointer
+ - tools/lxc-update-config: Remove lxc.pivotdir and lxc.kmsg entries
+ - tools/lxc-update-config: Strip lxc.rootfs.backend and handle IPv4 addrs
+ - tools/lxc-user-nic: Remove double initialization
+ - tools/lxc-usernsexec: Remove dead assignments
+ - utils: Do not write to 0 sized buffer
+ - utils: Duplicate stderr as well in lxc_popen()
+ - utils: Fix lxc_popen()/lxc_pclose()
+ - utils: Remove dead assignments in lxc_popen()
+
+ * Drop all patches, now upstream.
+ * Use upstream manpage for lxc-update-config.
+ * Refresh lintian overrides.
+ * Bump standards to 4.1.1.
+ + -- Stéphane Graber Tue, 31 Oct 2017 18:59:59 -0400 + lxc (2.1.0-0ubuntu1) artful; urgency=medium * New upstream release (LXC 2.1): (LP: #1715278) diff -Nru lxc-2.1.0/debian/control lxc-2.1.1/debian/control --- lxc-2.1.0/debian/control 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/control 2017-10-31 22:59:59.000000000 +0000 @@ -5,12 +5,11 @@ Build-Depends: autotools-dev, bash-completion, debhelper (>= 9), + debhelper (>= 9.20160709) | dh-systemd, dh-apparmor, dh-autoreconf, - dh-systemd, docbook2x, dpkg-dev (>= 1.16.1~) | hardening-wrapper, - help2man, libapparmor-dev, libcap-dev, libgnutls28-dev, @@ -21,7 +20,7 @@ pkg-config, python3-all-dev (>= 3.2.3), python3-setuptools -Standards-Version: 4.0.0 +Standards-Version: 4.1.1 Homepage: https://linuxcontainers.org Vcs-Git: https://github.com/lxc/lxc-pkg-ubuntu Vcs-Browser: https://github.com/lxc/lxc-pkg-ubuntu @@ -30,7 +29,6 @@ Package: lxc Architecture: all Depends: lxc1 (>= ${source:Version}), ${misc:Depends} -Priority: extra Section: oldlibs Description: Transitional package for lxc1 This is a transitional dummy package. It can safely be removed. @@ -133,6 +131,7 @@ Package: liblxc1 Architecture: linux-any +Section: libs Pre-Depends: ${misc:Pre-Depends} Depends: cgroup-lite | systemd, lxc-common (= ${binary:Version}), diff -Nru lxc-2.1.0/debian/.git-dpm lxc-2.1.1/debian/.git-dpm --- lxc-2.1.0/debian/.git-dpm 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/.git-dpm 2017-10-31 22:59:51.000000000 +0000 
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-fa8a1e7ea9decccbe884f890142dcf64a1dac9f6
-fa8a1e7ea9decccbe884f890142dcf64a1dac9f6
-d89da872d2e9f93ad7c9039b5acc39beb386352c
-d89da872d2e9f93ad7c9039b5acc39beb386352c
-lxc_2.1.0.orig.tar.gz
-8f8c48a999dd428672a0d02fbae12aed6b812026
-1369525
+db02ded81fd6db10643db9e1bc1ee7c82d4af433
+db02ded81fd6db10643db9e1bc1ee7c82d4af433
+2d5e3a76c387a7ba17ec33b0adfa7d92bfc7b8d3
+2d5e3a76c387a7ba17ec33b0adfa7d92bfc7b8d3
+lxc_2.1.1.orig.tar.gz
+81f8f45226c29dc480abebf0287d4f5f27f6346b
+1378640
diff -Nru lxc-2.1.0/debian/patches/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch lxc-2.1.1/debian/patches/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch
--- lxc-2.1.0/debian/patches/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/patches/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch 2017-10-31 22:59:51.000000000 +0000
@@ -1,4 +1,4 @@
-From f4f2c4956d3d7719922d6d54fff99cf00509712e Mon Sep 17 00:00:00 2001
+From db02ded81fd6db10643db9e1bc1ee7c82d4af433 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?St=C3=A9phane=20Graber?=
 Date: Tue, 3 Nov 2015 11:42:58 -0500
 Subject: Allocate new lxcbr0 subnet at startup time
diff -Nru lxc-2.1.0/debian/patches/0002-Fix-typo.patch lxc-2.1.1/debian/patches/0002-Fix-typo.patch
--- lxc-2.1.0/debian/patches/0002-Fix-typo.patch 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/patches/0002-Fix-typo.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-From 8d16357035d33c3db9a4cc219b71532a7f43a1b2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?St=C3=A9phane=20Graber?=
-Date: Mon, 18 Sep 2017 19:03:48 -0400
-Subject: Fix typo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Stéphane Graber
----
- src/lxc/storage/storage.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lxc/storage/storage.c b/src/lxc/storage/storage.c
-index fee3d8df..c8909123 100644
---- a/src/lxc/storage/storage.c
-+++ b/src/lxc/storage/storage.c
-@@ -374,7 +374,7 @@ struct lxc_storage *storage_copy(struct lxc_container *c, const char *cname,
- if (ret < 0 && errno == ENOENT) {
- ret = mkdir_p(orig->dest, 0755);
- if (ret < 0)
-- WARN("Failed to create directoy \"%s\"", orig->dest);
-+ WARN("Failed to create directory \"%s\"", orig->dest);
- }
- }
-
diff -Nru lxc-2.1.0/debian/patches/0003-network-add-missing-checks-for-empty-links.patch lxc-2.1.1/debian/patches/0003-network-add-missing-checks-for-empty-links.patch
--- lxc-2.1.0/debian/patches/0003-network-add-missing-checks-for-empty-links.patch 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/patches/0003-network-add-missing-checks-for-empty-links.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,32 +0,0 @@
-From d71f59a698d8fa17f19a596dab4c89b22a1253eb Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Wed, 6 Sep 2017 11:51:03 +0200
-Subject: network: add missing checks for empty links
-
-Signed-off-by: Wolfgang Bumiller
----
- src/lxc/network.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lxc/network.c b/src/lxc/network.c
-index a7f054e7..982f2eef 100644
---- a/src/lxc/network.c
-+++ b/src/lxc/network.c
-@@ -2350,7 +2350,7 @@ bool lxc_delete_network_unpriv(struct lxc_handler *handler)
- if (netdev->type != LXC_NET_VETH)
- continue;
-
-- if (!is_ovs_bridge(netdev->link))
-+ if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link))
- continue;
-
- if (netdev->priv.veth_attr.pair[0] != '\0')
-@@ -2559,7 +2559,7 @@ bool lxc_delete_network_priv(struct lxc_handler *handler)
- }
- INFO("Removed interface \"%s\" from \"%s\"", hostveth, netdev->link);
-
-- if (!is_ovs_bridge(netdev->link)) {
-+ if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) {
- netdev->priv.veth_attr.veth1[0] = '\0';
- continue;
- }
diff -Nru lxc-2.1.0/debian/patches/0004-cleanup-remove-unnecessary-zeroing.patch lxc-2.1.1/debian/patches/0004-cleanup-remove-unnecessary-zeroing.patch
--- lxc-2.1.0/debian/patches/0004-cleanup-remove-unnecessary-zeroing.patch 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/patches/0004-cleanup-remove-unnecessary-zeroing.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-From cd7fd320eeb59e1aeb857ae72f3a271588d400b3 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Wed, 6 Sep 2017 11:45:03 +0200
-Subject: cleanup: remove unnecessary zeroing
-
-The entire netdev is zeroed via memset() already. Unions and
-all.
-
-Signed-off-by: Wolfgang Bumiller
----
- src/lxc/confile_legacy.c | 10 ----------
- src/lxc/confile_utils.c | 9 ---------
- 2 files changed, 19 deletions(-)
-
-diff --git a/src/lxc/confile_legacy.c b/src/lxc/confile_legacy.c
-index 80dd3851..93df4737 100644
---- a/src/lxc/confile_legacy.c
-+++ b/src/lxc/confile_legacy.c
-@@ -170,16 +170,6 @@ int set_config_network_legacy_type(const char *key, const char *value,
- lxc_list_init(&netdev->ipv4);
- lxc_list_init(&netdev->ipv6);
-
-- netdev->name[0] = '\0';
-- netdev->link[0] = '\0';
-- memset(&netdev->priv, 0, sizeof(netdev->priv));
-- /* I'm not completely sure if the memset takes care to zero the arrays
-- * in the union as well. So let's make extra sure and set the first byte
-- * to zero so that we don't have any surprises.
-- */
-- netdev->priv.veth_attr.pair[0] = '\0';
-- netdev->priv.veth_attr.veth1[0] = '\0';
--
- list = malloc(sizeof(*list));
- if (!list) {
- SYSERROR("failed to allocate memory");
-diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
-index 02924fa9..d43d516d 100644
---- a/src/lxc/confile_utils.c
-+++ b/src/lxc/confile_utils.c
-@@ -183,15 +183,6 @@ struct lxc_netdev *lxc_network_add(struct lxc_list *networks, int idx, bool tail
- memset(netdev, 0, sizeof(*netdev));
- lxc_list_init(&netdev->ipv4);
- lxc_list_init(&netdev->ipv6);
-- netdev->name[0] = '\0';
-- netdev->link[0] = '\0';
-- memset(&netdev->priv, 0, sizeof(netdev->priv));
-- /* I'm not completely sure if the memset takes care to zero the arrays
-- * in the union as well. So let's make extra sure and set the first byte
-- * to zero so that we don't have any surprises.
-- */
-- netdev->priv.veth_attr.pair[0] = '\0';
-- netdev->priv.veth_attr.veth1[0] = '\0';
-
- /* give network a unique index */
- netdev->idx = idx;
diff -Nru lxc-2.1.0/debian/patches/0005-console-clean-tty-state-return-0-on-peer-exit.patch lxc-2.1.1/debian/patches/0005-console-clean-tty-state-return-0-on-peer-exit.patch
--- lxc-2.1.0/debian/patches/0005-console-clean-tty-state-return-0-on-peer-exit.patch 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/patches/0005-console-clean-tty-state-return-0-on-peer-exit.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-From 3ade5336f41bb48846cf761daf3da4a508f6a49e Mon Sep 17 00:00:00 2001
-From: LiFeng
-Date: Tue, 5 Sep 2017 23:16:50 +0800
-Subject: console: clean tty state + return 0 on peer exit
-
-In the past, if the console client exited, lxc_console_cb_con return 1. And
-the lxc_poll will exit, the process will wait at waitpid. At this moment, the
-process could not handle any command (For example get the container state
-LXC_CMD_GET_STATE or stop the container LXC_CMD_STOP.).
-
-I think we should clean the tty_state and return 0 in this case. So, we can use
-the lxc-console to connect the console of the container. And we will not exit
-the function lxc_polland we can handle the commands by lxc_cmd_process
-
-Reproducer prior to this commit:
-- open a new terminal, get the tty device name by command tty /dev/pts/6
-- set lxc.console.path = /dev/pts/6
-- start the container and the ouptut will print to /dev/pts/6
-- close /dev/pts/6
-- try an operation e.g. getting state with lxc-ls and lxc-ls will hang
-
-Closes #1787.
-
-Signed-off-by: LiFeng
-Acked-by: Christian Brauner
----
- src/lxc/console.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/lxc/console.c b/src/lxc/console.c
-index 666754d2..97ae7a16 100644
---- a/src/lxc/console.c
-+++ b/src/lxc/console.c
-@@ -174,6 +174,15 @@ static int lxc_console_cb_con(int fd, uint32_t events, void *data,
- if (r <= 0) {
- INFO("console client on fd %d has exited", fd);
- lxc_mainloop_del_handler(descr, fd);
-+ if (fd == console->peer) {
-+ if (console->tty_state) {
-+ lxc_console_sigwinch_fini(console->tty_state);
-+ console->tty_state = NULL;
-+ }
-+ console->peer = -1;
-+ close(fd);
-+ return 0;
-+ }
- close(fd);
- return 1;
- }
diff -Nru lxc-2.1.0/debian/patches/0006-tools-fix-lxc-upate-config.patch lxc-2.1.1/debian/patches/0006-tools-fix-lxc-upate-config.patch
--- lxc-2.1.0/debian/patches/0006-tools-fix-lxc-upate-config.patch 2017-09-18 22:32:38.000000000 +0000
+++ lxc-2.1.1/debian/patches/0006-tools-fix-lxc-upate-config.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,30 +0,0 @@ -From 67cf78b53f3e647266e3f7f39cb2e2be872f2a7d Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Wed, 6 Sep 2017 12:33:19 +0200 -Subject: tools: fix lxc-upate-config - -- replace lxc.network.[i].ipv4 with lxc.net.[i].ipv4.address -- remove lxc.rootfs.backend lines - -Closes #1790. - -Signed-off-by: Christian Brauner ---- - src/lxc/tools/lxc-update-config.in | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/lxc/tools/lxc-update-config.in b/src/lxc/tools/lxc-update-config.in -index 3a9defd1..5bd55087 100644 ---- a/src/lxc/tools/lxc-update-config.in -+++ b/src/lxc/tools/lxc-update-config.in -@@ -63,8 +63,10 @@ sed -i \ - -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_uid\)\([[:blank:]*]\|=\)/\1lxc\.init\.uid\3/g' \ - -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_gid\)\([[:blank:]*]\|=\)/\1lxc\.init\.gid\3/g' \ - -e 's/\([[:blank:]*]\|#*\)\(lxc\.limit\)\([[:blank:]*]\|=\)/\1lxc\.prlimit\3/g' \ -+-e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\(\.[[:digit:]*]\)\(\.ipv4\)/\1lxc\.net\3\4\.address/g' \ - -e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\(\.[[:digit:]*]\)/\1lxc\.net\3/g' \ - -e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\([[:blank:]*]\|=\)/\1lxc\.net\3/g' \ -+-e '/\([[:blank:]*]\|#*\)\(lxc\.rootfs\.backend\)\([[:blank:]*]\|=\)/d' \ - "${CONFIGPATH}" - - # Finally, deal with network definitions of the following form: diff -Nru lxc-2.1.0/debian/patches/0007-criu-use-correct-check-initialization-check.patch lxc-2.1.1/debian/patches/0007-criu-use-correct-check-initialization-check.patch --- lxc-2.1.0/debian/patches/0007-criu-use-correct-check-initialization-check.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0007-criu-use-correct-check-initialization-check.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,23 +0,0 @@ -From 0636c5b08a7c21576511d31c53b3e8b47dd3acce Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 9 Sep 2017 18:45:47 +0200 -Subject: criu: use correct check initialization check - -Signed-off-by: Christian Brauner ---- - src/lxc/criu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lxc/criu.c b/src/lxc/criu.c -index 676d759d..96688edc 100644 ---- a/src/lxc/criu.c -+++ b/src/lxc/criu.c -@@ -551,7 +551,7 @@ static void exec_criu(struct criu_opts *opts) - external_not_veth = false; - } - -- if (n->name) { -+ if (n->name[0] != '\0') { - if (strlen(n->name) >= sizeof(eth)) - goto err; - strncpy(eth, n->name, sizeof(eth)); diff -Nru lxc-2.1.0/debian/patches/0008-storage-overlay-do-not-write-to-invalid-memory.patch lxc-2.1.1/debian/patches/0008-storage-overlay-do-not-write-to-invalid-memory.patch --- lxc-2.1.0/debian/patches/0008-storage-overlay-do-not-write-to-invalid-memory.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0008-storage-overlay-do-not-write-to-invalid-memory.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,106 +0,0 @@ -From 00be99431e1abb580434be8b4755f85424c0b441 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 9 Sep 2017 19:29:53 +0200 -Subject: storage/overlay: do not write to invalid memory - -Closes #1802. - -Signed-off-by: Christian Brauner ---- - src/lxc/storage/overlay.c | 39 ++++++++++++++++++++------------------- - 1 file changed, 20 insertions(+), 19 deletions(-) - -diff --git a/src/lxc/storage/overlay.c b/src/lxc/storage/overlay.c -index e63a6ba5..cff355eb 100644 ---- a/src/lxc/storage/overlay.c -+++ b/src/lxc/storage/overlay.c -@@ -109,9 +109,9 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - return -1; - } - -- strncpy(delta, new->dest, lastslashidx + 1); -- strncpy(delta + lastslashidx, "delta0", sizeof("delta0") - 1); -- delta[lastslashidx + sizeof("delta0")] = '\0'; -+ memcpy(delta, new->dest, lastslashidx + 1); -+ memcpy(delta + lastslashidx, "delta0", sizeof("delta0") - 1); -+ delta[lastslashidx + sizeof("delta0") - 1] = '\0'; - - ret = mkdir(delta, 0755); - if (ret < 0 && errno != EEXIST) { -@@ -141,12 +141,13 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - return -1; - } - -- strncpy(work, new->dest, lastslashidx + 1); -- strncpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); -- work[lastslashidx + sizeof("olwork")] = '\0'; -+ memcpy(work, new->dest, lastslashidx + 1); -+ memcpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); -+ work[lastslashidx + sizeof("olwork") - 1] = '\0'; - -- if (mkdir(work, 0755) < 0) { -- SYSERROR("error: mkdir %s", work); -+ ret = mkdir(work, 0755); -+ if (ret < 0) { -+ SYSERROR("Failed to create directory \"%s\"", work); - free(delta); - free(work); - return -1; -@@ -253,9 +254,9 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - return -1; - } - -- strncpy(work, ndelta, lastslashidx + 1); -- strncpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); -- work[lastslashidx + 
sizeof("olwork")] = '\0'; -+ memcpy(work, ndelta, lastslashidx + 1); -+ memcpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); -+ work[lastslashidx + sizeof("olwork") - 1] = '\0'; - - ret = mkdir(work, 0755); - if (ret < 0 && errno != EEXIST) { -@@ -417,8 +418,8 @@ int ovl_create(struct lxc_storage *bdev, const char *dest, const char *n, - return -1; - } - -- strncpy(delta, dest, len); -- strncpy(delta + len - 6, "delta0", sizeof("delta0") - 1); -+ memcpy(delta, dest, len); -+ memcpy(delta + len - 6, "delta0", sizeof("delta0") - 1); - delta[len + sizeof("delta0")] = '\0'; - - ret = mkdir_p(delta, 0755); -@@ -575,9 +576,9 @@ int ovl_mount(struct lxc_storage *bdev) - return -22; - } - -- strncpy(work, upper, lastslashidx + 1); -- strncpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); -- work[lastslashidx + sizeof("olwork")] = '\0'; -+ memcpy(work, upper, lastslashidx + 1); -+ memcpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); -+ work[lastslashidx + sizeof("olwork") - 1] = '\0'; - - ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata); - if (ret < 0) { -@@ -747,8 +748,9 @@ int ovl_mkdir(const struct mntent *mntent, const struct lxc_rootfs *rootfs, - char lxcpath[MAXPATHLEN]; - char **opts; - int ret; -- size_t arrlen, dirlen, i, len, rootfslen; -+ size_t arrlen, i, len, rootfslen; - int fret = -1; -+ size_t dirlen = 0; - char *rootfs_dir = NULL, *rootfs_path = NULL, *upperdir = NULL, - *workdir = NULL; - -@@ -772,8 +774,7 @@ int ovl_mkdir(const struct mntent *mntent, const struct lxc_rootfs *rootfs, - } - - if (rootfs_path) { -- ret = -- snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name); -+ ret = snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name); - if (ret < 0 || ret >= MAXPATHLEN) - goto err; - diff -Nru lxc-2.1.0/debian/patches/0009-utils-do-not-write-to-0-sized-buffer.patch lxc-2.1.1/debian/patches/0009-utils-do-not-write-to-0-sized-buffer.patch --- lxc-2.1.0/debian/patches/0009-utils-do-not-write-to-0-sized-buffer.patch 
2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0009-utils-do-not-write-to-0-sized-buffer.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,29 +0,0 @@ -From d6c739d3ea5febad82c6fe0eb8e07d0c6ebac2bc Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 10 Sep 2017 06:42:10 +0200 -Subject: utils: do not write to 0 sized buffer - -Signed-off-by: Christian Brauner ---- - src/lxc/utils.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/lxc/utils.c b/src/lxc/utils.c -index 07257d29..656d3ca8 100644 ---- a/src/lxc/utils.c -+++ b/src/lxc/utils.c -@@ -2330,9 +2330,11 @@ int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void *args) - /* close the write-end of the pipe */ - close(pipefd[1]); - -- bytes = read(pipefd[0], buf, (buf_size > 0) ? (buf_size - 1) : 0); -- if (bytes > 0) -- buf[bytes - 1] = '\0'; -+ if (buf && buf_size > 0) { -+ bytes = read(pipefd[0], buf, buf_size - 1); -+ if (bytes > 0) -+ buf[bytes - 1] = '\0'; -+ } - - fret = wait_for_pid(child); - /* close the read-end of the pipe */ diff -Nru lxc-2.1.0/debian/patches/0010-overlay-fix-use-after-free.patch lxc-2.1.1/debian/patches/0010-overlay-fix-use-after-free.patch --- lxc-2.1.0/debian/patches/0010-overlay-fix-use-after-free.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0010-overlay-fix-use-after-free.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,77 +0,0 @@ -From d9d6dca3b34fb198276f5d41e25f2b5561242e81 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 10 Sep 2017 07:04:34 +0200 -Subject: overlay: fix use after free() - -Signed-off-by: Christian Brauner ---- - src/lxc/storage/overlay.c | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/src/lxc/storage/overlay.c b/src/lxc/storage/overlay.c -index cff355eb..e0cd5d5f 100644 ---- a/src/lxc/storage/overlay.c -+++ b/src/lxc/storage/overlay.c -@@ -201,9 +201,8 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - - nsrc = strchr(osrc, ':') + 1; - if ((nsrc != osrc + 8) && (nsrc != osrc + 10)) { -+ ERROR("Detected \":\" in \"%s\" at wrong position", osrc); - free(osrc); -- ERROR("Detected \":\" in \"%s\" at wrong position", -- osrc); - return -22; - } - -@@ -220,9 +219,9 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - - ret = mkdir(ndelta, 0755); - if (ret < 0 && errno != EEXIST) { -+ SYSERROR("Failed to create directory \"%s\"", ndelta); - free(osrc); - free(ndelta); -- SYSERROR("Failed to create directory \"%s\"", ndelta); - return -1; - } - -@@ -238,9 +237,9 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - */ - lastslash = strrchr(ndelta, '/'); - if (!lastslash) { -+ ERROR("Failed to detect \"/\" in \"%s\"", ndelta); - free(osrc); - free(ndelta); -- ERROR("Failed to detect \"/\" in \"%s\"", ndelta); - return -1; - } - lastslash++; -@@ -260,10 +259,10 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - - ret = mkdir(work, 0755); - if (ret < 0 && errno != EEXIST) { -+ SYSERROR("Failed to create directory \"%s\"", ndelta); - free(osrc); - free(ndelta); - free(work); -- SYSERROR("Failed to create directory \"%s\"", ndelta); - return -1; - } - -@@ -323,7 +322,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - - s1 = strrchr(clean_old_path, 
'/'); - if (!s1) { -- ERROR("Failed to detect \"/\" in string \"%s\"", s1); -+ ERROR("Failed to detect \"/\" in string \"%s\"", clean_old_path); - free(clean_old_path); - free(clean_new_path); - return -1; -@@ -331,7 +330,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char - - s2 = strrchr(clean_new_path, '/'); - if (!s2) { -- ERROR("Failed to detect \"/\" in string \"%s\"", s2); -+ ERROR("Failed to detect \"/\" in string \"%s\"", clean_new_path); - free(clean_old_path); - free(clean_new_path); - return -1; diff -Nru lxc-2.1.0/debian/patches/0011-lxc-unshare-do-not-pass-NULL-pointer.patch lxc-2.1.1/debian/patches/0011-lxc-unshare-do-not-pass-NULL-pointer.patch --- lxc-2.1.0/debian/patches/0011-lxc-unshare-do-not-pass-NULL-pointer.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0011-lxc-unshare-do-not-pass-NULL-pointer.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,24 +0,0 @@ -From 939118118a0774d79b2371560ff1473e0c9dc7a0 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 10 Sep 2017 08:01:31 +0200 -Subject: lxc-unshare: do not pass NULL pointer - -Signed-off-by: Christian Brauner ---- - src/lxc/tools/lxc_unshare.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/lxc/tools/lxc_unshare.c b/src/lxc/tools/lxc_unshare.c -index c294a608..25af9711 100644 ---- a/src/lxc/tools/lxc_unshare.c -+++ b/src/lxc/tools/lxc_unshare.c -@@ -228,6 +228,9 @@ int main(int argc, char *argv[]) - * dest: del + 1 == OUNT|PID - * src: del + 3 == NT|PID - */ -+ if (!namespaces) -+ usage(argv[0]); -+ - while ((del = strstr(namespaces, "MOUNT"))) - memmove(del + 1, del + 3, strlen(del) - 2); - diff -Nru lxc-2.1.0/debian/patches/0012-lxc-user-nic-remove-double-initialization.patch lxc-2.1.1/debian/patches/0012-lxc-user-nic-remove-double-initialization.patch --- lxc-2.1.0/debian/patches/0012-lxc-user-nic-remove-double-initialization.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0012-lxc-user-nic-remove-double-initialization.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,23 +0,0 @@ -From d0561f69268848cc0c8818502812f0e9ab052dba Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 10 Sep 2017 08:23:36 +0200 -Subject: lxc-user-nic: remove double initialization - -Signed-off-by: Christian Brauner ---- - src/lxc/lxc_user_nic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c -index 0f79451d..6f550f0d 100644 ---- a/src/lxc/lxc_user_nic.c -+++ b/src/lxc/lxc_user_nic.c -@@ -638,7 +638,7 @@ static int count_entries(char *buf, off_t len, char *name, char *net_type, char - { - int count = 0; - bool owner = false;; -- char *buf_end = &buf[len]; -+ char *buf_end; - - buf_end = &buf[len]; - while ((buf = find_line(buf, buf_end, name, net_type, net_link, NULL, diff -Nru lxc-2.1.0/debian/patches/0013-execute-enable-console-standard-dev-symlinks.patch lxc-2.1.1/debian/patches/0013-execute-enable-console-standard-dev-symlinks.patch --- lxc-2.1.0/debian/patches/0013-execute-enable-console-standard-dev-symlinks.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0013-execute-enable-console-standard-dev-symlinks.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,73 +0,0 @@ -From 3db3301793a9d10ded11d2efa239e165e02e7a14 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sun, 10 Sep 2017 13:49:18 +0200 -Subject: execute: enable console & standard /dev symlinks - -Signed-off-by: Christian Brauner ---- - src/lxc/conf.c | 13 ++++++++----- - src/lxc/console.c | 10 ---------- - 2 files changed, 8 insertions(+), 15 deletions(-) - -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 7a118816..52d66d53 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -782,7 +782,7 @@ static const struct dev_symlinks dev_symlinks[] = { - {"/proc/self/fd/2", "stderr"}, - }; - --static int setup_dev_symlinks(const struct lxc_rootfs *rootfs) -+static int lxc_setup_dev_symlinks(const struct lxc_rootfs *rootfs) - { - char path[MAXPATHLEN]; - int ret,i; -@@ -3220,13 +3220,16 @@ int lxc_setup(struct lxc_handler *handler) - } - } - -- if (!lxc_conf->is_execute && lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, lxc_conf->ttydir)) { -- ERROR("failed to setup the console for '%s'", name); -+ ret = lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, -+ lxc_conf->ttydir); -+ if (ret < 0) { -+ ERROR("Failed to setup console"); - return -1; - } - -- if (!lxc_conf->is_execute && setup_dev_symlinks(&lxc_conf->rootfs)) { -- ERROR("failed to setup /dev symlinks for '%s'", name); -+ ret = lxc_setup_dev_symlinks(&lxc_conf->rootfs); -+ if (ret < 0) { -+ ERROR("Failed to setup /dev symlinks"); - return -1; - } - -diff --git a/src/lxc/console.c b/src/lxc/console.c -index 97ae7a16..016b8b5b 100644 ---- a/src/lxc/console.c -+++ b/src/lxc/console.c -@@ -228,11 +228,6 @@ extern int lxc_console_mainloop_add(struct lxc_epoll_descr *descr, - { - struct lxc_console *console = &conf->console; - -- if (conf->is_execute) { -- INFO("no console for lxc-execute."); -- return 0; -- } -- - if (!conf->rootfs.path) { - INFO("no rootfs, no console."); - return 0; -@@ -528,11 +523,6 @@ int lxc_console_create(struct lxc_conf *conf) - struct lxc_console *console = 
&conf->console; - int ret; - -- if (conf->is_execute) { -- INFO("not allocating a console device for lxc-execute."); -- return 0; -- } -- - if (!conf->rootfs.path) { - INFO("container does not have a rootfs, console device will be shared with the host"); - return 0; diff -Nru lxc-2.1.0/debian/patches/0014-start-switch-ids-at-last-possible-instance.patch lxc-2.1.1/debian/patches/0014-start-switch-ids-at-last-possible-instance.patch --- lxc-2.1.0/debian/patches/0014-start-switch-ids-at-last-possible-instance.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0014-start-switch-ids-at-last-possible-instance.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,87 +0,0 @@ -From 0b2547e2a112efa968abbe75d3cbcc23f9b54b15 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Mon, 11 Sep 2017 03:16:06 +0200 -Subject: start: switch ids at last possible instance - -This is technically not necessary but it is a privilege sensitive operation. -Meaning if anyone wants to do something that requires privilege it should be -done before the id switch. So let's move the id switch immediately before the -exec so that it's called at the last possible moment. - -Signed-off-by: Christian Brauner ---- - src/lxc/start.c | 54 +++++++++++++++++++++++++++--------------------------- - 1 file changed, 27 insertions(+), 27 deletions(-) - -diff --git a/src/lxc/start.c b/src/lxc/start.c -index 1370d681..255638e6 100644 ---- a/src/lxc/start.c -+++ b/src/lxc/start.c -@@ -962,33 +962,6 @@ static int do_start(void *data) - goto out_warn_father; - } - -- /* The container has been setup. We can now switch to an unprivileged -- * uid/gid. -- */ -- if (handler->conf->is_execute) { -- bool have_cap_setgid; -- uid_t new_uid = handler->conf->init_uid; -- gid_t new_gid = handler->conf->init_gid; -- -- /* If we are in a new user namespace we already dropped all -- * groups when we switched to root in the new user namespace -- * further above. Only drop groups if we can, so ensure that we -- * have necessary privilege. -- */ -- #if HAVE_LIBCAP -- have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE); -- #else -- have_cap_setgid = false; -- #endif -- if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) { -- if (lxc_setgroups(0, NULL) < 0) -- goto out_warn_father; -- } -- -- if (lxc_switch_uid_gid(new_uid, new_gid) < 0) -- goto out_warn_father; -- } -- - /* The clearenv() and putenv() calls have been moved here to allow us to - * use environment variables passed to the various hooks, such as the - * start hook above. 
Not all of the variables like CONFIG_PATH or ROOTFS -@@ -1044,6 +1017,33 @@ static int do_start(void *data) - if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP_LIMITS)) - goto out_warn_father; - -+ /* The container has been setup. We can now switch to an unprivileged -+ * uid/gid. -+ */ -+ if (handler->conf->is_execute) { -+ bool have_cap_setgid; -+ uid_t new_uid = handler->conf->init_uid; -+ gid_t new_gid = handler->conf->init_gid; -+ -+ /* If we are in a new user namespace we already dropped all -+ * groups when we switched to root in the new user namespace -+ * further above. Only drop groups if we can, so ensure that we -+ * have necessary privilege. -+ */ -+ #if HAVE_LIBCAP -+ have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE); -+ #else -+ have_cap_setgid = false; -+ #endif -+ if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) { -+ if (lxc_setgroups(0, NULL) < 0) -+ goto out_warn_father; -+ } -+ -+ if (lxc_switch_uid_gid(new_uid, new_gid) < 0) -+ goto out_warn_father; -+ } -+ - /* After this call, we are in error because this ops should not return - * as it execs. - */ diff -Nru lxc-2.1.0/debian/patches/0015-storage-avoid-segfault.patch lxc-2.1.1/debian/patches/0015-storage-avoid-segfault.patch --- lxc-2.1.0/debian/patches/0015-storage-avoid-segfault.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0015-storage-avoid-segfault.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,29 +0,0 @@ -From 38e133638720a784d929143b4eff8b4b8765884e Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Mon, 11 Sep 2017 03:30:00 +0200 -Subject: storage: avoid segfault - -When the "lxc.rootfs.path" property is not set and users request a container -copy we would segfault since strstr() would be called on a NULL pointer. - -Signed-off-by: Christian Brauner ---- - src/lxc/storage/storage.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/lxc/storage/storage.c b/src/lxc/storage/storage.c -index c8909123..708d070a 100644 ---- a/src/lxc/storage/storage.c -+++ b/src/lxc/storage/storage.c -@@ -337,6 +337,11 @@ struct lxc_storage *storage_copy(struct lxc_container *c, const char *cname, - struct rsync_data data = {0}; - char cmd_output[MAXPATHLEN] = {0}; - -+ if (!src) { -+ ERROR("No rootfs specified"); -+ return NULL; -+ } -+ - /* If the container name doesn't show up in the rootfs path, then we - * don't know how to come up with a new name. - */ diff -Nru lxc-2.1.0/debian/patches/0016-tests-Support-systemd-hybrid-cgroups.patch lxc-2.1.1/debian/patches/0016-tests-Support-systemd-hybrid-cgroups.patch --- lxc-2.1.0/debian/patches/0016-tests-Support-systemd-hybrid-cgroups.patch 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/0016-tests-Support-systemd-hybrid-cgroups.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,51 +0,0 @@ -From fa8a1e7ea9decccbe884f890142dcf64a1dac9f6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?St=C3=A9phane=20Graber?= -Date: Fri, 12 May 2017 12:28:20 -0400 -Subject: tests: Support systemd hybrid cgroups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Stéphane Graber ---- - src/tests/lxc-test-apparmor-mount | 1 + - src/tests/lxc-test-unpriv | 1 + - src/tests/lxc-test-usernic.in | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/src/tests/lxc-test-apparmor-mount b/src/tests/lxc-test-apparmor-mount -index a09fd544..ddcee8a7 100755 ---- a/src/tests/lxc-test-apparmor-mount -+++ b/src/tests/lxc-test-apparmor-mount -@@ -132,6 +132,7 @@ elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then - done - else - for d in /sys/fs/cgroup/*; do -+ [ "$d" = "/sys/fs/cgroup/unified" ] && continue - [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children - [ ! -d $d/lxctest ] && mkdir $d/lxctest - chown -R $TUSER: $d/lxctest -diff --git a/src/tests/lxc-test-unpriv b/src/tests/lxc-test-unpriv -index 5fe09279..5f2a18f6 100755 ---- a/src/tests/lxc-test-unpriv -+++ b/src/tests/lxc-test-unpriv -@@ -148,6 +148,7 @@ elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then - done - else - for d in /sys/fs/cgroup/*; do -+ [ "$d" = "/sys/fs/cgroup/unified" ] && continue - [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children - [ ! -d $d/lxctest ] && mkdir $d/lxctest - chown -R $TUSER: $d/lxctest -diff --git a/src/tests/lxc-test-usernic.in b/src/tests/lxc-test-usernic.in -index f7d19a36..3e35008c 100755 ---- a/src/tests/lxc-test-usernic.in -+++ b/src/tests/lxc-test-usernic.in -@@ -105,6 +105,7 @@ elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then - done - else - for d in /sys/fs/cgroup/*; do -+ [ "$d" = "/sys/fs/cgroup/unified" ] && continue - [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children - [ ! 
-d $d/lxctest ] && mkdir $d/lxctest - chown -R usernic-user: $d/lxctest diff -Nru lxc-2.1.0/debian/patches/series lxc-2.1.1/debian/patches/series --- lxc-2.1.0/debian/patches/series 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/patches/series 2017-10-31 22:59:51.000000000 +0000 @@ -1,16 +1 @@ 0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch -0002-Fix-typo.patch -0003-network-add-missing-checks-for-empty-links.patch -0004-cleanup-remove-unnecessary-zeroing.patch -0005-console-clean-tty-state-return-0-on-peer-exit.patch -0006-tools-fix-lxc-upate-config.patch -0007-criu-use-correct-check-initialization-check.patch -0008-storage-overlay-do-not-write-to-invalid-memory.patch -0009-utils-do-not-write-to-0-sized-buffer.patch -0010-overlay-fix-use-after-free.patch -0011-lxc-unshare-do-not-pass-NULL-pointer.patch -0012-lxc-user-nic-remove-double-initialization.patch -0013-execute-enable-console-standard-dev-symlinks.patch -0014-start-switch-ids-at-last-possible-instance.patch -0015-storage-avoid-segfault.patch -0016-tests-Support-systemd-hybrid-cgroups.patch diff -Nru lxc-2.1.0/debian/rules lxc-2.1.1/debian/rules --- lxc-2.1.0/debian/rules 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/rules 2017-10-31 22:59:59.000000000 +0000 @@ -54,9 +54,6 @@ dh_apparmor -p lxc-common --profile-name=usr.bin.lxc-start; \ fi - # Temporary help2man - help2man -n "LXC config converter" debian/tmp/usr/bin/lxc-update-config --no-info --version-string=2.1.0 --no-discard-stderr > debian/tmp/usr/share/man/man1/lxc-update-config.1 - # cleanup .la files find debian/tmp/ -type f -name \*.la -delete diff -Nru lxc-2.1.0/debian/source.lintian-overrides lxc-2.1.1/debian/source.lintian-overrides --- lxc-2.1.0/debian/source.lintian-overrides 2017-09-18 22:32:38.000000000 +0000 +++ lxc-2.1.1/debian/source.lintian-overrides 2017-10-31 22:59:59.000000000 +0000 
@@ -3,3 +3,6 @@ # Intentional lxc source: intra-source-package-circular-dependency liblxc1 lxc-common + +# Required for backports +lxc source: ored-build-depends-on-obsolete-package build-depends: dh-systemd => use debhelper (>= 9.20160709) diff -Nru lxc-2.1.0/doc/ja/lxc.container.conf.sgml.in lxc-2.1.1/doc/ja/lxc.container.conf.sgml.in --- lxc-2.1.0/doc/ja/lxc.container.conf.sgml.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/doc/ja/lxc.container.conf.sgml.in 2017-10-19 17:08:34.000000000 +0000 @@ -1561,6 +1561,31 @@ + + + + + + + + コンテナの cgroup を作成するパスやディレクトリを指定します。 + 例えば、"c1" という名前のコンテナで のように設定すると、"my-cgroup" のサブ cgroup のようにコンテナの cgroup を作成します。 + 例えば、ユーザのカレントの cgroup である "my-user" が cgroup v1 階層にある cpuset コントローラの root cgroup 内に存在する場合、この設定は "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" という cgroup をこのコンテナ向けに作成します。 + 存在しない cgroup は LXC が作成しますが、ユーザがカレントの cgroup に書き込み権を持っていることが前提となります。 + + + diff -Nru lxc-2.1.0/doc/ja/lxc-monitor.sgml.in lxc-2.1.1/doc/ja/lxc-monitor.sgml.in --- lxc-2.1.0/doc/ja/lxc-monitor.sgml.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/doc/ja/lxc-monitor.sgml.in 2017-10-19 17:08:34.000000000 +0000 
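Review bot: The added override comment `# Required for backports` says only where the override is needed, not why lintian would otherwise fire; the tag name `ored-build-depends-on-obsolete-package` implies dh-systemd is kept as an `|` alternative in a build-dependency, presumably so the package still builds on suites whose debhelper predates 9.20160709. A one-line reason keeps the override from being carried forward silently after the backport need disappears, e.g. `# Required for backports: dh-systemd stays as an alternative to debhelper (>= 9.20160709) for targets without that debhelper; drop once no supported backport target needs it`. The debian/control change that introduces the alternative is not in this chunk, so that reading is inferred from the override text alone.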
@@ -148,7 +148,7 @@ - lxc-monitor -n '[f|b].*' + lxc-monitor -n '[fb].*' クイックスタート - - - 急いでいて、この man ページすら読みたくないという場合は、いいでしょう、 - 保証はないですが、あらかじめ準備されている設定テンプレートを使ったコンテナ内でシェルを動かすためのコマンドを紹介しましょう。 - @BINDIR@/lxc-execute -n foo -f - @DOCDIR@/examples/lxc-macvlan.conf /bin/bash - - - - <!-- Overview -->概要 - コンテナ技術は、メインストリームの linux kernel で活発に開発が進んでいる技術です。 - コンテナ技術は、process container という名前でも知られる control groups の機能を使って、リソース管理を提供し、名前空間を使って、リソースの隔離を提供します。 + コンテナ技術は、メインストリームの Linux Kernel で活発に開発が進んでいる技術です。コンテナ技術は、cgroup によりリソースを管理する機能を提供し、名前空間によりリソースを隔離する機能を提供します。 - linux コンテナ (lxc) は、ユーザースペースのコンテナオブジェクトを提供するための新しい機能を使う事を目指しています。 - この新しい機能とは、アプリケーションやシステムでの利用を目的とした、完全なリソースの隔離やリソースコントロールを提供する機能です。 + lxc は、アプリケーションまたはシステムのために完全なリソースの隔離やコントロールを提供する、ユーザースペースのコンテナオブジェクトを提供するためのこれらの新しい機能を使う事を目指しています。 - このプロジェクトの第一の目的は、コンテナプロジェクトに参加するカーネル開発者の作業を快適にすることと、特に新機能である Checkpoint/Restart 機能への取り組みを続ける事です。 - lxc コマンドは、シンプルなコマンドでコンテナの管理を簡単に行えるように小さく、他の目的のために使うのに充分な機能を持っています。 + lxc は、シンプルなコマンドラインでコンテナを簡単に管理できるほど軽量で、他の用途に使うのにも十分に機能がそろっています。 - <!-- Requirements -->必要条件 + <!-- Requirements -->動作条件 - lxc は、カーネルが提供するいくつかの機能に依存しており、その機能がアクティブになっている必要があります。 - 機能が足りない場合は、lxc は、いくつかの機能が制限されるか、単純に動作が失敗します。 + カーネルのバージョンが 3.10 以上のディストリビューションであれば、lxc が動作するでしょう。このバージョンは機能は少ないですが、それでも十分楽しめるでしょう。 - 以下のリストは、コンテナの全機能を有効にするために、カーネルで有効にする必要のある機能の一覧です。 + lxc はカーネルが提供する様々な機能に依存します。lxc-checkconfig がカーネルの設定や、必要な機能、足りない機能についての情報を提供してくれるでしょう。 - - * General setup - * Control Group support - -> Namespace cgroup subsystem - -> Freezer cgroup subsystem - -> Cpuset support - -> Simple CPU accounting cgroup subsystem - -> Resource counters - -> Memory resource controllers for Control Groups - * Group CPU scheduler - -> Basis for grouping tasks (Control Groups) - * Namespaces support - -> UTS namespace - -> IPC namespace - -> User namespace - -> Pid namespace - -> Network namespace - * Device Drivers - * Character devices - -> Support multiple instances of devpts - * Network device support - -> MAC-VLAN support - -> Virtual 
ethernet pair device - * Networking - * Networking options - -> 802.1d Ethernet Bridging - * Security options - -> File POSIX Capabilities - - - - - 3.10 以上のバージョンが採用されているディストリビューションならば、lxc は動作するでしょう。 - 機能的には若干少ない形ですが、充分に楽しめるはずです。 - ヘルパースクリプトの lxc-checkconfig を使って、あなたのカーネルの設定に関する情報を取得できるでしょう。 - - - - - control group は、どこにでもマウント可能です。 - 例えば、mount -t cgroup cgroup /cgroup のようにです。 - - しかし、cgroup の階層構造を /sys/fs/cgroup 以下にマウントするために cgmanager や cgroup-lite や systemd の使用が推奨されています。 - - <!-- Functional specification -->機能仕様 - コンテナは、コンテナ内で実行されているシステムやアプリケーションに対するホストのリソースのいくつかが、隔離されているオブジェクトです。 + コンテナは、ホストのリソースのいくつかを隔離して、内部でアプリケーションやシステムを実行します。 - アプリケーション/システムは、あらかじめ作成された設定もしくは開始コマンドのパラメータで指定された設定で、コンテナ内で実行されます。 + アプリケーションやシステムは、あらかじめ作成した設定や、コマンドへのパラメータで与えた設定で、コンテナ内で実行されます。 - どうやってコンテナ内でアプリケーションを実行するのでしょう? + How to run an application in a container + --> + コンテナ内でアプリケーションを実行する方法 - アプリケーションを実行する前に、隔離したいリソースについて知っておくべきです。 - デフォルトの設定では、pid、sysv ipc、マウントポイントが隔離されます。 - コンテナ内でシンプルなシェルを実行したい場合で、特に rootfs を共有したい場合、基本的な設定が必要です。 - もし、sshd のようなアプリケーションを実行したい場合、新しいネットワークスタックと、新しいホスト名を準備しなくてはなりません。 - もし、同じファイル (/var/run/httpd.pid 等) の衝突を避けたい場合、空の /var/run/ を再度マウントしなければなりません。 - どんな場合でも、衝突を避けたい場合、コンテナ専用の rootfs を指定することができます。 - rootfs はディレクトリツリーとなる事も可能で、前もって元の rootfs を bind マウントし、しかし、自身の /etc/homeを使って。自身のディストリビューションを使うことが可能です。 + アプリケーションを実行する前に、隔離したいリソースについて知っておくべきです。デフォルトの設定では、PID、sysv IPC、マウントポイントが隔離されます。コンテナ内でシンプルなシェルを実行したい場合で、特に rootfs を共有したい場合、基本的な設定が必要です。 + もし、sshd のようなアプリケーションを実行したい場合、新しいネットワークスタックと、新しいホスト名を準備しなくてはなりません。もし、同じファイル (/var/run/httpd.pid 等) の衝突を避けたい場合、空の /var/run/ を再度マウントしなければなりません。 + どんな場合でも衝突を避けたい場合、コンテナ専用の rootfs を指定することができます。rootfs はディレクトリツリーとする事も可能で、前もって元の rootfs を bind マウントし、/etc/homeだけは自身のディレクトリを使って、自身のディストリビューションを使えます。 - ここで、sshd のためのディレクトリツリーのサンプルを示しましょう。 - + ここで、sshd のためのディレクトリツリーのサンプルを示しましょう。 + [root@lxc sshd]$ tree -d rootfs - -rootfs -|-- bin -|-- dev + +rootfs +|-- bin +|-- dev | |-- pts | `-- shm | `-- network -|-- etc +|-- etc | `-- ssh -|-- lib +|-- lib |-- 
proc |-- root |-- sbin -|-- sys -|-- usr -`-- var +|-- sys +|-- usr +`-- var |-- empty | `-- sshd |-- lib 
@@ -316,87 +223,63 @@ そして、それに対応するマウントポイントのファイルは以下のようになります。 - [root@lxc sshd]$ cat fstab + [root@lxc sshd]$ cat fstab - /lib /home/root/sshd/rootfs/lib none ro,bind 0 0 - /bin /home/root/sshd/rootfs/bin none ro,bind 0 0 - /usr /home/root/sshd/rootfs/usr none ro,bind 0 0 - /sbin /home/root/sshd/rootfs/sbin none ro,bind 0 0 + /lib /home/root/sshd/rootfs/lib none ro,bind 0 0 + /bin /home/root/sshd/rootfs/bin none ro,bind 0 0 + /usr /home/root/sshd/rootfs/usr none ro,bind 0 0 + /sbin /home/root/sshd/rootfs/sbin none ro,bind 0 0 - コンテナ内でシステムを実行する方法は? + コンテナ内でシステムを実行する方法 + コンテナ内でシステムを実行するのは、逆説的ではありますが、アプリケーションを実行するよりも簡単です。 + それは、隔離するリソースについて考える必要がないからで、全てを隔離する必要があるからです。 + 他のリソースは、コンテナが設定を行うので、設定なしで隔離されるように指定されます。 + 例えば、IPv4 アドレスはコンテナの init スクリプトでシステムによってセットアップされるでしょう。 + 以下に、(システムを実行するときの) マウントポイントファイルを示します。 + - [root@lxc debian]$ cat fstab - - /dev /home/root/debian/rootfs/dev none bind 0 0 - /dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0 - - - More information can be added to the container to facilitate the - configuration. For example, make accessible from the container - the resolv.conf file belonging to the host. 
- - - /etc/resolv.conf /home/root/debian/rootfs/etc/resolv.conf none bind 0 0 - - --> - コンテナ内でシステムを実行するのは、逆説的ではありますが、アプリケーションを実行するよりも簡単です。 - それは、隔離するリソースについて考える必要がないからで、全てを隔離する必要があるからです。 - 他のリソースは、コンテナが設定を行うので、設定なしで隔離されるように指定されます。 - 例えば、IPv4 アドレスはコンテナの init スクリプトでシステムによってセットアップされるでしょう。 - 以下に、(システムを実行するときの) マウントポイントファイルを示します。 - - - [root@lxc debian]$ cat fstab - - /dev /home/root/debian/rootfs/dev none bind 0 0 - /dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0 - + [root@lxc debian]$ cat fstab - 設定を手助けするために、コンテナに更なる情報を追加することも可能です。 - 例えば、ホスト上に存在する resolv.conf ファイルをコンテナからアクセス可能にするには、以下のようにします。 - - - /etc/resolv.conf /home/root/debian/rootfs/etc/resolv.conf none bind 0 0 + /dev /home/root/debian/rootfs/dev none bind 0 0 + /dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0 - <!-- Container life cycle -->コンテナのライフサイクル - - コンテナが作成されるとき、コンテナは設定情報を含みます。 - プロセスが生成されるとき、コンテナは開始し、実行されるでしょう。 - コンテナ内で実行されている最後のプロセスが終了したとき、コンテナは停止します。 - - - - コンテナの初期化時の失敗の場合は、(以下の図の) 中断の状態を通ります。 + + コンテナが作成されるとき、コンテナは設定情報を含みます。プロセスが生成されるとき、コンテナは開始し、実行されるでしょう。コンテナ内で実行されている最後のプロセスが終了したとき、コンテナは停止します。 + + + + コンテナの初期化時の失敗の場合は、(以下の図の) 中断の状態を通ります。 
@@ -432,158 +315,133 @@ <!-- Configuration -->設定 - - コンテナは設定ファイル経由で設定します。設定の書式は以下で説明しています。 + コンテナは設定ファイル経由で設定します。設定の書式は - lxc.conf - 5 + lxc.conf + 5 + で説明しています。 - <!--Creating / Destroying container - (persistent container) -->コンテナの生成と終了 (持続性のコンテナ) + <!-- Creating / Destroying containers -->コンテナの作成と削除 - - 持続性のコンテナオブジェクトは lxc-create コマンドで作成することができます。 - コマンドにはコンテナ名をパラメータとして、オプションで設定ファイルとテンプレートを指定します。 - ここで指定する名前は、他のコマンドからこのコンテナを参照する際に使います。 - lxc-destroy コマンドはコンテナオブジェクトを破壊します。 - - lxc-create -n foo - lxc-destroy -n foo - + + 持続性のコンテナオブジェクトは lxc-create コマンドで作成できます。コマンドにはコンテナ名をパラメータとして与え、オプションで設定ファイルとテンプレートを指定します。ここで指定する名前は、他のコマンドからこのコンテナを参照する際に使います。 + lxc-destroy コマンドはコンテナオブジェクトを削除します。 + + lxc-create -n foo + lxc-destroy -n foo + - <!-- Volatile container -->揮発性のコンテナ - + <!-- Volatile container -->一時的な (揮発性の) コンテナ + - コンテナを開始する前にコンテナオブジェクトを作成する必要はありません。 - コンテナを設定ファイルのパラメータで指定して直接開始することができます。 - + It is not mandatory to create a container object before starting it. + The container can be directly started with a configuration file as + parameter. + --> + コンテナを開始する前にコンテナオブジェクトを作成する必要はありません。パラメータとして設定ファイルを指定して、コンテナを直接起動できます。 + - <!-- Starting / Stopping container -->コンテナの開始と終了 + <!-- Starting / Stopping container -->コンテナの起動と停止 - コンテナが作成されると、アプリケーションもしくはシステムとして実行することができます。 - このために使用するのが lxc-executelxc-start コマンドです。 - アプリケーションが開始する前にコンテナが作成されなかった場合、コンテナはコマンドへ与えるパラメータを取得するのに設定ファイルを使うでしょう。 - もし、このようなパラメータもない場合は、デフォルトで指定されている通りに隔離されます。 - アプリケーションが終了した場合、コンテナも停止しますが、実行中のアプリケーションを停止するには lxc-stop を使用する必要があります。 + When the container has been created, it is ready to run an application / + system. This is the purpose of the lxc-execute and + lxc-start commands. If the container was not created + before starting the application, the container will use the + configuration file passed as parameter to the command, and if there is + no such parameter either, then it will use a default isolation. 
If the + application ended, the container will be stopped, but if needed the + lxc-stop command can be used to stop the container. + --> + コンテナが作成されると、アプリケーションもしくはシステムを実行できます。このために使用するのが lxc-executelxc-start コマンドです。 + アプリケーションを開始する前にコンテナを作成しなかった場合、コンテナはコマンドにパラメータとして渡した設定ファイルを使用します。もし、このようなパラメータもない場合は、デフォルトで指定されている通りに隔離されます。 + アプリケーションが終了した場合、コンテナも停止します。lxc-stop コマンドを使って、実行中のアプリケーションを停止することもできます。 - コンテナ内のアプリケーションの実行は、正確にはシステムとして実行するのとは異なります。 - そのような理由で、コンテナ内でアプリケーションを実行するためのコマンドには、2 種類の違ったものがあります。 + コンテナ内でアプリケーションを実行することは、正確にはシステムとして実行するのとは異なります。このため、コンテナ内でアプリケーションを実行するためのコマンドには、2 種類の違ったものがあります。 - lxc-execute -n foo [-f config] /bin/bash - lxc-start -n foo [-f config] [/bin/bash] - + lxc-execute -n foo [-f config] /bin/bash + lxc-start -n foo [-f config] [/bin/bash] + - lxc-execute コマンドは、lxc-init プロセス経由で、コンテナ内で特定のコマンドを実行します。 + lxc-execute コマンドは、間に lxc-init プロセスを介して、コンテナ内で指定したコマンドを実行します。 lxc-init はコマンドを実行した後、(コンテナ内でのデーモンの実行をサポートするために) 実行したコマンドと生成された全てのプロセスが終了するのを待ちます。 - 言いかえると、コンテナ内では lxc-init は pid 1 を持ち、アプリケーションの最初のプロセスは pid 2 をもちます。 + 言いかえると、コンテナ内では lxc-init は PID 1 を持ち、アプリケーションの最初のプロセスは PID 2 をもちます。 - lxc-start コマンドは、コンテナ内の特定のコマンドを直接実行します。 - 最初のプロセスの pid が 1 となります。 - もし、実行するコマンドが指定されない場合は、lxc-start は lxc.init.cmd で設定されたコマンドを実行します。もし lxc.init.cmd が設定されていない場合は /sbin/init を実行します。 + lxc-start コマンドは、コンテナ内の特定のコマンドを直接実行します。最初のプロセスの PID が 1 となります。 + もし、実行するコマンドが指定されていない場合は、lxc-start は lxc.init.cmd で設定されたコマンドを実行します。もし lxc.init.cmd が設定されていない場合は /sbin/init を実行します。 まとめると、lxc-execute はアプリケーションを実行するためのコマンドであり、lxc-start はシステムを実行するのにより適したコマンドです。 - もしアプリケーションの反応がなくなった場合や、アクセスできなくなった場合、自分で終了することができない場合は、荒っぽいですが、lxc-stop コマンドがコンテナ内の全てのプロセスを容赦なく停止させてくれるでしょう。 + もしアプリケーションの反応がなくなった場合や、アクセスできなくなった場合、自分で終了できない場合は、荒っぽいですが、lxc-stop コマンドがコンテナ内の全てのプロセスを容赦なく停止させてくれるでしょう。 + + lxc-stop -n foo -k + + 
@@ -591,21 +449,17 @@ <!-- Connect to an available tty -->利用可能な tty への接続 コンテナが tty を持つように設定されているならば、tty を通してコンテナにアクセスすることができます。 - それは以下のコマンドが使う tty がコンテナで利用可能に設定されているか次第です。 + アクセスできるかどうかは、以下のコマンドが使う tty がコンテナで利用できるように設定されているか次第です。 tty が失われたとき、再度のログインなしでその tty に再接続することが可能です。 - - lxc-console -n foo -t 3 - + + lxc-console -n foo -t 3 + @@ -613,40 +467,40 @@ <!-- Freeze / Unfreeze container -->コンテナの凍結と解凍 ジョブスケジューリングなどで、コンテナに属する全てのプロセスを停止する事が役に立つときがあります。 コマンド - - lxc-freeze -n foo - + + lxc-freeze -n foo + は、全てのプロセスを中断不可能な状態に置きます。そして、 - - lxc-unfreeze -n foo - + + lxc-unfreeze -n foo + その全てのプロセスを再開します。 - この機能は、カーネルで cgroup freezer 機能が有効になっている場合に使用可能です。 + この機能は、カーネルで cgroup v1 の freezer コントローラが有効になっている場合に使用できます。 @@ -655,54 +509,41 @@ コンテナに関する情報の取得 - 多数のコンテナが存在する場合、それらが実行されたり破壊されたりすること、何が実行されていて、特定のコンテナ内で実行されている pid が何であるかをフォローするのは大変です。 - このような時には、以下のようなコマンドが役に立つかもしれません。 - - lxc-ls - lxc-info -n foo - + 多数のコンテナが存在する場合、それらが実行されたり削除されたりすること、何が実行されていて、特定のコンテナ内で実行されている PID が何であるかをフォローするのは大変です。このような時には、以下のようなコマンドが役に立つかもしれません。 + + lxc-ls -f + lxc-info -n foo + - lxc-ls は、システムのコンテナを一覧します。 + lxc-ls はコンテナをリスト表示します。 - lxc-info は、指定したコンテナに関する情報を取得します。 + lxc-info は、指定したコンテナに関する情報を表示します。 ここで、以上のコマンドを組み合わせて、どのようにしたら全てのコンテナのリストと、それぞれの状態が得られるかの例を示します。 - - for i in $(lxc-ls -1); do - lxc-info -n $i - done - + + for i in $(lxc-ls -1); do + lxc-info -n $i + done + 
@@ -711,177 +552,127 @@ <!-- Monitoring container -->コンテナのモニタリング - 時々、コンテナの状態を追跡することが出来ると便利な事があります。 - 例えば、状態をモニタリングしたり、スクリプト内で特定の状態を待ったりするような場合です。 + It is sometime useful to track the states of a container, for example to + monitor it or just to wait for a specific state in a script. + --> + 時々、コンテナの状態を追跡することが出来ると便利な事があります。例えば、状態をモニタリングしたり、スクリプト内で特定の状態を待ったりするような場合です。 - lxc-monitor コマンドは、一つもしくはいくつかのコンテナをモニタリングします。 - このコマンドのパラメータは、正規表現を受け付けます。例えば - - lxc-monitor -n "foo|bar" - + lxc-monitor command will monitor one or several + containers. The parameter of this command accepts a regular expression + for example: + --> + lxc-monitor コマンドは、一つもしくは複数のコンテナをモニタリングします。このコマンドのパラメータは、正規表現を受け付けます。例えば + + lxc-monitor -n "foo|bar" + + は 'foo' と 'bar' という名前のコンテナの状態をモニタリングします。そして、 - - lxc-monitor -n ".*" - + + lxc-monitor -n ".*" + + は全てのコンテナの状態をモニタリングします。 コンテナ 'foo' が開始され、いくつか処理を行い、終了した場合、出力は以下のようになります。 - - 'foo' changed state to [STARTING] - 'foo' changed state to [RUNNING] - 'foo' changed state to [STOPPING] - 'foo' changed state to [STOPPED] - + + 'foo' changed state to [STARTING] + 'foo' changed state to [RUNNING] + 'foo' changed state to [STOPPING] + 'foo' changed state to [STOPPED] + - lxc-wait コマンドは指定した状態を待って、終了します。 - これは、コンテナの開始や終了に同期したいスクリプトで役に立ちます。 - パラメータは、異なった状態の論理和 (OR) を指定します。 + lxc-wait コマンドは指定した状態を待って終了します。これは、コンテナの開始や終了に同期したいスクリプトで役に立ちます。パラメータは、異なった状態の論理和 (OR) を指定します。 以下の例は、バックグラウンドで実行されたコンテナをどのようにして待つかを示します。 - + - + - <!-- Setting the control group for container --> - コンテナの control group の設定 - + <!-- cgroup settings for containers -->コンテナの cgroup の設定 - コンテナは control group と結合しています。 - コンテナが開始すると control group が生成され、それと結びつけられます。 - control group のプロパティは、lxc-cgroup コマンドを使って、コンテナが実行中に読み取ったり、変更したりすることができます。 + コンテナは control group と結合しています。コンテナを開始すると cgroup が生成され、結びつけられます。 + cgroup のプロパティは、lxc-cgroup コマンドを使って、コンテナが実行中に読み取ったり変更したりできます。 - lxc-cgroup コマンドは、コンテナと結びつけられている control group サブシステムを設定したり、取得したりするのに使います。 - サブシステム名の指定はユーザが行ない、このコマンドはサブシステム名の文法チェックは一切行ないません。 - 
もし、指定したサブシステム名が存在しない場合は、コマンドの実行は失敗します。 + lxc-cgroup コマンドは、コンテナと結びつけられている control group サブシステムを設定したり、取得したりするのに使います。サブシステム名の指定はユーザが行ない、このコマンドはサブシステム名の文法チェックは一切行ないません。もし、指定したサブシステム名が存在しない場合は、コマンドの実行は失敗します。 + + lxc-cgroup -n foo cpuset.cpus + - - lxc-cgroup -n foo cpuset.cpus - は、このサブシステムの内容を表示します。 - - lxc-cgroup -n foo cpu.shares 512 - + + lxc-cgroup -n foo cpu.shares 512 + + は、このサブシステムに指定した値を設定します。 - - <!-- Bugs -->バグ - - - lxc はまだ開発中です。 - 従って、コマンドの文法や API は変更される可能性があります。 - バージョン 1.0.0 がそれらを凍結するバージョンとなるでしょう。 - - - &seealso; <!-- Author -->作者 Daniel Lezcano daniel.lezcano@free.fr + Christian Brauner christian.brauner@ubuntu.com + Serge Hallyn serge@hallyn.com + Stéphane Graber stgraber@ubuntu.com diff -Nru lxc-2.1.0/doc/ja/lxc-update-config.sgml.in lxc-2.1.1/doc/ja/lxc-update-config.sgml.in --- lxc-2.1.0/doc/ja/lxc-update-config.sgml.in 1970-01-01 00:00:00.000000000 +0000 +++ lxc-2.1.1/doc/ja/lxc-update-config.sgml.in 2017-10-19 17:08:34.000000000 +0000 @@ -0,0 +1,151 @@ + + + + +]> + + + @LXC_GENERATE_DATE@ + + lxc-update-config + 1 + + + + lxc-update-config + + + + LXC 2.1 より前の古い形式の設定ファイルを新しい形式に更新する + + + + + + lxc-update-config + -c config + + + + + <!-- Description -->説明 + + + + lxc-update-config は、config で指定したファイルの古い形式の設定項目を検出し、適切な新しい設定項目に置き換えます。 + + + + lxc-update-config はまず、古い config ファイルのバックアップを config.backup という名前で同じディレクトリに作成します。そして、元の config ファイルを更新します。 + 更新が失敗した場合や、コンテナの起動ができない無効な config ファイルである場合は、ユーザが configconfig.backup を比較して、手動で無効な設定項目を修正するか、config.backupconfig にコピーして以前の設定ファイルに戻せます。 + + + + lxc-update-config が使えない config ファイルを生成した場合はバグですので、開発元に報告してください。 + + + + + <!-- Options -->オプション + + + + + + + + + 更新したい設定ファイルのパス + + + + + + + + + + + + + + + + + &seealso; + + + <!-- Author -->作者 + Christian Brauner christian.brauner@ubuntu.com + + + + diff -Nru lxc-2.1.0/doc/ja/Makefile.am lxc-2.1.1/doc/ja/Makefile.am --- lxc-2.1.0/doc/ja/Makefile.am 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/doc/ja/Makefile.am 2017-10-19 17:08:34.000000000 +0000 
@@ -30,6 +30,7 @@
 lxc-top.1 \
 lxc-unfreeze.1 \
 lxc-unshare.1 \
+ lxc-update-config.1 \
 lxc-user-nic.1 \
 lxc-usernsexec.1 \
 lxc-wait.1 \
diff -Nru lxc-2.1.0/doc/ja/Makefile.in lxc-2.1.1/doc/ja/Makefile.in
--- lxc-2.1.0/doc/ja/Makefile.in 2017-09-06 02:32:42.000000000 +0000
+++ lxc-2.1.1/doc/ja/Makefile.in 2017-10-19 17:08:38.000000000 +0000
@@ -110,10 +110,10 @@
 lxc-execute.sgml lxc-freeze.sgml lxc-info.sgml lxc-ls.sgml \
 lxc-monitor.sgml lxc-snapshot.sgml lxc-start-ephemeral.sgml \
 lxc-start.sgml lxc-stop.sgml lxc-top.sgml lxc-unfreeze.sgml \
- lxc-unshare.sgml lxc-user-nic.sgml lxc-usernsexec.sgml \
- lxc-wait.sgml lxc.conf.sgml lxc.container.conf.sgml \
- lxc.system.conf.sgml lxc-usernet.sgml lxc.sgml \
- common_options.sgml see_also.sgml
+ lxc-unshare.sgml lxc-update-config.sgml lxc-user-nic.sgml \
+ lxc-usernsexec.sgml lxc-wait.sgml lxc.conf.sgml \
+ lxc.container.conf.sgml lxc.system.conf.sgml lxc-usernet.sgml \
+ lxc.sgml common_options.sgml see_also.sgml
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -217,9 +217,11 @@
 $(srcdir)/lxc-start-ephemeral.sgml.in \
 $(srcdir)/lxc-start.sgml.in $(srcdir)/lxc-stop.sgml.in \
 $(srcdir)/lxc-top.sgml.in $(srcdir)/lxc-unfreeze.sgml.in \
- $(srcdir)/lxc-unshare.sgml.in $(srcdir)/lxc-user-nic.sgml.in \
- $(srcdir)/lxc-usernet.sgml.in $(srcdir)/lxc-usernsexec.sgml.in \
- $(srcdir)/lxc-wait.sgml.in $(srcdir)/lxc.conf.sgml.in \
+ $(srcdir)/lxc-unshare.sgml.in \
+ $(srcdir)/lxc-update-config.sgml.in \
+ $(srcdir)/lxc-user-nic.sgml.in $(srcdir)/lxc-usernet.sgml.in \
+ $(srcdir)/lxc-usernsexec.sgml.in $(srcdir)/lxc-wait.sgml.in \
+ $(srcdir)/lxc.conf.sgml.in \
 $(srcdir)/lxc.container.conf.sgml.in $(srcdir)/lxc.sgml.in \
 $(srcdir)/lxc.system.conf.sgml.in $(srcdir)/see_also.sgml.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -453,8 +455,9 @@
 @ENABLE_DOCBOOK_TRUE@ lxc-freeze.1 lxc-info.1 lxc-ls.1 \
 @ENABLE_DOCBOOK_TRUE@ lxc-monitor.1 lxc-snapshot.1 lxc-start.1 \
 @ENABLE_DOCBOOK_TRUE@ lxc-stop.1 lxc-top.1 lxc-unfreeze.1 \
-@ENABLE_DOCBOOK_TRUE@ lxc-unshare.1 lxc-user-nic.1 \
-@ENABLE_DOCBOOK_TRUE@ lxc-usernsexec.1 lxc-wait.1 lxc.conf.5 \
+@ENABLE_DOCBOOK_TRUE@ lxc-unshare.1 lxc-update-config.1 \
+@ENABLE_DOCBOOK_TRUE@ lxc-user-nic.1 lxc-usernsexec.1 \
+@ENABLE_DOCBOOK_TRUE@ lxc-wait.1 lxc.conf.5 \
 @ENABLE_DOCBOOK_TRUE@ lxc.container.conf.5 lxc.system.conf.5 \
 @ENABLE_DOCBOOK_TRUE@ lxc-usernet.5 lxc.7 $(am__append_1) \
 @ENABLE_DOCBOOK_TRUE@ $(am__append_2)
@@ -538,6 +541,8 @@
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 lxc-unshare.sgml: $(top_builddir)/config.status $(srcdir)/lxc-unshare.sgml.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+lxc-update-config.sgml: $(top_builddir)/config.status $(srcdir)/lxc-update-config.sgml.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 lxc-user-nic.sgml: $(top_builddir)/config.status $(srcdir)/lxc-user-nic.sgml.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 lxc-usernsexec.sgml: $(top_builddir)/config.status $(srcdir)/lxc-usernsexec.sgml.in
diff -Nru lxc-2.1.0/doc/ko/lxc-monitor.sgml.in lxc-2.1.1/doc/ko/lxc-monitor.sgml.in
--- lxc-2.1.0/doc/ko/lxc-monitor.sgml.in 2017-09-06 02:32:37.000000000 +0000
+++ lxc-2.1.1/doc/ko/lxc-monitor.sgml.in 2017-10-19 17:08:34.000000000 +0000
@@ -148,7 +148,7 @@ - lxc-monitor -n '[f|b].*' + lxc-monitor -n '[fb].*' + + + +]> + + + @LXC_GENERATE_DATE@ + + lxc-update-config + 1 + + + + lxc-update-config + + + update a legacy pre LXC 2.1 configuration file + + + + + + lxc-update-config + -c config + + + + + Description + + + lxc-update-config detects any legacy + configuration keys in the given config + file and will replace them with the appropriate new configuration + keys. + + + lxc-update-config will first create a backup of + the old config file in the same directory + and name it config.backup and then update + the original config file in place. In + case the update fails to apply or leads to an invalid + config file that cannot be used to start + a container users can either compare + config with + config.backup and try to manually repair + any the invalid configuration keys or simply rollback to the legacy + configuration file by copying + config.backup to + config. + + + Any failures for lxc-update-config to generate a + useable config file are a bug and should + be reported upstream. + + + + + Options + + + + + + + + Path to the configuration file to update. + + + + + + + + + + + + + + + + + &seealso; + + + Author + Christian Brauner christian.brauner@ubuntu.com + + + + diff -Nru lxc-2.1.0/doc/Makefile.am lxc-2.1.1/doc/Makefile.am --- lxc-2.1.0/doc/Makefile.am 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/doc/Makefile.am 2017-10-19 17:08:34.000000000 +0000 @@ -38,6 +38,7 @@ lxc-top.1 \ lxc-unfreeze.1 \ lxc-unshare.1 \ + lxc-update-config.1 \ lxc-user-nic.1 \ lxc-usernsexec.1 \ lxc-wait.1 \ diff -Nru lxc-2.1.0/doc/Makefile.in lxc-2.1.1/doc/Makefile.in --- lxc-2.1.0/doc/Makefile.in 2017-09-06 02:32:42.000000000 +0000 +++ lxc-2.1.1/doc/Makefile.in 2017-10-19 17:08:38.000000000 +0000 
@@ -112,10 +112,10 @@
 lxc-execute.sgml lxc-freeze.sgml lxc-info.sgml lxc-ls.sgml \
 lxc-monitor.sgml lxc-snapshot.sgml lxc-start-ephemeral.sgml \
 lxc-start.sgml lxc-stop.sgml lxc-top.sgml lxc-unfreeze.sgml \
- lxc-unshare.sgml lxc-user-nic.sgml lxc-usernsexec.sgml \
- lxc-wait.sgml lxc.conf.sgml lxc.container.conf.sgml \
- lxc.system.conf.sgml lxc-usernet.sgml lxc.sgml \
- common_options.sgml see_also.sgml
+ lxc-unshare.sgml lxc-update-config.sgml lxc-user-nic.sgml \
+ lxc-usernsexec.sgml lxc-wait.sgml lxc.conf.sgml \
+ lxc.container.conf.sgml lxc.system.conf.sgml lxc-usernet.sgml \
+ lxc.sgml common_options.sgml see_also.sgml
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -219,9 +219,11 @@
 $(srcdir)/lxc-start-ephemeral.sgml.in \
 $(srcdir)/lxc-start.sgml.in $(srcdir)/lxc-stop.sgml.in \
 $(srcdir)/lxc-top.sgml.in $(srcdir)/lxc-unfreeze.sgml.in \
- $(srcdir)/lxc-unshare.sgml.in $(srcdir)/lxc-user-nic.sgml.in \
- $(srcdir)/lxc-usernet.sgml.in $(srcdir)/lxc-usernsexec.sgml.in \
- $(srcdir)/lxc-wait.sgml.in $(srcdir)/lxc.conf.sgml.in \
+ $(srcdir)/lxc-unshare.sgml.in \
+ $(srcdir)/lxc-update-config.sgml.in \
+ $(srcdir)/lxc-user-nic.sgml.in $(srcdir)/lxc-usernet.sgml.in \
+ $(srcdir)/lxc-usernsexec.sgml.in $(srcdir)/lxc-wait.sgml.in \
+ $(srcdir)/lxc.conf.sgml.in \
 $(srcdir)/lxc.container.conf.sgml.in $(srcdir)/lxc.sgml.in \
 $(srcdir)/lxc.system.conf.sgml.in $(srcdir)/see_also.sgml.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -457,8 +459,9 @@
 @ENABLE_DOCBOOK_TRUE@ lxc-freeze.1 lxc-info.1 lxc-ls.1 \
 @ENABLE_DOCBOOK_TRUE@ lxc-monitor.1 lxc-snapshot.1 lxc-start.1 \
 @ENABLE_DOCBOOK_TRUE@ lxc-stop.1 lxc-top.1 lxc-unfreeze.1 \
-@ENABLE_DOCBOOK_TRUE@ lxc-unshare.1 lxc-user-nic.1 \
-@ENABLE_DOCBOOK_TRUE@ lxc-usernsexec.1 lxc-wait.1 lxc.conf.5 \
+@ENABLE_DOCBOOK_TRUE@ lxc-unshare.1 lxc-update-config.1 \
+@ENABLE_DOCBOOK_TRUE@ lxc-user-nic.1 lxc-usernsexec.1 \
+@ENABLE_DOCBOOK_TRUE@ lxc-wait.1 lxc.conf.5 \
 @ENABLE_DOCBOOK_TRUE@ lxc.container.conf.5 lxc.system.conf.5 \
 @ENABLE_DOCBOOK_TRUE@ lxc-usernet.5 lxc.7 $(am__append_3) \
 @ENABLE_DOCBOOK_TRUE@ $(am__append_4)
@@ -542,6 +545,8 @@
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 lxc-unshare.sgml: $(top_builddir)/config.status $(srcdir)/lxc-unshare.sgml.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+lxc-update-config.sgml: $(top_builddir)/config.status $(srcdir)/lxc-update-config.sgml.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 lxc-user-nic.sgml: $(top_builddir)/config.status $(srcdir)/lxc-user-nic.sgml.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 lxc-usernsexec.sgml: $(top_builddir)/config.status $(srcdir)/lxc-usernsexec.sgml.in
diff -Nru lxc-2.1.0/lxc.spec lxc-2.1.1/lxc.spec
--- lxc-2.1.0/lxc.spec 2017-09-06 02:32:50.000000000 +0000
+++ lxc-2.1.1/lxc.spec 2017-10-19 17:08:44.000000000 +0000
@@ -60,7 +60,7 @@
 %endif
 Name: lxc
-Version: 2.1.0
+Version: 2.1.1
 Release: %{?beta_rel:0.1.%{beta_rel}}%{?!beta_rel:%{norm_rel}}%{?dist}
 URL: http://linuxcontainers.org
 Source: http://linuxcontainers.org/downloads/%{name}-%{version}%{?beta_dot}.tar.gz
diff -Nru lxc-2.1.0/src/lxc/arguments.c lxc-2.1.1/src/lxc/arguments.c
--- lxc-2.1.0/src/lxc/arguments.c 2017-09-06 02:32:37.000000000 +0000
+++ lxc-2.1.1/src/lxc/arguments.c 2017-10-19 17:08:34.000000000 +0000
@@ -131,7 +131,7 @@ static void print_version() { - printf("%s\n", LXC_VERSION); + printf("%s%s\n", LXC_VERSION, LXC_DEVEL ? "-devel" : ""); exit(0); } diff -Nru lxc-2.1.0/src/lxc/cgroups/cgfsng.c lxc-2.1.1/src/lxc/cgroups/cgfsng.c --- lxc-2.1.0/src/lxc/cgroups/cgfsng.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/cgroups/cgfsng.c 2017-10-19 17:08:34.000000000 +0000 @@ -1175,8 +1175,10 @@ d->name = must_copy_string(handler->name); /* copy per-container cgroup information */ - d->cgroup_meta.dir = must_copy_string(handler->conf->cgroup_meta.dir); - d->cgroup_meta.controllers = must_copy_string(handler->conf->cgroup_meta.controllers); + if (handler->conf) { + d->cgroup_meta.dir = must_copy_string(handler->conf->cgroup_meta.dir); + d->cgroup_meta.controllers = must_copy_string(handler->conf->cgroup_meta.controllers); + } /* copy system-wide cgroup information */ cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); @@ -2009,15 +2011,16 @@ */ static int lxc_cgroup_set_data(const char *filename, const char *value, struct cgfsng_handler_data *d) { - char *subsystem = NULL, *p; - int ret = 0; - struct hierarchy *h; + char *fullpath, *p; /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */ char converted_value[50]; + struct hierarchy *h; + int ret = 0; + char *controller = NULL; - subsystem = alloca(strlen(filename) + 1); - strcpy(subsystem, filename); - if ((p = strchr(subsystem, '.')) != NULL) + controller = alloca(strlen(filename) + 1); + strcpy(controller, filename); + if ((p = strchr(controller, '.')) != NULL) *p = '\0'; if (strcmp("devices.allow", filename) == 0 && value[0] == '/') { 
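Review bot: With the new `if (handler->conf)` guard in the cgfsng.c hunk at -1175, `d->cgroup_meta.dir` and `d->cgroup_meta.controllers` are left untouched when `conf` is NULL, so whatever later reads or frees those fields is only safe if `d` was zero-initialised by its allocator, which is outside this hunk. If that allocation is a plain malloc, add an explicit branch `else { d->cgroup_meta.dir = NULL; d->cgroup_meta.controllers = NULL; }`, or a comment at the allocation stating the zero-fill assumption. The enclosing function starts and ends outside the hunk.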
@@ -2028,12 +2031,18 @@ } - h = get_hierarchy(subsystem); - if (h) { - char *fullpath = must_make_path(h->fullcgpath, filename, NULL); - ret = lxc_write_to_file(fullpath, value, strlen(value), false); - free(fullpath); + h = get_hierarchy(controller); + if (!h) { + ERROR("Failed to setup limits for the \"%s\" controller. " + "The controller seems to be unused by \"cgfsng\" cgroup " + "driver or not enabled on the cgroup hierarchy", + controller); + return -1; } + + fullpath = must_make_path(h->fullcgpath, filename, NULL); + ret = lxc_write_to_file(fullpath, value, strlen(value), false); + free(fullpath); return ret; } diff -Nru lxc-2.1.0/src/lxc/conf.c lxc-2.1.1/src/lxc/conf.c --- lxc-2.1.0/src/lxc/conf.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/conf.c 2017-10-19 17:08:34.000000000 +0000 @@ -782,7 +782,7 @@ {"/proc/self/fd/2", "stderr"}, }; -static int setup_dev_symlinks(const struct lxc_rootfs *rootfs) +static int lxc_setup_dev_symlinks(const struct lxc_rootfs *rootfs) { char path[MAXPATHLEN]; int ret,i; @@ -2700,9 +2700,6 @@ pos += sprintf(mapbuf, "new%cidmap %d", u_or_g, pid); lxc_list_for_each(iterator, idmap) { - /* The kernel only takes <= 4k for writes to - * /proc//[ug]id_map - */ map = iterator->elem; if (map->idtype != type) continue; @@ -2714,8 +2711,13 @@ use_shadow ? " " : "", map->nsid, map->hostid, map->range, use_shadow ? "" : "\n"); - if (fill <= 0 || fill >= left) - SYSERROR("Too many {g,u}id mappings defined."); + if (fill <= 0 || fill >= left) { + /* The kernel only takes <= 4k for writes to + * /proc//{g,u}id_map + */ + SYSERROR("Too many %cid mappings defined", u_or_g); + return -1; + } pos += fill; } 
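Review bot: Returning -1 when `get_hierarchy(controller)` finds nothing is a behaviour change the commit does not document: the old code left `ret` at 0 and skipped the write, so a `lxc.cgroup.<controller>.*` setting for a controller absent from the hierarchy previously did not stop the container, and now makes lxc_cgroup_set_data fail. That is the safer outcome, since a limit the user asked for was silently unenforced before, but it deserves a comment above the check, e.g. `/* Fail hard: skipping an unmounted controller would leave a requested limit unenforced. */`, plus a release note for configs that name a controller the kernel does not expose. The function's beginning is in the previous hunk.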
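Review bot: In the conf.c hunk at -2714, `SYSERROR("Too many %cid mappings defined", u_or_g)` is reached after `snprintf` reported truncation (`fill >= left`) or an encoding error, neither of which reliably sets errno, so if SYSERROR appends strerror(errno) as its name suggests the message will carry a stale errno text; `ERROR("Too many %cid mappings defined", u_or_g);` fits better. The added `return -1` is the right fix for the old code, which only logged and then advanced `pos` past the buffer. The enclosing function starts and ends outside the hunk.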
@@ -3220,13 +3222,16 @@ } } - if (!lxc_conf->is_execute && lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, lxc_conf->ttydir)) { - ERROR("failed to setup the console for '%s'", name); + ret = lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, + lxc_conf->ttydir); + if (ret < 0) { + ERROR("Failed to setup console"); return -1; } - if (!lxc_conf->is_execute && setup_dev_symlinks(&lxc_conf->rootfs)) { - ERROR("failed to setup /dev symlinks for '%s'", name); + ret = lxc_setup_dev_symlinks(&lxc_conf->rootfs); + if (ret < 0) { + ERROR("Failed to setup /dev symlinks"); return -1; } @@ -3816,8 +3821,7 @@ ret = lxc_map_ids(idmap, pid); if (ret < 0) { ERROR("error setting up {g,u}id mappings for child process " - "\"%d\"", - pid); + "\"%d\"", pid); goto on_error; } 
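Review bot: Dropping the `!lxc_conf->is_execute &&` guards means console setup and the /dev symlinks now run for lxc-execute containers too, and the test changed from any non-zero return to `if (ret < 0)`, so a positive non-zero return from `lxc_setup_console` or `lxc_setup_dev_symlinks` would no longer count as failure; both points depend on those helpers, which are outside the hunk, and neither is mentioned by the commit. The error messages also lost the container name even though `name` is still in scope per the removed lines, which makes multi-container logs harder to attribute; consider `ERROR("Failed to setup console for container \"%s\"", name);` and likewise for the symlink message. The enclosing function starts and ends outside the hunk.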
@@ -3840,6 +3844,184 @@ if (host_uid_map && (host_uid_map != container_root_uid)) free(host_uid_map); if (host_gid_map && (host_gid_map != container_root_gid)) + free(host_gid_map); + + if (p[0] != -1) + close(p[0]); + close(p[1]); + + return ret; +} + +int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), void *data, + const char *fn_name) +{ + pid_t pid; + uid_t euid, egid; + struct userns_fn_data d; + int p[2]; + struct id_map *map; + struct lxc_list *cur; + char c = '1'; + int ret = -1; + struct lxc_list *idmap = NULL, *tmplist = NULL; + struct id_map *container_root_uid = NULL, *container_root_gid = NULL, + *host_uid_map = NULL, *host_gid_map = NULL; + + ret = pipe(p); + if (ret < 0) { + SYSERROR("opening pipe"); + return -1; + } + d.fn = fn; + d.fn_name = fn_name; + d.arg = data; + d.p[0] = p[0]; + d.p[1] = p[1]; + + /* Clone child in new user namespace. */ + pid = lxc_clone(run_userns_fn, &d, CLONE_NEWUSER); + if (pid < 0) { + ERROR("failed to clone child process in new user namespace"); + goto on_error; + } + + close(p[0]); + p[0] = -1; + + euid = geteuid(); + egid = getegid(); + + /* Allocate new {g,u}id map list. */ + idmap = malloc(sizeof(*idmap)); + if (!idmap) + goto on_error; + lxc_list_init(idmap); + + /* Find container root. 
*/ + lxc_list_for_each(cur, &conf->id_map) { + struct id_map *tmpmap; + + tmplist = malloc(sizeof(*tmplist)); + if (!tmplist) + goto on_error; + + tmpmap = malloc(sizeof(*tmpmap)); + if (!tmpmap) { + free(tmplist); + goto on_error; + } + + memset(tmpmap, 0, sizeof(*tmpmap)); + memcpy(tmpmap, cur->elem, sizeof(*tmpmap)); + tmplist->elem = tmpmap; + + lxc_list_add_tail(idmap, tmplist); + + map = cur->elem; + + if (map->idtype == ID_TYPE_UID) + if (euid >= map->hostid && euid < map->hostid + map->range) + host_uid_map = map; + + if (map->idtype == ID_TYPE_GID) + if (egid >= map->hostid && egid < map->hostid + map->range) + host_gid_map = map; + + if (map->nsid != 0) + continue; + + if (map->idtype == ID_TYPE_UID) + if (container_root_uid == NULL) + container_root_uid = map; + + if (map->idtype == ID_TYPE_GID) + if (container_root_gid == NULL) + container_root_gid = map; + } + + if (!container_root_uid || !container_root_gid) { + ERROR("No mapping for container root found"); + goto on_error; + } + + /* Check whether the {g,u}id of the user has a mapping. */ + if (!host_uid_map) + host_uid_map = idmap_add(conf, euid, ID_TYPE_UID); + else + host_uid_map = container_root_uid; + + if (!host_gid_map) + host_gid_map = idmap_add(conf, egid, ID_TYPE_GID); + else + host_gid_map = container_root_gid; + + if (!host_uid_map) { + DEBUG("Failed to find mapping for uid %d", euid); + goto on_error; + } + + if (!host_gid_map) { + DEBUG("Failed to find mapping for gid %d", egid); + goto on_error; + } + + if (host_uid_map && (host_uid_map != container_root_uid)) { + /* Add container root to the map. */ + tmplist = malloc(sizeof(*tmplist)); + if (!tmplist) + goto on_error; + lxc_list_add_elem(tmplist, host_uid_map); + lxc_list_add_tail(idmap, tmplist); + } + /* idmap will now keep track of that memory. 
*/ + host_uid_map = NULL; + + if (host_gid_map && (host_gid_map != container_root_gid)) { + tmplist = malloc(sizeof(*tmplist)); + if (!tmplist) + goto on_error; + lxc_list_add_elem(tmplist, host_gid_map); + lxc_list_add_tail(idmap, tmplist); + } + /* idmap will now keep track of that memory. */ + host_gid_map = NULL; + + if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || + conf->loglevel == LXC_LOG_LEVEL_TRACE) { + lxc_list_for_each(cur, idmap) { + map = cur->elem; + TRACE("establishing %cid mapping for \"%d\" in new " + "user namespace: nsuid %lu - hostid %lu - range " + "%lu", + (map->idtype == ID_TYPE_UID) ? 'u' : 'g', pid, + map->nsid, map->hostid, map->range); + } + } + + /* Set up {g,u}id mapping for user namespace of child process. */ + ret = lxc_map_ids(idmap, pid); + if (ret < 0) { + ERROR("error setting up {g,u}id mappings for child process " + "\"%d\"", pid); + goto on_error; + } + + /* Tell child to proceed. */ + if (write(p[1], &c, 1) != 1) { + SYSERROR("failed telling child process \"%d\" to proceed", pid); + goto on_error; + } + + /* Wait for child to finish. */ + ret = wait_for_pid(pid); + +on_error: + if (idmap) + lxc_free_idmap(idmap); + if (host_uid_map && (host_uid_map != container_root_uid)) + free(host_uid_map); + if (host_gid_map && (host_gid_map != container_root_gid)) free(host_gid_map); if (p[0] != -1) diff -Nru lxc-2.1.0/src/lxc/conf.h lxc-2.1.1/src/lxc/conf.h --- lxc-2.1.0/src/lxc/conf.h 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/conf.h 2017-10-19 17:08:34.000000000 +0000 
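Review bot: Every failure between a successful `lxc_clone` and `wait_for_pid` in userns_exec_full (the `malloc` failures in the idmap loop, the missing-root-mapping check, `lxc_map_ids`, the `write` to `p[1]`) jumps to `on_error` without reaping the child, so the new user-namespace child is left as a zombie until the caller exits; whether it even exits on reading EOF from `p[0]` depends on `run_userns_fn`, which is outside the hunk. Track whether the child was waited, for instance by setting `pid = -1` after `wait_for_pid` and adding `if (pid > 0) { kill(pid, SIGKILL); wait_for_pid(pid); }` at the top of `on_error`. Separately, `memset(tmpmap, 0, sizeof(*tmpmap))` immediately followed by `memcpy(tmpmap, cur->elem, sizeof(*tmpmap))` is a dead store and can go, and a header comment stating how this function differs from `userns_exec_1` (whose visible tail above is identical to this one's) would help, since the name alone does not say what "full" adds.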
@@ -381,6 +381,8 @@ extern int lxc_ttys_shift_ids(struct lxc_conf *c); extern int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data, const char *fn_name); +extern int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), + void *data, const char *fn_name); extern int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata); extern void tmp_proc_unmount(struct lxc_conf *lxc_conf); diff -Nru lxc-2.1.0/src/lxc/confile.c lxc-2.1.1/src/lxc/confile.c --- lxc-2.1.0/src/lxc/confile.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/confile.c 2017-10-19 17:08:34.000000000 +0000 
@@ -75,65 +75,66 @@ struct lxc_conf *, void *); \ static int clr_config_##name(const char *, struct lxc_conf *, void *); -lxc_config_define(personality); -lxc_config_define(pty_max); -lxc_config_define(tty_max); -lxc_config_define(tty_dir); -lxc_config_define(apparmor_profile); +lxc_config_define(autodev); lxc_config_define(apparmor_allow_incomplete); -lxc_config_define(selinux_context); +lxc_config_define(apparmor_profile); +lxc_config_define(cap_drop); +lxc_config_define(cap_keep); lxc_config_define(cgroup_controller); lxc_config_define(cgroup_dir); +lxc_config_define(console_logfile); +lxc_config_define(console_path); +lxc_config_define(environment); +lxc_config_define(ephemeral); +lxc_config_define(group); +lxc_config_define(hooks); lxc_config_define(idmaps); -lxc_config_define(log_level); +lxc_config_define(includefiles); +lxc_config_define(init_cmd); +lxc_config_define(init_gid); +lxc_config_define(init_uid); lxc_config_define(log_file); +lxc_config_define(log_level); +lxc_config_define(log_syslog); +lxc_config_define(monitor); lxc_config_define(mount); lxc_config_define(mount_auto); lxc_config_define(mount_fstab); -lxc_config_define(rootfs_mount); -lxc_config_define(rootfs_options); -lxc_config_define(rootfs_backend); -lxc_config_define(rootfs_path); -lxc_config_define(uts_name); -lxc_config_define(hooks); -lxc_config_define(net_type); +lxc_config_define(net); lxc_config_define(net_flags); -lxc_config_define(net_link); -lxc_config_define(net_name); -lxc_config_define(net_veth_pair); -lxc_config_define(net_macvlan_mode); lxc_config_define(net_hwaddr); -lxc_config_define(net_vlan_id); -lxc_config_define(net_mtu); lxc_config_define(net_ipv4_address); lxc_config_define(net_ipv4_gateway); -lxc_config_define(net_script_up); -lxc_config_define(net_script_down); lxc_config_define(net_ipv6_address); lxc_config_define(net_ipv6_gateway); +lxc_config_define(net_link); +lxc_config_define(net_macvlan_mode); +lxc_config_define(net_mtu); +lxc_config_define(net_name); 
lxc_config_define(net_nic); -lxc_config_define(net); -lxc_config_define(cap_drop); -lxc_config_define(cap_keep); -lxc_config_define(console_logfile); -lxc_config_define(console_path); +lxc_config_define(net_script_down); +lxc_config_define(net_script_up); +lxc_config_define(net_type); +lxc_config_define(net_veth_pair); +lxc_config_define(net_vlan_id); +lxc_config_define(no_new_privs); +lxc_config_define(noop); +lxc_config_define(personality); +lxc_config_define(prlimit); +lxc_config_define(pty_max); +lxc_config_define(rootfs_backend); +lxc_config_define(rootfs_mount); +lxc_config_define(rootfs_options); +lxc_config_define(rootfs_path); lxc_config_define(seccomp_profile); -lxc_config_define(includefiles); -lxc_config_define(autodev); +lxc_config_define(selinux_context); lxc_config_define(signal_halt); lxc_config_define(signal_reboot); lxc_config_define(signal_stop); lxc_config_define(start); -lxc_config_define(monitor); -lxc_config_define(group); -lxc_config_define(environment); -lxc_config_define(init_cmd); -lxc_config_define(init_uid); -lxc_config_define(init_gid); -lxc_config_define(ephemeral); -lxc_config_define(log_syslog); -lxc_config_define(no_new_privs); -lxc_config_define(prlimit); +lxc_config_define(tty_max); +lxc_config_define(tty_dir); +lxc_config_define(uts_name); static struct lxc_config_t config[] = { /* REMOVE in LXC 3.0 */ 
@@ -246,12 +247,14 @@ { "lxc.rebootsignal", true, set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, }, { "lxc.stopsignal", true, set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, }, { "lxc.syslog", true, set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, }, + { "lxc.kmsg", true, set_config_noop, get_config_noop, clr_config_noop, }, { "lxc.loglevel", true, set_config_log_level, get_config_log_level, clr_config_log_level, }, { "lxc.logfile", true, set_config_log_file, get_config_log_file, clr_config_log_file, }, { "lxc.init_cmd", true, set_config_init_cmd, get_config_init_cmd, clr_config_init_cmd, }, { "lxc.init_uid", true, set_config_init_uid, get_config_init_uid, clr_config_init_uid, }, { "lxc.init_gid", true, set_config_init_gid, get_config_init_gid, clr_config_init_gid, }, { "lxc.limit", true, set_config_limit, get_config_limit, clr_config_limit, }, + { "lxc.pivotdir", true, set_config_noop, get_config_noop, clr_config_noop, }, /* [END]: REMOVE IN LXC 3.0 */ }; @@ -1439,7 +1442,7 @@ { struct lxc_list *iter; struct rlimit limit; - unsigned long limit_value; + rlim_t limit_value; struct lxc_list *limlist = NULL; struct lxc_limit *limelem = NULL; 
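Review bot: `lxc.kmsg` and `lxc.pivotdir` are now accepted and discarded through the `*_config_noop` callbacks with nothing telling the user that whatever effect these keys previously had is gone; the only hint is the generic legacy-key warning, which this same commit makes opt-in. Add a comment on the two table entries, e.g. `/* Accepted for backwards compatibility only; the key has no effect. */`, and consider a `WARN("Ignoring obsolete key \"%s\"", key);` in set_config_noop so a silently dropped setting at least shows up in the log.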
@@ -1920,42 +1923,51 @@ static int parse_line(char *buffer, void *data) { - struct lxc_config_t *config; char *dot, *key, *line, *linep, *value; - struct parse_line_conf *plc = data; + bool empty_line; + struct lxc_config_t *config; int ret = 0; + char *dup = buffer; + struct parse_line_conf *plc = data; - if (lxc_is_line_empty(buffer)) - return 0; + /* If there are newlines in the config file we should keep them. */ + empty_line = lxc_is_line_empty(dup); + if (empty_line) + dup = "\n"; /* We have to dup the buffer otherwise, at the re-exec for reboot we * modified the original string on the stack by replacing '=' by '\0' * below. */ - linep = line = strdup(buffer); + linep = line = strdup(dup); if (!line) return -1; - if (!plc->from_include) - if ((ret = append_unexp_config_line(line, plc->conf))) - goto out; + if (!plc->from_include) { + ret = append_unexp_config_line(line, plc->conf); + if (ret < 0) + goto on_error; + } + + if (empty_line) + return 0; line += lxc_char_left_gc(line, strlen(line)); /* ignore comments */ if (line[0] == '#') - goto out; + goto on_error; /* martian option - don't add it to the config itself */ if (strncmp(line, "lxc.", 4)) - goto out; + goto on_error; ret = -1; - dot = strstr(line, "="); + dot = strchr(line, '='); if (!dot) { - ERROR("invalid configuration line: %s", line); - goto out; + ERROR("Invalid configuration line: %s", line); + goto on_error; } *dot = '\0'; 
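Review bot: The new empty-line path in parse_line leaks memory: after `dup = "\n"` the line is still `strdup`'d into `linep` and appended, but `if (empty_line) return 0;` returns without reaching the `free(linep)` at `on_error`, so every blank line in a config file leaks one allocation (the old code returned before the strdup). Replace it with `if (empty_line) { ret = 0; goto on_error; }`. Renaming the label from `out` to `on_error` is also misleading, since comment lines and non-`lxc.` lines jump there on the success path with `ret` still 0; `out` or `cleanup` describes it better. The function's tail is in the next hunk.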
@@ -1980,25 +1992,27 @@ config = lxc_get_config(key); if (!config) { ERROR("Unknown configuration key \"%s\"", key); - goto out; + goto on_error; } /* [START]: REMOVE IN LXC 3.0 */ if (config->is_legacy_key && !plc->conf->contains_legacy_key) { plc->conf->contains_legacy_key = true; - /* Warn the user once loud and clear that there is at least one - * legacy configuration item in the configuration file and then - * an update is required. - */ - fprintf(stderr, "The configuration file contains legacy " - "configuration keys.\nPlease update your " - "configuration file!\n"); + if (getenv("LXC_UPDATE_CONFIG_FORMAT")) { + /* Warn the user once loud and clear that there is at + * least one legacy configuration item in the + * configuration file and then an update is required. + */ + fprintf(stderr, "The configuration file contains " + "legacy configuration keys.\nPlease " + "update your configuration file!\n"); + } } /* [END]: REMOVE IN LXC 3.0 */ ret = config->set(key, value, plc->conf, NULL); -out: +on_error: free(linep); return ret; } @@ -2560,6 +2574,12 @@ return 0; } +static int set_config_noop(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) +{ + return 0; +} + /* Callbacks to get configuration items. */ static int get_config_personality(const char *key, char *retv, int inlen, struct lxc_conf *c, void *data) @@ -3170,6 +3190,12 @@ return fulllen; } +static int get_config_noop(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) +{ + return 0; +} + /* Callbacks to clear config items. */ static inline int clr_config_personality(const char *key, struct lxc_conf *c, void *data) 
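Review bot: The `getenv("LXC_UPDATE_CONFIG_FORMAT")` gate in the first hunk has no comment saying who sets the variable or why the warning depends on it; from the `lxc_*` tool hunks later in this diff it is the command-line tools that export it, presumably so that programs linking liblxc directly do not get unexpected stderr output. That reasoning belongs next to the check, e.g. `/* Only the lxc-* tools export LXC_UPDATE_CONFIG_FORMAT; library users get no stderr noise. Remove in 3.0. */`. Note also that the gate makes the legacy-key warning invisible to API consumers entirely, which is presumably intended but worth stating in the commit message.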
@@ -3487,6 +3513,12 @@ return 0; } +static inline int clr_config_noop(const char *key, struct lxc_conf *c, + void *data) +{ + return 0; +} + static int get_config_includefiles(const char *key, char *retv, int inlen, struct lxc_conf *c, void *data) { diff -Nru lxc-2.1.0/src/lxc/confile_legacy.c lxc-2.1.1/src/lxc/confile_legacy.c --- lxc-2.1.0/src/lxc/confile_legacy.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/confile_legacy.c 2017-10-19 17:08:34.000000000 +0000 @@ -170,16 +170,6 @@ lxc_list_init(&netdev->ipv4); lxc_list_init(&netdev->ipv6); - netdev->name[0] = '\0'; - netdev->link[0] = '\0'; - memset(&netdev->priv, 0, sizeof(netdev->priv)); - /* I'm not completely sure if the memset takes care to zero the arrays - * in the union as well. So let's make extra sure and set the first byte - * to zero so that we don't have any surprises. - */ - netdev->priv.veth_attr.pair[0] = '\0'; - netdev->priv.veth_attr.veth1[0] = '\0'; - list = malloc(sizeof(*list)); if (!list) { SYSERROR("failed to allocate memory"); @@ -1091,7 +1081,7 @@ { struct lxc_list *iter; struct rlimit limit; - unsigned long limit_value; + rlim_t limit_value; struct lxc_list *limlist = NULL; struct lxc_limit *limelem = NULL; diff -Nru lxc-2.1.0/src/lxc/confile_utils.c lxc-2.1.1/src/lxc/confile_utils.c --- lxc-2.1.0/src/lxc/confile_utils.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/confile_utils.c 2017-10-19 17:08:34.000000000 +0000 @@ -92,8 +92,6 @@ /* Move beyond \0. */ slide++; - /* align */ - window = slide; /* Validate that only whitespace follows. */ slide += strspn(slide, " \t\r"); /* If there was only one whitespace then we whiped it with our \0 above. @@ -118,8 +116,6 @@ /* Move beyond \0. */ slide++; - /* align */ - window = slide; /* Validate that only whitespace follows. */ slide += strspn(slide, " \t\r"); /* If there was only one whitespace then we whiped it with our \0 above. 
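Review bot: The `confile_legacy.c` hunk at `@@ -170` removes the explicit zeroing of `netdev->name`, `netdev->link` and `netdev->priv`, but unlike the matching `confile_utils.c` hunk on the next line its context does not show a `memset(netdev, 0, sizeof(*netdev))` above the two `lxc_list_init` calls. If the legacy allocator uses plain `malloc` rather than `calloc`/`memset`, those fields now hold garbage, and the `criu.c` hunk later in this diff starts relying on `n->name[0] != '\0'` as the "unset" test. Confirm the zeroing exists above the hunk (the allocation is outside it); if it does, a one-line comment such as `/* netdev was zeroed on allocation; no per-field reset needed. */` would stop the next reader from re-adding these lines.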
@@ -183,15 +179,6 @@ memset(netdev, 0, sizeof(*netdev)); lxc_list_init(&netdev->ipv4); lxc_list_init(&netdev->ipv6); - netdev->name[0] = '\0'; - netdev->link[0] = '\0'; - memset(&netdev->priv, 0, sizeof(netdev->priv)); - /* I'm not completely sure if the memset takes care to zero the arrays - * in the union as well. So let's make extra sure and set the first byte - * to zero so that we don't have any surprises. - */ - netdev->priv.veth_attr.pair[0] = '\0'; - netdev->priv.veth_attr.veth1[0] = '\0'; /* give network a unique index */ netdev->idx = idx; @@ -685,7 +672,7 @@ return snprintf(retv, inlen, "%d", v); } -bool parse_limit_value(const char **value, unsigned long *res) +bool parse_limit_value(const char **value, rlim_t *res) { char *endptr = NULL; @@ -696,7 +683,7 @@ } errno = 0; - *res = strtoul(*value, &endptr, 10); + *res = strtoull(*value, &endptr, 10); if (errno || !endptr) return false; *value = endptr; diff -Nru lxc-2.1.0/src/lxc/confile_utils.h lxc-2.1.1/src/lxc/confile_utils.h --- lxc-2.1.0/src/lxc/confile_utils.h 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/confile_utils.h 2017-10-19 17:08:34.000000000 +0000 @@ -84,5 +84,5 @@ extern bool new_hwaddr(char *hwaddr); extern int lxc_get_conf_str(char *retv, int inlen, const char *value); extern int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v); -extern bool parse_limit_value(const char **value, unsigned long *res); +extern bool parse_limit_value(const char **value, rlim_t *res); #endif /* __LXC_CONFILE_UTILS_H */ diff -Nru lxc-2.1.0/src/lxc/console.c lxc-2.1.1/src/lxc/console.c --- lxc-2.1.0/src/lxc/console.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/console.c 2017-10-19 17:08:34.000000000 +0000 
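Review bot: The switch to `strtoull` in the `parse_limit_value` hunk stores an `unsigned long long` into `rlim_t` with no range check, so on targets where `rlim_t` is narrower than 64 bits (32-bit builds without 64-bit rlimits) a large value is silently truncated, and `errno == ERANGE` only fires for overflow of `unsigned long long` itself. `strtoull` also accepts a leading `-` by wrapping, so `"-1"` parses as the all-ones value (which is `RLIM_INFINITY` on common ABIs) instead of being rejected, and the existing `!endptr` test never fails while `endptr == *value` (no digits at all) is not checked. Parse into a temporary, reject a leading `-`, and require the value to round-trip through `rlim_t`; the function's tail is outside the hunk.

```c
bool parse_limit_value(const char **value, rlim_t *res)
{
	char *endptr = NULL;
	unsigned long long parsed;
	const char *p;

	/* … unchanged: handling that precedes errno = 0 … */
	/* strtoull skips whitespace and then wraps a leading '-'; refuse it. */
	p = *value + strspn(*value, " \t");
	if (*p == '-')
		return false;

	errno = 0;
	parsed = strtoull(*value, &endptr, 10);
	if (errno || !endptr || endptr == *value)
		return false;

	/* rlim_t may be narrower than unsigned long long; do not truncate. */
	if ((unsigned long long)(rlim_t)parsed != parsed)
		return false;

	*res = (rlim_t)parsed;
	*value = endptr;
```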
@@ -174,6 +174,15 @@ if (r <= 0) { INFO("console client on fd %d has exited", fd); lxc_mainloop_del_handler(descr, fd); + if (fd == console->peer) { + if (console->tty_state) { + lxc_console_sigwinch_fini(console->tty_state); + console->tty_state = NULL; + } + console->peer = -1; + close(fd); + return 0; + } close(fd); return 1; } @@ -219,11 +228,6 @@ { struct lxc_console *console = &conf->console; - if (conf->is_execute) { - INFO("no console for lxc-execute."); - return 0; - } - if (!conf->rootfs.path) { INFO("no rootfs, no console."); return 0; @@ -471,7 +475,6 @@ console->tios = malloc(sizeof(*console->tios)); if (!console->tios) { SYSERROR("failed to allocate memory"); - ret = -ENOMEM; goto on_error1; } @@ -483,7 +486,6 @@ on_error2: free(console->tios); console->tios = NULL; - ret = -ENOTTY; on_error1: close(console->peer); @@ -519,11 +521,6 @@ struct lxc_console *console = &conf->console; int ret; - if (conf->is_execute) { - INFO("not allocating a console device for lxc-execute."); - return 0; - } - if (!conf->rootfs.path) { INFO("container does not have a rootfs, console device will be shared with the host"); return 0; diff -Nru lxc-2.1.0/src/lxc/criu.c lxc-2.1.1/src/lxc/criu.c --- lxc-2.1.0/src/lxc/criu.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/criu.c 2017-10-19 17:08:34.000000000 +0000 @@ -551,7 +551,7 @@ external_not_veth = false; } - if (n->name) { + if (n->name[0] != '\0') { if (strlen(n->name) >= sizeof(eth)) goto err; strncpy(eth, n->name, sizeof(eth)); diff -Nru lxc-2.1.0/src/lxc/log.c lxc-2.1.1/src/lxc/log.c --- lxc-2.1.0/src/lxc/log.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/log.c 2017-10-19 17:08:34.000000000 +0000 
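Review bot: In the `@@ -174` hunk both arms of the new `fd == console->peer` branch end in `close(fd)`, and nothing states what the two return values mean (0 for the peer, 1 for any other client). Hoist the `close(fd)` to directly after `lxc_mainloop_del_handler(descr, fd);`, turn the branch into an early `if (fd != console->peer) return 1;`, and add `/* Peer went away: drop its SIGWINCH state but keep the pty mainloop running. */` above the remaining code — presumably 1 asks the mainloop to stop and 0 keeps it going; confirm against the mainloop before wording the comment. The enclosing handler starts outside the hunk.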
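Review bot: The `@@ -471` and `@@ -483` hunks delete `ret = -ENOMEM;` and `ret = -ENOTTY;` on the `on_error1`/`on_error2` paths, but neither hunk shows what `ret` holds at that point or what the labels return. If the function ends in `return ret;`, a failed `malloc` of `console->tios` (or a failed tty setup) is now reported with whatever the previous successful call left in `ret`, i.e. possibly as success. Confirm that the error labels return a fixed negative value outside the hunk; if they do, a comment at the first label such as `/* All error paths return -1; callers do not distinguish causes. */` documents why the assignments were dropped, and if they do not, keep the explicit assignments.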
@@ -222,7 +222,7 @@ seconds = (time->tv_sec - d_in_s - h_in_s - (minutes * 60)); /* Make string from nanoseconds. */ - ret = snprintf(nanosec, LXC_NUMSTRLEN64, "%ld", time->tv_nsec); + ret = snprintf(nanosec, LXC_NUMSTRLEN64, "%"PRId64, (int64_t)time->tv_nsec); if (ret < 0 || ret >= LXC_NUMSTRLEN64) return -1; @@ -297,7 +297,8 @@ if ((size_t)n < (sizeof(buffer) - 1)) n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, *event->vap); - else + + if ((size_t)n >= sizeof(buffer)) n = sizeof(buffer) - 1; buffer[n] = '\n'; diff -Nru lxc-2.1.0/src/lxc/lxccontainer.c lxc-2.1.1/src/lxc/lxccontainer.c --- lxc-2.1.0/src/lxc/lxccontainer.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/lxccontainer.c 2017-10-19 17:08:34.000000000 +0000 @@ -2569,12 +2569,17 @@ } static bool do_destroy_container(struct lxc_conf *conf) { + int ret; + if (am_unpriv()) { - if (userns_exec_1(conf, storage_destroy_wrapper, conf, - "storage_destroy_wrapper") < 0) + ret = userns_exec_full(conf, storage_destroy_wrapper, conf, + "storage_destroy_wrapper"); + if (ret < 0) return false; + return true; } + return storage_destroy(conf); } @@ -2708,8 +2713,8 @@ if (ret < 0 || (size_t)ret >= len) goto out; if (am_unpriv()) - ret = userns_exec_1(conf, lxc_rmdir_onedev_wrapper, path, - "lxc_rmdir_onedev_wrapper"); + ret = userns_exec_full(conf, lxc_rmdir_onedev_wrapper, path, + "lxc_rmdir_onedev_wrapper"); else ret = lxc_rmdir_onedev(path, "snaps"); if (ret < 0) { 
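Review bot: The new clamp `if ((size_t)n >= sizeof(buffer)) n = sizeof(buffer) - 1;` in the `@@ -297` hunk of log.c is correct but unexplained: `vsnprintf` returns the length the message would have had, so after a truncating format `n` exceeds the buffer, and the old `else` (which only ran when the prefix alone filled the buffer) never covered that case, leaving `buffer[n] = '\n'` out of bounds. A one-line comment keeps the next cleanup from folding it back into an `else`: `/* vsnprintf reports the untruncated length; clamp so the '\n' store below stays in bounds. */`. The enclosing function starts and ends outside the hunk.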
@@ -3551,8 +3556,8 @@ data.flags = flags; data.hookargs = hookargs; if (am_unpriv()) - ret = userns_exec_1(c->lxc_conf, clone_update_rootfs_wrapper, - &data, "clone_update_rootfs_wrapper"); + ret = userns_exec_full(c->lxc_conf, clone_update_rootfs_wrapper, + &data, "clone_update_rootfs_wrapper"); else ret = clone_update_rootfs(&data); if (ret < 0) diff -Nru lxc-2.1.0/src/lxc/lxc_user_nic.c lxc-2.1.1/src/lxc/lxc_user_nic.c --- lxc-2.1.0/src/lxc/lxc_user_nic.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/lxc_user_nic.c 2017-10-19 17:08:34.000000000 +0000 @@ -638,7 +638,7 @@ { int count = 0; bool owner = false;; - char *buf_end = &buf[len]; + char *buf_end; buf_end = &buf[len]; while ((buf = find_line(buf, buf_end, name, net_type, net_link, NULL, diff -Nru lxc-2.1.0/src/lxc/monitor.c lxc-2.1.1/src/lxc/monitor.c --- lxc-2.1.0/src/lxc/monitor.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/monitor.c 2017-10-19 17:08:34.000000000 +0000 @@ -243,7 +243,6 @@ ERROR("Failed to connect to monitor socket: %s.", strerror(errno)); goto on_error; } - ret = 0; return fd; diff -Nru lxc-2.1.0/src/lxc/network.c lxc-2.1.1/src/lxc/network.c --- lxc-2.1.0/src/lxc/network.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/network.c 2017-10-19 17:08:34.000000000 +0000 @@ -935,7 +935,6 @@ goto out; recv_len = err; - err = 0; /* Satisfy the typing for the netlink macros */ msg = answer->nlmsghdr; @@ -1377,7 +1376,6 @@ data = (unsigned char *)sockaddr->sa_data; while ((*macaddr != '\0') && (i < ETH_ALEN)) { - val = 0; c = *macaddr++; if (isdigit(c)) val = c - '0'; @@ -2301,10 +2299,6 @@ * \0 */ char netns_path[6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1]; - bool deleted_all = true; - - if (handler->am_root) - return true; *netns_path = '\0'; @@ -2340,7 +2334,7 @@ TRACE("Renamed interface with index %d to its " "initial name \"%s\"", netdev->ifindex, netdev->link); - continue; + goto clear_ifindices; } ret = netdev_deconf[netdev->type](handler, netdev); 
@@ -2348,32 +2342,44 @@ WARN("Failed to deconfigure network device"); if (netdev->type != LXC_NET_VETH) - continue; + goto clear_ifindices; - if (!is_ovs_bridge(netdev->link)) - continue; + if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) + goto clear_ifindices; if (netdev->priv.veth_attr.pair[0] != '\0') hostveth = netdev->priv.veth_attr.pair; else hostveth = netdev->priv.veth_attr.veth1; if (hostveth[0] == '\0') - continue; + goto clear_ifindices; ret = lxc_delete_network_unpriv_exec(handler->lxcpath, handler->name, netdev, netns_path); if (ret < 0) { - deleted_all = false; WARN("Failed to remove port \"%s\" from openvswitch " "bridge \"%s\"", hostveth, netdev->link); - continue; + goto clear_ifindices; } INFO("Removed interface \"%s\" from \"%s\"", hostveth, netdev->link); + +clear_ifindices: + /* We need to clear any ifindeces we recorded so liblxc won't + * have cached stale data which would cause it to fail on reboot + * we're we don't re-read the on-disk config file. + */ + netdev->ifindex = 0; + if (netdev->type == LXC_NET_PHYS) { + netdev->priv.phys_attr.ifindex = 0; + } else if (netdev->type == LXC_NET_VETH) { + netdev->priv.veth_attr.veth1[0] = '\0'; + netdev->priv.veth_attr.ifindex = 0; + } } - return deleted_all; + return true; } int lxc_create_network_priv(struct lxc_handler *handler) @@ -2481,10 +2487,6 @@ int ret; struct lxc_list *iterator; struct lxc_list *network = &handler->conf->network; - bool deleted_all = true; - - if (!handler->am_root) - return true; lxc_list_for_each(iterator, network) { char *hostveth = NULL; @@ -2507,7 +2509,7 @@ "\"%s\" to its initial name \"%s\"", netdev->ifindex, netdev->name, netdev->link); - continue; + goto clear_ifindices; } ret = netdev_deconf[netdev->type](handler, netdev); 
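Review bot: `lxc_delete_network_unpriv` now ends in an unconditional `return true;` after `deleted_all` was removed, so the `WARN("Failed to remove port …")` path no longer affects the result and the `if (!bret)` branch in the new `lxc_delete_network` (network.c, `@@ -3096` on a later line) can never fire; `lxc_delete_network_priv` at `@@ -2573` has the same shape. Either make both functions `void` or keep a flag: `bool bret = true;` at the top, `bret = false;` beside the WARN, and `return bret;`. The new `clear_ifindices` comment also needs spelling fixes — `ifindeces` → `ifindices`, `we're we don't` → `where we don't`. The function's start is outside the hunk.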
@@ -2521,24 +2523,23 @@ ret = lxc_netdev_delete_by_index(netdev->ifindex); if (-ret == ENODEV) { INFO("Interface \"%s\" with index %d already " - "deleted or existing in different network " - "namespace", - netdev->name[0] != '\0' ? netdev->name : "(null)", - netdev->ifindex); + "deleted or existing in different network " + "namespace", + netdev->name[0] != '\0' ? netdev->name : "(null)", + netdev->ifindex); } else if (ret < 0) { - deleted_all = false; WARN("Failed to remove interface \"%s\" with " - "index %d: %s", - netdev->name[0] != '\0' ? netdev->name : "(null)", - netdev->ifindex, strerror(-ret)); - continue; + "index %d: %s", + netdev->name[0] != '\0' ? netdev->name : "(null)", + netdev->ifindex, strerror(-ret)); + goto clear_ifindices; } INFO("Removed interface \"%s\" with index %d", - netdev->name[0] != '\0' ? netdev->name : "(null)", - netdev->ifindex); + netdev->name[0] != '\0' ? netdev->name : "(null)", + netdev->ifindex); if (netdev->type != LXC_NET_VETH) - continue; + goto clear_ifindices; /* Explicitly delete host veth device to prevent lingering * devices. We had issues in LXD around this. @@ -2548,20 +2549,21 @@ else hostveth = netdev->priv.veth_attr.veth1; if (hostveth[0] == '\0') - continue; + goto clear_ifindices; ret = lxc_netdev_delete_by_name(hostveth); if (ret < 0) { - deleted_all = false; WARN("Failed to remove interface \"%s\" from \"%s\": %s", hostveth, netdev->link, strerror(-ret)); - continue; + goto clear_ifindices; } INFO("Removed interface \"%s\" from \"%s\"", hostveth, netdev->link); - if (!is_ovs_bridge(netdev->link)) { + if (netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)) { netdev->priv.veth_attr.veth1[0] = '\0'; - continue; + netdev->ifindex = 0; + netdev->priv.veth_attr.ifindex = 0; + goto clear_ifindices; } /* Delete the openvswitch port. */ 
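Review bot: In the `@@ -2548` hunk the three assignments inside the `netdev->link[0] == '\0' || !is_ovs_bridge(netdev->link)` branch (`veth1[0] = '\0'`, `netdev->ifindex = 0`, `netdev->priv.veth_attr.ifindex = 0`) duplicate exactly what the `clear_ifindices` label does for `LXC_NET_VETH`, and veth is the only type that reaches this point because non-veth devices jump to the label in the `@@ -2521` hunk above. The branch body can be reduced to `goto clear_ifindices;`, which also removes the one place where the clearing logic could drift from the label. The `clear_ifindices` label itself is in the next hunk, outside this one.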
@@ -2573,10 +2575,21 @@ INFO("Removed port \"%s\" from openvswitch bridge \"%s\"", hostveth, netdev->link); - netdev->priv.veth_attr.veth1[0] = '\0'; +clear_ifindices: + /* We need to clear any ifindeces we recorded so liblxc won't + * have cached stale data which would cause it to fail on reboot + * we're we don't re-read the on-disk config file. + */ + netdev->ifindex = 0; + if (netdev->type == LXC_NET_PHYS) { + netdev->priv.phys_attr.ifindex = 0; + } else if (netdev->type == LXC_NET_VETH) { + netdev->priv.veth_attr.veth1[0] = '\0'; + netdev->priv.veth_attr.ifindex = 0; + } } - return deleted_all; + return true; } int lxc_requests_empty_network(struct lxc_handler *handler) @@ -3096,3 +3109,17 @@ return 0; } + +void lxc_delete_network(struct lxc_handler *handler) +{ + bool bret; + + if (handler->am_root) + bret = lxc_delete_network_priv(handler); + else + bret = lxc_delete_network_unpriv(handler); + if (!bret) + DEBUG("Failed to delete network devices"); + else + DEBUG("Deleted network devices"); +} diff -Nru lxc-2.1.0/src/lxc/network.h lxc-2.1.1/src/lxc/network.h --- lxc-2.1.0/src/lxc/network.h 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/network.h 2017-10-19 17:08:34.000000000 +0000 @@ -266,8 +266,7 @@ char *lxcname, struct lxc_list *network, pid_t pid); -extern bool lxc_delete_network_priv(struct lxc_handler *handler); -extern bool lxc_delete_network_unpriv(struct lxc_handler *handler); +extern void lxc_delete_network(struct lxc_handler *handler); extern int lxc_find_gateway_addresses(struct lxc_handler *handler); extern int lxc_create_network_unpriv(const char *lxcpath, char *lxcname, struct lxc_list *network, pid_t pid); diff -Nru lxc-2.1.0/src/lxc/start.c lxc-2.1.1/src/lxc/start.c --- lxc-2.1.0/src/lxc/start.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/start.c 2017-10-19 17:08:34.000000000 +0000 
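Review bot: The new `lxc_delete_network` in the last hunk has no header comment, and its `DEBUG("Failed to delete network devices")` branch is dead code as long as both callees return `true` unconditionally (see `@@ -2348` and `@@ -2573`). Suggest `/* Tear down the container's network devices, taking the privileged or user-namespace path from handler->am_root. Failures are only logged. */` above the definition, and a WARN rather than DEBUG for the failure message once the callees report failures again. The two `clear_ifindices` blocks here and in the unprivileged function are character-for-character identical; a small static helper taking the netdev would keep them in sync.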
@@ -236,6 +236,15 @@ (i < len_fds && fd == fds_to_ignore[i])) continue; + if (conf) { + for (i = 0; i < LXC_NS_MAX; i++) + if (conf->inherit_ns_fd[i] == fd) + break; + + if (i < LXC_NS_MAX) + continue; + } + if (current_config && fd == current_config->logfd) continue; @@ -631,6 +640,9 @@ if (setenv("LXC_CGNS_AWARE", "1", 1)) SYSERROR("Failed to set environment variable LXC_CGNS_AWARE=1."); + + if (setenv("LXC_LOG_LEVEL", lxc_log_priority_to_string(handler->conf->loglevel), 1)) + SYSERROR("Failed to set environment variable LXC_CGNS_AWARE=1."); /* End of environment variable setup for hooks. */ TRACE("set environment variables"); @@ -913,6 +925,17 @@ INFO("Unshared CLONE_NEWCGROUP."); } + /* Add the requested environment variables to the current environment to + * allow them to be used by the various hooks, such as the start hook + * above. + */ + lxc_list_for_each(iterator, &handler->conf->environment) { + if (putenv((char *)iterator->elem)) { + SYSERROR("Failed to set environment variable: %s.", (char *)iterator->elem); + goto out_warn_father; + } + } + /* Setup the container, ip, names, utsname, ... */ ret = lxc_setup(handler); close(handler->data_sock[0]); 
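Review bot: In the `@@ -631` hunk the error message for the new `setenv("LXC_LOG_LEVEL", …)` call was copy-pasted and still reads `Failed to set environment variable LXC_CGNS_AWARE=1.`, so a failure would be logged against the wrong variable. Change it to `SYSERROR("Failed to set environment variable LXC_LOG_LEVEL=%s.", lxc_log_priority_to_string(handler->conf->loglevel));`. If `lxc_log_priority_to_string` can return NULL for an out-of-range level (not visible here), guard for that before passing it to `setenv`. The enclosing function continues outside the hunk.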
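Review bot: The `putenv((char *)iterator->elem)` loop in the `@@ -913` hunk does not check that each entry contains `=`: glibc's `putenv` treats a bare `NAME` as a request to remove that variable, so a malformed `lxc.environment` line would silently unset something rather than set it, unless the parser already rejects such lines (outside this diff). A check such as `if (!strchr(iterator->elem, '=')) { ERROR("Invalid environment entry: %s", (char *)iterator->elem); goto out_warn_father; }` makes the contract explicit. `putenv` also keeps the pointer rather than copying, which is fine only as long as the list elements outlive the child up to `exec`; a comment recording that assumption would help.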
@@ -962,37 +985,34 @@ goto out_warn_father; } - /* The container has been setup. We can now switch to an unprivileged - * uid/gid. - */ - if (handler->conf->is_execute) { - bool have_cap_setgid; - uid_t new_uid = handler->conf->init_uid; - gid_t new_gid = handler->conf->init_gid; + close(handler->sigfd); - /* If we are in a new user namespace we already dropped all - * groups when we switched to root in the new user namespace - * further above. Only drop groups if we can, so ensure that we - * have necessary privilege. - */ - #if HAVE_LIBCAP - have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE); - #else - have_cap_setgid = false; - #endif - if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) { - if (lxc_setgroups(0, NULL) < 0) - goto out_warn_father; - } + if (devnull_fd < 0) { + devnull_fd = open_devnull(); - if (lxc_switch_uid_gid(new_uid, new_gid) < 0) + if (devnull_fd < 0) goto out_warn_father; } - /* The clearenv() and putenv() calls have been moved here to allow us to - * use environment variables passed to the various hooks, such as the - * start hook above. Not all of the variables like CONFIG_PATH or ROOTFS - * are valid in this context but others are. + if (handler->conf->console.slave < 0 && handler->backgrounded) + if (set_stdfds(devnull_fd) < 0) { + ERROR("Failed to redirect std{in,out,err} to " + "\"/dev/null\""); + goto out_warn_father; + } + + if (devnull_fd >= 0) { + close(devnull_fd); + devnull_fd = -1; + } + + setsid(); + + if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP_LIMITS)) + goto out_warn_father; + + /* Reset the environment variables the user requested in a clear + * environment. */ if (clearenv()) { SYSERROR("Failed to clear environment."); 
@@ -1018,32 +1038,33 @@ } } - close(handler->sigfd); - - if (devnull_fd < 0) { - devnull_fd = open_devnull(); - - if (devnull_fd < 0) - goto out_warn_father; - } + /* The container has been setup. We can now switch to an unprivileged + * uid/gid. + */ + if (handler->conf->is_execute) { + bool have_cap_setgid; + uid_t new_uid = handler->conf->init_uid; + gid_t new_gid = handler->conf->init_gid; - if (handler->conf->console.slave < 0 && handler->backgrounded) - if (set_stdfds(devnull_fd) < 0) { - ERROR("Failed to redirect std{in,out,err} to " - "\"/dev/null\""); - goto out_warn_father; + /* If we are in a new user namespace we already dropped all + * groups when we switched to root in the new user namespace + * further above. Only drop groups if we can, so ensure that we + * have necessary privilege. + */ + #if HAVE_LIBCAP + have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE); + #else + have_cap_setgid = false; + #endif + if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) { + if (lxc_setgroups(0, NULL) < 0) + goto out_warn_father; } - if (devnull_fd >= 0) { - close(devnull_fd); - devnull_fd = -1; + if (lxc_switch_uid_gid(new_uid, new_gid) < 0) + goto out_warn_father; } - setsid(); - - if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP_LIMITS)) - goto out_warn_father; - /* After this call, we are in error because this ops should not return * as it execs. */ @@ -1142,7 +1163,7 @@ bool wants_to_map_ids; int saved_ns_fd[LXC_NS_MAX]; struct lxc_list *id_map; - int failed_before_rename = 0, preserve_mask = 0; + int preserve_mask = 0; bool cgroups_connected = false; id_map = &handler->conf->id_map; 
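Review bot: The uid/gid switch for `is_execute` is moved verbatim together with its comment `The container has been setup. We can now switch to an unprivileged uid/gid.`, but nothing records why it now runs after the `clearenv()`/`putenv()` environment reset and the `LXC_SYNC_CGROUP_LIMITS` barrier that the previous hunk moved ahead of it. The next maintainer cannot tell whether that ordering is load-bearing. Extend the comment, e.g. `/* Deliberately after the environment reset and the cgroup-limits barrier: those steps must run with the original credentials. */` — provided that is indeed the reason for the move. The enclosing function continues on both sides of the hunk.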
@@ -1256,15 +1277,11 @@ goto out_delete_net; } - if (lxc_sync_wake_child(handler, LXC_SYNC_STARTUP)) { - failed_before_rename = 1; + if (lxc_sync_wake_child(handler, LXC_SYNC_STARTUP)) goto out_delete_net; - } - if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE)) { - failed_before_rename = 1; + if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE)) goto out_delete_net; - } if (!cgroup_create_legacy(handler)) { ERROR("Failed to setup legacy cgroups for container \"%s\".", name); @@ -1281,9 +1298,6 @@ if (!cgroup_chown(handler)) goto out_delete_net; - if (failed_before_rename) - goto out_delete_net; - handler->netnsfd = lxc_preserve_ns(handler->pid, "net"); if (handler->netnsfd < 0) { ERROR("Failed to preserve network namespace"); @@ -1381,14 +1395,8 @@ if (cgroups_connected) cgroup_disconnect(); - if (handler->clone_flags & CLONE_NEWNET) { - DEBUG("Tearing down network devices"); - if (!lxc_delete_network_priv(handler)) - DEBUG("Failed tearing down network devices"); - - if (!lxc_delete_network_unpriv(handler)) - DEBUG("Failed tearing down network devices"); - } + if (handler->clone_flags & CLONE_NEWNET) + lxc_delete_network(handler); out_abort: lxc_abort(name, handler); @@ -1499,17 +1507,7 @@ err = lxc_error_set_and_log(handler->pid, status); out_fini: - DEBUG("Tearing down network devices"); - if (!lxc_delete_network_priv(handler)) - DEBUG("Failed tearing down network devices"); - - if (!lxc_delete_network_unpriv(handler)) - DEBUG("Failed tearing down network devices"); - - if (handler->netnsfd >= 0) { - close(handler->netnsfd); - handler->netnsfd = -1; - } + lxc_delete_network(handler); out_detach_blockdev: detach_block_device(handler->conf); @@ -1596,8 +1594,8 @@ } if (!handler->am_root) - ret = userns_exec_1(handler->conf, lxc_rmdir_onedev_wrapper, - destroy, "lxc_rmdir_onedev_wrapper"); + ret = userns_exec_full(handler->conf, lxc_rmdir_onedev_wrapper, + destroy, "lxc_rmdir_onedev_wrapper"); else ret = lxc_rmdir_onedev(destroy, NULL); 
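Review bot: The rewritten `out_fini:` block in the `@@ -1499` hunk drops the `close(handler->netnsfd); handler->netnsfd = -1;` that followed network teardown, and the new `lxc_delete_network` in network.c does not close it either, so unless it is closed elsewhere outside this hunk the network-namespace fd now stays open for the handler's lifetime. The unprivileged teardown looks like it builds a `/proc/<pid>/fd/<fd>` path from that fd (the `netns_path` buffer in network.c), so it must stay open until `lxc_delete_network` returns and should be closed right after, e.g. `lxc_delete_network(handler); if (handler->netnsfd >= 0) { close(handler->netnsfd); handler->netnsfd = -1; }`. The enclosing function continues outside the hunk.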
@@ -1615,9 +1613,12 @@ } static bool do_destroy_container(struct lxc_handler *handler) { + int ret; + if (!handler->am_root) { - if (userns_exec_1(handler->conf, storage_destroy_wrapper, - handler->conf, "storage_destroy_wrapper") < 0) + ret = userns_exec_full(handler->conf, storage_destroy_wrapper, + handler->conf, "storage_destroy_wrapper"); + if (ret < 0) return false; return true; diff -Nru lxc-2.1.0/src/lxc/storage/aufs.c lxc-2.1.1/src/lxc/storage/aufs.c --- lxc-2.1.0/src/lxc/storage/aufs.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/aufs.c 2017-10-19 17:08:34.000000000 +0000 @@ -164,8 +164,8 @@ rdata.src = odelta; rdata.dest = ndelta; if (am_unpriv()) - ret = userns_exec_1(conf, lxc_rsync_delta_wrapper, - &rdata, "lxc_rsync_delta_wrapper"); + ret = userns_exec_full(conf, lxc_rsync_delta_wrapper, + &rdata, "lxc_rsync_delta_wrapper"); else ret = run_command(cmd_output, sizeof(cmd_output), lxc_rsync_delta_wrapper, diff -Nru lxc-2.1.0/src/lxc/storage/btrfs.c lxc-2.1.1/src/lxc/storage/btrfs.c --- lxc-2.1.0/src/lxc/storage/btrfs.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/btrfs.c 2017-10-19 17:08:34.000000000 +0000 @@ -434,8 +434,8 @@ data.orig = orig; data.new = new; if (am_unpriv()) { - ret = userns_exec_1(conf, lxc_storage_rsync_exec_wrapper, &data, - "lxc_storage_rsync_exec_wrapper"); + ret = userns_exec_full(conf, lxc_storage_rsync_exec_wrapper, + &data, "lxc_storage_rsync_exec_wrapper"); if (ret < 0) { ERROR("Failed to rsync from \"%s\" into \"%s\"", orig->dest, new->dest); diff -Nru lxc-2.1.0/src/lxc/storage/lvm.c lxc-2.1.1/src/lxc/storage/lvm.c --- lxc-2.1.0/src/lxc/storage/lvm.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/lvm.c 2017-10-19 17:08:34.000000000 +0000 
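Review bot: `do_destroy_container` in start.c is now a line-for-line twin of the static `do_destroy_container` in lxccontainer.c (`@@ -2569` earlier in this diff), both wrapping `storage_destroy_wrapper` in `userns_exec_full` and falling back to `storage_destroy`. Two private copies will drift the next time the user-namespace helper changes; one exported helper would remove the duplication. The function's tail is outside the hunk.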
@@ -264,17 +264,18 @@ int lvm_compare_lv_attr(const char *path, int pos, const char expected) { struct lxc_popen_FILE *f; - int ret, len, status; + int ret, status; + size_t len; char *cmd; char output[12]; - int start=0; + int start = 0; const char *lvscmd = "lvs --unbuffered --noheadings -o lv_attr %s 2>/dev/null"; - len = strlen(lvscmd) + strlen(path) - 1; + len = strlen(lvscmd) + strlen(path) + 1; cmd = alloca(len); ret = snprintf(cmd, len, lvscmd, path); - if (ret < 0 || ret >= len) + if (ret < 0 || (size_t)ret >= len) return -1; f = lxc_popen(cmd); @@ -283,6 +284,7 @@ return -1; } + ret = 0; if (!fgets(output, 12, f->f)) ret = 1; diff -Nru lxc-2.1.0/src/lxc/storage/overlay.c lxc-2.1.1/src/lxc/storage/overlay.c --- lxc-2.1.0/src/lxc/storage/overlay.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/overlay.c 2017-10-19 17:08:34.000000000 +0000 @@ -109,9 +109,9 @@ return -1; } - strncpy(delta, new->dest, lastslashidx + 1); - strncpy(delta + lastslashidx, "delta0", sizeof("delta0") - 1); - delta[lastslashidx + sizeof("delta0")] = '\0'; + memcpy(delta, new->dest, lastslashidx + 1); + memcpy(delta + lastslashidx, "delta0", sizeof("delta0") - 1); + delta[lastslashidx + sizeof("delta0") - 1] = '\0'; ret = mkdir(delta, 0755); if (ret < 0 && errno != EEXIST) { @@ -141,12 +141,13 @@ return -1; } - strncpy(work, new->dest, lastslashidx + 1); - strncpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); - work[lastslashidx + sizeof("olwork")] = '\0'; + memcpy(work, new->dest, lastslashidx + 1); + memcpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); + work[lastslashidx + sizeof("olwork") - 1] = '\0'; - if (mkdir(work, 0755) < 0) { - SYSERROR("error: mkdir %s", work); + ret = mkdir(work, 0755); + if (ret < 0) { + SYSERROR("Failed to create directory \"%s\"", work); free(delta); free(work); return -1; 
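Review bot: The new `len = strlen(lvscmd) + strlen(path) + 1;` in `lvm_compare_lv_attr` over-allocates by two bytes: the two-character `%s` inside `lvscmd` is replaced by `path`, so the exact size is `strlen(lvscmd) - 2 + strlen(path) + 1`, which is what the previous `- 1` computed; the `(size_t)ret >= len` check below guards either way. Harmless, but the derivation should be written down so the constant is not "fixed" a third time: `/* "%s" (2 bytes) is replaced by path; +1 for the NUL. */`. The `ret = 0;` before `fgets` in the second hunk is worth a comment too, since `ret` otherwise still carried the `snprintf` length into the result.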
@@ -200,9 +201,8 @@ nsrc = strchr(osrc, ':') + 1; if ((nsrc != osrc + 8) && (nsrc != osrc + 10)) { + ERROR("Detected \":\" in \"%s\" at wrong position", osrc); free(osrc); - ERROR("Detected \":\" in \"%s\" at wrong position", - osrc); return -22; } @@ -219,9 +219,9 @@ ret = mkdir(ndelta, 0755); if (ret < 0 && errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", ndelta); free(osrc); free(ndelta); - SYSERROR("Failed to create directory \"%s\"", ndelta); return -1; } @@ -237,9 +237,9 @@ */ lastslash = strrchr(ndelta, '/'); if (!lastslash) { + ERROR("Failed to detect \"/\" in \"%s\"", ndelta); free(osrc); free(ndelta); - ERROR("Failed to detect \"/\" in \"%s\"", ndelta); return -1; } lastslash++; @@ -253,16 +253,16 @@ return -1; } - strncpy(work, ndelta, lastslashidx + 1); - strncpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); - work[lastslashidx + sizeof("olwork")] = '\0'; + memcpy(work, ndelta, lastslashidx + 1); + memcpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); + work[lastslashidx + sizeof("olwork") - 1] = '\0'; ret = mkdir(work, 0755); if (ret < 0 && errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", ndelta); free(osrc); free(ndelta); free(work); - SYSERROR("Failed to create directory \"%s\"", ndelta); return -1; } @@ -322,7 +322,7 @@ s1 = strrchr(clean_old_path, '/'); if (!s1) { - ERROR("Failed to detect \"/\" in string \"%s\"", s1); + ERROR("Failed to detect \"/\" in string \"%s\"", clean_old_path); free(clean_old_path); free(clean_new_path); return -1; @@ -330,7 +330,7 @@ s2 = strrchr(clean_new_path, '/'); if (!s2) { - ERROR("Failed to detect \"/\" in string \"%s\"", s2); + ERROR("Failed to detect \"/\" in string \"%s\"", clean_new_path); free(clean_old_path); free(clean_new_path); return -1; 
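Review bot: In the `@@ -253` hunk the `SYSERROR` that was moved ahead of the `free` calls reports the wrong directory: the failing call is `mkdir(work, 0755)`, but the message prints `ndelta`. It should read `SYSERROR("Failed to create directory \"%s\"", work);`. Moving the logging before the frees in this and the `@@ -200`/`@@ -219`/`@@ -237` hunks is the right fix for the earlier use-after-free; only the argument is off.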
@@ -417,8 +417,8 @@ return -1; } - strncpy(delta, dest, len); - strncpy(delta + len - 6, "delta0", sizeof("delta0") - 1); + memcpy(delta, dest, len); + memcpy(delta + len - 6, "delta0", sizeof("delta0") - 1); delta[len + sizeof("delta0")] = '\0'; ret = mkdir_p(delta, 0755); @@ -575,9 +575,9 @@ return -22; } - strncpy(work, upper, lastslashidx + 1); - strncpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); - work[lastslashidx + sizeof("olwork")] = '\0'; + memcpy(work, upper, lastslashidx + 1); + memcpy(work + lastslashidx, "olwork", sizeof("olwork") - 1); + work[lastslashidx + sizeof("olwork") - 1] = '\0'; ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata); if (ret < 0) { @@ -747,8 +747,9 @@ char lxcpath[MAXPATHLEN]; char **opts; int ret; - size_t arrlen, dirlen, i, len, rootfslen; + size_t arrlen, i, len, rootfslen; int fret = -1; + size_t dirlen = 0; char *rootfs_dir = NULL, *rootfs_path = NULL, *upperdir = NULL, *workdir = NULL; @@ -772,8 +773,7 @@ } if (rootfs_path) { - ret = - snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name); + ret = snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name); if (ret < 0 || ret >= MAXPATHLEN) goto err; @@ -971,8 +971,8 @@ rdata.src = (char *)src; rdata.dest = (char *)dest; if (am_unpriv()) - ret = userns_exec_1(conf, lxc_rsync_exec_wrapper, &rdata, - "lxc_rsync_exec_wrapper"); + ret = userns_exec_full(conf, lxc_rsync_exec_wrapper, &rdata, + "lxc_rsync_exec_wrapper"); else ret = run_command(cmd_output, sizeof(cmd_output), lxc_rsync_exec_wrapper, (void *)&rdata); diff -Nru lxc-2.1.0/src/lxc/storage/storage.c lxc-2.1.1/src/lxc/storage/storage.c --- lxc-2.1.0/src/lxc/storage/storage.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/storage.c 2017-10-19 17:08:34.000000000 +0000 
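Review bot: In the `@@ -417` hunk the terminator is still written at `delta[len + sizeof("delta0")] = '\0';` while every sibling hunk in this file was corrected to `… - 1`, and here the index is off by more than one: `"delta0"` overwrites the last six bytes of the copied `dest` in place, so the string ends at index `len` and the NUL belongs at `delta[len] = '\0';`. As written, bytes `len` through `len + 6` are left uninitialised and the store at `len + 7` may be past the end of the buffer, depending on the allocation size above the hunk (not visible). The function's start is outside the hunk.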
@@ -337,6 +337,11 @@ struct rsync_data data = {0}; char cmd_output[MAXPATHLEN] = {0}; + if (!src) { + ERROR("No rootfs specified"); + return NULL; + } + /* If the container name doesn't show up in the rootfs path, then we * don't know how to come up with a new name. */ @@ -374,7 +379,7 @@ if (ret < 0 && errno == ENOENT) { ret = mkdir_p(orig->dest, 0755); if (ret < 0) - WARN("Failed to create directoy \"%s\"", orig->dest); + WARN("Failed to create directory \"%s\"", orig->dest); } } @@ -502,8 +507,9 @@ data.orig = orig; data.new = new; if (am_unpriv()) - ret = userns_exec_1(c->lxc_conf, lxc_storage_rsync_exec_wrapper, - &data, "lxc_storage_rsync_exec_wrapper"); + ret = userns_exec_full(c->lxc_conf, + lxc_storage_rsync_exec_wrapper, &data, + "lxc_storage_rsync_exec_wrapper"); else ret = run_command(cmd_output, sizeof(cmd_output), lxc_storage_rsync_exec_wrapper, (void *)&data); diff -Nru lxc-2.1.0/src/lxc/storage/storage.h lxc-2.1.1/src/lxc/storage/storage.h --- lxc-2.1.0/src/lxc/storage/storage.h 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/storage.h 2017-10-19 17:08:34.000000000 +0000 @@ -136,7 +136,6 @@ extern void storage_put(struct lxc_storage *bdev); extern bool storage_destroy(struct lxc_conf *conf); -/* callback function to be used with userns_exec_1() */ extern int storage_destroy_wrapper(void *data); extern bool rootfs_is_blockdev(struct lxc_conf *conf); extern char *lxc_storage_get_path(char *src, const char *prefix); diff -Nru lxc-2.1.0/src/lxc/storage/zfs.c lxc-2.1.1/src/lxc/storage/zfs.c --- lxc-2.1.0/src/lxc/storage/zfs.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/storage/zfs.c 2017-10-19 17:08:34.000000000 +0000 
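Review bot: The `storage.h` hunk deletes the comment `/* callback function to be used with userns_exec_1() */` above `storage_destroy_wrapper` without replacing it, so the prototype no longer says what its `void *data` is. Since every caller in this diff switched to `userns_exec_full` and passes the `struct lxc_conf *` being destroyed, the comment should have been updated rather than removed: `/* callback for userns_exec_full(); data is the struct lxc_conf * to destroy */`.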
@@ -754,12 +754,14 @@ cmd_args.argv = argv; ret = run_command(cmd_output, sizeof(cmd_output), zfs_create_exec_wrapper, (void *)&cmd_args); - if (ret < 0) + if (ret < 0) { ERROR("Failed to create zfs dataset \"%s\": %s", bdev->src, cmd_output); - else if (cmd_output[0] != '\0') + return -1; + } else if (cmd_output[0] != '\0') { INFO("Created zfs dataset \"%s\": %s", bdev->src, cmd_output); - else + } else { TRACE("Created zfs dataset \"%s\"", bdev->src); + } ret = mkdir_p(bdev->dest, 0755); if (ret < 0 && errno != EEXIST) { diff -Nru lxc-2.1.0/src/lxc/tools/lxc_attach.c lxc-2.1.1/src/lxc/tools/lxc_attach.c --- lxc-2.1.0/src/lxc/tools/lxc_attach.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_attach.c 2017-10-19 17:08:34.000000000 +0000 @@ -406,6 +406,9 @@ } } + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + struct lxc_container *c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) exit(EXIT_FAILURE); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_autostart.c lxc-2.1.1/src/lxc/tools/lxc_autostart.c --- lxc-2.1.0/src/lxc/tools/lxc_autostart.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_autostart.c 2017-10-19 17:08:34.000000000 +0000 @@ -368,6 +368,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + count = list_defined_containers(my_args.lxcpath[0], NULL, &containers); if (count < 0) diff -Nru lxc-2.1.0/src/lxc/tools/lxc_cgroup.c lxc-2.1.1/src/lxc/tools/lxc_cgroup.c --- lxc-2.1.0/src/lxc/tools/lxc_cgroup.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_cgroup.c 2017-10-19 17:08:34.000000000 +0000 @@ -21,16 +21,17 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include #include +#include #include -#include #include #include -#include "lxc.h" -#include "log.h" #include "arguments.h" +#include "log.h" +#include "lxc.h" lxc_log_define(lxc_cgroup_ui, lxc); 
@@ -86,6 +87,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + state_object = my_args.argv[0]; c = lxc_container_new(my_args.name, my_args.lxcpath[0]); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_checkpoint.c lxc-2.1.1/src/lxc/tools/lxc_checkpoint.c --- lxc-2.1.0/src/lxc/tools/lxc_checkpoint.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_checkpoint.c 2017-10-19 17:08:34.000000000 +0000 @@ -255,6 +255,9 @@ lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { fprintf(stderr, "System error loading %s\n", my_args.name); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_clone.c lxc-2.1.1/src/lxc/tools/lxc_clone.c --- lxc-2.1.0/src/lxc/tools/lxc_clone.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_clone.c 2017-10-19 17:08:34.000000000 +0000 @@ -176,6 +176,8 @@ usage(argv[0]); } + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c1 = lxc_container_new(orig, lxcpath); if (!c1) exit(EXIT_FAILURE); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_config.c lxc-2.1.1/src/lxc/tools/lxc_config.c --- lxc-2.1.0/src/lxc/tools/lxc_config.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_config.c 2017-10-19 17:08:34.000000000 +0000 @@ -62,6 +62,8 @@ struct lxc_config_items *i; const char *value; + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + if (argc < 2) usage(argv[0]); if (strcmp(argv[1], "-l") == 0) diff -Nru lxc-2.1.0/src/lxc/tools/lxc_console.c lxc-2.1.1/src/lxc/tools/lxc_console.c --- lxc-2.1.0/src/lxc/tools/lxc_console.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_console.c 2017-10-19 17:08:34.000000000 +0000 
@@ -119,6 +119,9 @@ return EXIT_FAILURE; lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { fprintf(stderr, "System error loading container\n"); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_copy.c lxc-2.1.1/src/lxc/tools/lxc_copy.c --- lxc-2.1.0/src/lxc/tools/lxc_copy.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_copy.c 2017-10-19 17:08:34.000000000 +0000 @@ -190,6 +190,9 @@ exit(ret); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + if (geteuid()) { if (access(my_args.lxcpath[0], O_RDONLY) < 0) { if (!my_args.quiet) diff -Nru lxc-2.1.0/src/lxc/tools/lxc_create.c lxc-2.1.1/src/lxc/tools/lxc_create.c --- lxc-2.1.0/src/lxc/tools/lxc_create.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_create.c 2017-10-19 17:08:34.000000000 +0000 @@ -229,6 +229,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + if (!my_args.template) { fprintf(stderr, "A template must be specified.\n"); fprintf(stderr, "Use \"none\" if you really want a container without a rootfs.\n"); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_destroy.c lxc-2.1.1/src/lxc/tools/lxc_destroy.c --- lxc-2.1.0/src/lxc/tools/lxc_destroy.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_destroy.c 2017-10-19 17:08:34.000000000 +0000 @@ -89,6 +89,9 @@ if (my_args.quiet) quiet = true; + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { if (!quiet) @@ -278,4 +281,3 @@ return bret; } - diff -Nru lxc-2.1.0/src/lxc/tools/lxc_device.c lxc-2.1.1/src/lxc/tools/lxc_device.c --- lxc-2.1.0/src/lxc/tools/lxc_device.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_device.c 2017-10-19 17:08:34.000000000 +0000 
@@ -127,6 +127,9 @@ goto err; lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { ERROR("%s doesn't exist", my_args.name); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_execute.c lxc-2.1.1/src/lxc/tools/lxc_execute.c --- lxc-2.1.0/src/lxc/tools/lxc_execute.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_execute.c 2017-10-19 17:08:34.000000000 +0000 @@ -129,6 +129,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { ERROR("Failed to create lxc_container"); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_freeze.c lxc-2.1.1/src/lxc/tools/lxc_freeze.c --- lxc-2.1.0/src/lxc/tools/lxc_freeze.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_freeze.c 2017-10-19 17:08:34.000000000 +0000 @@ -76,6 +76,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { ERROR("No such container: %s:%s", my_args.lxcpath[0], my_args.name); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_info.c lxc-2.1.1/src/lxc/tools/lxc_info.c --- lxc-2.1.0/src/lxc/tools/lxc_info.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_info.c 2017-10-19 17:08:34.000000000 +0000 @@ -413,6 +413,9 @@ exit(ret); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + if (print_info(my_args.name, my_args.lxcpath[0]) == 0) ret = EXIT_SUCCESS; diff -Nru lxc-2.1.0/src/lxc/tools/lxc_init.c lxc-2.1.1/src/lxc/tools/lxc_init.c --- lxc-2.1.0/src/lxc/tools/lxc_init.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_init.c 2017-10-19 17:08:34.000000000 +0000 
@@ -77,7 +77,7 @@ int main(int argc, char *argv[]) { - pid_t pid; + pid_t pid, sid; int err; char **aargv; sigset_t mask, omask; @@ -189,6 +189,10 @@ exit(EXIT_FAILURE); } + sid = setsid(); + if (sid < 0) + DEBUG("Failed to make child session leader"); + NOTICE("About to exec '%s'", aargv[0]); ret = execvp(aargv[0], aargv); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_ls.c lxc-2.1.1/src/lxc/tools/lxc_ls.c --- lxc-2.1.0/src/lxc/tools/lxc_ls.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_ls.c 2017-10-19 17:08:34.000000000 +0000 @@ -233,6 +233,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + struct lengths max_len = { /* default header length */ .name_length = 4, /* NAME */ diff -Nru lxc-2.1.0/src/lxc/tools/lxc_monitor.c lxc-2.1.1/src/lxc/tools/lxc_monitor.c --- lxc-2.1.0/src/lxc/tools/lxc_monitor.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_monitor.c 2017-10-19 17:08:34.000000000 +0000 @@ -113,6 +113,9 @@ exit(rc_main); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + if (quit_monitord) { int ret = EXIT_SUCCESS; for (i = 0; i < my_args.lxcpath_cnt; i++) { diff -Nru lxc-2.1.0/src/lxc/tools/lxc_snapshot.c lxc-2.1.1/src/lxc/tools/lxc_snapshot.c --- lxc-2.1.0/src/lxc/tools/lxc_snapshot.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_snapshot.c 2017-10-19 17:08:34.000000000 +0000 @@ -101,6 +101,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + if (geteuid()) { if (access(my_args.lxcpath[0], O_RDONLY) < 0) { fprintf(stderr, "You lack access to %s\n", 
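Review bot: The `setsid()` failure in lxc_init.c's main is logged only at DEBUG and without errno, so a real failure (as opposed to the benign EPERM when the process is already a process-group leader) leaves no trace in a normal log; the diff elsewhere uses `SYSERROR`/`strerror(errno)` style, and `DEBUG("Failed to make child session leader: %s", strerror(errno));` would at least keep the reason. `sid` is only used for the sign test, so `if (setsid() < 0)` would avoid the new variable in the first hunk. A comment on the consequence would help, since the behaviour is not obvious from the call: `/* New session: the exec'd init has no controlling terminal; the first tty it opens without O_NOCTTY becomes one. */`. main() continues outside both hunks.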
@@ -304,4 +307,3 @@ free(line); fclose(f); } - diff -Nru lxc-2.1.0/src/lxc/tools/lxc_start.c lxc-2.1.1/src/lxc/tools/lxc_start.c --- lxc-2.1.0/src/lxc/tools/lxc_start.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_start.c 2017-10-19 17:08:34.000000000 +0000 @@ -241,6 +241,9 @@ const char *lxcpath = my_args.lxcpath[0]; + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + /* * rcfile possibilities: * 1. rcfile from random path specified in cli option diff -Nru lxc-2.1.0/src/lxc/tools/lxc_stop.c lxc-2.1.1/src/lxc/tools/lxc_stop.c --- lxc-2.1.0/src/lxc/tools/lxc_stop.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_stop.c 2017-10-19 17:08:34.000000000 +0000 @@ -173,6 +173,9 @@ exit(ret); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + /* Set default timeout */ if (my_args.timeout == -2) { if (my_args.hardstop) diff -Nru lxc-2.1.0/src/lxc/tools/lxc_unfreeze.c lxc-2.1.1/src/lxc/tools/lxc_unfreeze.c --- lxc-2.1.0/src/lxc/tools/lxc_unfreeze.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_unfreeze.c 2017-10-19 17:08:34.000000000 +0000 @@ -75,6 +75,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) { ERROR("No such container: %s:%s", my_args.lxcpath[0], my_args.name); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_unshare.c lxc-2.1.1/src/lxc/tools/lxc_unshare.c --- lxc-2.1.0/src/lxc/tools/lxc_unshare.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_unshare.c 2017-10-19 17:08:34.000000000 +0000 
@@ -228,6 +228,9 @@ * dest: del + 1 == OUNT|PID * src: del + 3 == NT|PID */ + if (!namespaces) + usage(argv[0]); + while ((del = strstr(namespaces, "MOUNT"))) memmove(del + 1, del + 3, strlen(del) - 2); diff -Nru lxc-2.1.0/src/lxc/tools/lxc-update-config.in lxc-2.1.1/src/lxc/tools/lxc-update-config.in --- lxc-2.1.0/src/lxc/tools/lxc-update-config.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc-update-config.in 2017-10-19 17:08:34.000000000 +0000 @@ -63,8 +63,12 @@ -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_uid\)\([[:blank:]*]\|=\)/\1lxc\.init\.uid\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_gid\)\([[:blank:]*]\|=\)/\1lxc\.init\.gid\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.limit\)\([[:blank:]*]\|=\)/\1lxc\.prlimit\3/g' \ +-e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\(\.[[:digit:]*]\)\(\.ipv4\)/\1lxc\.net\3\4\.address/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\(\.[[:digit:]*]\)/\1lxc\.net\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\([[:blank:]*]\|=\)/\1lxc\.net\3/g' \ +-e '/\([[:blank:]*]\|#*\)\(lxc\.rootfs\.backend\)\([[:blank:]*]\|=\)/d' \ +-e '/\([[:blank:]*]\|#*\)\(lxc\.pivotdir\)\([[:blank:]*]\|=\)/d' \ +-e '/\([[:blank:]*]\|#*\)\(lxc\.kmsg\)\([[:blank:]*]\|=\)/d' \ "${CONFIGPATH}" # Finally, deal with network definitions of the following form: diff -Nru lxc-2.1.0/src/lxc/tools/lxc_usernsexec.c lxc-2.1.1/src/lxc/tools/lxc_usernsexec.c --- lxc-2.1.0/src/lxc/tools/lxc_usernsexec.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_usernsexec.c 2017-10-19 17:08:34.000000000 +0000 @@ -316,10 +316,8 @@ argv = &argv[optind]; argc = argc - optind; - if (argc < 1) { + if (argc < 1) argv = default_args; - argc = 1; - } if (pipe(pipe1) < 0 || pipe(pipe2) < 0) { perror("pipe"); 
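Review bot: The new `lxc.network.N.ipv4` rewrite in lxc-update-config.in has no trailing-context group, so it also matches the prefix of `lxc.network.0.ipv4.gateway` and turns it into `lxc.net.0.ipv4.address.gateway`, whereas every other substitution in the block anchors on `\([[:blank:]*]\|=\)`. Adding the same group and carrying it through fixes it: `-e 's/\([[:blank:]*]\|#*\)\(lxc\.network\)\(\.[[:digit:]*]\)\(\.ipv4\)\([[:blank:]*]\|=\)/\1lxc\.net\3\4\.address\5/g' \`. Note also that `[[:digit:]*]` is a bracket expression matching one digit or a literal `*`, so indices of two or more digits are not converted; that is pre-existing, but the new line inherits it. The three new `/…/d` expressions drop `lxc.rootfs.backend`, `lxc.pivotdir` and `lxc.kmsg` lines silently; a short comment above them saying why these keys are removed rather than converted would help the next reader.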
@@ -367,10 +365,9 @@ buf[0] = '1'; - if (lxc_map_ids(&active_map, pid)) { + if (lxc_map_ids(&active_map, pid)) fprintf(stderr, "error mapping child\n"); - ret = 0; - } + if (write(pipe2[1], buf, 1) < 0) { perror("write to pipe"); exit(EXIT_FAILURE); diff -Nru lxc-2.1.0/src/lxc/tools/lxc_wait.c lxc-2.1.1/src/lxc/tools/lxc_wait.c --- lxc-2.1.0/src/lxc/tools/lxc_wait.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/tools/lxc_wait.c 2017-10-19 17:08:34.000000000 +0000 @@ -102,6 +102,9 @@ exit(EXIT_FAILURE); lxc_log_options_no_override(); + /* REMOVE IN LXC 3.0 */ + setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0); + c = lxc_container_new(my_args.name, my_args.lxcpath[0]); if (!c) exit(EXIT_FAILURE); diff -Nru lxc-2.1.0/src/lxc/utils.c lxc-2.1.1/src/lxc/utils.c --- lxc-2.1.0/src/lxc/utils.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/utils.c 2017-10-19 17:08:34.000000000 +0000 
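Review bot: After this change an `lxc_map_ids()` failure in lxc_usernsexec.c is still followed by writing `'1'` to `pipe2`, so the child is released to run with an incomplete or missing uid/gid mapping; the removed `ret = 0` did not make it fatal either, but now nothing records the failure beyond the stderr message. If the mapping is required for what the child execs, the parent should stop before releasing it, e.g. `if (lxc_map_ids(&active_map, pid)) { fprintf(stderr, "error mapping child\n"); exit(EXIT_FAILURE); }`. Whether the child treats EOF on pipe2 as a failure is outside the hunk and needs checking before making the parent exit here.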
@@ -470,137 +470,105 @@ return (const char**)lxc_va_arg_list_to_argv(ap, skip, 0); } -extern struct lxc_popen_FILE *lxc_popen(const char *command) +struct lxc_popen_FILE *lxc_popen(const char *command) { - struct lxc_popen_FILE *fp = NULL; - int parent_end = -1, child_end = -1; + int ret; int pipe_fds[2]; pid_t child_pid; + struct lxc_popen_FILE *fp = NULL; - int r = pipe2(pipe_fds, O_CLOEXEC); - - if (r < 0) { - ERROR("pipe2 failure"); + ret = pipe2(pipe_fds, O_CLOEXEC); + if (ret < 0) return NULL; - } - - parent_end = pipe_fds[0]; - child_end = pipe_fds[1]; child_pid = fork(); + if (child_pid < 0) + goto on_error; - if (child_pid == 0) { - /* child */ - int child_std_end = STDOUT_FILENO; - - close(parent_end); - parent_end = -1; - - if (child_end != child_std_end) { - /* dup2() doesn't dup close-on-exec flag */ - dup2(child_end, child_std_end); + if (!child_pid) { + sigset_t mask; - /* it's safe not to close child_end here - * as it's marked close-on-exec anyway - */ - } else { - /* - * The descriptor is already the one we will use. - * But it must not be marked close-on-exec. - * Undo the effects. - */ - if (fcntl(child_end, F_SETFD, 0) != 0) { - SYSERROR("Failed to remove FD_CLOEXEC from fd."); - exit(127); - } - } + close(pipe_fds[0]); - /* - * Unblock signals. - * This is the main/only reason - * why we do our lousy popen() emulation. 
- */ - { - sigset_t mask; - sigfillset(&mask); - sigprocmask(SIG_UNBLOCK, &mask, NULL); + /* duplicate stdout */ + if (pipe_fds[1] != STDOUT_FILENO) + ret = dup2(pipe_fds[1], STDOUT_FILENO); + else + ret = fcntl(pipe_fds[1], F_SETFD, 0); + if (ret < 0) { + close(pipe_fds[1]); + exit(EXIT_FAILURE); } - execl("/bin/sh", "sh", "-c", command, (char *) NULL); - exit(127); - } + /* duplicate stderr */ + if (pipe_fds[1] != STDERR_FILENO) + ret = dup2(pipe_fds[1], STDERR_FILENO); + else + ret = fcntl(pipe_fds[1], F_SETFD, 0); + close(pipe_fds[1]); + if (ret < 0) + exit(EXIT_FAILURE); - /* parent */ + /* unblock all signals */ + ret = sigfillset(&mask); + if (ret < 0) + exit(EXIT_FAILURE); - close(child_end); - child_end = -1; + ret = sigprocmask(SIG_UNBLOCK, &mask, NULL); + if (ret < 0) + exit(EXIT_FAILURE); - if (child_pid < 0) { - ERROR("fork failure"); - goto error; + execl("/bin/sh", "sh", "-c", command, (char *)NULL); + exit(127); } - fp = calloc(1, sizeof(*fp)); - if (!fp) { - ERROR("failed to allocate memory"); - goto error; - } + close(pipe_fds[1]); + pipe_fds[1] = -1; - fp->f = fdopen(parent_end, "r"); - if (!fp->f) { - ERROR("fdopen failure"); - goto error; - } + fp = malloc(sizeof(*fp)); + if (!fp) + goto on_error; fp->child_pid = child_pid; + fp->pipe = pipe_fds[0]; - return fp; - -error: + fp->f = fdopen(pipe_fds[0], "r"); + if (!fp->f) + goto on_error; - if (fp) { - if (fp->f) { - fclose(fp->f); - parent_end = -1; /* so we do not close it second time */ - } + return fp; +on_error: + if (fp) free(fp); - } - if (parent_end != -1) - close(parent_end); + if (pipe_fds[0] >= 0) + close(pipe_fds[0]); + + if (pipe_fds[1] >= 0) + close(pipe_fds[1]); return NULL; } -extern int lxc_pclose(struct lxc_popen_FILE *fp) +int lxc_pclose(struct lxc_popen_FILE *fp) { - FILE *f = NULL; - pid_t child_pid = 0; - int wstatus = 0; pid_t wait_pid; + int wstatus = 0; - if (fp) { - f = fp->f; - child_pid = fp->child_pid; - /* free memory (we still need to close file stream) */ - 
free(fp); - fp = NULL; - } - - if (!f || fclose(f)) { - ERROR("fclose failure"); + if (!fp) return -1; - } do { - wait_pid = waitpid(child_pid, &wstatus, 0); - } while (wait_pid == -1 && errno == EINTR); + wait_pid = waitpid(fp->child_pid, &wstatus, 0); + } while (wait_pid < 0 && errno == EINTR); + + close(fp->pipe); + fclose(fp->f); + free(fp); - if (wait_pid == -1) { - ERROR("waitpid failure"); + if (wait_pid < 0) return -1; - } return wstatus; } @@ -2330,9 +2298,11 @@ /* close the write-end of the pipe */ close(pipefd[1]); - bytes = read(pipefd[0], buf, (buf_size > 0) ? (buf_size - 1) : 0); - if (bytes > 0) - buf[bytes - 1] = '\0'; + if (buf && buf_size > 0) { + bytes = read(pipefd[0], buf, buf_size - 1); + if (bytes > 0) + buf[bytes - 1] = '\0'; + } fret = wait_for_pid(child); /* close the read-end of the pipe */ diff -Nru lxc-2.1.0/src/lxc/utils.h lxc-2.1.1/src/lxc/utils.h --- lxc-2.1.0/src/lxc/utils.h 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/lxc/utils.h 2017-10-19 17:08:34.000000000 +0000 @@ -190,6 +190,7 @@ * without additional wrappers. */ struct lxc_popen_FILE { + int pipe; FILE *f; pid_t child_pid; }; diff -Nru lxc-2.1.0/src/lxc/version.h lxc-2.1.1/src/lxc/version.h --- lxc-2.1.0/src/lxc/version.h 2017-09-06 02:32:53.000000000 +0000 +++ lxc-2.1.1/src/lxc/version.h 2017-10-19 17:08:47.000000000 +0000 @@ -26,8 +26,8 @@ #define LXC_DEVEL 0 #define LXC_VERSION_MAJOR 2 #define LXC_VERSION_MINOR 1 -#define LXC_VERSION_MICRO 0 +#define LXC_VERSION_MICRO 1 #define LXC_VERSION_ABI "1.3.0" -#define LXC_VERSION "2.1.0" +#define LXC_VERSION "2.1.1" #endif diff -Nru lxc-2.1.0/src/tests/aa.c lxc-2.1.1/src/tests/aa.c --- lxc-2.1.0/src/tests/aa.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/aa.c 2017-10-19 17:08:34.000000000 +0000 
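Review bot: `lxc_pclose()` now does `close(fp->pipe)` and then `fclose(fp->f)`, but `fp->f` was created by `fdopen(pipe_fds[0], "r")` over that same descriptor, so fclose() closes the fd number a second time; in a multithreaded caller a descriptor opened by another thread in between can be closed out from under it. Drop the explicit `close(fp->pipe);` (fclose already releases the fd) or drop the new `pipe` member altogether. In the child branch of `lxc_popen()`, the unconditional `close(pipe_fds[1]);` after the stderr duplication is wrong when the write end is fd 1 or 2: with `pipe_fds[1] == STDOUT_FILENO` it closes the stdout the first block just prepared, and with `pipe_fds[1] == STDERR_FILENO` it closes the stderr whose CLOEXEC flag was just cleared; guard it as `if (pipe_fds[1] != STDOUT_FILENO && pipe_fds[1] != STDERR_FILENO) close(pipe_fds[1]);`. Two behavioural changes deserve a comment on `lxc_popen()`: the child's stderr is now also redirected into the pipe, so callers parsing the output will see diagnostics mixed in, and `lxc_pclose()` now waits for the child before closing the read end, so a caller that stops reading before EOF can block forever on a child stuck writing to a full pipe (the old order was fclose first, then waitpid).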
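Review bot: In the helper at @@ -2330 (its body starts outside the hunk) `buf[bytes - 1] = '\0'` overwrites the last byte that was read rather than terminating after it, and when `read()` returns 0 or -1 nothing terminates `buf` at all, so the caller sees whatever it contained before; the callers in this diff zero-initialise `cmd_output`, which is what makes that safe today. Terminating on every path is three lines: `bytes = read(pipefd[0], buf, buf_size - 1); if (bytes < 0) bytes = 0; buf[bytes] = '\0';`. If the intent of the `- 1` is to strip a trailing newline, that should be a separate, explicit check on `buf[bytes - 1] == '\n'` rather than an unconditional overwrite.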
@@ -105,7 +105,7 @@ "/proc/sys/kernel/shmmax", NULL }; -char *files_to_deny[] = { "/proc/mem", "/proc/kmem", +char *files_to_deny[] = { "/sys/kernel/uevent_helper", "/proc/sys/fs/file-nr", "/sys/kernel/mm/ksm/pages_to_scan", diff -Nru lxc-2.1.0/src/tests/concurrent.c lxc-2.1.1/src/tests/concurrent.c --- lxc-2.1.0/src/tests/concurrent.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/concurrent.c 2017-10-19 17:08:34.000000000 +0000 @@ -188,7 +188,8 @@ } modes[i] = tok; } - modes[i] = NULL; + if (modes) + modes[i] = NULL; break; } default: /* '?' */ diff -Nru lxc-2.1.0/src/tests/containertests.c lxc-2.1.1/src/tests/containertests.c --- lxc-2.1.0/src/tests/containertests.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/containertests.c 2017-10-19 17:08:34.000000000 +0000 @@ -40,10 +40,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); @@ -72,10 +70,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); diff -Nru lxc-2.1.0/src/tests/destroytest.c lxc-2.1.1/src/tests/destroytest.c --- lxc-2.1.0/src/tests/destroytest.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/destroytest.c 2017-10-19 17:08:34.000000000 +0000 
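Review bot: The new `if (modes)` guard in concurrent.c protects only the terminating `modes[i] = NULL`, while the `modes[i] = tok;` store two lines above runs unguarded, so if `modes` can really be NULL here the crash merely moves up one statement; the allocation is outside the hunk, so this looks like a placation of a static checker rather than a real path. Either apply the check where `modes` is allocated and bail out there, or add a comment stating why `modes` is non-NULL whenever the loop body has run.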
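Review bot: The forked child in containertests.c now calls `exit(EXIT_FAILURE)` after a failed `execlp()`; a child that shares the parent's stdio buffers will run the parent's atexit handlers and flush the duplicated buffers on `exit()`, so `_exit(EXIT_FAILURE)` is the conventional choice there. Dropping `perror("execl")` also loses the only indication of why the exec failed (for example `lxc-create` not on PATH), turning an environment problem into an opaque non-zero status; `perror("execlp"); _exit(EXIT_FAILURE);` costs nothing. The same pattern is changed in the second hunk of this file and in destroytest.c, saveconfig.c, shortlived.c and startone.c.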
@@ -38,10 +38,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); diff -Nru lxc-2.1.0/src/tests/lxc-test-apparmor-mount lxc-2.1.1/src/tests/lxc-test-apparmor-mount --- lxc-2.1.0/src/tests/lxc-test-apparmor-mount 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/lxc-test-apparmor-mount 2017-10-19 17:08:34.000000000 +0000 @@ -132,6 +132,7 @@ done else for d in /sys/fs/cgroup/*; do + [ "$d" = "/sys/fs/cgroup/unified" ] && continue [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children [ ! -d $d/lxctest ] && mkdir $d/lxctest chown -R $TUSER: $d/lxctest diff -Nru lxc-2.1.0/src/tests/lxc-test-unpriv lxc-2.1.1/src/tests/lxc-test-unpriv --- lxc-2.1.0/src/tests/lxc-test-unpriv 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/lxc-test-unpriv 2017-10-19 17:08:34.000000000 +0000 @@ -148,6 +148,7 @@ done else for d in /sys/fs/cgroup/*; do + [ "$d" = "/sys/fs/cgroup/unified" ] && continue [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children [ ! -d $d/lxctest ] && mkdir $d/lxctest chown -R $TUSER: $d/lxctest diff -Nru lxc-2.1.0/src/tests/lxc-test-usernic.in lxc-2.1.1/src/tests/lxc-test-usernic.in --- lxc-2.1.0/src/tests/lxc-test-usernic.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/lxc-test-usernic.in 2017-10-19 17:08:34.000000000 +0000 
@@ -105,6 +105,7 @@ done else for d in /sys/fs/cgroup/*; do + [ "$d" = "/sys/fs/cgroup/unified" ] && continue [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children [ ! -d $d/lxctest ] && mkdir $d/lxctest chown -R usernic-user: $d/lxctest diff -Nru lxc-2.1.0/src/tests/saveconfig.c lxc-2.1.1/src/tests/saveconfig.c --- lxc-2.1.0/src/tests/saveconfig.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/saveconfig.c 2017-10-19 17:08:34.000000000 +0000 @@ -38,10 +38,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); diff -Nru lxc-2.1.0/src/tests/shortlived.c lxc-2.1.1/src/tests/shortlived.c --- lxc-2.1.0/src/tests/shortlived.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/shortlived.c 2017-10-19 17:08:34.000000000 +0000 @@ -40,10 +40,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); @@ -72,10 +70,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); diff -Nru lxc-2.1.0/src/tests/startone.c lxc-2.1.1/src/tests/startone.c --- lxc-2.1.0/src/tests/startone.c 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/src/tests/startone.c 2017-10-19 17:08:34.000000000 +0000 
@@ -40,10 +40,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); @@ -72,10 +70,8 @@ return -1; } if (pid == 0) { - ret = execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); - // Should not return - perror("execl"); - exit(1); + execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL); + exit(EXIT_FAILURE); } again: ret = waitpid(pid, &status, 0); diff -Nru lxc-2.1.0/templates/lxc-alpine.in lxc-2.1.1/templates/lxc-alpine.in --- lxc-2.1.0/templates/lxc-alpine.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/templates/lxc-alpine.in 2017-10-19 17:08:34.000000000 +0000 @@ -185,7 +185,7 @@ echo "$APK_KEYS_SHA256" | while read -r line; do keyname="${line##* }" - if [ ! -f "$keyname" ]; then + if [ ! -s "$keyname" ]; then fetch "$APK_KEYS_URI/$keyname" > "$keyname" fi echo "$line" | sha256sum -c - @@ -210,7 +210,7 @@ fetch "$MIRROR_URL/latest-stable/main/$arch/${pkg_name}-${pkg_ver}.apk" \ | tar -xz -C "$dest" sbin/ # --extract --gzip --directory - [ -f "$dest/sbin/apk.static" ] || die 2 'apk.static not found' + [ -s "$dest/sbin/apk.static" ] || die 2 'apk.static not found' local keyname=$(echo "$dest"/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//') openssl dgst -sha1 \ diff -Nru lxc-2.1.0/templates/lxc-archlinux.in lxc-2.1.1/templates/lxc-archlinux.in --- lxc-2.1.0/templates/lxc-archlinux.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/templates/lxc-archlinux.in 2017-10-19 17:08:34.000000000 +0000 
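Review bot: `[ ! -s "$keyname" ]` in lxc-alpine.in re-fetches a key only when the file is empty, so a truncated or otherwise wrong download left by an earlier run is kept and never re-fetched; the `sha256sum -c` on the next line is then the only guard, and the hunk does not show its exit status stopping the `while read` loop (the loop body continues outside the hunk). Removing the file when the download fails keeps the `-s` test meaningful: `fetch "$APK_KEYS_URI/$keyname" > "$keyname" || rm -f "$keyname"`. The matching `-f` to `-s` change for `apk.static` at @@ -210 is fine as written because `die 2 'apk.static not found'` follows it.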
@@ -41,7 +41,7 @@ # defaults arch=$(uname -m) default_path="@LXCPATH@" -default_locale="en-US.UTF-8" +default_locale="en_US.UTF-8" pacman_config="/etc/pacman.conf" common_config="@LXCTEMPLATECONFIG@/common.conf" shared_config="@LXCTEMPLATECONFIG@/archlinux.common.conf" diff -Nru lxc-2.1.0/templates/lxc-debian.in lxc-2.1.1/templates/lxc-debian.in --- lxc-2.1.0/templates/lxc-debian.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/templates/lxc-debian.in 2017-10-19 17:08:34.000000000 +0000 @@ -238,14 +238,6 @@ config=$3 num_tty=$4 - # this only works if we have getty@.service to manipulate - if [ -f "${rootfs}/lib/systemd/system/getty@.service" ]; then - sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \ - -e 's/After=dev-%i.device/After=/' \ - < "${rootfs}/lib/systemd/system/getty@.service" \ - > "${rootfs}/etc/systemd/system/getty@.service" - fi - # just in case systemd is not installed mkdir -p "${rootfs}/lib/systemd/system" mkdir -p "${rootfs}/etc/systemd/system/getty.target.wants" diff -Nru lxc-2.1.0/templates/lxc-plamo.in lxc-2.1.1/templates/lxc-plamo.in --- lxc-2.1.0/templates/lxc-plamo.in 2017-09-06 02:32:37.000000000 +0000 +++ lxc-2.1.1/templates/lxc-plamo.in 2017-10-19 17:08:34.000000000 +0000 @@ -186,7 +186,8 @@ # glibc configure mv $rootfs/etc/ld.so.conf{.new,} chroot $rootfs ldconfig - echo "Please change root password!" + + # delete unnecessary process from rc.S ed - $rootfs/etc/rc.d/rc.S <<- "EOF" /^mount -w -n -t proc/;/^mkdir \/dev\/shm/-1d /^mknod \/dev\/null/;/^# Clean \/etc\/mtab/-2d 
@@ -194,13 +195,22 @@ /^# Check the integrity/;/^# Clean up temporary/-1d w EOF - # /etc/rc.d/rc.M + + # delete unnecessary process from rc.M ed - $rootfs/etc/rc.d/rc.M <<- "EOF" /^# Screen blanks/;/^# Initialize ip6tables/-1d /^# Initialize sysctl/;/^echo "Starting services/-1d /^sync/;/^# All done/-1d w EOF + + # delete unnecessary process from rc.6 + ed - $rootfs/etc/rc.d/rc.6 <<- "EOF" + /^# Save system time/;/^# Unmount any remote filesystems/-1d + /^# Turn off swap/;/^# See if this is a powerfail situation/-1d + w + EOF + # /etc/rc.d/rc.inet1.tradnet head -n-93 $rootfs/sbin/netconfig.tradnet > /tmp/netconfig.rconly cat <<- EOF >> /tmp/netconfig.rconly