diff -Nru lxc-0.7.5/debian/changelog lxc-0.7.5/debian/changelog --- lxc-0.7.5/debian/changelog 2012-04-16 17:02:41.000000000 +0000 +++ lxc-0.7.5/debian/changelog 2012-08-24 16:11:01.000000000 +0000 
@@ -1,3 +1,156 @@ +lxc (0.7.5-3ubuntu63~ppa1) precise; urgency=low + + * 0201-fix-mkdir-race: don't raise an error if mkdir fails due to + EEXIST. + + -- Serge Hallyn Fri, 24 Aug 2012 11:10:19 -0500 + +lxc (0.7.5-3ubuntu62) precise-proposed; urgency=low + + * lxc.postrm: support "purge" command (LP: #1029716) + + -- Serge Hallyn Fri, 27 Jul 2012 03:31:39 +0000 + +lxc (0.7.5-3ubuntu61) precise-proposed; urgency=low + + * Fix lxc-ubuntu and lxc-ubuntu-cloud to fix the /dev/shm workaround to only + trigger when /dev/shm is not a symlink. (LP: #974584) + + -- Stéphane Graber Thu, 26 Jul 2012 13:30:48 -0400 + +lxc (0.7.5-3ubuntu60) precise-proposed; urgency=low + + * Update lxc-ubuntu template to use "dpkg --add-architecture" in containers + running dpkg >= 1.16.2. (LP: #1017862) + * Patch lxc-clone to stop messing with dhclient.conf when it contains a + placeholder ( or gethostname()). Fixes cases where dpkg will + prompt for modified config file on upgrade. (LP: #1021416) + * Allow write access to /proc/sys/kernel/shm* as these are namespaced (IPC). + (LP: #1021411) + * Allow fstype=fuse.*, for all containers. (LP: #1021421) + * Rebase lxc-list on quantal's, properly shows FROZEN containers and prints + error messages on stderr. (LP: #1021429) + * Only run dh_apparmor against the lxc package. (LP: #1021428) + * Depend on adduser as it's being used in postinst. + * Fix lintian-overrides syntax. + + -- Stéphane Graber Thu, 05 Jul 2012 12:18:47 -0400 + +lxc (0.7.5-3ubuntu59) precise-proposed; urgency=low + + [ Serge Hallyn ] + * 0085-pivot-dir: use a directory other than /mnt to put the pivot_root + old dir into (LP: #986385) + * 0086-lxc-unshare-zero-args: fix lxc-unshare segfaulting when no command + is given (LP: #1011603) + * 0087-lxc-ls-dash: fix lxc-ls for containers whose names start with a + dash (LP: #1006332) + * 0088-ubuntu-template-flock: don't fail when flock is busy, just wait, + so concurrent lxc-creates don't break. 
(LP: #1007483) + * debian/rules, debian/lxc.apport: install apport hook (LP: #1011644) + + [ Stéphane Graber ] + * Ship /etc/dnsmasq.d/lxc to configure an eventual system wide + dnsmasq daemon not to listen on the LXC bridge interface. (LP: #928524) + + -- Serge Hallyn Mon, 11 Jun 2012 19:56:30 -0500 + +lxc (0.7.5-3ubuntu58) precise-proposed; urgency=low + + * Fix broken logic in lxc-ubuntu template where lxc.devttydir would be + set to 'lxc' only for releases that don't support it. (LP: #1007493) + + -- Stéphane Graber Fri, 01 Jun 2012 11:46:50 -0400 + +lxc (0.7.5-3ubuntu57) precise-proposed; urgency=low + + [ Serge Hallyn ] + * 0083-always-close-all-fds.patch: Have lxc-start always run with + --close-all-fds. There is no advantage to having lxc-start fail with + inherited fds. (LP: #1003583) + * debian/lxc-net.upstart: don't put '()' after call to cleanup. + (LP: #1000174) + + [ Stéphane Graber ] + * Sync lxc-ubuntu with the one in Quantal: + - Bugfixes: + + Update list of extra packages for debootstrap to only include vim + and ssh. The others were only relevant when we were still using the + minbase variant. (LP: #996839) + + Update default /etc/hosts to match that of a regular Ubuntu system. + (adds missing ipv6 aliases) (LP: #1004108) + + Make sure /etc/resolv.conf is valid before running any apt command. + Fixes a potential race condition (no report of it at this time). + + - Improvements we get by pulling the whole patch from Quantal. + These don't contain any user behaviour change but will make + cherry-picking any further change much easier. + + Drop any hardcoded Ubuntu version check and replace by feature + checks instead. This removes the need for SRUs whenever we release + a new Ubuntu. + + Format lxc-ubuntu to consistently use 4-spaces indent instead + of mixed spaces/tabs. + + Update default /etc/network/interfaces to include the header. + + Drop support for never supported releases (gutsy on sparc). 
+ + Update template help message for release and arch parameters. + Old string was only listing i386 and amd64, which is no longer + accurate (as of 12.04). + (This string isn't translated) + + Switch default Ubuntu version from lucid to precise for systems + that don't have lsb_release (won't affect Ubuntu) + + * Sync lxc-start-ephemeral with the one in Quantal: + - Switch lxc-start-ephemeral from unreliable parsing of DHCP lease files + to using "ip netns" to retrieve the IP from the container's network + namespace. (LP: #994752) + - Fix a race in lxc-start-ephemeral where the container isn't yet + running when trying to get its IPs. + - Update a few calls so that lxc-start-ephemeral can be called as a + user (ensure consistent usage of sudo across the script). (LP: #1004069) + + -- Stéphane Graber Thu, 24 May 2012 13:28:06 -0400 + +lxc (0.7.5-3ubuntu56) precise-proposed; urgency=low + + * Fix Ubuntu template to install the host architecture of the required + mutli-arch packages (when using qemu-user-static) instead of hardcoded + "amd64" version. (LP: #999187) + + -- Stéphane Graber Tue, 15 May 2012 12:00:18 -0400 + +lxc (0.7.5-3ubuntu55) precise-proposed; urgency=low + + * 0082-umount-old-proc: fix proc auto-mount. If /proc is already mounted, + make sure that /proc/self points to 1, since we are container init. + Otherwise, assume proc is an old one, and umount it and remount our own. + If we keep the old proc mounted, apparmor transitions will by tried for + wrong task and fail. Also move check for whether apparmor is enabled so + that it is called by lxc-execute. (LP: #993706) + * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud + needs it. (LP: #995361) + * debian/lxc.upstart: load apparmor profiles before auto-starting containers. 
+ (LP: #989853) + * debian/control: add apparmor to lxc Depends (LP: #997681) + * debian/local/lxc-start-ephemeral: quote $line so its contents don't get + expanded (LP: #997687) + + -- Serge Hallyn Thu, 10 May 2012 08:53:38 -0700 + +lxc (0.7.5-3ubuntu54) precise-proposed; urgency=low + + * lxc-clone: put quotes around $line to avoid expansion (LP: #993515) + + -- Serge Hallyn Wed, 02 May 2012 15:28:22 -0500 + +lxc (0.7.5-3ubuntu53) precise-proposed; urgency=low + + * 0074-fix-sprintfs - check return values for all sprintfs and snprintfs + which could overflow (LP: #988918) + * 0075-execute-without-rootfs: let lxc-execute succeed with no rootfs + (LP: #981955) + + -- Serge Hallyn Thu, 26 Apr 2012 10:52:47 -0500 + lxc (0.7.5-3ubuntu52) precise; urgency=low [ Ben Howard ] diff -Nru lxc-0.7.5/debian/control lxc-0.7.5/debian/control --- lxc-0.7.5/debian/control 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/control 2012-08-24 16:08:19.000000000 +0000 @@ -12,8 +12,8 @@ Package: lxc Architecture: linux-any -Depends: ${misc:Depends}, ${shlibs:Depends}, bridge-utils, dnsmasq-base, iptables, rsync -Recommends: debootstrap, libcap2-bin, cgroup-lite | cgroup-bin, openssl +Depends: ${misc:Depends}, ${shlibs:Depends}, apparmor, bridge-utils, dnsmasq-base, iptables, rsync, adduser +Recommends: debootstrap, cloud-utils, libcap2-bin, cgroup-lite | cgroup-bin, openssl Suggests: btrfs-tools, lvm2, qemu-user-static Description: Linux containers userspace tools Containers are insulated areas inside a system, which have their own namespace diff -Nru lxc-0.7.5/debian/local/lxc-list lxc-0.7.5/debian/local/lxc-list --- lxc-0.7.5/debian/local/lxc-list 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/local/lxc-list 2012-08-24 16:08:19.000000000 +0000 
@@ -4,11 +4,11 @@ if [ ! -x "$(which lxc-info 2>/dev/null)" ] then - echo "E: lxc-info - no such file" + echo "E: lxc-info - no such file" >&2 exit 1 fi -for _STATUS in RUNNING STOPPED +for _STATUS in RUNNING FROZEN STOPPED do echo ${_STATUS} @@ -18,8 +18,7 @@ then echo -n " ${_CONTAINER}" - if [ -e /etc/lxc/auto/${_CONTAINER} ] || - [ -e /etc/lxc/auto/${_CONTAINER}.conf ] + if [ -e /etc/lxc/auto/${_CONTAINER} ] || [ -e /etc/lxc/auto/${_CONTAINER}.conf ] then echo " (auto)" else diff -Nru lxc-0.7.5/debian/local/lxc-start-ephemeral lxc-0.7.5/debian/local/lxc-start-ephemeral --- lxc-0.7.5/debian/local/lxc-start-ephemeral 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/local/lxc-start-ephemeral 2012-08-24 16:08:19.000000000 +0000 @@ -63,7 +63,7 @@ fi } -trap cleanup SIGTERM SIGINT SIGQUIT +trap cleanup SIGTERM SIGINT SIGQUIT getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") if [ $? != 0 ]; then 
@@ -180,82 +180,109 @@ fi else # Otherwise, we can pass it through unchanged. - echo $line; + echo "$line"; fi fi - done < $LXC_DIR/fstab.old > $LXC_DIR/fstab + done < $LXC_DIR/fstab.old | sudo tee $LXC_DIR/fstab >/dev/null # If LXC_BIND is defined, add it to fstab. if [ -n "$LXC_BIND" ]; then sudo mkdir -p $LXC_DIR/rootfs$LXC_BIND - echo "$LXC_BIND $LXC_DIR/rootfs$LXC_BIND none bind 0 0" >> $LXC_DIR/fstab + echo "$LXC_BIND $LXC_DIR/rootfs$LXC_BIND none bind 0 0" | sudo tee -a $LXC_DIR/fstab >/dev/null fi # update the ephemeral container's MAC address (lifted from lxc-clone) c=$LXC_DIR/config # change hwaddrs - mv ${c} ${c}.old + sudo mv ${c} ${c}.old ( while read line; do if [ "${line:0:18}" = "lxc.network.hwaddr" ]; then echo "lxc.network.hwaddr= 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" else - echo $line + echo "$line" fi done - ) < ${c}.old > ${c} - rm -f ${c}.old + ) < ${c}.old | sudo tee ${c} >/dev/null + sudo rm -f ${c}.old +} + +get_ip() +{ + # Get init's PID + PID=$(sudo lxc-info -n $1 -p | awk '{print $2}') + [ "$PID" = "-1" ] && return 1 + + # Get some unique path + DST=$(sudo mktemp -u --tmpdir=/run/netns/) + NAME=$(basename $DST) + + # Prepare the /run/netns entry for "ip netns" + sudo mkdir -p /run/netns + sudo ln -s /proc/$PID/ns/net $DST + + # Grab all the public globally routed IPv4 and IPv6 addresses + (sudo ip netns exec $NAME ip -4 addr show scope global && \ + sudo ip netns exec $NAME ip -6 addr show scope global) | grep inet | while read line; do + ip=$(echo $line | awk '{print $2}' | cut -d '/' -f1) + echo "$ip" + done - # precise is now the worst - its dhclient *uses* - # /var/lib/dhcp3/dhclient.eth0.leases but ships without that - # directory, so you get no leases file at all. 
- LEASES=$LXC_DIR/rootfs/var/lib/dhcp3/dhclient.eth0.leases - LEASES2=$LXC_DIR/rootfs/var/lib/dhcp/dhclient.leases - sudo mkdir -p $LXC_DIR/rootfs/var/lib/dhcp3 - sudo mkdir -p $LXC_DIR/rootfs/var/lib/dhcp - sudo truncate -c -s0 $LEASES - sudo truncate -c -s0 $LEASES2 + sudo rm $DST } start_container() { echo "Starting up the container..." sudo lxc-start -n $LXC_NAME -d + sudo lxc-wait -s RUNNING -n $LXC_NAME LXC_RUNNING=1 if [ $COMMAND_LENGTH -gt 0 ]; then - # when lxc-attach support arrives in the kernel, we can switch to - # that - delay=30 - while [ $delay -gt 0 -a ! -s $LEASES -a ! -s $LEASES2 ] - do - delay=$(( $delay - 1 )) - sleep 1 - done + # When lxc-attach support arrives in the kernel, we can switch to + # that. + # Meanwhile, we use get_ip to wait for container's network to be up + # and to obtain the ip address, then we can ssh to the lxc. + TRIES=60 + FAILED=1 + + # Repeatedly try to connect over SSH until we either succeed + # or time out. + for i in $(seq 1 $TRIES); do + # We call get_ip inside the loop to ensure the correct ip + # is retrieved even in the case the DHCP ip assignment + # changes during the process. + IP_ADDRESS=$(get_ip $LXC_NAME) + if [ -z "$IP_ADDRESS" ]; then + sleep 1 + continue + fi - [ -s $LEASES ] || LEASES=$LEASES2 - IP_ADDRESS=`sudo grep fixed-address $LEASES | tail -n 1 | sed -r 's/.* ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'` - if [ 0 -eq $? -a -n "$IP_ADDRESS" ]; then - # Repeatedly try to connect over SSH until we either succeed - # or time out. - for i in $(seq 1 30); do - ssh -n -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $LXC_KEY $LXC_USER@$IP_ADDRESS -- "$COMMAND" + # Iterate through all the addresses (if multiple) + for ip in $IP_ADDRESS; do + ssh -n -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ + $LXC_KEY $LXC_USER@$IP_ADDRESS -- "$COMMAND" if [ ! 255 -eq $? ]; then # If ssh returns 255 then its connection failed. 
# Anything else is either success (status 0) or a # failure from whatever we ran over the SSH connection. # In those cases we want to stop looping, so we break - # here. + # here + + FAILED=0 break; fi - sleep 1 done - else + + if [ "$FAILED" = "0" ]; then + break + fi + sleep 1 + done + + if [ "$FAILED" = "1" ]; then echo "could not get IP address - aborting." >&2 - echo "content of $LEASES:" >&2 - cat $LEASES >&2 - echo "content of $LEASES2:" >&2 - cat $LEASES2 >&2 fi else sudo lxc-wait -n $LXC_NAME -s RUNNING diff -Nru lxc-0.7.5/debian/lxc-default.apparmor lxc-0.7.5/debian/lxc-default.apparmor --- lxc-0.7.5/debian/lxc-default.apparmor 2012-04-02 14:38:13.000000000 +0000 +++ lxc-0.7.5/debian/lxc-default.apparmor 2012-08-24 16:08:19.000000000 +0000 @@ -16,6 +16,9 @@ # allow mqueue mounts everywhere mount fstype=mqueue, + # allow fuse mounts everywhere + mount fstype=fuse.*, + # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with # the newinstance option (but, right now, we don't). @@ -32,7 +35,8 @@ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, - deny @{PROC}/sys/kernel/** wklx, + deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, + deny @{PROC}/sys/kernel/*/** wklx, # deny writes in /sys except for /sys/fs/cgroup, also allow # fusectl, securityfs and debugfs to be mounted there (read-only) diff -Nru lxc-0.7.5/debian/lxc.apport lxc-0.7.5/debian/lxc.apport --- lxc-0.7.5/debian/lxc.apport 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/lxc.apport 2012-08-24 16:08:19.000000000 +0000 
@@ -0,0 +1,21 @@ +'''apport package hook for lxc + +(c) 2012 Canonical Ltd. +Author: +Serge Hallyn +''' + +from apport.hookutils import * +from os import path +import re + +def add_info(report): + attach_related_packages(report, ['dnsmasq', 'dnsmasq-base', 'libvirt-bin', 'apparmor', 'libapparmor1', 'apparmor-utils', 'auditd', 'libaudit0']) + attach_mac_events(report) + attach_upstart_overrides(report, "lxc") + command_output(['ls', '-ld', '/bin/sh']) + attach_conffiles(report, 'lxc') + report["lxcsyslog"] = recent_syslog(re.compile("lxc")) + # should we attach all lxc apparmor files + #command_output(['ls', '-l', '/etc/apparmor.d/lxc'] + #command_output(['cat', '/etc/apparmor.d/lxc/*'] diff -Nru lxc-0.7.5/debian/lxc.default lxc-0.7.5/debian/lxc.default --- lxc-0.7.5/debian/lxc.default 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/lxc.default 2012-08-24 16:08:19.000000000 +0000 @@ -18,6 +18,8 @@ # configuration (/var/lib/lxc//config) for any containers # already created using the default config to reflect the new bridge # name. +# If you have the dnsmasq daemon installed, you'll also have to update +# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon. LXC_BRIDGE="lxcbr0" LXC_ADDR="10.0.3.1" LXC_NETMASK="255.255.255.0" diff -Nru lxc-0.7.5/debian/lxc.dnsmasq lxc-0.7.5/debian/lxc.dnsmasq --- lxc-0.7.5/debian/lxc.dnsmasq 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/lxc.dnsmasq 2012-08-24 16:08:19.000000000 +0000 @@ -0,0 +1,2 @@ +bind-interfaces +except-interface=lxcbr0 diff -Nru lxc-0.7.5/debian/lxc.lintian-overrides lxc-0.7.5/debian/lxc.lintian-overrides --- lxc-0.7.5/debian/lxc.lintian-overrides 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/lxc.lintian-overrides 2012-08-24 16:08:19.000000000 +0000 
@@ -1,3 +1,3 @@ # bugs.debian.org/204975 (debhelper) -lxc: postinst-has-useless-call-to-ldconfig -lxc: postrm-has-useless-call-to-ldconfig +lxc postinst-has-useless-call-to-ldconfig +lxc postrm-has-useless-call-to-ldconfig diff -Nru lxc-0.7.5/debian/lxc.lxc-net.upstart lxc-0.7.5/debian/lxc.lxc-net.upstart --- lxc-0.7.5/debian/lxc.lxc-net.upstart 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/lxc.lxc-net.upstart 2012-08-24 16:08:19.000000000 +0000 @@ -39,7 +39,7 @@ brctl addbr ${LXC_BRIDGE} ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up iptables -A POSTROUTING -s ${LXC_NETWORK} -t nat -j MASQUERADE - dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file= --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} || cleanup() + dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file= --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} || cleanup touch ${varrun}/network_up end script diff -Nru lxc-0.7.5/debian/lxc.postinst lxc-0.7.5/debian/lxc.postinst --- lxc-0.7.5/debian/lxc.postinst 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/lxc.postinst 2012-08-24 16:08:19.000000000 +0000 @@ -53,6 +53,9 @@ configure) add_users apparmor_load + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true ;; abort-upgrade|abort-remove|abort-deconfigure) diff -Nru lxc-0.7.5/debian/lxc.postrm lxc-0.7.5/debian/lxc.postrm --- lxc-0.7.5/debian/lxc.postrm 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/lxc.postrm 2012-08-24 16:08:19.000000000 +0000 
@@ -20,12 +20,13 @@ case "$1" in - purge) - rm -f /etc/apparmor.d/lxc/lxc-default || true - rmdir /etc/apparmor.d/lxc || true - rmdir /etc/apparmor.d/lxc-containers || true + remove) + rm -f /etc/dnsmasq.d/lxc 2>/dev/null || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true ;; - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + purge|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) diff -Nru lxc-0.7.5/debian/lxc.upstart lxc-0.7.5/debian/lxc.upstart --- lxc-0.7.5/debian/lxc.upstart 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/lxc.upstart 2012-08-24 16:08:19.000000000 +0000 @@ -12,12 +12,6 @@ [ "x$LXC_AUTO" = "xtrue" ] || { stop; exit 0; } - ls /etc/lxc/auto/* > /dev/null 2>&1 || exit 0; - for f in /etc/lxc/auto/*; do - c="$(basename $f .conf)" - lxc-info -n $c 2>/dev/null | grep state | grep -q "RUNNING" || lxc-start -n $c -f $f -d - done - # don't load profiles if mount mediation is not supported SYSF=/sys/kernel/security/apparmor/features/mount/mask if [ -f $SYSF ]; then @@ -26,6 +20,13 @@ /lib/init/apparmor-profile-load lxc-containers fi fi + + ls /etc/lxc/auto/* > /dev/null 2>&1 || exit 0; + for f in /etc/lxc/auto/*; do + c="$(basename $f .conf)" + lxc-info -n $c 2>/dev/null | grep state | grep -q "RUNNING" || lxc-start -n $c -f $f -d + done + end script post-stop script diff -Nru lxc-0.7.5/debian/patches/0074-fix-sprintfs lxc-0.7.5/debian/patches/0074-fix-sprintfs --- lxc-0.7.5/debian/patches/0074-fix-sprintfs 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0074-fix-sprintfs 2012-08-24 16:08:19.000000000 +0000 
@@ -0,0 +1,508 @@ +Description: switch all sprintfs which can overrun to snprintfs + This will be forwarded upstream +Author: Serge Hallyn +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/988918 +Forwarded: no + +Index: lxc-0.7.5/src/lxc/commands.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/commands.c 2012-04-26 16:18:15.000000000 +0000 ++++ lxc-0.7.5/src/lxc/commands.c 2012-04-26 17:09:39.562283058 +0000 +@@ -75,8 +75,14 @@ + int sock, ret = -1; + char path[sizeof(((struct sockaddr_un *)0)->sun_path)] = { 0 }; + char *offset = &path[1]; ++ int rc, len; + +- sprintf(offset, abstractname, name); ++ len = sizeof(path)-1; ++ rc = snprintf(offset, len, abstractname, name); ++ if (rc < 0 || rc >= len) { ++ ERROR("Name too long"); ++ return -1; ++ } + + sock = lxc_af_unix_connect(path); + if (sock < 0 && errno == ECONNREFUSED) { +@@ -268,8 +274,14 @@ + int ret, fd; + char path[sizeof(((struct sockaddr_un *)0)->sun_path)] = { 0 }; + char *offset = &path[1]; ++ int rc, len; + +- sprintf(offset, abstractname, name); ++ len = sizeof(path)-1; ++ rc = snprintf(offset, len, abstractname, name); ++ if (rc < 0 || rc >= len) { ++ ERROR("Name too long"); ++ return -1; ++ } + + fd = lxc_af_unix_open(path, SOCK_STREAM, 0); + if (fd < 0) { +Index: lxc-0.7.5/src/lxc/lxc_monitor.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/lxc_monitor.c 2012-04-26 16:18:15.000000000 +0000 ++++ lxc-0.7.5/src/lxc/lxc_monitor.c 2012-04-26 16:18:15.000000000 +0000 +@@ -71,6 +71,7 @@ + struct lxc_msg msg; + regex_t preg; + int fd; ++ int len, rc; + + if (lxc_arguments_parse(&my_args, argc, argv)) + return -1; +@@ -79,12 +80,18 @@ + my_args.progname, my_args.quiet)) + return -1; + +- regexp = malloc(strlen(my_args.name) + 3); ++ len = strlen(my_args.name) + 3; ++ regexp = malloc(len + 3); + if (!regexp) { + ERROR("failed to allocate memory"); + return -1; + } +- sprintf(regexp, "^%s$", 
my_args.name); ++ rc = snprintf(regexp, len, "^%s$", my_args.name); ++ if (rc < 0 || rc >= len) { ++ ERROR("Name too long"); ++ free(regexp); ++ return -1; ++ } + + if (regcomp(&preg, regexp, REG_NOSUB|REG_EXTENDED)) { + ERROR("failed to compile the regex '%s'", my_args.name); +Index: lxc-0.7.5/src/lxc/conf.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/conf.c 2012-04-26 16:18:15.000000000 +0000 ++++ lxc-0.7.5/src/lxc/conf.c 2012-04-26 17:08:52.866279000 +0000 +@@ -234,11 +234,25 @@ + return -1; + } + +- ret = sprintf(buffer, "%s %s %s", script, name, section); ++ ret = snprintf(buffer, size, "%s %s %s", script, name, section); ++ if (ret < 0 || ret >= size) { ++ ERROR("Script name too long"); ++ free(buffer); ++ return -1; ++ } + + va_start(ap, script); +- while ((p = va_arg(ap, char *))) +- ret += sprintf(buffer + ret, " %s", p); ++ while ((p = va_arg(ap, char *))) { ++ int len = size-ret; ++ int rc; ++ rc = snprintf(buffer + ret, len, " %s", p); ++ if (rc < 0 || rc >= len) { ++ free(buffer); ++ ERROR("Script args too long"); ++ return -1; ++ } ++ ret += rc; ++ } + va_end(ap); + + f = popen(buffer, "r"); +@@ -384,7 +398,7 @@ + { + struct dirent dirent, *direntp; + struct loop_info64 loinfo; +- int ret = -1, fd = -1; ++ int ret = -1, fd = -1, rc; + DIR *dir; + char path[MAXPATHLEN]; + +@@ -408,7 +422,10 @@ + if (strncmp(direntp->d_name, "loop", 4)) + continue; + +- sprintf(path, "/dev/%s", direntp->d_name); ++ rc = snprintf(path, MAXPATHLEN, "/dev/%s", direntp->d_name); ++ if (rc < 0 || rc >= MAXPATHLEN) ++ continue; ++ + fd = open(path, O_RDWR); + if (fd < 0) + continue; +@@ -570,7 +587,7 @@ + } + if (ttydir) { + /* create dev/lxc/tty%d" */ +- snprintf(lxcpath, sizeof(lxcpath), "%s/dev/%s/tty%d", ++ ret = snprintf(lxcpath, sizeof(lxcpath), "%s/dev/%s/tty%d", + rootfs->mount, ttydir, i + 1); + if (ret >= sizeof(lxcpath)) { + ERROR("pathname too long for ttys"); +@@ -594,7 +611,11 @@ + continue; + } + +- 
snprintf(lxcpath, sizeof(lxcpath), "%s/tty%d", ttydir, i+1); ++ ret = snprintf(lxcpath, sizeof(lxcpath), "%s/tty%d", ttydir, i+1); ++ if (ret >= sizeof(lxcpath)) { ++ ERROR("tty pathname too long"); ++ return -1; ++ } + ret = symlink(lxcpath, path); + if (ret) { + SYSERROR("failed to create symlink for tty %d\n", i+1); +@@ -675,12 +696,17 @@ + void *cbparm[2]; + struct lxc_list mountlist, *iterator; + int ok, still_mounted, last_still_mounted; ++ int rc; + + /* read and parse /proc/mounts in old root fs */ + lxc_list_init(&mountlist); + + /* oldrootfs is on the top tree directory now */ +- snprintf(path, sizeof(path), "/%s", oldrootfs); ++ rc = snprintf(path, sizeof(path), "/%s", oldrootfs); ++ if (rc >= sizeof(path)) { ++ ERROR("rootfs name too long"); ++ return -1; ++ } + cbparm[0] = &mountlist; + + cbparm[1] = strdup(path); +@@ -689,7 +715,11 @@ + return -1; + } + +- snprintf(path, sizeof(path), "%s/proc/mounts", oldrootfs); ++ rc = snprintf(path, sizeof(path), "%s/proc/mounts", oldrootfs); ++ if (rc >= sizeof(path)) { ++ ERROR("container proc/mounts name too long"); ++ return -1; ++ } + + ok = lxc_file_for_each_line(path, + setup_rootfs_pivot_root_cb, &cbparm); +@@ -743,6 +773,7 @@ + { + char path[MAXPATHLEN]; + int remove_pivotdir = 0; ++ int rc; + + /* change into new root fs */ + if (chdir(rootfs)) { +@@ -754,7 +785,11 @@ + pivotdir = "mnt"; + + /* compute the full path to pivotdir under rootfs */ +- snprintf(path, sizeof(path), "%s/%s", rootfs, pivotdir); ++ rc = snprintf(path, sizeof(path), "%s/%s", rootfs, pivotdir); ++ if (rc >= sizeof(path)) { ++ ERROR("pivot dir name too long"); ++ return -1; ++ } + + if (access(path, F_OK)) { + +@@ -977,7 +1012,11 @@ + } + + /* create symlink from rootfs/dev/console to 'lxc/console' */ +- snprintf(lxcpath, sizeof(lxcpath), "%s/console", ttydir); ++ ret = snprintf(lxcpath, sizeof(lxcpath), "%s/console", ttydir); ++ if (ret >= sizeof(lxcpath)) { ++ ERROR("lxc/console path too long"); ++ return -1; ++ } + ret = 
symlink(lxcpath, path); + if (ret) { + SYSERROR("failed to create symlink for console"); +@@ -1171,7 +1210,7 @@ + + skipabs: + +- snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount, ++ r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount, + aux + offset); + if (r < 0 || r >= MAXPATHLEN) { + WARN("pathnme too long for '%s'", mntent->mnt_dir); +@@ -1202,7 +1241,11 @@ + } + + /* relative to root mount point */ +- snprintf(path, sizeof(path), "%s/%s", rootfs, mntent->mnt_dir); ++ ret = snprintf(path, sizeof(path), "%s/%s", rootfs, mntent->mnt_dir); ++ if (ret >= sizeof(path)) { ++ ERROR("path name too long"); ++ return -1; ++ } + + ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, + mntflags, mntdata); +@@ -1564,7 +1607,11 @@ + if (netdev->priv.veth_attr.pair) + veth1 = netdev->priv.veth_attr.pair; + else { +- snprintf(veth1buf, sizeof(veth1buf), "vethXXXXXX"); ++ err = snprintf(veth1buf, sizeof(veth1buf), "vethXXXXXX"); ++ if (err >= sizeof(veth1buf)) { /* can't *really* happen, but... 
*/ ++ ERROR("veth1 name too long"); ++ return -1; ++ } + veth1 = mktemp(veth1buf); + } + +@@ -1642,7 +1689,9 @@ + return -1; + } + +- snprintf(peerbuf, sizeof(peerbuf), "mcXXXXXX"); ++ err = snprintf(peerbuf, sizeof(peerbuf), "mcXXXXXX"); ++ if (err >= sizeof(peerbuf)) ++ return -1; + + peer = mktemp(peerbuf); + if (!strlen(peer)) { +@@ -1689,7 +1738,11 @@ + return -1; + } + +- snprintf(peer, sizeof(peer), "vlan%d", netdev->priv.vlan_attr.vid); ++ err = snprintf(peer, sizeof(peer), "vlan%d", netdev->priv.vlan_attr.vid); ++ if (err >= sizeof(peer)) { ++ ERROR("peer name too long"); ++ return -1; ++ } + + err = lxc_vlan_create(netdev->link, peer, netdev->priv.vlan_attr.vid); + if (err) { +Index: lxc-0.7.5/src/lxc/namespace.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/namespace.c 2011-08-11 16:59:44.000000000 +0000 ++++ lxc-0.7.5/src/lxc/namespace.c 2012-04-26 16:18:15.000000000 +0000 +@@ -90,6 +90,7 @@ + int fd[size]; + int i; + ++ /* pid is pid_t, can't be > MAXPATHLEN */ + sprintf(path, "/proc/%d/ns", pid); + if (access(path, X_OK)) { + ERROR("Does this kernel version support 'attach' ?"); +Index: lxc-0.7.5/src/lxc/network.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/network.c 2011-07-24 22:27:10.000000000 +0000 ++++ lxc-0.7.5/src/lxc/network.c 2012-04-26 16:18:15.000000000 +0000 +@@ -576,12 +576,15 @@ + static int ip_forward_set(const char *ifname, int family, int flag) + { + char path[MAXPATHLEN]; ++ int rc; + + if (family != AF_INET && family != AF_INET6) + return -EINVAL; + +- snprintf(path, MAXPATHLEN, "/proc/sys/net/%s/conf/%s/forwarding", ++ rc = snprintf(path, MAXPATHLEN, "/proc/sys/net/%s/conf/%s/forwarding", + family == AF_INET?"ipv4":"ipv6" , ifname); ++ if (rc >= MAXPATHLEN) ++ return -E2BIG; + + return proc_sys_net_write(path, flag?"1":"0"); + } +@@ -599,13 +602,16 @@ + static int neigh_proxy_set(const char *ifname, int family, int flag) + { + 
char path[MAXPATHLEN]; ++ int ret; + + if (family != AF_INET && family != AF_INET6) + return -EINVAL; + +- sprintf(path, "/proc/sys/net/%s/conf/%s/%s", ++ ret = snprintf(path, MAXPATHLEN, "/proc/sys/net/%s/conf/%s/%s", + family == AF_INET?"ipv4":"ipv6" , ifname, + family == AF_INET?"proxy_arp":"proxy_ndp"); ++ if (ret < 0 || ret >= MAXPATHLEN) ++ return -E2BIG; + + return proc_sys_net_write(path, flag?"1":"0"); + } +Index: lxc-0.7.5/src/lxc/cgroup.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/cgroup.c 2012-04-26 16:18:15.000000000 +0000 ++++ lxc-0.7.5/src/lxc/cgroup.c 2012-04-26 16:18:15.000000000 +0000 +@@ -169,8 +169,13 @@ + static int cgroup_rename_nsgroup(const char *mnt, const char *name, pid_t pid) + { + char oldname[MAXPATHLEN]; ++ int ret; + +- snprintf(oldname, MAXPATHLEN, "%s/%d", mnt, pid); ++ ret = snprintf(oldname, MAXPATHLEN, "%s/%d", mnt, pid); ++ if (ret < 0 || ret >= MAXPATHLEN) { ++ ERROR("Name too long"); ++ return -1; ++ } + + if (rename(oldname, name)) { + SYSERROR("failed to rename cgroup %s->%s", oldname, name); +@@ -208,8 +213,11 @@ + FILE *f; + char tasks[MAXPATHLEN]; + int ret = 0; ++ int rc; + +- snprintf(tasks, MAXPATHLEN, "%s/tasks", path); ++ rc = snprintf(tasks, MAXPATHLEN, "%s/tasks", path); ++ if (rc < 0 || rc >= MAXPATHLEN) ++ return -1; + + f = fopen(tasks, "w"); + if (!f) { +@@ -400,6 +408,7 @@ + + while (!readdir_r(dir, &dirent, &direntp)) { + struct stat mystat; ++ int rc; + + if (!direntp) + break; +@@ -408,7 +417,9 @@ + !strcmp(direntp->d_name, "..")) + continue; + +- snprintf(pathname, MAXPATHLEN, "%s/%s", dirname, direntp->d_name); ++ rc = snprintf(pathname, MAXPATHLEN, "%s/%s", dirname, direntp->d_name); ++ if (rc < 0 || rc >= MAXPATHLEN) ++ continue; + ret = stat(pathname, &mystat); + if (ret) + continue; +@@ -429,9 +440,14 @@ + { + char cgname[MAXPATHLEN], initcgroup[MAXPATHLEN]; + char *cgmnt = mntent->mnt_dir; ++ int rc; + +- snprintf(cgname, MAXPATHLEN, 
"%s%s/lxc/%s", cgmnt, ++ rc = snprintf(cgname, MAXPATHLEN, "%s%s/lxc/%s", cgmnt, + get_init_cgroup(NULL, mntent, initcgroup), name); ++ if (rc < 0 || rc >= MAXPATHLEN) { ++ ERROR("name too long"); ++ return -1; ++ } + DEBUG("destroying %s\n", cgname); + if (recursive_rmdir(cgname)) { + SYSERROR("failed to remove cgroup '%s'", cgname); +@@ -482,11 +498,16 @@ + { + static char buf[MAXPATHLEN]; + static char retbuf[MAXPATHLEN]; ++ int rc; + + /* what lxc_cgroup_set calls subsystem is actually the filename, i.e. + 'devices.allow'. So for our purposee we trim it */ + if (subsystem) { +- snprintf(retbuf, MAXPATHLEN, "%s", subsystem); ++ rc = snprintf(retbuf, MAXPATHLEN, "%s", subsystem); ++ if (rc < 0 || rc >= MAXPATHLEN) { ++ ERROR("subsystem name too long"); ++ return -1; ++ } + char *s = index(retbuf, '.'); + if (s) + *s = '\0'; +@@ -497,7 +518,11 @@ + return -1; + } + +- snprintf(retbuf, MAXPATHLEN, "%s/%s", buf, name); ++ rc = snprintf(retbuf, MAXPATHLEN, "%s/%s", buf, name); ++ if (rc < 0 || rc >= MAXPATHLEN) { ++ ERROR("name too long"); ++ return -1; ++ } + + DEBUG("%s: returning %s for subsystem %s", __func__, retbuf, subsystem); + +@@ -510,12 +535,15 @@ + int fd, ret; + char *dirpath; + char path[MAXPATHLEN]; ++ int rc; + + ret = lxc_cgroup_path_get(&dirpath, filename, name); + if (ret) + return -1; + +- snprintf(path, MAXPATHLEN, "%s/%s", dirpath, filename); ++ rc = snprintf(path, MAXPATHLEN, "%s/%s", dirpath, filename); ++ if (rc < 0 || rc >= MAXPATHLEN) ++ return -1; + + fd = open(path, O_WRONLY); + if (fd < 0) { +@@ -541,12 +569,15 @@ + int fd, ret = -1; + char *dirpath; + char path[MAXPATHLEN]; ++ int rc; + + ret = lxc_cgroup_path_get(&dirpath, filename, name); + if (ret) + return -1; + +- snprintf(path, MAXPATHLEN, "%s/%s", dirpath, filename); ++ rc = snprintf(path, MAXPATHLEN, "%s/%s", dirpath, filename); ++ if (rc < 0 || rc >= MAXPATHLEN) ++ return -1; + + fd = open(path, O_RDONLY); + if (fd < 0) { +@@ -568,12 +599,15 @@ + char path[MAXPATHLEN]; + int 
pid, ret, count = 0; + FILE *file; ++ int rc; + + ret = lxc_cgroup_path_get(&dpath, NULL, name); + if (ret) + return -1; + +- snprintf(path, MAXPATHLEN, "%s/tasks", dpath); ++ rc = snprintf(path, MAXPATHLEN, "%s/tasks", dpath); ++ if (rc < 0 || rc >= MAXPATHLEN) ++ return -1; + + file = fopen(path, "r"); + if (!file) { +Index: lxc-0.7.5/src/lxc/state.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/state.c 2011-07-24 22:27:10.000000000 +0000 ++++ lxc-0.7.5/src/lxc/state.c 2012-04-26 16:18:15.000000000 +0000 +@@ -75,7 +75,9 @@ + if (err) + return -1; + +- snprintf(freezer, MAXPATHLEN, "%s/freezer.state", nsgroup); ++ err = snprintf(freezer, MAXPATHLEN, "%s/freezer.state", nsgroup); ++ if (err < 0 || err >= MAXPATHLEN) ++ return -1; + + file = fopen(freezer, "r"); + if (!file) +Index: lxc-0.7.5/src/lxc/freezer.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/freezer.c 2011-07-24 22:27:10.000000000 +0000 ++++ lxc-0.7.5/src/lxc/freezer.c 2012-04-26 16:30:20.918284521 +0000 +@@ -49,7 +49,11 @@ + if (ret) + return -1; + +- snprintf(freezer, MAXPATHLEN, "%s/freezer.state", nsgroup); ++ ret = snprintf(freezer, MAXPATHLEN, "%s/freezer.state", nsgroup); ++ if (ret >= MAXPATHLEN) { ++ ERROR("freezer.state name too long"); ++ return -1; ++ } + + fd = open(freezer, O_RDWR); + if (fd < 0) { diff -Nru lxc-0.7.5/debian/patches/0075-execute-without-rootfs lxc-0.7.5/debian/patches/0075-execute-without-rootfs --- lxc-0.7.5/debian/patches/0075-execute-without-rootfs 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0075-execute-without-rootfs 2012-08-24 16:08:19.000000000 +0000 
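Review bot: the freezer.c hunk checks only `if (ret >= MAXPATHLEN)` and drops the `ret < 0` half that every other hunk in this patch carries, so a negative `snprintf` return passes the test and `open()` is called on an uninitialised path; use `if (ret < 0 || ret >= MAXPATHLEN)` there as well. state.c builds the same `freezer.state` path but returns `-1` with no message on truncation while freezer.c logs one; the two should fail the same way. The new `ERROR("name too long")` and `ERROR("subsystem name too long")` sites in the `static char retbuf[MAXPATHLEN]` function are indistinguishable from the other "name too long" errors in this file in a log; include `__func__` and the offending `subsystem` or `name`, as the `DEBUG` line just below already does.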
@@ -0,0 +1,40 @@ +Description: Make lxc-execute without rootfs work. + That means, don't try to pin a null rootfs, and don't try to mount /proc + since /var/lib/lxc/root/proc doesn't exist to be mounted onto. + The apparmor patches are not yet upstream, so this patch will not go + upstream by itself. +Author: Serge Hallyn +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/981955 +Forwarded: no + +Index: lxc-0.7.5/src/lxc/conf.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/conf.c 2012-04-26 16:30:39.742283595 +0000 ++++ lxc-0.7.5/src/lxc/conf.c 2012-04-26 16:36:14.014273722 +0000 +@@ -478,6 +478,9 @@ + struct stat s; + int ret, fd; + ++ if (rootfs == NULL || strlen(rootfs) == 0) ++ return 0; ++ + if (!realpath(rootfs, absrootfs)) { + SYSERROR("failed to get real path for '%s'", rootfs); + return -1; +@@ -2012,8 +2015,15 @@ + * then (refused). aa_change_onexec will work since we're doing it + * right before the exec, so we'll just use that for now. + * In case the container fstab didn't mount /proc, we mount it. ++ * ++ * But if there is no rootfs, then don't try to mount it. + */ +- mounted = mount_proc_if_needed(lxc_conf->rootfs.mount); ++ INFO("rootfs path is .%s., mount is .%s.", lxc_conf->rootfs.path, ++ lxc_conf->rootfs.mount); ++ if (lxc_conf->rootfs.path == NULL || strlen(lxc_conf->rootfs.path) == 0) ++ mounted = 0; ++ else ++ mounted = mount_proc_if_needed(lxc_conf->rootfs.mount); + if (mounted == -1) { + SYSERROR("failed to mount /proc in the container."); + return -1; diff -Nru lxc-0.7.5/debian/patches/0078-lxc-clone-quote-line lxc-0.7.5/debian/patches/0078-lxc-clone-quote-line --- lxc-0.7.5/debian/patches/0078-lxc-clone-quote-line 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0078-lxc-clone-quote-line 2012-08-24 16:08:19.000000000 +0000 
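Review bot: the new `INFO("rootfs path is .%s., mount is .%s.", lxc_conf->rootfs.path, lxc_conf->rootfs.mount)` passes `rootfs.path` to `%s` on the very line before it is tested for `NULL`; printing a null pointer with `%s` is undefined behaviour (glibc happens to print `(null)`), so either move the `INFO` below the check or print `lxc_conf->rootfs.path ? lxc_conf->rootfs.path : ""`. The first hunk returns `0` (success) for a `NULL` or empty rootfs, which matches the description, but a one-line comment there saying that a missing rootfs is expected for lxc-execute would save the next reader a trip to the changelog.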
@@ -0,0 +1,18 @@ +Description: put $line in quotes to avoid its expansion +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/993515 +Author: Serge Hallyn +Forwarded: yes + +Index: lxc-0.7.5/src/lxc/lxc-clone.in +=================================================================== +--- lxc-0.7.5.orig/src/lxc/lxc-clone.in 2012-05-02 15:27:32.000000000 -0500 ++++ lxc-0.7.5/src/lxc/lxc-clone.in 2012-05-02 15:28:09.953663553 -0500 +@@ -228,7 +228,7 @@ + if [ "${line:0:18}" = "lxc.network.hwaddr" ]; then + echo "lxc.network.hwaddr= 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" + else +- echo $line ++ echo "$line" + fi + done + ) < ${c}.old > ${c} diff -Nru lxc-0.7.5/debian/patches/0081-fix-multiarch-install lxc-0.7.5/debian/patches/0081-fix-multiarch-install --- lxc-0.7.5/debian/patches/0081-fix-multiarch-install 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0081-fix-multiarch-install 2012-08-24 16:08:19.000000000 +0000 
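Review bot: quoting `$line` stops glob expansion, but `echo "$line"` still lets a config line beginning with `-n`, `-e` or `-E` be consumed as an echo option under bash; `printf '%s\n' "$line"` copies the line through verbatim. The redirections on the last context line, `) < ${c}.old > ${c}`, are unquoted for the same reason this patch exists, so quote them as well while touching this loop.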
@@ -0,0 +1,23 @@ +Description: When installing a non-native architecture, the template + installs a bunch of packages of the native architecture to work around + existing limitations of qemu-user-static, mostly related to netlink. + . + The current code would install upstart of the host architecture but + force the amd64 version of the others. This was just a mistake done + while testing/developping the code. Fixing now to always install + the native architecture version of all of them. +Author: Stéphane Graber +Origin: vendor +Forwarded: no + +--- lxc-0.7.5.orig/templates/lxc-ubuntu.in ++++ lxc-0.7.5/templates/lxc-ubuntu.in +@@ -489,7 +489,7 @@ post_process() + + # Finally update the lists and install upstart using the host architecture + chroot $rootfs apt-get update +- chroot $rootfs apt-get install --force-yes -y --no-install-recommends upstart:${hostarch} mountall:amd64 iproute:amd64 isc-dhcp-client:amd64 ++ chroot $rootfs apt-get install --force-yes -y --no-install-recommends upstart:${hostarch} mountall:${hostarch} iproute:${hostarch} isc-dhcp-client:${hostarch} + fi + + # rmdir /dev/shm in precise containers. diff -Nru lxc-0.7.5/debian/patches/0082-umount-old-proc lxc-0.7.5/debian/patches/0082-umount-old-proc --- lxc-0.7.5/debian/patches/0082-umount-old-proc 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0082-umount-old-proc 2012-08-24 16:08:19.000000000 +0000 
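Review bot: the corrected line still runs `apt-get install --force-yes -y`, and `--force-yes` is the switch that lets apt proceed past its own safety prompts, including installing packages that fail signature verification; since these packages come from the regular mirrors configured by the template, `-y` alone should suffice, and if `--force-yes` is genuinely needed for the qemu-user-static bootstrap the reason belongs in a comment beside it. Minor: `$rootfs` is unquoted in both `chroot $rootfs` calls in this hunk.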
@@ -0,0 +1,174 @@ +Description: umount proc if it isn't ours + If /proc is already mounted, make sure that /proc/self points to 1, + since we are container init. Otherwise, assume proc is an old one, and + umount it and remount our own. If we keep the old proc mounted, + apparmor transitions will by tried for wrong task and fail. + Also move the check for whether apparmor is enabled to inside __lxc_start() + so that lxc-execute can use it. + This won't be forwarded as it's part of the apparmorization which is + not yet upstream. +Author: Serge Hallyn +Forwarded: no +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/993706 + +Index: lxc-0.7.5/src/lxc/conf.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/conf.c 2012-05-07 15:36:49.000000000 -0700 ++++ lxc-0.7.5/src/lxc/conf.c 2012-05-07 15:44:19.462879088 -0700 +@@ -1938,28 +1938,38 @@ + } + + /* +- * make sure /proc/1 exists, else mount /proc. Return 0 if proc was ++ * make sure /proc/self exists, and points to '1', since we are the ++ * container init. ++ * Else mount /proc. Return 0 if proc was + * already mounted, 1 if we mounted it, -1 if we failed. + */ +-static int mount_proc_if_needed(char *rootfs_tgt) ++static int mount_proc_if_needed(char *root_src, char *rootfs_tgt) + { +- struct stat statbuf; + char path[MAXPATHLEN]; +- int ret; ++ char link[20]; ++ int linklen, ret; + +- ret = snprintf(path, MAXPATHLEN, "%s/proc/1/cmdline", rootfs_tgt); ++ ret = snprintf(path, MAXPATHLEN, "%s/proc/self", root_src ? rootfs_tgt : ""); + if (ret < 0 || ret >= MAXPATHLEN) { + SYSERROR("proc path name too long"); + return -1; + } +- ret = stat(path, &statbuf); +- INFO("checking if proc mount needed\n"); +- if (ret == 0) { +- INFO("no proc mount needed\n"); +- return 0; ++ memset(link, 0, 20); ++ linklen = readlink(path, link, 20); ++ INFO("I am %d, /proc/self points to %s\n", getpid(), link); ++ ret = snprintf(path, MAXPATHLEN, "%s/proc", root_src ? 
rootfs_tgt : ""); ++ if (linklen < 0) /* /proc not mounted */ ++ goto domount; ++ /* can't be longer than rootfs/proc/1 */ ++ if (strncmp(link, "1", linklen) != 0) { ++ /* wrong /procs mounted */ ++ umount2(path, MNT_DETACH); /* ignore failure */ ++ goto domount; + } +- ret = snprintf(path, MAXPATHLEN, "%s/proc", rootfs_tgt); +- INFO("proc mount needed, mounting to %s\n", path); ++ /* the right proc is already mounted */ ++ return 0; ++ ++domount: + if (mount("proc", path, "proc", 0, NULL)) + return -1; + INFO("Mounted /proc for the container\n"); +@@ -2015,15 +2025,11 @@ + * then (refused). aa_change_onexec will work since we're doing it + * right before the exec, so we'll just use that for now. + * In case the container fstab didn't mount /proc, we mount it. +- * +- * But if there is no rootfs, then don't try to mount it. + */ + INFO("rootfs path is .%s., mount is .%s.", lxc_conf->rootfs.path, + lxc_conf->rootfs.mount); +- if (lxc_conf->rootfs.path == NULL || strlen(lxc_conf->rootfs.path) == 0) +- mounted = 0; +- else +- mounted = mount_proc_if_needed(lxc_conf->rootfs.mount); ++ ++ mounted = mount_proc_if_needed(lxc_conf->rootfs.path, lxc_conf->rootfs.mount); + if (mounted == -1) { + SYSERROR("failed to mount /proc in the container."); + return -1; +Index: lxc-0.7.5/src/lxc/start.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/start.c 2012-05-07 15:36:49.000000000 -0700 ++++ lxc-0.7.5/src/lxc/start.c 2012-05-07 15:44:19.462879088 -0700 +@@ -538,8 +538,6 @@ + #define AA_DEF_PROFILE "lxc-container-default" + static int apparmor_load(struct lxc_handler *handler) + { +- int mounted; +- + if (!apparmor_enabled) { + INFO("apparmor not enabled"); + return 0; +@@ -718,6 +716,28 @@ + return -1; + } + ++#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" ++#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" ++static int check_apparmor_enabled(void) ++{ ++ struct stat statbuf; ++ FILE 
*fin; ++ char e; ++ int ret; ++ ++ ret = stat(AA_MOUNT_RESTR, &statbuf); ++ if (ret != 0) ++ return 0; ++ fin = fopen(AA_ENABLED_FILE, "r"); ++ if (!fin) ++ return 0; ++ ret = fscanf(fin, "%c", &e); ++ fclose(fin); ++ if (ret == 1 && e == 'Y') ++ return 1; ++ return 0; ++} ++ + int __lxc_start(const char *name, struct lxc_conf *conf, + struct lxc_operations* ops, void *data) + { +@@ -725,6 +745,8 @@ + int err = -1; + int status; + ++ apparmor_enabled = check_apparmor_enabled(); ++ + handler = lxc_init(name, conf); + if (!handler) { + ERROR("failed to initialize the container"); +@@ -822,36 +844,12 @@ + .post_start = post_start + }; + +-#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" +-#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" +-static int check_apparmor_enabled(void) +-{ +- struct stat statbuf; +- FILE *fin; +- char e; +- int ret; +- +- ret = stat(AA_MOUNT_RESTR, &statbuf); +- if (ret != 0) +- return 0; +- fin = fopen(AA_ENABLED_FILE, "r"); +- if (!fin) +- return 0; +- fscanf(fin, "%c", &e); +- fclose(fin); +- if (e == 'Y') +- return 1; +- return 0; +-} +- + int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf) + { + struct start_args start_arg = { + .argv = argv, + }; + +- apparmor_enabled = check_apparmor_enabled(); +- + if (lxc_check_inherited(conf, -1)) + return -1; + diff -Nru lxc-0.7.5/debian/patches/0083-always-close-all-fds.patch lxc-0.7.5/debian/patches/0083-always-close-all-fds.patch --- lxc-0.7.5/debian/patches/0083-always-close-all-fds.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0083-always-close-all-fds.patch 2012-08-24 16:08:19.000000000 +0000 
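Review bot: in the new `mount_proc_if_needed`, `readlink(path, link, 20)` does not NUL-terminate, so a link target of 20 bytes or more fills `link` completely and the following `INFO("I am %d, /proc/self points to %s\n", getpid(), link)` reads past the buffer; call it with `sizeof(link) - 1` (the `memset` then supplies the terminator) or set `link[linklen] = '\0'` after checking `linklen`. The second `snprintf(path, MAXPATHLEN, "%s/proc", ...)` reuses `ret` but never checks it, unlike the first, so a truncated path can reach `umount2()` and `mount()`. In the start.c part, the relocated `check_apparmor_enabled` now tests `ret == 1` before using `e`, which fixes the uninitialised read of `e` in the version being removed; that is a behaviour change rather than a pure move and deserves a line in the description.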
@@ -0,0 +1,37 @@ +Description: Always set close-all-fds in lxc-start + This is already the default behavior upstream and in quantal. +Author: Serge Hallyn +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1003583 +Forwarded: no + +Index: lxc-0.7.5/doc/lxc-start.sgml.in +=================================================================== +--- lxc-0.7.5.orig/doc/lxc-start.sgml.in 2012-05-24 07:21:49.000000000 -0500 ++++ lxc-0.7.5/doc/lxc-start.sgml.in 2012-05-24 07:40:28.893000910 -0500 +@@ -154,10 +154,8 @@ + + + +- If any file descriptors are inherited, close them. If this option +- is not specified, then lxc-start will exit with +- failure instead. Note: --daemon implies +- --close-all-fds. ++ If any file descriptors are inherited, close them. This option is ++ still accepted, but is now always set. + + + +Index: lxc-0.7.5/src/lxc/lxc_start.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/lxc_start.c 2012-05-24 07:21:49.000000000 -0500 ++++ lxc-0.7.5/src/lxc/lxc_start.c 2012-05-24 07:40:48.337000199 -0500 +@@ -204,8 +204,7 @@ + return err; + } + +- if (my_args.close_all_fds) +- conf->close_all_fds = 1; ++ conf->close_all_fds = 1; + + err = lxc_start(my_args.name, args, conf); + diff -Nru lxc-0.7.5/debian/patches/0083-ubuntu-simplify-template lxc-0.7.5/debian/patches/0083-ubuntu-simplify-template --- lxc-0.7.5/debian/patches/0083-ubuntu-simplify-template 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0083-ubuntu-simplify-template 2012-08-24 16:08:19.000000000 +0000 
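Review bot: with `conf->close_all_fds = 1` unconditional, `my_args.close_all_fds` is now dead state that the option parser still fills in; either drop the field and make the option handler a no-op, or keep it and print a deprecation note in the usage text so the "still accepted" wording in the sgml matches what the binary does. The removed documentation said inherited descriptors made lxc-start fail, which was the operator's only signal that host file descriptors were leaking into the container; now that they are closed silently, a `WARN` listing the descriptors closed by `lxc_check_inherited` would preserve that signal.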
@@ -0,0 +1,341 @@ +Description: Simplify the Ubuntu template a bit + - Update list of extra packages for debootstrap to only include vim + and ssh. The others were only relevant when we were still using the + minbase variant. (LP: #996839) + - Drop any hardcoded Ubuntu version check and replace by feature + checks instead. + - Format lxc-ubuntu to consistently use 4-spaces indent instead of + mixed spaces/tabs. + - Update default /etc/network/interfaces to include the header. + - Update default /etc/hosts to match that of a regular Ubuntu system. + - Drop support for end-of-life releases (gutsy on sparc). + - Make sure /etc/resolv.conf is valid before running any apt command. + - Update template help message for release and arch parameters. + - Switch default Ubuntu version from lucid to precise. +Author: Stéphane Graber + +Origin: vendor +Forwarded: no + +Index: lxc/templates/lxc-ubuntu.in +=================================================================== +--- lxc.orig/templates/lxc-ubuntu.in 2012-05-24 14:45:34.000000000 -0400 ++++ lxc/templates/lxc-ubuntu.in 2012-06-01 11:46:24.386821281 -0400 +@@ -38,6 +38,10 @@ + + # configure the network using the dhcp + cat < $rootfs/etc/network/interfaces ++# This file describes the network interfaces available on your system ++# and how to activate them. For more information, see interfaces(5). ++ ++# The loopback network interface + auto lo + iface lo inet loopback + +@@ -51,10 +55,18 @@ + EOF + # set minimal hosts + cat < $rootfs/etc/hosts +-127.0.0.1 localhost $hostname ++127.0.0.1 localhost ++127.0.1.1 $hostname ++ ++# The following lines are desirable for IPv6 capable hosts ++::1 ip6-localhost ip6-loopback ++fe00::0 ip6-localnet ++ff00::0 ip6-mcastprefix ++ff02::1 ip6-allnodes ++ff02::2 ip6-allrouters + EOF + +- if [ "$release" != "precise" ]; then ++ if [ ! 
-f $rootfs/etc/init/container-detect.conf ]; then + # suppress log level output for udev + sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf + +@@ -78,7 +90,9 @@ + { + user=$1 + +- if [ "$release" = "precise" ]; then ++ sudo_version=$(chroot $rootfs dpkg-query -W -f='${Version}' sudo) ++ ++ if chroot $rootfs dpkg --compare-versions $sudo_version gt "1.8.3p1-1"; then + groups="sudo" + else + groups="sudo admin" +@@ -90,13 +104,14 @@ + done + + if [ -n "$auth_key" -a -f "$auth_key" ]; then +- u_path="/home/${user}/.ssh" +- root_u_path="$rootfs/$u_path" +- mkdir -p $root_u_path +- cp $auth_key "$root_u_path/authorized_keys" +- chroot $rootfs chown -R ${user}: "$u_path" ++ u_path="/home/${user}/.ssh" ++ root_u_path="$rootfs/$u_path" + +- echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys" ++ mkdir -p $root_u_path ++ cp $auth_key "$root_u_path/authorized_keys" ++ chroot $rootfs chown -R ${user}: "$u_path" ++ ++ echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys" + fi + return 0 + } +@@ -112,18 +127,6 @@ + MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu} + SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu} + ;; +- sparc) +- case $SUITE in +- gutsy) +- MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu} +- SECURITY_MIRROR=${SECURITY_MIRRORMIRROR:-http://security.ubuntu.com/ubuntu} +- ;; +- *) +- MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports} +- SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports} +- ;; +- esac +- ;; + *) + MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports} + SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports} +@@ -150,15 +153,7 @@ + arch=$2 + release=$3 + +- if [ $release = "lucid" ]; then +- packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg +- elif [ $release = "maverick" ]; then +- 
packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg,netbase +- elif [ $release = "natty" ]; then +- packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase +- else +- packages=dialog,apt,apt-utils,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,ubuntu-keyring +- fi ++ packages=vim,ssh + echo "installing packages: $packages" + + # check the mini ubuntu was not already downloaded +@@ -232,39 +227,40 @@ + flushcache=$3 + cache="/var/cache/lxc/$release" + mkdir -p /var/lock/subsys/ ++ + ( +- flock -n -x 200 +- if [ $? -ne 0 ]; then +- echo "Cache repository is busy." +- return 1 +- fi +- +- +- if [ $flushcache -eq 1 ]; then +- echo "Flushing cache..." +- rm -rf "$cache/partial-$arch" +- rm -rf "$cache/rootfs-$arch" +- fi +- +- echo "Checking cache download in $cache/rootfs-$arch ... " +- if [ ! -e "$cache/rootfs-$arch" ]; then +- download_ubuntu $cache $arch $release +- if [ $? -ne 0 ]; then +- echo "Failed to download 'ubuntu $release base'" +- return 1 +- fi +- fi +- +- echo "Copy $cache/rootfs-$arch to $rootfs ... " +- copy_ubuntu $cache $arch $rootfs +- if [ $? -ne 0 ]; then +- echo "Failed to copy rootfs" +- return 1 +- fi ++ flock -n -x 200 ++ if [ $? -ne 0 ]; then ++ echo "Cache repository is busy." ++ return 1 ++ fi + +- return 0 + +- ) 200>/var/lock/subsys/lxc ++ if [ $flushcache -eq 1 ]; then ++ echo "Flushing cache..." ++ rm -rf "$cache/partial-$arch" ++ rm -rf "$cache/rootfs-$arch" ++ fi ++ ++ echo "Checking cache download in $cache/rootfs-$arch ... " ++ if [ ! -e "$cache/rootfs-$arch" ]; then ++ download_ubuntu $cache $arch $release ++ if [ $? -ne 0 ]; then ++ echo "Failed to download 'ubuntu $release base'" ++ return 1 ++ fi ++ fi ++ ++ echo "Copy $cache/rootfs-$arch to $rootfs ... " ++ copy_ubuntu $cache $arch $rootfs ++ if [ $? 
-ne 0 ]; then ++ echo "Failed to copy rootfs" ++ return 1 ++ fi ++ ++ return 0 ++ ++ ) 200>/var/lock/subsys/lxc + + return $? + } +@@ -282,7 +278,7 @@ + fi + + ttydir="" +- if [ $release = "precise" ]; then ++ if [ -f $rootfs/etc/init/container-detect.conf ]; then + ttydir=" lxc" + fi + +@@ -345,8 +341,8 @@ + EOF + + if [ $? -ne 0 ]; then +- echo "Failed to add configuration" +- return 1 ++ echo "Failed to add configuration" ++ return 1 + fi + + return 0 +@@ -423,11 +419,11 @@ + + # reconfigure some services + if [ -z "$LANG" ]; then +- chroot $rootfs locale-gen en_US.UTF-8 +- chroot $rootfs update-locale LANG=en_US.UTF-8 ++ chroot $rootfs locale-gen en_US.UTF-8 ++ chroot $rootfs update-locale LANG=en_US.UTF-8 + else +- chroot $rootfs locale-gen $LANG +- chroot $rootfs update-locale LANG=$LANG ++ chroot $rootfs locale-gen $LANG ++ chroot $rootfs update-locale LANG=$LANG + fi + + # remove pointless services in a container +@@ -453,21 +449,25 @@ + + if [ $trim_container -eq 1 ]; then + trim $rootfs $release +- elif [ $release = "lucid" -o $release = "maverick" -o $release = "natty" \ +- -o $release = "oneiric" ]; then +- # for lucid and maverick, if not trimming, then add the ubuntu-virt ++ elif [ ! 
-f $rootfs/etc/init/container-detect.conf ]; then ++ # Make sure we have a working resolv.conf ++ cresolvonf="${rootfs}/etc/resolv.conf" ++ mv $cresolvonf ${cresolvonf}.lxcbak ++ cat /etc/resolv.conf > ${cresolvonf} ++ ++ # for lucid, if not trimming, then add the ubuntu-virt + # ppa and install lxcguest +- if [ $release = "lucid" -o $release = "maverick" ]; then ++ if [ $release = "lucid" ]; then + chroot $rootfs apt-get install --force-yes -y python-software-properties + chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa + fi +- cresolvonf="${rootfs}/etc/resolv.conf" +- mv $cresolvonf ${cresolvonf}.lxcbak +- cat /etc/resolv.conf > ${cresolvonf} ++ + chroot $rootfs apt-get update + chroot $rootfs apt-get install --force-yes -y lxcguest +- rm -f ${cresolvonf} +- mv ${cresolvonf}.lxcbak ${cresolvonf} ++ ++ # Restore old resolv.conf ++ rm -f ${cresolvonf} ++ mv ${cresolvonf}.lxcbak ${cresolvonf} + fi + + # If the container isn't running a native architecture, setup multiarch +@@ -492,11 +492,11 @@ + chroot $rootfs apt-get install --force-yes -y --no-install-recommends upstart:${hostarch} mountall:${hostarch} iproute:${hostarch} isc-dhcp-client:${hostarch} + fi + +- # rmdir /dev/shm in precise containers. ++ # rmdir /dev/shm for containers that have /run/shm + # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did + # get bind mounted to the host's /run/shm. So try to rmdir + # it, and in case that fails move it out of the way. 
+- if [ $release = "precise" ]; then ++ if [ -d $rootfs/run/shm ]; then + [ -d "$rootfs/dev/shm" ] && rmdir $rootfs/dev/shm + [ -e "$rootfs/dev/shm" ] && mv $rootfs/dev/shm $rootfs/dev/shm.bak + ln -s /run/shm $rootfs/dev/shm +@@ -527,11 +527,12 @@ + # bind-mount the user's path into the container's /home + h=`getent passwd $user | cut -d: -f 6` + mkdir -p $rootfs/$h +- # use relative path in container +- h2=${h#/} +- while [ ${h2:0:1} = "/" ]; do +- h2=${h2#/} +- done ++ ++ # use relative path in container ++ h2=${h#/} ++ while [ ${h2:0:1} = "/" ]; do ++ h2=${h2#/} ++ done + echo "$h $h2 none bind 0 0" >> $path/fstab + + # Make sure the group exists in container +@@ -545,12 +546,12 @@ + cat <] [--trim] [-d|--debug] + [-F | --flush-cache] [-r|--release ] [ -S | --auth-key ] +-release: lucid | maverick | natty | oneiric | precise ++release: the ubuntu release (e.g. precise): defaults to host release on ubuntu, otherwise uses latest LTS + trim: make a minimal (faster, but not upgrade-safe) container + bindhome: bind 's home into the container + The ubuntu user will not be created, and will have +- sudo access. +-arch: amd64 or i386: defaults to host arch ++ sudo access. ++arch: the container architecture (e.g. amd64): defaults to host arch + auth-key: SSH Public key file to inject into container + EOF + return 0 +@@ -563,14 +564,12 @@ + fi + eval set -- "$options" + +-release=lucid ++release=precise # Default to the last Ubuntu LTS release for non-Ubuntu systems + if [ -f /etc/lsb-release ]; then + . 
/etc/lsb-release +- case "$DISTRIB_CODENAME" in +- lucid|maverick|natty|oneiric|precise) +- release=$DISTRIB_CODENAME +- ;; +- esac ++ if [ "$DISTRIB_ID" = "Ubuntu" ]; then ++ release=$DISTRIB_CODENAME ++ fi + fi + + bindhome= +@@ -615,7 +614,7 @@ + done + + if [ $debug -eq 1 ]; then +- set -x ++ set -x + fi + + if [ -n "$bindhome" ]; then diff -Nru lxc-0.7.5/debian/patches/0085-pivot-dir lxc-0.7.5/debian/patches/0085-pivot-dir --- lxc-0.7.5/debian/patches/0085-pivot-dir 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0085-pivot-dir 2012-08-24 16:08:19.000000000 +0000 
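Review bot: in the post_process hunk that swaps in the host's resolv.conf, nothing restores the `.lxcbak` copy if `apt-get update` or `apt-get install --force-yes -y lxcguest` fails, so an aborted create leaves the host's resolver configuration inside the container rootfs; run the restore unconditionally after the apt calls or from a `trap`. In the same function, `[ -e "$rootfs/dev/shm" ]` follows symlinks, so an existing `/dev/shm -> /run/shm` link is moved to `dev/shm.bak` and recreated on every run; guard with `[ ! -L "$rootfs/dev/shm" ]` first. In the sudo group selection, `$sudo_version` is unquoted and empty when `dpkg-query` fails inside the chroot, which leaves `dpkg --compare-versions` with too few arguments; quote it and fall back to the old group list on error. With `release=$DISTRIB_CODENAME` no longer validated against a list, a host running a release debootstrap has no script for fails late inside `download_ubuntu`; checking for `/usr/share/debootstrap/scripts/$release` up front gives a clearer error. Finally, the re-indentation mixed into logic changes makes this 341-line patch hard to audit; a whitespace-only patch first would help.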
@@ -0,0 +1,33 @@ +Description: use lxc_putold as the pivot_root put dir + By default we use mnt, but that means that lxc fstab entries do not work + when placed under the container's /mnt/. +Author: Serge Hallyn +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/986385 +Forwarded: yes + +Index: lxc-0.7.5/templates/lxc-ubuntu-cloud.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-ubuntu-cloud.in 2012-06-11 20:16:36.000000000 -0500 ++++ lxc-0.7.5/templates/lxc-ubuntu-cloud.in 2012-06-11 20:17:00.582547709 -0500 +@@ -55,6 +55,8 @@ + lxc.mount = $path/fstab + lxc.arch = $arch + lxc.cap.drop = sys_module mac_admin ++lxc.pivotdir = lxc_putold ++ + # uncomment the next line to run the container unconfined: + #lxc.aa_profile = unconfined + +Index: lxc-0.7.5/templates/lxc-ubuntu.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-ubuntu.in 2012-06-11 20:16:36.000000000 -0500 ++++ lxc-0.7.5/templates/lxc-ubuntu.in 2012-06-11 20:18:10.542549283 -0500 +@@ -301,6 +301,8 @@ + lxc.mount = $path/fstab + lxc.arch = $arch + lxc.cap.drop = sys_module mac_admin ++lxc.pivotdir = lxc_putold ++ + # uncomment the next line to run the container unconfined: + #lxc.aa_profile = unconfined + diff -Nru lxc-0.7.5/debian/patches/0086-lxc-unshare-zero-args lxc-0.7.5/debian/patches/0086-lxc-unshare-zero-args --- lxc-0.7.5/debian/patches/0086-lxc-unshare-zero-args 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0086-lxc-unshare-zero-args 2012-08-24 16:08:19.000000000 +0000 
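Review bot: adding `lxc.pivotdir = lxc_putold` only to the two Ubuntu templates means containers created before this version keep pivoting into `/mnt` and the bug stays open for them; since the header says `Forwarded: yes`, changing the parser's default is the more complete fix, or the description should state that existing configs need the line added by hand. The key is also undocumented in this patch; a matching lxc.conf(5) hunk would help.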
@@ -0,0 +1,36 @@ +Description: Require an argument for lxc-unshare + It segfaults otherwise trying to execute &NULL. +Author: Serge Hallyn +Forwarded: yes +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1011603 + +Index: lxc-0.7.5/src/lxc/lxc_unshare.c +=================================================================== +--- lxc-0.7.5.orig/src/lxc/lxc_unshare.c 2012-06-11 21:04:06.016250221 +0000 ++++ lxc-0.7.5/src/lxc/lxc_unshare.c 2012-06-11 21:04:12.192250004 +0000 +@@ -44,12 +44,11 @@ + + void usage(char *cmd) + { +- fprintf(stderr, "%s [command]\n", basename(cmd)); ++ fprintf(stderr, "%s command [command_arguments]\n", basename(cmd)); + fprintf(stderr, "Options are:\n"); + fprintf(stderr, "\t -s flags: ORed list of flags to unshare:\n" \ + "\t MOUNT, PID, UTSNAME, IPC, USER, NETWORK\n"); + fprintf(stderr, "\t -u : new id to be set if -s USER is specified\n"); +- fprintf(stderr, "\t if -s PID is specified, is mandatory)\n"); + _exit(1); + } + +@@ -184,6 +183,11 @@ + } + } + ++ if (argv[optind] == NULL) { ++ ERROR("a command to execute in the new namespace is required"); ++ return 1; ++ } ++ + args = &argv[optind]; + + ret = lxc_caps_init(); diff -Nru lxc-0.7.5/debian/patches/0087-lxc-ls-dash lxc-0.7.5/debian/patches/0087-lxc-ls-dash --- lxc-0.7.5/debian/patches/0087-lxc-ls-dash 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0087-lxc-ls-dash 2012-08-24 16:08:19.000000000 +0000 
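Review bot: the new `argv[optind] == NULL` check logs through `ERROR()` and returns 1, but `usage()` a few lines above exists for exactly this situation; calling `usage(argv[0])` there shows the operator the corrected synopsis instead of only a log line. Also, `usage()` ends with `_exit(1)`, which skips stdio flushing, so the `fprintf(stderr, ...)` lines before it rely on stderr being unbuffered; `exit(1)` is the safer choice.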
@@ -0,0 +1,27 @@ +Description: lxc-ls: prepend container name with -- when calling ls + Otherwise a container name with a dash confuses ls +Author: Serge Hallyn +Forwarded: yes +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1006332 + +Index: lxc-0.7.5/src/lxc/lxc-ls.in +=================================================================== +--- lxc-0.7.5.orig/src/lxc/lxc-ls.in 2012-06-11 21:04:05.988251420 +0000 ++++ lxc-0.7.5/src/lxc/lxc-ls.in 2012-06-11 21:04:14.300250001 +0000 +@@ -22,7 +22,7 @@ + mount_point=`echo "$mount_string" |cut -d' ' -f2`; + } + +-ls "$@" $lxcpath ++ls "$@" -- $lxcpath + + active=$(netstat -xa 2>/dev/null | grep $lxcpath | \ + sed -e 's#.*'"$lxcpath/"'\(.*\)/command#\1#'); +@@ -33,6 +33,6 @@ + # get cgroup for init + init_cgroup=`cat /proc/1/cgroup | awk -F: '{ print $3 }' | head -1` + cd $mount_point/$init_cgroup/lxc +- ls "$@" -d $active ++ ls "$@" -d -- $active + fi + fi diff -Nru lxc-0.7.5/debian/patches/0088-ubuntu-template-flock lxc-0.7.5/debian/patches/0088-ubuntu-template-flock --- lxc-0.7.5/debian/patches/0088-ubuntu-template-flock 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0088-ubuntu-template-flock 2012-08-24 16:08:19.000000000 +0000 
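Review bot: `--` fixes the leading-dash case, but both `ls` calls still word-split their operands: `$lxcpath` and `$active` are unquoted, and `$active` is built from `netstat -xa 2>/dev/null | grep $lxcpath`, where the unquoted path is also used as a regular expression. Quoting `"$lxcpath"` and using `grep -F` make the listing correct for paths with spaces or regex metacharacters. `cd $mount_point/$init_cgroup/lxc` is also unchecked; if it fails, `ls "$@" -d -- $active` runs in the current directory and silently lists the wrong thing, so use `cd ... || exit 1`.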
@@ -0,0 +1,121 @@ +Description: templates: don't fail on busy flock + Just wait until the lock is available. That is a nicer behavior + for concurrent lxc-creates. +Author: Serge Hallyn +Forwarded: yes +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1007483 + +Index: lxc-0.7.5/templates/lxc-debian.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-debian.in 2012-06-11 21:04:05.960253888 +0000 ++++ lxc-0.7.5/templates/lxc-debian.in 2012-06-11 21:04:16.052249994 +0000 +@@ -170,7 +170,7 @@ + rootfs=$1 + mkdir -p @LOCALSTATEDIR@/lock/subsys/ + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? -ne 0 ]; then + echo "Cache repository is busy." + return 1 +@@ -284,7 +284,7 @@ + + # lock, so we won't purge while someone is creating a repository + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? != 0 ]; then + echo "Cache repository is busy." + exit 1 +Index: lxc-0.7.5/templates/lxc-fedora.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-fedora.in 2012-06-11 21:04:05.960253888 +0000 ++++ lxc-0.7.5/templates/lxc-fedora.in 2012-06-11 21:04:16.052249994 +0000 +@@ -190,7 +190,7 @@ + { + mkdir -p /var/lock/subsys/ + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? -ne 0 ]; then + echo "Cache repository is busy." + return 1 +@@ -281,7 +281,7 @@ + + # lock, so we won't purge while someone is creating a repository + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? != 0 ]; then + echo "Cache repository is busy." + exit 1 +Index: lxc-0.7.5/templates/lxc-lenny.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-lenny.in 2012-06-11 21:04:05.960253888 +0000 ++++ lxc-0.7.5/templates/lxc-lenny.in 2012-06-11 21:04:16.052249994 +0000 +@@ -142,7 +142,7 @@ + rootfs=$1 + mkdir -p @LOCALSTATEDIR@/lock/subsys/ + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? -ne 0 ]; then + echo "Cache repository is busy." 
+ return 1 +@@ -225,7 +225,7 @@ + + # lock, so we won't purge while someone is creating a repository + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? != 0 ]; then + echo "Cache repository is busy." + exit 1 +Index: lxc-0.7.5/templates/lxc-opensuse.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-opensuse.in 2012-06-11 21:04:05.960253888 +0000 ++++ lxc-0.7.5/templates/lxc-opensuse.in 2012-06-11 21:04:16.052249994 +0000 +@@ -196,7 +196,7 @@ + rootfs=$1 + mkdir -p /var/lock/subsys/ + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? -ne 0 ]; then + echo "Cache repository is busy." + return 1 +@@ -284,7 +284,7 @@ + + # lock, so we won't purge while someone is creating a repository + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? != 0 ]; then + echo "Cache repository is busy." + exit 1 +Index: lxc-0.7.5/templates/lxc-ubuntu-cloud.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-ubuntu-cloud.in 2012-06-11 21:04:05.960253888 +0000 ++++ lxc-0.7.5/templates/lxc-ubuntu-cloud.in 2012-06-11 21:04:16.052249994 +0000 +@@ -292,7 +292,7 @@ + + mkdir -p /var/lock/subsys/ + ( +- flock -n -x 200 ++ flock -x 200 + + cd $cache + if [ $flushcache -eq 1 ]; then +Index: lxc-0.7.5/templates/lxc-ubuntu.in +=================================================================== +--- lxc-0.7.5.orig/templates/lxc-ubuntu.in 2012-06-11 21:04:05.960253888 +0000 ++++ lxc-0.7.5/templates/lxc-ubuntu.in 2012-06-11 21:04:16.052249994 +0000 +@@ -229,7 +229,7 @@ + mkdir -p /var/lock/subsys/ + + ( +- flock -n -x 200 ++ flock -x 200 + if [ $? -ne 0 ]; then + echo "Cache repository is busy." 
+ return 1 diff -Nru lxc-0.7.5/debian/patches/0089-clone-no-dhclient.conf-update-when-not-hardcoded lxc-0.7.5/debian/patches/0089-clone-no-dhclient.conf-update-when-not-hardcoded --- lxc-0.7.5/debian/patches/0089-clone-no-dhclient.conf-update-when-not-hardcoded 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0089-clone-no-dhclient.conf-update-when-not-hardcoded 2012-08-24 16:08:19.000000000 +0000 @@ -0,0 +1,25 @@ +Description: Don't update the host-name field in dhclient.conf when + it doesn't contain an hardcoded value. + + On Debian and Ubuntu, the default host-name field in dhclient.conf is + set to either "" or "gethostname()" both of which get replaced + by the machine's hostname at query time. + + The sed call currently present in lxc-clone hardcodes the hostname in + dhclient.conf, causing dpkg to prompt on isc-dhcp updates. + +Author: Stéphane Graber +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1017862 +Forwarded: no + +--- lxc-0.7.5.orig/src/lxc/lxc-clone.in ++++ lxc-0.7.5/src/lxc/lxc-clone.in +@@ -216,7 +216,7 @@ fi + echo "Updating rootfs..." + + # so you can 'ssh $hostname.' or 'ssh $hostname.local' +-if [ -f $rootfs/etc/dhcp/dhclient.conf ]; then ++if [ -f $rootfs/etc/dhcp/dhclient.conf ] && ! grep -q "^send host-name.*hostname" $rootfs/etc/dhcp/dhclient.conf; then + sed -i "s/send host-name.*$/send host-name $hostname;/" $rootfs/etc/dhcp/dhclient.conf + fi + diff -Nru lxc-0.7.5/debian/patches/0090-lxc-ubuntu-use-dpkg-add-architecture lxc-0.7.5/debian/patches/0090-lxc-ubuntu-use-dpkg-add-architecture --- lxc-0.7.5/debian/patches/0090-lxc-ubuntu-use-dpkg-add-architecture 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0090-lxc-ubuntu-use-dpkg-add-architecture 2012-08-24 16:08:19.000000000 +0000 
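Review bot: dropping `-n` makes `flock -x 200` block until the lock is released, so the `if [ $? -ne 0 ]` / "Cache repository is busy." branches that follow it in lxc-debian, lxc-fedora, lxc-lenny, lxc-opensuse and lxc-ubuntu are now effectively dead: flock returns non-zero only on a real error (for example the lock file not being openable), and that case now prints a misleading message. Either change the message to "failed to lock cache" or use `flock -w <seconds> -x 200` to keep a bounded wait and a meaningful "busy" diagnostic. lxc-ubuntu-cloud has no error branch after `flock` at all, so a failure there goes unnoticed.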
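Review bot: in the lxc-clone hunk, the guard `grep -q "^send host-name.*hostname"` skips the `sed` whenever the word `hostname` appears anywhere after `send host-name`, which covers the `gethostname()` placeholder from the description but also a hardcoded value such as `send host-name myhostname;`, so a clone of such a container keeps the source container's name. Match the placeholders quoted in the description literally rather than `.*hostname`. The `sed "s/send host-name.*$/send host-name $hostname;/"` on the next line still interpolates `$hostname` unescaped, so a name containing `/` or `&` corrupts dhclient.conf; validate or escape the name before substituting.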
@@ -0,0 +1,28 @@ +Description: Use dpkg --add-architecture in lxc-ubuntu + When a container has dpkg >= 1.16.2, use dpkg --add-architecture + for multi-arch configuration on foreign architecture containers. +Author: Stéphane Graber +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1017862 + +--- +Origin: vendor +Forwarded: no + +--- lxc-0.8.0~rc1.orig/templates/lxc-ubuntu.in ++++ lxc-0.8.0~rc1/templates/lxc-ubuntu.in +@@ -474,8 +474,13 @@ post_process() + + # If the container isn't running a native architecture, setup multiarch + if [ -x "$(ls -1 ${rootfs}/usr/bin/qemu-*-static 2>/dev/null)" ]; then +- mkdir -p ${rootfs}/etc/dpkg/dpkg.cfg.d +- echo "foreign-architecture ${hostarch}" > ${rootfs}/etc/dpkg/dpkg.cfg.d/lxc-multiarch ++ dpkg_version=$(chroot $rootfs dpkg-query -W -f='${Version}' dpkg) ++ if chroot $rootfs dpkg --compare-versions $dpkg_version ge "1.16.2"; then ++ chroot $rootfs dpkg --add-architecture ${hostarch} ++ else ++ mkdir -p ${rootfs}/etc/dpkg/dpkg.cfg.d ++ echo "foreign-architecture ${hostarch}" > ${rootfs}/etc/dpkg/dpkg.cfg.d/lxc-multiarch ++ fi + + # Save existing value of MIRROR and SECURITY_MIRROR + DEFAULT_MIRROR=$MIRROR diff -Nru lxc-0.7.5/debian/patches/0091-fix-dev-shm-check lxc-0.7.5/debian/patches/0091-fix-dev-shm-check --- lxc-0.7.5/debian/patches/0091-fix-dev-shm-check 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0091-fix-dev-shm-check 2012-08-24 16:08:19.000000000 +0000 
@@ -0,0 +1,44 @@ +Description: Fix /dev/shm workaround to only trigger when /dev/shm is a directory +Author: Stéphane Graber + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/launchpad/+bug/974584 +Forwarded: no + +Index: lxc/templates/lxc-ubuntu.in +=================================================================== +--- lxc.orig/templates/lxc-ubuntu.in 2012-07-26 13:07:32.000000000 -0400 ++++ lxc/templates/lxc-ubuntu.in 2012-07-26 13:11:20.604099863 -0400 +@@ -503,9 +503,8 @@ + # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did + # get bind mounted to the host's /run/shm. So try to rmdir + # it, and in case that fails move it out of the way. +- if [ -d $rootfs/run/shm ]; then +- [ -d "$rootfs/dev/shm" ] && rmdir $rootfs/dev/shm +- [ -e "$rootfs/dev/shm" ] && mv $rootfs/dev/shm $rootfs/dev/shm.bak ++ if [ ! -L $rootfs/dev/shm ] && [ -d $rootfs/run/shm ] && [ -e $rootfs/dev/shm ]; then ++ mv $rootfs/dev/shm $rootfs/dev/shm.bak + ln -s /run/shm $rootfs/dev/shm + fi + } +Index: lxc/templates/lxc-ubuntu-cloud.in +=================================================================== +--- lxc.orig/templates/lxc-ubuntu-cloud.in 2012-07-26 13:26:28.134423000 -0400 ++++ lxc/templates/lxc-ubuntu-cloud.in 2012-07-26 13:27:40.772127204 -0400 +@@ -96,13 +96,12 @@ + sysfs sys sysfs defaults 0 0 + EOF + +- # rmdir /dev/shm in precise containers. ++ # rmdir /dev/shm for containers that have /run/shm + # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did + # get bind mounted to the host's /run/shm. So try to rmdir + # it, and in case that fails move it out of the way. +- if [ $release = "precise" ]; then +- [ -d "$rootfs/dev/shm" ] && rmdir $rootfs/dev/shm +- [ -e "$rootfs/dev/shm" ] && mv $rootfs/dev/shm $rootfs/dev/shm.bak ++ if [ ! 
-L $rootfs/dev/shm ] && [ -d $rootfs/run/shm ] && [ -e $rootfs/dev/shm ]; then ++ mv $rootfs/dev/shm $rootfs/dev/shm.bak + ln -s /run/shm $rootfs/dev/shm + fi + diff -Nru lxc-0.7.5/debian/patches/0201-fix-mkdir-race lxc-0.7.5/debian/patches/0201-fix-mkdir-race --- lxc-0.7.5/debian/patches/0201-fix-mkdir-race 1970-01-01 00:00:00.000000000 +0000 +++ lxc-0.7.5/debian/patches/0201-fix-mkdir-race 2012-08-24 16:08:33.000000000 +0000 @@ -0,0 +1,24 @@ +Description: if mkdir fails with -EEXIST, let it be. +Author: Serge Hallyn +Forwarded: yes + +Index: lxc/src/lxc/cgroup.c +=================================================================== +--- lxc.orig/src/lxc/cgroup.c 2012-08-24 10:51:33.375144000 -0500 ++++ lxc/src/lxc/cgroup.c 2012-08-24 10:59:42.293491913 -0500 +@@ -357,9 +357,12 @@ + } + + /* if /sys/fs/cgroup///lxc does not exist, create it */ +- if (access(cgparent, F_OK) && mkdir(cgparent, 0755)) { +- SYSERROR("failed to create '%s' directory", cgparent); +- return -1; ++ if (access(cgparent, F_OK)) { ++ ret = mkdir(cgparent, 0755); ++ if (ret == -1 && errno == EEXIST) { ++ SYSERROR("failed to create '%s' directory", cgparent); ++ return -1; ++ } + } + + /* diff -Nru lxc-0.7.5/debian/patches/series lxc-0.7.5/debian/patches/series --- lxc-0.7.5/debian/patches/series 2012-04-16 16:59:22.000000000 +0000 +++ lxc-0.7.5/debian/patches/series 2012-08-24 16:08:58.000000000 +0000 
@@ -84,3 +84,18 @@ 0071-ubuntu-cloud-fix-image-extraction 0072-lxc-shutdown-help 0073-lxc-destroy-waits-before-destroy +0074-fix-sprintfs +0075-execute-without-rootfs +0078-lxc-clone-quote-line +0082-umount-old-proc +0081-fix-multiarch-install +0083-always-close-all-fds.patch +0083-ubuntu-simplify-template +0085-pivot-dir +0086-lxc-unshare-zero-args +0087-lxc-ls-dash +0088-ubuntu-template-flock +0089-clone-no-dhclient.conf-update-when-not-hardcoded +0090-lxc-ubuntu-use-dpkg-add-architecture +0091-fix-dev-shm-check +0201-fix-mkdir-race diff -Nru lxc-0.7.5/debian/rules lxc-0.7.5/debian/rules --- lxc-0.7.5/debian/rules 2012-03-29 15:32:34.000000000 +0000 +++ lxc-0.7.5/debian/rules 2012-08-24 16:08:19.000000000 +0000 @@ -14,9 +14,15 @@ cp debian/lxc-containers.apparmor debian/lxc/etc/apparmor.d/lxc-containers cp debian/lxc-default.apparmor debian/lxc/etc/apparmor.d/lxc/lxc-default if [ -x /usr/bin/dh_apparmor ]; then \ - dh_apparmor --profile-name=usr.bin.lxc-start; \ + dh_apparmor -p lxc --profile-name=usr.bin.lxc-start; \ fi + # copy apport hook + mkdir -p debian/lxc/usr/share/apport/package-hooks + cp debian/lxc.apport debian/lxc/usr/share/apport/package-hooks/source_lxc.py dh_install --fail-missing + # copy dnsmasq configuration + mkdir -p debian/lxc/etc/dnsmasq.d + cp debian/lxc.dnsmasq debian/lxc/etc/dnsmasq.d/lxc # removing useless files rm -f debian/lxc/usr/lib/lxc/templates/lxc-lenny
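Review bot: in the four 0088-ubuntu-template-flock hunks, dropping `-n` makes `flock -x 200` block until the lock is free, so the `if [ $? -ne 0 ]; then echo "Cache repository is busy."` branch kept under it is now reachable only when flock itself fails (for example fd 200 not being open), and its message no longer describes what happened; either reword it to say the lock could not be acquired or use `flock -w <seconds> -x 200` so a wedged lock holder cannot hang every later lxc-create forever. The lxc-ubuntu-cloud.in hunk has no status check after `flock -x 200` at all, so a flock failure there proceeds straight into `cd $cache` without the lock.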
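Review bot: the guard added in the lxc-clone.in hunk of 0089, `grep -q "^send host-name.*hostname"`, treats any host-name line that merely contains the substring "hostname" as a placeholder, so a container whose hardcoded value happens to include that word (for example `send host-name "myhostname";`) is silently skipped on clone; match the two placeholder forms the Description names literally (the quoted placeholder token and `gethostname()`) instead of the bare word. Separately, the `Bug-Ubuntu:` header of 0089 carries the same URL as 0090 (https://bugs.launchpad.net/bugs/1017862), which is the multiarch bug, so it appears to have been copied over and should point at the dhclient.conf bug.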
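Review bot: the DEP-3 header of 0090-lxc-ubuntu-use-dpkg-add-architecture has a bare `---` line between `Bug-Ubuntu:` and `Origin: vendor`; that separator ends the header, so `Origin` and `Forwarded` are parsed as patch body rather than metadata and should move above it. The `---`/`+++` paths also name `lxc-0.8.0~rc1/templates/lxc-ubuntu.in` while this package is 0.7.5; quilt strips the first component so it applies, but regenerating against the 0.7.5 tree keeps the `@@ -474,8 +474,13 @@ post_process()` offsets honest. In the hunk itself, quote the variable in `dpkg --compare-versions "$dpkg_version" ge "1.16.2"`: when `dpkg-query` fails in the chroot the unquoted form collapses to two arguments and only lands in the `else` branch by accident of an argument-count error.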
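Review bot: both hunks of 0091-fix-dev-shm-check fold `[ -e $rootfs/dev/shm ]` into the condition that also guards `ln -s /run/shm $rootfs/dev/shm`, so a rootfs that has /run/shm but no /dev/shm at all no longer gets the symlink, whereas before the `ln -s` ran whenever the outer test passed; keep the `-e` test on the `mv` line only (`[ -e $rootfs/dev/shm ] && mv $rootfs/dev/shm $rootfs/dev/shm.bak`) and let the symlink creation run for every non-symlink case. The comment above each hunk ("So try to rmdir it, and in case that fails move it out of the way") is now stale because the rmdir attempt was removed, and on a second run `mv` onto an existing `shm.bak` directory nests the old directory inside it rather than replacing it.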
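Review bot: the condition in the cgroup.c hunk of 0201-fix-mkdir-race is inverted: `if (ret == -1 && errno == EEXIST)` raises SYSERROR and returns -1 in exactly the EEXIST case the Description says to tolerate, while every other mkdir failure (EACCES, ENOENT, EROFS) is now ignored and execution continues as if the cgroup parent existed; it should read `if (ret == -1 && errno != EEXIST)`. The hunk also uses `ret` without a declaration in the visible context, so confirm it is declared as an int in that function and that errno.h is included, and with `Forwarded: yes` the header should cite where upstream the fix was sent.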
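Review bot: the debian/patches/series hunk lists `0082-umount-old-proc` before `0081-fix-multiarch-install` and has two entries with the 0083 prefix (`0083-always-close-all-fds.patch` and `0083-ubuntu-simplify-template`), one of them alone carrying a `.patch` suffix; quilt applies in file order so this is cosmetic, but renumbering so the prefix reflects application order and using one naming convention avoids confusion when the next patch is added.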
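Review bot: in the debian/rules hunk the apport hook and the dnsmasq fragment are installed by hand with `mkdir -p`/`cp`, one before and one after `dh_install --fail-missing`, so neither is covered by the `--fail-missing` audit and a wrong path surfaces only as a cp error; group both copies together (or move them into the package's install file where no rename is needed) so the install steps are in one place. Because `debian/lxc/etc/dnsmasq.d/lxc` lands under /etc it becomes a conffile automatically, and /etc/dnsmasq.d is read only when dnsmasq is installed, so check that debian/control declares the corresponding dependency or recommends.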