diff -pruN 1:5.0.1-1/debian/changelog 1:5.0.1-0ubuntu6/debian/changelog --- 1:5.0.1-1/debian/changelog 2022-08-01 20:46:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/changelog 2023-01-19 23:53:14.000000000 +0000 @@ -1,2149 +1,4201 @@ -lxc (1:5.0.1-1) unstable; urgency=medium +lxc (1:5.0.1-0ubuntu6) lunar; urgency=medium - * Team upload + * debian/control: add libcap-dev, libselinux1-dev, and libseccomp-dev to + depends for liblxc-dev, to fix go-lxc autopktest failure. - [ Mathias Gibbens ] - * New upstream release 5.0.1 (Closes: #1005099, #1010843, #1006353) - - Switch to meson build system and update d/rules as needed - - Update Build-Depends and Depends in d/control - - Drop patches no longer needed / applied upstream - - Add patch to fix installed location of libpam_cgfs.so - - Update d/liblxc-common.lintian-overrides - - Update d/liblxc1.symbols + -- Serge Hallyn Thu, 19 Jan 2023 17:53:14 -0600 - [ Antonio Terceiro ] - * debian/rules: drop handling of bash completion links +lxc (1:5.0.1-0ubuntu5) lunar; urgency=medium - [ Pierre-Elliott Bécue ] - * Apply Janitor's changes on d/control constraints. - * Fix debian/liblxc1.symbols - * d/p/0004: Add a patch to make systemd security features working in nesting - apparmor profile. - This can cause security risks in privileged containers, so it's only in - nesting profile. (Closes: #995350) - - -- Mathias Gibbens Mon, 01 Aug 2022 22:46:52 +0200 - -lxc (1:4.0.11-1) unstable; urgency=medium - - * Backporting changes from experimental to unstable - * d/control: Move from Conflicts + Breaks to Breaks + Replaces - - -- Pierre-Elliott Bécue Mon, 14 Feb 2022 00:22:35 +0100 - -lxc (1:4.0.11-1~exp4) experimental; urgency=medium - - * d/copyright: Clean the mess and extract as much as possible from the files - in the repo (Closes: #1004978) - * wrap-and-sort - - -- Pierre-Elliott Bécue Fri, 04 Feb 2022 23:06:35 +0100 - -lxc (1:4.0.11-1~exp3) experimental; urgency=medium - - * d/control: Update the dependency of lxc from liblxc1 to liblxc-common. - - -- Pierre-Elliott Bécue Wed, 02 Feb 2022 22:37:20 +0100 - -lxc (1:4.0.11-1~exp2) experimental; urgency=medium - - * d/control: - - Fix some architecture screwups on liblxc-common - * d/{liblxc-common,lxc}.install: Move /usr/lib/*/lxc/rootfs to the former - - -- Pierre-Elliott Bécue Sat, 29 Jan 2022 11:10:23 +0100 - -lxc (1:4.0.11-1~exp1) experimental; urgency=medium - - [ Pierre-Elliott Bécue ] - * New upstream release 4.0.11 - * d/control: - - Remove bridge-utils from lxc's dependencies and prioritize nftables over - iptables as a firewalling dependency (Closes: #908050) - - Bumps Standards-Version to 4.6.0 - * Create a new binary package liblxc-common to host the shared components - needed by both bin:lxc and a potential future bin:lxd (Closes: #1002564) - * d/liblxc1.symbols: updated - * d/README.Debian: fix a misleading comment - * d/copyright: updated years, and added missing copyright holders - - [ Antonio Terceiro ] - * d/rules: re-enable installation of lxc-top (Closes: #1003591) - - [ Diederik de Haas ] - * d/lxc.postinst: replace the use of which by a call to command -v - - -- Pierre-Elliott Bécue Fri, 28 Jan 2022 20:23:34 +0100 - -lxc (1:4.0.10-2) unstable; urgency=medium - - [ Antonio Terceiro ] - * debian/rules: re-enable installation of lxc-top (Closes: #1003591) - * Drop dependency on bridge-utils (Closes: #1004733) - * lxc-net: don't start by default inside lxc - * autopkgtest: add basic create/destroy test - - [ Diederik de Haas ] - * Replace deprecated 'which' with 'command -v' - - -- Antonio Terceiro Wed, 02 Feb 2022 15:45:10 -0300 - -lxc (1:4.0.10-1) unstable; urgency=medium - - * New upstream version 4.0.10 - - Builds fine against autoconf 2.70 (Closes: #978862) - * Refresh patches. - 0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch dropped, applied - upstream. - * Update debian/liblxc1.symbols - - -- Antonio Terceiro Fri, 27 Aug 2021 09:15:30 -0300 - -lxc (1:4.0.6-2) unstable; urgency=medium - - * d/contrib/lxc-net: Add a commented dnsmasq reference for the users to be - able to use this configuration if needed. - * d/contrib/bin/lxc-unpriv-{start,attach} helper scripts to make - unprivileged containers easier to start manually - * d/README.Debian: Added some intel about how to handle properly - unprivileged containers and systemd user sessions, and potential - filesystem ACL issues/implications - (Closes: #989317, 987293) - * d/p/0007: Makes the containers able to have /proc/sys/net rw - (Closes: #981980) - - -- Pierre-Elliott Bécue Fri, 11 Jun 2021 21:43:41 +0200 - -lxc (1:4.0.6-1) unstable; urgency=medium - - * New upstream version 4.0.6 - * Refresh patches; drop patches applied upstream - * Remove unreliable test for unprivileged containers - * Move lxc-net dependencies from Recommends to Depends - - Moved from Recommends: to Depends bridge-utils, dnsmasq-base, - iptables, iproute2 - - Recommends: drop nftables; lxc-net uses iptables only, and nothing in - lxc even references nftables. - * Document and add new autopkgtest for unprivileged containers - * Recommends: add wget, needed by the download template - - -- Antonio Terceiro Sun, 31 Jan 2021 14:29:40 -0300 - -lxc (1:4.0.5-2) unstable; urgency=medium - - * Add upstream patch to fix reboots in autopkgtest under cgroupv2 - (Closes: #978425) - - -- Antonio Terceiro Wed, 30 Dec 2020 10:17:51 -0300 - -lxc (1:4.0.5-1) unstable; urgency=medium - - * New upstream version 4.0.5 - * Refresh patches; drop patches already applied upstream - * Add upstream patch to fix container startup on Linux 5.10 (Closes: #977923) - * liblxc1.symbols: update - - -- Antonio Terceiro Tue, 22 Dec 2020 21:50:20 -0300 - -lxc (1:4.0.4-6) unstable; urgency=medium - - * autopkgtest: switch unpriv test to the new Architecture: field - - -- Antonio Terceiro Wed, 28 Oct 2020 16:59:41 -0300 - -lxc (1:4.0.4-5) unstable; urgency=medium - - * Team upload. - * d/tests/unpriv: skip on arm64 as the test (right now) only works on amd64 - - -- Johannes 'josch' Schauer Fri, 02 Oct 2020 21:34:46 +0200 - -lxc (1:4.0.4-4) unstable; urgency=medium - - * d/tests/unpriv: Adds dnsmasq-base to the qemu VM filesystem hosting the - unprivileged containers tested - - -- Pierre-Elliott Bécue Thu, 01 Oct 2020 18:54:52 +0200 - -lxc (1:4.0.4-3) unstable; urgency=medium - - * d/p/0007: patch to avoid compilers complaints regarding short writes in - the cgroup cgfsng, mitigating security risks of a buffer overrun. - * d/control: For liblxc1: demote cgroupfs-mount | systemd from Depends to - Suggests. Closes: #968404 - - -- Pierre-Elliott Bécue Fri, 25 Sep 2020 14:12:38 +0200 - -lxc (1:4.0.4-2) unstable; urgency=medium - - * d/p/0005: patch to avoid lxc_stop failure if cgroup unfreeze fails - Closes: #961584 - * d/lxc.lintian-overrides: Drop postinst-has-useless-call-to-ldconfig which - is not a valid tag anymore - - -- Pierre-Elliott Bécue Sat, 19 Sep 2020 23:18:02 +0200 - -lxc (1:4.0.4-1) unstable; urgency=medium - - * New upstream release 4.0.4-1 - Closes: #969229, #966998 - * d/p/0003: Remove obsolete configurations from lxc.service. - Closes: #968169 - * d/liblxc1.symbols: updated - * d/lxc-test.lintian-overrides updated - - -- Pierre-Elliott Bécue Sat, 05 Sep 2020 23:21:40 +0200 - -lxc (1:4.0.2-1) unstable; urgency=medium - - * Rebuild for unstable - - [ Pierre-Elliott Bécue ] - * Enable lxc-test-apparmor in autopkgtest (Closes: #958406) - * Bump debhelper-compat level to 13 - * Add a debian-branch entry in debian/gbp.conf - - [ Antonio Terceiro ] - * Enable LXC networking by default - - [ Johannes Schauer ] - * Add autopkgtest testing unprivileged containers - - [ Camaleón ] - * Add Spanish translation for the Debconf template (Closes: #959080) - - -- Pierre-Elliott Bécue Mon, 25 May 2020 18:15:10 +0200 - -lxc (1:4.0.2-1~1) experimental; urgency=medium - - * New upstream release 4.0.2 (Closes: #956014) - - CGroup2 support (Closes: #944389, #946172, #947335) - - Infrastructure for system call interception - - PIDfd support - - Improved network handling - - Hardening and refactoring throughout the codebase, fixing very many issues - - + Patches rebased accordingly - * Bump Standards-Version to 4.5.0 - * Labels liblxc1 and libpam-cgfs as Multi-Arch: same - - -- Pierre-Elliott Bécue Sun, 19 Apr 2020 00:31:46 +0200 - -lxc (1:3.1.0+really3.0.4-3) unstable; urgency=medium - - * Apply upstream patch to fix removal of containers that contain imutable - files when using the plain directory backend. - - -- Antonio Terceiro Sat, 11 Apr 2020 17:20:29 -0300 - -lxc (1:3.1.0+really3.0.4-2) unstable; urgency=medium - - * 0009-lxc-attach-make-sure-exit-status-of-command-is-retur.patch: ensure - lxc-attach returns the exit status of executed command (Closes: 934983) - * debian/rules: fix dh_fixperms exception for lxc-user-nic (Closes: #934155) - * debian/liblxc1.symbols: fix versioning information for sha1sum_file - - -- Antonio Terceiro Mon, 19 Aug 2019 21:42:25 -0300 - -lxc (1:3.1.0+really3.0.4-1.1) unstable; urgency=medium - - * Non-maintainer upload. - * cgroups: Properly handle cpuset initialization - d/p/0007: cgroups: hande cpuset initialization race - d/p/0008: cgroups: initialize cpuset properly - (Closes: #934387) - - -- Salvatore Bonaccorso Wed, 14 Aug 2019 16:40:03 +0200 - -lxc (1:3.1.0+really3.0.4-1) unstable; urgency=medium - - * New upstream release 3.0.4 - + Drop patches 0004 and 0005 as the fix for runC CVE-2019-5736 is now - upstream. - + Fixes lxc-cgroup giving no output. (Closes: #929926) - * d/p/0004: Prevent access to /proc/acpi via apparmor. (Closes: #906805) - * d/p/0005: lxc.service: starts after remote-fs.target to avoid some - failures for containers with their FS accessible via a remote fs - * d/p/0006: Strips a non-expanded tag from lxc.pc.in - * d/control: - - Bump Standards-Version to 4.4.0 - - Update debheler-compat to 12 - * d/rules: Drop dh_strip override as it's not needed anymore. - - -- Pierre-Elliott Bécue Tue, 06 Aug 2019 15:33:36 +0200 - -lxc (1:3.1.0+really3.0.3-8) unstable; urgency=medium - - * d/control: - - bin:lxc sets AppArmor as a Recommend instead of a Dependency - * d/README.Debian: - - Update the documentation to explain how to manage containers not - starting if AppArmor is missing. - - -- Pierre-Elliott Bécue Sun, 14 Apr 2019 15:46:47 +0200 - -lxc (1:3.1.0+really3.0.3-7) unstable; urgency=medium - - * d/control: - - Add a dependency to AppArmor for lxc package as the default.conf file - includes an AppArmor profile. - * d/{NEWS,README.Debian}: - - Add appropriate documentation for unprivileged containers - (Closes: #925899) - - -- Pierre-Elliott Bécue Tue, 09 Apr 2019 02:03:05 +0200 - -lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium - - * d/patches/0005: Tweaks the 0004 patch for CVE-2019-5736 (Closes: #923932) - * d/NEWS: summary of the important changes since LXC2. - - -- Pierre-Elliott Bécue Sat, 09 Mar 2019 15:49:21 +0100 - -lxc (1:3.1.0+really3.0.3-5) unstable; urgency=medium - - [ Christian Kastner ] - * /etc/default/lxc.conf Change back to lxc.net.0.type - (Closes: #923395) - - [ Frans Spiesschaert ] - * debian/po/nl.po: Add Dutch translation of debconf messages - (Closes: #923328) - - -- Antonio Terceiro Sat, 02 Mar 2019 12:33:08 -0300 - -lxc (1:3.1.0+really3.0.3-4) unstable; urgency=medium - - [ Lev Lamberov ] - * d/po/ru.po: Add russian translation for debconf templates (Closes: #920916) - - [ Américo Monteiro ] - * d/po/pt.po: Add portuguese translation for debconf templates (Closes: - #919221) - - [ Adriano Rafael Gomes ] - * d/po/pr_BR.po: Add brazilian portuguese translation for debconf templates - (Closes: #920543) - - [ Pierre-Elliott Bécue ] - * d/patches/0004: Import the fix for CVE-2019-5736. (Closes: #922169) - - -- Pierre-Elliott Bécue Sat, 16 Feb 2019 16:21:41 +0100 - -lxc (1:3.1.0+really3.0.3-3) unstable; urgency=medium - - * d/lxc.postinst: - - Add a fallback method to handle the cases where apparmor_parser may - fail while present. (nested virt or whatever else) (Closes: #921667) - * d/patches: - - Backports 3 patches from lxc 3.1 to have Apparmor confinement working - properly with systemd 240. (Closes: #916639) - * d/tests/exercise: - - Update the configuration to match lxc 3 standards - * d/contrib/default.conf: - - Provide a minimalist default.conf including appropriate apparmor - parameters. - - -- Pierre-Elliott Bécue Mon, 11 Feb 2019 23:03:53 +0100 - -lxc (1:3.1.0+really3.0.3-2) unstable; urgency=medium - - [ Chris Leick ] - * d/po/de.po: - - Added German Debconf translation (Closes: #916263) - - [ Pierre-Elliott Bécue ] - * d/lxc.postinst: - - Add a call to apparmor_parser if present to ensure lxc containers work - with apparmor after an upgrade. (Closes: #918842) - - Add a check to make sure we're on a proper upgrade or a proper install - to decide whether or not some code blocks are executed. - * d/lxc.config: - - Asks for the upgrade of configuration only when lxc is actually upgraded - and not installed. - - -- Pierre-Elliott Bécue Fri, 11 Jan 2019 01:12:41 +0100 - -lxc (1:3.1.0+really3.0.3-1) unstable; urgency=medium - - * Rollback to version 3.0.3 as this is a LTS release. - * Revert symbols file. - * d/control: - - Bump Standards-Version to 4.3.0 - - -- Pierre-Elliott Bécue Thu, 10 Jan 2019 23:26:47 +0100 - -lxc (1:3.1.0-1) unstable; urgency=medium - - [ Pierre-Elliott Bécue ] - * New upstream release 3.1.0 - - [ Shengjing Zhu ] - * d/liblxc1.symbols: Fix liblxc1 symbol version, missing the Debian epoch. - Closes: #916362 - - -- Pierre-Elliott Bécue Sat, 22 Dec 2018 22:56:16 +0100 - -lxc (1:3.0.3-1) unstable; urgency=medium - - * New upstream version: 3.0.3 - * d/liblxc1.symbols: Updated symbols table - * d/lxc.postinst: no absolute path for lxc-update-config (it's in the PATH) - * d/copyright: remove statement for src/includes/ifaddrs.{c, h} as they're - not shipped anymore - * Release to unstable. - - -- Pierre-Elliott Bécue Tue, 04 Dec 2018 08:04:18 +0100 - -lxc (1:3.0.2-1~exp+4) experimental; urgency=medium - - * d/rules: strip unnecessary DPKG_EXPORT_BUILDFLAGS and include that are not - needed since dh compat 9 - * d/templates, d/po/*: updated templates and translation - * d/lxc.config: refactor the config script a little - - -- Pierre-Elliott Bécue Thu, 29 Nov 2018 22:24:03 +0100 - -lxc (1:3.0.2-1~exp+3) experimental; urgency=medium - - * d/control: - - Update Recommends to suggest more recent tools. - Replaces iptables => nftables | iptables - Add iproute2 for more precise bridge manipulation - * d/lxc{.config,.postinst}, d/templates, d/po/* - - Implement a maintainer script allowing an auto-upgrade of lxc - configuration files - - -- Pierre-Elliott Bécue Thu, 29 Nov 2018 01:07:02 +0100 - -lxc (1:3.0.2-1~exp+2) experimental; urgency=medium - - * d/control: - - Add explicit Recommend on lxc-templates - - Version the Recommends - - Update the Breaks on liblxc1 - - Add myself to uploaders - - -- Pierre-Elliott Bécue Sun, 18 Nov 2018 23:57:26 +0100 - -lxc (1:3.0.2-1~exp+1) experimental; urgency=medium - - * Team upload - * New upstream release: 3.0.2 - * d/p/000[1-3]*: - - Dropped because Debian template got out of lxc release - * d/p/000[4-7]*: - - Upstream fixes taken into account into this release - * d/control: - - Drop packages lua-lxc and python3-lxc, as they got extracted from there - by upstream - - Raise debhelper dependency to 11 - - Bump Standards-Version to 4.2.1. No change required - - Update VCS fields - - Add libpam-cgfs that was previously in src:lxcfs - * d/compat raised to 11 - * d/copyright: - - Use HTTPS url for the copyright format link - - Updated copyrights - * d/watch: - - Updated version and regex - * d/libpam-cgfs* d/pam-cgfs.config added with pam-cgfs inclusion in the - package - * d/liblxc1.symbols added - - -- Pierre-Elliott Bécue Sat, 17 Nov 2018 09:23:20 +0100 - -lxc (1:2.0.9-7) unstable; urgency=medium - - * debian/rules: pass --disable-werror to ./configure. Fixes FTBFS against - python3 3.7 - - -- Antonio Terceiro Tue, 27 Nov 2018 14:53:56 -0200 - -lxc (1:2.0.9-6.2) unstable; urgency=medium - - * Non-maintainer upload. - * autodev: adapt to changes in Linux 4.18 (Closes: #908223) - - -- Salvatore Bonaccorso Mon, 22 Oct 2018 23:18:55 +0200 - -lxc (1:2.0.9-6.1) unstable; urgency=medium - - * Non-maintainer upload. - * utils: add LXC_PROC_PID_FD_LEN - * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586) - - -- Salvatore Bonaccorso Wed, 29 Aug 2018 15:22:46 +0200 - -lxc (1:2.0.9-6) unstable; urgency=medium - - * 0004-debian-Use-iproute2-instead-of-iproute.patch: fix creation of - containers after the iproute binary has been removed. - - -- Antonio Terceiro Sat, 27 Jan 2018 12:44:36 -0200 - -lxc (1:2.0.9-5) unstable; urgency=medium - - * Drop installation of disable-apparmor.conf. The issue that prevented lxc - containers from starting with apparmor was fixed in apparmor 2.11.1-4. - * debian/rules: drop --with autotools_dev in favor of debhelper built-in - support for updating autotools files during build - * Bump Standards-Version to 4.1.2; no changes needed - * Drop debian/lxc-dev.lintian-overrides; false positive has been fixed in - lintian. - - -- Antonio Terceiro Tue, 19 Dec 2017 10:02:34 -0200 - -lxc (1:2.0.9-4) unstable; urgency=medium - - * Install disable-apparmor.conf disabling apparmor for all containers, until - we can make it work. See #880502 - - -- Antonio Terceiro Thu, 02 Nov 2017 12:49:57 -0200 - -lxc (1:2.0.9-3) unstable; urgency=medium - - * 0002-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch: don't add - C.UTF-8 to /etc/locale.gen (Closes: #879595) - * 0003-lxc-debian-don-t-hardcode-valid-releases.patch: don't hardcode list - of valid Debian releases - - -- Antonio Terceiro Sat, 28 Oct 2017 09:12:47 -0200 - -lxc (1:2.0.9-2) unstable; urgency=medium - - * Add patch 0001-lxc-debian-allow-creating-testing-and-unstable.patch to - allow creating `testing` and `unstable` containers. - - -- Antonio Terceiro Thu, 26 Oct 2017 20:50:14 -0200 - -lxc (1:2.0.9-1) unstable; urgency=medium - - [ Evgeni Golov ] - * New upstream version 2.0.9 - * track LTS release - * drop use-lxc-stop-to-stop-systemd-service.patch, applied upstream - * drop cgroups-workaround-gcc-7-bug.patch, applied upstream - * drop the symbols file again - - [ Nicholas D Steeves ] - * Update Suggests: btrfs-tools to btrfs-progs (Closes: #878908) - - -- Evgeni Golov Sat, 21 Oct 2017 17:20:45 +0200 - -lxc (1:2.0.8-3) unstable; urgency=medium - - * Rebuild against python 3.6 (Closes: #878246) - * Drop build-dependency on the deprecated dh-systemd package - * Bump Standards-Version to 4.1.1; no changes needed - * Add symbols file for liblxc1 - - -- Antonio Terceiro Wed, 11 Oct 2017 19:57:54 -0300 - -lxc (1:2.0.8-2) unstable; urgency=medium - - * Add cgroups-workaround-gcc-7-bug.patch from upstream to make lxc build - against gcc 7 (Closes: #853531) - - -- Antonio Terceiro Fri, 25 Aug 2017 18:20:29 -0300 - -lxc (1:2.0.8-1) unstable; urgency=medium - - [ Evgeni Golov ] - * New upstream version 2.0.8 - + Make lxc-net return non-zero on failure (Closes: #854591) - * drop old patches, all were cherry-picks from upstream - * Use lxc-stop to stop systemd service (Closes: #863850) - - [ Baptiste Jonglez ] - * Increase the maximum number of inotify listeners (Closes: #860974) - - -- Evgeni Golov Sun, 18 Jun 2017 15:33:06 +0200 - -lxc (1:2.0.7-2) unstable; urgency=high - - * use bash-completion's pkg-config support and don't move files around - * ignore lxc-test-cloneconfig if kernel has no overlay support - * CVE-2017-5985: Ensure target netns is caller-owned (Closes: #857295) - - -- Evgeni Golov Sat, 11 Mar 2017 09:47:20 +0100 - -lxc (1:2.0.7-1) unstable; urgency=medium - - * New upstream version 2.0.7 - + Closes: #847909, #847894, #847466 - - -- Evgeni Golov Mon, 23 Jan 2017 22:03:24 +0100 - -lxc (1:2.0.6-1) unstable; urgency=high - - * New upstream version 2.0.6 - + attach: do not send procfd to attached process - Closes: #845465 - CVE-2016-8649 - * liblxc1: add depends on cgroupfs-mount | systemd (Closes: #844086) - * drop patches applied/imported upstream - * debian/tests: add iptables to tests depends - - -- Evgeni Golov Thu, 24 Nov 2016 08:07:02 +0100 - -lxc (1:2.0.5-3) unstable; urgency=medium - - * add python3:Depends for lxc, so it gets a depends on python3 - * lxc-tests replace lxc-dev, not lxc - * add a lintian override that the tests do not have a manpage - * register lxc-dev docs with doc-base - * add lintian override for ldconfig-trigger in lua-lxc - * s/LUA/Lua/g in d/control - - -- Evgeni Golov Sun, 06 Nov 2016 14:33:14 +0100 - -lxc (1:2.0.5-2) experimental; urgency=medium - - * split lua and python3 bindings in their own packages - * split tests into their own package - * only add bash completion links for commands we actually complete - * backport two patches from Ubuntu - * kill all the .la files, we do not need them - * enable ALL the hardening flags - * autopkgtest: only reboot if the memory cgroup is not activated yet - * replace our lxc-dbg package by the autogenerated dbgsym one - - -- Evgeni Golov Sun, 30 Oct 2016 17:59:32 +0100 - -lxc (1:2.0.5-1) unstable; urgency=medium - - * New upstream version 2.0.5 - * drop cgmanager support - it's orphaned and upstream does recommend lxcfs instead - * fix execution of tests on systems which do not have overlay.ko - * add depends on lsb-base, thanks lintian - - -- Evgeni Golov Sat, 08 Oct 2016 14:03:16 +0200 - -lxc (1:2.0.4-1) unstable; urgency=medium - - [ Antonio Terceiro ] - * debian/rules: create symlinks for each lxc-* binary in - /usr/share/bash-completion/completions/ so that bash completion actually - works - - [ Evgeni Golov ] - * Imported Upstream version 2.0.4 - + Uses SIGRTMIN+3 for systemd containers (Closes: #831691, #799541) - + The debian template properly generates locaes (Closes: #806746) - * drop 0020-fix-regression-when-creating-wheezy-containers.patch - * rebase patches ontop of 2.0.4 - * add gnupg and dirmngr to recommends - * improve autopkgtest execution, making most autopkgtest run properly - - -- Evgeni Golov Thu, 25 Aug 2016 19:52:33 +0200 - -lxc (1:2.0.3-1) unstable; urgency=medium - - * Imported Upstream version 2.0.3 - - Fixes Inconsistent settings in lxc@.service (Closes: #826100) - * drop patch hunks that were applied in 2.0.3 - * document how to change passwords in the container (Closes: #829239) - - -- Evgeni Golov Sat, 16 Jul 2016 11:52:47 +0200 - -lxc (1:2.0.1-3) unstable; urgency=medium - - * 0020-lxc-debian-make-sure-init-is-installed.patch: update to fix - regression when creating wheezy containers. - - -- Antonio Terceiro Wed, 29 Jun 2016 15:10:57 -0300 - -lxc (1:2.0.1-2) unstable; urgency=medium - - * 0020-lxc-debian-make-sure-init-is-installed.patch: make sure init is - included in Debian containers, since as of 1.34 it is not Essential - anymore. - - -- Antonio Terceiro Sat, 18 Jun 2016 09:16:43 -0300 - -lxc (1:2.0.1-1) unstable; urgency=medium - - * Imported Upstream version 2.0.1 - * drop patches applied upstream: - * demote apparmor to suggests (Closes: #824120) - - -- Evgeni Golov Sun, 22 May 2016 22:04:19 +0200 - -lxc (1:2.0.0-3) unstable; urgency=medium - - * drop lxcinitdir.patch - * replace all patches by the versions accepted upstream - * cherry-pick fix for creating unpriv container on non-systemd systems - * add gbp.conf - - -- Evgeni Golov Sun, 01 May 2016 13:00:16 +0200 - -lxc (1:2.0.0-2) unstable; urgency=medium - - [ Evgeni Golov ] - * add lxcfs and libpam-cgfs to recommends - * Standards-Version: 3.9.8 - - [ Antonio Terceiro ] - * Refresh patches - * debian/patches/0018-lxc-create-fix-B-best-option.patch: Fix `-B best` - option to lxc-create - - -- Antonio Terceiro Mon, 11 Apr 2016 14:19:45 -0300 - -lxc (1:2.0.0-1) unstable; urgency=medium - - * Imported Upstream version 2.0.0 - * set Maintainer to pkg-lxc, Antonio and me as Uploaders - * re-enable seccomp on almost all arches again - - -- Evgeni Golov Wed, 06 Apr 2016 21:26:24 +0200 - -lxc (1:2.0.0~rc15-1) experimental; urgency=medium - - * Team upload. - - [ Evgeni Golov ] - * Imported Upstream version 2.0.0~rc15 - + Updates supported Debian releases in template (Closes: #816710) - + Does not enable non-free by default anymore (Closes: #793598) - + Uses httpredir.debian.org (Closes: #805085) - * add uidmap to Recommends (Closes: #817796) - * Standards-Version: 3.9.7 - - [ Reiner Herrmann ] - * use the date from the latest changelog entry when building manpages - (Closes: #807837) - - -- Evgeni Golov Sun, 03 Apr 2016 16:09:25 +0200 - -lxc (1:2.0.0~rc13-1) experimental; urgency=medium - - * Team upload. - - [ Antonio Terceiro ] - * debian/tests/control: require isolation-machine to run; the tests can't - run under lxc themselves. - * debian/control: add Vcs-* fields pointing fields to the new repository - location on https://anonscm.debian.org/cgit/pkg-lxc/lxc.git - - [ Evgeni Golov ] - * Add debian/NEWS entry about lxc.aa_allow_incomplete = 1 - Closes: #813954 - * Imported Upstream version 2.0.0~rc13 - * refresh patches for LXC 2.0.0 - * install hooks from /usr/lib too - - -- Evgeni Golov Fri, 25 Mar 2016 16:44:25 +0100 - -lxc (1:1.1.5-1) unstable; urgency=medium - - [ Evgeni Golov ] - * Imported Upstream version 1.1.5 - * drop patches either applied or obsoleted upstream - * refresh patches - * call dh_installinit for lxc-net - * drop useless lintian override - * add autopkgtests from Ubuntu - - fix up some tests for Debian - * add dnsmasq-base to test depends - * debian/watch: updated to look for all LXC releases - * use dh_apparmor - * do not restart LXC on upgrades when using systemd - * build-depend on gnutls-dev - * update Depends/Recommends/Suggests based on the packaging in Ubuntu - * properly pass the systemd unit dir to configure - - [ Antonio Terceiro ] - * 0014-Fix-520-multiple-instances-of-agetty-on-systemd.patch: add - upstream patch to avoid multiple instances of agetty on each console. - - -- Antonio Terceiro Sun, 31 Jan 2016 18:22:40 -0200 - -lxc (1:1.0.8-1) unstable; urgency=medium - - * New upstream release - - Includes fixes for CVE-2015-1335 (Closes: #800471) - - Patches dropped for being already applied upstream: - - CVE-2015-1331.patch - - CVE-2015-1334.patch - - lxc-clone-rsync-hardlinks.patch - - lxc-clone-rsync-capabilities.patch - - big-big-login-delays-in-CentOS-7-systemd.patch - - lxc-debian-skip-security-updates-for-unstable-sid.patch - - lxc-debian-support-stretch-Debian-9-images.patch - - CVE-2015-1335.patch - - Renumbered patches - - Add cgmanager do Recommends:. Without it, lxc will always print a - warning, which seems to be harmless but for example will break - autopkgtest because of the unexpected output to stderr. - * debian/watch: added - * debian/upstream/signing-key.asc: added upstream signing key. - - -- Antonio Terceiro Tue, 24 Nov 2015 19:10:28 -0200 - -lxc (1:1.0.7-12) unstable; urgency=high - - * Added 0025-CVE-2015-1335.patch from the final version of the fix for - CVE_2015-1335 from the Ubuntu package (Closes: #800471) - - -- Antonio Terceiro Fri, 13 Nov 2015 08:37:41 -0200 - -lxc (1:1.0.7-11) unstable; urgency=medium - - * New maintainer (myself) - - Thanks Daniel Baumann for his previous efforts in maintaing lxc - * Added patches (all already applied upstream): - - 0019-big-big-login-delays-in-CentOS-7-systemd.patch - - 0020-Centos7-systemd.patch - - 0022-lxc-debian-skip-security-updates-for-unstable-sid.patch - - 0023-lxc-debian-support-stretch-Debian-9-images.patch - - 0024-lxc-debian-allow-not-including-contrib-non-free.patch - - -- Antonio Terceiro Sun, 08 Nov 2015 10:52:37 -0200 - -lxc (1:1.0.7-10) unstable; urgency=low - - * Adding build-depends to dh-python. - - -- Daniel Baumann Tue, 18 Aug 2015 14:12:31 +0200 - -lxc (1:1.0.7-9) unstable; urgency=low - - * Adjusting breaks (Closes: #795799). - * Correcting email address in previous changelog entry. - - -- Daniel Baumann Mon, 17 Aug 2015 06:42:20 +0200 - -lxc (1:1.0.7-8) unstable; urgency=low - - * Adding patch from upstream to preserve hardlinks in lxc-clone. - * Adding patch from upstream to preserve capabilities in lxc-clone - (Closes: #795422). - - -- Daniel Baumann Sun, 16 Aug 2015 13:46:24 +0200 - -lxc (1:1.0.7-7) unstable; urgency=low - - * Moving shared library to dedicated package for future upload of lxd - (#768073). - * Re-adding lxc-dev which is now allowed again having the shared library - split out (Closes: #774085, #793202). - - -- Daniel Baumann Wed, 12 Aug 2015 18:03:23 +0200 - -lxc (1:1.0.7-6) unstable; urgency=low - - * Using misc:Pre-depends variable instead of hardcoding multiarch- - support. - * Moving bash-completion integration from /etc/bash-completion.d to - /usr/share/bash-completion/completions. - * Dropping obsolete syslog target from systemd service file. - * Adding patch from upstream to fix errors in lxc-debian if dbus is not - installed (Closes: #794207). - * Updating lintian overrides. - - -- Daniel Baumann Wed, 12 Aug 2015 17:25:44 +0200 - -lxc (1:1.0.7-5) unstable; urgency=low - - * Updating homepage field. - * Updating debian copyright string. - * Dropping conditionals for lua-alt-getopt, not needed anymore. - * Dropping enforcing of xz compression, not needed anymore. - * Dropping vcs fields in control for the time being. - - -- Daniel Baumann Wed, 12 Aug 2015 11:09:50 +0200 - -lxc (1:1.0.7-4) unstable; urgency=high - - * Adding backported patch from upstream to prevent an unprivileged user - to use LXC to create arbitrary file on the filesystem [CVE-2015-1331] - (Closes: #793298). - * Adding backported patch from upstream to prevent an user to use LXC - to over-mount /proc which can be used to unconfined code execution - [CVE-2015-1334] (Closes: #793298). - - -- Daniel Baumann Wed, 22 Jul 2015 18:33:48 +0200 - -lxc (1:1.0.7-3) unstable; urgency=low - - * Building with cgmanager (Closes: #773421). - - -- Daniel Baumann Tue, 28 Apr 2015 22:01:41 +0200 - -lxc (1:1.0.7-2) unstable; urgency=low - - * Dropping pre-jessie upgrade handling. - * Dropping pre-jessie conflicts/replaces. - - -- Daniel Baumann Sat, 25 Apr 2015 08:10:48 +0200 - -lxc (1:1.0.7-1) experimental; urgency=low - - * Merging upstream version 1.0.7. - * Removing apparmor.patch, not needed anymore. - * Removing lxc-create-manpage.patch, included upstream. - * Removing lxc-debian-systemd.patch, included upstream. - * Removing lxc-debian-init.patch, included upstream. - * Renumbering patches. - - -- Daniel Baumann Sat, 06 Dec 2014 13:11:57 +0100 - -lxc (1:1.0.6-5) unstable; urgency=low - - * Mounting /sys read-only in lxc-debian to prevent (one way of) escaping - containers (Closes: #770901). - * Adding patch from lxc 1.0.7 to make lxc-debian work with systemd - (Closes: #766216). - * Adding patch from lxc 1.0.7 to make lxc-debian handle switch of - initsystem better. - - -- Daniel Baumann Sat, 06 Dec 2014 13:00:36 +0100 - -lxc (1:1.0.6-4) unstable; urgency=low - - * Marking -t option in lxc-create manpage as required (Closes: #768778). - - -- Daniel Baumann Tue, 11 Nov 2014 19:57:58 +0100 - -lxc (1:1.0.6-3) unstable; urgency=low - - * Preserving setuid on lxc-user-nic (Closes: #764815). - - -- Daniel Baumann Mon, 13 Oct 2014 20:44:15 +0200 - -lxc (1:1.0.6-2) unstable; urgency=low - - * Correcting automatic lua:Suggests generation. - * Adding openssl to recommends since upstreams lxc-debian template - uses openssl for mac generation. - - -- Daniel Baumann Tue, 07 Oct 2014 09:42:36 +0200 - -lxc (1:1.0.6-1) unstable; urgency=low - - * Merging upstream version 1.0.6. - * Refreshing sysvinit-lsb-functions.patch. - * Updating to standards version 3.9.6. - * Setting options for systemd in debian.common.conf (Closes: #761196, - #761197). - - -- Daniel Baumann Mon, 29 Sep 2014 12:04:40 +0200 - -lxc (1:1.0.5-3) unstable; urgency=low - - * Dropping fixes for prefix in systemd unit file, not needed anymore. - * Moving debootstrap to recommends. - * Moving lua to suggests. - * Adding lua suggests for non-debian system. - * Showing warning when lxc is used on systemd with cgroups mounted in - /etc/fstab (Closes: #760357). - - -- Daniel Baumann Thu, 04 Sep 2014 04:30:47 +0200 - -lxc (1:1.0.5-2) unstable; urgency=low - - * Using and build-depending on dh-systemd (Closes: #758628). - * Rewording changelog entry about merging upstream version 1.0.5. - * Marking removal of lxc-top due to missing lua-alt-getopt in rules as - debian only. - * Dropping special handling of lxc-debian on progress-linux. - * Renaming debian-config.patch to lxc-debian-fuse.patch. - * Renaming lxc-sysvinit.patch to sysvinit-directory.patch. - * Renaming lsb-init-headers.patch to sysvinit-lsb-headers.patch. - * Renaming lsb-init-functions.patch to sysvinit-lsb-functions.patch. - * Renaming lxc-init-lock.patch to sysvinit-lsb-lock.patch. - * Renaming lxc-sigint.patch to lxc-attach-sigint.patch. - * Adding references to upstreams bug tracker in all patches. - * Adding patch from Ondřej Surý to change - PermitRootLogin yes to PermitRootLogin without-password in sshd_config - (Closes: #758647). - * Adding patch to set random root password in lxc-debian (Closes: - #758643). - * Removing /etc/default/lxc for upgrades of wheezy to jessie (Closes: - #758800). - - -- Daniel Baumann Thu, 21 Aug 2014 15:54:58 +0200 - -lxc (1:1.0.5-1) unstable; urgency=low - - * Due to 'popular demand', dropping Debian custom additions and shipping - an (almost) vanilla lxc package in Debian from now on. - * Removing Jonas from uploaders, thanks for your past support. - * Dropping lxc-dev, according to ftp-master this is not acceptable - anymore without having split out library package. - * Merging upstream version 1.0.5 (Closes: #757326). - * Refreshing lsb-init-functions.patch. - * Refreshing debian-config.patch. - * Adding debootstrap to suggests. - - -- Daniel Baumann Sun, 10 Aug 2014 12:55:27 +0200 - -lxc (1.1.0~alpha1-5) unstable; urgency=low - - * Updating default mirrors in preseed files. - - -- Daniel Baumann Tue, 29 Jul 2014 00:02:50 +0200 - -lxc (1.1.0~alpha1-4) unstable; urgency=low - - * Correcting syntax typo in lxc-stuff postinst. - - -- Daniel Baumann Tue, 22 Jul 2014 16:16:29 +0200 - -lxc (1.1.0~alpha1-3) unstable; urgency=low - - * Switching parent distribution for cairon to jessie. - * Adding support for LTS repos. - * Using relative mountpoints for data directories. - * Updating preseed files. - * Replacing /etc/mtab with a symlink to /proc/self/mounts. - * Refreshing manpages. - * Overwrite container config file when creating new containers. - * Adjusting lxc directory automatically in debconf handling. - - -- Daniel Baumann Tue, 22 Jul 2014 11:39:29 +0200 - -lxc (1.1.0~alpha1-2) unstable; urgency=low - - [ Daniel Baumann ] - * Adding pre-start hook to remove /run files within container. - - [ Nik Lutz ] - * Mount a tmpfs on containers /run and /dev/shm directories, newer - systemd (jessie/wheezy-backports) require these directories to be - mountpoints. - - [ Daniel Baumann ] - * Ordering mountpoints in systemd-container hook. - - [ Nik Lutz ] - * Moving execution of late-host-command from Configure_system() to - Copy_configuration() to be able to adjust the config file via late- - host-command. - - [ Daniel Baumann ] - * Trimming lxc.pts in lxc-debconfig. - * Allowing mac values to be set to none in lxc-debconfig in order to not - set any mac address in config. - - -- Daniel Baumann Fri, 18 Jul 2014 09:57:50 +0200 - -lxc (1.1.0~alpha1-1) unstable; urgency=low - - * Merging upstream version 1.1.0~alpha1. - * Refreshing lsb-init-functions.patch. - * Refreshing debian-config.patch. - - -- Daniel Baumann Tue, 08 Jul 2014 18:45:01 +0200 - -lxc (1.0.4-4) unstable; urgency=low - - * Also dropping dac_read_search cap by default. - * Running subscripts with nowarnings for debconf. - * Overwriting resolv.conf when updating intermedate system from cache - with host resolv.conf, solves issues where cache is outdated or - network environment changed (laptops), thanks to Habegger Andreas - . - - -- Daniel Baumann Mon, 30 Jun 2014 20:10:58 +0200 - -lxc (1.0.4-3) unstable; urgency=low - - * Updating fixes for upstreams systemd file (Closes: #751553). - - -- Daniel Baumann Sat, 14 Jun 2014 12:38:56 +0200 - -lxc (1.0.4-2) unstable; urgency=low - - [ Scott Kitterman ] - * Using dh-python3 and python3:Depends to generate correct python - depends (Closes: #748495). - - -- Daniel Baumann Fri, 13 Jun 2014 21:19:10 +0200 - -lxc (1.0.4-1) unstable; urgency=low - - * Adding note regarding warnings about memory.use_hierarchy in README - (Closes: #750029). - * Merging upstream version 1.0.4. - * Refreshing lxcinitdir.patch. - * Refreshing lxc-sysvinit.patch. - * Refreshing lsb-init-headers.patch. - * Refreshing lsb-init-functions.patch. - * Refreshing lsb-init-lock.patch. - - -- Daniel Baumann Fri, 13 Jun 2014 20:23:24 +0200 - -lxc (1.0.3-3) unstable; urgency=low - - * Checking for kernel architecture on i386 to support creating amd64 - systems on i386-systems-with-amd64-kernels as well (Closes: #750387). - * Adding initial Estonian debconf translations from Georg Kahest - (Closes: #750547). - * Disabling dbus, signal, and ptrace in the apparmor profiles until - Debian has a recent enough apparmor version (#746764), thanks to - Intrigeri (Closes: #750107). - * Simplifying default bind mounts in lxc-debconfig for shared storage - data. - * Updating lxcpath variable in lxc-stuff handling of /etc/lxc/lxc.conf - (Closes: #750385). - - -- Daniel Baumann Wed, 11 Jun 2014 16:27:27 +0200 - -lxc (1.0.3-2) unstable; urgency=low - - * Removing lxc-initscript, not needed anymore. - * Updating autostart handling in various tools to use lxc.start.auto. - * Building with graphviz (Closes: #749358). - - -- Daniel Baumann Sun, 01 Jun 2014 20:13:48 +0200 - -lxc (1.0.3-1) unstable; urgency=low - - * Merging upstream version 1.0.3. - * Refreshing lxc-sigint.patch. - * Manually passing systemd unit directory to install command since - upstream fails to do handle that properly. - * Updating lxc.install for /usr/sbin/init.lxc. - * Adding update-rc.d integration for sysvinit script. - * Adding remote_fs depends in irkerhook-lxc initscript. - * Adding dummy restart target in irkerhook-lxc initscript. - * Adding dummy force-reload target in irkerhook-lxc initscript. - * Correcting formating typo in copyright file. - * Adding lxc-stuff lintian overrides. - * Updating lxc lintian overrides. - * Adding patch to add missing shebang in lxc-patch.py. - * Updating preseed files for live-debconfig 4.0~alpha32-1. - * Don't mount fuse into the container, will fail if fuse isn't - installed. - * Correcting default mode in lxc-debconfig when being run on a plain - debian system. - * Updating manpage version and date headers. - * Dropping automatic enabling of selinux handling in lxc-debconfig - through live-debconfig. - * Also automatically preseed openssh-server/lxc-enable for live- - debconfig in lxc-debconfig. - - -- Daniel Baumann Tue, 06 May 2014 19:48:16 +0200 - -lxc (1.0.0-10) unstable; urgency=low - - * Removing conflicts to libvirt-bin (Closes: #745169). - - -- Daniel Baumann Mon, 28 Apr 2014 19:29:47 +0200 - -lxc (1.0.0-9) unstable; urgency=low - - * Adding conflicts to libvirt-bin which messes with cgroups (Closes: - #745169). - * Adding updates Spanish debconf translations from Camaleón - (Closes: #744854). - * Configuring systemd service manually since the upstream makefile fails - to do that (Closes: #745670). - - -- Daniel Baumann Sat, 26 Apr 2014 07:47:09 +0200 - -lxc (1.0.0-8) unstable; urgency=low - - * Building with libseccomp on amd64, armhf, and i386 only (Closes: - #744295). - - -- Daniel Baumann Sat, 12 Apr 2014 20:33:08 +0200 - -lxc (1.0.0-7) unstable; urgency=low - - * Marking lxc/containers debconf default value as non-translatable - (Closes: #743473). - * Setting language field in French debconf translation file (Closes: - #743471). - - -- Daniel Baumann Sat, 05 Apr 2014 11:29:49 +0200 - -lxc (1.0.0-6) unstable; urgency=low - - * Removing lxc-top until lua-alt-getopt is available. - - -- Daniel Baumann Wed, 02 Apr 2014 22:20:59 +0200 - -lxc (1.0.0-5) unstable; urgency=low - - * Building with dh --parallel. - - -- Daniel Baumann Mon, 31 Mar 2014 21:06:52 +0200 - -lxc (1.0.0-4) experimental; urgency=low - - * Only run irkerhook when irkerhook is actually installed, not just when - it's enabled only. - * Updating todo file. - * Adding patch from Stefan Siegel to make lxc- - attach ignore SIGINT (Closes: #740264). - - -- Daniel Baumann Sat, 01 Mar 2014 12:32:54 +0100 - -lxc (1.0.0-3) experimental; urgency=low - - * Adding initial Italian debconf translation from Gianluigi Tiesi - (Closes: #740217). - * Creating missing lock directory in upstreams sysvinit initscript - (Closes: #740216). - - -- Daniel Baumann Thu, 27 Feb 2014 12:09:38 +0100 - -lxc (1.0.0-2) experimental; urgency=low - - * Correcting upstreams wrong lsb headers in sysvinit initscript (Closes: - #740065). - * Correcting upstreams wrong lsb functions in sysvinit initscript - (Closes: #740066). - - -- Daniel Baumann Tue, 25 Feb 2014 19:16:02 +0100 - -lxc (1.0.0-1) experimental; urgency=low - - * Merging upstream version 1.0.0. - * Lowering lxc-stuff recommends to suggests. - * Installing lxc-debconfig as lxc-debian in lxc-stuff only on progress- - linux. - * Dropping lxc bash-completion, upstream has stolen^Wtaken without - credit to its original author, Gaé Lucas , the - debian version and improved it a bit (*sigh*). - * Dropping initscript in lxc-stuff now that upstream has one too. - * Including new systemd files in lxc. - * Refreshing lxcinitdir.patch. - * Adding build-depends to doxygen. - * Including apidoc in lxc-dev. - * Updating todo file. - * Correcting wrong default directory for sysvinit scripts. - * Still uploading to experimental since it's completely untested yet, - but soon starting migration to unstable (Closes: #739782). - - -- Daniel Baumann Mon, 24 Feb 2014 16:17:41 +0100 - -lxc (1.0.0~beta1-6) experimental; urgency=low - - * Choosing default template based on host distribution for lxc-create - when using lxc wrapper. - * Correcting creation of mount entry directories. - * Correcting recommends handling. - - -- Daniel Baumann Mon, 24 Feb 2014 07:39:45 +0100 - -lxc (1.0.0~beta1-5) experimental; urgency=low - - * Adding support for multiple channels in irkerhook-lxc. - - -- Daniel Baumann Sun, 19 Jan 2014 08:42:08 +0100 - -lxc (1.0.0~beta1-4) experimental; urgency=low - - * Starting irkerhook-lxc initscript before lxc. - * Using fancy color for some actions in irc notification. - * Building without log-path set to /var/log/lxc, it would need to have - all subdirectories for the containers created. - * Using lxc wrapper for starting containers in lxc-initscript as well. - * Relaxing depends of irkerhook-lxc initscript on installed irker. - - -- Daniel Baumann Sat, 18 Jan 2014 10:02:17 +0100 - -lxc (1.0.0~beta1-3) experimental; urgency=low - - * Correcting lxc-create handling in lxc convenience wrapper. - * Setting global log-path to /var/log/lxc. - * Adding irkerhook-lxc initscript. - * Don't start initscripts on package installation. - - -- Daniel Baumann Sat, 18 Jan 2014 08:42:33 +0100 - -lxc (1.0.0~beta1-2) experimental; urgency=low - - * Adding irker integration with lxc wrapper. - - -- Daniel Baumann Fri, 17 Jan 2014 17:14:26 +0100 - -lxc (1.0.0~beta1-1) experimental; urgency=low - - * Merging upstream version 1.0.0~beta1. - * Refreshing lxcinitdir.patch. - * Updating copyright notices for 2014. - * Updating upstream mailinglist reference in copyright file. - * Using /srv/lxc/containers instead of /var/lib/lxc as default value. - * Dropping lxc/auto debconf handling in lxc-stuff, if the lxc initscript - should not be used, it's better to disable it rather than to run it as - noop. - * Removing internal lxc-debconfig-with-live-debconfig option. - * Dropping /etc/default/lxc entirely, directly using upstreams - /etc/lxc/lxc.conf instead from now on. - * Moving /srv/share/ to /srv/lxc/data/. - - -- Daniel Baumann Thu, 16 Jan 2014 17:20:14 +0100 - -lxc (1.0.0~alpha3-5) experimental; urgency=low - - * Moving python3 depends to recommends. - * Adding lua5.2 to recommends (Closes: #731774). - * Updating stop command in lxc-initscript (Closes: #731667). - - -- Daniel Baumann Mon, 09 Dec 2013 19:05:06 +0100 - -lxc (1.0.0~alpha3-4) experimental; urgency=low - - * Excluding shell scripts in /etc/lxc/debconfig from debconf prompt with - list of presed files as well. - - -- Daniel Baumann Thu, 05 Dec 2013 19:25:49 +0100 - -lxc (1.0.0~alpha3-3) experimental; urgency=low - - * Updating list of special cases in lxc convenience wrapper. - * Updating generic preseed examples for live-debconfig 4.0~alpha31. - * Updating distribution specific preseed examples for live-debconfig - 4.0~alpha31. - * Updating cairon codename for progress-linux. - - -- Daniel Baumann Thu, 05 Dec 2013 14:05:53 +0100 - -lxc (1.0.0~alpha3-2) experimental; urgency=low - - * Building with disabled rpath. - * Building with explicitly enabled apparmor. - * Building with enabled python. - * Building with enabled selinux. - * Building with enabled tests. - * Including lxc-ubuntu again, it apparently was un-broken again as of - 1.0.0~alpha3. - * Using dedicated directory for temporary rootfs mounts. - * Dropping superfluous libdir and libexecdir switches in configure call. - * Adding patch to correct wrong default directory for lxc-init. - * Sorting configure switches. - * Building with enabled seccomp. - * Building with enabled lua. - * Dropping libcap2-bin from suggests, not usefull anymore. - * Adding shlibs:Depends to lxc-dev. - * Updating todo file. - - -- Daniel Baumann Wed, 27 Nov 2013 10:01:19 +0100 - -lxc (1.0.0~alpha3-1) experimental; urgency=low - - * Merging upstream version 1.0.0~alpha3. - * Dropping ftbfs-sparc.patch, merged upstream. - * Updating preseed-file for live-debconfig 4.0~alpha30-1. - * Updating todo file. - - -- Daniel Baumann Thu, 21 Nov 2013 08:39:56 +0100 - -lxc (1.0.0~alpha2-6) experimental; urgency=low - - * Also dropping permissions on /var/cache/lxc for consistency - (eventhough there's only the minimal bootstrap in there). - - -- Daniel Baumann Wed, 06 Nov 2013 13:42:45 +0100 - -lxc (1.0.0~alpha2-5) experimental; urgency=low - - * Shortening versioned breaks of lxc-stuff against lxc. - * Adding rsync to lxc recommends, lxc-clone uses it (Closes: #728860). - * Setting lxc directory permissions to 0700 to avoid unprivileged users - on the system to abuse setuid binaries in the container rootfs'es. - * Using dpkg-statoverride to allow local overrides of (otherwise) - enforced restricted access permissions to /etc/lxc, /var/lib/lxc, and - /var/log/lxc. - - -- Daniel Baumann Wed, 06 Nov 2013 13:11:09 +0100 - -lxc (1.0.0~alpha2-4) experimental; urgency=low - - * Updatin lxc-stuff dehelper install file with proper paths (Closes: - #728435). - - -- Daniel Baumann Sun, 03 Nov 2013 14:16:28 +0100 - -lxc (1.0.0~alpha2-3) experimental; urgency=low - - * Running second pass of live-debconfig with debconf frontend - noninteractive and priority critical (Closes: #727705). - * Updating to standards version 3.9.5. - * Disabling /dev/kmsg in default container config. - * Dropping left-over progress-linux apt preconfiguration. - * Dropping lxc-halt since all 'new' containers can be shutdown by sigpwr - by default for quite a while already. - * Renaming lxc-all to lxc-initscript. - * Making lxc support 'all' as argument in order to run commands on all - available containers. - * Updating manpages. - * Updating wrapping of default config files. - * Allowing to have architecture set to auto in order to have - architecture-neutral preseed files. - * Unmounting any stray bind mounts on failed container creation. - * Excluding directories and includes in /etc/lxc/debconfig from - automatic selection dialog. - * Moving lxc-stuff docs to local directory within sources tree. - * Moving lxc-stuff initscript to local directory within sources tree. - * Updating todo file. - - -- Daniel Baumann Tue, 29 Oct 2013 15:41:44 +0100 - -lxc (1.0.0~alpha2-2) experimental; urgency=low - - * Moving local additions to separate binary package lxc-stuff. - - -- Daniel Baumann Wed, 23 Oct 2013 20:39:37 +0200 - -lxc (1.0.0~alpha2-1) experimental; urgency=low - - * Merging upstream version 1.0.0~alpha2. - * Dropping ptsmode.patch, included upstream. - * Updating homepage field. - * Updating copyright file. - * Removing currently broken ubuntu template (Closes: #727244). - * Removing set -e from rules for shell commands, not needed anymore. - - -- Daniel Baumann Wed, 23 Oct 2013 20:26:32 +0200 - -lxc (1.0.0~alpha1-2) experimental; urgency=low - - * Adding now required --rootfs handling to lxc-debconfig template. - * Keeping local lxc-list for the time being. - - -- Daniel Baumann Tue, 17 Sep 2013 15:59:32 +0200 - -lxc (1.0.0~alpha1-1) experimental; urgency=low - - * Merging upstream version 1.0.0~alpha1. - * Building with autoreconf again. - * Removing lxc-configuration-path.patch, not needed anymore. - * Removing lxc-debconfig.patch, not needed anymore. - * Removing lxc-destroy-symlinks.patch, not needed anymore. - * Removing lxc-clone-mac.patch, not needed anymore. - * Removing lxc-init-path.patch, not needed anymore. - * Removing lxc-quote-arguments.patch, not needed anymore. - * Removing lxc-unshare-manpage.patch. not needed anymore. - * Removing lxc-path.patch, not needed anymore. - * Rediffing ftbfs-sparc.patch. - * Rediffing ptsmode.patch. - * Renumbering patches. - * Removing removal of removed templates in rules. - * Reincluding lxc-busybox template. - * Keeping local lxc-list for now, but not as the default lxc-list. - * Sourcing init-functions in initscript. - - -- Daniel Baumann Tue, 17 Sep 2013 14:40:47 +0200 - -lxc (0.9.0-21) experimental; urgency=low - - * Updating lxc-backup/lxc-restore. - * Changing preseed hiearchy to more suitable includes-before-including - for one-level of includes only. - * Removing cgroup-bin conflict, again (Closes: #723130). - * Correcting variable spelling typo when writing preseeded apt - preferences for pinning packages. - * Temporarily building without autoreconf since newer automake fails on - sub-directories quite unelegantly. - - -- Daniel Baumann Tue, 17 Sep 2013 13:12:17 +0200 - -lxc (0.9.0-20) experimental; urgency=low - - * Allowing comma seperated list for multiple includes as well as - whitespace seperated lists. - * Clarifing comment about reading-in preseed files. - * Explicitly setting list of enabled component for live-debconfig in - includable example preseeds for progress-linux to include all used - components rather than minimal default only. - * Completing support for multiple preseed files for the first (non- - chrooted) part of lxc-debconfig, one level of recursion only for now. - * Adding support for multiple preseed files for the second (chrooted) - part of lxc-debconfig. - * Showing error message if updating the cache has failed with note about - removing the cache. - * Adding note about hierarchy of preseed files in readme file. - * Moving preseed examples to subdirectory within - /usr/share/doc/lxc/examples. - * Renaming lxc-debconfig preseed file to proper name for use in example - directory. - * Adding comments in rules for removed upstream stuff. - * Updating example preseed files for live-debconfig 4.0~a27-1. - * Updating todo file. - - -- Daniel Baumann Tue, 03 Sep 2013 13:36:36 +0200 - -lxc (0.9.0-19) experimental; urgency=low - - * Adding preseding support for pinning of local repositories. - * Adding support for multiple includable preseed files within one - preseed field, to simple toplevel preseed files rather than requireing - to use includes in chains. - * Changing order of include files, included preseed files overwrite the - including preseed file which is the intuitive order. - * Removing superfluous colon in progress-linux specific apt preferences. - * Moving out logic from initscript to dedicated lxc-all script in - preparation for systemd support. - - -- Daniel Baumann Wed, 21 Aug 2013 12:31:42 +0200 - -lxc (0.9.0-18) experimental; urgency=low - - * Adding patch from James Cook to weaken mode on - pts for compliance with eglibc 2.18 within containers (Closes: - #720122). - The origin of the patch referenced in the bts implies that this allows - unprivileged users access to the ttys, should that be the case, an - unprivileged user can access the host systems terminal (read-write), - thus needs further testing before moving this to unstable. - - -- Daniel Baumann Tue, 20 Aug 2013 10:12:46 +0200 - -lxc (0.9.0-17) experimental; urgency=low - - * Updating vcs fields. - * Updating swapaccount parameter in readme for linux 3, thanks to Michal - Hocko (Closes: #719774). - - -- Daniel Baumann Sat, 17 Aug 2013 15:49:51 +0200 - -lxc (0.9.0-16) experimental; urgency=low - - * Correcting template location. - - -- Daniel Baumann Wed, 31 Jul 2013 16:26:51 +0200 - -lxc (0.9.0-15) experimental; urgency=low - - * Updating example preseed file. - * Adding sample includeable preseed files for progress-linux. - * Moving templates to local subdirectory within packaging. - - -- Daniel Baumann Wed, 31 Jul 2013 16:01:47 +0200 - -lxc (0.9.0-14) experimental; urgency=low - - * Adding temporary workaround to run chrooted commands in lxc-debconfig - with 'set -e' until the whole template can be run with 'set -e' - (Closes: #717717). - * Adding support of includable preseed files within lxc-debconfig. - - -- Daniel Baumann Mon, 29 Jul 2013 11:50:22 +0200 - -lxc (0.9.0-13) experimental; urgency=low - - * Adding vcs fields. - * Wrapping control fields. - * Avoid including internal preseed.sh script (Closes: #717714). - - -- Daniel Baumann Wed, 24 Jul 2013 08:27:38 +0200 - -lxc (0.9.0-12) experimental; urgency=low - - * Including wget in minimal bootstrap set in order to be able to - bootstrap archive-keys trust paths. - * Adding three suggestions to improve German debconf translations from - Helge Kreutzmann (Closes: #715475). - - -- Daniel Baumann Fri, 12 Jul 2013 15:42:10 +0200 - -lxc (0.9.0-11) experimental; urgency=low - - * Reverting dropping of sys_boot capability, otherwise sysvinit will not - terminate in some cases on shutdown. - - -- Daniel Baumann Tue, 25 Jun 2013 12:19:51 +0200 - -lxc (0.9.0-10) experimental; urgency=low - - * Sorting debhelper build-with list in rules. - * Updating lxc-debconfig for live-debconfig 4.0~a25. - - -- Daniel Baumann Tue, 25 Jun 2013 11:47:22 +0200 - -lxc (0.9.0-9) experimental; urgency=low - - * Updating for lxc-debconfig for live-debconfig 4.0~a24-1. - * Adding missing build-depends to pkg-config. - - -- Daniel Baumann Wed, 05 Jun 2013 10:58:01 +0200 - -lxc (0.9.0-8) experimental; urgency=low - - * Using dh-autoreconf (Closes: #706443). - - -- Daniel Baumann Tue, 04 Jun 2013 18:42:33 +0200 - -lxc (0.9.0-7) experimental; urgency=low - - * Updating versioning scheme references to match new scheme since - wheezy. - * Shortening archive names. - - -- Daniel Baumann Fri, 31 May 2013 13:47:13 +0200 - -lxc (0.9.0-6) experimental; urgency=low - - * Adding patch from Thomas Nemeth to fix - FTBFS on sparc (Closes: #709454). - - -- Daniel Baumann Wed, 29 May 2013 07:37:32 +0200 - -lxc (0.9.0-5) experimental; urgency=low - - [ Daniel Baumann ] - * Completing temporary hacks for derivatives wrt/ replacing packages of - priority essential. - - [ Nik Lutz ] - * Replacing container tmpfs with cgroup in systemd-container hook to not - waste memory. - - [ Daniel Baumann ] - * Setting lxc.autodev depending on initsystem automatically to the - correct value explicitly in container config files. - * Running live-debconfig after packages have been installed in lxc- - debconfig again. - * Applying parts from a patch from Jeremiah C. Foster - to improve wording in readme (Closes: - #709280). - * De-emphasign note about bridges in readme. - * Correcting typo in lxc-halt. - * Correcting multi-default files read-in in init file, thanks to Harald - Dunkel . - * Applying slightly modified patch from Harald Dunkel - to add support for lxc-path in local debian - additions (Closes: #706379). - * Adding slightly modified patch from Harald Dunkel - to add support for lxc-path in upstream - commands. - * Enabling configpath log. - * Cosmetically restrict access to /dev/rtc a bit more in the default lxc - config. - * Adding sample device configs for /dev/full, /dev/hpet, and /dev/kvm in - default container configs. - * Dropping note about now obsoleted lxc-setcap in readme. - * Autogenerating preseed example file from debconf files. - - -- Daniel Baumann Tue, 28 May 2013 14:50:34 +0200 - -lxc (0.9.0-4) experimental; urgency=low - - [ Nik Lutz ] - * Correcting typo in path when writing hooks for systemd in container - configs. - - [ Daniel Baumann ] - * Correcting wrong toolname in lxc-unshare manpage (Closes: #705709). - - -- Daniel Baumann Fri, 19 Apr 2013 15:58:57 +0200 - -lxc (0.9.0-3) experimental; urgency=low - - [ Daniel Baumann ] - * Quoting arguments from templates properly in lxc-create, thanks to - Denys Gavrysh (Closes: #705458). - - [ Nik Lutz ] - * Disabling sysfs mount config for containers with systemd. - * Adding hooks for systemd support. - * Enabling hooks for containers with init-system systemd. - - -- Daniel Baumann Mon, 15 Apr 2013 15:39:30 +0200 - -lxc (0.9.0-2) experimental; urgency=low - - [ Daniel Baumann ] - * Updating todo file. - * Also importing base-release keys for progress-linux. - - [ Nik Lutz ] - * Do not write empty lxc.mount entries for sys and proc-fs if debconf - value is 'none'. - - -- Daniel Baumann Sun, 14 Apr 2013 11:27:15 +0200 - -lxc (0.9.0-1) experimental; urgency=low - - * Merging upstream version 0.9.0. - * Removing lxc-create-template.patch, not needed anymore. - * Updating archive-key signature validiation to look by default at both - debian and debian-maintainers keyrings. - - -- Daniel Baumann Thu, 11 Apr 2013 13:48:30 +0200 - -lxc (0.9.0~rc1-5) experimental; urgency=low - - * Enabling backports by default for any release except jessie and sid. - * Updating handling of debian-backports differently for wheezy and newer - releases. - * Making proc and sysfs mount entries preseedable in lxc-debconfig to - support custom options. - * Correcting automatic directory creation for mount entries, thanks to - Niels Boehm (Closes: #704814). - - -- Daniel Baumann Sat, 06 Apr 2013 10:51:13 +0200 - -lxc (0.9.0~rc1-4) experimental; urgency=low - - * Dropping ubuntu mode in lxc-debconfig, ubuntu support seems not worth - to pursue (Closes: #704563). - - -- Daniel Baumann Wed, 03 Apr 2013 12:56:59 +0200 - -lxc (0.9.0~rc1-3) experimental; urgency=low - - * Correcting same typo in lxc-backup, lxc-halt, and lxc-restore too. - - -- Daniel Baumann Sun, 31 Mar 2013 22:01:26 +0200 - -lxc (0.9.0~rc1-2) experimental; urgency=low - - * Correcting typo in lxc-ls. - - -- Daniel Baumann Tue, 26 Mar 2013 19:31:54 +0100 - -lxc (0.9.0~rc1-1) experimental; urgency=low - - * Merging upstream version 0.9.0~rc1. - * Using lxc.functions in local lxc tools. - * Updating version numbers in example preseed files. - * Refreshing local manpages. - * Updating progress-linux archive references. - * Updating todo file. - - -- Daniel Baumann Fri, 22 Mar 2013 13:26:17 +0100 - -lxc (0.9.0~alpha3-2) unstable; urgency=low - - * Removing all references to my old email address. - - -- Daniel Baumann Sun, 10 Mar 2013 20:58:58 +0100 - -lxc (0.9.0~alpha3-1) unstable; urgency=low - - * Updating handling of mount entries to work to do the right thing when - files are being tried to be bind-mounted instead of directories. - * Merging upstream version 0.9.0~alpha3. - * Adding --with-distro=debian when calling configure. - * Extending manual hack to workaround broken preseeding in tzdata - (Closes: #701800). - * Dropping bash.patch, not required anymore. - * Adding patch for lxc-create to not try to execute directories as - templates should the user have such a situation and specify it - (wrongly) (Closes: #701689). - * Rediffing lxc-clone-mac.patch. - * Currently hardcoding lxc directory. - * Defaulting to sysvinit for the time being on progress-linux. - * Updating todo file. - - -- Daniel Baumann Wed, 27 Feb 2013 14:04:06 +0100 - -lxc (0.9.0~alpha2-10) unstable; urgency=low - - * Adding support for systemd in lxc-debconfig. - - -- Daniel Baumann Sat, 09 Feb 2013 07:55:46 +0100 - -lxc (0.9.0~alpha2-9) unstable; urgency=low - - * Dropping audit_control, audit_write, linux_immutable, setpcap, - sys_pacct, sys_rawio, and sys_time capabilities by default too. - - -- Daniel Baumann Thu, 07 Feb 2013 14:33:35 +0100 - -lxc (0.9.0~alpha2-8) unstable; urgency=low - - * Added commented set -e in lxc-debconfig as reminder to support that at - some point. - * Setting umask to 0022 by default within lxc-debconfig, thanks to Ivan - Vilata i Balaguer (Closes: #699816). - * Dropping sys_boot capability by default too. - * Still adding commented entries about capabilties to be dropped in lxc - config for reference purpose even when no capability is actualy - dropped. - * Updating manpage date and version numbers. - - -- Daniel Baumann Thu, 07 Feb 2013 13:14:35 +0100 - -lxc (0.9.0~alpha2-7) unstable; urgency=low - - * Updating example preseeding files for live-debconfig 4.0~a17-1. - * Using variable for sysfs mount options for consistency. - * Creating mountpoint for automatically detected shared directories. - * Also removing archive-key signatures after importing them. - * Setting bash shebang until we'll get a fixed lxc-checkconfig for dash - in the next upstream release (Closes: #698956). - * Using 4 digit prefixes for patches. - * Tightening diff headers in patches. - * Adding dpkg-source local-options. - * Executing late-command and late-host-command indirectly to preserve - amps and other things. - * Updating todo file. - - -- Daniel Baumann Thu, 31 Jan 2013 09:08:47 +0100 - -lxc (0.9.0~alpha2-6) unstable; urgency=low - - * Mounting /proc within container read-only by default. - * Correcting dist typo for chairon. - * Updating filenames for archive key names for progress-linux. - * Checking signatures on progress-linux archive keys on import against - debian-keyring, if available. - * Improve usability of initial preseed file selection dialog in lxc- - debconfig. - - -- Daniel Baumann Sat, 26 Jan 2013 22:45:02 +0100 - -lxc (0.9.0~alpha2-5) unstable; urgency=low - - * Updating standards to version 3.9.4. - * Dropping dpkg-source compression levels. - * Dropping bash.patch, not worth the hassle (Closes: #698730). - * Renumbering patches. - * Updating version in local files. - - -- Daniel Baumann Thu, 24 Jan 2013 19:59:16 +0100 - -lxc (0.9.0~alpha2-4) unstable; urgency=low - - * Updating example preseeding file for lxc-debconfig. - * Don't show root password dialog when crypted root password via live- - debconfig has been preseeded. - * Enforcing keeping of old configuration files on dpkg when installing - packages after live-debconfig and using noninteractive debconf - frontend. - * Before reworking the initial preseed file selection, let's improve the - wording a bit for those that do not want to use a preseed file at all. - - -- Daniel Baumann Sat, 19 Jan 2013 07:59:45 +0100 - -lxc (0.9.0~alpha2-3) unstable; urgency=low - - * Correcting spelling typo when getting lxc-debconfig/lxc-debconfig- - with-live-debconfig from debconf. - * Correcting debconf field name for live-debconfig root passwd. - * Updating live-debconfig version number in lxc-debconfig example - preseed files. - * Undoing special handling for live-debconfig script names for live- - debconfig 4.0~a15-1. - - -- Daniel Baumann Fri, 18 Jan 2013 20:50:19 +0100 - -lxc (0.9.0~alpha2-2) unstable; urgency=low - - * Updating bash.patch (Closes: #696921). - * Correcting mirror typo in preseed example files. - * Adding suggests to live-config-doc. - * Introducing LXC_DEBCONFIG_WITH_LIVE_DEBCONFIG variable in - /etc/default/lxc in order to allow the local admin to not use live- - debconfig to configure the chroot but do whatever he wants to do - instead (be it manually configuring it, or running late-commands via - lxc-debconf). - * Adding support for /etc/default/lxc.d/* files which overwrite - definitions in /etc/default/lxc if used. - * Automatically shortening veth names exceeding 15 characters to match - limitations in linux for the interface name lenghts. - * Updating bash patch to set shell to /bin/bash in lxc-checkconfig. - * Disallowing access to /dev/fuse in the default config, but keep it - commented in the config file so the local admin can enable it easily. - * Adding commented entries in config for loop device nodes. - * Adding patch to correct path to lxc-init in the sshd template (Closes: - #697267). - * Correcting harmless typo in bash patch regarding if statements in lxc- - destroy. - * Adding comment about the problem of running live-debconfig before - packages have been installed. - * Temporarily don't enable backports on wheezy by default as the debian- - backports repositores for wheezy are not available yet. - * Correcting spelling typo in fieldname for live-debconfigs script - selection. - * Correcting wrong preseed value for live-debconfig scripts that need to - be dereferenced. - * Also support internal preseeding for lxc-debconfig-with-live- - debconfig, not just the global switch via /etc/default. - * Updating live-debconfig run command for version 4.0~a14-1. - * Updating copyright file for packaging files. - * Updating year in copyright notices for 2013. - - -- Daniel Baumann Fri, 18 Jan 2013 15:28:46 +0100 - -lxc (0.9.0~alpha2-1) unstable; urgency=low - - * Correcting wrong example in local lxc(1) manpage. - * Updating live-debconfig initialization for version 4.0~a11. - * Updating reference to future passwd support in live-debconfig within - lxc-debconfig. - * Renaming local archive preseed values for consistency with live-build. - * Updating some leftovers from eth to eth-ipv4 renaming (in preparation - for ipv6). - * Merging upstream version 0.9.0~alpha2. - * Dropping lxc-distclean.patch, solved upstream. - * Dropping lxc-checkconfig modifications in bash.patch, not worth the - constant hassle when new upstream releases appear. - * Dropping lxc-create modifications in bash.patch, merged upstream. - * Rediffing lxc-destroy modifications in bash.patch. - * Removing lxc-ls modifications from bash.patch, lxc-ls is python now. - * Rediffing lxc-netstat modifications in bash.patch. - * Rediffing lxc-ps modifications in bash.patch. - * Dropping lxc-setcap modifications in bash.patch, merged upstream. - * Dropping lxc-setuid modifications in bash.patch, merged upstream. - * Dropping lxc-version modifications in bash.patch, merged upstream. - * Rediffing lxc-debconfig.patch. - * Rediffing lxc-destroy-symlinks.patch. - * Rediffing lxc-clone-mac.patch. - * Removing lxc-kmsg.patch, included upstream. - * Renumbering patches. - * Updating docbook build-depends for new upstream. - * Updating date and version headers in local manpages. - * Updating example preseed files for pretty-much final preseed layout - for jessie (additions only, no renames). - * Prefering local preseeding of live-debconfig over the automatic one - from lxc-debconfig. - * Changing live-debconfig invokation to also work with locally preseeded - live-debconfig script multiselect. - * Simplifying live-debconfig preseeding initialization by using live- - debconfig-set-selections. - * Adding note about late reconfiguring all packages of priority - essential. - * Using live-debconfigs passwd script for user creation rather than too - limited user-setup from debian-installer. - - -- Daniel Baumann Sun, 23 Dec 2012 10:31:55 +0100 - -lxc (0.8.0-5) unstable; urgency=low - - * Updating live-debconfig initialization for version 4.0~a10. - - -- Daniel Baumann Thu, 06 Dec 2012 21:22:59 +0100 - -lxc (0.8.0-4) unstable; urgency=low - - * Updating initscript to handle variables in its internal lxc loop - function (Closes: #695098). - - -- Daniel Baumann Wed, 05 Dec 2012 13:06:41 +0100 - -lxc (0.8.0-3) unstable; urgency=low - - * Using tar to copy bootstrapped systems to target, thanks to Marc - Fournier (Closes: #683837, #687767). - * Temporarily keeping lxc-ps as a bash script (Closes: #694448). - - -- Daniel Baumann Wed, 28 Nov 2012 12:09:02 +0100 - -lxc (0.8.0-2) unstable; urgency=low - - * Adding patch to use debian essential stuff rather than openssl to - generate random mac address in lxc-clone. - * Adding rsync to suggests (Closes: #693932). - * Adding Brazilian Portugese debconf translations from Adriano Rafael - Gomes (Closes: #693381). - * Adding patch from Serge Hallyn to not fail - on failure to link kmsg (Closes: #694472). - * Using lxc-shutdown in initscript rather than lxc-halt (Closes: - #694337). - * Using flock without -n in lxc-debconfig. - * Updating todo file. - * Replacing lxc-ubuntu with lxc-debconfig. - - -- Daniel Baumann Mon, 26 Nov 2012 21:43:10 +0100 - -lxc (0.8.0-1) unstable; urgency=low - - * Correcting email address in previous changelog entry. - * Merging upstream version 0.8.0. - * Building with apparmor support. - * Removing lxc-directories.patch, merged upstream. - * Rediffing lxc-configuration-path.patch. - * Removing lxc-create-template-name.patch, merged upstream. - * Removing doc-ip-address.patch, merged upstream. - * Rediffing and updating bash.patch. - * Removing lxc-netstat.patch, merged upstream. - * Rediffing lxc-debconfig.patch. - * Removing lxc-create-trap-name.patch, merged upstream. - * Removing lxc-clone-trap-name.patch, merged upstream. - * Removing lxc-console-escape.patch, merged upstream. - * Removing lxc-create-rootfs.patch, merged upstream. - * Removing lxc-setcap-paths.patch, not needed anymore after merging - lxc-directories.patch. - * Renumbering patches. - * Rebuilding manpages. - * Dropping conditional multiarch support, not needed anymore for - jessie and wheezy backports. - * Renaming progress mode to progress-linux to match the used naming - scheme. - * Dropping lxc-shutdown alternative for lxc-halt and lxc-stop as - upstream added an own lxc-shutdown command. - - -- Daniel Baumann Mon, 12 Nov 2012 14:19:43 +0100 - -lxc (0.8.0~rc1-14) unstable; urgency=low - - * Removing suggests on lxctl. - * Updating todo file. - * Adding note about live-debconf requirement when building legacy - distributions. - * Adding note about veth not removed on container stop in readme. - * Disabling access to network devices in lxc config when no network is - configured throuhg lxc-debconfig. - * Running live-debconfig with the same debconf frontend and priorities - as the rest of the template, respecting any preseeds. - * Updating debconf variableswithin chrooted setups. - * Adding /usr/share/lxc/includes for including random content after - container creation. - - -- Daniel Baumann Wed, 31 Oct 2012 15:31:16 +0100 - -lxc (0.8.0~rc1-13) unstable; urgency=low - - * Suggesting a random MAC by default in lxc-debconfig. - * Renaming leftover internal variables from lxc-debconf to lxc- - debconfig in lxc-debconfig for consistency. - * Using 4 digits as script prefix rather than two for consistency. - - -- Daniel Baumann Thu, 30 Aug 2012 17:37:03 +0200 - -lxc (0.8.0~rc1-12) unstable; urgency=low - - * Correcting email addres in previous changelog entry. - * Using http.debian.net for debian and debian-backports mirrors in - lxc-debconfig for debian mode. - * Sourcing /etc/lxc/default for lxc directory in lxc-backup and lxc- - restore, if available. - * Reworking lxc convenience wrapper to work with the different lxc - programs that do or do not require container arguments. - * Updating todo file. - * Adding support for jessie in lxc-debconfig. - * Completing support for baureo and baureo-backports in lxc-debconfig. - * Adding support for chairon and chairon-backports in lxc-debconfig. - * Setting debian default distribution to wheezy in lxc-debconfig. - * Setting progress default distribution to baureo in lxc-debconfig. - * Correcting debconf fieldnames for bridge and mac in lxc-debconfig - templates and examples. - * Importing the proper archive keys beyond artax for the respective - progress release in lxc-debconfig. - * Correcting initscript to not make noise about container configs in - /etc/lxc/auto without having an existing container for it. - - -- Daniel Baumann Thu, 30 Aug 2012 15:32:44 +0200 - -lxc (0.8.0~rc1-11) unstable; urgency=low - - * Avoid superfluous asking twice of debconf questions (Closes: - #685602). - * Renaming lxc-debconf to lxc-debconfig for consistency with live- - debconfig. - * Updating base-files hack for dpkg origins. - * Installing additional packages after live-debconfig in order to - provide an already preconfigured system for configuration packages - to act upon. - - -- Daniel Baumann Wed, 29 Aug 2012 12:57:33 +0200 - -lxc (0.8.0~rc1-10) unstable; urgency=low - - * Adding some lxc related boot parameters in readme (Closes: #683999). - * Correcting spelling typo in previous changelog entry. - * Adding note about lxc directory in readme. - * Sourcing /etc/default/lxc in lxc-ls (Closes: #684124). - * Listing attached consoles in lxc-list. - * Using printf in lxc-list to produce a table output. - * Adding updated Danish debconf translations from Joe Dalton - (Closes: #684572). - * Mounting /proc with hidepid=2 on progress by default. - * Also removing auto symlink when destroying containers. - * Protecting multiarch queries since install files are run with set - - e. - * Adding missing live-config preseedings in lxc-debconf (Closes: - #680469). - * Updating todo file. - - -- Daniel Baumann Wed, 22 Aug 2012 09:01:11 +0200 + * disable lxc-test-fuzzers - the test is failing to download external + artifacts + + -- Serge Hallyn Tue, 17 Jan 2023 21:44:40 -0600 + +lxc (1:5.0.1-0ubuntu4) lunar; urgency=medium + + * Fix meson build in debian/tests/exercise: specify the rest of the + required configuration parameters. + * d/p/test-usernic-fixes: + - drop the hunks dealing with cgroups. lxc uses the systemd api + to do that. + - ifconfig is not available, use ip + + -- Serge Hallyn Mon, 16 Jan 2023 21:32:01 -0600 + +lxc (1:5.0.1-0ubuntu3) lunar; urgency=medium + + * fix meson reconfiguration usage: the build/ directory doesn't exist + yet when tests/exercise runs, so use meson setup to create it. + + -- Serge Hallyn Sun, 15 Jan 2023 22:53:15 -0600 + +lxc (1:5.0.1-0ubuntu2) lunar; urgency=medium + + * Fix autopkg tests to use meson instead of autoconf + + -- Serge Hallyn Tue, 10 Jan 2023 16:21:26 -0600 + +lxc (1:5.0.1-0ubuntu1) lunar; urgency=medium + + * Update to lxc-5.0.1 (using the orig tarball from debian) + * d/p: add all patches up to current git master + * d/control: add libsystemd-dev and meson + * d/rules: follow guidance from daily packaging + * remove d/.git-dpm + * update paths in liblxc1.install and liblxc.lintian-overrides + + -- Serge Hallyn Wed, 16 Nov 2022 09:31:08 -0600 + +lxc (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3) kinetic; urgency=medium + + * d/p/ppc64el-gcc12-warning.patch: refine the patch to be less brittle in + case of upstream changes + + -- Simon Chopin Wed, 07 Sep 2022 10:19:55 +0200 + +lxc (1:5.0.0~git2209-g5a7b9ce67-0ubuntu2) kinetic; urgency=medium + + * d/p/lp1987625/*.patch: cherry-picked to fix FTBFS against glibc 2.36 + (LP: #1987625) + * d/p/ppc64el-gcc12-warning.patch: work around a false positive warning in + GCC 12 on ppc64el due to it defaulting to -O3 + + -- Simon Chopin Fri, 26 Aug 2022 11:18:18 +0200 + +lxc (1:5.0.0~git2209-g5a7b9ce67-0ubuntu1) jammy; urgency=medium + + * Pre-release snapshot of LXC 5.0 LTS (LP: #1967620) + - New configuration keys: + - lxc.cgroup.dir.monitor.pivot + - lxc.cgroup.dir.monitor + - lxc.cgroup.dir.container.inner + - lxc.cgroup.dir.container + - lxc.time.offset.boot + - lxc.time.offset.monotonic + - veth.n_rxqueues + - veth.n_txqueues + - veth.vlan.id + - veth.vlan.tagged.id + * Drop patches (now upstreamed): + - 0002-lxc-checkconfig-Fix-bashism.patch + - 0003-doc-Fix-reverse-allowlist-denylist.patch + * Update lintian overrides for current lintian version + * debian/control: Switch to debhelper-compat + + -- Stéphane Graber Tue, 05 Apr 2022 18:07:22 -0400 + +lxc (1:4.0.12-0ubuntu2) jammy; urgency=medium + + * No-change rebuild to update maintainer scripts, see LP: 1959054 + + -- Dave Jones Wed, 16 Feb 2022 17:06:54 +0000 + +lxc (1:4.0.12-0ubuntu1) jammy; urgency=medium + * Cherry-pick upstream bugfixes (stable-4.0): + - 0002-lxc-checkconfig-Fix-bashism.patch + - 0003-doc-Fix-reverse-allowlist-denylist.patch (LP: #1957934) + + * New upstream bugfix release (4.0.12): + (https://discuss.linuxcontainers.org/t/lxc-4-0-12-has-been-released/13288) + - Fixed CRIU restoration of containers with pre-created veth interfaces + - Fixed issue with kernels lacking SMT support + - Extended cgroup2 config options in lxc.mount.auto (cgroup2) + - lxc-download now relies on HTTPS for validation (avoids GPG issues) + + * New upstream bugfix release (4.0.11) + (LP: #1943441, LP: #1938771, LP: #1891903): + (https://discuss.linuxcontainers.org/t/lxc-4-0-11-has-been-released/12427) + - Core scheduling support (lxc.sched.core) + - riscv64 support in lxc.arch + - Significantly improved bash completion profile + - Greater use of the new VFS mount API (when supported by the kernel) + - Fix containers with empty network namespaces + - Handle kernels that lack TIOCGPTPEER + - Improve CPU bitmask/id handling (handle skipped CPU numbers) + - Reworked the tests to run offline + + * Bump to debhelper 12 (allows focal SRUs) + * Bump standards to 4.6.0.1 + * Add lintian overrides for incorrect bashism detection + * Remove bash completion install logic (now done upstream) + + -- Stéphane Graber Wed, 02 Feb 2022 20:48:39 -0500 + +lxc (1:4.0.10-0ubuntu5) impish; urgency=medium + + * d/t/exercise: Skip tests that are incompatible with cgroups v2 + (LP: #1943704) + + -- Lukas Märdian Fri, 17 Sep 2021 15:00:26 +0200 + +lxc (1:4.0.10-0ubuntu4) impish; urgency=medium + + * Cherry-pick upstream bugfixes (stable-4.0): + - 0002-cgroups-populate-hierarchy-for-device-cgroup.patch + - 0003-cgroups-remove-unneeded-variables-from-cgroup_tree_c.patch + - 0004-lxc_setup_ttys-Handle-existing-ttyN-file-without-und.patch + - 0005-bpf-bpf_devices_cgroup_supported-should-check-if-bpf.patch + - 0006-conf-use-new-mount-api-for-devpts-setup.patch + - 0007-terminal-ttyname_r-returns-an-error-number-on-failur.patch + - 0008-conf-ensure-devpts_fd-is-set-to-EBADF.patch + - 0009-Fix-typos.patch + - 0010-conf-surface-failures-to-setup-console.patch + - 0011-conf-set-source-property-for-devpts.patch + - 0012-conf-attach-devpts-mount-directly-when-new-mount-api.patch + - 0013-conf-s-lxc_setup_devpts_parent-lxc_recv_devpts_from_.patch + - 0014-conf-use-a-relative-path-in-symlinkat.patch + - 0015-conf-update-comment.patch + - 0016-conf-add-and-use-mount_beneath_fd.patch + - 0017-terminal-don-t-use-ttyname_r-for-native-terminal-all.patch + - 0018-conf-merge-devpts-setup-and-move-before-pivot-root.patch + - 0019-string_utils-cast-__s64-to-long-long-signed-int.patch + - 0020-terminal-split-out-lxc_devpts_terminal-helper.patch + - 0021-conf-move-lxc_create_ttys-before-pivot-root.patch + - 0022-conf-stash-pty_nr-in-struct-lxc_terminal.patch + - 0023-mount_utils-add-mount_fd.patch + - 0024-conf-use-mount_fd-helper-when-mounting-ttys.patch + - 0025-conf-use-mount_fd-in-lxc_setup_dev_console.patch + - 0026-conf-use-mount_fd-during-console-mounting.patch + - 0027-file_utils-add-open_at_same.patch + - 0028-conf-rework-console-setup.patch + - 0029-terminal-remove-unused-argument-from-lxc_devpts_term.patch + - 0030-start-allow-containers-to-use-a-native-console.patch + - 0031-conf-handle-kernels-without-TIOCGPTPEER.patch + - 0032-terminal-move-native-terminal-allocation-from-error-.patch + - 0033-terminal-fail-on-unknown-error-during-TIOCGPTPEER.patch + - 0034-mount_utils-introduce-mount_at.patch + - 0035-conf-fix-logging-in-lxc_idmapped_mounts_child.patch + - 0036-conf-refactor-lxc_recv_ttys_from_child.patch + - 0037-conf-log-failure-to-create-tty-mountpoint.patch + - 0038-conf-let-parse_vfs_attr-handle-legacy-mount-flags-as.patch + - 0039-mount_utils-make-some-mount-helpers-static-inline.patch + - 0040-conf-allow-mount-options-for-rootfs-when-using-new-m.patch + - 0041-tests-add-test-for-rootfs-mount-options.patch + - 0042-network-fix-container-with-empty-network-namespaces.patch + - 0043-lsm-apparmor-log-failure-to-write-AppArmor-profile.patch + - 0044-lsm-apparmor-use-cleanup-macro.patch + - 0045-doc-api-extensions-Grammar-fix.patch + + -- Stéphane Graber Mon, 09 Aug 2021 13:45:59 -0400 + +lxc (1:4.0.10-0ubuntu3) impish; urgency=medium + + * debian/rules: Fix setuid bit handling for lxc-user-nic + + -- Stéphane Graber Fri, 30 Jul 2021 14:52:48 -0400 + +lxc (1:4.0.10-0ubuntu2) impish; urgency=medium + + * debian/patches: Re-introduce default lxcbr0 configuration. + 0001-Ubuntu-default-lxcbr0-configuration.patch + + -- Stéphane Graber Thu, 29 Jul 2021 17:42:39 -0400 + +lxc (1:4.0.10-0ubuntu1) impish; urgency=medium + + * New upstream bugfix release (4.0.10): + - Fix issues with less common architectures + - Support for additional idmap mounts + - nft support in lxc-net + - Cleaner mount entries for sys:mixed + - Switched GPG server to keyserver.ubuntu.com + + * New upstream bugfix release (4.0.9): + - Fix incorrect personality setting when running 32bit containers on 64bit + + * New upstream bugfix release (4.0.8): + - Fix CGroup attach against older running containers + + * New upstream bugfix release (4.0.7): + - Testing improvements including fixes from oss-fuzz + - Rework of the attach codepath + - Cgroup handling rework + + * Drop all patches: + - Cherry-picks are all now included + - "Allocate new lxcbr0 subnet at startup time" is no longer needed + as LXC isn't pre-installed in Ubuntu images, so going with the + upstream init script simplifies maintenance. + + * Bump standards to 4.5.1 + - Tweak lintian overrides (renames, cleanups, ...) + - Drop --with systemd (built-in now) + - Update debian/watch regexp and version + + -- Stéphane Graber Wed, 28 Jul 2021 15:42:28 -0400 + +lxc (1:4.0.6-0ubuntu1) hirsute; urgency=medium + + * New upstream bugfix release (4.0.6): + - Improve handling for compatibility architectures for seccomp + - Harden seccomp notifier implementation + - Rework parsing of /proc//mountinfo to handle kernel regression + - Improve network device restoration + - Significantly cleanup and harden config file parsing + - Support new capabilities CAP_PERFORM, CAP_BPF, and CAP_CHECKPOINT_RESTORE + - Harden containers started without CAP_NET_ADMIN + * New upstream bugfix release (4.0.5): + - Support allocating PTS devices from within the container + - Harden more path/mount handling logics + - Rework LSM logic to limit initializer use + * Cherry-pick upstream fixes: + - 0002-commands-fix-check-for-seccomp-notify-support.patch + - 0003-configure-skip-libseccomp-tests-if-it-is-disabled.patch + - 0004-conf-fix-containers-retaining-CAP_NET_ADMIN.patch + - 0005-cgroups-fix-cgroup-mounting.patch + - 0006-lsm-remove-obsolute-comment-about-constructor.patch + - 0007-lxc_attach-include-rexec-conditionally.patch + - 0008-tree-wide-fix-some-header-inclusions.patch + - 0009-initutils-fix-missing-includes.patch + - 0010-configure-support-static-binaries.patch + - 0011-autotools-enable-static-builds-for-tools.patch + - 0012-autotools-enable-static-builds-for-commands.patch + - 0013-tree-wide-fix-compilation-with-Wstrict-prototypes-Wo.patch + - 0014-config-update-ax_pthread.m4.patch + - 0015-configure-add-AC_SYS_LARGEFILE-checking.patch + - 0016-autotools-update-build.patch + - 0017-file_utils-introduce-read_file_at.patch + - 0018-string_utils-add-must_make_path_relative.patch + - 0019-cgroups-coding-style-fixes.patch + - 0020-cgroups-rework-cg_unified_init.patch + - 0021-cgroups-detect-and-record-cgroup2-freezer-support.patch + - 0022-criu-handle-cgroup2-freezer.patch + - 0023-mkdir-p-proc-sys-on-container-startup.patch + - 0024-conf-fix-coding-style.patch + - 0025-conf-coding-style-fixes.patch + - 0026-conf-move-proc-and-sys-mountpoint-creation-int-lxc_m.patch + - 0027-attach-invert-child-parent-handling.patch + - 0028-attach-use-__do_free-cleanup-macro-for-cwd.patch + - 0029-attach-tweak-logging.patch + - 0030-attach-use-__do_close-for-labelfd.patch + - 0031-attach-coding-style-fixes.patch + - 0032-attach-use-free_disarm.patch + - 0033-attach-s-attach_child_main-do_attach-g.patch + - 0034-attach-mark-do_attach-as-__noreturn.patch + - 0035-attach-make-do_attach-void.patch + - 0036-attach-use-close_prot_errno_disarm.patch + - 0037-attach-add-some-DEBUG-logging-to-stdfd-dpulication.patch + - 0038-cgroups-fix-cgroup-mounting.patch + - 0039-utils-fix-mount_at.patch + - 0040-configure-fix-static-builds-with-clang-12-and-LTO.patch + - 0041-cgroups-bpf-fixes.patch + - 0042-croups-improve-__do_bpf_program_free.patch + - 0043-cgroups-coding-style-fixes.patch + - 0044-cgroups-don-t-initiliaze-NULL-log.patch + - 0045-cgroups-ensure-all-memory-is-zeroed.patch + - 0046-cgroups-use-zalloc.patch + - 0047-cgroups-tweak-cgroup-initialization.patch + - 0048-log-remove-pointless-inline.patch + - 0049-log-add-lxc_log_get_fd.patch + - 0050-seccomp-use-lxc_log_get_fd.patch + - 0051-log-rework-lxc_log_get_level.patch + - 0052-seccomp-use-lxc_log_get_level.patch + - 0053-cgroups-use-bpf-log-when-logging-at-trace-level.patch + - 0054-log-add-lxc_log_trace-helper.patch + - 0055-cgroups-use-PTR_TO_U64.patch + - 0056-cgroups-align-methods.patch + - 0057-utils-use-SYSTRACE-when-logging-stdio-permission-fix.patch + - 0058-attach-log-failues-to-dup2-with-SYSDEBUG.patch + - 0059-attach-fix-logging-for-stdfd-replacement.patch + - 0060-attach-fix-error-checking-for-dup2.patch + - 0061-cgroups-initialize-variable.patch + - 0062-commands_utils-don-t-leak-memory.patch + - 0063-conf-use-lxc_log_trace.patch + - 0064-confile_utils-use-lxc_log_trace.patch + - 0065-rexec-check-lseek-return-value.patch + + -- Stéphane Graber Thu, 11 Feb 2021 16:34:13 -0500 + +lxc (1:4.0.4-0ubuntu3) groovy; urgency=medium + + * Cherry-pick upstream bugfix: + - cgroups: fix armhf builds + + -- Stéphane Graber Tue, 25 Aug 2020 09:45:30 -0400 + +lxc (1:4.0.4-0ubuntu2) groovy; urgency=medium + + * Cherry-pick upstream bugfix: + - cgfsng: fix cgroup attach cgroup creation + + -- Stéphane Graber Fri, 21 Aug 2020 14:09:35 -0400 + +lxc (1:4.0.4-0ubuntu1) groovy; urgency=medium + + * New upstream bugfix release (4.0.4): + - Support for new Linux clone flags (clone into cgroup) + - Support for new Linux VFS system calls + - Internal symbols are now properly hidden from external consumers + * New upstream bugfix release (4.0.3): + - Improvement to cgroupv1/cgroupv2 handling + - Various improvements and tests for lxc-usernsexec + + -- Stéphane Graber Thu, 20 Aug 2020 18:07:53 -0400 + +lxc (1:4.0.2-0ubuntu1) focal; urgency=medium + + * New ypstream bugfix release (4.0.2): + - RISC-V 64bit support + - Better group handling in lxc-user-nic + - Seccomp syscall interception fix for newer kernels + - CGroup v1 limits are now automatically skipped on v2 systems + - Fix a variety of issues identified by the Coverity Scan service + + -- Stéphane Graber Thu, 16 Apr 2020 15:52:36 -0400 + +lxc (1:4.0.1-0ubuntu2) focal; urgency=medium + + * Cherry-pick upstream fixes: + - 0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch + - 0002-start-ensure-all-file-descriptors-are-closed-during-.patch + - 0003-syscall_numbers-handle-riscv.patch + - 0004-lxc_user_nic-simplify-group-retrieval.patch + - 0005-lxc_user_nic-continue-when-we-failed-to-find-a-group.patch + - 0006-cgroups-whitespace-fixes.patch + - 0007-seccomp-newer-kernels-require-the-buffer-to-be-zeroe.patch + + -- Stéphane Graber Wed, 08 Apr 2020 23:33:44 -0400 + +lxc (1:4.0.1-0ubuntu1) focal; urgency=medium + + * New upstream bugfix release (4.0.1): + - Tweak systemd ordering (start after remote-fs.target) + - Fix various issues around attach and cgroups + - Fix shutdown timeout not working on pidfd systems + - Fix cgroup issue on 4.9 kernel + - Fix write issues in /dev/stdout + * Fix upgrade ordering (LP: #1870483) + * Update lintian overrides: + - Drop epoch bump override (no longer detecting it) + - Add /usr/libexec override (LXC only uses /usr/lib) + + -- Stéphane Graber Mon, 06 Apr 2020 16:24:28 -0400 + +lxc (1:4.0.0-0ubuntu2) focal; urgency=medium + + * Cherry-pick upstream bugfixes: + - 0036-fix-non-root-user-cannot-write-dev-stdout.patch + - 0037-cgroups-fix-uninitialized-transient_len-warning.patch + - 0038-utils-rework-fix_stdio_permissions.patch + - 0039-utils-use-setres-u-g-id-in-lxc_switch_uid_gid.patch + - 0040-cgroups-fix-build-warning-on-GCC-7.patch + - 0041-lxccontainer-poll-takes-millisecond-not-seconds.patch + + -- Stéphane Graber Thu, 02 Apr 2020 12:25:20 -0400 + +lxc (1:4.0.0-0ubuntu1) focal; urgency=medium + + * Bump epoch to match Debian. (LP: #1837537) + * New upstream release (4.0.0): + - Fixes (LP: #1867535, LP: #1861880, LP: #1858799, LP: #1831258) + - cgroups: Full cgroup2 support + - cgroups: Freezer support in CGroup2 + - cgroups: eBPF device controller support in CGroup2 + - config: Add lxc.autodev.tmpfs.size configuration key + - config: Add lxc.selinux.context.keyring key + - config: Add lxc.keyring.session + - file utils: Add fopen_cached() and fdopen_cached + - api: Add new init_pidfd() member + - memory utils: Add new cleanup api + - lxc-usernsexec: Make it easy to map own uid + - seccomp: Add s390 support + - syscalls: Improve manual syscall implementations + - network: Improved network device creation and removal + - network: Allow moving wireless devices + * Cherry-pick upstream bugfixes: + - 0002-lxc_init-move-main-down.patch + - 0003-lxc_init-add-missing-O_CLOEXEC.patch + - 0004-lxc.service-Starts-after-remote-fs.target-to-allow-c.patch + - 0005-tree-wide-harden-mount-option-parsing.patch + - 0006-dir-use-cleanup-macro-in-dir_mount.patch + - 0007-dir-improve-dir-backend.patch + - 0008-cgroups-fix-attaching-to-the-unified-cgroup.patch + - 0009-conf-rework-and-fix-leak-in-userns_exec_1.patch + - 0010-commands-log-actual-errno-when-lxc_cmd_get_cgroup2_f.patch + - 0011-cgroups-move-pointer-dereference-after-check.patch + - 0012-cgroups-rework-__cg_unified_attach.patch + - 0013-attach-use-close_prot_errno_disarm.patch + - 0014-cgroups-remove-unused-variable.patch + - 0015-cgroups-fix-unified-cgroup-attach.patch + - 0016-fixup-i-o-handler-return-values.patch + - 0017-Revert-cgroups-fix-unified-cgroup-attach.patch + - 0018-conf-introduce-and-use-userns_exec_minimal.patch + - 0019-conf-simplify-userns_exec_minimal.patch + - 0020-cgroups-use-hidden-directory-for-attaching-cgroup.patch + - 0021-cgroups-please-compilers.patch + - 0022-monitor-process-exited-by-signal-SIGKILL-clean-cgrou.patch + - 0023-cgroups-move-check-for-valid-monitor-process-up.patch + - 0024-cgroups-better-helper-naming.patch + - 0025-tree-wide-s-recursive_destroy-lxc_rm_rf-g.patch + - 0026-verify-cgroup-controller-name.patch + - 0027-cgroups-handle-older-kernels-e.g.-v4.9.patch + - 0028-start-log-error-when-failing-to-create-cgroup.patch + - 0029-cgroups-send-two-attach-fds.patch + - 0030-cgroups-send-two-fds-to-attach-to-unified-cgroup.patch + - 0031-start-remove-unnecessary-check-for-valid-cgroup_ops.patch + - 0032-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch + - 0033-apparmor-generate-ro-bind-remount-rule-list.patch + - 0034-autotools-don-t-install-run-coccinelle.sh.patch + - 0035-systemd-Add-Documentation-key.patch + * Bump to new standards (4.5.0) + * Move manpages to the correct packages (libpam-cgfs, libpam-common) + * Refresh lintian overrides (lxc-utils) + + -- Stéphane Graber Wed, 01 Apr 2020 17:35:58 -0400 + +lxc (3.0.4-0ubuntu3) focal; urgency=medium + + * No-change rebuild for libgcc-s1 package name change. + + -- Matthias Klose Sun, 22 Mar 2020 16:48:35 +0100 + +lxc (3.0.4-0ubuntu2) focal; urgency=medium + + * Cherry-pick upstream bugfixes (LP: #1848587): + - tests: use /dev/loop-control instead of /dev/network_latency + + -- Stéphane Graber Tue, 26 Nov 2019 12:22:37 -0500 + +lxc (3.0.4-0ubuntu1) eoan; urgency=medium + + * New upstream bugfix release (3.0.4). + * Cherry-pick upstream bugfixes: + - cgfsng: fix memory leak in lxc_cpumask_to_cpulist + - cgroups: use __do_free + - cgroups: move variables into tighter scope + - cgroups: simplify cgfsng_setup_limits() + - cgroups: use __do_free in cgfsng_attach() + - cgroups: move variable into tighter scope + - cgroups: move variable into tighter scope + - cgroups: simplify cgfsng_nrtasks() + - cgroups: move variable into tighter scope + - cgroups: correctly order variables + - cgroups: move variable into tighter scope + - fix memory leak in do_storage_create + - Move code/variable in smaller scope + - start: expose LXC_PID to network hooks too + - cgroups: hande cpuset initialization race + - pidf_send_signal: fix return value + - cgroup: check for non-empty conf + - typo fix + - Suppress hardcoded table sizes + - lxc/log: add error_log_errno macro + - pidfds: don't print a scary warning on ENOSYS + - cgroups: initialize cpuset properly + - lxccontainer: fix detaching wlan devices + - utils: fix wrong integer of a function parameter + - lxc.pc: Fix invalid @DLOG_LIBS@ + * debian/control: Set Rules-Requires-Root to no + * debian/control: Bump standards to 4.4.0 + * debian/upstream: Reduce size of GPG key + * debian/source: Remove unused lintian override + + -- Stéphane Graber Mon, 07 Oct 2019 19:24:07 -0400 + +lxc (3.0.3-0ubuntu1) disco; urgency=medium + + * New upstream bugfix release (LP: #1804755): + - CONTRIBUTING: Update reference to kernel coding style + - CONTRIBUTING: Link to latest online kernel docs + - CONTRIBUTING: Direct readers to CODING_STYLE.md + - CODING_STYLE: Mention kernel style in introduction + - CONTRIBUTING: Add 'be' to fix grammar + - CODING_STLYE: Simplify explanation for use of 'extern' + - CODING_STLYE: Remove sections implied by 'kernel style' + - CODING_STYLE: Fix non-uniform heading level + - CODING_STYLE: Update section header format + - cmd: Use parenthesis around complex macro + - cmd: Use 'void' instead of empty parameter list + - cmd: Do not use braces for single statement block + - cmd: Fix whitespace issues + - cmd: Use 'const' for static string constant. + - cmd: Remove unnecessary whitespace in string + - cmd: Put trailing */ on a separate line + - cmd: Remove typo'd semicolon + - cmd: Do not use comparison to NULL + - lxc_init: s/SYSDEBUG()/SYSERROR()/g in remove_self + - tools: lxc-attach: add default log priority & cleanups + - tools: lxc-cgroup: add default log priority & cleanups + - tools: lxc-checkpoint: add default log priority & cleanups + - tools: lxc-console: add default log priority & cleanups + - tools: lxc-create: add default log priority & cleanups + - tools: lxc-destroy: add default log priority & cleanups + - tools: lxc-device: add default log priority & cleanups + - tools: lxc-execute: add default log priority & cleanups + - tools: lxc-start: add default log priority & cleanups + - tools: lxc-stop: add default log priority & cleanups + - tools: lxc-freeze: add default log priority & cleanups + - tools: lxc-unfreeze: add default log priority & cleanups + - storage_utils: move duplicated function from tools + - tools: fix lxc-execute command parsing + - lseek - integer overflow + - cmd: lxc-user-nic: change log macro & cleanups + - cmd: lxc-usernsexec reorder includes + - cmd: move declarations to macro.h + - cmd: use utils.{c,h} helpers in lxc-usernsexec + - cmd: simplify lxc-usernsexec + - cmd: use safe number parsers in lxc-usernsexec + - macro: add missing headers + - macro: add macvlan properties + - tools: Indicate container startup failure + - storage: exit() => _exit(). when exec is failed + - tools: lxc-wait: add default log priority & cleanups + - conf: fix path/lxcpath mixups in tty setup + - cmd: use goto for cleanup in lxc-usernsexec + - cmd: Do not reassign variable before it is used + - cmd: Reduce scope of 'count' variable + - cmd: Fix format issues found by clang-format + - list: fix indent + - utils: split into {file,string}_utils.{c,h} + - pam_cgfs: build from the same sources as liblxc + - conf: fix devpts mounting when fully unprivileged + - macro: s/rexit()/_exit()/g + - attach: move struct declaration to top + - macro: move macros from attach.c + - Makefile: don't allow undefined symbols + - autotools: check if compiler is new enough + - log: handle strerror_r() versions + - autotools: add --{disable,enable}-thread-safety + - log: fail build on ENFORCE_THREAD_SAFETY error + - {file,string}_utils: remove NO_LOG + - initutils: remove useless comment + - string_utils: remove unnecessary include + - string_utils: remove unused headers + - string_utils: add remove_trailing_slashes() + - Makefile: remove last pam_cgfs special-casing + - conf: add missing headers + - Fix typo + - ifaddrs: add safe implementation of getifaddrs() + - Makefile: conditionalize ifaddrs.h inclusion + - execute: skip lxc-init logging when unprivileged + - execute: pass /proc/self/fd/ + - tests: cleanup get_item.c + - build: fix musl + - configure: reorder header checks + - compiler: add compiler.h header + - commands: return -1 on lxc_cmd_get_init_pid() err + - tests: add basic.c + - tests: cleanup Makefile + - commands: ensure -1 is sent on EPIPE for init pid + - macro: add LXC_AUDS_ADDR_LEN + - macro: move LXC_CMD_DATA_MAX from commands.h + - macro: add PTR_TO_INT() and INT_TO_PTR() + - macro: add INTTYPE_TO_STRLEN() + - caps: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - cgfsng: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - confile: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - log: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - lsm: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - macro: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - lxccontainer: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - monitor: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - network: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - string_utils: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - utils: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - tools: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - conf: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - tests: s/LXC_NUMSTRLEN64/INTTYPE_TO_STRLEN()/ + - macro: final INTTYPE_TO_STRLEN() related cleanups + - macro: coding style fixes + - Makefile: correctly add ifaddrs to noinst_HEADERS + - start: remove duplicate macros + - caps: move macros to macro header + - string_utils: use UINT64_MAX macro + - tree-wide: use sizeof on static arrays + - Revert "tree-wide: use sizeof on static arrays" + - commands: pass around intmax_t + - commands: assign before converting to pointer + - macro: calculate buffer lengths correctly + - Revert "Revert "tree-wide: use sizeof on static arrays"" + - macro: move MS_* macros + - caps: fix illegal access to array bound + - utils: defensive programming + - nl: remove duplicated define + - syntax error: mismatch brace + - commands: better error message + - file_utils: add lxc_recv_nointr() + - commands: switch to setting errno and returning -1 + - log: do not clobber errno + - log: save errno on strerror_r() + - tree-wide: s/recv()/lxc_recv_nointr()/g + - file_utils: add lxc_send_nointr() + - tree-wide: s/send()/lxc_send_nointr()/g + - nl: save errno on lxc_netns_set_nsid() + - log: log_append_logfile() add new error path + - lxccontainer: fix dereferenced pointer + - lxc: fix build with --disable-werror + - utils: improve get_ns_uid() and add get_ns_gid() + - utils: improve lxc_switch_uid_gid() + - log: support dlog + - attach: handle id switching smarter + - start: avoid unnecessary syscalls + - utils: make lxc_setgroups() return bool + - utils: make lxc_switch_uid_gid() return bool + - lxccontainer: use correct pid_t type + - conf: remove extra MS_BIND with sysfs:mixed + - network: use correct type in lxc_netns_set_nsid() + - network: add lxc_netns_get_nsid() + - remove unused variables + - file_utils: remove unused function + - network: minor tweaks + - add compile flags for dlog + - log: add common functions + - log: add additional info of dlog + - attach: don't shutdown ipc socket in child + - security: fix too wide or inconsistent non-owner permissions + - attach: report standard shell exit codes + - af_unix: add function to remove duplicated codes for set sockaddr + - lxccontainer: remove locks from set_cgroup_item() + - lxccontainer: remove locks from get_cgroup_item() + - apparmor: account for specified rootfs path (closes #2617) + - conf: realpath() uses null as second parameter to prevent buffer overflow + - start: s/backgrounded/daemonize/g + - cgfsng: mark ops with \_\_cgfsng_ops\_\_ attribute + - autotools: add -Wimplicit-fallthrough + - cgroup: rename container specific cgroup functions + - cgroups: s/fullcgpath/container_full_path/g + - cgroups: add missing string.h include + - cgroups: s/base_cgroup/container_base_path/g + - autotools: fix wrong AX_CHECK_COMPILE_FLAG test + - compiler: s/\_\_fallthrough\_\_/\_\_fallthrough/g + - compiler: s/\_\_noreturn\_\_/\_\_noreturn/g + - cgfsng: s/\_\_cgfsng_ops\_\_/\_\_cgfsng_ops/g + - macro: add STRLITERALLEN() and STRARRAYLEN() + - tree-wide: replace sizeof() with SIZEOF2STRLEN() + - compiler: \_\_attribute\_\_((noreturn)) on bionic + - autotools: support -Wcast-align + - autotools: support -Wstrict-prototypes + - network: add netns_getifaddrs() implementation + - tree_wide: switch to netns_getifaddrs() + - netns_ifaddrs: mark casts as safe + - autotools: fix lxc_user_nic build + - stop: Only freeze if freezer is available + - doc: tweak documentation a little + - cgfsng: set errno to ENOENT on get_hierarchy() + - cgfsng: s/cgfsng_destroy/cgfsng_payload_destroy/g + - cgfsng: s/25/INTTYPE_TO_STRLEN(pid_t)/g + - compiler: fix \_\_noreturn on bionic + - compiler: add \_\_hot attribute + - netns_ifaddrs: fix missing include + - autools: prevent dlog build on stable branch + - tree-wide: fix includes to fix bionic builds + - template: oci template supports for char user info + - btrfs: fix btrfs containers + - oci-template: Add logic for no /etc/passwd, group + - configure: fix -Wimplicit-fallthrough check + - utils: add lxc_setup_keyring() + - autotools: support -z relro and -z now + - netns_ifaddrs: handle IFLA_STATS{64} correctly + - syscall_wrappers: add pivot_root() + - raw_syscalls: add lxc_raw_execveat() + - raw_syscalls: add lxc_raw_clone{_cb}() + - raw_syscalls: add lxc_raw_getpid() + - autotools: fix lxc init build + - autotools: fix lxc-monitord build + - autotools: fix lxc-user-nic build + - autotools: fix lxc-usernsexec build + - tests: add missing build dependencies + - netns_ifaddrs: only use struct rtnl_link_stats64 + - cgroups: remove unnecessary line + - netns_iaddrs: remove unused functions + - parse: prefault config file with MAP_POPULATE + - cgfsng: avoid tiny race window + - utils: fix lxc_set_death_signal() + - cgfsng: handle v1 cpuset hierarchy first + - syscall_wrappers: move memfd_create() + - syscall_wrappers: move setns() + - syscall_wrappers: move sethostname() + - syscall_wrappers: move unshare() + - syscall_wrappers: move signalfd() + - raw_syscalls: move lxc_raw_gettid() + - tools: lxc-start: remove unused argument + - tools: lxc-unshare: remove unnecessary initialization + - parse: remove access() check + - parse: report errors when failing config parsing + - macro: add PATH_MAX + - cmd: s/MAXPATHLEN/PATH_MAX/g + - conf: s/MAXPATHLEN/PATH_MAX/g + - confile: s/MAXPATHLEN/PATH_MAX/g + - log: s/MAXPATHLEN/PATH_MAX/g + - lxccontainer: s/MAXPATHLEN/PATH_MAX/g + - macro: s/MAXPATHLEN/PATH_MAX/g + - network: s/MAXPATHLEN/PATH_MAX/g + - pam: s/MAXPATHLEN/PATH_MAX/g + - start: s/MAXPATHLEN/PATH_MAX/g + - terminal: s/MAXPATHLEN/PATH_MAX/g + - utils: s/MAXPATHLEN/PATH_MAX/g + - storage: s/MAXPATHLEN/PATH_MAX/g + - tools: s/MAXPATHLEN/PATH_MAX/g + - attach: reset signal mask + - start: change log level + - file_utils: fix too wide or inconsistent non-owner permissions + - attach: fix missing pthread.h include + - macro: add NETLINK_DUMP_STRICT_CHK + - macro: add SOL_NETLINK + - netns_ifaddrs: check for NETLINK_DUMP_STRICT_CHK + - parse: do not mask failed parse + - test: test invalid config keys + - confile: remove unused variable + - parse: fix uninitialized pointer access + - fix rpm packaging error for static library + - fix post section script error for rpm install + - conf: log prlimit setup + - conf: verify_start_hooks() after lxc.mount.entry + - checkpoint: fix running do_dump() + - monitor: log cleanups + - monitor: checking name too long to make monitor sock name + - commands_utils: improve code redundancy to make abstract unix socket name + - monitor: fix coding standard + - autools: use -fno-strict-aliasing + - checkconfig: Handle missing kernel version + - lxc-init: log to /dev/console + - autotools: fix --disable-commands builds + - string_utils: fix global buffer overflow issue + - include: simplify strlcpy() + - raw_syscalls: ensure function always returns value + - confile: fix append_unexp_config_line() + - parse: protect against config updates during parse + - parse: fix uninitialized value + - tree-wide: coding style fixes + - start: simplify + - autotools: compiler based hardening + - coverity: update .travis.yml + - coverity: update .travis.yml + - coverity: update .travis.yml + - coverity: update .travis.yml + - coverity: update .travis.yml + - confile: do not overwrite global variable + - commands: simplify + - cgfsng: move increment out of branch + - monitord: do not hide global variable + - tools/lxc_copy: do not hide global variable + - tools/lxc_top: do not hide global variable + - tools/lxc_info: do not hide global variable + - state: remove tautological check + - conf: remove tautological check + - conf: use O_CLOEXEC in lxc_pivot_root() + - conf: remove tautological check + - lxccontainer: remove check from goto target + - start: prevent values smaller 0 + - tools/lxc_stop: use correct check + - cmd/lxc_init: do not hide global variable + - coverity: #1440391 + - coverity: #1440389 + - coverity: #1426130 + - storage_utils: add error handling + - storage_utils: cleanups + - storage_utils: use _exit() instead of exit() in child process + - parse: cleanups + - dlog: inherit dlog fds + - spelling: allocate + - spelling: ambiguous + - spelling: answer + - spelling: architecture + - spelling: array + - spelling: asynchronous + - spelling: backingstorage + - spelling: capabilities + - spelling: character + - spelling: checkpoint + - spelling: comma + - spelling: command + - spelling: committer + - spelling: configuration + - spelling: constant + - spelling: container + - spelling: control + - spelling: convenience + - spelling: could + - spelling: describing + - spelling: device + - spelling: exiting + - spelling: explicitly + - spelling: feature + - spelling: github + - spelling: hierarchy + - spelling: hoops + - spelling: ifindices + - spelling: implementations + - spelling: inherited + - spelling: initialize + - spelling: javascript + - spelling: keepdata + - spelling: libraries + - spelling: loglevel + - spelling: namespace + - spelling: otherwise + - spelling: output + - spelling: overlayfs + - spelling: overridden + - spelling: override + - spelling: passphrase + - spelling: perhaps + - spelling: pertains + - spelling: portion + - spelling: potentially + - spelling: returns + - spelling: root + - spelling: securityfs + - spelling: snapshotting + - spelling: specified + - spelling: specify + - spelling: subtracting + - spelling: successfully + - spelling: syscall + - spelling: timeout + - spelling: unsigned + - spelling: userns + - spelling: without + - lxcmntent: coding rules + - string_utils: coding rules + - log: fix too wide or inconsistent non-owner permissions + - coverity: move to separate branch + - include: correctly include macro.h + - Fix spacing error in namespace.c + - caps: replace read with lxc_read_nointr + - log: replace write with lxc_write_nointr + - dlog: move match_dlog_fds() + - conf: s/ty/tty/g + - pam_cgfs: remove redundancy file utils + - cgfs: remove redundancy utils + - pam_cgfs: remove dependency from cap & log + - utils: fix coding styles + - utils: add errno logs for exception case + - Adds -qq flags to lvcreate commands + - utils: make keyring allocation failure non-fatal + - autotools: fix lxc-{create,copy} build + - cgfsng: remove freezer requirement + - start: don't call cgroup_exit() twice + + * Bump standards to 4.2.0 + - Update lintian overrides + + -- Stéphane Graber Thu, 22 Nov 2018 23:49:34 -0500 + +lxc (3.0.2-0ubuntu4) cosmic; urgency=medium + + * Cherry-pick upstream fixes: + - 0024-commands-return-1-on-lxc_cmd_get_init_pid-err.patch + + -- Stéphane Graber Sat, 25 Aug 2018 00:49:17 -0400 + +lxc (3.0.2-0ubuntu3) cosmic; urgency=medium + + * Run autoreconf during autopkgtest. + + -- Stéphane Graber Fri, 24 Aug 2018 15:24:19 -0400 + +lxc (3.0.2-0ubuntu2) cosmic; urgency=medium + + * Cherry-pick upstream fixes: + - 0022-execute-skip-lxc-init-logging-when-unprivileged.patch + - 0023-execute-pass-proc-self-fd-nr.patch + + -- Stéphane Graber Thu, 23 Aug 2018 12:33:49 -0400 + +lxc (3.0.2-0ubuntu1) cosmic; urgency=medium + + * New upstream bugfix release (LP: #1788457): + - CVE 2018-6556: verify netns fd in lxc-user-nic + - fixed a range of bugs found by Coverity + - lxc-usernsexec: cleanup and bugfixes + - log: add CMD_SYSINFO() + - log: add CMD_SYSERROR() + - state: s/sleep()/nanosleep()/ + - lxclock: improve file locking + - lxccontainer: improve file locking + - lxccontainer: fix F_OFD_GETLK checks + - netlink: add __netlink_{send,recv,transaction} + - netns: allocate network namespace id + - MAINTAINERS: add Wolfgang Bumiller + - pam_cgfs: cleanups + - log: add default log priority + - tree-wide: pass unsigned long to prctl() + - macro: add new macro header + - conf: mount devpts without “max” on EINVAL + - tree-wide: handle EINTR in read() and write() + - tree-wide: replace pipe() with pipe2() + - confile: split mount options into flags and data + - conf: improve rootfs setup + - autotools: default to -Wvla -std=gnu11 + - tree-wide: remove VLAs + - tree-wide: replace strtok_r() with lxc_iterate_parts() + - utils: add lxc_iterate_parts() + - apparmor: allow start-container to change to lxc-** + - apparmor: update current profiles + - apparmor: Allow /usr/lib* paths for mount and pivot_root + - conf: the atime flags are locked in userns + - conf: handle partially functional device nodes + - conf: create /dev directory + - autotools: build both a shared and static liblxc + - namespace: add api to convert namespaces to standard identifiers + - tree-wide: set MSG_NOSIGNAL + - tree-wide: use mknod() to create dummy files + - cgfsng: respect lxc.cgroup.use + - cgroups: remove is_crucial_cgroup_subsystem() + - tree-wide: remove unneeded log prefixes + - tests: cleanup all tests + - terminal: set FD_CLOEXEC on pty file descriptors + - conf: simplify lxc_setup_dev_console() + - tools: rework tools + - autodev: adapt to changes in Linux 4.18 + - log: change DEBUG, INFO, TRACE, NOTICE macro using strerror to SYS* macro + - log: add lxc_log_strerror_r macro + - network: unpriv lxc will run lxc.net.[i].script.up now + - conf: only use newuidmap and newgidmap when necessary + - autotools: support tls in cross-compile + + * Cherry-pick upstream fixes: + - 0002-tools-fix-lxc-execute-command-parsing.patch + - 0003-lseek-integer-overflow.patch + - 0004-cmd-lxc-usernsexec-reorder-includes.patch + - 0005-cmd-move-declarations-to-macro.h.patch + - 0006-cmd-use-utils.-c-h-helpers-in-lxc-usernsexec.patch + - 0007-cmd-simplify-lxc-usernsexec.patch + - 0008-cmd-use-safe-number-parsers-in-lxc-usernsexec.patch + - 0009-tools-Indicate-container-startup-failure.patch + - 0010-conf-fix-path-lxcpath-mixups-in-tty-setup.patch + - 0011-cmd-use-goto-for-cleanup-in-lxc-usernsexec.patch + - 0012-utils-split-into-file-string-_utils.-c-h.patch + - 0013-pam_cgfs-build-from-the-same-sources-as-liblxc.patch + - 0014-conf-fix-devpts-mounting-when-fully-unprivileged.patch + - 0015-macro-s-rexit-_exit-g.patch + - 0016-Makefile-don-t-allow-undefined-symbols.patch + - 0017-autotools-check-if-compiler-is-new-enough.patch + - 0018-log-handle-strerror_r-versions.patch + - 0019-autotools-add-disable-enable-thread-safety.patch + - 0020-log-fail-build-on-ENFORCE_THREAD_SAFETY-error.patch + - 0021-macro-add-missing-headers.patch + + * Bump standards to 4.2.0 + - Update lintian overrides + * Include new .a file into liblxc-dev + * Override GPG keyserver in autopkgtest + + -- Stéphane Graber Wed, 22 Aug 2018 11:26:07 -0400 + +lxc (3.0.1-0ubuntu1) cosmic; urgency=medium + + * New upstream bugfix release: + - tools: fix unitialized variable + - storage: fix lvm fs uuid generation + - lxc-oci: fix Cmd/Entrypoint parsing + - lxc-oci: make umoci less verbose + - lxclock: use thread-safe OFD fcntl() locks + - locktests: fix test suite + - conf: ensure umounts don’t propagate to host + - doc: Tweak Japanese translation in lxc.container.conf(5) + - fix signal sending in lxc.init + - rootfs pinning: On NFS, make file hidden but don’t delete it + - conf: fix temporary file creation + - ringbuf: fix temporary file creation + - Fix compilation with static libcap and shared gnutls + - attach: always drop supplementary groups + - lxc init: remove dead code + - storage/rsync: free memory on error + - tools/utils: free memory on error + - lxc init: coding style + - utils: define __NR_setns if missing on old glibcs + - attach: try to always drop supplementary groups + - conf: ret-try devpts mount without gid=5 on error + - execute: fix app containers without root mapping + - conf: fix net type checks in run_script_argv() + - seccomp: handle arch inversion + - seccomp: handle all errors + - seccomp: cleanup compat architecture handling + - seccomp: improve logging + - tools: document -d/–daemonize for lxc-execute + - seccomp: non-functional changes + - seccomp: handle arch inversion II + - lxc-oci: mkdir the download directory + - do_lxcapi_create: set umask + - lxc/tools/lxc_monitor: include missing + - pam-cgfs: ignore the system umask when creating the cgroup hierarchy + - Also pass action scripts to CRIU on checkpointing + - Fix the memory leak in cgfsng_attach + - Fix memory leak in list_active_containers + - Fix tool_utils.c build when HAVE_SETNS is unset + - coverity: #1435210 + - coverity: #1435208 + - coverity: #1435207 + - coverity: #1435206 + - coverity: #1435205 + - coverity: #1435203 + - coverity: #1435200 + - coverity: #1435198 + - coverity: #1426734 + - lxccontainer: non-functional changes + - lxccontainer: use thread-safe OFD locks + - lxccontainer: non-functional changes + - lxccontainer: do_lxcapi_is_running() + - lxccontainer: do_lxcapi_freeze() + - lxccontainer: do_lxcapi_unfreeze() + - lxccontainer: non-functional changes + - lxccontainer: use thread-safe open() + write() + - lxccontainer: non-functional changes + - lxccontainer: non-functional changes + - lxccontainer: non-functional changes + - coverity: #1435263 + - fix logic for execute log file + - utils: add LXC_PROC_PID_FD_LEN + - execute: use static buffer + - execute: do not check inherited fds again + - add some TRACE/ERROR reporting + - execute: account for -o path option count + - execute: set init_path when existing init is found + - genl: remove + - coverity: #1248104 + - coverity: #1248105 + - coverity: #1425744 + - utils: account for terminating \0 byte + - confile: satisfy gcc-8 + - network: silence gcc-8 + - network: adhere to IFNAMSIZ limit + - support case ignored suffix for sizes + - utils: fix parse_byte_size_string() coding style + - strlcpy: add strlcpy() implementation + - tree-wide: s/strncpy()/strlcpy()/g + - CODING_STYLE: add section about using strlcpy() + - tools: s/strncpy()/strlcpy()/g + - Revert “tools: s/strncpy()/strlcpy()/g” + - tools: s/strncpy()/memcpy()/ + - doc: Add “-d/–daemon” option to Japanese lxc-execute(1) + - doc: Fix size unit style in Japanese lxc.container.conf(5) + - coverity: #1435604 + - coverity: #1435603 + - coverity: #1435602 + - coverity: #1425844 + - config: allow read-write /sys in user namespace + - coverity: #1425836 + - coverity: #1248106 + - capabilities: raise ambient capabilities + - coverity: #1425802 + - cgroups: refactor cgroup handling + - cgroups: remove freezer_state() + - seccomp: #ifdef SCMP_ARCH_AARCH64 + - conf: simplify write_id_mapping() + - log: enable per-thread container name prefix + - lxc-init: skip signals that can’t be caught + - execute: use execveat() syscall if supported + - tools: only create log file when requested + - seccomp: fix off-by-one error in array allocation for sscanf + - seccomp: remove confusing comment line + - seccomp: remove unnecessary memset + - seccomp: fix type mismatch when parsing syscall arguments filters + - lxcseccomp: cleanup header + - seccomp: parse_config_v1() + - utils: add remove_trailing_newlines() + - seccomp: get_v2_default_action() + - seccomp: get_action_name() + - seccomp: get_v2_action() + - seccomp: fix get_seccomp_arg_value() + - seccomp: parse_v2_rules() + - seccomp: move #ifdefines + - seccomp: get_hostarch() + - seccomp: scmp_filter_ctx get_new_ctx() + - seccomp: do_resolve_add_rule() + - seccomp: parse_config_v2() + - seccomp: parse_config() + - seccomp: lxc_read_seccomp_config() + - tree-wide: s/sigprocmask/pthread_sigmask()/g + - utils: fix task_blocking_signal() + - lxccontainer: fix fd leaks when sending signals + - confile: order architectures + - start: log setns() failure + - seccomp: leak fixup + - seccomp: re-add action parse error handling + - seccomp: refactor line handling of parse_config + - seccomp: error on unrecognized actions + - seccomp: lxc_read_seccomp_config() + - seccomp: parse_v2_rules() + - seccomp: make do_resolve_add_rule() more strict + - tools: fix lxc-create with global config value + - tools: fix lxc-create with global config value II + - coverity: #1435806 + - coverity: #1435805 + - coverity: #1435803 + - coverity: #1435747 + - conf: non-functional changes + - conf: make is_execute a boolean + - conf: non-functional changes + - conf: make close_all_fds a boolean + - conf: reshuffle mount members + - conf: simplify tty handling + - conf: pts -> pty_max + - conf: non-functional changes + - utils: fix task_blocking_signal() + - network: fix socket handle leak + - start: do not init ns_clone_flags to -1 + - conf: ensure lxc_delete_tty() does not crash + - start: add reboot macros + - conf: make root idmap structs const + - conf: make tmp_umount_proc bool + - conf: non-functional changes + - conf: va_end was not called. + - confile: improve strprint() + - change defines for return value of handlers + - start: fix waitpid() blocking issue + - start: log unknown info.si_code + - tree-wide: fix mode of some files + - confile_utils: apply strprint() + - templates: actually create DOWNLOAD_TEMP directory + - templates: fix download template + - Patch lxc-update-config + + * Bump standard to 4.1.4 + + -- Stéphane Graber Tue, 05 Jun 2018 17:05:49 -0400 + +lxc (3.0.0-0ubuntu2) bionic; urgency=medium + + * Add missing breaks/replaces for lxc-init moving from lxc1 to + liblxc-common (LP: #1760609). + + -- Stéphane Graber Mon, 02 Apr 2018 11:56:45 -0400 + +lxc (3.0.0-0ubuntu1) bionic; urgency=medium + + * New upstream LTS release: + - LXC 3.0 will be supported until June 2023. + - Announcement: https://linuxcontainers.org/lxc/news/ + + -- Stéphane Graber Wed, 28 Mar 2018 00:07:48 -0400 + +lxc (3.0.0~beta4-0ubuntu1) bionic; urgency=medium + + * New upstream beta (3.0.0~beta4) + + -- Stéphane Graber Mon, 26 Mar 2018 23:40:44 -0400 + +lxc (3.0.0~beta3-0ubuntu1) bionic; urgency=medium + + * New upstream beta (3.0.0~beta3) + + -- Stéphane Graber Fri, 23 Mar 2018 16:25:55 -0400 + +lxc (3.0.0~beta2-0ubuntu2) bionic; urgency=medium + + * Move LXC's init and init.static to liblxc-common + + -- Stéphane Graber Mon, 19 Mar 2018 18:36:31 -0400 + +lxc (3.0.0~beta2-0ubuntu1) bionic; urgency=medium + + * New upstream beta (3.0.0~beta2) + + -- Stéphane Graber Mon, 19 Mar 2018 17:43:49 -0400 + +lxc (3.0.0~beta1-0ubuntu3) bionic; urgency=medium + + * Make liblxc-common conflicts/replaces lxc-common rather than + breaks/replaces. + + -- Stéphane Graber Mon, 05 Mar 2018 04:31:40 -0500 + +lxc (3.0.0~beta1-0ubuntu2) bionic; urgency=medium + + * Fix autopkgtest + - Record timing of tests in autopkgtest. + - Disable the lxc-test-state-server test due to broken busybox. + + -- Stéphane Graber Fri, 02 Mar 2018 17:20:11 -0500 + +lxc (3.0.0~beta1-0ubuntu1) bionic; urgency=medium + + * New upstream beta (3.0.0~beta1) + * Remove lxc-templates, now its own source + - Move lxc-templates from recommends to suggests + - liblxc-common now replaces part of lxc-templates + * Remove python3-lxc, now its own source + * Add libpam-cgfs (moved from lxcfs) + + -- Stéphane Graber Thu, 01 Mar 2018 14:02:28 -0500 + +lxc (2.1.1-0ubuntu4) bionic; urgency=medium + + * Loosen dependency on lxc-templates ahead of LXC 3.0. + + -- Stéphane Graber Wed, 28 Feb 2018 18:33:11 -0500 + +lxc (2.1.1-0ubuntu3) bionic; urgency=medium + + * Drop lxc-utils dependency on python3-lxc. + + -- Stéphane Graber Wed, 28 Feb 2018 18:26:35 -0500 + +lxc (2.1.1-0ubuntu2) bionic; urgency=medium + + * Drop some packages ahead of LXC 3.0: + - lxc-tests (not needed for autopkgtests anymore) + - lua-lxc (unused and moved out of tree upstream) + + * Rename packages: + - lxc1 to lxc-utils (lxc1 becomes transitional) + - lxc-common to liblxc-common + - lxc-dev to liblxc-dev (lxc-dev becomes transitional) + + * Update debian/tests/exercise + - Make it build the test binaries + + * Drop backward compatibility code for pre-16.04 Ubuntu + + * Update to current standards + - Fix trailing whitespaces in debian/changelog + - Move debian/source.lintian-overrides to debian/lintian-overrides + - Update all URLs in debian/changelog to https + - Bump compat to 10 + - Bump standards to 4.1.3 + - Drop --with autotools_dev from debian/rules + - Bump debhelper dependency to 10 or higher + - Drop dh-autoreconf, autotools-dev and dh-systemd build-dependencies + - Drop un-needed lintian source overrides + + -- Stéphane Graber Mon, 26 Feb 2018 16:01:23 -0500 + +lxc (2.1.1-0ubuntu1) bionic; urgency=medium + + * New upstream bugfix release (LXC 2.1.1) + - apparmor: Drop useless apparmor denies + - cgfsng: Check whether we have a conf + - cgfsng: Fail when limits fail to apply + - conf: Error out on too many mappings + - conf: Ignore lxc.kmsg and lxc.pivotdir + - conf: Make update warning opt-in + - conf: Preserve newlines in configuration file + - conf: Remove dead assignments in parse_idmaps() + - conf: Remove unnecessary zeroing + - conf: Use the proper type for rlim_t, fixing build failure on x32. + - console: Clean tty state + return 0 on peer exit + - console: Remove dead assignments + - core: Introduce userns_exec_full() and port the codebase to it + - criu: Use correct check initialization check + - doc: Add lxc.cgroup.dir to Japanese lxc.container.conf(5) + - doc: Add lxc-update-config manpage + - doc: Document missing env variables + - doc: Fix regex-typo in Japanese and Korean lxc-monitor(1) + - doc: Fix regex-typo in lxc-monitor.sgml.in + - doc: Translate lxc(7) into Japanese + - doc: Translate lxc-update-config(1) into Japanese + - execute: Enable console & standard /dev symlinks + - init: Become session leader + - log: Fix a format string build failure on x32. + - log: Prevent stack smashing + - monitor: Remove dead assignment + - network: Add missing checks for empty links + - network: Clear ifindeces + - network: Non-functional changes + - network: Remove dead assignments + - network: Use single helper to delete networks + - start: Don't close inherited namespace fds + - start: Move env setup before container setup + - start: Pass LXC_LOG_LEVEL to hooks + - start: Remove dead variable + - start: Set environment variables correctly + - start: Switch ids at last possible instance + - storage: Avoid segfault on missing lxc.rootfs.path + - storage: Fix typo in error message + - storage/lvm: Fix thinpool logical volumes + - storage/overlay: Do not write to invalid memory + - storage/overlay: Fix use after free() + - storage/zfs: Return error directly when zfs creation fails + - template/alpine: Change file check to also check file size (-f => -s) + - template/archlinux: Change locale "en-US.UTF-8" to "en_US.UTF-8" + - template/debian: Don't force getty@ configuration + - template/plamo: Delete unnecessary process during container shutdown + - tests: Avoid NULL pointer dereference + - tests: Remove dead assignments + - tests: Support systemd hybrid cgroups + - tools: Print "-devel" when LXC_DEVEL is true + - tools/lxc-unshare: Do not pass NULL pointer + - tools/lxc-update-config: Remove lxc.pivotdir and lxc.kmsg entries + - tools/lxc-update-config: Strip lxc.rootfs.backend and handle IPv4 addrs + - tools/lxc-user-nic: Remove double initialization + - tools/lxc-usernsexec: Remove dead assignments + - utils: Do not write to 0 sized buffer + - utils: Duplicate stderr as well in lxc_popen() + - utils: Fix lxc_popen()/lxc_pclose() + - utils: Remove dead assignments in lxc_popen() + + * Drop all patches, now upstream. + * Use upstream manpage for lxc-update-config. + * Refresh lintian overrides. + * Bump standards to 4.1.1. + + -- Stéphane Graber Tue, 31 Oct 2017 18:59:59 -0400 + +lxc (2.1.0-0ubuntu1) artful; urgency=medium + + * New upstream release (LXC 2.1): (LP: #1715278) + - https://linuxcontainers.org/lxc/news + + - This is an intermediary release between LXC 2.0 (LTS) and LXC 3.0 (LTS). + LXC 2.1 supports both the older configuration keys and the newer ones. + A number of options and commands will also now issue deprecation + warning before they completely go away in LXC 3.0. + + It is recommended that you run "lxc-update-config" for your + containers and make sure that there is no leftover warnings. + + * Cherry-pick fixes from upstream: + - 0002-Fix-typo.patch + - 0003-network-add-missing-checks-for-empty-links.patch + - 0004-cleanup-remove-unnecessary-zeroing.patch + - 0005-console-clean-tty-state-return-0-on-peer-exit.patch + - 0006-tools-fix-lxc-upate-config.patch + - 0007-criu-use-correct-check-initialization-check.patch + - 0008-storage-overlay-do-not-write-to-invalid-memory.patch + - 0009-utils-do-not-write-to-0-sized-buffer.patch + - 0010-overlay-fix-use-after-free.patch + - 0011-lxc-unshare-do-not-pass-NULL-pointer.patch + - 0012-lxc-user-nic-remove-double-initialization.patch + - 0013-execute-enable-console-standard-dev-symlinks.patch + - 0014-start-switch-ids-at-last-possible-instance.patch + - 0015-storage-avoid-segfault.patch + - 0016-tests-Support-systemd-hybrid-cgroups.patch + + * Build depend on python3-setuptools. + * Bump standard to 4.0.0. + * Drop upstart jobs on artful and higher. + * Update lintian overrides. + * Build a manpage with help2man for lxc-update-config. + + -- Stéphane Graber Mon, 18 Sep 2017 18:32:38 -0400 + +lxc (2.0.8-0ubuntu7.1) artful; urgency=medium + + * Cherrypick fixes for netplan to fix release-regressed autopkgtests and + unblock proposed migration of reverse-dependencies. + + -- Dimitri John Ledkov Wed, 06 Sep 2017 17:10:01 +0100 + +lxc (2.0.8-0ubuntu7) artful; urgency=medium + + * Cherry-pick upstream fix: + - 0014-templates-ubuntu-conditionally-move-upstart-ssh-job-.patch + + -- Stéphane Graber Tue, 29 Aug 2017 14:40:49 -0400 + +lxc (2.0.8-0ubuntu6) artful; urgency=medium + + * Cherry-pick upstream fix: + - 0012-cgroups-handle-hybrid-cgroup-layouts.patch + + -- Stéphane Graber Tue, 22 Aug 2017 18:43:41 -0400 + +lxc (2.0.8-0ubuntu5) artful; urgency=medium + + * debian/patches/0012-gcc-7-workaround.patch: workaround for gcc-7 bug + that causes lxc to FTBFS. LP: #1711449. Closes: #853531. + + -- Tiago Stürmer Daitx Thu, 17 Aug 2017 20:29:29 +0000 + +lxc (2.0.8-0ubuntu4) artful; urgency=medium + + * No-change rebuild to build to drop python3.5. + + -- Matthias Klose Sat, 05 Aug 2017 16:25:57 +0000 + +lxc (2.0.8-0ubuntu3) artful; urgency=medium + + * Cherry-pick upstream workaround for ppc64el failure: + - 0011-utils-fix-ppc64le-builds.patch + + -- Stéphane Graber Mon, 29 May 2017 13:15:38 -0400 + +lxc (2.0.8-0ubuntu2) artful; urgency=medium + + * Cherry-pick some upstream fixes: + - conf{,ile}: allow one to clear all config items + - start: pin rootfs when privileged + - conf: fix build without libcap + - start: don't call lxc_map_ids() without id map + - lxc-attach: allow for situations without /dev/tty + - utils: fix num parsing functions + - tests: lxc_safe_{u}int() add corner-case tests + + -- Stéphane Graber Tue, 16 May 2017 13:35:34 -0400 + +lxc (2.0.8-0ubuntu1) artful; urgency=medium + + * New upstream bugfix release (2.0.8): + - Security fix for CVE-2017-5985 (previously fixed in Ubuntu) + + - All templates have been updated to not set default passwords anymore, + instead requiring lxc-attach be used to configure users. + + This may affect some automated environments that were relying on our + default (very much insecure) users. + + - Make lxc-start-ephemeral Python 3.2-compatible + - Fix typo + - Allow build without sys/capability.h + - lxc-opensuse: fix default value for release code + - util: always malloc for setproctitle + - util: update setproctitle comments + - confile: clear lxc.network..ipv{4,6} when empty + - lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals + - Make lxc-net return non-zero on failure + - seccomp: allow x32 guests on amd64 hosts. + - Add HAVE_LIBCAP + - c/r: only supply --ext-mount-map for bind mounts + - Added 'mkdir -p' functionality in create_or_remove_cgroup + - Use LXC_ROOTFS_MOUNT in clonehostname hook + - squeeze is not a supported release anymore, drop the key + - start: dumb down SIGCHLD from WARN() to NOTICE() + - log: fix lxc_unix_epoch_to_utc() + - cgfsng: make trim() safer + - seccomp: set SCMP_FLTATR_ATL_TSKIP if available + - lxc-user-nic: re-order #includes + - lxc-user-nic: improve + bugfix + - lxc-user-nic: delete link on failure + - conf: only try to delete veth when privileged + - Fix lxc-containers to support multiple bridges + - Fix mixed tab/spaces in previous patch + - lxc-alpine: use dl-cdn.a.o as default mirror instead of random one + - lxc-checkconfig: verify new[ug]idmap are setuid-root + - [templates] archlinux: resolve conflicting files + - [templates] archlinux: noneed default_timezone variable + - python3: Deal with potential NULL char* + - lxc-download.in / allow setting keyserver from env + - lxc-download.in / Document keyserver change in help + - Change variable check to match existing style + - tree-wide: include directly + - conf/ile: make sure buffer is large enough + - tree-wide: include directly + - tests: Support running on IPv6 networks + - tests: Kill containers (don't wait for shutdown) + - Fix opening wrong file in suggest_default_idmap + - do not set the root password in the debian template + - do not set insecure passwords + - don't set a default password for altlinux, gentoo, openmandriva and pld + - tools: exit with return code of lxc_execute() + - Keep veth.pair.name on network shutdown + - Makefile: fix static clang init.lxc build + - Avoid waiting for bridge interface if disabled in sysconfig/lxc + - Increased buffer length in print_stats() + - avoid assigning to a variable which is not POSIX shell proof (bug #1498) + - remove obsolete note about api stability + - conf: less error prone pointer access + - conf: lxc_map_ids() non-functional changes + - caps: add lxc_{proc,file}_cap_is_set() + - conf: check for {filecaps,setuid} on new{g,u}idmap + - conf: improve log when mounting rootfs + - ls: simplify the judgment condition when list active containers + - fix typo introduced in #1509 + - attach|unshare: fix the wrong comment + - caps: skip file capability checks on android + - autotools: check for cap_get_file + - caps: return false if caps are not supported + - conf: non-functional changes to setup_pts() + - conf: use bind-mount for /dev/ptmx + - conf: non-functional changes + - utils: use loop device helpers from LXD + - create ISSUE_TEMPLATE.md + - cgroups: improve cgfsng debugging + - issue template: fix typo + - conf: close fd in lxc_setup_devpts() + - conf: non-functional changes + - utils: tweak lxc_mount_proc_if_needed() + - Change sshd template to work with Ubuntu 17.04 + - conf: order mount options + - conf: add MS_LAZYTIME to mount options + - monitor: report errno on exec() error + - af unix: allow for maximum socket name + - commands: avoid NULL pointer dereference + - commands: non-functional changes + - lxccontainer: avoid NULL pointer dereference + - monitor: simplify abstract socket logic + - precise is not the latest LTS, let's use xenial instead + - fix the wrong exit status + - conf: non-functional changes lxc_fill_autodev() + - conf: remove /dev/console from lxc_fill_autodev() + - conf: non-functional changes lxc_setup() + - conf: non-functional changes to console functions + - conf: improve lxc_setup_dev_console() + - conf: lxc_setup_ttydir_console() + - config: remove /dev/console bind mount + - doc: document console behavior + - utils: add lxc_unstack_mountpoint() + - conf: unstack all mounts atop /dev/console + - console: fail when we cannot allocate peer tty + - start: remove umount2() + - conf: non-functional changes + - utils: handle > 2^31 in lxc_unstack_mountpoint() + - Install systemd units for CentOS + - Merge ubuntu and debiancase + - start: add crucial details about lxc_spawn() + + * Fix broken proxy detection in debian/tests/exercise + * Only move lxc bash completion from /etc if we installed it there + + -- Stéphane Graber Fri, 12 May 2017 12:30:47 -0400 + +lxc (2.0.7-0ubuntu4) artful; urgency=medium + + * Update test-suite to skip 'hybrid' (v1 & v2 mounted simultaniously) + cgroups for now. LP: #1690125 + + -- Dimitri John Ledkov Thu, 11 May 2017 12:01:33 +0100 + +lxc (2.0.7-0ubuntu2) zesty-security; urgency=medium + + * SECURITY UPDATE: lxc-user-nic doesn't check netns ownership (LP: #1654676) + - Ensure target netns is caller-owned + - CVE-2017-5985 + + -- Stéphane Graber Tue, 07 Mar 2017 14:33:46 -0500 + +lxc (2.0.7-0ubuntu1) zesty; urgency=medium + + * New upstream bugfix release (2.0.7): + - attach: Close lsm label file descriptor + - attach: Non-functional changes + - attach: Simplify lsm_openat() + - caps: Add lxc_cap_is_set() + - conf: attach: Save errno across call to close + - conf: Clearly report to either use drop or keep + - conf: criu: Add make_anonymous_mount_file() + - conf: Fix suggest_default_idmap() + - configure: Add --enable-gnutls option + - configure: Check for memfd_create() + - configure: Check whether gettid() is declared + - configure: Do not allow variable length arrays + - configure: Remove -Werror=vla + - configure: Use AC_HEADER_MAJOR to detect major()/minor()/makedev() + - conf: Non-functional changes + - conf: Remove thread-unsafe strsignal + improve log + - init: Add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers + - log: Add lxc_unix_epoch_to_utc() + - log: Annotate lxc_unix_epoch_to_utc() + - log: Drop all timezone conversion functions + - log: Make sure that date is correctly formatted + - log: Use lxc_unix_epoch_to_utc() + - log: Use N/A if getpid() != gettid() when threaded + - log: Use thread-safe localtime_r() + - lvm: Suppress warnings about leaked files + - lxccontainer: Log failure to send sig to init pid + - monitor: Add more logging + - monitor: Close mainloop on exit if we opened it + - monitor: Improve log + set log level to DEBUG + - monitor: Log which pipe fd is currently used + - monitor: Make lxc-monitord async signal safe + - monitor: Non-functional changes + - python3-lxc: Fix api_test.py on s390x + - start: Check for CAP_SETGID before setgroups() + - start: Fix execute and improve setgroups() calls + - state: Use async signal safe fun in lxc_wait() + - templates: lxc-debian: Don't try to read /usr/lib/systemd on the host + - templates: lxc-debian: Fix getty service startup + - templates: lxc-debian: Fix typo with dpkg --print-foreign-architectures + - templates: lxc-debian: Handle ppc hostarch -> powerpc + - templates: lxc-opensuse: Change openSUSE default release to Leap 42.2 + - templates: lxc-opensuse: Remove libgcc_s1 + - templates: lxc-opensuse: Remove poweroff.target -> sigpwr.target copy + - templates: lxc-opensuse: Set to be unconfined by AppArmor + - templates: lxc-opensuse: Update for Leap 42.2 + - tests; Don't cause test failures on cleanup errors + - tests: Skip unpriv tests on broken overlay module + - tools: Improve logging + - tools: lxc-start: Remove c->is_defined(c) check + - tools: lxc-start: Set configfile after load_config + - tools: Only check for O_RDONLY + - tree-wide: Random macro cleanups + - tree-wide: Remove any variable length arrays + - tree-wide: Sic semper assertis! + - utils: Add macro __LXC_NUMSTRLEN + - utils: Add uid, gid, group convenience wrappers + + * Cherry-pick upstream bugfix: + - 0002-Make-lxc-start-ephemeral-Python-3.2-compatible.patch + + * Resolve lintian warnings + - Drop un-needed overrides + - Fix typos in debian/control + + -- Stéphane Graber Fri, 27 Jan 2017 17:21:52 -0500 + +lxc (2.0.6-0ubuntu5) zesty; urgency=medium + + * Cherry-pick upstream bugfix: + - 0003-tools-only-check-for-O_RDONLY.patch (LP: #1653725) + + -- Stéphane Graber Wed, 04 Jan 2017 14:11:45 -0500 + +lxc (2.0.6-0ubuntu4) zesty; urgency=medium + + * Cherry-pick upstream bugfix: + - tests: Don't cause test failures on-cleanup errors + + -- Stéphane Graber Thu, 01 Dec 2016 18:37:52 -0500 + +lxc (2.0.6-0ubuntu3) zesty; urgency=medium + + * Properly escape the dirmngr command so it doesn't end up being an + empty string... + + -- Stéphane Graber Thu, 01 Dec 2016 16:08:30 -0500 + +lxc (2.0.6-0ubuntu2) zesty; urgency=medium + + * Workaround autopkgtest failure when using gpg2 with dirmngr. + * Restrict tests to run on standalone systems. + + -- Stéphane Graber Thu, 01 Dec 2016 12:27:51 -0500 + +lxc (2.0.6-0ubuntu1) zesty; urgency=medium + + * New upstream bugfix release (2.0.6): + - Security fix for CVE-2016-8649 + - utils: make detect_ramfs_rootfs() return bool + - tests: add test for detect_ramfs_rootfs() + - add Documentation entries to lxc and lxc@ units + - mark the python examples as having utf-8 encoding + - log: sanity check the returned value from snprintf() + - lxc-alpine: mount /dev/shm as tmpfs + - archlinux: Do DHCP on eth0 + - archlinux: Fix resolving + - Drop leftover references to lxc_strerror() + - tests: fix image download for s390x + - tools: fix coding style in lxc_attach + - tools: make overlay valid backend + - tools: better error reporting for lxc-start + - alpine: Fix installing extra packages + - lxc-alpine: do not drop setfcap + - s390x: Fix seccomp handling of personalities + - tools: correct the argument typo in lxc_copy + - Use libtool for liblxc.so + - c/r: use --external instead of --veth-pair + - c/r: remember to increment netnr + - c/r: add checkpoint/restore support for macvlan interfaces + - ubuntu: Fix package upgrades requiring proc + - c/r: drop duplicate hunk from macvlan case + - c/r: use snprintf to compute device name + - Tweak libtool handling to work with Android + - tests: add lxc_error() and lxc_debug() + - container start: clone newcgroup immediately + - use python3_sitearch for including the python code + - fix rpm build, include all built files, but only once + - cgfs: fix invalid free() + - find OpenSUSE's build also as obs-build + - improve help text for --fancy and --fancy-format + - improve wording of the help page for lxc-ls + - cgfs: add print_cgfs_init_debuginfo() + - cgfs: skip empty entries under /proc/self/cgroup + - cgfs: explicitly check for NULL + - tools: use correct exit code for lxc-stop + - c/r: explicitly emit bind mounts as criu arguments + - log: bump LXC_LOG_BUFFER_SIZE to 4096 + - conf: merge network namespace move & rename on shutdown + - c/r: save criu's stdout during dump too + - c/r: remove extra \ns from logs + - c/r: fix off-by-one error + - c/r: check state before doing a checkpoint/restore + - start: CLONE_NEWCGROUP after we have setup cgroups + - create symlink for /var/run + - utils: add lxc_append_string() + - cgroups: remove isolated cpus from cpuset.cpus + - Update Ubuntu release name: add zesty and remove wily + - templates: add squashfs support to lxc-ubuntu-cloud.in + - cgroups: skip v2 hierarchy entry + - also stop lxc-net in runlevels 0 and 6 + - add lxc.egg-info to gitignore + - install bash completion where pkg-config tells us to + - conf: do not use %m format specifier + - debian: Don't depend on libui-dialog-perl + - cgroups: use %zu format specifier to print size_t + - lxc-checkpoint: automatically detect if --external or --veth-pair + - cgroups: prevent segfault in cgfsng + - utils: add lxc_preserve_ns() + - start: add netnsfd to lxc_handler + - conf: use lxc_preserve_ns() + - attach: use lxc_preserve_ns() + - lxc_user_nic: use lxc_preserve_ns() + - conf, start: improve log output + - conf: explicitly remove veth device from host + - conf, start: be smarter when deleting networks + - start, utils: improve preserve_ns() + - start, error: improve log + non-functional changes + - start, namespace: move ns_info to namespace.{c,h} + - attach, utils: bugfixes + - attach: use ns_info[LXC_NS_MAX] struct + - namespace: always attach to user namespace first + - cgroup: improve isolcpus handling + - cgroups: handle non-existent isolcpus file + - utils: add lxc_safe_uint() + - tests: add unit tests for lxc_safe_uint() + - utils: add lxc_safe_int() + - tests: add unit tests for lxc_safe_int() + - conf/ile: get ip prefix via lxc_safe_uint() + - confile: use lxc_safe_u/int in config_init_{u,g}id + - conf/ile: use lxc_safe_uint() in config_pts() + - conf/ile: use lxc_safe_u/int() in config_start() + - conf/ile: use lxc_safe_uint() in config_monitor() + - conf/ile: use lxc_safe_uint() in config_tty() + - conf/ile: use lxc_safe_uint() in config_kmsg() + - conf/ile: avoid atoi in config_lsm_aa_incomplete() + - conf/ile: use lxc_safe_uint() in config_autodev() + - conf/ile: avoid atoi() in config_ephemeral() + - utils: use lxc_safe_int() + - lxc_monitord: use lxc_safe_int() && use exit() + - start: use lxc_safe_int() + - conf: use lxc_safe_{u}int() + - tools/lxc_execute: use lxc_safe_uint() + - tools/lxc_stop: use lxc_safe_uint() + - utils: add lxc_safe_long() + - tests: add unit tests for lxc_safe_long() + - tools/lxc_stop: use lxc_safe_long() + - tools/lxc_top: use lxc_safe_int() + - tools/lxc_ls: use lxc_safe_uint() + - tools/lxc_autostart: use lxc_safe_{int,long}() + - tools/lxc_console: use lxc_safe_uint() + - tools: replace non-standard namespace identifiers + - Configure a static MAC address on the LXC bridge + - tests: remove overflow tests + - attach: do not send procfd to attached process + * Remaining patches: + - 0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch + * Re-enable lxc-test-ubuntu on yakkety/zesty (template was fixed). + + -- Stéphane Graber Wed, 23 Nov 2016 23:56:02 -0500 + +lxc (2.0.5-0ubuntu4) zesty-security; urgency=medium + + * SECURITY UPDATE: Escape through ptrace and inherited fd (LP: #1639345) + - attach: Do not send procfd to attached process + - CVE-2016-8649 + + -- Stéphane Graber Tue, 22 Nov 2016 00:49:00 -0500 + +lxc (2.0.5-0ubuntu3) zesty; urgency=medium + + * Also skip lxc-test-ubuntu on zesty + (LXC still doesn't support squashfs cloud images) + + -- Stéphane Graber Fri, 21 Oct 2016 22:40:14 -0400 + +lxc (2.0.5-0ubuntu2) zesty; urgency=medium + + * Cherry-pick bugfix from upstream: + - s390x: Fix seccomp handling of personalities (LP: #1635639) + - Setup libtool (LP: #1620313) + * Build-depend on dpkg-dev (>= 1.16.1~) | hardening-wrapper. LP: #1620313. + + -- Stéphane Graber Fri, 21 Oct 2016 13:44:19 -0400 + +lxc (2.0.5-0ubuntu1) yakkety; urgency=medium + + * New upstream bugfix release (2.0.5): + - Fix .gitignore after /tools/ split + - Add lxc-test-utils to .gitignore + - bdev: use correct overlay module name + - cleanup: tools: remove --name from lxc-top usage message + - cleanup: whitespaces in option alignment for lxc-execute + - Use full GPG fingerprint instead of long IDs. + - tools: move --rcfile to the common options list + - tools: set configfile after load_config + - doc: add --rcfile to common opts + - doc: Update Korean lxc-attach(1) + - doc: Add --rcfile to Korean common opts + - doc: Add --rcfile to Japanese common opts + - tools: use exit(EXIT_*) everywhere + - tools: unify exit() calls outside of main() + - utils: Add mips signalfd syscall numbers + - seccomp: Implement MIPS seccomp handling + - seccomp: Add mips and mips64 entries to lxc_config_parse_arch + - seccomp: fix strerror() + - confile: add more archs to lxc_config_parse_arch() + - seccomp: add support for s390x + - seccomp: remove double include and order includes + - seccomp: non functional changes + - templates: use fd 9 instead of 200 + - templates: fedora requires openssl binary + - tools: use boolean for ret in lxc_device.c + - c/r: use /proc/self/tid/children instead of pidfile + - c/r: Fix pid_t on some arches + - templates: Add mips hostarch detection to debian + - cleanup: replace tabs wth spaces in usage strings + - remove extra 'ret' + - c/r: write status only after trying to parse the pid + - set FULL_PATH_NAMES=NO in doc/api/Doxyfile + - templates: rm halt.target -> sigpwr.target symlink + - templates: remove creation of bogus directory + - console: use correct log name + - configure: add --disable-werror + - tests: fix get_item tests + - templates: use correct cron version in alpine template + - c/r: zero a smaller than known migrate_opts struct + - lxczfs: small fixes + - c/r: free valid_opts if necessary + - make rsync deal with sparse files efficiently + - lxc-create -t debian fails on ppc64el arch + - c/r: fix typo in comment + - cgroup: add new functions for interacting with hierachies + - utils: add lxc_deslashify + - c/r: pass --cgroup-roots on checkpoint + - cgroup: get rid of weird hack in cgfsng_escape + - cgroup: drop cgroup_canonical_path + - c/r: check that cgroup_num_hierarchies > 0 + - tools: do not add trailing spaces on lxc-ls -1 + - conf: retrieve mtu from netdev->link + - conf: try to retrieve mtu from veth + - c/r: detatch from controlling tty on restore + - Fix null derefence if attach is called without access to any tty + - utils: fix lxc_string_split() + - tools: lxc_deslashify() handle special cases + - tests: add unit tests for lxc_deslashify() + - Fix for ALTLinux container creation in all branches + - utils: lxc_deslashify() free memory + - Fix spelling of CentOS in the templates + - Define LXC_DEVEL to detect development releases + - tools: lxc-checkconfig conditionalize devpts check + * Drop all cherry-pick patches, now upstream. + * Update to newer standards. Drop un-needed debian/control field. + * Address all lintian messages. + * Revert the previous upload as it caused FTBFS. + + -- Stéphane Graber Wed, 05 Oct 2016 13:56:58 +0200 + +lxc (2.0.4-0ubuntu5) yakkety; urgency=medium + + * Build-depend on dpkg-dev (>= 1.16.1~) | hardening-wrapper. LP: #1620313. + + -- Matthias Klose Thu, 29 Sep 2016 21:59:35 +0200 + +lxc (2.0.4-0ubuntu4) yakkety; urgency=medium + + * tests: Depend on dirmngr (LP: #1623424) + + -- Stéphane Graber Mon, 19 Sep 2016 12:30:44 -0400 + +lxc (2.0.4-0ubuntu3) yakkety; urgency=medium + + * Cherry-pick from upstream (fixes checkpoint/restore): + - 0003-c-r-use-proc-self-tid-children-instead-of-pidfile.patch + - 0004-c-r-Fix-pid_t-on-some-arches.patch + + -- Stéphane Graber Fri, 26 Aug 2016 16:27:18 -0400 + +lxc (2.0.4-0ubuntu2) yakkety; urgency=medium + + * Cherry-pick from upstream (for 4.6 kernel): + - 0002-bdev-use-correct-overlay-module-name + + -- Stéphane Graber Tue, 16 Aug 2016 19:28:50 -0400 + +lxc (2.0.4-0ubuntu1) yakkety; urgency=medium + + * New upstream bugfix release (2.0.4): + - core: Add a prefix to the lxc.pc + - core: Add flag in mount_entry to skip NODEV in case of a + persistent dev entry + - core: Add missing cgroup namespace to ns_info struct + - core: attach: setns instead of unshare in lxc-attach + - core: bdev: Add subdirectories to search path + - core: bdev: Be smarter about btrfs subvolume detection + - core: cgfsng: Don't pre-calculate path + - core: cgfsng: Fix is_lxcfs() and is_cgroupfs() + - core: cgroups: Move cgroup files to common subfolder + - core: conf: Set pty_info to NULL after free + - core: Detect if we should send SIGRTMIN+3 + - core: Replace readdir_r() with readdir() + - core: Set up MTU for vlan-type interfaces. + - core: tools, tests: Reorganize repo + - c/r: Add support for CRIU's --action-script + - c/r: Add support for ghost-limit in CRIU + - c/r: Drop in-flight connections during CRIU dump + - c/r: Initialize migrate_opts properly + - c/r: Make local function static + - c/r: Replace tmpnam() with mkstemp() + - c/r: Store criu version + - c/r: Use PRIu64 format specifier + - doc: Fix typo found by lintian + - doc: Update Japanese lxc-attach(1) + - doc: Update lxc-attach(1) + - lxc-attach: Add -f option (rcfile) + - lxc-attach: Cleanup whitespaces + - lxc-create: Add missing newline in output + - lxc-ls: Use correct runtime path + - templates: alpine: Add support for new arch + - templates: alpine: Mount tmpfs under /run + - templates: debian: Add more quotes to variables (at least $rootfs + should now be covered) + - templates: debian: Avoid noisy perl warnings caused by missing locales + - templates: debian: fix regression when creating wheezy containers + - templates: debian: Make shellcheck (Ubuntu: 0.3.7-5 amd64) most + possible happy + - tests: Add unit tests for lxc_string_in_array() + - tests: Add unit tests for lxc_string_replace() + + -- Stéphane Graber Mon, 15 Aug 2016 23:59:44 -0400 + +lxc (2.0.3-0ubuntu3) yakkety; urgency=medium + + * lxccontainer: Detect if we should send SIGRTMIN+3. Fixes shutdown with + current systemd that dropped the SIGPWR downstream unit. Patch + cherry-picked from upstream master. + + -- Martin Pitt Mon, 01 Aug 2016 08:08:44 +0200 + +lxc (2.0.3-0ubuntu2) yakkety; urgency=medium + + * Build-depend on libgnutls28-dev, not libgnutls-dev which was never + renamed in Debian. + + -- Steve Langasek Thu, 14 Jul 2016 22:56:04 -0700 + +lxc (2.0.3-0ubuntu1) yakkety; urgency=medium + + * New upstream bugfix release (2.0.3): + - apparmor: Refresh generated file + + * New upstream bugfix release (2.0.2): + - apparmor: add make-rslave to usr.bin.lxc-start + - apparmor: Allow bind-mounts + - apparmor: Allow mount move + - apparmor: Update mount states handling + - core: Drop lxc-devsetup as unneeded by current autodev + - core: Fix redefinition of struct in6_addr + - core: Include all lxcmntent.h function declarations on Bionic + - c/r: c/r: use criu's "full" mode for cgroups + - systemd: start containers in foreground when using the lxc@.service + - templates: debian: Make sure init is installed + - templates: oracle: Fix console login + - templates: plamo: Fix various issues + - templates: ubuntu: Install apt-transport-https by default + - travis: ensure 'make install' doesn't fail + - travis: test VPATH builds + - upstart: Force lxc-instance to behave like a good Upstart client + + * Tighten versioned dependencies between the various binary packages. + * Drop lxc-devsetup as it was removed upstream (unneeded with LXC 2.0). + + -- Stéphane Graber Wed, 29 Jun 2016 16:39:06 -0400 + +lxc (2.0.1-0ubuntu2) yakkety; urgency=medium + + * On yakkety, skip the lxc-test-ubuntu test as it requires root.tar.xz + images to be available over simplestreams which don't exist anymore. + + -- Stéphane Graber Thu, 23 Jun 2016 15:41:40 -0400 + +lxc (2.0.1-0ubuntu1) yakkety; urgency=medium + + * New upstream bugfix release (2.0.1) + - apparmor: Also allow fstype=fuse for fuse filesystems + - attach: adapt lxc-attach tests & add test for pty logging + - attach: don't fail attach on failure to setup a SIGWINCH handler. + - attach: fix a variety of lxc-attach pts handling issues + - attach: switch console pty to raw mode (fixes ncurses-based programs) + - attach: use raw settings of ssh for pty + - bindings: fixed python-lxc reference to var before assignment in create() + - bindings: set PyErr when Container.init fails + - cgfsng: defer to cgfs if needed subsystems are not available + - cgfsng: don't require that systemd subsystem be mounted + - core: Added missing type to keys in lxc_list_nicconfigs + - core: Allow configuration file values to be quoted + - core: log: remove duplicate definitons and bump buffer size + - core: sync: properly fail on unexpected message sizes + - core: Unshare netns after setting the userns mappings + (fixes ownership of /proc/net) + - core: various fixes as reported by static analysis + - c/r: add an option to use faster inotify support in CRIU + - c/r: rearrange things to pass struct migrate_opts all the way down + - doc: ignore temporary files generated by doxygen + - doc: tweak manpage generation date to be compatible with + reproducible builds + - doc: update MAINTAINERS + - doc: update to translated manpages + - init: add missing lsb headers to sysvinit scripts + - init: don't make sysv init scripts dependant on distribution specifics + - init: drop obsolete syslog.target from lxc.service.in + - lxc-attach: add logging option to manpage + - lxc-checkconfig: better render when stdout isn't a terminal + - lxc-create: fix -B best option + - lxc-destroy: avoid double print + - lxc-ls: use fewer syscalls when doing ipc + - templates: Add apt-transport-https to minbase variant of Ubuntu template + - templates: fix a typo in the capabilities name for Gentoo (sys_resource) + - templates: logic fix in the Centos template for RHEL7+ support + - templates: tweak Alpine DHCP configuration to send its hostname + - templates: tweak to network configuration of the Oracle template + + -- Stéphane Graber Mon, 16 May 2016 17:39:23 -0400 + +lxc (2.0.0-0ubuntu2) xenial; urgency=medium + + * Add a distro-info test dependency as it's needed to get information + about new Ubuntu releases. (LP: #1572188) + + This is needed to fix the current autopkgtest failures. + + -- Stéphane Graber Tue, 19 Apr 2016 16:06:32 +0100 + +lxc (2.0.0-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0 final) + - Upstream announcement: https://linuxcontainers.org/lxc/news + - Change from last rc: + + Allow bypassing bdev auto detection by setting lxc.rootfs.backend + This fixes a longstanding performance issue caused by LXC having + to run through all its backends and forking sub-processes to + perform the detection. + * Make new lintian happy: + - Bump to 3.9.7 standards + - Update git URL to https + - Override systemd Documentation field warning (upstream units) + + -- Stéphane Graber Wed, 06 Apr 2016 14:42:39 -0400 + +lxc (2.0.0~rc15-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc15) + - lxc-debian: Update supported release names + - lxc-ubuntu: Fix building on secondary architectures + - Update .gitignore for *.so.* + - Use smarter error handling for lxc_strmmap() + - Use common lxc ordering for included headers + - Fix possible buffer overflow strncat only returns its first + argument and not the end of the written string. Thus "buf-pos" is always + 0 and consquently no range check is performed. + - Use snprintf instead of strncat + - CRIU: Support using the CRIU page server for faster migrations. + This optimization isn't used by default, it requires a custom liblxc1 + client. + - Fix buffer overflow in do_start() + - Fixed indentation and comments + * Drop previously cherry-picked change, now upstream. + + -- Stéphane Graber Thu, 31 Mar 2016 18:14:44 -0400 + +lxc (2.0.0~rc14-0ubuntu2) xenial; urgency=medium + + * Cherry-pick tentative upstream fix: + - lxc-ubuntu: Fix building on secondary architectures + + -- Stéphane Graber Wed, 30 Mar 2016 01:29:09 -0400 + +lxc (2.0.0~rc14-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc14) + - open_without_symlink: Don't SYSERROR on something else than ELOOP + - lxc-busybox: Touch /etc/fstab in the container rootfs + - lxc.spec.in: fixed hardcoded path to lxc-net config file + - sync: add LXC_SYNC_ERROR to report errors from another process. + - start: use LXC_SYNC_ERROR to report errors. + - lxc-busybox: Remove warning for dynamically linked Busybox + - utils: split null_stdfds() to open_devnull() and set_stdfds() + - start: open /dev/null from "host" /dev + - Fix installation of out-of-tree (VPATH) builds + - Timezone inside the container is not the same as the host + - use httpredir.debian.org as the default Debian mirror + - always provide a default mirror for debootstraping Ubuntu + - only enable Debian's main repository by default + - start: only use host's /dev/null when absolutely necessary + - add funs to mmap() files to \0-terminated strings + - use lxc_mmap() and lxc_munmap() + - better naming for mmap helpers + + -- Stéphane Graber Tue, 29 Mar 2016 21:35:55 -0400 + +lxc (2.0.0~rc13-0ubuntu2) xenial; urgency=medium + + * Fix the bash completion profiles. + Now that it's in /usr/share, we need it to match the command name, + so rename the main profile to lxc1 and add a symlink for each supported + command. + + -- Stéphane Graber Wed, 23 Mar 2016 13:17:02 -0400 + +lxc (2.0.0~rc13-0ubuntu1) xenial; urgency=medium + + * New usptream release (2.0.0~rc13) + - c/r: don't pass --ext-mount-map flag when console=none + - c/r: don't fail if there is no console_fd on restore + - lxc-checkpoint: make things static when they can be + - c/r: rename restore & friends to __criu_restore + + -- Stéphane Graber Tue, 22 Mar 2016 17:24:32 -0400 + +lxc (2.0.0~rc12-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc12) + - c/r: print criu's stdout when it fails + - c/r: log the exact command we exec + + -- Stéphane Graber Mon, 21 Mar 2016 16:48:24 -0400 + +lxc (2.0.0~rc11-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc11) + - download: Bump to compat level 3 + - autodev: don't always create /dev/console + - cgfsng: two fixes for cgroup-full + - use hierarchy base path not just controller cgroup + - cgroups: try to load cgmanager first + - implement lxc.mount.auto = cgroup for cgfsng + - Prevent access to pci devices + - nesting: remove the nesting hint from configuration templates + - nesting: document how to enable nesting in container configurations + - c/r: drop lxc.console=none config requirement + - criu: hide more stuff in criu.c + + -- Stéphane Graber Thu, 17 Mar 2016 23:26:54 -0400 + +lxc (2.0.0~rc10-0ubuntu2) xenial; urgency=medium + + * Re-order the systemd | cgroup-lite dependency to be + cgroup-lite | systemd instead. + + Systems using systemd will already have it installed, satisfying the + condition and systems that don't have it installed want cgroup-lite + pulled in instead of systemd. + + -- Stéphane Graber Fri, 11 Mar 2016 12:07:21 -0500 + +lxc (2.0.0~rc10-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc10) + - Improve the lxc-attach tests + - Make the exec_criu function static + - cgfsng: Fix cgroup_escape for CRIU + - cgfsng: Return the cgroup path, not the full mounted path + - cgfsng: Fix mode of tasks and procs + - cgfsng: Fix cgroup removal on stop + + -- Stéphane Graber Fri, 11 Mar 2016 01:19:24 -0500 + +lxc (2.0.0~rc9-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc9) + - cgfsng: Fix bad readline length. + - cgfsng: Workaround issue with small size reallocs on i386. + - cgfsng: Make sure a cgroup does not already exist. + + -- Stéphane Graber Wed, 09 Mar 2016 03:06:27 -0500 + +lxc (2.0.0~rc8-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc8) + - Prevent writes to /sys/kernel/debug + - Fix debug output from cgfsng + - Set clone_children to 1 in cgfsng (fixes adt) + + -- Stéphane Graber Tue, 08 Mar 2016 17:47:24 -0500 + +lxc (2.0.0~rc7-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc7) + - Fix upstream tarball to include lxc-devsetup + + -- Stéphane Graber Mon, 07 Mar 2016 18:52:29 -0500 + +lxc (2.0.0~rc6-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc6) + - Update documentation and manpages + - Tweak to init scripts + - Fix lxc-attach pts handling for stderr + - Add a test for lxc-attach pts handling + - Implement a new, more reliable cgfs backend + - Fix to the ALTLinux template + - Fix to the AppArmor profile for systemd + + -- Stéphane Graber Mon, 07 Mar 2016 18:23:02 -0500 + +lxc (2.0.0~rc5-0ubuntu1) xenial; urgency=medium + + * New usptream release (2.0.0~rc5) + - Fix a number of cgfs issues (LP: #1549363, LP: #1543697, LP: #1552355) + - Fix attach failing to allocate a tty (LP: #1551960) + - Fix LXC rebooting the container despite post-stop failure + - Fix lxc-copy output (LP: #1551935) + - Documentation, manpagen and manpage translations update + - Update to the plamo template + + -- Stéphane Graber Thu, 03 Mar 2016 11:05:25 -0500 + +lxc (2.0.0~rc4-0ubuntu1) xenial; urgency=medium + + * New usptream release (2.0.0~rc4) + - Various cgfs fixes + - Updated documentation + + -- Stéphane Graber Fri, 26 Feb 2016 22:38:43 -0500 + +lxc (2.0.0~rc3-0ubuntu3) xenial; urgency=medium + + * Tweak the apparmor part of the lxc postinst: + - Allow loading on systems without mount mediation (precise backport) + - Always wipe the apparmor cache before reloading the profiles. + + -- Stéphane Graber Fri, 26 Feb 2016 01:45:48 -0500 + +lxc (2.0.0~rc3-0ubuntu2) xenial; urgency=medium + + * Cherry-pick bugfix from upstream: + - cgfs: make sure we use valid cgroup mountpoints + + -- Stéphane Graber Thu, 25 Feb 2016 14:40:08 -0500 + +lxc (2.0.0~rc3-0ubuntu1) xenial; urgency=medium + + * New upstream release (2.0.0~rc3) + - Make the cgfs backend and cgns work without cgmanager + - Manpage updates + - Mark lxc-clone and lxc-start-ephemeral deprecated (still included) + * Set --enable-deprecated so we still ship lxc-clone and lxc-start-ephemeral + + -- Stéphane Graber Wed, 24 Feb 2016 21:16:50 -0500 + +lxc (2.0.0~rc2-0ubuntu3) xenial; urgency=medium + + * Use versioned dependencies against the various binary packages. + * Update lxc-templates to depend on lxc1 not lxc. (LP: #1549136) + * Move the lxcfs recommends from lxc-templates to liblxc1. + * Drop cgmanager, use the cgfs backend instead. + * Have liblxc1 depend on systemd | cgroup-lite for cgfs backend. + + -- Stéphane Graber Wed, 24 Feb 2016 11:34:25 -0500 + +lxc (2.0.0~rc2-0ubuntu2) xenial; urgency=medium + + * Fix apparmor profile loading order. + + -- Stéphane Graber Mon, 22 Feb 2016 17:24:44 -0500 + +lxc (2.0.0~rc2-0ubuntu1) xenial; urgency=medium + + * New upstream snapshot (2.0.0~rc2) + - Support upstream Linux cgns. (LP: #1548440) + * Move bash completion profile to /usr/share/bash-completion + * Update a bunch of lintian overrides + * Update packaging for the LTS + - Drop lxc-dbg in favor of the dbgsym packages + - Introduce a new lxc1 package for the old command line tools + - Turn the lxc package into a transitional package to lxc1 + - Introduce a new lxc-common package for all the bits needed by liblxc1 + - Move apparmor, selinux and binary helpers from lxc to lxc-common + - Make lxc-dev depend on liblxc1 rather than lxc + - Move the hooks and template configs from lxc to lxc-templates + + All this moving around of files and new packages will not affect the + functionality of any existing system, nor the behavior of "apt-get + install lxc". It will however make it possible for LXD to provide a new + "lxc2" package which will install a LXD-only experience. + + -- Stéphane Graber Fri, 19 Feb 2016 23:16:23 -0500 + +lxc (2.0.0~rc1-0ubuntu1) xenial; urgency=medium + + * New upstream snapshot (2.0.0~rc1) + - Drop all patches except for the fix for LP: #1509414 + * Add logic to fix bash completion on 12.04 backports. + + -- Stéphane Graber Thu, 18 Feb 2016 12:32:36 -0500 + +lxc (2.0.0~beta2-0ubuntu2) xenial; urgency=medium + + * Cherry-pick upstream bugfix for lxc-ls behavior. + This should fix the current juju test regression. + + -- Stéphane Graber Tue, 02 Feb 2016 14:53:40 +0100 + +lxc (2.0.0~beta2-0ubuntu1) xenial; urgency=medium + + * New upstream snapshot (2.0.0~beta2) + - Drop all patches except for the fix for LP: #1509414 + + -- Stéphane Graber Mon, 01 Feb 2016 17:25:03 +0100 + +lxc (1.1.5-0ubuntu6) xenial; urgency=medium + + * Switch recommends from libpam-cgm to libpam-cgfs. + + -- Serge Hallyn Fri, 29 Jan 2016 11:32:16 +0100 + +lxc (1.1.5-0ubuntu5) xenial; urgency=medium + + * No-change rebuild to drop python3.4 support. + + -- Matthias Klose Tue, 19 Jan 2016 13:33:28 +0000 + +lxc (1.1.5-0ubuntu4) xenial; urgency=medium + + * Add libpam-cgm to Recommends + * Cherrypick upstream patches to support starting containers when not all + cgroups are writeable. + * Cherrypick upstream patch to avoid null dereference in failure case. + + -- Serge Hallyn Tue, 12 Jan 2016 18:01:07 -0800 + +lxc (1.1.5-0ubuntu3) xenial; urgency=medium + + * Cherry-pick from upstream: + - Fix preserve_ns to work on < 3.8 kernels. (LP: #1516971) + - Fix process title rewrite to not mangle the environment. (LP: #1517107) + + -- Stéphane Graber Wed, 18 Nov 2015 13:30:41 -0500 + +lxc (1.1.5-0ubuntu2) xenial; urgency=medium + + * Cherry-pick from upstream: + - Fix ubuntu-cloud template to detect compression algorithm instead + of hardcoding xz. Also update list of supported releases and use trusty + as the fallback release. (LP: #1515463) + * Update lxc-tests description to make it clear that this package is + meant to be used by developers and by automated testing. + + -- Stéphane Graber Fri, 13 Nov 2015 12:05:36 -0500 + +lxc (1.1.5-0ubuntu1) xenial; urgency=medium + + * New upstream bugfix release (1.1.5) + (LP: #1514558, LP: #1497420, LP: #1466458, LP: #1510619) + * Drop proxy detection from the autopkgtest exercise script. + + -- Stéphane Graber Mon, 09 Nov 2015 14:22:16 -0500 + +lxc (1.1.4-0ubuntu3) xenial; urgency=medium + + * Revert previous upload as we now have a NetworkManager fix! + + -- Stéphane Graber Tue, 03 Nov 2015 15:47:55 -0500 + +lxc (1.1.4-0ubuntu2) xenial; urgency=medium + + * Add a workaround for the broken NetworkManager which breaks lxcbr0 + from under us. (LP: #1512749) + + -- Stéphane Graber Tue, 03 Nov 2015 12:05:10 -0500 + +lxc (1.1.4-0ubuntu1.1) wily-proposed; urgency=medium + + * lxc-net init script: update to select the default lxc bridge network + at first service start time rather than install time. (LP: #1509414) + * lxc-net init script: also move cleanup() definition as it was undefined + when called after failed dnsmasq. + * lxc.preinst: + - remove code for writing /etc/default/lxc-net (moved to lxc-net service) + - add code removing just the known-potentially-bad /etc/default/lxc-net + - if user had deleted /etc/default/lxc-net (intending to disable lxcbr0), + honor that by creating one which says not to use lxcbr0. + + -- Serge Hallyn Fri, 23 Oct 2015 19:29:23 -0500 + +lxc (1.1.4-0ubuntu1) wily; urgency=medium + + * New upstream bugfix release (1.1.4) + - This fixes CVE-2015-1335 (LP: #1476662) + - Detailed changelog at: https://linuxcontainers.org/lxc/news + + -- Stéphane Graber Tue, 06 Oct 2015 15:45:15 +0100 + +lxc (1.1.3-0ubuntu2) wily; urgency=medium + + * Build using libseccomp on all architectures. + + -- Matthias Klose Sat, 03 Oct 2015 21:02:39 +0200 + +lxc (1.1.3-0ubuntu1) wily; urgency=medium + + * New upstream bugfix release (1.1.3) + - Drop all patches (all upstream now) + * Drop lxc-restore-net from lxc.install as it's no longer needed by CRIU. + + -- Stéphane Graber Fri, 14 Aug 2015 19:45:30 -0400 + +lxc (1.1.2-0ubuntu5) wily; urgency=medium + + * debian/rules: call dh_systemd_start --no-restart-on-upgrade (LP: #1476691) + + -- Serge Hallyn Thu, 23 Jul 2015 09:35:12 -0500 + +lxc (1.1.2-0ubuntu4) wily; urgency=medium + + * No-change rebuild for python3.5 transition + + -- Steve Langasek Wed, 22 Jul 2015 19:00:00 +0000 + +lxc (1.1.2-0ubuntu3) vivid; urgency=medium + + * Cherry-pick a bunch of bugfixes: + - 81216170c1c2555498573e9fe200e20d3b433b14 fix integer overflow in setproctitle + - e310e136b9de89c9f8596c004afa217f308aea3d c/r: no double fclose() of mnts + - 216113e77331881d3c45bd4e141a4f458c9a4565 fix NULL dereference + - 53caaac80f6850287251cc5e3a02479fb4a27087 fix dead code + - 8721f7f43185208e0c1802ff2bc03108fd3e3204 lxc-fedora: manage secondary architectures + - 3149bd4c0e81973b3db2e1230bd1784dc222a4ed don't compare unsigned values as negative ones + - 17f48b9679b2bb6d4e5d156fa59e6399f82277d9 Revert (by hand) "logs: introduce a thread-local 'current' lxc_config" + + Those combined will make LXD pass its testsutie (fixing threading bugs). + + -- Stéphane Graber Tue, 14 Apr 2015 18:39:15 -0500 + +lxc (1.1.2-0ubuntu2) vivid; urgency=medium + + * Cherry-pick a fix from upstream to resolve invalid command message + on container stop. + + -- Stéphane Graber Mon, 13 Apr 2015 17:02:41 -0500 + +lxc (1.1.2-0ubuntu1) vivid; urgency=medium + + * New upstream bugfix release (1.1.2) + - Drop all patches (all upstream now) + - Fix checkpoint/restore of vivid containers + - Fix unprivileged containers under systemd + - Fix a few race conditions and hangs + - Update manpages + + -- Stéphane Graber Fri, 10 Apr 2015 15:24:50 -0400 + +lxc (1.1.1-0ubuntu4) vivid; urgency=medium + + * Cherry-pick fix for lxc-test-apparmor: + - fad5004627bebe251228450a8a086500d803b9e4 + + -- Stéphane Graber Mon, 06 Apr 2015 12:32:31 -0400 + +lxc (1.1.1-0ubuntu3) vivid; urgency=medium + + * Add lxcfs as a test dependency of lxc. + * Reload apparmor at configure time if the profile helper script isn't + around and apparmor appears to be installed (ignore errors). + + -- Stéphane Graber Mon, 30 Mar 2015 12:49:37 -0400 + +lxc (1.1.1-0ubuntu2) vivid; urgency=medium + + * Cherry-pick fix for attach when stdin isn't a tty: + - d3b6301135280d21d0c1c7d427e1c587b3177b69 + + -- Stéphane Graber Tue, 17 Mar 2015 15:51:09 -0400 + +lxc (1.1.1-0ubuntu1) vivid; urgency=medium + + * New upstream bugfix release (1.1.1) + + -- Stéphane Graber Mon, 16 Mar 2015 17:09:54 -0400 + +lxc (1.1.0-0ubuntu1) vivid; urgency=medium + + * New upstream release (1.1.0) + + -- Stéphane Graber Fri, 30 Jan 2015 14:17:14 +0100 + +lxc (1.1.0~rc4-0ubuntu1) vivid; urgency=medium + + * New upstream release (1.1.0~rc4) + + -- Stéphane Graber Fri, 30 Jan 2015 00:04:05 +0100 + +lxc (1.1.0~rc3-0ubuntu1) vivid; urgency=medium + + * New upstream release (1.1.0~rc3) + + -- Stéphane Graber Wed, 28 Jan 2015 23:35:01 +0100 + +lxc (1.1.0~rc2-0ubuntu1) vivid; urgency=medium + + * New upstream release (1.1.0~rc2) + + -- Stéphane Graber Sun, 25 Jan 2015 15:55:35 -0500 + +lxc (1.1.0~rc1-0ubuntu1) vivid; urgency=medium + + * New upstream release (1.1.0~rc1) + * Add lxcfs to lxc-templates recommends. (MIR: #1413405) + * Build the lua-lxc binding. (MIR: #1413402) + + -- Stéphane Graber Wed, 21 Jan 2015 17:34:45 -0500 + +lxc (1.1.0~alpha3-0ubuntu1) vivid; urgency=medium + + * New upstream release (1.1.0~alpha3) + - Drop all patches, they are now all upstream. + + -- Stéphane Graber Wed, 03 Dec 2014 15:31:34 -0500 + +lxc (1.1.0~alpha2-0ubuntu7) vivid; urgency=medium + + * Cherrypick 0010-apparmor-check-for-mount-feature-at-a-better-time.patch + from upstream to fix startup failure with certain setups (LP: #1386840) + + -- Serge Hallyn Tue, 11 Nov 2014 14:54:44 -0600 + +lxc (1.1.0~alpha2-0ubuntu6) vivid; urgency=medium + + * 0009-attach-dont-ignore-sigint-sigkill-if-stdin-is-redirected: cherrypick + an upstream patch needed to keep lxd from being exited with ctrl-c after + a lxc shell. + + -- Serge Hallyn Fri, 07 Nov 2014 15:58:58 +0100 + +lxc (1.1.0~alpha2-0ubuntu5) vivid; urgency=medium + + * cherrypick 0008-cgmanager-fix-attach-with-all-controller from upstream to + fix regression in attaching to containers. + + -- Serge Hallyn Mon, 03 Nov 2014 17:22:53 +0100 + +lxc (1.1.0~alpha2-0ubuntu4) vivid; urgency=medium + + * install lxc-restore-net to /usr/share so that it doesn't get overmounted by + the rootfs in preparation for restore. (LP: #1384751) + + -- Tycho Andersen Mon, 27 Oct 2014 19:36:21 -0500 + +lxc (1.1.0~alpha2-0ubuntu3) utopic; urgency=medium + + * fix usernic and apparmor-mounts tests to not clear out the host's + /etc/lxc/lxc-usernet + * fix unprivileged containers when user's cgroup paths are not all + equivalent, and add a testcase for that. + * fix broken behavior when configuration has 'lxc.mount.auto =' + (LP: #1379030) + + -- Serge Hallyn Thu, 09 Oct 2014 12:25:16 -0500 + +lxc (1.1.0~alpha2-0ubuntu2) utopic; urgency=medium + + * Cherry-pick usptream bugfix for lxc-usernic test. + + -- Stéphane Graber Thu, 02 Oct 2014 15:01:56 -0400 + +lxc (1.1.0~alpha2-0ubuntu1) utopic; urgency=medium + + * New upstream release (1.1.0~alpha2) (LP: #1376437) + - Fixes systemd support of lxc-net. (LP: #1312532) + - Introduces support for Openvswitch bridges + - Fixes running unprivilged containers on recent kernels + - Various other bugfixes (LP: #1349918, LP: #1353734, LP: #1354375, + LP: #1307215, LP: #1346815, LP: #1271000, + LP: #1372878) + * WARNING: This release changes the default behavior of lxc-start to + daemonized. If you do need it to stick to the foreground, please pass it + -F or --foreground. The new -F option has also been pushed to the + stable 1.0 branch so that scripts can be made to work regardless of + default behavior. + + -- Stéphane Graber Wed, 01 Oct 2014 17:55:02 -0400 + +lxc (1.1.0~alpha1-0ubuntu5) utopic; urgency=medium + + * d/p/0003-apparmor-also-deny-silent-remount.patch: update to also patch + container-base.in + * d/p/0004-apparmor-signal-ptrace-unix-mediation.patch: refine signal and + ptrace rules and add unix rules for container enforcement (LP: #1373555) + * debian/rules: + - don't delete the dbus, ptrace and signal lines, but instead comment them + out. This is more consistent with the comment in the policy and lets + people see what the policy would be + - adjust for unix rules + - adjust versioned depends + + -- Jamie Strandboge Fri, 26 Sep 2014 10:59:21 -0500 + +lxc (1.1.0~alpha1-0ubuntu4) utopic; urgency=medium + + * d/p/0003-apparmor-also-deny-silent-remount.patch: newer lxc uses 'silent' + when remounting on shutdown. Silence that denial too + + -- Jamie Strandboge Thu, 04 Sep 2014 15:24:15 -0500 + +lxc (1.1.0~alpha1-0ubuntu3) utopic; urgency=medium + + * No-change rebuild to get dbgsyms for all binaries onto + ddebs.ubuntu.com + + -- Steve Langasek Thu, 24 Jul 2014 12:20:43 -0700 + +lxc (1.1.0~alpha1-0ubuntu2) utopic; urgency=medium + + * d/p/0001-lxc-test-unpriv-usernic.in-make-sure-to-chgrp-as-wel.patch: + Fix test failures in jenkins. + * d/p/0002-Remove-mention-of-mountcgroups-in-ubuntu.common-conf.patch: + Fix the comment in the ubuntu common config about how to support nesting. + (LP: #1342960) + + -- Serge Hallyn Thu, 17 Jul 2014 16:42:46 -0500 + +lxc (1.1.0~alpha1-0ubuntu1) utopic; urgency=medium + + * New upstream release (1.1.0~alpha1) + * Enable ppc64el adt as we now have ppc64el images available for download. + + -- Stéphane Graber Mon, 07 Jul 2014 15:44:27 -0400 + +lxc (1.0.4-0ubuntu2) utopic; urgency=medium + + * Cherry-pick upstream commits to fix testsuite under adt: + - tests: Avoid the download template when possible + - tests: Don't fail when HOME isn't defined + - tests: apparmor: Always end with a newline + + -- Stéphane Graber Sat, 14 Jun 2014 16:07:18 -0400 + +lxc (1.0.4-0ubuntu1) utopic; urgency=medium + + * New upstream bugfix release. + - Drop all existing patches (all applied upstream). + * Depend on either cgmanager or cgroup-lite and recommend cgmanager. + This should ensure systems get cgmanager by default even if cgroup-lite + is already installed, yet makes it possible for the user to remove + cgmanager if they really want to. + * Remove hardcoded dependency on apparmor, instead generate it from + rules so that the source package can be backported without changes (the + right apparmor version will be picked up based on the release number). + + -- Stéphane Graber Fri, 13 Jun 2014 15:09:04 -0400 + +lxc (1.0.3-0ubuntu5build1) utopic; urgency=medium + + * no-change rebuild to pick up /etc/init.d/ files. + + -- Serge Hallyn Thu, 29 May 2014 11:59:18 -0500 + +lxc (1.0.3-0ubuntu5) utopic; urgency=medium + + * Cherry-pick upstream commit to fix lxc-attach on 3.15 kernels. + + -- Stéphane Graber Mon, 26 May 2014 07:51:29 +0200 + +lxc (1.0.3-0ubuntu4) utopic; urgency=medium + + * Do not start lxc-instance in postinst without any instance specified, + as that is an invalid request. + + -- Dimitri John Ledkov Thu, 15 May 2014 15:18:33 +0100 + +lxc (1.0.3-0ubuntu3) trusty; urgency=medium + + * Add a dependency on the new apparmor to make sure we have the new + parser around before we attempt to load a profile requiring the new + stanza support. (LP: #1304167) + + -- Stéphane Graber Mon, 14 Apr 2014 10:10:40 -0400 + +lxc (1.0.3-0ubuntu2) trusty; urgency=medium + + * Cherry-pick upstream fix for cgmanager integration. (LP: #1303649) + + -- Stéphane Graber Fri, 11 Apr 2014 12:17:41 -0400 + +lxc (1.0.3-0ubuntu1) trusty; urgency=medium + + * New upstream bugfix release. + * Drop debian/patches/apparmor-signal-ptrace.patch, now upstream. + + -- Stéphane Graber Tue, 08 Apr 2014 19:32:40 -0400 + +lxc (1.0.2-0ubuntu2) trusty; urgency=medium + + * updates for AppArmor signal and ptrace mediation (LP: #1298611) + - debian/patches/apparmor-signal-ptrace.patch: add signal and ptrace rules + to abstractions/container-base and abstractions/start-container + - debian/rules: remove signal and ptrace rules for Ubuntu releases earlier + than 14.04 LTS + + -- Jamie Strandboge Thu, 03 Apr 2014 07:06:56 -0500 + +lxc (1.0.2-0ubuntu1) trusty; urgency=medium + + * New upstream bugfix release. + * Update packaging from daily branch. + - Build-depend on libcgmanager-dev + - Build-depend on libseccomp-dev for armhf too + - Move rsync dependency from lxc to liblxc1 + - Stop recommending cgroup-lite | cgroup-bin (replace by cgmanager) + - Stop recommending libcap2-bin (lxc-setcap was dropped ages ago) + - Stop recommending openssl from lxc (only used by templates) + - Move uidmap recommend from lxc to liblxc1 + - Recommend busybox-static for lxc-templates + - Add cgmanager as a dependency of liblxc1 + - Enable cgmanager support in LXC (LP: #1279048) + - Drop cgroup-lite test suite dependency. + - Update testsuite runner to work inside an unprivileged container. + - Update testsuite runner to work in the LXC CI environment. + + -- Stéphane Graber Thu, 27 Mar 2014 23:18:11 -0400 + +lxc (1.0.1-0ubuntu1) trusty; urgency=medium + + * New upstream bugfix release. (LP: #1246094, LP: #1277466) + Changelog at: https://linuxcontainers.org/news + * Add xz-utils to lxc-templates' dependencies. + + -- Stéphane Graber Fri, 07 Mar 2014 12:18:28 -0500 + +lxc (1.0.0-0ubuntu4) trusty; urgency=medium + + * Tweak autopkgtest proxy detection to hopefully detect the right + proxy on the armhf testers... + + -- Stéphane Graber Sat, 22 Feb 2014 00:28:50 -0500 + +lxc (1.0.0-0ubuntu3) trusty; urgency=medium + + * Add debootstrap to autopkgtest dependencies. + + -- Stéphane Graber Fri, 21 Feb 2014 22:24:03 -0500 + +lxc (1.0.0-0ubuntu2) trusty; urgency=medium + + * Update autopkgtest script to detect: + - ppc64el + - running in a container + - running on an older kernel + + -- Stéphane Graber Fri, 21 Feb 2014 20:16:44 -0500 + +lxc (1.0.0-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0). + * Replace liblxc0 by liblxc1. + + -- Stéphane Graber Thu, 20 Feb 2014 13:53:18 -0500 + +lxc (1.0.0~rc4-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~rc4). + + -- Stéphane Graber Wed, 19 Feb 2014 15:04:25 -0500 + +lxc (1.0.0~rc3-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~rc3). + + -- Stéphane Graber Mon, 17 Feb 2014 22:16:17 -0500 + +lxc (1.0.0~rc1-0ubuntu2) trusty; urgency=medium + + * Re-add adt proxy workaround, it should have been fixed in adt but + apparently it's not, so keep hardcoding the right values for now. + + -- Stéphane Graber Thu, 13 Feb 2014 23:55:59 -0500 + +lxc (1.0.0~rc1-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~rc1). + * Drop dont_crash_log_init.patch: upstreamed + * Drop adt proxy workaround (fixed in adt). + * Make lxc-templates arch:any since unfortunately lxc-sshd hardcodes + some paths... + + -- Stéphane Graber Thu, 13 Feb 2014 18:58:51 -0500 + +lxc (1.0.0~beta4-0ubuntu2) trusty; urgency=medium + + * debian/patches/dont_crash_log_init.patch: don't crash if no name is passed + to lxc_log_init(), such as is the case with lxc-autostart. (LP: #1277450) + + -- Mathieu Trudel-Lapierre Fri, 07 Feb 2014 07:06:50 -0500 + +lxc (1.0.0~beta4-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~beta4). (LP: #1273769) + * Move uidmap from Depends to Recommends. + * Drop duplicate python3 cflags (LP: #1272948) + * Tweak adt to use a proxy server. + + -- Stéphane Graber Thu, 06 Feb 2014 19:32:23 -0500 + +lxc (1.0.0~beta3-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~beta3). + * Drop Build-conflict and instead pass --disable-lua. + * Update autopkgtests to dynamically run all upstream tests. + * Create /etc/lxc/lxc-usernet if missing. + * Apparmor profiles and upstart jobs are now upstream (drop from packaging). + * Bash completetion is now upstream. + * Update lintian overrides. + * DEPRECATED: lxc-aa-custom-profile has been dropped, instead use the + examples in the default configuration file. + * DEPRECATED: lxc-list has been dropped. Use "lxc-ls -f" instead. + * DEPRECATED: lxc-halt has been dropped. Use "lxc-stop" instead. + + -- Stéphane Graber Mon, 27 Jan 2014 14:40:48 +0000 + +lxc (1.0.0~beta2-0ubuntu2) trusty; urgency=medium + + * Build python3 extension for all supported python versions. LP: #127236. + * Build-conflict with lua5.2*, the packaging is not ready for it. + + -- Matthias Klose Sun, 26 Jan 2014 09:57:03 +0100 + +lxc (1.0.0~beta2-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~beta2). + * Removed patches (no remaining): + - 0000-add-autostart.patch + - 0001-fix-lxc-usernsexec-regression.patch + * Update packaging for upstream's implementation of autostart. + * Allow dbus in lxc-start apparmor profile (needed by the avahi hook). + + -- Stéphane Graber Wed, 15 Jan 2014 20:22:45 -0500 + +lxc (1.0.0~beta1-0ubuntu3) trusty; urgency=medium + + * Add lxc-container-with-mounting apparmor profile. + * Add iptables rules to always allow DHCP and DNS from the containers + to the host. + + -- Stéphane Graber Wed, 01 Jan 2014 14:37:49 +0100 + +lxc (1.0.0~beta1-0ubuntu2) trusty; urgency=medium + + * d/p/0001-fix-lxc-usernsexec-regression.patch: fix a regression breaking + lxc-usernsexec and, through that, all unprivileged container use. + + -- Serge Hallyn Thu, 19 Dec 2013 14:04:58 -0600 + +lxc (1.0.0~beta1-0ubuntu1) trusty; urgency=medium + + * New upstream release (1.0.0~beta1). + * Removed patches: + - 0001-lxcapi_clone-set-the-right-environment-variable-for-.patch + - 0002-don-t-fail-lxc-init-if-we-couldn-t-mount-proc.patch + + -- Stéphane Graber Tue, 17 Dec 2013 15:52:17 -0500 + +lxc (1.0.0~alpha3-0ubuntu8) trusty; urgency=low + + * Add iptables rule to fix checksum of udp packets for dhcp (LP: #930962) + + -- Serge Hallyn Tue, 10 Dec 2013 11:27:09 -0600 + +lxc (1.0.0~alpha3-0ubuntu7) trusty; urgency=low + + * Add a lxc-default-with-mounting profile which allows the container to + mount block filesystems. (LP: #1257389) + + -- Serge Hallyn Mon, 09 Dec 2013 13:19:31 -0600 + +lxc (1.0.0~alpha3-0ubuntu6) trusty; urgency=low + + * lxc-net: detect whether iptables -w flag is supported, so that backports + won't be broken. + + -- Serge Hallyn Mon, 02 Dec 2013 21:06:47 -0600 + +lxc (1.0.0~alpha3-0ubuntu5) trusty; urgency=low + + * Add -w to iptables calls in lxc-net (LP: #1257117) + + -- Serge Hallyn Mon, 02 Dec 2013 17:49:28 -0600 + +lxc (1.0.0~alpha3-0ubuntu4) trusty; urgency=low + + * Build-depend on libgnutls-dev for template checksuming. + + -- Stéphane Graber Fri, 29 Nov 2013 20:16:56 -0500 + +lxc (1.0.0~alpha3-0ubuntu3) trusty; urgency=low + + * d/p/0002-don-t-fail-lxc-init-if-we-couldn-t-mount-proc.patch: fix + failure to run lxc-init when lxc.cap.drop=sys_admin. (LP: #1253669) + + -- Serge Hallyn Fri, 22 Nov 2013 15:57:59 -0600 + +lxc (1.0.0~alpha3-0ubuntu2) trusty; urgency=low + + * Cherry-pick fix for lxc-clone hook script environment variable. + 0001-lxcapi_clone-set-the-right-environment-variable-for-.patch + (LP: #1253573) + + -- Stéphane Graber Thu, 21 Nov 2013 10:29:45 -0500 + +lxc (1.0.0~alpha3-0ubuntu1) trusty; urgency=low + + * New upstream release (1.0.0~alpha3). + * Removed patches: + - 0001-debian-template-set-hwaddr + - 0002-lxc-start-if-we-pass-in-a-config-file-then-don-t-use.patch + - get_rid_of_lxcpath_anon_idea.patch + + -- Stéphane Graber Fri, 15 Nov 2013 16:31:01 -0500 + +lxc (1.0.0~alpha2-0ubuntu6) trusty; urgency=low + + * d/p/0002-lxc-start-if-we-pass-in-a-config-file-then-don-t-use.patch + fix lxc-start -with -f option to not use multiple configuration + files (LP: #1251352) + + -- Serge Hallyn Thu, 14 Nov 2013 14:19:02 -0600 + +lxc (1.0.0~alpha2-0ubuntu5) trusty; urgency=low + + [ Serge Hallyn] + * debian/rules and debian/lxc.postinst: set /var/lib/lxc and /var/cache/lxc + to be perms 700. That prevents unprivileged users from running setuid-root + applications. Install that way by default, and for any previous versions, + update the permissions. After this version, respect the user's choice. + (LP: #1244635) + + [ Stéphane Graber ] + * Allow lxc.conf to start even if LXC_AUTO=false so that other jobs + can depend on it. Also make sure we always load our apparmor profiles. + (LP: #1227937) + + -- Stéphane Graber Tue, 29 Oct 2013 12:15:21 -0400 + +lxc (1.0.0~alpha2-0ubuntu4) trusty; urgency=low + + * get_rid_of_lxcpath_anon_idea.patch: allow lxc-stop and lxc-attach to + work more easily with containers started with a custom config (-f). + (LP: #1244301) + + -- Serge Hallyn Thu, 24 Oct 2013 11:55:06 -0500 + +lxc (1.0.0~alpha2-0ubuntu3) trusty; urgency=low + + * Fix syntax error in upstart job. + + -- Stéphane Graber Mon, 21 Oct 2013 18:51:36 -0400 + +lxc (1.0.0~alpha2-0ubuntu2) trusty; urgency=low + + * Set lxcpath in lxc-instance, that should make the containers visible + in lxc-ls and other tools again. (LP: #1242074) + + -- Stéphane Graber Mon, 21 Oct 2013 15:27:05 -0400 + +lxc (1.0.0~alpha2-0ubuntu1) trusty; urgency=low + + * New upstream release (1.0.0~alpha2). + * Removed patches: + - 0002-pin_rootfs-be-quiet-and-don-t-fail-container-start.patch + - 0003-move-monitor-fifo-and-monitor-sock-to-run.patch + - 0004-hash-lxcname-for-use-in-monitor-unix-socket-sun_path.patch + - 0005-ignore-ability-to-init-lxc-monitord.log.patch + - 0006-add-pstore-to-container-fstab.patch + - 0007-apparmor.c-drop-newline-when-reading-current-profile.patch + - 0008-Fix-crasher-in-get_ips.patch + - 0009-lxc-ubuntu-cloud-pass-numeric-owner-and-p-to-untar.patch + - 0010-lxc-ubuntu-cloud-Cope-with-spaces-in-paths.patch + - 0011-ubuntu-cloud-prep-hook-fix-debug-helper-to-not-inapp.patch + * Change website to new URL (http://linuxcontainers.org). + * Build with the test binaries and introduce a new lxc-tests package. + * Don't build any of the binary packages on !linux. + * Enable SELinux support. + * Add watch file. + + -- Stéphane Graber Mon, 21 Oct 2013 09:17:18 -0400 + +lxc (1.0.0~alpha1-0ubuntu11) saucy; urgency=low + + * Deny any kind of access to /sys/kernel/security/** as the containers + have no reason to read that and it's been causing dbus-daemon to think + it can integrate with apparmor. + + -- Stéphane Graber Thu, 10 Oct 2013 12:58:54 -0400 + +lxc (1.0.0~alpha1-0ubuntu10) saucy; urgency=low + + [ Serge Hallyn ] + * Cherrypicking bugfix from upstream + - 0011-ubuntu-cloud-prep-hook-fix-debug-helper-to-not-inapp.patch + + [ Stéphane Graber ] + * On saucy and higher, add "dbus," to the container-base profile. + (done that way as LXC is backported down to 12.04) + + -- Stéphane Graber Wed, 09 Oct 2013 14:04:23 -0400 + +lxc (1.0.0~alpha1-0ubuntu9) saucy; urgency=low + + * Update patch with current upstream version (LP: #1236726) + - 0009-lxc-ubuntu-cloud-pass-numeric-owner-and-p-to-untar.patch + * Cherrypicking bugfix from upstream + - 0010-lxc-ubuntu-cloud-Cope-with-spaces-in-paths.patch + + -- Stéphane Graber Tue, 08 Oct 2013 11:11:33 -0400 + +lxc (1.0.0~alpha1-0ubuntu8) saucy; urgency=low + + * Add a recommends on uuid-runtime to lxc-templates as the + ubuntu-cloud template uses uuidgen. + + -- Stéphane Graber Mon, 07 Oct 2013 17:35:56 -0400 + +lxc (1.0.0~alpha1-0ubuntu7) saucy; urgency=low + + * Cherrypicking bugfix from upstream (LP: #1236577) + - 0009-lxc-ubuntu-cloud-pass-numeric-owner-and-p-to-untar.patch + + -- Serge Hallyn Mon, 07 Oct 2013 16:17:27 -0500 + +lxc (1.0.0~alpha1-0ubuntu6) saucy; urgency=low + + * Cherrypicking bugfix from upstream + - 0008-Fix-crasher-in-get_ips.patch + (Fixes lxc-list on Ubuntu Touch amongst other cases) + + -- Stéphane Graber Sun, 29 Sep 2013 20:52:53 -0400 + +lxc (1.0.0~alpha1-0ubuntu5) saucy; urgency=low + + * Cherrypicking bugfix from upstream (LP: #1227313) + - 0007-apparmor.c-drop-newline-when-reading-current-profile.patch + + -- Serge Hallyn Fri, 27 Sep 2013 15:14:24 -0500 + +lxc (1.0.0~alpha1-0ubuntu4) saucy; urgency=low + + * modify 0006-add-pstore-to-container-fstab.patch: make pstore mount + optional. + + -- Serge Hallyn Mon, 16 Sep 2013 11:50:05 -0500 + +lxc (1.0.0~alpha1-0ubuntu3) saucy; urgency=low + + * Cherrypick bugfix from upstream + (pre-mount pstore to avoid mountall hanging at boot time): + - 0006-add-pstore-to-container-fstab.patch + + -- Stéphane Graber Fri, 13 Sep 2013 16:57:29 -0400 + +lxc (1.0.0~alpha1-0ubuntu2) saucy; urgency=low + + * Add allow-stderr to autopkgtst restrictions as the Ubuntu template + uses policy-rc.d to disable some daemons and that causes a message to + be printed on stderr when the service tries to start. + + -- Stéphane Graber Thu, 12 Sep 2013 13:57:17 -0400 + +lxc (1.0.0~alpha1-0ubuntu1) saucy; urgency=low + + * New upstream release (LP: #1218426) + - A very long list of bugfixes, including: + (LP: #1081786, LP: #1029777, LP: #987770, LP: #1212290, LP: #1199146, + LP: #1124526, LP: #1014916, LP: #1212414, LP: #1168526, LP: #1135871) + * Removed patches: + - transition/00-redirect-lxc-halt.patch + - 0001-fix-race-with-fast-init + - 0002-lxc-functions-safe-in-dash + - 0003-python-module-fixes + - 0004-lxc-ps-handle-cgroup-collisions.patch + - 0005-cgroup-prevent-DOS-when-a-hierachy-is-mounted-multip.patch + - 0006-lxc-clone-fix-lvm-blockdev-usage + - 0007-lxc.conf.doc + - 0008-ignore-rootfs-pin-fail.patch + - 0009-conf.c-if-we-don-t-specify-a-rootfs-we-still-need-pr.patch + - conf.c-always-strdup-rootfs.mount + - 0011-cgroup-hook-handle-stricter-kernel + - 0012-add-kernel-filesystems-to-fstab + - 0013-ubuntu-cloud-fix-hostid + - 0014-lxc-apparmor-null-terminate-buffer + - 0015-fix-ipv6-pton + * Refreshed patches: + - transition/00-redirect-lxc-list.patch + - 0000-add-autostart.patch + - 0001-debian-template-set-hwaddr + * New patches (fix regression when /var/lib/lxc is read-only): + - 0002-pin_rootfs-be-quiet-and-don-t-fail-container-start.patch + - 0003-move-monitor-fifo-and-monitor-sock-to-run.patch + - 0004-hash-lxcname-for-use-in-monitor-unix-socket-sun_path.patch + - 0005-ignore-ability-to-init-lxc-monitord.log.patch + * Updated debian/copyright to reflect reality. + * Fix lxc-template's short description. + * Replace the cloud-utils recommends by cloud-image-utils | cloud-utils + to use the new saucy package and still allow for easy backports. + (LP: #1224545) + + -- Stéphane Graber Thu, 12 Sep 2013 12:45:05 -0400 + +lxc (0.9.0-0ubuntu23) saucy; urgency=low + + * 0014-lxc-apparmor-null-terminate-buffer: make sure a value we fread is + null-terminated (LP: #1215386) + * 0015-fix-ipv6-pton: call inet_pton on the value without the netmask. + (LP: #1215391) + + -- Serge Hallyn Fri, 23 Aug 2013 11:39:55 -0500 + +lxc (0.9.0-0ubuntu22) saucy; urgency=low + + * ubuntu-cloud: fix typo keeping --hostid from working (LP: #1197357) + + -- Serge Hallyn Thu, 15 Aug 2013 14:40:58 -0500 + +lxc (0.9.0-0ubuntu21) saucy; urgency=low + + * Fix autopkgtest failure by unsetting TMPDIR in the test. + + -- Stéphane Graber Fri, 09 Aug 2013 16:30:47 +0200 + +lxc (0.9.0-0ubuntu20) saucy; urgency=low + + * Build-depend on hardening-wrapper to meet MIR security requirements. + This is done instead of using the new dpkg-buildflags as those are a pain + to get to work when building both binaries and libraries when using -PIE. + + -- Stéphane Graber Fri, 09 Aug 2013 14:33:59 +0200 + +lxc (0.9.0-0ubuntu19) saucy; urgency=low + + * Add variable in /etc/default/lxc-net to optionally resolve .lxc on + lxcbr0. + + -- Serge Hallyn Tue, 06 Aug 2013 09:03:59 -0500 + +lxc (0.9.0-0ubuntu18) saucy; urgency=low + + * 0012-add-kernel-filesystems-to-fstab: saucy containers will fail to start + unless security, debug, and connections are pre-mounted. + + -- Serge Hallyn Thu, 25 Jul 2013 22:01:02 -0500 + +lxc (0.9.0-0ubuntu17) saucy; urgency=low + + * 0011-cgroup-hook-handle-stricter-kernel: fix the mountcgroups hook in the + face of new restrictions imposed by the kernel on devices cgroups. + (LP: #1196518) + + -- Serge Hallyn Fri, 05 Jul 2013 20:44:57 +0200 + +lxc (0.9.0-0ubuntu16) saucy; urgency=low + + * conf.c-always-strdup-rootfs.mount: prevent segfault when using + lxc.rootfs.mount. + + -- Serge Hallyn Mon, 01 Jul 2013 15:29:17 -0500 + +lxc (0.9.0-0ubuntu15) saucy; urgency=low + + * lxc-net: support an optional dnsmasq configuration file. + * 0010-debian-template-set-hwaddr: set persistent macaddr when creating a + debian container (LP: #1080681) + * lxc.apport: add /etc/lxc/{dnsmasq,default,lxc}.conf and + /etc/default/lxc{,-net}.conf + + -- Serge Hallyn Tue, 11 Jun 2013 07:47:32 -0500 + +lxc (0.9.0-0ubuntu14) saucy; urgency=low + + * 0009-conf.c-if-we-don-t-specify-a-rootfs-we-still-need-pr.patch: if + apparmor is enabled and no rootfs was specified, then re-mount /proc + so that we can write the requested apparmor profile under /proc/1. + (LP: #1188501) + + -- Serge Hallyn Mon, 10 Jun 2013 09:27:32 -0500 + +lxc (0.9.0-0ubuntu13) saucy; urgency=low + + * 0008-ignore-rootfs-pin-fail.patch: don't refuse to start a container + on readonly fs. + + -- Serge Hallyn Wed, 05 Jun 2013 21:35:40 +0200 + +lxc (0.9.0-0ubuntu12) saucy; urgency=low + + * 0007-lxc.conf.doc: Fill in missing sections in lxc.conf(5) manual + page (LP: 1182085) + + -- Serge Hallyn Tue, 28 May 2013 13:23:57 -0500 + +lxc (0.9.0-0ubuntu11) saucy; urgency=low + + * lxc-net: deal with the fact that some kernels may not have the needed + network bridge support. + + -- Stéphane Graber Tue, 28 May 2013 10:52:22 -0400 + +lxc (0.9.0-0ubuntu10) saucy; urgency=low + + * Rebuild-only upload (LP: #1183807) + + -- Serge Hallyn Fri, 24 May 2013 10:51:44 -0500 + +lxc (0.9.0-0ubuntu9) saucy; urgency=low + + * 0006-lxc-clone-fix-lvm-blockdev-usage: fix use of wrong pathnames for both + block devices and mount targets in the LVM case. (LP: #1183354) + + -- Serge Hallyn Thu, 23 May 2013 14:22:38 -0500 + +lxc (0.9.0-0ubuntu8) saucy; urgency=low + + [ James Hunt ] + * Add basic DEP-8 tests to ensure a container can be created, started, + stopped and cloned. + + -- James Hunt Tue, 21 May 2013 14:44:12 +0100 + +lxc (0.9.0-0ubuntu7) saucy; urgency=low + + * 0005-cgroup-prevent-DOS-when-a-hierachy-is-mounted-multip.patch: prevent + DOS when a cgroup hierarchy is mounted multiple times (LP: #1176287) + + -- Serge Hallyn Wed, 15 May 2013 22:19:59 +0000 + +lxc (0.9.0-0ubuntu6) saucy; urgency=low + + * debian/lxc.default, debian/lxc.preinst: calculate an open 10.0.x.0 network + for lxcbr0 to use at package install time. This allows easier package + installion when nested. + + -- Serge Hallyn Tue, 14 May 2013 14:34:51 -0500 + +lxc (0.9.0-0ubuntu5) saucy; urgency=low + + * push 0004-lxc-ps-handle-cgroup-collisions.patch from upstream to handle + the case where $container's cgroup is + /sys/fs/cgroup/$cgroup/lxc/$container-1. + + -- Serge Hallyn Wed, 08 May 2013 16:02:44 -0500 + +lxc (0.9.0-0ubuntu4) saucy; urgency=low + + * Fix lxc-list crashing when passed --nesting with nested containers. + (LP: #1177408) + * Fix lxc-ls to show nested containers when using alternate lxcpath. + (LP: #1177412) + * Fix python3 API bug leading to parameter corruption in create and start. + (LP: #1177400) + + -- Stéphane Graber Tue, 07 May 2013 10:48:40 -0400 + +lxc (0.9.0-0ubuntu3) raring; urgency=low + + * 0003-python-module-fixes: Cherry pick python module bugfixes from upstream. + * Update deprecation warning for lxc-halt and lxc-list, moving the + deprecation from 0.9 to 1.0. + + -- Stéphane Graber Thu, 18 Apr 2013 22:29:39 +0200 + +lxc (0.9.0-0ubuntu2) raring; urgency=low + + * 0002-lxc-functions-safe-in-dash: stop lxc-clone from silently failing. + (LP: #1166870) + + -- Serge Hallyn Tue, 09 Apr 2013 12:38:02 -0500 + +lxc (0.9.0-0ubuntu1) raring; urgency=low + + * New upstream release (0.9.0) (LP: #1166286) + - New features + (fixing a regression for 0.8/0.9alpha who relied on --keep-env) + + lxc-attach: Add --clear-env and --keep-env to lxc-attach + + lxc-clone: Support 'permanent ephemeral' containers + + lxc-start-ephemeral: Implement -n to match manpage + - Bugfix + + automake: Fix 'make clean' + + automake: Fix missing files with "make dist" + + core: API shouldn't be calling create for already defined containers or + destroy for non defined ones + + core: Build fixes for ia64 + + core: Make lxc.functions return the default lxcpath if + /etc/lxc/lxc.conf doesn't provide one + + core: Properly cleanup network devices if pinning root filesystem + din't work + + core: rcfile shouldn't be recorded in lxc_conf if the attempt to load a + config file fails + + core: Set all mounts to MS_SLAVE when starting a container without + a rootfs + + core: Use $localstatedir/log/lxc for default log path + + git: Updated gitignore (for lxc-ls) + + lxc-attach: Set container=lxc in the environment + + lxc-create: require absolute path for non-standard templates + + lxc-shutdown Make all processes exit before timeout if shutdown works + + lxc-shutdown: Properly handle timeout case + + manpage: Fixed typo in the main LXC manpage + + python: Fix runtime failure on armhf + + ubuntu template: Tweak architecture support (to match what's supported) + * Removed 0002-fix-armhf-python-failure, merged upstream. + + -- Stéphane Graber Mon, 08 Apr 2013 12:19:32 -0400 + +lxc (0.9.0~rc1-0ubuntu3) raring; urgency=low + + * Add code to postinst to fix any double-migration of /etc/dnsmasq. + (LP: #1157332) + + -- Stéphane Graber Wed, 27 Mar 2013 16:51:11 -0400 + +lxc (0.9.0~rc1-0ubuntu2) raring; urgency=low + + * Fix python3-lxc on armhf (LP: #1159817). + + -- Stéphane Graber Tue, 26 Mar 2013 11:21:46 -0400 + +lxc (0.9.0~rc1-0ubuntu1) raring; urgency=low + + * New upstream release (0.9.0~rc1) + - New features + * alpine: template now supports bridges auto-detect and setting hwaddr + * archlinux: update template to use lxc.stopsignal and lxc.kmsg + * core: Add example hooks from Ubuntu package + * core: Add --lxcpath (-P) option to all the tools + * core: attach: now also changes the apparmor profile + * core: attach: try to detect the user shell when attaching + * core: config: add lxc.kmsg (defaults to old enabled behaviour) + * core: config: add lxc.stopsignal (defaults to old SIGKILL behaviour) + * core: lxc-ls: Implement support for nested containers + * core: New exported API function, get_version + * lenny: Remove deprecated template + * lxc-ps: New '--host' option + * opensuse: update template to support 12.2 and 12.3 + - Bugfixes + * core: Add missing config.h includes. + * core: af_unix: make sure to keep useful errno + * core: attach: fixed lxc-attach to deal with user namespaces + * core: attach: free result before potentially strduping a second time. + * core: c api -> createl: correctly handle 0 template args + * core: commands.c: sanity check to not write too-long cgroup path name + * core: ensure clock_gettime symbol is found + * core: Fix typos identified by lintian + * core: fix writing multiple uidmap ranges + * core: give a hint if old cgroup can't be moved + * core: improved README + * core: lxc_id_mapping: don't try to write mappings if there are none + * core: make [ug]id map ordering consistent with /proc//[ug]id_map + * core: only INFO rcfile if asprintf successfully allocates it + * core: Remove redundant clearenv call + * core: Replace deprecated AM_CONFIG_HEADER + * core: rootfs pin: fix two bugs + * core: try to set clone_children when setting up cgroups + * core: Use AC_SEARCH_LIBS instead of hardcoded lists + * core: userns: handle delayed write errors at fclose + * legacy: only output appropriate directories/containers in lxc-ls + * lxc-ubuntu{-cloud}: Config layout tweaking + * opensuse: fix template to better work with lxc-clone, support shutdown, + * oracle: template fixes for older releases + * python: Drop use of hardcoded @LXCPATH@ + * rpm: include hook files and tests in make dist + various code improvements + * Remove example hooks from packaging as they have now been upstreamed. + * Update apparmor profile to allow for lxc-create to work for nested + precise containers. + + -- Stéphane Graber Tue, 19 Mar 2013 11:32:44 -0400 + +lxc (0.9.0~alpha3-0ubuntu3) raring; urgency=low + + * 0001-fix-race-with-fast-init: Before starting lxc_mainloop, check whether + lxc-init has already exited. If it has, return immediately to reap it. + (LP: #1134923) (LP: #1144873) + + -- Serge Hallyn Mon, 11 Mar 2013 10:14:39 -0500 + +lxc (0.9.0~alpha3-0ubuntu2) raring; urgency=low + + * Remove hardcoded --enable-seccomp from debian/rules as seccomp isn't + present on armhf and powerpc, leading to FTBFS on those two architectures. + + -- Stéphane Graber Mon, 18 Feb 2013 19:01:38 -0500 + +lxc (0.9.0~alpha3-0ubuntu1) raring; urgency=low + + * New upstream release (0.9.0~alpha3) + * NOTE: We took the opportunity of this new upstream release bringing + its lot of significant changes to reduce the amount of custom code that's + shipped in the packages and hasn't been submitted upstream. + If you strongly feel about any of those, please submit a cleaned up version + to upstream LXC for inclusion. + + The following tools/templates have been dropped: + - lxc-debconf (upstream ships lxc-debian and lxc-lenny) + - lxc (use the lxc-* commands directly) + - lxc-backup (was just a wrapper on rsync using hardcoded paths) + - lxc-restore (was just a wrapper on rsync using hardcoded paths) + + And the following are provided through compatibility symlinks and will be + dropped in final 0.9: + - lxc-list (equivalent of lxc-ls --fancy) + - lxc-halt (replaced by lxc-shutdown) + + This release also deprecates the following tools as they were considered + mostly broken and the user namespace support makes them mostly useless: + - lxc-setcap + - lxc-setuid + + * The following patches were included upstream: + - 0013-lxc-create-use-default-config.patch + - 0030-ubuntu-template-fail.patch + - 0031-ubuntu-template-resolvconf.patch + - 0044-lxc-destroy-rm-autos + - 0045-fix-other-templates + - 0046-lxc-clone-change-hwaddr + - 0047-bindhome-check-shell + - 0049-ubuntu-template-sudo-and-cleanup + - 0050-clone-lvm-sizes + - 0052-ubuntu-bind-user-conflict + - 0053-lxc-start-pin-rootfs + - 0054-ubuntu-debug + - 0055-ubuntu-handle-badgrp + - 0056-dont-watch-utmp + - 0057-update-manpages + - 0058-fixup-ubuntu-cloud + - 0059-reenable-daily-cloudimg + - 0060-lxc-shutdown + - 0061-lxc-start-apparmor + - 0062-templates-relative-paths + - 0063-check-apparmor-enabled + - 0064-apparmor-mount-proc + - 0065-fix-bindhome-relpath + - 0066-confile-typo + - 0067-templates-lxc-profile + - 0068-fix-lxc-config-layout + - 0069-ubuntu-cloud-fix + - 0070-templates-rmdir-dev-shm + - 0071-ubuntu-cloud-fix-image-extraction + - 0072-lxc-shutdown-help + - 0073-lxc-destroy-waits-before-destroy + - 0074-lxc-execute-find-init + - 0075-lxc-ls-bash + - 0076-fix-sprintfs + - 0077-execute-without-rootfs + - 0078-lxc-clone-quote-line + - 0079-quantal-support + - 0080-drop-maverick + - 0081-fix-multiarch-install + - 0082-umount-old-proc + - 0083-ubuntu-simplify-template + - 0084-lxc-ubuntu-drop-duplicate-code.patch + - 0085-pivot-dir + - 0086-lxc-unshare-zero-args + - 0087-lxc-ls-dash + - 0088-ubuntu-template-flock + - 0089-lxc-netstat-exec + - 0090-lxc-ubuntu-use-dpkg-add-architecture + - 0091-introduce-container-hooks.patch + - 0092-clone-no-dhclient.conf-update-when-not-hardcoded + - 0093-lxc-clone-copy-fstab + - 0094-fix-dev-shm-check + - 0095-lxc-clone-change-uuid-on-xfs.patch + - 0096-lxc-wait-add-timeout.patch + - 0097-seccomp + - 0098-config-file-includes + - 0099-cleanup-after-template-help + - 0100-template-cleanup-cache + - 0101-template-empty-apt-cache + - 0102-lxc-start-d-check-privs + - 0103-make-rootfs-location-optional + - 0104-add-option-to-lxc-attach-to-select-ns + - 0105-lxc-attach-add-R-option + - 01-lxc-directories.patch + - 0200-liblxc + - 0201-fix-mkdir-race + - 0202-make-api-start-reliable + - 0203-python-lxc + - 0204-ubuntu-cloud-userdata-path + - 0205-lxc-ls-manpage-document-two-lines + - 0206-lxc-wait-initialize-timeout + - 0207-ubuntu-cloud-fixes.patch + - 0208-fix-getitem-utsname-segv + - 0209-reload-conf-after-create + - 0210-fix-debian-templates + - 0211-add-hooks-to-manpage + - 0213-add-premount-hook.patch + - 0214-give-pclose-errno + - 0215-lxc-clone-name-arg + - 0216-hook-kmsg-to-console + - 0217-lxc-clone-fix-fstab + - 0218-api-shutdown-fix-doublestop + - 0219-python-module-improvements + - 0220-getitem-per-hook-type + - 0221-make-nonflush-upgrades-robust + - 0222-debian-dhcp3-package + - 0223-ubuntu-template-user-msg + - 0225-ubuntu-cloud-numeric-owner + - 0226-add-lxc-autodev + - 0227-ubuntu-cloud-parsing + - 0228-ignore-kmsg-setup-failure + - 0229-lxc-clone-mount-fix + - 0230-autodev-makedev-console + - 02-lxc-distclean.patch + - 03-lxc-configuration-path.patch + - 04-lxc-create-template-name.patch + - 05-doc-ip-address.patch + - 06-bash.patch + - 07-lxc-netstat.patch + - 08-lxc-debconf.patch + - 09-lxc-create-trap-name.patch + - 10-lxc-clone-trap-name.patch + - 11-lxc-console-escape.patch + - 12-lxc-create-rootfs.patch + - compilecleanups/0001-replace-HOOK-define-with-proper-code.patch + - compilecleanups/0002-add-prototype-for-clone-2-as-per-manpage.patch + - compilecleanups/0003-check-chdir-return-value.patch + - compilecleanups/0004-Fix-passing-non-const-char-in-for-const-char.patch + - compilecleanups/0005-return-nonvoid + - compilecleanups/0006-unused-var + - compilecleanups/0007-tests-check-return-values + - seccompapi/0001-seccomp-free-conf-seccomp-filename-char.patch + - seccompapi/0002-README-fix-typo-in-example-script.patch + - seccompapi/0003-support-new-libseccomp-api.patch + + * New patches: + - transition/00-redirect-lxc-halt.patch: Show warning when lxc-halt is + called as lxc-shutdown now replaces it. + - transition/01-redirect-lxc-list.patch: Show warning when lxc-list is + called as lxc-ls now replaces it. Default to --fancy in this mode. + - 0000-add-autostart.patch: Add autostart support to lxc-destroy and + lxc-ls. + + * Disable the test binaries, those are only useful in the dailies. + * Drop lxc.manpages, all the needed manpages are now upstream. + * Transition /etc/lxc/lxc.conf to /etc/lxc/default.conf. + * Drop debian/*.in as they didn't contain any variable anymore. + * Drop outdated sysvinit script. We use upstart and don't intend to maintain + the sysvinit script in Ubuntu. + * Drop lxc.config and po/*. We've never used debconf for lxc in Ubuntu. + * Fix some bugs in the ecryptfs hook. + + -- Stéphane Graber Mon, 18 Feb 2013 18:25:18 -0500 + +lxc (0.8.0~rc1-4ubuntu50) raring; urgency=low + + * Create /etc/dnsmasq.d when missing. + + -- Stéphane Graber Fri, 08 Feb 2013 16:25:44 -0500 + +lxc (0.8.0~rc1-4ubuntu49) raring; urgency=low + + * Don't directly write/remove /etc/dnsmasq.d/lxc as that's causing problems + when removing and reinstalling lxc. + Instead have dnsmasq ship /etc/dnsmasq.d-available/lxc and create/remove + a symlink in /etc/dnsmasq.d/. (LP: #1113821) + + -- Stéphane Graber Wed, 06 Feb 2013 16:13:18 -0500 + +lxc (0.8.0~rc1-4ubuntu48) raring; urgency=low + + * debian/patches/seccompapi/: update the seccomp usage to handle the + >= 1.0.0 libseccomp api. + + -- Serge Hallyn Tue, 11 Dec 2012 12:46:08 -0600 + +lxc (0.8.0~rc1-4ubuntu47) raring; urgency=low + + * 0230-autodev-makedev-console: Run MAKEDEV(console) before creating + consoles in the container. This is to make up for the fact that + userspace (i.e. mountall) won't be doing so, since it otherwise + would overwrite the consoles set up by lxc. (LP: #1075717) + + -- Serge Hallyn Wed, 28 Nov 2012 16:08:37 -0600 + +lxc (0.8.0~rc1-4ubuntu46) raring; urgency=low + + * 0229-lxc-clone-mount-fix: fix wrong handling of lxc.mount entries in + lxc-clone. (LP: #1084089) + * debian/apparmor/abstractions-lxc-container-base: deny read/write under + /sys/firmware/efi/efivars. + + -- Serge Hallyn Wed, 28 Nov 2012 11:04:17 -0600 + +lxc (0.8.0~rc1-4ubuntu45) raring; urgency=low + + [ Stéphane Graber ] + * Allow the container to mount efivars on /sys/firmware/efi/efivars. + efivars is automatically mounted by mountall on UEFI systems, failure to + do so leads to a complete boot failured. + * Allow mounts and pivot_roots under /usr/lib/lxc/root/ for compatibility + with nested precise lxc hosts (quantal -> precise -> containers). + + [ Serge Hallyn ] + * update 0227-ubuntu-cloud-parsing to catch a doc typo stgraber had found + in the upstream review. + * 0228-ignore-kmsg-setup-failure: ignore failure to set up kmsg, since that + is not critical. + + [ Christian Kampka ] + * Have upstart run lxc instances (LP: #1049908) + + -- Serge Hallyn Tue, 27 Nov 2012 22:52:10 -0600 + +lxc (0.8.0~rc1-4ubuntu44) raring; urgency=low + + [ Scott Moser ] + * 0225-ubuntu-cloud-numeric-owner: use --numeric-owner when extracting root + filesystems with tar (LP: #1066084) + + [ Serge Hallyn ] + * Remove 0224-ubuntu-templates-devtmpfs (LP: #1070914) + * 0226-add-lxc-autodev: implement automatic mount and populate of /dev. + * 0227-ubuntu-cloud-parsing: fix some option parsing bugs in ubuntu-cloud + template (LP: #1076031) + + -- Serge Hallyn Mon, 26 Nov 2012 10:11:00 -0600 + +lxc (0.8.0~rc1-4ubuntu43) raring; urgency=low + + * Fix debian/lxc.install.in to drop /var/lib/lxc/{cache|packages|templates} + as they've been moved to the new lxc-templates package. + * Bump Breaks/Replaces/Depends/Recommends versions to ubuntu43. + + -- Stéphane Graber Tue, 13 Nov 2012 12:09:30 -0500 + +lxc (0.8.0~rc1-4ubuntu42) raring; urgency=low + + * Add --dhcp-authoritative and --dhcp-leasefile options to lxc-net's dnsmasq. + This should help LXC keep IPs consistent accross reboots. + * Wrap-and-sort debian/control and debian/lxc.install + * Split templates out of the lxc binary package into a new lxc-templates + package. Have python3-lxc and lxc recommend the new package and have it + depend on lxc as a few templates use the command line tools. + * Move template related Depends/Recommends/Suggests to the new lxc-templates + package. -lxc (0.8.0~rc1-9) unstable; urgency=low + -- Stéphane Graber Mon, 12 Nov 2012 17:28:12 -0500 - * Updating todo file. - * Correcting freudian typo in lxc directory removal in postrm (Closes: - #679842). - * Adding updated Czech debconf translations from Michal Simunek - (Closes: #679681). - * Using split out live-debconfig now. - * Adding patch to correct paths to lxc-init in lxc-setcap (Closes: - #682790). - * Adding Japanese debconf translations from Kenshi Muto - (Closes: #683123). - * Using relative mount paths for /proc and /sys in container - configurations produced by lxc-debconf (Closes: #683444). - * Shortening name of dpkg.cfg.d configuration file used during chroot - operations. - - -- Daniel Baumann Sat, 04 Aug 2012 10:38:43 +0200 - -lxc (0.8.0~rc1-8) unstable; urgency=low - - * Removing comments in lxc-debconf debconf templates, apparently - that's no longer supported (Closes: #679849). - * Removing lxc directory in postrm (Closes: #679842). - - -- Daniel Baumann Wed, 04 Jul 2012 00:24:59 +0200 - -lxc (0.8.0~rc1-7) unstable; urgency=low - - * Updating email address in copyright headers for local additions. - - -- Daniel Baumann Sat, 30 Jun 2012 14:08:11 +0200 - -lxc (0.8.0~rc1-6) unstable; urgency=low - - * Adding copyright headers to local debian additions. - * Create /etc/lxc/auto when creating symlinks for the unlikely event - that user has it removed. - * Switching to xz compression. - * Updating GPL boilerplate in copyright file. - * Simplyfing backports compatible use of multiarch debhelper install - files. - * Adding prerm script to remove alternatives (Closes: #668438). - * Correcting spelling typo in readme. - * Clarify in readme the name of the symlinks in /etc/lxc/auto. - * Deriving container name from parent directory of the configuration - file, not from the name of the configuration file (Closes: #673552). - * Tidying up initscripts start sequence. - * Adding explicit docbook build-depends. - * Updating lintian overrides. +lxc (0.8.0~rc1-4ubuntu41) raring; urgency=low - -- Daniel Baumann Sat, 30 Jun 2012 00:05:28 +0200 + * Rebuild to drop python3.2 extension. -lxc (0.8.0~rc1-5) unstable; urgency=low + -- Matthias Klose Thu, 08 Nov 2012 11:15:42 +0000 - * Updating todo file. - * Prefering iputils-ping over inetutils-ping in lxc-progress.cfg - example. - * Temporarily including bzip2 manually when bootstrapping until - #657560 has been fixed in unstable. - * Only show experimental as a valid optional archive choice in lxc- - debconf for sid, rather than security, volatile, backports, and - proposed-updates (which all are evidently unavailable for unstable). - * Adding updated Russian debconf translations from Yuri Kozlov - (Closes: #671053). - * Adding updated Spanish debconf translations from Camaleón - (Closes: #677404). - * Adding updated Swedish debconf translations from Martin Bagge - (Closes: #673889). - * Adding updated Portuguese debconf translations from Miguel - Figueiredo (Closes: #674950). - * Adding updated Dutch debconf translations from Jeroen Schot - (Closes: #673776). - * Correcting incorrect lxc-netstat.patch, thanks to Serge Hallyn - (Closes: #677124). - * Updating lxc-directories.patch (Closes: #664764). - * Updating base-files hack for newer versions of base-files (sid). - * Moving away from linux-container and use live-config instead. - * Replacing linux-container debconf prefix with lxc-debconf for - outside template preseeding. - * Updating some remaining leftover cruft from linux-container in - variable namespacing. +lxc (0.8.0~rc1-4ubuntu40) raring; urgency=low + + * Add the multiarch include path for python3.3. + * Use dpkg-buildflags. + + -- Matthias Klose Thu, 25 Oct 2012 19:34:54 +0200 + +lxc (0.8.0~rc1-4ubuntu37) quantal; urgency=low + + * update 0222-debian-dhcp3-package: use dhcp3-client, not server! + * 0224-ubuntu-templates-devtmpfs: mount devtmpfs in ubuntu containers. + (LP: #1060404) + + -- Serge Hallyn Thu, 04 Oct 2012 12:06:02 -0500 + +lxc (0.8.0~rc1-4ubuntu36) quantal; urgency=low + + * 0222-debian-dhcp3-package: fix install of debian testing containers. + (LP: #1052972) + * 0223-ubuntu-template-user-msg: don't say default user is ubuntu when + it isn't. (LP: #1052315) + + -- Serge Hallyn Wed, 19 Sep 2012 11:58:53 -0500 + +lxc (0.8.0~rc1-4ubuntu35) quantal; urgency=low + + * 0220-getitem-per-hook-type: support clear_item for specific hooks. + (LP: #1050719) + * 0221-make-nonflush-upgrades-robust: be more robust about out of date + container caches. (LP: #942862) + + -- Serge Hallyn Fri, 14 Sep 2012 11:45:46 -0500 + +lxc (0.8.0~rc1-4ubuntu34) quantal; urgency=low + + [ Serge Hallyn ] + * 0214-give-pclose-errno: help debug pclose failures when lxc runs scripts. + * 0215-lxc-clone-name-arg: fix incorrect checking for --name argument. + (LP: #1049914) + * 0216-hook-kmsg-to-console: link /dev/kmsg to /dev/console so init log + messages can be seen. (LP: #1049926) + * 0217-lxc-clone-fix-fstab: fix check for lxc.mount in lxc-clone + (LP: #1049987) + * 0218-api-shutdown-fix-doublestop: don't call c->stop() when already + stopped (LP: #1050001) + * Update lxc-start-container apparmor abstraction to allow ecryptfs mounts + from the pre-mount script. Remove the instruction to add that line from + the example hook. + * Update lxc-start-container apparmor abstraction to allow mounts to paths + under /var/lib/lxc/$container/, so that pre-mount hooks can stage mounts + there. Also update the mountecryptfs example premount hook to use that. + (LP: #1050469) + * debian/rules: remove parsing of apparmor.in files. + + [ Stéphane Graber ] + * Update lxc-start-container apparmor abstraction to allow aufs and overlayfs + mounts from the pre-mount scripts. This is required by some hooks and will + be needed by the new lxc-start-ephemeral. + * Remove multi-arch path in lxc-start-container apparmor abstraction and + instead just allow /usr/lib/*/lxc/ so nested containers running on a + different architecture don't get blocked by apparmor. + * Cherry-pick python-lxc fixes from upstream: + - Minor PEP-8 syntax fix + - Return an exception when getting Container instance as non-root + - Automatically convert any state string passed to wait() to its uppercase + equivalent. + - Replace test.py by a full example of the API. + - Remove zombie handler function from C module as it's no longer required + and causes weird bugs when used with the hooks. + + [ William Grant ] + * lxc-start-ephemeral: exit with the command's status, not always 0. + (LP: #1050351) + + -- Serge Hallyn Thu, 13 Sep 2012 12:02:45 -0500 + +lxc (0.8.0~rc1-4ubuntu33) quantal; urgency=low + + [ Serge Hallyn ] + * 0206-lxc-wait-initialize-timeout: initialize timeout to -1 so lxc-wait + will, by default, wait for the container to enter the requested state. + * debian/patches/compilecleanups/* - fix compile time warnings. + * lxc.lxc-net.upstart: tell iptables not to masquerate packets between + containers. (LP: #1045947) + * 0208-fix-getitem-utsname-segv: fix seg fault when doing get_item(utsname) + on newly created container. + * 0209-reload-conf-after-create: add ability to free a lxc_conf. Use that + after calling Container->Create() to completely reload the newly created + config. + * 0211-add-hooks-to-manpage: document lxc.hook in the lxc.conf manpage. + * 0212-lxc-destroy-rm-symlink: If rootfs is a symbolic link to a directory, + remove it. (LP: #1046117) + * 0213-add-premount-hook.patch: add a premount hook to support encrypted + filesystems. (LP: #1043052) + + [ Scott Moser ] + * 0207-ubuntu-cloud-fixes.patch: cleanups to lxc-ubuntu-cloud.in + fix for quantal images that do not have user 'ubuntu' present + (LP: #1045955) + + [ Rex Tsai ] + * 0210-fix-debian-templates: Fix lxc-shutdown/lxc-restart in Debian + containers and fix lxc.utsname for lenny containers. + (LP: #1046684, LP: #1046696) + + [ Stéphane Graber ] + * lxc.lxc-net.upstart: Make the iptables call more consistent (LP: #1045947) + + -- Serge Hallyn Thu, 30 Aug 2012 11:32:06 -0500 + +lxc (0.8.0~rc1-4ubuntu32) quantal; urgency=low + + * 0204-ubuntu-cloud-userdata-path: Fix broken behavior when a relative + path is passed into '--userdata' argument. (LP: #1043582) + * 0205-lxc-ls-manpage-document-two-lines: Document the default two-line + output format of lxc-ls. (LP: #1043018) + * lxc-start-ephemeral: support fedora and centos (LP: #1042431) + + -- Serge Hallyn Thu, 30 Aug 2012 10:05:06 -0500 + +lxc (0.8.0~rc1-4ubuntu31) quantal; urgency=low + + * Previous upload had documentation turned off, making it FTBFS on i386, + this was a leftover change from a test build, revert that bit. + + -- Stéphane Graber Tue, 28 Aug 2012 06:07:05 -0400 + +lxc (0.8.0~rc1-4ubuntu30) quantal; urgency=low + + * Fix long description's spelling of Python. + * Make python-lxc a patch against the upstream tree and integrate with + autotools instead of maintaining in debian/python-lxc. + Resulting binary package has been checked to be identical, this is to + done to make it easier to push upstream. + + -- Stéphane Graber Tue, 28 Aug 2012 05:55:05 -0400 + +lxc (0.8.0~rc1-4ubuntu29) quantal; urgency=low + + [ Serge Hallyn ] + * fix lxcapi_start to not return true when it container failed to start. + * 0201-fix-mkdir-race: don't raise error if mkdir fails with EEXIST. + * 0202-make-api-start-reliable: have daemonized start through the api + wait until the container is RUNNING before returning true. If a 5 + second timeout is hit before the container is RUNNING, return false. + + [ Stéphane Graber ] + * python-lxc: in get_ips() if timeout is 1 don't wait one second before + returning. + * python-lxc: Add import time warning that the API isn't yet stable and + so may change at any point in the future. + + -- Stéphane Graber Sat, 25 Aug 2012 12:44:17 -0400 + +lxc (0.8.0~rc1-4ubuntu28) quantal; urgency=low + + [ Stéphane Graber ] + * Merge liblxc changes: + - Build-depend on automake as autogen.sh is now run at build time. + - Introduce new liblxc0 binary package + - Make lxc to depend on liblxc0 + - Move library to the new binary package + - Change libdir to be the public multi-arch path + - Build with --disable-rpath + - Move all the test binaries to a lxc-test-* namespace + * Merge python3-lxc changes: + - Introduce new python3-lxc binary package + - Update debian/rules to build the python3 code + * Update lxc-start-ephemeral: + - Replace tabs by 4 spaces, fix indentation + - Fix code to work properly as non-root (calling sudo where needed) + + [ Serge Hallyn ] + * confile.c: support hooks in save_config(). + * conf.h: Add array of hook names + + -- Stéphane Graber Wed, 22 Aug 2012 11:50:51 -0400 + +lxc (0.8.0~rc1-4ubuntu27) quantal; urgency=low + + * Add patches from mailing list to support per-namespace attach with + lxc-attach. + - 0104-add-option-to-lxc-attach-to-select-ns + - 0105-lxc-attach-add-R-option + + -- Serge Hallyn Tue, 21 Aug 2012 16:10:08 -0500 + +lxc (0.8.0~rc1-4ubuntu26) quantal; urgency=low + + * 0100-template-cleanup-cache: clean up template cache if interrupted + during build. (LP: #1037331) + * 0101-template-empty-apt-cache: do an apt-cache clean after creating + a new cache. (LP: #1037626) + * 0102-lxc-start-d-check-privs: exit early (with failure) if starting a + daemonized container with insufficient privilege. (LP: #918327) + * 0103-make-rootfs-location-optional: allow custom location for a + container rootfs to be specified. (LP: #1019398) + + -- Serge Hallyn Fri, 17 Aug 2012 09:44:02 -0500 + +lxc (0.8.0~rc1-4ubuntu25) quantal; urgency=low + + * debian/control: only depend on libseccomp-dev on i386 and amd64, and + switch to upstream-submitted seccomp patch (LP: #1037701) + * debian/rules: add '--with autoreconf' to force recreation of + configure from configure.ac + * 0099-cleanup-after-template-help: don't leave a partially created + container when -h is passed after '--'. (LP: #1031043) + + -- Serge Hallyn Thu, 16 Aug 2012 17:03:07 -0500 + +lxc (0.8.0~rc1-4ubuntu24) quantal; urgency=low + + * lxc-start-ephemeral: use unionfs only for the rootfs itself + (LP: #959352) + * allow config files to include other config files. + + -- Serge Hallyn Tue, 14 Aug 2012 13:11:24 +0000 + +lxc (0.8.0~rc1-4ubuntu23) quantal; urgency=low + + * fix FTBFS + - add libseccomp to build-deps + - add autoreconf to build-deps to regenerate Makefile.in at build time. + + -- Serge Hallyn Wed, 08 Aug 2012 18:11:21 -0500 + +lxc (0.8.0~rc1-4ubuntu22) quantal; urgency=low + + [ Stéphane Graber ] + * Fix call to echo in lxc-start-ephemeral that was literally showing + '$LXC_BASE' instead of the variable's value. + + [ Serge Hallyn ] + * Introduce support for seccomp. + + -- Serge Hallyn Wed, 08 Aug 2012 10:43:06 -0500 + +lxc (0.8.0~rc1-4ubuntu21) quantal; urgency=low + + [ Stéphane Graber ] + * Fix lxc-ubuntu and lxc-ubuntu-cloud to fix the /dev/shm workaround to only + trigger when /dev/shm is not a symlink. (LP: #974584) + + [ Serge Hallyn ] + * lxc.lxc-net.upstart: replace the check for USE_LXC_BRIDGE (which could be + changed from true to false after starting lxc-net) with one for the + existence /var/run/lxc. (LP: #1019290) + * 0095-lxc-clone-change-uuid-on-xfs.patch: give each cloned xfs-backed + lvm partition a unique uuid so they can be mounted simultaneously. + (LP: #1013549) + * 0096-lxc-wait-add-timeout.patch: patch submitted upstream to add a timeout + option to lxc-wait. (LP: #1020179) + + -- Serge Hallyn Thu, 26 Jul 2012 17:40:36 +0000 + +lxc (0.8.0~rc1-4ubuntu20) quantal; urgency=low + + [ Stéphane Graber ] + * debian/apparmor/lxc-default-with-nesting: allow mounting /proc and /sys + so containers can be created. + + [ Serge Hallyn ] + * 0093-lxc-clone-copy-fstab: fix updating of lxc.mount entries in lxc-clone + + -- Serge Hallyn Fri, 20 Jul 2012 09:38:35 -0500 + +lxc (0.8.0~rc1-4ubuntu19) quantal; urgency=low + + * Move /etc/apparmor.d/abstractions/lxc-* to /etc/apparmor.d/abstractions/lxc/ + - Rename lxc-container-default to container-base + - Rename lxc-start-container to start-container + - Update references + * Allow write access to /proc/sys/kernel/shm* as these are namespaced (IPC). + + -- Stéphane Graber Thu, 05 Jul 2012 12:02:19 -0400 + +lxc (0.8.0~rc1-4ubuntu18) quantal; urgency=low + + * Patch lxc-clone to stop messing with dhclient.conf when it contains a + placeholder ( or gethostname()). Fixes cases where dpkg will + prompt for modified config file on upgrade. + + -- Stéphane Graber Tue, 03 Jul 2012 17:57:27 -0400 + +lxc (0.8.0~rc1-4ubuntu17) quantal-proposed; urgency=low + + [ Stéphane Graber ] + * 0090-lxc-ubuntu-use-dpkg-add-architecture: Update lxc-ubuntu + template to use "dpkg --add-architecture" in containers running + dpkg >= 1.16.2. (LP: #1017862) + + [ Serge Hallyn ] + * 0091-introduce-container-hooks.patch: introduce container hooks at several + points in the container life-cycle. + * Add copyright statement to lxc-aa-custom-profile + * Add debian/hooks/mountcgroups as an example (installed under + /usr/share/lxc/hooks) + + -- Serge Hallyn Tue, 26 Jun 2012 13:04:01 -0500 + +lxc (0.8.0~rc1-4ubuntu16) quantal; urgency=low + + * Update debian/local/lxc-list to only list every container once + and to support both the Debian and Ubuntu way of marking a container + as auto-started. + * Depend on adduser as it's being used in postinst. + * Fix lintian-overrides syntax and silence no-debconf-templates. + * Only run dh_apparmor against the lxc package. + * Don't override /var/log/lxc as 700, there's no good reason for that. + + -- Stéphane Graber Mon, 25 Jun 2012 15:00:01 -0400 + +lxc (0.8.0~rc1-4ubuntu15) quantal; urgency=low + + [ Serge Hallyn ] + * Add 'lxc-aa-custom-profile' command to make it easier to start using a + cusom profile for a container. + + [ Stéphane Graber ] + * Update apparmor profiles to fix nesting: + - Allow fstype=cgroup mounts for lxc-default-with-nesting + - Only prevent mounting devpts for lxc-default and not + in lxc-default-with-nesting as it's required to spawn containers. + + -- Stéphane Graber Mon, 25 Jun 2012 01:34:12 -0400 + +lxc (0.8.0~rc1-4ubuntu14) quantal; urgency=low + + * Apparmor profile update: + - Move lxc-start profile content to abstractions/lxc-start-container + - Move lxc-default profile content to abstractions/lxc/container-default + - Include the abstractions + - Update lxc-default-with-nesting to include both abstractions + - Allow fstype=fuse.*, for all containers + + -- Stéphane Graber Tue, 19 Jun 2012 15:13:23 +0000 + +lxc (0.8.0~rc1-4ubuntu13) quantal; urgency=low + + * 0086-lxc-unshare-zero-args: fix lxc-unshare segfaulting when no command + is given (LP: #1011603) + * 0087-lxc-ls-dash: fix lxc-ls for containers whose names start with a + dash (LP: #1006332) + * 0088-ubuntu-template-flock: don't fail when flock is busy, just wait, + so concurrent lxc-creates don't break. (LP: #1007483) + * 0089-lxc-netstat-exec: fix lxc-netstat errors (LP: #1011739) + + -- Serge Hallyn Mon, 11 Jun 2012 15:46:25 +0000 + +lxc (0.8.0~rc1-4ubuntu12) quantal; urgency=low + + * Fix broken logic in lxc-ubuntu template where lxc.devttydir would be + set to 'lxc' only for releases that don't support it. (LP: #1007493) + + -- Stéphane Graber Fri, 01 Jun 2012 11:57:44 -0400 + +lxc (0.8.0~rc1-4ubuntu11) quantal; urgency=low + + * add apport hook + + -- Serge Hallyn Fri, 01 Jun 2012 08:13:03 -0500 + +lxc (0.8.0~rc1-4ubuntu10) quantal; urgency=low + + [ Serge Hallyn ] + * 0084-lxc-ubuntu-drop-duplicate-code.patch: drop some duplicate code from + the ubuntu template. (LP: #1004118) + * 0085-pivot-dir: use a directory other than /mnt to put the pivot_root + old dir into (LP: #986385) + + [ Stéphane Graber ] + * Ship /etc/dnsmasq.d/lxc to configure an eventual system wide + dnsmasq daemon not to listen on the LXC bridge interface. (LP: #928524) + * Drop rm calls from postrm for apparmor rules, these were in the purge + target so didn't really serve any purpose. + + -- Stéphane Graber Tue, 29 May 2012 16:56:25 -0400 + +lxc (0.8.0~rc1-4ubuntu9) quantal; urgency=low + + * debian/lxc-net.upstart: don't put '()' after call to cleanup. + (LP: #1000174) + + -- Serge Hallyn Mon, 21 May 2012 08:26:25 -0700 + +lxc (0.8.0~rc1-4ubuntu8) quantal; urgency=low + + * Update lxc-ubuntu: + - Update list of extra packages for debootstrap to only include vim + and ssh. The others were only relevant when we were still using the + minbase variant. (LP: #996839) + - Drop any hardcoded Ubuntu version check and replace by feature + checks instead. + - Format lxc-ubuntu to consistently use 4-spaces indent instead of + mixed spaces/tabs. + - Update default /etc/network/interfaces to include the header. + - Update default /etc/hosts to match that of a regular Ubuntu system. + - Drop support for end-of-life releases (gutsy on sparc). + - Make sure /etc/resolv.conf is valid before running any apt command. + - Update template help message for release and arch parameters. + - Switch default Ubuntu version from lucid to precise. + * Update lxc-start-ephemeral: + - Remove lxc-ip and replace it by a call to "ip netns" until we have + an extended lxc-attach we can use for that. + - Fix a race in lxc-start-ephemeral where the container isn't yet + running when trying to get its IPs. + - Update a few calls so that lxc-start-ephemeral can be called as a + user (ensure consistent usage of sudo across the script). + * Add new lxc-default-with-nesting apparmor profile, allowing nested + containers. + + -- Stéphane Graber Fri, 18 May 2012 19:05:44 -0400 + +lxc (0.8.0~rc1-4ubuntu7) quantal; urgency=low + + [ Francesco Banconi ] + * Introduced lxc-ip: retrieve the ip addresses of a container. + * lxc-start-ephemeral: use lxc-ip to ssh to the container (LP: #994752). + + -- Serge Hallyn Wed, 16 May 2012 10:46:21 -0500 + +lxc (0.8.0~rc1-4ubuntu6) quantal; urgency=low + + * debian/control: add apparmor to lxc Depends (LP: #997681) + * debian/local/lxc-start-ephemeral: quote $line so its contents don't get + expanded (LP: #997687) + + -- Serge Hallyn Thu, 10 May 2012 09:04:29 -0700 + +lxc (0.8.0~rc1-4ubuntu5) quantal; urgency=low + + * 0082-umount-old-proc: fix proc auto-mount. If /proc is already mounted, + make sure that /proc/self points to 1, since we are container init. + Otherwise, assume proc is an old one, and umount it and remount our own. + If we keep the old proc mounted, apparmor transitions will by tried for + wrong task and fail. Also move check for whether apparmor is enabled so + that it is called by lxc-execute. (LP: #993706) + * update 0074-lxc-execute-find-init to look for lxc-init in + LXCINITDIR/lxc/lxc-init + * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud + needs it. (LP: 995361) + * debian/lxc.upstart: load apparmor profiles before auto-starting containers. + (LP: #989853) + * pop 06-bash.patch and 0075-lxc-ls-bash. lxc-clone also has bashims, just + stick to using bash until upstream is also converted (so we are safe + against patches). + + -- Serge Hallyn Mon, 07 May 2012 21:22:26 +0000 + +lxc (0.8.0~rc1-4ubuntu4) quantal; urgency=low + + * Fix Ubuntu template to install the host architecture of the required + mutli-arch packages (when using qemu-user-static) instead of hardcoded + "amd64" version. + + -- Stéphane Graber Fri, 04 May 2012 23:21:22 -0400 + +lxc (0.8.0~rc1-4ubuntu3) quantal; urgency=low + + * Add support for quantal in lxc-ubuntu and lxc-ubuntucloud + * Drop support for maverick in lxc-ubuntu and lxc-ubuntucloud + + -- Stéphane Graber Wed, 02 May 2012 21:28:11 -0400 + +lxc (0.8.0~rc1-4ubuntu2) quantal; urgency=low + + * lxc-clone: put quotes around $line to avoid expansion (LP: #993515) + + -- Serge Hallyn Wed, 02 May 2012 15:23:52 -0500 + +lxc (0.8.0~rc1-4ubuntu1) quantal; urgency=low + + * Merge from unstable. Remaining changes: + - control: + - update maintainer + - Build-Depends: add dh-apparmor and libapparmor-dev + - lxc Depends: add bridge-utils, dnsmasq-base, iptables, rsync + - lxc Recommends: add cgroup-lite | cgroup-bin, openssl + - lxc Suggests: add btrfs-tools, lvm2, qemu-user-static + - lxc Conflicts: remove (cgroup-bin) + - Add lxc-start-ephemeral and lxc-wait to debian/local + - apparmor: + - add lxc.apparmor, lxc-containers.apparmor, + lxc-default.apparmor, and new lxc.apparmor.in + - add debian/lxc.conf (default container creation config file) + - debian/lxc.install.in: + * add lxc-start-ephemeral + * add debian/lxc.conf + * skip lxc-debconf* + * skip lxc-ls (Use upstream's) + - debian/lxc*.install.in: use '*', not @DEB_HOST_MULTIARCH@ + - Use our own completely different lxc.postinst and lxc.postrm + - remove lxc.templates + - debian/rules: + * add DEB_DH_INSTALLINIT_ARGS = --upstart-only + * don't do debconf stuff + * add debian/*.apparmor.in to files processed under + override_dh_auto_clean + * don't comment out ubuntu or busybox templates + * do apparmor stuff and install our own lxc-wait under override_dh_install + * install our upstart scripts in override_dh_installinit + - add lxc.default, lxc.lxc-net.upstart, lxc.upstart under + debian/ + + * patches kept: + - 0013-lxc-create-use-default-config.patch (needed manual rebase) + - 0030-ubuntu-template-fail.patch + - 0031-ubuntu-template-resolvconf.patch + - 0044-lxc-destroy-rm-autos + - debian/patches/0045-fix-other-templates + - debian/patches/0046-lxc-clone-change-hwaddr + - debian/patches/0047-bindhome-check-shell + - debian/patches/0049-ubuntu-template-sudo-and-cleanup + - debian/patches/0050-clone-lvm-sizes + - debian/patches/0052-ubuntu-bind-user-conflict + - debian/patches/0053-lxc-start-pin-rootfs + - debian/patches/0054-ubuntu-debug + - debian/patches/0055-ubuntu-handle-badgrp + - debian/patches/0056-dont-watch-utmp + - debian/patches/0057-update-manpages + - debian/patches/0058-fixup-ubuntu-cloud + - debian/patches/0059-reenable-daily-cloudimg + - debian/patches/0060-lxc-shutdown + - debian/patches/0061-lxc-start-apparmor + - debian/patches/0062-templates-relative-paths + - debian/patches/0063-check-apparmor-enabled + - debian/patches/0064-apparmor-mount-proc + - debian/patches/0065-fix-bindhome-relpath + - debian/patches/0066-confile-typo + - debian/patches/0067-templates-lxc-profile + - debian/patches/0068-fix-lxc-config-layout + - debian/patches/0069-ubuntu-cloud-fix + - debian/patches/0070-templates-rmdir-dev-shm + - debian/patches/0071-ubuntu-cloud-fix-image-extraction + - debian/patches/0072-lxc-shutdown-help + - debian/patches/0073-lxc-destroy-waits-before-destroy + - mark all patches which have been forwarded as such, refresh all + * 0074-lxc-execute-find-init: lxc-init had moved. Introduce a function in + lxc-execute to go find it. Otherwise lxc-execute for any older releases + will fail. + * 0075-lxc-ls-bash: lxc-ls needs bash, not sh + * add debian/lxc.apparmor.in so DEB_HOST_MULTIARCH can be expanded + * 0076-fix-sprintfs: - check return values for all sprintfs and snprintfs + which could overflow (LP: #988918) + * 0077-execute-without-rootfs: let lxc-execute succeed with no rootfs + (LP: #981955) - -- Daniel Baumann Thu, 14 Jun 2012 10:15:53 +0200 + -- Serge Hallyn Thu, 26 Apr 2012 15:18:35 -0500 lxc (0.8.0~rc1-4) unstable; urgency=low @@ -2164,21 +4216,21 @@ lxc (0.8.0~rc1-4) unstable; urgency=low * Also setting libexedir via configure argument which in turn will set lxcinitdir properly on multiarch (Closes: #664764). - -- Daniel Baumann Tue, 10 Apr 2012 20:04:36 +0200 + -- Daniel Baumann Tue, 10 Apr 2012 20:04:36 +0200 lxc (0.8.0~rc1-3) unstable; urgency=low * Adding pre-depends to multiarch-support (Closes: #663274). * Updating lintian overrides. - -- Daniel Baumann Sat, 10 Mar 2012 09:51:28 +0100 + -- Daniel Baumann Sat, 10 Mar 2012 09:51:28 +0100 lxc (0.8.0~rc1-2) unstable; urgency=low * Helping to migrate lxc-shutdown debconf setting for alternative on upgrades from 0.7.5 to 0.8.0. - -- Daniel Baumann Fri, 09 Mar 2012 15:27:21 +0100 + -- Daniel Baumann Fri, 09 Mar 2012 15:27:21 +0100 lxc (0.8.0~rc1-1) unstable; urgency=low @@ -2211,14 +4263,14 @@ lxc (0.8.0~rc1-1) unstable; urgency=low * Updating to standards version 3.9.3. * Updating copyright file machine-readable format version 1.0. - -- Daniel Baumann Fri, 09 Mar 2012 13:05:03 +0100 + -- Daniel Baumann Fri, 09 Mar 2012 13:05:03 +0100 lxc (0.7.5-24) unstable; urgency=low * Switching to cdn.archive.progress-linux.org in lxc-debconf as default mirror for progress. - -- Daniel Baumann Fri, 03 Feb 2012 22:23:00 +0100 + -- Daniel Baumann Fri, 03 Feb 2012 22:23:00 +0100 lxc (0.7.5-23) unstable; urgency=low @@ -2228,7 +4280,7 @@ lxc (0.7.5-23) unstable; urgency=low * Not upgrading users /etc/default/lxc file and leave any unused cruft in there to rot (Closes: #657654). - -- Daniel Baumann Fri, 27 Jan 2012 21:38:14 +0100 + -- Daniel Baumann Fri, 27 Jan 2012 21:38:14 +0100 lxc (0.7.5-22) unstable; urgency=low @@ -2247,7 +4299,7 @@ lxc (0.7.5-21) unstable; urgency=low * Automatically creating directories specified in mount entries in lxc-debconf. - -- Daniel Baumann Mon, 23 Jan 2012 11:19:56 +0100 + -- Daniel Baumann Mon, 23 Jan 2012 11:19:56 +0100 lxc (0.7.5-20) unstable; urgency=low @@ -2263,7 +4315,7 @@ lxc (0.7.5-20) unstable; urgency=low * Updating to debhelper version 9. * Updating todo file. - -- Daniel Baumann Sat, 21 Jan 2012 17:32:18 +0100 + -- Daniel Baumann Sat, 21 Jan 2012 17:32:18 +0100 lxc (0.7.5-19) unstable; urgency=low @@ -2277,7 +4329,7 @@ lxc (0.7.5-19) unstable; urgency=low #655173). * Adding patch to correct signal names in lxc-clone trap. - -- Daniel Baumann Mon, 09 Jan 2012 16:13:39 +0100 + -- Daniel Baumann Mon, 09 Jan 2012 16:13:39 +0100 lxc (0.7.5-18) unstable; urgency=low @@ -2291,7 +4343,7 @@ lxc (0.7.5-18) unstable; urgency=low * Reconfigure tzdata when using preseeding in lxc-debconf. * Updating year in copyright file. - -- Daniel Baumann Sun, 08 Jan 2012 13:30:37 +0100 + -- Daniel Baumann Sun, 08 Jan 2012 13:30:37 +0100 lxc (0.7.5-17) unstable; urgency=low @@ -2323,7 +4375,7 @@ lxc (0.7.5-17) unstable; urgency=low * Updating preseed example files. * Updating todo file. - -- Daniel Baumann Wed, 28 Dec 2011 08:10:28 +0100 + -- Daniel Baumann Wed, 28 Dec 2011 08:10:28 +0100 lxc (0.7.5-16) unstable; urgency=low @@ -2353,7 +4405,7 @@ lxc (0.7.5-16) unstable; urgency=low * Adding preseed only option for capabilties dropping in lxc config files of lxc-debconf. - -- Daniel Baumann Mon, 26 Dec 2011 12:13:07 +0100 + -- Daniel Baumann Mon, 26 Dec 2011 12:13:07 +0100 lxc (0.7.5-15) unstable; urgency=low @@ -2370,7 +4422,7 @@ lxc (0.7.5-15) unstable; urgency=low /etc/lxc/decbonf in lxc-debconf. * Updating todo file. - -- Daniel Baumann Mon, 12 Dec 2011 12:14:28 +0100 + -- Daniel Baumann Mon, 12 Dec 2011 12:14:28 +0100 lxc (0.7.5-14) unstable; urgency=low @@ -2396,7 +4448,7 @@ lxc (0.7.5-14) unstable; urgency=low * Reorder entry for console log in default config of lxc-debconf. * Updating preseeding examples for lxc-debconf. - -- Daniel Baumann Sat, 10 Dec 2011 23:20:40 +0100 + -- Daniel Baumann Sat, 10 Dec 2011 23:20:40 +0100 lxc (0.7.5-13) unstable; urgency=low @@ -2438,7 +4490,7 @@ lxc (0.7.5-13) unstable; urgency=low * Adding late command to supported preseeding options in lxc-debconf. * Updating todo file. - -- Daniel Baumann Thu, 08 Dec 2011 14:31:16 +0100 + -- Daniel Baumann Thu, 08 Dec 2011 14:31:16 +0100 lxc (0.7.5-12) unstable; urgency=low @@ -2453,7 +4505,7 @@ lxc (0.7.5-12) unstable; urgency=low * Adding -n and --name option to lxc-halt to better integrate with the rest of the lxc tools. - -- Daniel Baumann Fri, 02 Dec 2011 07:16:07 +0100 + -- Daniel Baumann Fri, 02 Dec 2011 07:16:07 +0100 lxc (0.7.5-11) unstable; urgency=low @@ -2474,7 +4526,7 @@ lxc (0.7.5-11) unstable; urgency=low * Correcting wrong volatile default url for lenny in lxc-debconf. * Correcting typo when upgrading system in lxc-debconf. - -- Daniel Baumann Thu, 01 Dec 2011 06:41:32 +0100 + -- Daniel Baumann Thu, 01 Dec 2011 06:41:32 +0100 lxc (0.7.5-10) unstable; urgency=low @@ -2490,13 +4542,13 @@ lxc (0.7.5-10) unstable; urgency=low * Upgrading cache before copying it in lxc-debconf. * Updating todo file. - -- Daniel Baumann Tue, 29 Nov 2011 20:13:20 +0100 + -- Daniel Baumann Tue, 29 Nov 2011 20:13:20 +0100 lxc (0.7.5-9) unstable; urgency=low * Splitting out linux-container package into own source package. - -- Daniel Baumann Tue, 15 Nov 2011 22:10:17 +0100 + -- Daniel Baumann Tue, 15 Nov 2011 22:10:17 +0100 lxc (0.7.5-8) unstable; urgency=low @@ -2510,7 +4562,7 @@ lxc (0.7.5-8) unstable; urgency=low * Adding config option to disable automatic installation of recommended packages in lxc-debconf. - -- Daniel Baumann Mon, 14 Nov 2011 17:45:27 +0100 + -- Daniel Baumann Mon, 14 Nov 2011 17:45:27 +0100 lxc (0.7.5-7) unstable; urgency=low @@ -2520,7 +4572,7 @@ lxc (0.7.5-7) unstable; urgency=low * Shuffling dist-upgrade arround in lxc-debconf to be active in all modes. - -- Daniel Baumann Fri, 11 Nov 2011 18:53:39 +0100 + -- Daniel Baumann Fri, 11 Nov 2011 18:53:39 +0100 lxc (0.7.5-6) unstable; urgency=low @@ -2581,72 +4633,611 @@ lxc (0.7.5-6) unstable; urgency=low container. * Updating todo files. - -- Daniel Baumann Fri, 11 Nov 2011 15:49:51 +0100 + -- Daniel Baumann Fri, 11 Nov 2011 15:49:51 +0100 -lxc (0.7.5-5) unstable; urgency=low +lxc (0.7.5-3ubuntu52) precise; urgency=low - * Correcting wording in 0.7.5-3 changelog entry. - * Updating copyright file to reflect rewrite of packaging. - * Sorting overrides in rules alphabetically. - * Adding debconf support for managing lxc directory. - * Updating todo files. - * Adding conflicts against cgroup-bin for the time being (Closes: - #647769). - * Silencing update-rc.d calls in linux-container postinst. - * Update bailout in linux-container postinst if disabled. - * Adding error message in lxc-backup and lxc-restore if container - directories do not exist. - * Adding lxc-halt command. - * Correcting indenting in lxc init script. - * Renaming internal command variable to program in lxc init script for - consistency with local lxc tools. - * Allowing to choose shutdown method trough debconf (Closes: #595926). - * Using lxc convenience wrapper in lxc init script. - * Adding manpage for lxc-halt. - * Updating linux-container hostname handling. - - -- Daniel Baumann Sun, 06 Nov 2011 07:53:56 +0100 - -lxc (0.7.5-4) unstable; urgency=low - - * Adding patch to add entry for daemontools-run to /etc/inittab in - debian template if required. - * Adding patch to set a random root password in debian template. - * Updating debian-config.patch to create mount entries for shared data - directory conditionally upon existence. - * Adding patch to silence type call for debootstrap in debian - template. - * Adding patch to avoid warnings about locales if the target locale - and the source locale don't match by using C for all chroot calls - within the debian template. - * Using compression level 9 also for binary packages. - * Adding lxctl to suggests. - * Adding manpage for lxc-list. - * Using more precise program term instead of command when refering to - lxc tools in lxc wrapper. - * Adding manpage for lxc wrapper. - * Correcting typo in conffile name of lxc config script. - * Adding lxc postrm script to remove /etc/default/lxc when purging - package. - * Adding linux-container support package, currently exactely - replicating what lxc-debian does, see readme. - * Updating todo file. - * Adding readme for linux-container package. - * Adjusting wildcard in lxc install file to not include manpages. - * Adding manpages file for lxc to include local manpages. + [ Ben Howard ] + * Fixed image extraction for old releases (LP: #979996). + + [ Timothy Chen ] + * 0072-lxc-shutdown-help: display usage when passed help. (LP: #980905) + * 0073-lxc-destroy-waits-before-destroy: lxc-shutdown waits for the + container to fully stop before it destroys it. (LP: #980902) + + -- Serge Hallyn Mon, 16 Apr 2012 12:02:06 -0500 + +lxc (0.7.5-3ubuntu51) precise; urgency=low + + * 0070-templates-rmdir-dev-shm: in precise containers, rmdir $rootfs/dev/shm + and and create it as a symbolic link to /run/shm. (LP: #974584) + + -- Serge Hallyn Thu, 12 Apr 2012 09:54:22 -0500 + +lxc (0.7.5-3ubuntu50) precise; urgency=low + + [ Stéphane Graber ] + * Minor ubuntu template tweak to add missing space after lxc.network.hwaddr. + + [ Ben Howard ] + * Fixed ubuntu-cloud template user-data handling (LP: 977376) + + -- Ben Howard Mon, 09 Apr 2012 14:24:24 -0600 + +lxc (0.7.5-3ubuntu49) precise; urgency=low + + * debian/lxc-default.apparmor: add mediate_deleted flag (LP: #969299) + + -- Serge Hallyn Mon, 02 Apr 2012 09:38:21 -0500 + +lxc (0.7.5-3ubuntu48) precise; urgency=low + + * debian/lxc-default.apparmor: explicitly silence warnings about attempting + to mount debugfs to /var/lib/ureadahead/debugfs/. + * 0066-confile-typo: fix typo + * debian/lxc.apparmor: allow transition to unconfined + * 0067-templates-lxc-profile: leave a comment in container configs we + create to show how to run it unconfined + * debian/lxc-containers.apparmor: move #include from + debian/lxc-default.apparmor here to prevent policy loading errors when + more container profiles are defined (LP: #969228) + * debian/lxc-default.apparmor: remove obsolete FIXME comment + + -- Serge Hallyn Fri, 30 Mar 2012 15:35:07 -0500 + +lxc (0.7.5-3ubuntu47) precise; urgency=low + + * 0065-fix-bindhome-relpath: use relative path as target for bind mount + in lxc-ubuntu template (LP: #968371) + + -- Serge Hallyn Thu, 29 Mar 2012 22:04:30 +0000 + +lxc (0.7.5-3ubuntu46) precise; urgency=low + + * Allow mqueue to be mounted anywhere (LP: #968326) + + -- Stéphane Graber Thu, 29 Mar 2012 11:34:45 -0400 + +lxc (0.7.5-3ubuntu45) precise; urgency=low + + * 0064-apparmor-mount-proc: mount /proc if we need to before changing + apparmor profile (LP: #963388). (Also fixes two bad error paths) + * lxc.postinst: use the right filename for loading profile + + -- Serge Hallyn Sun, 25 Mar 2012 21:45:03 -0500 + +lxc (0.7.5-3ubuntu44) precise; urgency=low + + * debian/lxc.upstart and debian/lxc.postinst: Don't load policies if mount + restrictions not supported (LP: #961824) + * 0063-check-apparmor-enabled: don't try apparmor transition if aa is not + enabled or doesn't support mount mediation. Also don't fail lxc-init + if container couldn't mount /proc and /sys. + * debian/lxc-default.apparmor: allow container to mount /proc and /sys. + + -- Serge Hallyn Wed, 21 Mar 2012 21:33:08 -0500 + +lxc (0.7.5-3ubuntu43) precise; urgency=low + + * lxc.apparmor: allow all umount activity in lxc-start (LP: #961536) + + -- Serge Hallyn Wed, 21 Mar 2012 14:49:14 -0500 + +lxc (0.7.5-3ubuntu42) precise; urgency=low + + * debian/lxc.postinst: don't try to run apparmor_parser if it doesn't + exist. + + -- Serge Hallyn Wed, 21 Mar 2012 11:35:17 -0500 + +lxc (0.7.5-3ubuntu41) precise; urgency=low + + * add lxc-shutdown command: + - 0060-lxc-shutdown: add the command to the source + - debian/lxc.upstart: use lxc-shutdown to shut down containers cleanly + - debian/lxc.default: add LXC_SHUTDOWN_TIMEOUT (default 120s) + * support per-container apparmor policies: (LP: #953453) + - 0061-lxc-start-apparmor: add lxc.aa_profile to config file. If not + specified, lxc-default profile is used for container. Otherwise, the + specified profile is used. + Note that per-container profiles must be named 'lxc-*'. + - split debian/lxc-default.apparmor from debian/lxc.apparmor. + - have /etc/apparmor.d/lxc-containers #include /etc/apparmor.d/lxc/* + - debian/lxc.postinst: load the new lxc-containers profiles + - debian/lxc.postrm: remove lxc-containers profiles + - debian/rules: make new etc/apparmor.d/lxc dir and copy lxc-default into it + - debian/control: add libapparmor-dev to build-depends + - debian/lxc.upstart: load apparmor per-container policies at pre-start. + * debian/lxc.apparmor: insert the stricter mount rules for lxc-start + (LP: #645625) (LP: #942934) + * debian/local/lxc-start-ephemeral: re-enable aufs option (LP: #960262) + * replace upstream lxc-wait with our own bash script (LP: #951181) + - debian/local/lxc-wait: the script + - debian/rules: copy the script into place + * 0062-templates-relative-paths: update templates to use relative paths, + and make lxc-start always accept /var/lib/lxc/CN/rootfs as target prefix, + to make lvm containers work. (LP: #960860) + + -- Serge Hallyn Wed, 21 Mar 2012 08:20:06 -0500 + +lxc (0.7.5-3ubuntu40) precise; urgency=low + + * Re-enable apparmor profile now that the userspace was fixed. + Some part of the profile are still disabled because of missing kernel + or userspace features, see the FIXMEs for these, hopefully fixed soon. + + -- Stéphane Graber Fri, 16 Mar 2012 19:58:43 -0400 + +lxc (0.7.5-3ubuntu39) precise; urgency=low + + * 0059-reenable-daily-cloudimg: let user specify daily cloud images. + + -- Serge Hallyn Fri, 16 Mar 2012 09:54:43 -0500 + +lxc (0.7.5-3ubuntu38) precise; urgency=low + + * 0058-fixup-ubuntu-cloud: + - fix typo in check for $debug (LP: #955935) + - Download specified release, not always precise + - If cloudimg rootfs.tar.gz does not exist, create one from the base + cloudimg tar.gz. (LP: #955938) + - Explicitly set ubuntu user's password. + - Switch from daily to released stream (per smoser's suggestion). + + -- Serge Hallyn Thu, 15 Mar 2012 17:57:10 -0500 + +lxc (0.7.5-3ubuntu37) precise; urgency=low + + [Serge Hallyn] + * 0057-update-manpages: update manual pages to reflect some new options. + [Gary Poster] + * lxc-start-ephemeral: fix broken use of '-- command' (LP: #954632) + + -- Serge Hallyn Wed, 14 Mar 2012 10:52:44 -0500 + +lxc (0.7.5-3ubuntu36) precise; urgency=low + + [Gary Poster] + * debian/local/lxc-start-ephemeral: make ephemeral bind mounts use a tempfs + for the upper dir, not another overlayfs. Otherwise writes/creates are + not allowed by overlayfs! + + -- Serge Hallyn Mon, 12 Mar 2012 13:22:06 -0500 + +lxc (0.7.5-3ubuntu35) precise; urgency=low + + [Gary Poster] + * lxc-start-ephemeral: convert ephemeral approach to change all bound fstab + mounts; convert binding to also modify fstab + [Benji York] + * lxc-start-ephemeral: munge the fstab and comment out a flaky line + [Serge Hallyn] + * 0056-dont-watch-utmp: don't watch utmp if kernel supports container + reboot. (LP: #948623) + * debian/control: add dh-apparmor to Build-Depends (LP: #948481) + * lxc-start-ephemeral: add '-d' option to daemonize. + * debian/lxc.upstart: don't run post-stop if LXC_AUTO=false (LP: #949362) + + -- Serge Hallyn Mon, 12 Mar 2012 09:51:59 -0500 + +lxc (0.7.5-3ubuntu34) precise; urgency=low + + [Benji York] + * lxc-start-ephemeral: create unique MAC for each new + ephemeral container (LP: #949956) + + -- Scott Moser Thu, 08 Mar 2012 16:23:49 -0500 + +lxc (0.7.5-3ubuntu33) precise; urgency=low + + * Update apparmor profile to temporarily disable it. + This will be reverted once apparmor has been fixed. (LP: #947617) + + -- Stéphane Graber Tue, 06 Mar 2012 12:25:21 -0500 + +lxc (0.7.5-3ubuntu32) precise; urgency=low + + * add user (-u) and key (-S) to lxc-start-ephemeral. (LP: #945183) + + -- benji Fri, 02 Mar 2012 17:20:46 -0500 + +lxc (0.7.5-3ubuntu31) precise; urgency=low + + * 0050-clone-lvm-sizes: make lxc-clone with lvm snapshots create a + snapshot of the same size as the original. (LP: #939765) + * run our dnsmasq as user 'lxc-dnsmasq' (LP: #939774) + - add debian/lxc.postinst to create the user + - debian/lxc.lxc-net.upstart: run dnsmasq as lxc-dnsmasq user + * 0051-lxc-create-lvm-use-1G: bump lvm blockdev size to 1G (LP: #942338) + * 0052-ubuntu-bind-user-conflict: don't create 'ubuntu' user when a user + gets bound in. (LP: #942144) + * 0053-lxc-start-pin-rootfs: don't let the container remount an underlying + shared fs readonly (LP: #942325) + * 0054-ubuntu-debug: add --debug option to ubuntu and ubuntu-cloud + templates (LP: #942847) + * 0055-ubuntu-handle-badgrp: fix the group handling to not assume a user's + group has the user's name. (LP: #942850) + + -- Serge Hallyn Tue, 28 Feb 2012 15:03:45 -0600 + +lxc (0.7.5-3ubuntu30) precise; urgency=low + + [ Serge Hallyn ] + * 0048-warn-if-container-started: If container startup fails because the + container is already running, give an error message to that effect. + (LP: #938765) + + [ Stéphane Graber ] + * 0049-ubuntu-template-sudo-and-cleanup: Always make the user part of the + sudo group. This group has been around since at least 10.04 and is more + reliable than the admin group. Still add the user to the admin group + until 12.04 as some tool expect that. (LP: #938752) + Also fix a minor layout issue in the generate LXC config. + + -- Stéphane Graber Wed, 22 Feb 2012 12:33:32 -0500 + +lxc (0.7.5-3ubuntu29) precise; urgency=low + + * 0047-bindhome-check-shell: + - Make sure to install a bound user's shell in the container. (LP: #936762) + - Create bound user's group in the container. + + -- Serge Hallyn Mon, 20 Feb 2012 14:31:05 -0600 + +lxc (0.7.5-3ubuntu28) precise; urgency=low + + * 0045-fix-other-templates: lots of template fixes. Make sshd, debian, + fedoray, and busybox templates actually work. Fix inconsistent --auth_key + vs --auth-key usage in ubuntu templates. + * 0046-lxc-clone-change-hwaddr - when cloning a container, give it a new + hwaddr. (LP: #934256) + + -- Serge Hallyn Fri, 17 Feb 2012 15:18:19 -0600 + +lxc (0.7.5-3ubuntu27) precise; urgency=low + + [ Graham Binns ] + * debian/local/lxc-start-ephemeral: retry ssh in case sshd was slow in + starting. (LP: #933779) + + -- Serge Hallyn Thu, 16 Feb 2012 16:47:03 -0600 + +lxc (0.7.5-3ubuntu26) precise; urgency=low + + [ Ben Howard ] + * 0043-tweak-templates.patch: + - Add a macaddr to configs created by ubuntu-cloud template + - Add ssh key injection, locales, and tarball specification support to + ubuntu-cloud template. + + [ Serge Hallyn ] + * (also in 0043-tweak-templates.patch) Add a macaddr to configs created by + ubuntu template (LP: #931229) and allow an ssh key to be injected. + * debian/control: add openssl as Recommends as it's now used by the + templates. + * 0044-lxc-destroy-rm-autos: remove autostart symlinks when deleting a + container. (LP: #930525) + + -- Serge Hallyn Wed, 15 Feb 2012 23:33:12 -0600 + +lxc (0.7.5-3ubuntu25) precise; urgency=low + + * 0042-close-fds.patch: add a new --close-all-fds option. Normally if + lxc-start is started with an open fd, it exits with failiure. With + this option specified, the fds will be closed and startup will continue. + --daemon now implies --close-all-fds. (LP: #931220) + + -- Serge Hallyn Mon, 13 Feb 2012 14:03:25 -0600 + +lxc (0.7.5-3ubuntu24) precise; urgency=low + + [ Serge Hallyn ] + * 0040-consoles-into-devlxc.patch: move lxc's console and ttys into + /dev/lxc/, and create symlinks into /dev. (LP: #927519) + + [ Stéphane Graber ] + * 0041-ubuntu-template-user-and-tty: + + Use ubuntu/ubuntu by default instead of root/root + + Set devttydir to /dev/lxc on Precise + + Stop modifying dhclient.conf as the default behavior is identical. + + Stop removing tty[56].conf on Precise + + Do not modify /etc/udev/udev.conf on Precise + + Move information message about default login/password to the end + of the container cration so users can't miss it. + + -- Stéphane Graber Fri, 10 Feb 2012 17:09:15 -0500 + +lxc (0.7.5-3ubuntu23) precise; urgency=low + + * debian/lxc.upstart, debian/lxc.lxc-net.upstart, and debian/rules: + Upstartify lxc. + * remove debian/lxc.init + + -- Serge Hallyn Fri, 10 Feb 2012 10:35:55 -0600 + +lxc (0.7.5-3ubuntu22) precise; urgency=low + + * debian/lxc.init: + - at setup_lxc_bridge, return early if ${LXC_BRIDGE) already exists. + (LP: #929514) + - switch 'ip link show' and 'brctl show' checks for /sys/class/net lookups. + - try to prevent destroying host network setup if /etc/default/lxc is + bad. Set defaults for lxc network variables if unset. + - don't pass along variables as arguments if not needed. + + -- Serge Hallyn Thu, 09 Feb 2012 10:22:20 -0600 + +lxc (0.7.5-3ubuntu21) precise; urgency=low + + * debian/lxc.init: Exit cleanly in undo_network(), to avoid the init.d + script and thus the package installation to fail if the network could not + be configured for LXC. (LP: #929382) + + -- Martin Pitt Thu, 09 Feb 2012 16:47:09 +0100 + +lxc (0.7.5-3ubuntu20) precise; urgency=low + + * Remove lxcguest package. No longer needed in precise. + * ubuntu-cloud template: by default assume non-cloud environment, unless + '-- -C' option is given. Otherwise containers started in a private + environment won't create ssh keys, etc. + * 0039-no-lxcguest-in-p-template: don't install the lxcguest package if + we are creating a precise (or higher) container. + + -- Serge Hallyn Wed, 08 Feb 2012 14:46:43 -0600 + +lxc (0.7.5-3ubuntu19) precise; urgency=low + + * 0036-fix-reboot-detection - actually detect when our kernel supports + container reboot. + * 0037-silence-netstat-errors-in-lxcls - silence netstat warnings in + lxc-ls + * 0038-ubuntu-cloud-template - add a template to create containers based + on the ubuntu cloud images. + + -- Serge Hallyn Tue, 07 Feb 2012 17:35:35 -0600 + +lxc (0.7.5-3ubuntu18) precise; urgency=low + + * lxcguest.lxcguest.upstart: emit the net-device-up IFACE=lo event, so + that any upstart jobs waiting on it (esp rc-sysinit before oneiric) will + proceed. (LP: #924337) + * 0034-fix-lxc-execute-reboot.patch: fix bad handling of 'exit 0' for + lxc-execute introduced with the container reboot handling. (LP: #927863) + * debian/lxcguest.lxcmount.upstart: add '--no-wait' to emit to make sure we + don't wait for the event to be processed. + * 0035-lxc-init-ignore-shm.patch: if lxc-init can't mount /dev/shm, don't + fail on account of that. (LP: #927883) + * debian/lxc.init: if the network is already up, exit before setting the + trap EXIT. - -- Daniel Baumann Fri, 04 Nov 2011 16:55:08 +0100 + -- Serge Hallyn Mon, 06 Feb 2012 17:37:37 -0600 + +lxc (0.7.5-3ubuntu17) precise; urgency=low + + [ Serge Hallyn ] + * 0032-start-check-caps.patch: exit early and with a clear error message + if lxc-start is run with insufficient permissions. (LP: #925520) + * debian/lxc.init: if there is a failure during lxc network setup, clean + up and exit. (LP: #925511) + + [ Stéphane Graber ] + * 0033-ubuntu-template-multiarch.patch: Add support for building + containers using qemu-user-static, using multi-arch to install some + packages of the host architecture so the container boots and works. + * Add qemu-user-static as a Suggest of lxc. + + -- Stéphane Graber Thu, 02 Feb 2012 19:06:19 -0500 + +lxc (0.7.5-3ubuntu16) precise; urgency=low + + * debian/lxc.apparmor: allow write under /sys/fs/cgroup (LP: #924281) + * remove 0032-refuse-console.patch. We'll need to fix the core of the + problem, likely in lxc-start. But /dev/tty is ok for container to + access. + + -- Serge Hallyn Tue, 31 Jan 2012 12:07:22 -0600 + +lxc (0.7.5-3ubuntu15) precise; urgency=low + + * 0032-refuse-console.patch: don't allow access to 5:0, which is the + host's /dev/console. + * debian/lxc.apparmor, debian/rules: install an apparmor profile for + lxc-start. + + -- Serge Hallyn Fri, 27 Jan 2012 13:46:59 -0600 + +lxc (0.7.5-3ubuntu14) precise; urgency=low + + * debian/control: add btrfs-tools to lxc Suggests (LP: #942241) + * 0030-ubuntu-template-fail.patch: make lxc-ubuntu template fail on + error (LP: #922645) + * 0031-ubuntu-template-resolvconf.patch: handle /etc/resolv.conf being + a symlink as is now done by resolvconf by default. (LP: #922706) + * debian/lxcguest.lxcmount.upstart: emit mounted MOUNTPOINT=/run + to make resolvconf start. (LP: #922706) + + -- Serge Hallyn Fri, 27 Jan 2012 11:13:26 -0600 + +lxc (0.7.5-3ubuntu13) precise; urgency=low + + * 0029-btrfs-clone-support.patch: add support for cloning via + btrfs snapshots (LP: #921921). + + -- Scott Moser Thu, 26 Jan 2012 11:38:07 -0500 + +lxc (0.7.5-3ubuntu12) precise; urgency=low + + * If the kernel supports container reboot disambuation, then don't drop + CAP_SYS_BOOT, and (always) try to use it after the container exits. + (LP: #914676) + * 0027-fix-lxc-netstat.patch: fix lxc-netstat for new nested cgroup + handling (LP: #921732) + * 0028-recursively-rmdir-cgroups.patch: if the container has created + any cgroups (i.e. by starting libvirt), make sure to delete those. + (LP: #921808) + + -- Serge Hallyn Wed, 25 Jan 2012 14:22:51 -0600 + +lxc (0.7.5-3ubuntu11) precise; urgency=low + + * 0025-lxc-ubuntu-drop-path-arg.patch: don't show '--path' argument in + help output, and replace --clean with --flush-cache. + + -- Serge Hallyn Tue, 24 Jan 2012 13:10:42 -0600 + +lxc (0.7.5-3ubuntu10) precise; urgency=low + + * lxc-create: when --lvname is specified, use it for lvcreate instead of + the lvname. + + -- Serge Hallyn Mon, 23 Jan 2012 17:24:53 -0600 + +lxc (0.7.5-3ubuntu9) precise; urgency=low + + * 0024-lxc-create-and-clone-fixes.patch: + - add lvm support to lxc-create + - better clean up on lxc-clone error + * debian/control: + - add rsync to lxc Depends, as templates use it. + - add lvm2 to lxc Suggests + + -- Serge Hallyn Fri, 20 Jan 2012 14:34:54 -0600 + +lxc (0.7.5-3ubuntu8) precise; urgency=low + + [ Scott Moser ] + * update 0021-add-dev-full-to-whitelist.patch: + - add 10:228 (/dev/hpet) and 10:232 (/dev/kvm) to devices whitelist in the + ubuntu template (LP: #918946) + + [ Serge Hallyn ] + * debian/lxc.init: don't bail if there is no default route. + * lxc-destroy (in 0022-fix-lxc-destroy-bugs.patch): + - don't delete a running container + - handle case where rootfs is not specififed in config (or config is + corrupt or has been deleted) + - fix broken detection of lvm backing store + * 0023-set-clone-children-earlier.patch: for cpuset in particular, the + clone_children flag must be set at cgroup root. Otherwise we'll fail + to move $$ into /sys/fs/cgroup/cpuset/lxc/tasks. + + -- Serge Hallyn Fri, 20 Jan 2012 10:56:32 -0600 + +lxc (0.7.5-3ubuntu7) precise; urgency=low + + * lxc-ubuntu template: add 1:7 (/dev/full) to whitelist (LP: #918946) + + -- Serge Hallyn Thu, 19 Jan 2012 16:21:48 -0600 + +lxc (0.7.5-3ubuntu6) precise; urgency=low + + * debian/patches/0020-drop-cap-mac-admin.patch - to prevent containers + from loading apparmor policy. + * update 0016-nested-cgroups.patch: create cgroup dirs 0755 so that + unprivileged users can read them (with lxc-ls). + * debian/local/lxc-start-ephemeral: support in-line commands (LP: #914169) + + -- Serge Hallyn Tue, 17 Jan 2012 10:55:20 -0600 + +lxc (0.7.5-3ubuntu5) precise; urgency=low + + [ Robie Basak ] + * debian/patches/0015-ubuntu-templ-use-updates.patch: use ports.ubuntu.com + in sources.list for alternative architectures (LP: #820715). + * debian/patches/0015-ubuntu-templ-use-updates.patch: dist-upgrade in an + isolated environment to avoid leaving a bind mount behind (LP: #913877). + * debian/lxc.{default,init}: call ifconfig with explicit netmask + (LP: #913727). + + [ Serge Hallyn ] + * debian/lxc.default: update the MIRROR example - using 'localhost' + fails for updates after the container has been started. + * debian/lxcguest.console.upstart: pass 'console' not '/dev/console' to + getty. (LP: #913952) + * debian/patches/0015-ubuntu-templ-use-updates.patch: at post_process(), + copy host's /etc/resolv.conf (which may have changed) into chroot before + apt-get actions, and always do a apt-get update before installing lxcguest, + as the package version may have changed in the archive. (LP: #914155) + * 0016-nested-cgroups.patch: nest container cgroups under the host's + init cgroup. (LP: #901482) + * 0017-pull-upstream-fedora-template.patch: move to the upstream + lxc-fedora template (LP: #881903) + * 0018-make-lxc-ps-search-proc.patch: work when cgroups are mounted with + '-n'. + * debian/patches/0019-fix-lxc-ls-nested-cgroups.patch: fix lxc-ls to + handle the support for nested cgroups. (pull this into previous + commit msg before pushing) + + -- Serge Hallyn Tue, 10 Jan 2012 18:51:45 +0000 + +lxc (0.7.5-3ubuntu4) precise; urgency=low + + * add a default bridge for lxc to use. (LP: #801002) + * Add debian/lxc.conf, which gets installed as /etc/lxc/lxc.conf as a + sample, usable, default config. (LP: #823862) + * Add precise to the list of distros + * Add -updates and -security to /etc/apt/sources.list after debootstrap + for container creation (LP: #820715) + + -- Serge Hallyn Thu, 10 Nov 2011 16:00:44 -0600 + +lxc (0.7.5-3ubuntu3) precise; urgency=low + + * lxc-is-container needs to be in lxcguest, not in lxc + + -- Stéphane Graber Fri, 11 Nov 2011 10:42:31 -0500 + +lxc (0.7.5-3ubuntu2) precise; urgency=low + + * Remove auto-generated debian-changes-0.7.5-3ubuntu1. + * Cherry-pick Ubuntu template tweaks from upstream: + - Set a list of capabilities to drop + - Allow containers to create tap devices + - Allow mknod for any device + - Drop mac_override and mac_admin + + -- Stéphane Graber Thu, 10 Nov 2011 10:11:22 -0500 + +lxc (0.7.5-3ubuntu1) precise; urgency=low + + [ Serge Hallyn ] + * Merge from unstable. Remaining changes: + - Add lxcguest package (contains lxc-is-container and upstart jobs) + - debian/control: add cgroup-lite | cgroup-bin Recommends to the lxc package + - debian/lxc.install - README gets (mis-)installed under --with-rootdir. + - remove debian/lxc.{pre,post}inst + - keep debian/lxc.default - removing the now obsolete RUN line, and + adding the new LXC_AUTO variable. + - keep all 000* patches + + 0001-monitor-support-quit.patch + + 0002-fix-personality-segfault.patch + + 0003-non-fatal-unsupported-personality.patch + + 0004-fix-ubuntu-template-only-install-essential.patch + + 0005-fix-sshd-template.patch + + 0006-fix-checkconfig.patch + + 0007-fix-lxc-clone-hostname.patch + + 0008-fix-bindhome-in-template.patch + + 0009-ubuntu-template-drop-resolvconf.patch + + [ Stéphane Graber ] + * Merge from unstable. Remaining changes: + - Remove debian/lxc.templates and debian/lxc.install as we kept our + default file and dropped debian's pre/post i:nst scripts. + - Add lxc-start-ephemeral and lxc-is-container to debian/local + + -- Stéphane Graber Tue, 25 Oct 2011 16:13:32 -0400 lxc (0.7.5-3) unstable; urgency=low - * Aborting early in initscript if lxc is removed but not purged. + * Aborting early in initscript if lxc is not removed but not purged. * Correcting typo in proc mount entry in the default config of the debian template, thanks to Sylvain Collilieux (Closes: #643715). * Correcting incomplete lxc command loop over all containers in initscript, thanks to Biuro (Closes: #643774). - -- Daniel Baumann Fri, 30 Sep 2011 01:01:12 +0200 + -- Daniel Baumann Fri, 30 Sep 2011 01:01:12 +0200 lxc (0.7.5-2) unstable; urgency=low @@ -2670,7 +5261,7 @@ lxc (0.7.5-2) unstable; urgency=low * Listing auto information in lxc-list. * Rewriting initscript. - -- Daniel Baumann Wed, 21 Sep 2011 13:31:51 +0200 + -- Daniel Baumann Wed, 21 Sep 2011 13:31:51 +0200 lxc (0.7.5-1) unstable; urgency=low @@ -2684,7 +5275,125 @@ lxc (0.7.5-1) unstable; urgency=low * Rediffing debian2.patch. * Renaming and renumbering patches. - -- Daniel Baumann Mon, 22 Aug 2011 11:36:00 +0200 + -- Daniel Baumann Mon, 22 Aug 2011 11:36:00 +0200 + +lxc (0.7.5-0ubuntu10) precise; urgency=low + + * debian/patches/0009-ubuntu-template-drop-resolvconf.patch: + Drop resolvconf from package list for oneiric containers. It appears + to stop containers from getting a useful resolv.conf without doing + ifdown; ifup; and is apparently unwanted anyway. (LP: #880020) + * debian/lxcguest.lxcguest.upstart: mkdir /run/lock on boot + (LP: #880030) + * debian/fstab.lxc and debian/fstab.libvirt: mount tmpfs on /run/lock, + not /var/lock (as per new stock /lib/init/fstab). + + -- Serge Hallyn Mon, 24 Oct 2011 11:45:53 -0500 + +lxc (0.7.5-0ubuntu9) precise; urgency=low + + * debian/patches/0008-fix-bindhome-in-template.patch: fix a bug in the + ubuntu template: if the user specified with -b does not exist, a bad + container fstab was created, so that, with no warning or indication of + why, the container failed to start. (LP: #879052) + + -- Serge Hallyn Thu, 20 Oct 2011 14:51:37 -0500 + +lxc (0.7.5-0ubuntu8) oneiric; urgency=low + + * debian/patches/0007-fix-lxc-clone-hostname.patch: make sure $hostname + is defined before it is first used. Reported by Benjamin Saller. + (LP: #850205) + * add missing ; at end of 'send hostname' in dhclient.conf (LP: #851274) + + -- Serge Hallyn Wed, 14 Sep 2011 15:07:25 -0500 + +lxc (0.7.5-0ubuntu7) oneiric; urgency=low + + * Fix lxc-checkconfig to correctly detect support for clone_children, so + as not to erroneously report failure. (LP: #827798) + + -- Serge Hallyn Fri, 02 Sep 2011 17:59:07 +0000 + +lxc (0.7.5-0ubuntu6) oneiric; urgency=low + + * debian/rules: use --with-rootfs-path=/usr/lib/lxc/root. (LP: #838410) + * debian/lxc.dirs: add usr/lib/lxc/root + * fix-sshd-template.patch: + - templates/lxc-sshd.in: add /run/shm to list of directories to create. + Technically /dev/shm needn't be there, as the config will overmount with + the host's /dev. + - Don't fail if we can't create /dev/mqueue. It'll fail anyway (because + /dev is mounted read-only), and we don't really need it. Without this + fix, lxc-init fails to run on ubuntu systems, as the host doesn't have + /dev/mqueue. + + -- Serge Hallyn Thu, 01 Sep 2011 16:01:31 +0000 + +lxc (0.7.5-0ubuntu5) oneiric; urgency=low + + * Update Recommends to prefer cgroup-lite if available (LP: #829628) + + -- Stéphane Graber Thu, 25 Aug 2011 16:04:07 -0400 + +lxc (0.7.5-0ubuntu4) oneiric; urgency=low + + * Chery pick fix for Oneiric template (so ubuntu-minimal gets installed): + - 0004-fix-ubuntu-template-only-install-essential.patch + + -- Stéphane Graber Fri, 12 Aug 2011 15:50:02 -0400 + +lxc (0.7.5-0ubuntu3) oneiric; urgency=low + + * Update lxcguest not to remove /var/run but instead wipe its content. + That's needed since the transition to /run as /var/run is now a symlink. + + -- Stéphane Graber Fri, 12 Aug 2011 12:26:52 -0400 + +lxc (0.7.5-0ubuntu2) oneiric; urgency=low + + * Rename 0015-monitor-support-quit.patch to 0001-monitor-support-quit.patch + * Cherry pick two upstream commits (to fix LXC on ARM) + - personality-segfault.patch + - unsupported-personality.patch + + -- Stéphane Graber Fri, 12 Aug 2011 11:11:04 -0400 + +lxc (0.7.5-0ubuntu1) oneiric; urgency=low + + * New upstream release (0.7.5) + * Patches no longer needed + - diff-to-bcbd102cb + * Patches merged upstream + - 05-fedora.patch + - 0004-add-arm-to-supported-archs.patch + - 0005-dont-use-devpts-in-fstab + - 0006-templates-allow-fuse.patch + - 0007-bindhome-dont-add-groups.patch + - 0008-templates-add-ubuntu-keyring.patch + - 0009-fix-lxc-ps.patch + - 0010-fix-shutdown.patch + - 0011-fix-lxc-ls.patch + - 0012-fix-lxc-netstat.patch + - 0013-unshare-call-cgroup-create.patch + - 0014-lxc-ps-accept-n.patch + - 0016-fix-lxc-ps-typeo.patch + * Remaining patches + - 01-libdir.patch + - 02-distclean.patch + - 03-module-init-tools.patch + - 04-configuration-path.patch + - 06-debian.patch + - 07-debian2.patch + - 0015-monitor-support-quit.patch + + [ Serge Hallyn ] + * add overlayfs support to lxc-start-ephemeral. + * fix comment in debian/fstab.libvirt. + * lxcguest.console.upstart: Don't run in libvirt. as libvirt will symlink + /dev/tty1 to /dev/pts/0, so /etc/init/tty1.conf will run a console. + + -- Stéphane Graber Thu, 11 Aug 2011 14:58:14 -0400 lxc (0.7.4.2-4) unstable; urgency=low @@ -2699,7 +5408,98 @@ lxc (0.7.4.2-4) unstable; urgency=low * Adding patch to disable services in debian template upgrade proof (Closes: #636851). - -- Daniel Baumann Sun, 07 Aug 2011 11:12:30 +0200 + -- Daniel Baumann Sun, 07 Aug 2011 11:12:30 +0200 + +lxc (0.7.4.2-3ubuntu6) oneiric; urgency=low + + * Add lxc-start-ephemeral by Robert Collins (LP: #807351) + * Add a --quit-on-stop arg to lxc-monitor for use by lxc-start-ephemeral. + * Modify lxcguest.conf to clear out /var/run (LP: #819621) + * Fix a bug in lxc-ps when cgroup-bin is not mounted. + * Modify lxc-ps to accept '-n name' and support '--' to separate options + for ps. (LP: #820720) + + -- Serge Hallyn Wed, 03 Aug 2011 19:48:11 -0500 + +lxc (0.7.4.2-3ubuntu5) oneiric; urgency=low + + * debian/patches/0011-fix-lxc-ls.patch: + debian/patches/0012-fix-lxc-netstat.patch: + The cgroup mounts created by cgroup-bin do not show up in /etc/mtab. + lxc-ls and lxc-netstat, as lxc-ps before, assume that /etc/mtab is + symlinked to /proc/mounts. (LP: #819319) + * debian/patches/0013-unshare-call-cgroup-create.patch: + Don't spit out an error when there is no cgroup to remove because the + ns cgroup is not mounted. (LP: #819319) + + -- Serge Hallyn Mon, 01 Aug 2011 09:28:02 -0500 + +lxc (0.7.4.2-3ubuntu4) oneiric; urgency=low + + * debian/patches/0010-fix-shutdown.patch: If /var/run is a symlink to /run + in the container, then opening /proc//root/var/run/utmp will end up + opening the host's utmp. Therefore the hack detecting shutdown through + utmp fails. (LP: #817565) + + -- Serge Hallyn Thu, 28 Jul 2011 12:24:46 -0500 + +lxc (0.7.4.2-3ubuntu3) oneiric; urgency=low + + * debian/patches/0009-fix-lxc-ps.patch: make lxc-ps work when cgroup-bin + is installed. (LP: #817606) + + -- Serge Hallyn Thu, 28 Jul 2011 11:34:23 -0500 + +lxc (0.7.4.2-3ubuntu2) oneiric; urgency=low + + * add ubuntu-keyring to list of packages for oneiric. (LP: #817233) + + -- Serge Hallyn Wed, 27 Jul 2011 15:19:05 -0700 + +lxc (0.7.4.2-3ubuntu1) oneiric; urgency=low + + * Merge from Debian (0.7.4.2-3) (LP: #812892) + - patches: import debian's patches 02-07 + * 06 needed to be ported due to changes upstream + - debian/lxc.manpages: switch to Debian version + - debian/lxc.TODO + - switch README.Debian for lxc.README.Debian from debian package + - remove debian/watch and debian/gbp.conf + - bump debian/compat + - copy debian/copyright from debian package + - copy debian/source/options + - debian/control: increased debhelper version to >= 8. + + * Remaining changes: + - keep debian/patches/diff-to-bcbd102cb to bump to upstream git HEAD + - keep ubuntu patches 0004-0006, which are pending acceptance upstream. + - keep lxcguest package (not in debian): + * debian/control: define package + * debian/fstab.lxc and debian/fstab.libvirt + * debian/lxcguest.console.upstart + * debian/lxcguest.lxcguest.upstart + * debian/lxcguest.lxcmount.upstart + * debian/lxcguest.install + * debian/lxc-is-container: keep Ubuntu-specific script + - debian/local: a new set of scripts, NOT yet merged from Debian. + - debian/lxc.default: keep example MIRROR + - lxc-dev package (not in Ubuntu): + * skip debian/control entry + * skip debian/lxc-dev.install + - debian/lxc.dirs: + * keep Ubuntu-specific entries: + * usr/share/lintian/overrides + * usr/share/doc/lxc/examples + - debian/lxc.docs: only in Ubuntu + - debian/lxc.install: keep Ubuntu version + - debian/rules: keep old version (new debian version is lovely but + fails to build Ubuntu package. + + * debian/patches/0007-bindhome-dont-add-groups.patch: when binding a user + into container, don't auto-insert his groups from the host into the + container (LP: #813403). + + -- Serge Hallyn Fri, 22 Jul 2011 11:47:41 -0500 lxc (0.7.4.2-3) unstable; urgency=low @@ -2715,7 +5515,7 @@ lxc (0.7.4.2-3) unstable; urgency=low * Adding patch to extend architecture static fallback list for powerpc in debian template. - -- Daniel Baumann Fri, 22 Jul 2011 17:40:22 +0200 + -- Daniel Baumann Fri, 22 Jul 2011 17:40:22 +0200 lxc (0.7.4.2-2) unstable; urgency=low @@ -2723,7 +5523,7 @@ lxc (0.7.4.2-2) unstable; urgency=low * Adding debug package. * Switching architecture fields to linux-any. - -- Daniel Baumann Fri, 15 Jul 2011 14:20:57 +0200 + -- Daniel Baumann Fri, 15 Jul 2011 14:20:57 +0200 lxc (0.7.4.2-1) unstable; urgency=low @@ -2756,7 +5556,71 @@ lxc (0.7.4.2-1) unstable; urgency=low * Removing superfluous section field. * Adding todo file. - -- Daniel Baumann Wed, 13 Jul 2011 01:36:32 +0200 + -- Daniel Baumann Wed, 13 Jul 2011 01:36:32 +0200 + +lxc (0.7.4.2-0.3ubuntu4) oneiric; urgency=low + + * introduce lxc-is-container script and 'lxcguest' upstart job which both + detect (the script exploiting the upstart job) whether we are in a + container. (LP: #813075) + + -- Serge Hallyn Tue, 19 Jul 2011 15:16:49 -0500 + +lxc (0.7.4.2-0.3ubuntu3) oneiric; urgency=low + + * Clean up packaging + - remove 0002-disable-debian-checkroot-script.patch: it is wrong. + - remove 0003-squeeze-missing-tty.patch: it is redundant. + - diff-to-bcbd102cb: mark forwarded as not-needed + - 0004-add-arm-to-supported-archs.patch: Add author and description. + - 0004-0006: mark forwarded as yes + - Not renumbering 0004-0006 as that is more confusing, and they + will hopefully go away with 0.7.5. + - remove dh_install calls from rules + - rename lxc.overrides to lxc.lintian-overrides and remove rules entry + to do so + - remove commented out include of /usr/share/cdbs/1/rules/dpatch.mk + + -- Serge Hallyn Tue, 12 Jul 2011 13:08:26 -0500 + +lxc (0.7.4.2-0.3ubuntu2) oneiric; urgency=low + + * Add a Recommend on cgroup-bin (LP: #800456) + + -- Stéphane Graber Thu, 07 Jul 2011 22:49:46 +0200 + +lxc (0.7.4.2-0.3ubuntu1) oneiric; urgency=low + + * Sync upstream 0.7.4.2 + * Add diff up to git head. + - Fix interaction with cgroups-bin (LP: #784093) + - Fix arch support to create i386 containers on amd64 (LP: #798476) + - Support a bind-mounted $HOME with template (LP: #800482) + * add debootstrap to Recommends (LP: #803745) + * debian/patchs updates: + - refresh 0002-disable-debian-checkroot-script.patch + - drop: + * 0004-add-ubuntu-mirrors.patch + * 0005-add-netbase-to-templates.patch + * 0006-fix-template-syntax-error.patch + * 0007-natty-template-install-lxcguest.patch + * 0010-templates-use-dpkg.patch + - renamed and updated: + * 0008-add-arm-to-supported-archs.patch to + 0004-add-arm-to-supported-archs.patch + * 0009-templates-dont-use-devpts-in-fstab to + 0005-dont-use-devpts-in-fstab + * 0011-templates-allow-fuse.patch to + 0006-templates-allow-fuse.patch + * remove unused debian/lxc-start.sh + * include autoreconf.mk to force Makefile.in to be rebuilt + * Remaining changes over debian: + - add lxcguest package + - debian/control + * keep docbook-utils in Build-Depends + - lxc.default: add commented example MIRROR + + -- Serge Hallyn Thu, 07 Jul 2011 13:53:52 -0500 lxc (0.7.4.2-0.3) unstable; urgency=low @@ -2768,14 +5632,14 @@ lxc (0.7.4.2-0.3) unstable; urgency=low for auto started containers (Closes: #632849). * Correct spelling typo in README.Debian. - -- Daniel Baumann Wed, 06 Jul 2011 15:11:37 +0200 + -- Daniel Baumann Wed, 06 Jul 2011 15:11:37 +0200 lxc (0.7.4.2-0.2) unstable; urgency=low * Non-maintainer upload. * Handle empty /etc/lxc/auto (Closes: #632648). - -- Daniel Baumann Tue, 05 Jul 2011 05:58:59 +0200 + -- Daniel Baumann Tue, 05 Jul 2011 05:58:59 +0200 lxc (0.7.4.2-0.1) unstable; urgency=low @@ -2815,7 +5679,118 @@ lxc (0.7.4.2-0.1) unstable; urgency=low [ Daniel Baumann ] * Simplify usage of basename in initscript. - -- Daniel Baumann Mon, 27 Jun 2011 15:04:11 +0200 + -- Daniel Baumann Mon, 27 Jun 2011 15:04:11 +0200 + +lxc (0.7.4-0ubuntu11) oneiric; urgency=low + + * Allow containers to access /dev/fuse (LP: #800886) + + -- Serge Hallyn Wed, 22 Jun 2011 16:06:23 -0500 + +lxc (0.7.4-0ubuntu10) oneiric; urgency=low + + * Import patch from stgraber to use dpkg to decide arch in lxc templates. + This is necessary for templates to work on arm. + + -- Serge Hallyn Fri, 27 May 2011 13:38:19 -0400 + +lxc (0.7.4-0ubuntu9) oneiric; urgency=low + + * lxcguest: Recognize 'LIBVIRT_LXC_UUID' in place of 'container=libvirt' + as proving that upstart is running in a container. + + -- Serge Hallyn Mon, 16 May 2011 14:03:52 -0500 + +lxc (0.7.4-0ubuntu8) oneiric; urgency=low + + * debian/patches/0009-templates-dont-use-devpts-in-fstab: remove devpts + entry from $confdir/container/fstab, as it is not needed, and can + cause the host devpts mount options to change, because it happens + before lxc has done a mount -o newinstance. (LP: #607636) + + -- Serge Hallyn Fri, 06 May 2011 12:08:07 -0500 + +lxc (0.7.4-0ubuntu7) natty; urgency=low + + * lxcguest: for libvirt containers, offer console on /dev/pts/0 rather + than /dev/console. + * lxcguest: offer alternate jobs for libvirt-lxc. Libvirt-lxc doesn't watch + guest's utmp (doesn't support clean shutdown at all) so it can safely + mount its own /var/run and such. Hopefully this can go away after lxc + supports clean shutdown/reboot without the utmp-watching hack. + (LP: #757752) + * debian/fstab.lxc: comment out all entries. /sys gets mounted anyway, + and we need to not overmount /var because otherwise the container parent + won't see utmp, can't see the container is shutdown, and won't kill + the init. Note that when expected kernel functionality to help clean up + container reboot and shutdown comes, these can be uncommented. + (LP: #754655) + + -- Serge Hallyn Fri, 08 Apr 2011 09:02:48 -0500 + +lxc (0.7.4-0ubuntu5) natty; urgency=low + + * Add ARM to list of supported archs - LP: #745884 + + -- Marcin Juszkiewicz Wed, 06 Apr 2011 16:49:15 +0200 + +lxc (0.7.4-0ubuntu4) natty; urgency=low + + * Add lxcguest to the list of packages installed by the natty template. + (LP: #745907) + * Since lxcguest will be installed, don't install our own console.conf, + and don't clear out /lib/init/fstab. + + -- Serge Hallyn Fri, 01 Apr 2011 08:50:36 -0500 + +lxc (0.7.4-0ubuntu3) natty; urgency=low + + * Fix an error in the syntax in the ubuntu templates - they were using + upstart job syntax which is not valid in bash for including the + /etc/default files. (LP: #742770) + * debian/lxc.default: Comment out the example defines so as not to cause + trouble, and fix the default MIRROR. + + -- Serge Hallyn Fri, 25 Mar 2011 15:55:05 -0500 + +lxc (0.7.4-0ubuntu2) natty; urgency=low + + * Fix an error in the syntax in the ubuntu templates - they were using + upstart job syntax which is not valid in bash for including the + /etc/default files. (LP: #742770) + * Now that the /etc/default file is actually sourced, comment out + the example defines. + + -- Serge Hallyn Fri, 25 Mar 2011 15:55:05 -0500 + +lxc (0.7.4-0ubuntu2) natty; urgency=low + + * lxc-natty.in: Adding package "netbase" to debootstrap (LP: #740167) + + -- Ahmed Kamal Tue, 22 Mar 2011 18:47:29 +0200 + +lxc (0.7.4-0ubuntu1) natty; urgency=low + + * New upstream version. + * Refreshed patches, dropped 0005-env.patch since it was already + accepted upstream. + + -- Chuck Short Thu, 10 Mar 2011 07:25:34 -0500 + +lxc (0.7.3.1-0ubuntu1) natty; urgency=low + + * Base on new upstream git tree with new maverick and natty templates, + and able to run without ns cgroup. + * Send a 'container=lxc' variable to upstart. The upstream git has + the same patch, though this tree has it as a quilt patch. + * Add lxcguest package which converts a system into one which can + boot upstart both as a container and a (kvm or bare-metal) host. + * Add a MIRROR default in /etc/default/lxc, and use that in the + debootstrap command in the lucid, maverick and natty templates. + * Remove 0004-restore-lxc.mount-lxc.mount.entry-functionality.patch + which prevents containers from starting. + + -- Serge Hallyn Sun, 23 Jan 2011 17:28:55 -0600 lxc (0.7.3-1) unstable; urgency=low diff -pruN 1:5.0.1-1/debian/contrib/bin/lxc-unpriv-attach 1:5.0.1-0ubuntu6/debian/contrib/bin/lxc-unpriv-attach --- 1:5.0.1-1/debian/contrib/bin/lxc-unpriv-attach 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/contrib/bin/lxc-unpriv-attach 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -#!/bin/bash - -if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then - echo "Can't start an unprivileged container on a pure CGroups v2 host without a systemd user session running." - echo "If you are trying to get a non-interactive user to have unprivileged containers running, you need to" - echo "enable lingering sessions for that user, via loginctl enable-linger ${USER} as root." - exit 1 -fi - -export XDG_RUNTIME_DIR="/run/user/$UID" -export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus" - -/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-attach "$@" diff -pruN 1:5.0.1-1/debian/contrib/bin/lxc-unpriv-start 1:5.0.1-0ubuntu6/debian/contrib/bin/lxc-unpriv-start --- 1:5.0.1-1/debian/contrib/bin/lxc-unpriv-start 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/contrib/bin/lxc-unpriv-start 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -#!/bin/bash - -if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then - echo "Can't start an unprivileged container on a pure CGroups v2 host without a systemd user session running." - echo "If you are trying to get a non-interactive user to have unprivileged containers running, you need to" - echo "enable lingering sessions for that user, via loginctl enable-linger ${USER} as root." - exit 1 -fi - -export XDG_RUNTIME_DIR="/run/user/$UID" -export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus" - -/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-start "$@" diff -pruN 1:5.0.1-1/debian/contrib/default.conf 1:5.0.1-0ubuntu6/debian/contrib/default.conf --- 1:5.0.1-1/debian/contrib/default.conf 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/contrib/default.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,6 +0,0 @@ -lxc.net.0.type = veth -lxc.net.0.link = lxcbr0 -lxc.net.0.flags = up - -lxc.apparmor.profile = generated -lxc.apparmor.allow_nesting = 1 diff -pruN 1:5.0.1-1/debian/contrib/lxc-net 1:5.0.1-0ubuntu6/debian/contrib/lxc-net --- 1:5.0.1-1/debian/contrib/lxc-net 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/contrib/lxc-net 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -USE_LXC_BRIDGE="true" - -# Honor system's dnsmasq configuration -#LXC_DHCP_CONFILE=/etc/dnsmasq.conf diff -pruN 1:5.0.1-1/debian/control 1:5.0.1-0ubuntu6/debian/control --- 1:5.0.1-1/debian/control 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/control 2023-01-19 23:53:14.000000000 +0000 @@ -1,55 +1,69 @@ Source: lxc Section: admin Priority: optional -Maintainer: pkg-lxc -Uploaders: Antonio Terceiro , - Evgeni Golov , - Pierre-Elliott Bécue +Maintainer: Ubuntu Developers Build-Depends: bash-completion, - debhelper-compat (= 13), + debhelper-compat (= 12), dh-apparmor, - dh-exec, docbook2x, - doxygen, - graphviz, - libapparmor-dev, + dpkg-dev (>= 1.16.1~) | hardening-wrapper, + libapparmor-dev (>= 2.8.96~2652-0ubuntu1), libcap-dev, libgnutls28-dev, - liblua5.2-dev, libpam0g-dev, - libseccomp-dev [!alpha !hppa !m68k !sh4 !sparc64], - libselinux-dev, + libseccomp-dev, + libselinux1-dev, + libsystemd-dev, linux-libc-dev, meson, - pkg-config, - systemd -Standards-Version: 4.6.0 -Homepage: https://linuxcontainers.org/ -Vcs-Git: https://salsa.debian.org/lxc-team/lxc.git -Vcs-Browser: https://salsa.debian.org/lxc-team/lxc + pkg-config +Standards-Version: 4.6.0.1 +Homepage: https://linuxcontainers.org +Vcs-Git: https://github.com/lxc/lxc-pkg-ubuntu +Vcs-Browser: https://github.com/lxc/lxc-pkg-ubuntu +Rules-Requires-Root: no Package: lxc +Architecture: all +Depends: lxc-utils (>= ${source:Version}), ${misc:Depends} +Section: oldlibs +Description: Transitional package - lxc -> lxc-utils + This is a transitional dummy package. It can safely be removed. + . + lxc is now replaced by lxc-utils. + +Package: lxc1 +Architecture: all +Depends: lxc-utils (>= ${source:Version}), ${misc:Depends} +Section: oldlibs +Description: Transitional package - lxc1 -> lxc-utils + This is a transitional dummy package. It can safely be removed. + . + lxc1 is now replaced by lxc-utils. + +Package: lxc-dev +Architecture: all +Depends: liblxc-dev (>= ${source:Version}), ${misc:Depends} +Section: oldlibs +Description: Transitional package - lxc-dev -> liblxc-dev + This is a transitional dummy package. It can safely be removed. + . + lxc-dev is now replaced by liblxc-dev. + +Package: lxc-utils Architecture: linux-any Pre-Depends: ${misc:Pre-Depends} -Depends: dnsmasq-base, - iproute2, - liblxc-common (= ${binary:Version}), - lsb-base, - nftables | iptables, +Depends: adduser, + bridge-utils, + dnsmasq-base, + iptables, + liblxc1 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} -Recommends: apparmor, - debootstrap, - dirmngr, - gnupg, - libpam-cgfs, - lxc-templates, - lxcfs, - openssl, - rsync, - uidmap, - wget -Suggests: btrfs-progs, lvm2, python3-lxc +Recommends: libpam-cgfs +Suggests: btrfs-tools, lvm2, lxc-templates, lxctl +Replaces: lxc1 (<< 2.1.1-0ubuntu2~) +Breaks: lxc1 (<< 2.1.1-0ubuntu2~) Description: Linux Containers userspace tools Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be @@ -60,80 +74,81 @@ Description: Linux Containers userspace daemon in a container, or to boot an entire "containerized" system, and to manage and debug your containers. -Package: lxc-dev -Section: libdevel +Package: liblxc-common Architecture: linux-any -Depends: libcap-dev, - liblxc1 (= ${binary:Version}), - libseccomp-dev [!alpha !hppa !m68k !sh4 !sparc64], - libselinux-dev, - lxc (= ${binary:Version}), +Depends: liblxc1 (= ${binary:Version}), + ${lxc:Depends}, ${misc:Depends}, ${shlibs:Depends} -Description: Linux Containers userspace tools (development) +Conflicts: lxc-common +Replaces: lxc-common, + lxc-templates (<< 3.0.0~beta1-0ubuntu1~), + lxc-utils (<< 1:4.0.0-0ubuntu1~), + lxc1 (<< 3.0.0~beta2-0ubuntu2~) +Breaks: lxc-templates (<< 3.0.0~beta1-0ubuntu1~), + lxc-utils (<< 1:4.0.0-0ubuntu1~), + lxc1 (<< 3.0.0~beta2-0ubuntu2~) +Provides: lxc-common +Description: Linux Containers userspace tools (common tools) Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel. . - This package contains the development files. + This package contains a few binaries and security profiles required by + all liblxc users. -Package: lxc-tests +Package: liblxc-dev +Section: libdevel Architecture: linux-any Depends: liblxc1 (= ${binary:Version}), - lxc (= ${binary:Version}), - ${misc:Depends}, - ${shlibs:Depends} -Description: Linux Containers userspace tools (test binaries) + libcap-dev, + libseccomp-dev, + libselinux1-dev, + ${misc:Depends} +Replaces: lxc-dev (<< 2.1.1-0ubuntu2~) +Breaks: lxc-dev (<< 2.1.1-0ubuntu2~) +Description: Linux Containers userspace tools (development) Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel. . - This package contains the test binaries. Those binaries are primarily - used for autopkgtest and by some developers. They are not meant to be - installed on regular user systems. + This package contains the development files. Package: liblxc1 -Section: libs Architecture: linux-any -Multi-Arch: same -Depends: ${misc:Depends}, ${shlibs:Depends} -Suggests: cgroupfs-mount | systemd -Description: Linux Containers userspace tools (library) - Containers are insulated areas inside a system, which have their own namespace - for filesystem, network, PID, IPC, CPU and memory allocation and which can be - created using the Control Group and Namespace features included in the Linux - kernel. - . - This package contains the shared library. - -Package: liblxc-common Section: libs -Architecture: linux-any -Depends: liblxc1 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} -Breaks: lxc (<< 1:4.0.11-1~) -Replaces: lxc (<< 1:4.0.11-1~) +Pre-Depends: ${misc:Pre-Depends} +Depends: cgroup-lite | systemd, + liblxc-common (= ${binary:Version}), + rsync, + ${misc:Depends}, + ${shlibs:Depends} +Recommends: lxcfs, uidmap Description: Linux Containers userspace tools (library) Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel. . - This package contains the common files for the shared library + This package contains the libraries. Package: libpam-cgfs Architecture: linux-any -Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} -Depends: libpam-runtime, +Depends: libpam-runtime (>= 1.0.1-6), ${lxcfs:Depends}, ${misc:Depends}, ${shlibs:Depends} +Replaces: lxc-utils (<< 1:4.0.0-0ubuntu1~) +Breaks: lxc-utils (<< 1:4.0.0-0ubuntu1~) Conflicts: libpam-cgm Description: PAM module for managing cgroups for LXC - LXCFS provides a FUSE based filesystem to improve the LXC experience - within the containers. + Containers are insulated areas inside a system, which have their own namespace + for filesystem, network, PID, IPC, CPU and memory allocation and which can be + created using the Control Group and Namespace features included in the Linux + kernel. . This provides a Pluggable Authentication Module (PAM) to provide logged-in users with a set of cgroups which they can administer. diff -pruN 1:5.0.1-1/debian/copyright 1:5.0.1-0ubuntu6/debian/copyright --- 1:5.0.1-1/debian/copyright 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/copyright 2023-01-10 21:29:10.000000000 +0000 @@ -1,57 +1,15 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: LXC +Upstream-Name: lxc Upstream-Contact: lxc-devel@lists.linuxcontainers.org -Source: http://linuxcontainers.org/downloads/ +Source: https://linuxcontainers.org/downloads/ Files: * -Copyright: 2007-2009 Daniel Lezcano - 2007-2012 IBM Corporation - 2011-2022 Serge Hallyn - 2012-2022 Stéphane Graber - 2015-2022 Canonical Ltd - 2015-2022 Christian Brauner - 2017 Adrian Reber +Copyright: 2007-2013 various LXC contributors (see headers for details) License: LGPL-2.1+ -Files: src/lxc/* -Copyright: 2007-2009 Daniel Lezcano - 2011-2022 Serge Hallyn - 2012-2022 Stéphane Graber - 2012-2015 Dwight Engen - 2015-2022 Canonical Ltd - 2015-2022 Christian Brauner - 2017 Adrian Reber -License: LGPL-2.1+ - -Files: src/lxc/tools/lxc_ls.c src/lxc/tools/lxc_copy.c src/lxc/tools/lxc_destroy.c src/lxc/tools/lxc_checkpoint.c src/lxc/tools/lxc_create.c src/lxc/tools/lxc_snapshot.c -Copyright: 2007-2009 Daniel Lezcano - 2011-2022 Serge Hallyn - 2012-2022 Stéphane Graber - 2012-2015 Dwight Engen - 2015-2022 Canonical Ltd - 2015-2022 Christian Brauner - 2017 Adrian Reber -License: GPL-2+ - -Files: src/include/* -Copyright: 2012-2022 Stéphane Graber - 2015-2022 Canonical Ltd - 2015-2022 Christian Brauner -License: LGPL-2.1+ - -Files: src/include/getgrgid_r.c src/include/getgrgid_r.h src/include/strchrnul.c src/include/strchrnul.h src/include/strlcat.c src/include/strlcat.h src/include/strlcpy.c src/include/strlcpy.h -Copyright: 2012-2022 Stéphane Graber - 2015-2022 Canonical Ltd - 2015-2022 Christian Brauner -License: GPL-2+ - -Files: src/include/bpf_common.h src/include/bpf.h -Copyright: Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com -License: GPL-2+ - -Files: src/include/prlimit.c src/include/prlimit.h -Copyright: 2008 The Android Open Source Project -License: BSD-2-Clause +Files: src/lxc/tools/* +Copyright: 2007-2013 various LXC contributors (see headers for details) +License: GPL-2 Files: src/include/getline.c src/include/getline.h Copyright: 2006 SPARTA, Inc. @@ -61,66 +19,46 @@ Files: src/include/lxcmntent.c src/inclu Copyright: 1995-2013 Free Software Foundation, Inc. License: LGPL-2.1+ -Files: src/tests/* -Copyright: 2011-2022 Serge Hallyn - 2012-2022 Stéphane Graber - 2015-2022 Canonical Ltd - 2012-2015 Dwight Engen - 2012-2013 Oracle - 2015-2022 Christian Brauner -License: GPL-2+ - -Files: src/tests/console.c src/tests/attach.c -Copyright: 2012-2015 Dwight Engen - 2012-2013 Oracle -License: GPL-2+ - -Files: src/tests/lxc_raw_clone.c src/tests/lxc-test-apparmor-generated src/tests/lxc-test-apparmor-mount src/tests/lxc-test-automount src/tests/lxc-test-autostart src/tests/lxc-test-cloneconfig src/tests/lxc-test-createconfig src/tests/lxc-test-exit-code src/tests/lxctest.h src/tests/lxc-test-lxc-attach src/tests/lxc-test-no-new-privs src/tests/lxc-test-procsys src/tests/lxc-test-rootfs src/tests/lxc-test-snapdeps src/tests/lxc-test-unpriv src/tests/lxc-test-usernic.in src/tests/lxc-test-utils.c src/tests/reboot.c -Copyright: 2011-2022 Serge Hallyn - 2012-2022 Stéphane Graber - 2015-2022 Canonical Ltd - 2012-2015 Dwight Engen - 2012-2013 Oracle - 2015-2022 Christian Brauner -License: LGPL-2.1+ - -Files: hooks/clonehostname -Copyright: 2013 Oracle -License: GPL-2+ - -Files: hooks/dhclient-script -Copyright: 1997 Dan Halbert - 1999 Brian J. Murrell -License: GPL-2+ - -Files: hooks/mountecryptfsroot -Copyright: 2011-2013 Canonical Ltd -License: LGPL-2.1+ - -Files: hooks/nvidia -Copyright: 2017, 2018 NVIDIA CORPORATION. License: LGPL-2.1+ - -Files: hooks/squid-deb-proxy-client -Copyright: 2014 Christopher Glass. -License: GPL-2+ - -Files: hooks/unmount-namespace.c -Copyright: 2015 Wolfgang Bumiller -License: GPL-2+ - -Files: debian/* -Copyright: 2011-2015 Daniel Baumann - 2015-2022 Antonio Terceiro - 2016-2017 Evgeni Golov - 2018 Salvatore Bonaccorso - 2018-2022 Pierre-Elliott Bécue -License: GPL-2+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU Lesser General Public + License version 2.1 can be found in the file + `/usr/share/common-licenses/LGPL-2.1'. + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License version 2, as + published by the Free Software Foundation. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. License: BSD-2-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, @@ -137,37 +75,3 @@ License: BSD-2-clause ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -License: GPL-2+ - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 2 of the License, or - (at your option) any later version. - . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - . - You should have received a copy of the GNU General Public License - along with this program. If not, see . - . - The complete text of the GNU General Public License - can be found in /usr/share/common-licenses/GPL-2 file. - -License: LGPL-2.1+ - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation, either version 2.1 of the License, or - (at your option) any later version. - . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Lesser General Public License for more details. - . - You should have received a copy of the GNU Lesser General Public License - along with this program. If not, see . - . - The complete text of the GNU Lesser General Public License - can be found in /usr/share/common-licenses/LGPL-2.1 file. diff -pruN 1:5.0.1-1/debian/gbp.conf 1:5.0.1-0ubuntu6/debian/gbp.conf --- 1:5.0.1-1/debian/gbp.conf 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -[DEFAULT] -pristine-tar = True -debian-branch = master diff -pruN 1:5.0.1-1/debian/liblxc1.install 1:5.0.1-0ubuntu6/debian/liblxc1.install --- 1:5.0.1-1/debian/liblxc1.install 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc1.install 2023-01-10 21:29:10.000000000 +0000 @@ -1 +1,2 @@ -usr/lib/*/liblxc*.so.* +usr/lib/*/*.so.* +usr/lib/*/lxc/rootfs/README diff -pruN 1:5.0.1-1/debian/liblxc1.lintian-overrides 1:5.0.1-0ubuntu6/debian/liblxc1.lintian-overrides --- 1:5.0.1-1/debian/liblxc1.lintian-overrides 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc1.lintian-overrides 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,2 @@ +no-symbols-control-file usr/lib/x86_64-linux-gnu/liblxc.so.* +package-contains-documentation-outside-usr-share-doc usr/lib/x86_64-linux-gnu/lxc/rootfs/README diff -pruN 1:5.0.1-1/debian/liblxc1.symbols 1:5.0.1-0ubuntu6/debian/liblxc1.symbols --- 1:5.0.1-1/debian/liblxc1.symbols 2022-08-01 20:19:45.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc1.symbols 1970-01-01 00:00:00.000000000 +0000 @@ -1,716 +0,0 @@ -liblxc.so.1 liblxc1 #MINVER# -* Build-Depends-Package: lxc-dev -#MISSING: 1:4.0.4# __cgfsng_delegate_controllers@Base 1:4.0.2 -#MISSING: 1:4.0.4# __criu_check_feature@Base 1:3.0.2 -#MISSING: 1:4.0.4# __criu_dump@Base 1:3.0.2 -#MISSING: 1:4.0.4# __criu_pre_dump@Base 1:3.0.2 -#MISSING: 1:4.0.4# __criu_restore@Base 1:3.0.2 -#MISSING: 1:4.0.4# __lxc_start@Base 1:3.0.2 -#MISSING: 1:4.0.4# __netlink_recv@Base 1:3.0.2 -#MISSING: 1:4.0.4# __netlink_send@Base 1:3.0.2 -#MISSING: 1:4.0.4# __netlink_transaction@Base 1:3.0.2 - __safe_mount_beneath_at@Base 1:4.0.5 -#MISSING: 1:5.0.1# __unlockpt@Base 1:5.0.0 -#MISSING: 1:4.0.4# add_elem_to_mount_list@Base 1:4.0.2 -#MISSING: 1:4.0.4# add_required_remount_flags@Base 1:3.0.2 -#MISSING: 1:4.0.4# addattr@Base 1:3.0.2 -#MISSING: 1:4.0.4# append_unexp_config_line@Base 1:3.0.2 -#MISSING: 1:4.0.4# attach_block_device@Base 1:3.0.2 -#MISSING: 1:4.0.4# attach_nbd@Base 1:3.0.2 -#MISSING: 1:4.0.4# blk_getsize@Base 1:3.0.2 -#MISSING: 1:4.0.4# bpf_devices_cgroup_supported@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_list_add_device@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_append_device@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_cgroup_attach@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_cgroup_detach@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_finalize@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_free@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_init@Base 1:4.0.2 -#MISSING: 1:4.0.4# bpf_program_new@Base 1:4.0.2 -#MISSING: 1:4.0.4# btrfs_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_create_clone@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_create_snapshot@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_list_get_path_rootid@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_same_fs@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_snapshot@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_snapshot_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_try_remove_subvol@Base 1:3.0.2 -#MISSING: 1:4.0.4# btrfs_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# cgfsng_devices_activate@Base 1:4.0.2 -#MISSING: 1:4.0.4# cgfsng_monitor_delegate_controllers@Base 1:4.0.2 -#MISSING: 1:4.0.4# cgfsng_ops_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# cgfsng_payload_delegate_controllers@Base 1:4.0.2 -#MISSING: 1:4.0.4# cgfsng_payload_finalize@Base 1:4.0.2 -#MISSING: 1:4.0.4# cgns_supported@Base 1:3.0.2 -#MISSING: 1:4.0.4# cgroup_attach@Base 1:4.0.2 -#MISSING: 1:4.0.4# cgroup_exit@Base 1:3.0.2 -#MISSING: 1:4.0.4# cgroup_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# choose_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# chown_mapped_root@Base 1:3.0.2 -#MISSING: 1:4.0.4# chown_mapped_root_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# clear_unexp_config_line@Base 1:3.0.2 -#MISSING: 1:4.0.4# clone_update_unexp_hooks@Base 1:3.0.2 -#MISSING: 1:4.0.4# clone_update_unexp_ovl_paths@Base 1:3.0.2 -#MISSING: 1:4.0.4# config_ip_prefix@Base 1:3.0.2 -#MISSING: 1:4.0.4# container_disk_lock@Base 1:3.0.2 -#MISSING: 1:4.0.4# container_disk_unlock@Base 1:3.0.2 -#MISSING: 1:4.0.4# container_mem_lock@Base 1:3.0.2 -#MISSING: 1:4.0.4# container_mem_unlock@Base 1:3.0.2 - current_config@Base 1:3.0.2 -#MISSING: 1:4.0.4# detach_block_device@Base 1:3.0.2 -#MISSING: 1:4.0.4# detach_nbd_idx@Base 1:3.0.2 -#MISSING: 1:4.0.4# detect_fs@Base 1:3.0.2 -#MISSING: 1:4.0.4# detect_ramfs_rootfs@Base 1:3.0.2 -#MISSING: 1:4.0.4# detect_shared_rootfs@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_exists@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_mount@Base 1:3.0.2 -#MISSING: 1:3.0.4# dir_new_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# dir_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# do_append_unexp_config_line@Base 1:3.0.2 -#MISSING: 1:4.0.4# do_mkfs_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# do_resolve_add_rule@Base 1:3.0.2 -#MISSING: 1:4.0.4# fd_cloexec@Base 1:3.0.2 -#MISSING: 1:4.0.4# fd_to_buf@Base 1:4.0.2 -#MISSING: 1:4.0.4# fd_to_fd@Base 1:3.0.4 -#MISSING: 1:4.0.4# fdopen_cached@Base 1:4.0.2 -#MISSING: 1:4.0.4# fhas_fs_type@Base 1:3.0.2 -#MISSING: 1:4.0.4# file_exists@Base 1:3.0.2 -#MISSING: 1:4.0.4# file_to_buf@Base 1:3.0.3 -#MISSING: 1:4.0.4# find_fstype_cb@Base 1:3.0.2 -#MISSING: 1:4.0.4# find_unmapped_nsid@Base 1:3.0.2 -#MISSING: 1:4.0.4# fix_stdio_permissions@Base 1:4.0.2 -#MISSING: 1:4.0.4# fnv_64a_buf@Base 1:3.0.2 -#MISSING: 1:4.0.4# fopen_cached@Base 1:4.0.2 -#MISSING: 1:4.0.4# fopen_cloexec@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_btrfs_subvol_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_cgroup_version@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_fssize@Base 1:3.0.3 -#MISSING: 1:4.0.4# get_hierarchy@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_hostarch@Base 1:3.0.2 -#MISSING: 1:4.0.2# get_mapped_rootid@Base 1:3.0.2 -#MISSING: 1:4.0.2# get_minimal_idmap@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_new_ctx@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_ns_gid@Base 1:3.0.3 -#MISSING: 1:4.0.4# get_ns_uid@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_rundir@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_template_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# get_u16@Base 1:3.0.2 -#MISSING: 1:4.0.4# has_fs_type@Base 1:3.0.2 -#MISSING: 1:4.0.4# id128_to_uuid_string@Base 1:3.0.4 -#MISSING: 1:4.0.4# in_caplist@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_blktype@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_btrfs_fs@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_btrfs_subvol@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_cgroupfs_v1@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_cgroupfs_v2@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_dir@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_fs_type@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_ovs_bridge@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_shared_mountpoint@Base 1:4.0.2 -#MISSING: 1:4.0.4# is_valid_storage_type@Base 1:3.0.2 -#MISSING: 1:4.0.4# is_wlan@Base 1:4.0.2 -#MISSING: 1:4.0.4# linkderef@Base 1:3.0.2 - list_active_containers@Base 1:3.0.2 - list_all_containers@Base 1:3.0.2 - list_defined_containers@Base 1:3.0.2 -#MISSING: 1:4.0.4# loop_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# loop_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# loop_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# loop_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# loop_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# loop_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_apparmor_drv_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_enabled@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_keyring_label_set@Base 1:4.0.2 -#MISSING: 1:4.0.4# lsm_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_nop_drv_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_process_cleanup@Base 1:3.0.3 -#MISSING: 1:4.0.4# lsm_process_label_fd_get@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_process_label_get@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_process_label_set@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_process_label_set_at@Base 1:3.0.2 -#MISSING: 1:4.0.4# lsm_process_prepare@Base 1:3.0.3 -#MISSING: 1:4.0.4# lsm_selinux_drv_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_compare_lv_attr@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_create_clone@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_create_snapshot@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_is_thin_pool@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_is_thin_volume@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# lvm_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abort@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_close@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_connect@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_open@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_rcv_credential@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_recv_fds@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_send_credential@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_send_fds@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_abstract_unix_send_fds_iov@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_add_state_client@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_allocate_ttys@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ambient_caps_down@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ambient_caps_up@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_append_null_to_array@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_append_paths@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_append_string@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_array_len@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_attach@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_attach_remount_sys_proc@Base 1:4.0.2 - lxc_attach_run_command@Base 1:3.0.2 - lxc_attach_run_shell@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_bridge_attach@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_can_use_pidfd@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_caps_down@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_caps_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_caps_last_cap@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_caps_up@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_char_left_gc@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_char_right_gc@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_check_inherited@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_chroot@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_apparmor_raw@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_clear_automounts@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_cgroup2_devices@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_clear_cgroups@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_config_caps@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_config_keepcaps@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_environment@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_groups@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_hooks@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_idmaps@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_includes@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_limits@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_mount_entries@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_namespace@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_clear_procs@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clear_sysctls@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_clone@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_add_bpf_device_cgroup@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_cmd_add_state_client@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_connect@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_console@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_console_log@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_freeze@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_cgroup2_fd@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_cgroup_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_clone_flags@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_config_item@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_init_pid@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_init_pidfd@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_lxcpath@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_get_state@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_mainloop_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_seccomp_notify_add_listener@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_cmd_serve_state_clients@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_sock_get_state@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_sock_rcv_state@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_stop@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_terminal_winch@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_cmd_unfreeze@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_conf_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_conf_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_config_define_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_config_define_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_config_define_load@Base 1:3.0.2 - lxc_config_item_is_supported@Base 1:3.0.2 -#MISSING: 1:3.0.4# lxc_config_net_hwaddr@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_config_net_is_hwaddr@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_config_parse_arch@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_config_read@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_config_value_empty@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_console@Base 1:3.0.2 - lxc_container_get@Base 1:3.0.2 - lxc_container_new@Base 1:3.0.2 - lxc_container_put@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_convert_mac@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_count_file_lines@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_create_network@Base 1:4.0.2 -#MISSING: 1:4.0.2# lxc_create_network_priv@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_create_network_unpriv@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_create_tmp_proc_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_delete_network@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_delete_network_priv@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_delete_network_unpriv@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_delete_tty@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_deslashify@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_end@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_error_set_and_log@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_execute@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_file_cap_is_set@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_file_for_each_line@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_file_for_each_line_mmap@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_fill_elevated_privileges@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_fill_namespace_flags@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_find_gateway_addresses@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_find_next_power2@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_fini@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_free_array@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_free_handler@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_free_networks@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_freeze@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_get_conf_bool@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_get_conf_int@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_get_conf_size_t@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_get_conf_str@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_get_conf_uint64@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_get_config@Base 1:3.0.2 - lxc_get_global_config_item@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_get_netdev_by_idx@Base 1:3.0.2 - lxc_get_version@Base 1:3.0.2 - lxc_get_wait_states@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_getstate@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_global_config_value@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_grow_array@Base 1:3.0.2 - lxc_has_api_extension@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_id128_randomize@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_id128_write@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_id128_write_fd@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_ifname_alnum_case_sensitive@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_inherit_namespace@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_init_handler@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ip_forwarding_off@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_ip_forwarding_on@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_ipv4_addr_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ipv4_addr_get@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_ipv4_dest_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ipv4_gateway_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ipv6_addr_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ipv6_addr_get@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_ipv6_dest_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ipv6_gateway_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ipvlan_flag_to_isolation@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_ipvlan_flag_to_mode@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_ipvlan_isolation_to_flag@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_ipvlan_mode_to_flag@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_is_line_empty@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_list_config_items@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_list_net@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_list_subkeys@Base 1:3.0.2 - lxc_log_category_af_unix@Base 1:3.0.2 - lxc_log_category_apparmor@Base 1:3.0.2 - lxc_log_category_attach@Base 1:3.0.2 - lxc_log_category_btrfs@Base 1:3.0.2 - lxc_log_category_caps@Base 1:3.0.2 - lxc_log_category_cgfsng@Base 1:3.0.2 - lxc_log_category_cgroup2_devices@Base 1:4.0.2 - lxc_log_category_cgroup@Base 1:3.0.2 - lxc_log_category_cgroup_utils@Base 1:4.0.10 - lxc_log_category_commands@Base 1:3.0.2 - lxc_log_category_commands_utils@Base 1:3.0.2 - lxc_log_category_conf@Base 1:3.0.2 - lxc_log_category_confile@Base 1:3.0.2 - lxc_log_category_confile_utils@Base 1:3.0.2 - lxc_log_category_criu@Base 1:3.0.2 - lxc_log_category_dir@Base 1:3.0.2 - lxc_log_category_error@Base 1:3.0.2 - lxc_log_category_execute@Base 1:3.0.2 - lxc_log_category_freezer@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_category_initutils@Base 1:3.0.2 - lxc_log_category_log@Base 1:3.0.2 - lxc_log_category_loop@Base 1:3.0.2 - lxc_log_category_lsm@Base 1:3.0.2 - lxc_log_category_lvm@Base 1:3.0.2 - lxc_log_category_lxc@Base 1:3.0.2 - lxc_log_category_lxccontainer@Base 1:3.0.2 - lxc_log_category_lxclock@Base 1:3.0.2 - lxc_log_category_mainloop@Base 1:4.0.11 - lxc_log_category_monitor@Base 1:3.0.2 - lxc_log_category_mount_utils@Base 1:4.0.4 - lxc_log_category_namespace@Base 1:3.0.2 - lxc_log_category_nbd@Base 1:3.0.2 - lxc_log_category_network@Base 1:3.0.2 - lxc_log_category_nl@Base 1:3.0.3 - lxc_log_category_overlay@Base 1:3.0.2 - lxc_log_category_parse@Base 1:3.0.2 - lxc_log_category_process_utils@Base 1:4.0.4 - lxc_log_category_rbd@Base 1:3.0.2 - lxc_log_category_rsync@Base 1:3.0.2 - lxc_log_category_seccomp@Base 1:3.0.2 - lxc_log_category_selinux@Base 1:3.0.2 - lxc_log_category_start@Base 1:3.0.2 - lxc_log_category_state@Base 1:3.0.2 - lxc_log_category_storage@Base 1:3.0.2 - lxc_log_category_storage_utils@Base 1:3.0.2 - lxc_log_category_sync@Base 1:3.0.2 - lxc_log_category_terminal@Base 1:3.0.2 - lxc_log_category_utils@Base 1:3.0.2 - lxc_log_category_zfs@Base 1:3.0.2 - lxc_log_close@Base 1:3.0.2 - lxc_log_configured_netdevs@Base 1:3.0.2 - lxc_log_enable_syslog@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_configured_netdevs@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_enable_syslog@Base 1:3.0.2 - lxc_log_fd@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_get_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_get_level@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_get_prefix@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_has_valid_level@Base 1:3.0.2 - lxc_log_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_options_no_override@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_set_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_set_level@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_set_prefix@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_log_syslog@Base 1:3.0.2 - lxc_log_use_global_fd@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_macvlan_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_macvlan_flag_to_mode@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_macvlan_mode_to_flag@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_mainloop@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_mainloop_add_handler@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_mainloop_close@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_mainloop_del_handler@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_mainloop_open@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_make_abstract_socket_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_make_controlling_terminal@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_make_tmpfile@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_map_ids@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_map_ids_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_mkifname@Base 1:3.0.2 -#MISSING: 1:4.0.11# lxc_monitor_close@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_fifo_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_open@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_read@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_read_fdset@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_read_timeout@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_send_exit_code@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_send_state@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitor_sock_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_monitord_spawn@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_mount_proc_if_needed@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_namespace_2_cloneflag@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_namespace_2_ns_idx@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_namespace_2_std_identifiers@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_neigh_proxy_off@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_neigh_proxy_on@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_net_type_to_str@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_delete_by_index@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_delete_by_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_down@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_isup@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_move_by_index@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_move_by_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_move_wlan@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_netdev_rename_by_index@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_rename_by_name@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_set_mtu@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netdev_up@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_netns_get_nsid@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_netns_set_nsid@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_network_add@Base 1:3.0.2 - lxc_network_info@Base 1:4.0.10 -#MISSING: 1:4.0.4# lxc_network_move_created_netdev_priv@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_network_recv_from_parent@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_network_recv_name_and_ifindex_from_child@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_network_recv_veth_names_from_parent@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_network_send_name_and_ifindex_to_parent@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_network_send_to_child@Base 1:4.0.2 -#MISSING: 1:4.0.2# lxc_network_send_veth_names_to_child@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_newlock@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_nic_exists@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_normalize_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_open_dirfd@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_ovs_delete_port@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_pclose@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_poll@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_popen@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_prepare_loop_dev@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_preserve_ns@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_proc_cap_is_set@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_putlock@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_pwrite_nointr@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_quiet_specified@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_raw_clone@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_raw_clone_cb@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_raw_execveat@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_raw_pidfd_send_signal@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_read_file_expect@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_read_from_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_read_nointr@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_read_nointr_expect@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_read_seccomp_config@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_readat@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_recv_nointr@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_recvmsg_nointr_iov@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_remove_nic_by_idx@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_requests_empty_network@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_restore_phys_nics_to_netns@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_rexec@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_ringbuf_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ringbuf_move_read_addr@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ringbuf_read@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_ringbuf_write@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_rm_rf@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_rmdir_onedev@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_rsync@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_rsync_exec@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_rsync_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_safe_int@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_safe_long@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_safe_long_long@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_safe_uint64@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_safe_uint@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_safe_ulong@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_seccomp_add_notifier@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_seccomp_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_seccomp_load@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_seccomp_recv_notifier_fd@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_seccomp_send_notifier_fd@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_seccomp_setup_proxy@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_send_nointr@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_sendfile_nointr@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_serve_state_clients@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_set_config_item_locked@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_set_death_signal@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_set_state@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_setgroups@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_setup@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_setup_keyring@Base 1:3.0.3 -#MISSING: 1:4.0.4# lxc_setup_network_in_child_namespaces@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_setup_rootfs_prepare_root@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_setup_tios@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_socket_set_timeout@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_start@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_state2str@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_storage_get_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_storage_rsync_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_str2state@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_in_array@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_in_list@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_join@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_replace@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_split@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_split_and_trim@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_string_split_quoted@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_strmmap@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_strmunmap@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_switch_uid_gid@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_barrier_child@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_barrier_parent@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_fini@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_fini_child@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_fini_parent@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_wait_child@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_wait_parent@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_wake_child@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_sync_wake_parent@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_allocate@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_conf_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_create_log_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_delete@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_getfd@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_info_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_init@Base 1:3.0.2 -#MISSING: 1:3.0.4# lxc_terminal_init_global@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_io_cb@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_mainloop_add@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_map_ids@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_master_cb@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_prepare_login@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_set_stdfds@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_setup@Base 1:3.0.2 -#MISSING: 1:4.0.2# lxc_terminal_signal_fini@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_signal_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_signalfd_cb@Base 1:3.0.2 -#MISSING: 1:3.0.4# lxc_terminal_sigwinch@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_stdin_cb@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_winsz@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_terminal_write_ringbuffer@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_trim_whitespace_in_place@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_try_cmd@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_unfreeze@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_unix_connect@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_unix_connect_type@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_unix_send_fds@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_unix_sockaddr@Base 1:3.0.4 -#MISSING: 1:4.0.4# lxc_unstack_mountpoint@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_va_arg_list_to_argv@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_va_arg_list_to_argv_const@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_veth_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_veth_mode_to_flag@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_vlan_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_wait@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_wait_for_pid_status@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_write_nointr@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_write_openat@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_write_to_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxc_writeat@Base 1:4.0.2 -#MISSING: 1:4.0.4# lxc_zero_handler@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxchook_names@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxclock@Base 1:3.0.2 -#MISSING: 1:4.0.4# lxcunlock@Base 1:3.0.2 -#MISSING: 1:4.0.4# make_anonymous_mount_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# mapped_hostid@Base 1:3.0.2 -#MISSING: 1:4.0.4# mkdir_p@Base 1:3.0.2 - mod_all_rdeps@Base 1:3.0.2 -#MISSING: 1:4.0.4# mount_unknown_fs@Base 1:3.0.2 -#MISSING: 1:4.0.4# must_append_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# must_concat@Base 1:3.0.2 -#MISSING: 1:4.0.4# must_copy_string@Base 1:3.0.2 -#MISSING: 1:4.0.4# must_make_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# must_realloc@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_ops@Base 1:3.0.2 -#MISSING: 1:4.0.4# nbd_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# netdev_get_flag@Base 1:3.0.2 -#MISSING: 1:4.0.4# netdev_get_mtu@Base 1:3.0.2 -#MISSING: 1:4.0.4# netdev_set_flag@Base 1:3.0.2 -#MISSING: 1:4.0.4# netlink_close@Base 1:3.0.2 -#MISSING: 1:4.0.4# netlink_open@Base 1:3.0.2 -#MISSING: 1:4.0.4# netlink_rcv@Base 1:3.0.2 -#MISSING: 1:4.0.4# netlink_send@Base 1:3.0.2 -#MISSING: 1:4.0.4# netlink_transaction@Base 1:3.0.2 -#MISSING: 1:4.0.4# netns_freeifaddrs@Base 1:3.0.3 -#MISSING: 1:4.0.4# netns_getifaddrs@Base 1:3.0.3 -#MISSING: 1:4.0.4# network_ifname@Base 1:3.0.2 -#MISSING: 1:4.0.4# network_new_hwaddrs@Base 1:3.0.2 -#MISSING: 1:4.0.4# new_hwaddr@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_begin_nested@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_end_nested@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_put_attr@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_put_buffer@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_put_string@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_put_u16@Base 1:3.0.2 -#MISSING: 1:4.0.4# nla_put_u32@Base 1:3.0.2 -#MISSING: 1:4.0.4# nlmsg_alloc@Base 1:3.0.2 -#MISSING: 1:4.0.4# nlmsg_alloc_reserve@Base 1:3.0.2 -#MISSING: 1:4.0.4# nlmsg_data@Base 1:3.0.2 -#MISSING: 1:4.0.4# nlmsg_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# nlmsg_len@Base 1:3.0.2 -#MISSING: 1:4.0.4# nlmsg_reserve@Base 1:3.0.2 -#MISSING: 1:4.0.4# ns_info@Base 1:3.0.2 -#MISSING: 1:4.0.4# null_stdfds@Base 1:3.0.2 -#MISSING: 1:4.0.4# on_path@Base 1:3.0.2 -#MISSING: 1:4.0.4# open_devnull@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_get_lower@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_get_rootfs@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_mkdir@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# ovl_update_abs_paths@Base 1:3.0.2 -#MISSING: 1:4.0.4# parse_byte_size_string@Base 1:3.0.2 -#MISSING: 1:4.0.4# parse_idmaps@Base 1:3.0.2 -#MISSING: 1:3.0.4# parse_limit_value@Base 1:3.0.2 -#MISSING: 1:4.0.4# parse_mntopts@Base 1:3.0.2 -#MISSING: 1:4.0.4# parse_propagationopts@Base 1:3.0.2 -#MISSING: 1:4.0.4# pin_rootfs@Base 1:3.0.2 -#MISSING: 1:4.0.4# print_to_file@Base 1:3.0.2 -#MISSING: 1:4.0.4# process_lock@Base 1:3.0.2 -#MISSING: 1:4.0.4# process_unlock@Base 1:3.0.2 -#MISSING: 1:4.0.4# prune_init_scope@Base 1:3.0.2 -#MISSING: 1:4.0.4# rand_complete_hwaddr@Base 1:3.0.2 -#MISSING: 1:4.0.4# randseed@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_create_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_delete_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_map_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_umount@Base 1:3.0.2 -#MISSING: 1:4.0.4# rbd_unmap_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.2# recursive_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# remount_all_slave@Base 1:3.0.2 -#MISSING: 1:4.0.4# remove_trailing_newlines@Base 1:3.0.2 -#MISSING: 1:4.0.4# remove_trailing_slashes@Base 1:3.0.2 -#MISSING: 1:4.0.4# requires_nbd@Base 1:3.0.2 -#MISSING: 1:4.0.4# resolve_clone_flags@Base 1:3.0.2 -#MISSING: 1:4.0.4# rootfs_is_blockdev@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnetlink_close@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnetlink_open@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnetlink_rcv@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnetlink_send@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnetlink_transaction@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnlmsg_alloc@Base 1:3.0.2 -#MISSING: 1:4.0.4# rtnlmsg_free@Base 1:3.0.2 -#MISSING: 1:4.0.4# run_command@Base 1:3.0.2 -#MISSING: 1:4.0.4# run_command_internal@Base 1:3.0.4 -#MISSING: 1:4.0.4# run_command_status@Base 1:3.0.4 -#MISSING: 1:4.0.4# run_lxc_hooks@Base 1:3.0.2 -#MISSING: 1:4.0.4# run_script@Base 1:3.0.2 -#MISSING: 1:4.0.4# run_script_argv@Base 1:3.0.2 -#MISSING: 1:4.0.4# safe_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# seccomp_conf_init@Base 1:4.0.2 -#MISSING: 1:4.0.4# seccomp_notify_handler@Base 1:4.0.2 -#MISSING: 1:4.0.4# set_config_bool_item@Base 1:4.0.2 -#MISSING: 1:4.0.4# set_config_path_item@Base 1:3.0.2 -#MISSING: 1:4.0.4# set_config_string_item@Base 1:3.0.2 -#MISSING: 1:4.0.4# set_config_string_item_max@Base 1:3.0.2 -#MISSING: 1:4.0.4# set_stdfds@Base 1:3.0.2 -#MISSING: 1:4.0.4# setproctitle@Base 1:3.0.2 -#MISSING: 1:4.0.4# setup_private_host_hw_addr@Base 1:3.0.2 -#MISSING: 1:4.0.4# setup_proc_filesystem@Base 1:3.0.2 -#MISSING: 1:4.0.4# setup_resource_limits@Base 1:3.0.2 -#MISSING: 1:4.0.4# setup_sysctl_parameters@Base 1:3.0.2 -#MISSING: 1:4.0.4# should_default_to_snapshot@Base 1:3.0.2 -#MISSING: 1:4.0.4# sig_parse@Base 1:3.0.2 -#MISSING: 1:4.0.4# sort_cgroup_settings@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_can_backup@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_copy@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_destroy_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_get@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_init@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_is_dir@Base 1:3.0.2 -#MISSING: 1:4.0.4# storage_put@Base 1:3.0.2 -#MISSING: 1:4.0.11# strlcat@Base 1:3.0.2 -#MISSING: 1:4.0.11# strlcpy@Base 1:3.0.2 -#MISSING: 1:4.0.4# suggest_default_idmap@Base 1:3.0.2 -#MISSING: 1:4.0.4# switch_to_ns@Base 1:3.0.2 -#MISSING: 1:4.0.4# task_blocks_signal@Base 1:3.0.2 -#MISSING: 1:4.0.4# test_writeable_v1@Base 1:3.0.2 -#MISSING: 1:4.0.4# test_writeable_v2@Base 1:3.0.2 -#MISSING: 1:4.0.4# tmp_proc_unmount@Base 1:3.0.2 -#MISSING: 1:4.0.4# unified_cgroup_hierarchy@Base 1:4.0.2 -#MISSING: 1:4.0.4# unpriv_snap_allowed@Base 1:3.0.2 -#MISSING: 1:3.0.4# update_hwaddr@Base 1:3.0.2 -#MISSING: 1:4.0.4# userns_exec_1@Base 1:3.0.2 -#MISSING: 1:4.0.4# userns_exec_full@Base 1:3.0.2 -#MISSING: 1:4.0.4# userns_exec_minimal@Base 1:4.0.2 -#MISSING: 1:4.0.4# wait_for_pid@Base 1:3.0.2 -#MISSING: 1:4.0.4# wait_for_pidfd@Base 1:4.0.2 -#MISSING: 1:4.0.4# write_config@Base 1:3.0.2 -#MISSING: 1:4.0.4# write_id_mapping@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_clone_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_clonepaths@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_copy@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_create@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_create_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_delete_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_destroy@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_detect@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_detect_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_get_parent_snapshot_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_mount@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_snapshot@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_snapshot_exec_wrapper@Base 1:3.0.2 -#MISSING: 1:4.0.4# zfs_umount@Base 1:3.0.2 diff -pruN 1:5.0.1-1/debian/liblxc-common.install 1:5.0.1-0ubuntu6/debian/liblxc-common.install --- 1:5.0.1-1/debian/liblxc-common.install 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc-common.install 2023-01-10 21:29:10.000000000 +0000 @@ -1,9 +1,8 @@ etc/apparmor.d -usr/lib/*/lxc/rootfs -usr/libexec/lxc/hooks -usr/libexec/lxc/lxc-apparmor-load -usr/libexec/lxc/lxc-monitord -usr/libexec/lxc/lxc-user-nic +usr/lib/*/lxc/hooks +usr/lib/*/lxc/lxc-apparmor-load +usr/lib/*/lxc/lxc-monitord +usr/lib/*/lxc/lxc-user-nic usr/sbin/* usr/share/doc usr/share/lxc/config diff -pruN 1:5.0.1-1/debian/liblxc-common.lintian-overrides 1:5.0.1-0ubuntu6/debian/liblxc-common.lintian-overrides --- 1:5.0.1-1/debian/liblxc-common.lintian-overrides 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc-common.lintian-overrides 2023-01-10 21:29:10.000000000 +0000 @@ -1,2 +1,23 @@ -# false positive (lxc-user-nic) -liblxc-common: elevated-privileges 4755 root/root [usr/libexec/lxc/lxc-user-nic] +# This is a setuid helper +elevated-privileges usr/lib/*/lxc/lxc-user-nic 4755 root/root + +# Documentation specific to the path +package-contains-documentation-outside-usr-share-doc usr/share/lxc/config/common.conf.d/README + +# Used internally by LXC (located there for historical reasons) +no-manual-page usr/sbin/init.lxc +no-manual-page usr/sbin/init.lxc.static + +# Ships in /usr/lib/ARCH/lxc/ +spare-manual-page usr/share/man/ja/man1/lxc-user-nic.1.gz +spare-manual-page usr/share/man/ko/man1/lxc-user-nic.1.gz +spare-manual-page usr/share/man/man1/lxc-user-nic.1.gz + +# LXC uses /usr/lib, not /usr/libexec +executable-in-usr-lib usr/lib/*/lxc/hooks/unmount-namespace +executable-in-usr-lib usr/lib/*/lxc/lxc-apparmor-load +executable-in-usr-lib usr/lib/*/lxc/lxc-monitord +executable-in-usr-lib usr/lib/*/lxc/lxc-user-nic + +# Incorrectly flagging help message as bash +bash-term-in-posix-shell '[ -a' [usr/share/lxc/templates/lxc-download:131] diff -pruN 1:5.0.1-1/debian/liblxc-common.postinst 1:5.0.1-0ubuntu6/debian/liblxc-common.postinst --- 1:5.0.1-1/debian/liblxc-common.postinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc-common.postinst 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,30 @@ +#!/bin/sh +set -e + +case "$1" in + configure) + # There appears to be some cases where apparmor gets confused + # about the freshness of its cache, so lets just wipe it. + rm -f /etc/apparmor.d/cache/lxc-containers + + # lxc-containers must be manually loaded as dh_apparmor doesn't + # know what to do with it + if [ -x /lib/init/apparmor-profile-load ]; then + /lib/init/apparmor-profile-load lxc-containers + elif [ -x /etc/init.d/apparmor ]; then + invoke-rc.d apparmor reload || true + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 diff -pruN 1:5.0.1-1/debian/liblxc-dev.install 1:5.0.1-0ubuntu6/debian/liblxc-dev.install --- 1:5.0.1-1/debian/liblxc-dev.install 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/liblxc-dev.install 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,4 @@ +usr/include +usr/lib/*/*.a +usr/lib/*/*.so +usr/lib/*/pkgconfig diff -pruN 1:5.0.1-1/debian/libpam-cgfs.install 1:5.0.1-0ubuntu6/debian/libpam-cgfs.install --- 1:5.0.1-1/debian/libpam-cgfs.install 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/libpam-cgfs.install 2023-01-10 21:29:10.000000000 +0000 @@ -1,2 +1,2 @@ -#! /usr/bin/dh-exec --with-scripts=subst-multiarch -usr/lib/${DEB_HOST_MULTIARCH}/pam_cgfs.so /lib/${DEB_HOST_MULTIARCH}/security +lib/*/security +usr/share/pam-configs diff -pruN 1:5.0.1-1/debian/libpam-cgfs.lintian-overrides 1:5.0.1-0ubuntu6/debian/libpam-cgfs.lintian-overrides --- 1:5.0.1-1/debian/libpam-cgfs.lintian-overrides 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/libpam-cgfs.lintian-overrides 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,3 @@ +# PAM plugin, not a binary +spare-manual-page usr/share/man/ja/man8/pam_cgfs.8.gz +spare-manual-page usr/share/man/man8/pam_cgfs.8.gz diff -pruN 1:5.0.1-1/debian/libpam-cgfs.pam 1:5.0.1-0ubuntu6/debian/libpam-cgfs.pam --- 1:5.0.1-1/debian/libpam-cgfs.pam 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/libpam-cgfs.pam 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,6 @@ +Name: Create cgroups for user login sessions +Default: yes +Priority: 0 +Session-Type: Additional +Session: + optional pam_cgfs.so -c freezer,memory,name=systemd diff -pruN 1:5.0.1-1/debian/lxc.config 1:5.0.1-0ubuntu6/debian/lxc.config --- 1:5.0.1-1/debian/lxc.config 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc.config 1970-01-01 00:00:00.000000000 +0000 @@ -1,23 +0,0 @@ -#!/bin/sh - -set -e - -. /usr/share/debconf/confmodule - -do_configure(){ - if [ ! -z "$2" ] && dpkg --compare-versions "$2" le "1:3.0.2-1~exp+4"; then - db_input high lxc/auto_update_config || true - db_go - fi -} - -case "$1" in - configure|reconfigure) - do_configure "$@" - ;; - - *) - echo "config called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac diff -pruN 1:5.0.1-1/debian/lxc-dev.doc-base 1:5.0.1-0ubuntu6/debian/lxc-dev.doc-base --- 1:5.0.1-1/debian/lxc-dev.doc-base 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-dev.doc-base 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -Document: lxc -Title: LXC Documentation -Section: System/Administration - -Format: HTML -Index: /usr/share/doc/lxc/html/index.html -Files: /usr/share/doc/lxc/html/*.html diff -pruN 1:5.0.1-1/debian/lxc-dev.install 1:5.0.1-0ubuntu6/debian/lxc-dev.install --- 1:5.0.1-1/debian/lxc-dev.install 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-dev.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -doc/api/html/* /usr/share/doc/lxc/html -usr/include -usr/lib/*/liblxc.so -usr/lib/*/pkgconfig diff -pruN 1:5.0.1-1/debian/lxc.install 1:5.0.1-0ubuntu6/debian/lxc.install --- 1:5.0.1-1/debian/lxc.install 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -debian/contrib/bin/lxc-unpriv-attach usr/bin/ -debian/contrib/bin/lxc-unpriv-start usr/bin/ -debian/contrib/default.conf etc/lxc/ -debian/contrib/lxc-net etc/default/ -etc/default -etc/init.d -etc/lxc -etc/sysctl.d -lib -usr/bin -usr/libexec/lxc/lxc-containers -usr/libexec/lxc/lxc-net -usr/share/bash-completion -usr/share/lxc/lxc.functions -usr/share/man -var diff -pruN 1:5.0.1-1/debian/lxc.links 1:5.0.1-0ubuntu6/debian/lxc.links --- 1:5.0.1-1/debian/lxc.links 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc.links 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -usr/share/man/man1/lxc-attach.1.gz usr/share/man/man1/lxc-unpriv-attach.1.gz -usr/share/man/man1/lxc-start.1.gz usr/share/man/man1/lxc-unpriv-start.1.gz diff -pruN 1:5.0.1-1/debian/lxc.postinst 1:5.0.1-0ubuntu6/debian/lxc.postinst --- 1:5.0.1-1/debian/lxc.postinst 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -#!/bin/sh - -set -e - -. /usr/share/debconf/confmodule - -upgrade () { - if [ ! -z "$2" ] && dpkg --compare-versions "$2" le "1:3.0.2-1~exp+3"; then - db_get lxc/auto_update_config - res="$RET" - if [ "$res" = "true" ]; then - lxc-update-config -c /etc/lxc/default.conf - find /var/lib/lxc -maxdepth 2 -iname "config" -exec /usr/bin/lxc-update-config -c {} \; - fi - fi - - if [ -z "$2" ] || dpkg --compare-versions "$2" le "1:3.1.0+really3.0.3-2"; then - if command -v apparmor_parser > /dev/null && [ -e /etc/apparmor.d/lxc-containers ]; then - apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers || \ - echo "Failed to run 'apparmor_parser -rWT /etc/apparmor.d/lxc-containers'. You will probably need to run it by hand at some point." - fi - fi -} - -case "$1" in - configure) - upgrade "$@" - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -db_stop -exit 0 diff -pruN 1:5.0.1-1/debian/lxc.sysctl 1:5.0.1-0ubuntu6/debian/lxc.sysctl --- 1:5.0.1-1/debian/lxc.sysctl 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc.sysctl 1970-01-01 00:00:00.000000000 +0000 @@ -1,9 +0,0 @@ -# Defines the maximum number of inotify listeners. -# By default, this value is 128, which is quickly exhausted when using -# systemd-based LXC containers (15 containers are enough). -# When the limit is reached, systemd becomes mostly unusable, throwing -# "Too many open files" all around (both on the host and in containers). -# See https://kdecherf.com/blog/2015/09/12/systemd-and-the-fd-exhaustion/ -# Increase the user inotify instance limit to allow for about -# 100 containers to run before the limit is hit again -fs.inotify.max_user_instances = 1024 diff -pruN 1:5.0.1-1/debian/lxc-tests.lintian-overrides 1:5.0.1-0ubuntu6/debian/lxc-tests.lintian-overrides --- 1:5.0.1-1/debian/lxc-tests.lintian-overrides 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-tests.lintian-overrides 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -lxc-tests: no-manual-page diff -pruN 1:5.0.1-1/debian/lxc-utils.apport 1:5.0.1-0ubuntu6/debian/lxc-utils.apport --- 1:5.0.1-1/debian/lxc-utils.apport 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.apport 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,26 @@ +'''apport package hook for lxc + +(c) 2012 Canonical Ltd. +Author: +Serge Hallyn +''' + +from apport.hookutils import * +from os import path +import re + +def add_info(report): + attach_related_packages(report, ['dnsmasq', 'dnsmasq-base', 'libvirt-bin', 'apparmor', 'libapparmor1', 'apparmor-utils', 'auditd', 'libaudit0']) + attach_mac_events(report) + attach_upstart_overrides(report, "lxc") + command_output(['ls', '-ld', '/bin/sh']) + attach_conffiles(report, 'lxc') + report["lxcsyslog"] = recent_syslog(re.compile("lxc")) + # should we attach all lxc apparmor files + #command_output(['ls', '-l', '/etc/apparmor.d/lxc'] + #command_output(['cat', '/etc/apparmor.d/lxc/*'] + attach_file_if_exists(report, '/etc/default/lxc-net', key='lxc-net.default') + attach_file_if_exists(report, '/etc/default/lxc', key='lxc.default') + attach_file_if_exists(report, '/etc/lxc/lxc.conf', key='lxc.conf') + attach_file_if_exists(report, '/etc/lxc/default.conf', key='defaults.conf') + attach_file_if_exists(report, '/etc/lxc/dnsmasq.conf', key='dnsmasq.conf') diff -pruN 1:5.0.1-1/debian/lxc-utils.default 1:5.0.1-0ubuntu6/debian/lxc-utils.default --- 1:5.0.1-1/debian/lxc-utils.default 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.default 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,14 @@ +# MIRROR to be used by ubuntu template at container creation: +# Leaving it undefined is fine +#MIRROR="http://archive.ubuntu.com/ubuntu" +# or +#MIRROR="http://:3142/archive.ubuntu.com/ubuntu" + +# LXC_AUTO - whether or not to start containers symlinked under +# /etc/lxc/auto +LXC_AUTO="true" + +USE_LXC_BRIDGE="false" # overridden in lxc-net +[ -f /etc/default/lxc-net ] && . /etc/default/lxc-net + +LXC_SHUTDOWN_TIMEOUT=120 diff -pruN 1:5.0.1-1/debian/lxc-utils.dirs 1:5.0.1-0ubuntu6/debian/lxc-utils.dirs --- 1:5.0.1-1/debian/lxc-utils.dirs 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.dirs 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1 @@ +var/log/lxc diff -pruN 1:5.0.1-1/debian/lxc-utils.dnsmasq 1:5.0.1-0ubuntu6/debian/lxc-utils.dnsmasq --- 1:5.0.1-1/debian/lxc-utils.dnsmasq 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.dnsmasq 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,5 @@ +# Tell any system-wide dnsmasq instance to make sure to bind to interfaces +# instead of listening on 0.0.0.0 +# WARNING: changes to this file will get lost if lxc is removed. +bind-interfaces +except-interface=lxcbr0 diff -pruN 1:5.0.1-1/debian/lxc-utils.install 1:5.0.1-0ubuntu6/debian/lxc-utils.install --- 1:5.0.1-1/debian/lxc-utils.install 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.install 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,14 @@ +etc/default +etc/dnsmasq.d-available +etc/init +etc/lxc +lib/systemd +usr/bin/lxc-* +usr/lib/*/lxc/lxc-containers +usr/lib/*/lxc/lxc-net +usr/share/apport +usr/share/bash-completion +usr/share/lxc/lxc.functions +usr/share/man +var/cache/lxc +var/lib/lxc diff -pruN 1:5.0.1-1/debian/lxc-utils.lintian-overrides 1:5.0.1-0ubuntu6/debian/lxc-utils.lintian-overrides --- 1:5.0.1-1/debian/lxc-utils.lintian-overrides 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.lintian-overrides 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,15 @@ +# For security reasons, we can't have users traverse to the containers +non-standard-dir-perm var/cache/lxc/ 0700 != 0755 +non-standard-dir-perm var/lib/lxc/ 0700 != 0755 + +# This isn't a config script, it's our config migration tool +old-style-config-script usr/bin/lxc-update-config + +# Not an alternative init system on Ubuntu +package-supports-alternative-init-but-no-init.d-script lib/systemd/system/lxc-monitord.service +package-supports-alternative-init-but-no-init.d-script lib/systemd/system/lxc-net.service +package-supports-alternative-init-but-no-init.d-script lib/systemd/system/lxc.service + +# LXC uses /usr/lib, not /usr/libexec +executable-in-usr-lib usr/lib/*/lxc/lxc-containers +executable-in-usr-lib usr/lib/*/lxc/lxc-net diff -pruN 1:5.0.1-1/debian/lxc-utils.maintscript 1:5.0.1-0ubuntu6/debian/lxc-utils.maintscript --- 1:5.0.1-1/debian/lxc-utils.maintscript 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.maintscript 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,3 @@ +rm_conffile /etc/init/lxc.conf 2.1.0-0ubuntu1~ +rm_conffile /etc/init/lxc-instance.conf 2.1.0-0ubuntu1~ +rm_conffile /etc/init/lxc-net.conf 2.1.0-0ubuntu1~ diff -pruN 1:5.0.1-1/debian/lxc-utils.maintscript.in 1:5.0.1-0ubuntu6/debian/lxc-utils.maintscript.in --- 1:5.0.1-1/debian/lxc-utils.maintscript.in 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.maintscript.in 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,3 @@ +rm_conffile /etc/init/lxc.conf 2.1.0-0ubuntu1~ +rm_conffile /etc/init/lxc-instance.conf 2.1.0-0ubuntu1~ +rm_conffile /etc/init/lxc-net.conf 2.1.0-0ubuntu1~ diff -pruN 1:5.0.1-1/debian/lxc-utils.postinst 1:5.0.1-0ubuntu6/debian/lxc-utils.postinst --- 1:5.0.1-1/debian/lxc-utils.postinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.postinst 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,107 @@ +#!/bin/sh +# postinst script for lxc +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +add_users() +{ + if ! getent group lxc-dnsmasq >/dev/null; then + addgroup --quiet --system lxc-dnsmasq + fi + + if ! getent passwd lxc-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup lxc-dnsmasq \ + --quiet \ + --disabled-login \ + --disabled-password \ + --home /var/lib/lxc \ + --no-create-home \ + -gecos "LXC dnsmasq" \ + lxc-dnsmasq + fi +} + +case "$1" in + configure) + add_users + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +# We need this after the debhelper generated code so that dpkg-maintscript +# can do its renamming first. +if [ "$1" = "configure" ]; then + + # The dnsmasq hook has been introduced through SRU into Ubuntu 12.04 + # and Ubuntu 12.10. + # + # This means that even though we version-guard the maintscripts entry + # it'll fire multiple times for users doing 12.04 => 12.10 => 13.04 + # or even just 12.10 => 13.04. + # + # As there's unfortunately no way to specify per-series base versions + # for maintscripts hooks, we let it fire multiple times and then fix up + # the mess it creates. + # + # This migration code can be removed after Ubuntu 14.04 LTS is released. + if [ -L /etc/dnsmasq.d-available/lxc ] && + [ "$(readlink /etc/dnsmasq.d-available/lxc)" = "/etc/dnsmasq.d-available/lxc" ] && + [ -e /etc/dnsmasq.d-available/lxc.dpkg-new ]; then + echo "The dnsmasq configuration has been migrated twice, fixing it." + mv /etc/dnsmasq.d-available/lxc /etc/dnsmasq.d/lxc + mv /etc/dnsmasq.d-available/lxc.dpkg-new /etc/dnsmasq.d-available/lxc + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi + + # Configure dnsmasq + if [ -f /etc/dnsmasq.d-available/lxc ]; then + echo "Setting up lxc dnsmasq configuration." + mkdir -p /etc/dnsmasq.d + if [ ! -e /etc/dnsmasq.d/lxc ]; then + ln -s /etc/dnsmasq.d-available/lxc /etc/dnsmasq.d/lxc + fi + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi + + # Up to version 1.0.0~alpha2-0ubuntu4 lxc was installed world + # readable. After that version if users want it that way for + # convenience, then that's fine. But one time go ahead and + # forcibly change the permissions. + if dpkg --compare-versions "$2" lt "1.0.0~alpha2-0ubuntu5"; then + chmod 700 /var/lib/lxc + chmod 700 /var/cache/lxc + fi +fi +exit 0 diff -pruN 1:5.0.1-1/debian/lxc-utils.postrm 1:5.0.1-0ubuntu6/debian/lxc-utils.postrm --- 1:5.0.1-1/debian/lxc-utils.postrm 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.postrm 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,46 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + remove) + if [ -L /etc/dnsmasq.d/lxc ]; then + echo "Removing lxc dnsmasq configuration" + rm -f /etc/dnsmasq.d/lxc 2>/dev/null || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi + ;; + purge|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff -pruN 1:5.0.1-1/debian/lxc-utils.preinst 1:5.0.1-0ubuntu6/debian/lxc-utils.preinst --- 1:5.0.1-1/debian/lxc-utils.preinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/lxc-utils.preinst 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,75 @@ +#!/bin/sh + +set -e + +migrate_auto() +{ + echo "Migrating /etc/lxc/auto to lxc.auto.start config flag" + for container in /etc/lxc/auto/*; do + [ "$container" = "/etc/lxc/auto/*" ] && continue + + if [ ! -L "$container" ]; then + echo "$container isn't a symlink, skipping." + fi + + if [ -d "$container" ] && [ -e "$container/config" ]; then + echo " - Marking $container/config as auto-started" + echo "" >> $container/config + echo "# Added by lxc postinst, migration of autostart flag" >> $container/config + echo "lxc.start.auto = 1" >> $container/config + fi + + if [ -f "$container" ]; then + echo " - Marking $container as auto-started" + echo "" >> $container + echo "# Added by lxc postinst, migration of autostart flag" >> $container + echo "lxc.start.auto = 1" >> $container + fi + + rm $container + done + + # Try to remove /etc/lxc/auto (but ignore failure if non-empty) + rmdir /etc/lxc/auto/ >/dev/null 2>&1 || true +} + +case "${1}" in + install|upgrade) + if [ -d /etc/lxc/auto ]; then + migrate_auto + fi + + if [ ! -f /etc/lxc/lxc-usernet ]; then + mkdir -p /etc/lxc/ + echo "# USERNAME TYPE BRIDGE COUNT" > /etc/lxc/lxc-usernet + fi + + # If we have the stock preinstalled /etc/default/lxc-net, then + # remove it so that lxc-net can recreate on startup. + if dpkg --compare-versions "$2" eq "1.1.4-0ubuntu1"; then + if [ -f /etc/default/lxc-net ]; then + sum="$(md5sum /etc/default/lxc-net | awk '{ print $1 }')" + if [ "$sum" = e3f08a54cbdd4ebff86207417f366e6e ]; then + found=0; for f in /sys/class/net/lxcbr0/lower*; do [ -d "$f" ] && found=$(($found+1)); done + if [ $found -eq 0 ]; then + invoke-rc.d lxc-net stop + fi + rm -f /etc/default/lxc-net + fi + else + echo "# written on upgrade from 1.1.4-0ubuntu1." > /etc/default/lxc-net + echo "USE_LXC_BRIDGE=false" >> /etc/default/lxc-net + fi + fi + ;; + abort-upgrade) + ;; + *) + echo "preinst called with unknown argument (${1})" + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 diff -pruN 1:5.0.1-1/debian/NEWS 1:5.0.1-0ubuntu6/debian/NEWS --- 1:5.0.1-1/debian/NEWS 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/NEWS 1970-01-01 00:00:00.000000000 +0000 @@ -1,158 +0,0 @@ -lxc (1:4.0.6-2) unstable; urgency=medium - - * A new way of handling unprivileged containers starting and attachment has - been made available through the lxc-unpriv-start and lxc-unpriv-attach - commands. See /usr/share/doc/lxc/README.Debian.gz for more details. - - -- Pierre-Elliott Bécue Fri, 11 Jun 2021 15:12:15 +0200 - -lxc (1:4.0.2-1~1) experimental; urgency=medium - - Major changes in the Debian packaging: - - 1. lxc-net is now enabled by default, and newly created containers will - have networking by default. - - Major changes between LXC 3.0.x and LXC 4: - - 1. CGroupV2 support: - LXC 4 supports the unified CGroup hierarchy, which means that the - containers will now be able to handle a booted system with an init like - systemd using the unified CGroup hierarchy. This has implications - regarding the unprivileged containers, as a standard user can't get an - empty CGroup by themselves. In that specific situation, libpam_cgfs is - useless. - - A solution to run an unprivileged container as a standard non-root user - is to use systemd-run: - - `systemd-run --user --scope -p "Delegate=yes" lxc-start container-name` - - The user instance of systemd will delegate an empty CGroup available and - manipulable properly by the container. - 2. The default AppArmor profile now denies access to /proc/acpi/. This was - already the case in Debian but has been merged upstream. - 3. config: Add lxc.autodev.tmpfs.size configuration key: - LXC supports creating a useable minimal /dev directory for the container by - setting lxc.autodev = 1 in the container’s config file. To do this LXC sets up - a tmpfs mount on /dev. This tmpfs mount could not be restricted in prior - releases. Now it is possible to set a limit on the size of the tmpfs mount by - setting lxc.autodev.tmpfs.size to the number of bytes that the tmpfs should be - restricted to use. - 4. config: Add lxc.selinux.context.keyring key - This allows one to specify the selinux context to be used for the keyring - the container uses. - 5. config: Add lxc.keyring.session - Setting this to 1 (default) will cause LXC to create a new session keyring. - - Other changes: - 1. Freezer support in CGroupV2: - As part of the cgroup2 support work for LXC 4.0 support for cgroup2’s - implementation of the freezer controller has been added. It allows one - to poll until the cgroup is frozen or unfrozen making freezing and - unfreezing container’s way more reliable than before. - 2. file utils: Add fopen_cached() and fdopen_cached - These helpers first read a whole file and then make it available as a - stream to be read via regular file-based libc apis. This makes LXC’s - handling of various files more robust where the underlying file can - change while it is read. - 3. PIDfd support - LXC 4.0 fully supports the new pidfd kernel api the LXC team has merged - in the upstream Linux kernel. The pidfd of the container’s init process - can be requested via c->init_pidfd(c). - 4. memory utils: Add new cleanup api - LXC 4.0 expands the usage of the compiler’s cleanup attribute by introducing - new internal apis to define and call cleanup macros for complex resource - allocations. Significant results in decreasing bugs around file - descriptor and memory leaks by switching to this new way of cleaning up - resources have been observed. - 5. lxc-usernsexec: Make it easy to map own uid - The lxc-usernsexec binary now finds a default mapping as specified in - /etc/subuid and /etc/subgid and writes it via newuidmap and newgidmap. - 6. seccomp: Add s390 support - LXC 4.0’s seccomp implementation now supports s390 as architecture. - 7. syscalls: Improve manual syscall implementations - Whenever a given syscall is not supported or exposed by the underlying C - library of the system LXC will define syscall stubs for important - syscalls or new features it deems extremely valuable. This used to be - done by checking for __NR_ being defined. But - __NR_ being defined depended on the correct headers for - the currently running kernel LXC was compiled on being installed and - would be problematic whenever LXC was compiled on a system running an - older kernel but used or deployed on systems that use a new kernel. In - such scenarios LXC could not make use of new kernel features even though - it should. Definitions for __NR_ are introduced whenever - the system does not define it already and it is a supported architecture - (which is basically any architecture). This results in a better handling - of kernel <-> header version mismatches and compilation <-> deployment - kernel mismatches. - 8. network: Improved network device creation and removal - The way network devices are created, tracked, moved between network - namespaces, and are removed has been reworked. This makes the low-level - network management way more reliable. - 9. network: Allow moving wireless devices - LXC allowed to move wireless network devices (nl80211) into containers. This - was broken for a while. With 4.0 the ability to move wireless network devices - is restored and improved. - - -- Pierre-Elliott Bécue Thu, 15 Apr 2020 22:44:32 +0200 - -lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium - - LXC 3 got some significant changes from LXC 2. - - 1. The configuration files use different variables. A userland script - lxc-update-config is available to update automatically your - configuration files. An automatic update is possible and offered by - debconf during the upgrade of lxc version < 3.0.2 to lxc version >= - 3.0.2. Mind that this update will only work for privileged containers - with configurations present in /var/lib/lxc/*/config and any other - container will not be updated. - 2. AppArmor support in Debian has increased, thus preventing some systemd - isolation features to work in LXC 3.0.X. Debian has backported some - patches from LXC 3.1 that, along with some configurations in a - container, will allow systemd isolation features to work. - - The required configuration parameters are the ones which follow: - lxc.apparmor.profile = generated - lxc.apparmor.allow_nesting = 1 - - These parameters are provided in the `/etc/lxc/default.conf` file - shipped with LXC 3. Hence, any newly created container will have these - parameters set properly, except if you alter the aforementioned file. - - WARNING: Note that with these parameters, unprivileged containers won't - be able to start. lxc.apparmor.profile must be set to either - 'unconfined' or to 'lxc-container-default-cgns'. This can be done either - in the unprivileged container configuration file or in the user's - .config/lxc/default.conf file. - 3. lxc-templates is deprecated by upstream. The new way of building - containers is via their distrobuilder software. This software isn't in - Debian Buster, and thus, we still provide lxc-templates. If you relied - on it (eg, with lxc.include parameter in some configuration file), you - should install lxc-templates in case it doesn't come by itself (via - recommends). Otherwise you may experience issues after the upgrade. - - -- Pierre-Elliott Bécue Sat, 09 Mar 2019 13:09:05 +0100 - -lxc (1:1.1.5-1) unstable; urgency=medium - - LXC before 1.1 did silently ignore lxc.aa_profile if the kernel did - not have the AppArmor mount feature (by checking for the existence of - /sys/kernel/security/apparmor/features/mount/mask). - - As of LXC 1.1 it will error out with the following message in the log: - Incomplete AppArmor support in your kernel - If you really want to start this container, set - lxc.aa_allow_incomplete = 1 in your container configuration file - - Debian does not ship with AppArmor enabled in the kernel by default, - so this should not affect default installs. However if you have enabled - AppArmor, your containers will fail to start after the upgrade. - - Please add "lxc.aa_allow_incomplete = 1" to your configuration to - start AppArmor-secured containers until we have full support in the - kernel. - - -- Evgeni Golov Sun, 31 Jan 2016 18:22:40 -0200 - diff -pruN 1:5.0.1-1/debian/pam-cgfs.config 1:5.0.1-0ubuntu6/debian/pam-cgfs.config --- 1:5.0.1-1/debian/pam-cgfs.config 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/pam-cgfs.config 1970-01-01 00:00:00.000000000 +0000 @@ -1,6 +0,0 @@ -Name: Create cgroups for user login sessions -Default: yes -Priority: 0 -Session-Type: Additional -Session: - optional pam_cgfs.so -c freezer,memory,name=systemd diff -pruN 1:5.0.1-1/debian/patches/0000-Ubuntu-default-lxcbr0-configuration.patch 1:5.0.1-0ubuntu6/debian/patches/0000-Ubuntu-default-lxcbr0-configuration.patch --- 1:5.0.1-1/debian/patches/0000-Ubuntu-default-lxcbr0-configuration.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0000-Ubuntu-default-lxcbr0-configuration.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,139 @@ +From 30ed06f0cd8f00513a62813e2d814154a73b9250 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 29 Jul 2021 17:29:07 -0400 +Subject: Ubuntu default lxcbr0 configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + config/init/common/lxc-net.in | 100 +++++++++++++++++++++++++++++++--- + 1 file changed, 91 insertions(+), 9 deletions(-) + +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in +index efee9b96f..ca7e03290 100644 +--- a/config/init/common/lxc-net.in ++++ b/config/init/common/lxc-net.in +@@ -25,6 +25,85 @@ LXC_IPV6_MASK="" + LXC_IPV6_NETWORK="" + LXC_IPV6_NAT="false" + ++write_lxc_net() ++{ ++ local i=$1 ++ cat >> $distrosysconfdir/lxc-net << EOF ++# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your ++# containers. Set to "false" if you'll use virbr0 or another existing ++# bridge, or mavlan to your host's NIC. ++USE_LXC_BRIDGE="true" ++ ++# If you change the LXC_BRIDGE to something other than lxcbr0, then ++# you will also need to update your /etc/lxc/default.conf as well as the ++# configuration (/var/lib/lxc//config) for any containers ++# already created using the default config to reflect the new bridge ++# name. ++# If you have the dnsmasq daemon installed, you'll also have to update ++# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon. ++LXC_BRIDGE="lxcbr0" ++LXC_ADDR="10.0.$i.1" ++LXC_NETMASK="255.255.255.0" ++LXC_NETWORK="10.0.$i.0/24" ++LXC_DHCP_RANGE="10.0.$i.2,10.0.$i.254" ++LXC_DHCP_MAX="253" ++# Uncomment the next line if you'd like to use a conf-file for the lxcbr0 ++# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have ++# container 'mail1' always get ip address 10.0.3.100. ++#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf ++ ++# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc ++# domain. You can then add "server=/lxc/10.0.$i.1' (or your actual \$LXC_ADDR) ++# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf, ++# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager). ++# Once these changes are made, restart the lxc-net and network-manager services. ++# 'container1.lxc' will then resolve on your host. ++#LXC_DOMAIN="lxc" ++EOF ++} ++ ++configure_lxcbr0() ++{ ++ local i=3 ++ cat > $distrosysconfdir/lxc-net << EOF ++# This file is auto-generated by lxc.postinst if it does not ++# exist. Customizations will not be overridden. ++EOF ++ # if lxcbr0 exists, keep using the same network ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then ++ i=`ip addr show lxcbr0 | grep "inet\>" | awk '{ print $2 }' | awk -F. '{ print $3 }'` ++ write_lxc_net $i ++ return ++ fi ++ # if no lxcbr0, find an open 10.0.a.0 network ++ for l in `ip addr show | grep "inet\>" |awk '{ print $2 }' | grep '^10\.0\.' | sort -n`; do ++ j=`echo $l | awk -F. '{ print $3 }'` ++ if [ $j -gt $i ]; then ++ write_lxc_net $i ++ return ++ fi ++ i=$((j+1)) ++ done ++ if [ $i -ne 254 ]; then ++ write_lxc_net $i ++ fi ++} ++ ++update_lxcnet_config() ++{ ++ local i=3 ++ # if lxcbr0 exists, keep using the same network ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then ++ return ++ fi ++ # our LXC_NET conflicts with an existing interface. Probably first ++ # run after system install with package pre-install. Find a new subnet ++ configure_lxcbr0 ++ ++ # and re-load the newly created config ++ [ ! -f $distrosysconfdir/lxc-net ] || . $distrosysconfdir/lxc-net ++} ++ + [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc + + use_nft() { +@@ -111,7 +190,19 @@ add rule ip lxc postrouting ip saddr ${LXC_NETWORK} ip daddr != ${LXC_NETWORK} c + nft "${NFT_RULESET}" + } + ++cleanup() { ++ set +e ++ if [ "$FAILED" = "1" ]; then ++ echo "Failed to setup lxc-net." >&2 ++ stop force ++ exit 1 ++ fi ++} ++ + start() { ++ ++ [ ! -f $distrosysconfdir/lxc-net ] && update_lxcnet_config ++ + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; } + + [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; } +@@ -122,15 +213,6 @@ start() { + + FAILED=1 + +- cleanup() { +- set +e +- if [ "$FAILED" = "1" ]; then +- echo "Failed to setup lxc-net." >&2 +- stop force +- exit 1 +- fi +- } +- + trap cleanup EXIT HUP INT TERM + set -e + diff -pruN 1:5.0.1-1/debian/patches/0001-meson-Generate-compile-commands-by-iterating-over-an.patch 1:5.0.1-0ubuntu6/debian/patches/0001-meson-Generate-compile-commands-by-iterating-over-an.patch --- 1:5.0.1-1/debian/patches/0001-meson-Generate-compile-commands-by-iterating-over-an.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0001-meson-Generate-compile-commands-by-iterating-over-an.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,258 @@ +From 289d6413ebac8b34394a9f5dbffdb6a70e7f145f Mon Sep 17 00:00:00 2001 +From: Petr Malat +Date: Wed, 15 Jun 2022 15:59:30 +0200 +Subject: [PATCH 01/45] meson: Generate compile commands by iterating over an + array + +This makes it possible to add a new command without updating multiple +places in the meson file. + +Signed-off-by: Petr Malat +--- + src/lxc/tools/meson.build | 230 ++------------------------------------ + 1 file changed, 12 insertions(+), 218 deletions(-) + +diff --git a/src/lxc/tools/meson.build b/src/lxc/tools/meson.build +index 072f08beb..1bf3be0c2 100644 +--- a/src/lxc/tools/meson.build ++++ b/src/lxc/tools/meson.build +@@ -2,224 +2,18 @@ + + tools_common_sources = liblxc_sources + files('arguments.c', 'arguments.h') + include_sources + netns_ifaddrs_sources + +-tools_lxc_attach_sources = files( +- 'lxc_attach.c') + tools_common_sources +- +-tools_lxc_autostart_sources = files( +- 'lxc_autostart.c') + tools_common_sources +- +-tools_lxc_cgroup_sources = files( +- 'lxc_cgroup.c') + tools_common_sources +- +-tools_lxc_checkpoint_sources = files( +- 'lxc_checkpoint.c') + tools_common_sources +- +-tools_lxc_config_sources = files( +- 'lxc_config.c') + tools_common_sources +- +-tools_lxc_console_sources = files( +- 'lxc_console.c') + tools_common_sources +- +-tools_lxc_copy_sources = files( +- 'lxc_copy.c') + tools_common_sources +- +-tools_lxc_create_sources = files( +- 'lxc_create.c') + tools_common_sources +- +-tools_lxc_destroy_sources = files( +- 'lxc_destroy.c') + tools_common_sources +- +-tools_lxc_device_sources = files( +- 'lxc_device.c') + tools_common_sources +- +-tools_lxc_execute_sources = files( +- 'lxc_execute.c') + tools_common_sources +- +-tools_lxc_freeze_sources = files( +- 'lxc_freeze.c') + tools_common_sources +- +-tools_lxc_info_sources = files( +- 'lxc_info.c') + tools_common_sources +- +-tools_lxc_ls_sources = files( +- 'lxc_ls.c') + tools_common_sources +- +-tools_lxc_monitor_sources = files( +- 'lxc_monitor.c') + tools_common_sources +- +-tools_lxc_snapshot_sources = files( +- 'lxc_snapshot.c') + tools_common_sources +- +-tools_lxc_start_sources = files( +- 'lxc_start.c') + tools_common_sources +- +-tools_lxc_stop_sources = files( +- 'lxc_stop.c') + tools_common_sources +- +-tools_lxc_top_sources = files( +- 'lxc_top.c') + tools_common_sources +- +-tools_lxc_unfreeze_sources = files( +- 'lxc_unfreeze.c') + tools_common_sources +- +-tools_lxc_unshare_sources = files( +- 'lxc_unshare.c') + tools_common_sources +- +-tools_lxc_wait_sources = files( +- 'lxc_wait.c') + tools_common_sources ++tools_commands = ['attach', 'autostart', 'cgroup', 'checkpoint', 'config', ++ 'console', 'copy', 'create', 'destroy', 'device', 'execute', 'freeze', ++ 'info', 'ls', 'monitor', 'snapshot', 'start', 'stop', 'top', 'unfreeze', ++ 'unshare', 'wait'] + + if want_tools +- public_programs += executable( +- 'lxc-attach', +- tools_lxc_attach_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-autostart', +- tools_lxc_autostart_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-cgroup', +- tools_lxc_cgroup_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-checkpoint', +- tools_lxc_checkpoint_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-config', +- tools_lxc_config_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-console', +- tools_lxc_console_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-copy', +- tools_lxc_copy_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-create', +- tools_lxc_create_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-destroy', +- tools_lxc_destroy_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-device', +- tools_lxc_device_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-execute', +- tools_lxc_execute_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-freeze', +- tools_lxc_freeze_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-info', +- tools_lxc_info_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-ls', +- tools_lxc_ls_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-monitor', +- tools_lxc_monitor_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-snapshot', +- tools_lxc_snapshot_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-start', +- tools_lxc_start_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-stop', +- tools_lxc_stop_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-top', +- tools_lxc_top_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-unfreeze', +- tools_lxc_unfreeze_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-unshare', +- tools_lxc_unshare_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) +- +- public_programs += executable( +- 'lxc-wait', +- tools_lxc_wait_sources, +- include_directories: liblxc_includes, +- dependencies: liblxc_dep, +- install: true) ++ foreach cmd : tools_commands ++ public_programs += executable( ++ 'lxc-' + cmd, ++ files('lxc_' + cmd + '.c') + tools_common_sources, ++ include_directories: liblxc_includes, ++ dependencies: liblxc_dep, ++ install: true) ++ endforeach + endif +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0002-tools-Provide-multicall-lxc-binary.patch 1:5.0.1-0ubuntu6/debian/patches/0002-tools-Provide-multicall-lxc-binary.patch --- 1:5.0.1-1/debian/patches/0002-tools-Provide-multicall-lxc-binary.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0002-tools-Provide-multicall-lxc-binary.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,531 @@ +From f4d02217ee2baf7275175d2c6610de4908a9addf Mon Sep 17 00:00:00 2001 +From: Petr Malat +Date: Wed, 15 Jun 2022 13:16:43 +0200 +Subject: [PATCH 02/45] tools: Provide multicall lxc binary + +Create a binary, which embeds all lxc tools similar way as busybox +embeds its applets. This is handy for embedded systems as it saves +roughly 90% of the disk space. + +To disable normal tools and use multicall binary exclusively use the +following meson setup options: + -Dtools=false -Dtools-multicall=true + +Signed-off-by: Petr Malat +--- + meson.build | 3 +- + meson_options.txt | 3 + + src/lxc/tools/lxc_attach.c | 3 +- + src/lxc/tools/lxc_autostart.c | 3 +- + src/lxc/tools/lxc_cgroup.c | 3 +- + src/lxc/tools/lxc_checkpoint.c | 3 +- + src/lxc/tools/lxc_config.c | 3 +- + src/lxc/tools/lxc_console.c | 3 +- + src/lxc/tools/lxc_copy.c | 3 +- + src/lxc/tools/lxc_create.c | 3 +- + src/lxc/tools/lxc_destroy.c | 3 +- + src/lxc/tools/lxc_device.c | 3 +- + src/lxc/tools/lxc_execute.c | 3 +- + src/lxc/tools/lxc_freeze.c | 3 +- + src/lxc/tools/lxc_info.c | 3 +- + src/lxc/tools/lxc_ls.c | 3 +- + src/lxc/tools/lxc_monitor.c | 3 +- + src/lxc/tools/lxc_multicall.c | 108 +++++++++++++++++++++++++++++++++ + src/lxc/tools/lxc_snapshot.c | 3 +- + src/lxc/tools/lxc_start.c | 3 +- + src/lxc/tools/lxc_stop.c | 3 +- + src/lxc/tools/lxc_top.c | 3 +- + src/lxc/tools/lxc_unfreeze.c | 3 +- + src/lxc/tools/lxc_unshare.c | 3 +- + src/lxc/tools/lxc_wait.c | 3 +- + src/lxc/tools/meson.build | 23 +++++++ + 26 files changed, 180 insertions(+), 23 deletions(-) + create mode 100644 src/lxc/tools/lxc_multicall.c + +Index: lxc-5.0.1/meson.build +=================================================================== +--- lxc-5.0.1.orig/meson.build ++++ lxc-5.0.1/meson.build +@@ -141,6 +141,7 @@ want_pam_cgroup = get_option('pam-cgroup + want_mans = get_option('man') + want_tests = get_option('tests') + want_tools = get_option('tools') ++want_tools_multicall = get_option('tools-multicall') + want_commands = get_option('commands') + want_capabilities = get_option('capabilities') + want_apparmor = get_option('apparmor') +@@ -872,7 +873,7 @@ subdir('hooks') + if want_commands + subdir('src/lxc/cmd') + endif +-if want_tools ++if want_tools or want_tools_multicall + subdir('src/lxc/tools') + endif + subdir('src/lxc/tools/include') +Index: lxc-5.0.1/meson_options.txt +=================================================================== +--- lxc-5.0.1.orig/meson_options.txt ++++ lxc-5.0.1/meson_options.txt +@@ -37,6 +37,9 @@ option('pam-cgroup', type: 'boolean', va + option('tools', type: 'boolean', value: 'true', + description: 'build and install tools') + ++option('tools-multicall', type: 'boolean', value: 'false', ++ description: 'build and install busybox style multicall binary') ++ + # was --{disable,enable}-commands in autotools + option('commands', type: 'boolean', value: 'true', + description: 'build and install commands') +Index: lxc-5.0.1/src/lxc/tools/lxc_attach.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_attach.c ++++ lxc-5.0.1/src/lxc/tools/lxc_attach.c +@@ -271,7 +271,8 @@ static int lxc_attach_create_log_file(co + return fd; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_attach_main"))) main(int argc, char *argv[]); ++int lxc_attach_main(int argc, char *argv[]) + { + int ret = -1; + int wexit = 0; +Index: lxc-5.0.1/src/lxc/tools/lxc_autostart.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_autostart.c ++++ lxc-5.0.1/src/lxc/tools/lxc_autostart.c +@@ -304,7 +304,8 @@ static int toss_list(struct lxc_list *c_ + return 1; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_autostart_main"))) main(int argc, char *argv[]); ++int lxc_autostart_main(int argc, char *argv[]) + { + int count = 0, failed = 0, i = 0, ret = 0; + struct lxc_list *cmd_group; +Index: lxc-5.0.1/src/lxc/tools/lxc_cgroup.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_cgroup.c ++++ lxc-5.0.1/src/lxc/tools/lxc_cgroup.c +@@ -50,7 +50,8 @@ static int my_checker(const struct lxc_a + return 0; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_cgroup_main"))) main(int argc, char *argv[]); ++int lxc_cgroup_main(int argc, char *argv[]) + { + char *state_object = NULL, *value = NULL; + struct lxc_container *c; +Index: lxc-5.0.1/src/lxc/tools/lxc_checkpoint.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_checkpoint.c ++++ lxc-5.0.1/src/lxc/tools/lxc_checkpoint.c +@@ -246,7 +246,8 @@ static bool restore(struct lxc_container + } + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_checkpoint_main"))) main(int argc, char *argv[]); ++int lxc_checkpoint_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_config.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_config.c ++++ lxc-5.0.1/src/lxc/tools/lxc_config.c +@@ -40,7 +40,8 @@ static void list_config_items(void) + exit(EXIT_SUCCESS); + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_config_main"))) main(int argc, char *argv[]); ++int lxc_config_main(int argc, char *argv[]) + { + struct lxc_config_items *i; + const char *value; +Index: lxc-5.0.1/src/lxc/tools/lxc_console.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_console.c ++++ lxc-5.0.1/src/lxc/tools/lxc_console.c +@@ -77,7 +77,8 @@ static char etoc(const char *expr) + return 1 + ((c > 'Z') ? (c - 'a') : (c - 'Z')); + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_console_main"))) main(int argc, char *argv[]); ++int lxc_console_main(int argc, char *argv[]) + { + int ret; + struct lxc_container *c; +Index: lxc-5.0.1/src/lxc/tools/lxc_copy.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_copy.c ++++ lxc-5.0.1/src/lxc/tools/lxc_copy.c +@@ -142,7 +142,8 @@ static int parse_mntsubopts(char *subopt + static int parse_bind_mnt(char *mntstring, enum mnttype type); + static int parse_ovl_mnt(char *mntstring, enum mnttype type); + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_copy_main"))) main(int argc, char *argv[]); ++int lxc_copy_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_create.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_create.c ++++ lxc-5.0.1/src/lxc/tools/lxc_create.c +@@ -190,7 +190,8 @@ static bool validate_bdev_args(struct lx + return true; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_create_main"))) main(int argc, char *argv[]); ++int lxc_create_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct bdev_specs spec; +Index: lxc-5.0.1/src/lxc/tools/lxc_destroy.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_destroy.c ++++ lxc-5.0.1/src/lxc/tools/lxc_destroy.c +@@ -188,7 +188,8 @@ static bool do_destroy_with_snapshots(st + return bret; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_destroy_main"))) main(int argc, char *argv[]); ++int lxc_destroy_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_device.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_device.c ++++ lxc-5.0.1/src/lxc/tools/lxc_device.c +@@ -78,7 +78,8 @@ static bool is_interface(const char *dev + return false; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_device_main"))) main(int argc, char *argv[]); ++int lxc_device_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_execute.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_execute.c ++++ lxc-5.0.1/src/lxc/tools/lxc_execute.c +@@ -128,7 +128,8 @@ static bool set_argv(struct lxc_containe + return true; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_execute_main"))) main(int argc, char *argv[]); ++int lxc_execute_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_freeze.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_freeze.c ++++ lxc-5.0.1/src/lxc/tools/lxc_freeze.c +@@ -36,7 +36,8 @@ Options :\n\ + .log_file = "none", + }; + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_freeze_main"))) main(int argc, char *argv[]); ++int lxc_freeze_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_info.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_info.c ++++ lxc-5.0.1/src/lxc/tools/lxc_info.c +@@ -388,7 +388,8 @@ static int print_info(const char *name, + return 0; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_info_main"))) main(int argc, char *argv[]); ++int lxc_info_main(int argc, char *argv[]) + { + int ret = EXIT_FAILURE; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_ls.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_ls.c ++++ lxc-5.0.1/src/lxc/tools/lxc_ls.c +@@ -188,7 +188,8 @@ Options :\n\ + .ls_nesting = 0, + }; + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_ls_main"))) main(int argc, char *argv[]); ++int lxc_ls_main(int argc, char *argv[]) + { + int ret = EXIT_FAILURE; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_monitor.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_monitor.c ++++ lxc-5.0.1/src/lxc/tools/lxc_monitor.c +@@ -216,7 +216,8 @@ static int lxc_tool_monitord_spawn(const + _exit(EXIT_FAILURE); + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_monitor_main"))) main(int argc, char *argv[]); ++int lxc_monitor_main(int argc, char *argv[]) + { + char *regexp; + struct lxc_msg msg; +Index: lxc-5.0.1/src/lxc/tools/lxc_multicall.c +=================================================================== +--- /dev/null ++++ lxc-5.0.1/src/lxc/tools/lxc_multicall.c +@@ -0,0 +1,108 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++ ++#define PREFIX "lxc-" ++ ++int lxc_attach_main(int argc, char *argv[]); ++int lxc_autostart_main(int argc, char *argv[]); ++int lxc_cgroup_main(int argc, char *argv[]); ++int lxc_checkpoint_main(int argc, char *argv[]); ++int lxc_config_main(int argc, char *argv[]); ++int lxc_console_main(int argc, char *argv[]); ++int lxc_copy_main(int argc, char *argv[]); ++int lxc_create_main(int argc, char *argv[]); ++int lxc_destroy_main(int argc, char *argv[]); ++int lxc_device_main(int argc, char *argv[]); ++int lxc_execute_main(int argc, char *argv[]); ++int lxc_freeze_main(int argc, char *argv[]); ++int lxc_info_main(int argc, char *argv[]); ++int lxc_ls_main(int argc, char *argv[]); ++int lxc_monitor_main(int argc, char *argv[]); ++int lxc_snapshot_main(int argc, char *argv[]); ++int lxc_start_main(int argc, char *argv[]); ++int lxc_stop_main(int argc, char *argv[]); ++int lxc_top_main(int argc, char *argv[]); ++int lxc_unfreeze_main(int argc, char *argv[]); ++int lxc_unshare_main(int argc, char *argv[]); ++int lxc_wait_main(int argc, char *argv[]); ++ ++static const struct { ++ const char *cmd; ++ int (*main)(int argc, char *argv[]); ++} applets[] = { ++ { "attach", lxc_attach_main }, ++ { "autostart", lxc_autostart_main }, ++ { "cgroup", lxc_cgroup_main }, ++ { "checkpoint", lxc_checkpoint_main }, ++ { "config", lxc_config_main }, ++ { "console", lxc_console_main }, ++ { "copy", lxc_copy_main }, ++ { "create", lxc_create_main }, ++ { "destroy", lxc_destroy_main }, ++ { "device", lxc_device_main }, ++ { "execute", lxc_execute_main }, ++ { "freeze", lxc_freeze_main }, ++ { "info", lxc_info_main }, ++ { "ls", lxc_ls_main }, ++ { "monitor", lxc_monitor_main }, ++ { "snapshot", lxc_snapshot_main }, ++ { "start", lxc_start_main }, ++ { "stop", lxc_stop_main }, ++ { "top", lxc_top_main }, ++ { "unfreeze", lxc_unfreeze_main }, ++ { "unshare", lxc_unshare_main }, ++ { "wait", lxc_wait_main } ++}; ++ ++const int applets_nmemb = (int)(sizeof(applets)/sizeof(applets[0])); ++ ++int main(int argc, char *argv[]) ++{ ++ const char *cmd; ++ int i; ++ ++ if (argc < 1) ++ goto err0; ++ ++ cmd = strrchr(argv[0], '/'); ++ cmd = cmd ? cmd + 1 : argv[0]; ++ ++ ++ if (!strcmp(cmd, "lxc")) { ++ if (argc < 2) ++ goto err0; ++ cmd = argv[1]; ++ argc -= 1; ++ argv += 1; ++ if (!strcmp(cmd, "-h") || !strcmp(cmd, "--help")) ++ goto err0; ++ } else if (!strncmp(cmd, PREFIX, strlen(PREFIX))) { ++ cmd += strlen(PREFIX); ++ } else { ++ goto err0; ++ } ++ ++ for (i = 0; i < applets_nmemb; i++) { ++ if (!strcmp(applets[i].cmd, cmd)) ++ return applets[i].main(argc, argv); ++ } ++ ++ fprintf(stderr, "Unsupported command '%s'\n", cmd); ++ goto err1; ++ ++err0: fprintf(stderr, "This is a multi-call binary, argv[0] is expected to be\n" ++ " a name of the requested command prefixed with '%s'\n" ++ "or\n" ++ " 'lxc' and the command should be the 1st argument.\n\n" ++ "For example calling this program as '%sls' or 'lxc' " ++ "with the argument 'ls' lists containers.\n\n", ++ PREFIX, PREFIX); ++err1: fprintf(stderr, "Known commands:\n"); ++ for (i = 0; i < applets_nmemb; i++) { ++ fprintf(stderr, "%s ", applets[i].cmd); ++ } ++ putc('\n', stderr); ++ return 1; ++} +Index: lxc-5.0.1/src/lxc/tools/lxc_snapshot.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_snapshot.c ++++ lxc-5.0.1/src/lxc/tools/lxc_snapshot.c +@@ -61,7 +61,8 @@ static int do_snapshot_restore(struct lx + static int do_snapshot_task(struct lxc_container *c, enum task task); + static void print_file(char *path); + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_snapshot_main"))) main(int argc, char *argv[]); ++int lxc_snapshot_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_start.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_start.c ++++ lxc-5.0.1/src/lxc/tools/lxc_start.c +@@ -149,7 +149,8 @@ static int ensure_path(char **confpath, + return 0; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_start_main"))) main(int argc, char *argv[]); ++int lxc_start_main(int argc, char *argv[]) + { + const char *lxcpath; + char *const *args; +Index: lxc-5.0.1/src/lxc/tools/lxc_stop.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_stop.c ++++ lxc-5.0.1/src/lxc/tools/lxc_stop.c +@@ -81,7 +81,8 @@ static int my_parser(struct lxc_argument + return 0; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_stop_main"))) main(int argc, char *argv[]); ++int lxc_stop_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_top.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_top.c ++++ lxc-5.0.1/src/lxc/tools/lxc_top.c +@@ -564,7 +564,8 @@ static int stdin_handler(int fd, uint32_ + return LXC_MAINLOOP_CLOSE; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_top_main"))) main(int argc, char *argv[]); ++int lxc_top_main(int argc, char *argv[]) + { + struct lxc_async_descr descr; + int ret, ct_print_cnt; +Index: lxc-5.0.1/src/lxc/tools/lxc_unfreeze.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_unfreeze.c ++++ lxc-5.0.1/src/lxc/tools/lxc_unfreeze.c +@@ -36,7 +36,8 @@ Options :\n\ + .log_file = "none", + }; + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_unfreeze_main"))) main(int argc, char *argv[]); ++int lxc_unfreeze_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/lxc_unshare.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_unshare.c ++++ lxc-5.0.1/src/lxc/tools/lxc_unshare.c +@@ -280,7 +280,8 @@ static void free_ifname_list(void) + } + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_unshare_main"))) main(int argc, char *argv[]); ++int lxc_unshare_main(int argc, char *argv[]) + { + int ret; + pid_t pid; +Index: lxc-5.0.1/src/lxc/tools/lxc_wait.c +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/lxc_wait.c ++++ lxc-5.0.1/src/lxc/tools/lxc_wait.c +@@ -72,7 +72,8 @@ static int my_checker(const struct lxc_a + return 0; + } + +-int main(int argc, char *argv[]) ++int __attribute__((weak, alias("lxc_wait_main"))) main(int argc, char *argv[]); ++int lxc_wait_main(int argc, char *argv[]) + { + struct lxc_container *c; + struct lxc_log log; +Index: lxc-5.0.1/src/lxc/tools/meson.build +=================================================================== +--- lxc-5.0.1.orig/src/lxc/tools/meson.build ++++ lxc-5.0.1/src/lxc/tools/meson.build +@@ -17,3 +17,26 @@ if want_tools + install: true) + endforeach + endif ++ ++if want_tools_multicall ++ tools_all_sources = files('lxc_multicall.c') + tools_common_sources ++ foreach cmd : tools_commands ++ tools_all_sources += files('lxc_' + cmd + '.c') ++ endforeach ++ ++ public_programs += executable( ++ 'lxc', ++ tools_all_sources, ++ include_directories: liblxc_includes, ++ dependencies: liblxc_dep, ++ install: true) ++ ++ if want_tools == false ++ foreach cmd : tools_commands ++ public_programs += install_symlink( ++ 'lxc-' + cmd, ++ pointing_to: 'lxc', ++ install_dir: get_option('bindir')) ++ endforeach ++ endif ++endif diff -pruN 1:5.0.1-1/debian/patches/0003-meson-Set-DEVEL-flag-post-release.patch 1:5.0.1-0ubuntu6/debian/patches/0003-meson-Set-DEVEL-flag-post-release.patch --- 1:5.0.1-1/debian/patches/0003-meson-Set-DEVEL-flag-post-release.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0003-meson-Set-DEVEL-flag-post-release.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,26 @@ +From e73520adf4fd6a7548872ac4097adb67b7cd1314 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 16 Jun 2022 16:41:05 -0400 +Subject: [PATCH 03/45] meson: Set DEVEL flag post release +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: lxc-5.0.1/meson.build +=================================================================== +--- lxc-5.0.1.orig/meson.build ++++ lxc-5.0.1/meson.build +@@ -30,7 +30,7 @@ version_data.set('LXC_VERSION_MINOR', '0 + version_data.set('LXC_VERSION_MICRO', '1') + version_data.set('LXC_VERSION_BETA', '') + version_data.set('LXC_ABI', liblxc_version) +-version_data.set('LXC_DEVEL', '0') ++version_data.set('LXC_DEVEL', '1') + version_data.set('LXC_VERSION', meson.project_version()) + + # Path handling. diff -pruN 1:5.0.1-1/debian/patches/0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch 1:5.0.1-0ubuntu6/debian/patches/0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch --- 1:5.0.1-1/debian/patches/0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch 2022-08-01 20:38:46.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -From: =?utf-8?q?Pierre-Elliott_B=C3=A9cue?= -Date: Mon, 5 Aug 2019 11:38:22 +0200 -Subject: [apparmor.d] Sets container-base accordingly to container-base.in - ---- - config/apparmor/abstractions/container-base | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base -index 0774765..a242aa4 100644 ---- a/config/apparmor/abstractions/container-base -+++ b/config/apparmor/abstractions/container-base -@@ -73,6 +73,7 @@ - # block some other dangerous paths - deny @{PROC}/kcore rwklx, - deny @{PROC}/sysrq-trigger rwklx, -+ deny @{PROC}/acpi/** rwklx, - - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) -@@ -85,7 +86,6 @@ - mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, - deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, -- mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, - mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, - - # deny reads from debugfs -@@ -147,7 +147,6 @@ - mount options=(rw,move) /s[^y]*{,/**}, - mount options=(rw,move) /sy[^s]*{,/**}, - mount options=(rw,move) /sys?*{,/**}, -- - # generated by: lxc-generate-aa-rules.py container-rules.base - deny /proc/sys/[^kn]*{,/**} wklx, - deny /proc/sys/k[^e]*{,/**} wklx, diff -pruN 1:5.0.1-1/debian/patches/0004-Fix-uninitialized-read-in-parse_cap-when-libcap-is-n.patch 1:5.0.1-0ubuntu6/debian/patches/0004-Fix-uninitialized-read-in-parse_cap-when-libcap-is-n.patch --- 1:5.0.1-1/debian/patches/0004-Fix-uninitialized-read-in-parse_cap-when-libcap-is-n.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0004-Fix-uninitialized-read-in-parse_cap-when-libcap-is-n.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,82 @@ +From b203e1a141a26c933ef0ca38c4eccc3e8c6637fd Mon Sep 17 00:00:00 2001 +From: Raphael Isemann +Date: Tue, 21 Jun 2022 13:10:40 +0200 +Subject: [PATCH 04/45] Fix uninitialized read in parse_cap when libcap is not + used + +fuzz-lxc-cgroup-init currently fails for me with the input +``` + lxc.cap.keep=0 +``` + +with this report: + +``` +==640655==WARNING: MemorySanitizer: use-of-uninitialized-value + #0 0x833c77 in parse_cap /src/lxc/san_build/../src/lxc/conf.c:3161:6 + #1 0xaa5fd6 in add_cap_entry /src/lxc/san_build/../src/lxc/confile.c:2462:9 + #2 0x9eb69c in set_config_cap_keep /src/lxc/san_build/../src/lxc/confile.c:2503:8 + #3 0x974a76 in parse_line /src/lxc/san_build/../src/lxc/confile.c:3115:9 + #4 0xea8cac in lxc_file_for_each_line_mmap /src/lxc/san_build/../src/lxc/parse.c:123:9 + #5 0x9700a1 in lxc_config_read /src/lxc/san_build/../src/lxc/confile.c:3192:9 + #6 0x4a3b50 in LLVMFuzzerTestOneInput /src/lxc/san_build/../src/tests/fuzz-lxc-cgroup-init.c:40:8 + #7 0x10556e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 + #8 0x1041372 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6 + #9 0x1046bbc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9 + #10 0x106f7b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 + #11 0x7ffff7bc00b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 + #12 0x420a9d in _start (/home/fuzzer/oss-fuzz/build/out/lxc/fuzz-lxc-cgroup-init+0x420a9d) + + Uninitialized value was created by an allocation of 'last_cap' in the stack frame of function 'parse_cap' + #0 0x832e30 in parse_cap /src/lxc/san_build/../src/lxc/conf.c:3131 +``` + +The reason is that without libcap we parse_cap ends up comparing two +uninitialized values. See the snippet below: + +``` +int parse_cap(const char *cap_name, __u32 *cap) +{ + int ret; + unsigned int res; + __u32 last_cap; + + [...] + + ret = lxc_caps_last_cap(&last_cap); // NOTE: 1. Call here. + if (ret) // Not taken as dummy lxc_caps_last_cap returned 0. + return -1; + + if ((__u32)res > last_cap) // last_cap is uninitialized. + return -1; + + *cap = (__u32)res; + return 0; +} +``` + +Root cause seems to be that the dummy `lxc_caps_last_cap` returns 0 but +doesn't set the last_cap value. This patch just returns -1 as an error code +to avoid the uninitialized read. + +Note: When reproducing the bug you need to compile with O0 and *not* with O1 +otherwise you will not see the report. + +Signed-off-by: Raphael Isemann +--- + src/lxc/caps.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: lxc-5.0.1/src/lxc/caps.h +=================================================================== +--- lxc-5.0.1.orig/src/lxc/caps.h ++++ lxc-5.0.1/src/lxc/caps.h +@@ -44,7 +44,7 @@ static inline int lxc_ambient_caps_down( + + static inline int lxc_caps_init(void) + { +- return 0; ++ return -1; + } + + static inline int lxc_caps_last_cap(__u32 *cap) diff -pruN 1:5.0.1-1/debian/patches/0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch 1:5.0.1-0ubuntu6/debian/patches/0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch --- 1:5.0.1-1/debian/patches/0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch 2022-08-01 20:38:46.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -From: =?utf-8?q?Pierre-Elliott_B=C3=A9cue?= -Date: Mon, 1 Aug 2022 22:35:10 +0200 -Subject: [nesting] Extend mount permissions in apparmor to allow systemd - services' restrictions to work - -These options allow systemd security features to work. In particular -cases, it helps with systemd-logind and program like this - -It's only added in nesting profile as it could pose security risks on -privileged containers. - -mount options=(rw,rbind) -> /run/systemd/unit-root/, -mount options=(rw,rbind) -> /run/systemd/unit-root/**, -mount options=(rw,rshared) -> /, -mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/, ---- - config/apparmor/profiles/lxc-default-with-nesting | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting -index cd198be..01562a9 100644 ---- a/config/apparmor/profiles/lxc-default-with-nesting -+++ b/config/apparmor/profiles/lxc-default-with-nesting -@@ -10,6 +10,10 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de - mount fstype=proc -> /var/cache/lxc/**, - mount fstype=sysfs -> /var/cache/lxc/**, - mount options=(rw,bind), -+ mount options=(rw,rbind) -> /run/systemd/unit-root/, -+ mount options=(rw,rbind) -> /run/systemd/unit-root/**, -+ mount options=(rw,rshared) -> /, -+ mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/, - mount fstype=cgroup -> /sys/fs/cgroup/**, - mount fstype=cgroup2 -> /sys/fs/cgroup/**, - } diff -pruN 1:5.0.1-1/debian/patches/0005-lxc.service-Starts-after-remote-fs.target.patch 1:5.0.1-0ubuntu6/debian/patches/0005-lxc.service-Starts-after-remote-fs.target.patch --- 1:5.0.1-1/debian/patches/0005-lxc.service-Starts-after-remote-fs.target.patch 2022-08-01 20:38:46.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0005-lxc.service-Starts-after-remote-fs.target.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,20 +0,0 @@ -From: =?utf-8?q?Pierre-Elliott_B=C3=A9cue?= -Date: Mon, 5 Aug 2019 11:53:54 +0200 -Subject: [lxc.service] Starts after remote-fs.target - ---- - config/init/systemd/lxc.service.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in -index 397a6c4..9135176 100644 ---- a/config/init/systemd/lxc.service.in -+++ b/config/init/systemd/lxc.service.in -@@ -1,6 +1,6 @@ - [Unit] - Description=LXC Container Initialization and Autoboot Code --After=network.target lxc-net.service remote-fs.target -+After=network.target remote-fs.target lxc-net.service - Wants=lxc-net.service - Documentation=man:lxc-autostart man:lxc - diff -pruN 1:5.0.1-1/debian/patches/0005-use-systemd-dbus-StartTransientUnit-for-unpriv-cgrou.patch 1:5.0.1-0ubuntu6/debian/patches/0005-use-systemd-dbus-StartTransientUnit-for-unpriv-cgrou.patch --- 1:5.0.1-1/debian/patches/0005-use-systemd-dbus-StartTransientUnit-for-unpriv-cgrou.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0005-use-systemd-dbus-StartTransientUnit-for-unpriv-cgrou.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,910 @@ +From c55353f84a8c171d0ccb911e1d34a5ed5577def1 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Tue, 21 Jun 2022 14:50:53 +0200 +Subject: [PATCH 05/45] use systemd dbus StartTransientUnit for unpriv cgroup2 + +If, when init'ing cgroups for a container start, we detect that we +are an unprivileged user on a unified-hierarchy-only system, then we +try to request systemd, through dbus api, to create a new scope for +us with delegation. Call the cgroup it creates for us P1. We then +create P1/init, move ourselves into there, so we can enable the +controllers for delegation to P1's children through P1/cgroup.subtree_control. + +On attach, we try to request systemd attach us to the container's +scope. We can't do that ourselves in the normal case, as root owns +our login cgroups. + +Create a new command api for the lxc monitor to tell lxc-attach the +systemd scope to which to attach. + +Changelog: + * free cgroup_meta.systemd_scope in lxc_conf_free (Thanks Tycho) + * fix some indent + * address some (not all) of brauner's feedback + +Signed-off-by: Serge Hallyn +--- + .github/workflows/build.yml | 2 +- + .github/workflows/coverity.yml | 2 +- + .github/workflows/sanitizers.sh | 2 +- + .github/workflows/sanitizers.yml | 2 +- + meson.build | 51 ++++ + meson_options.txt | 3 + + src/lxc/cgroups/cgfsng.c | 417 ++++++++++++++++++++++++++++++- + src/lxc/commands.c | 51 ++++ + src/lxc/commands.h | 2 + + src/lxc/conf.c | 1 + + src/lxc/conf.h | 7 + + src/tests/oss-fuzz.sh | 2 +- + 12 files changed, 524 insertions(+), 18 deletions(-) + +diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml +index f01fdb3c9..0a6f406ca 100644 +--- a/.github/workflows/build.yml ++++ b/.github/workflows/build.yml +@@ -26,7 +26,7 @@ jobs: + run: | + sudo apt-get update -qq + sudo apt-get install -qq gcc clang meson llvm +- sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x ++ sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libsystemd-dev + + - name: Compiler version + env: +diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml +index 4457474b7..52d7cac72 100644 +--- a/.github/workflows/coverity.yml ++++ b/.github/workflows/coverity.yml +@@ -25,7 +25,7 @@ jobs: + run: | + sudo apt-get update -qq + sudo apt-get install -qq gcc clang +- sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev docbook2x ++ sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev docbook2x libsystemd-dev + + - name: Compiler version + run: | +diff --git a/.github/workflows/sanitizers.sh b/.github/workflows/sanitizers.sh +index 061061c0a..0144f153e 100755 +--- a/.github/workflows/sanitizers.sh ++++ b/.github/workflows/sanitizers.sh +@@ -18,7 +18,7 @@ apt-get install --yes --no-install-recommends \ + libpam0g-dev libseccomp-dev libselinux1-dev libtool linux-libc-dev \ + llvm lsb-release make openssl pkg-config python3-all-dev \ + python3-setuptools rsync squashfs-tools uidmap unzip uuid-runtime \ +- wget xz-utils systemd-coredump ++ wget xz-utils systemd-coredump libsystemd-dev + apt-get remove --yes lxc-utils liblxc-common liblxc1 liblxc-dev + + ARGS="-Dprefix=/usr -Dtests=true -Dpam-cgroup=false -Dwerror=true -Dio-uring-event-loop=false -Db_lto_mode=default -Db_lundef=false" +diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml +index 4a28c8e1c..ce50dfaec 100644 +--- a/.github/workflows/sanitizers.yml ++++ b/.github/workflows/sanitizers.yml +@@ -22,7 +22,7 @@ jobs: + run: | + sudo apt-get update -qq + sudo apt-get install -qq gcc clang meson llvm +- sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x ++ sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libsystemd-dev + + - name: Compiler version + env: +diff --git a/meson.build b/meson.build +index 4cef7c9fc..21eba6d1e 100644 +--- a/meson.build ++++ b/meson.build +@@ -151,6 +151,7 @@ want_oss_fuzz = get_option('oss-fuzz') + want_seccomp = get_option('seccomp') + want_thread_safety = get_option('thread-safety') + want_memfd_rexec = get_option('memfd-rexec') ++want_sd_bus = get_option('sd-bus') + + srcconf.set_quoted('DEFAULT_CGROUP_PATTERN', cgrouppattern) + if coverity +@@ -256,6 +257,49 @@ else + srcconf.set10('HAVE_LIBURING', false) + endif + ++if not want_sd_bus.disabled() ++ has_sd_bus = true ++ sd_bus_optional = want_sd_bus.auto() ++ ++ libsystemd = dependency('libsystemd', required: not sd_bus_optional) ++ if not libsystemd.found() ++ if not sd_bus_optional ++ error('missing required libsystemd dependency') ++ endif ++ ++ has_sd_bus = false ++ endif ++ ++ if not cc.has_header('systemd/sd-bus.h') ++ if not sd_bus_optional ++ error('libsystemd misses required systemd/sd-bus.h header') ++ endif ++ ++ has_sd_bus = false ++ endif ++ ++ if not cc.has_header('systemd/sd-event.h') ++ if not sd_bus_optional ++ error('libsystemd misses required systemd/sd-event.h header') ++ endif ++ ++ has_sd_bus = false ++ endif ++ ++ if not cc.has_function('sd_bus_call_method_asyncv', prefix: '#include ', dependencies: libsystemd) ++ if not sd_bus_optional ++ error('libsystemd misses required sd_bus_call_method_asyncv function') ++ endif ++ ++ has_sd_bus = false ++ endif ++ ++ srcconf.set10('HAVE_LIBSYSTEMD', has_sd_bus) ++else ++ has_sd_bus = false ++ srcconf.set10('HAVE_LIBSYSTEMD', false) ++endif ++ + ## Time EPOCH. + sh = find_program('sh') + date = find_program('date') +@@ -639,6 +683,8 @@ endforeach + found_headers = [] + missing_headers = [] + foreach tuple: [ ++ ['systemd/sd-bus.h'], ++ ['systemd/sd-event.h'], + ['sys/resource.h'], + ['sys/memfd.h'], + ['sys/personality.h'], +@@ -676,6 +722,7 @@ foreach tuple: [ + ['pam'], + ['openssl'], + ['liburing'], ++ ['libsystemd'], + ] + + if tuple.length() >= 2 +@@ -750,6 +797,10 @@ if want_io_uring + liblxc_dependencies += [liburing] + endif + ++if has_sd_bus ++ liblxc_dependencies += [libsystemd] ++endif ++ + liblxc_link_whole = [liblxc_static] + + liblxc = shared_library( +diff --git a/meson_options.txt b/meson_options.txt +index d82ae3486..c14dacf27 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -22,6 +22,9 @@ option('init-script', type : 'array', + option('io-uring-event-loop', type: 'boolean', value: 'false', + description: 'Enable io-uring based event loop') + ++option('sd-bus', type: 'feature', value: 'auto', ++ description: 'Enable linking against sd-bus') ++ + # was --{disable,enable}-doc in autotools + option('man', type: 'boolean', value: 'true', + description: 'build and install manpages') +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index e39bde8df..ee4fc052f 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -57,6 +58,11 @@ + #include "strlcat.h" + #endif + ++#if HAVE_LIBSYSTEMD ++#include ++#include ++#endif ++ + lxc_log_define(cgfsng, cgroup); + + /* +@@ -947,6 +953,354 @@ static bool check_cgroup_dir_config(struct lxc_conf *conf) + return true; + } + ++#define SYSTEMD_SCOPE_FAILED 2 ++#define SYSTEMD_SCOPE_UNSUPP 1 ++#define SYSTEMD_SCOPE_SUCCESS 0 ++ ++#if HAVE_LIBSYSTEMD ++struct sd_callback_data { ++ char *scope_name; ++ bool job_complete; ++}; ++ ++static int systemd_jobremoved_callback(sd_bus_message *m, void *userdata, sd_bus_error *error) ++{ ++ char *path, *unit, *result; ++ struct sd_callback_data *sd_data = userdata; ++ uint32_t id; ++ int r; ++ ++ r = sd_bus_message_read(m, "uoss", &id, &path, &unit, &result); ++ if (r < 0) ++ return log_error(-1, "bad message received in callback: %s", strerror(-r)); ++ ++ if (sd_data->scope_name && strcmp(unit, sd_data->scope_name) != 0) ++ return log_trace(-1, "unit was '%s' not '%s'", unit, sd_data->scope_name); ++ if (strcmp(result, "done") == 0) { ++ sd_data->job_complete = true; ++ return log_info(1, "job is done"); ++ } ++ return log_debug(0, "result was '%s', not 'done'", result); ++} ++ ++#define DESTINATION "org.freedesktop.systemd1" ++#define PATH "/org/freedesktop/systemd1" ++#define INTERFACE "org.freedesktop.systemd1.Manager" ++#define MEMBER "StartTransientUnit" ++static bool start_scope(sd_bus *bus, struct sd_callback_data *data, struct sd_event *event) ++{ ++ __attribute__((__cleanup__(sd_bus_error_free))) sd_bus_error error = SD_BUS_ERROR_NULL;; ++ __attribute__((__cleanup__(sd_bus_message_unrefp))) sd_bus_message *reply = NULL; ++ __attribute__((__cleanup__(sd_bus_message_unrefp))) sd_bus_message *m = NULL; ++ char *path = NULL; ++ int r; ++ ++ r = sd_bus_message_new_method_call(bus, &m, ++ DESTINATION, PATH, INTERFACE, MEMBER); ++ if (r < 0) ++ return log_error(false, "Failed creating sdbus message"); ++ ++ r = sd_bus_message_append(m, "ss", data->scope_name, "fail"); ++ if (r < 0) ++ return log_error(false, "Failed setting systemd scope name"); ++ ++ r = sd_bus_message_open_container(m, 'a', "(sv)"); ++ if (r < 0) ++ return log_error(false, "Failed allocating sdbus msg properties"); ++ ++ r = sd_bus_message_append(m, "(sv)(sv)(sv)", ++ "PIDs", "au", 1, getpid(), ++ "Delegate", "b", 1, ++ "CollectMode", "s", "inactive-or-failed"); ++ if (r < 0) ++ return log_error(false, "Failed setting properties on sdbus message"); ++ ++ r = sd_bus_message_close_container(m); ++ if (r < 0) ++ return log_error(false, "Failed closing sdbus message properties"); ++ ++ r = sd_bus_message_append(m, "a(sa(sv))", 0); ++ if (r < 0) ++ return log_error(false, "Failed appending aux boilerplate\n"); ++ ++ r = sd_bus_call(NULL, m, 0, &error, &reply); ++ if (r < 0) ++ return log_error(false, "Failed sending sdbus message: %s", error.message); ++ ++ /* Parse the response message */ ++ r = sd_bus_message_read(reply, "o", &path); ++ if (r < 0) ++ return log_error(false, "Failed to parse response message: %s", strerror(-r)); ++ ++ /* Now spin up a mini-event-loop to wait for the "job completed" message */ ++ int tries = 0; ++ ++ while (!data->job_complete) { ++ r = sd_event_run(event, 1000 * 1000); ++ if (r < 0) { ++ log_debug(stderr, "Error waiting for JobRemoved: %s\n", strerror(-r)); ++ continue; ++ } ++ if (data->job_complete || tries == 5) ++ break; ++ if (r > 0) { ++ log_trace(stderr, "Debug: we processed an event (%d), but not the one we wanted\n", r); ++ continue; ++ } ++ if (r == 0) // timeout ++ tries++; ++ } ++ if (!data->job_complete) { ++ return log_error(false, "Error: %s job was never removed", data->scope_name); ++ } ++ return true; ++} ++ ++static bool string_pure_unified_system(char *contents) ++{ ++ char *p; ++ bool first_line_read = false; ++ ++ lxc_iterate_parts(p, contents, "\n") { ++ if (first_line_read) // if >1 line, this is not pure unified ++ return false; ++ first_line_read = true; ++ ++ if (strlen(p) > 3 && strncmp(p, "0:", 2) == 0) ++ return true; ++ } ++ ++ return false; ++} ++ ++/* ++ * Only call get_current_unified_cgroup() when we are in a pure ++ * unified (v2-only) cgroup ++ */ ++static char *get_current_unified_cgroup(void) ++{ ++ __do_free char *buf = NULL; ++ __do_free_string_list char **list = NULL; ++ char *p; ++ ++ buf = read_file_at(-EBADF, "/proc/self/cgroup", PROTECT_OPEN, 0); ++ if (!buf) ++ return NULL; ++ ++ if (!string_pure_unified_system(buf)) ++ return NULL; ++ ++ // 0::/user.slice/user-1000.slice/session-136.scope ++ // Get past the "0::" ++ p = buf; ++ if (strnequal(p, "0::", STRLITERALLEN("0::"))) ++ p += STRLITERALLEN("0::"); ++ ++ return strdup(p); ++} ++ ++static bool pure_unified_system(void) ++{ ++ __do_free char *buf = NULL; ++ ++ buf = read_file_at(-EBADF, "/proc/self/cgroup", PROTECT_OPEN, 0); ++ if (!buf) ++ return false; ++ ++ return string_pure_unified_system(buf); ++} ++ ++#define MEMBER_JOIN "AttachProcessesToUnit" ++static bool enter_scope(char *scope_name, pid_t pid) ++{ ++ __attribute__((__cleanup__(sd_bus_unrefp))) sd_bus *bus = NULL; ++ __attribute__((__cleanup__(sd_bus_error_free))) sd_bus_error error = SD_BUS_ERROR_NULL;; ++ __attribute__((__cleanup__(sd_bus_message_unrefp))) sd_bus_message *reply = NULL; ++ __attribute__((__cleanup__(sd_bus_message_unrefp))) sd_bus_message *m = NULL; ++ int r; ++ ++ r = sd_bus_open_user(&bus); ++ if (r < 0) ++ return log_error(false, "Failed to connect to user bus: %s", strerror(-r)); ++ ++ r = sd_bus_message_new_method_call(bus, &m, ++ DESTINATION, PATH, INTERFACE, MEMBER_JOIN); ++ if (r < 0) ++ return log_error(false, "Failed creating sdbus message"); ++ ++ r = sd_bus_message_append(m, "ssau", scope_name, "/init", 1, pid); ++ if (r < 0) ++ return log_error(false, "Failed setting systemd scope name"); ++ ++ ++ r = sd_bus_call(NULL, m, 0, &error, &reply); ++ if (r < 0) ++ return log_error(false, "Failed sending sdbus message: %s", error.message); ++ ++ return true; ++} ++ ++static bool enable_controllers_delegation(int fd_dir, char *cg) ++{ ++ __do_free char *rbuf = NULL; ++ __do_free char *wbuf = NULL; ++ __do_free_string_list char **cpulist = NULL; ++ char *controller; ++ size_t full_len = 0; ++ bool first = true; ++ int ret; ++ ++ rbuf = read_file_at(fd_dir, "cgroup.controllers", PROTECT_OPEN, 0); ++ if (!rbuf) ++ return false; ++ ++ lxc_iterate_parts(controller, rbuf, " ") { ++ full_len += strlen(controller) + 2; ++ wbuf = must_realloc(wbuf, full_len); ++ if (first) { ++ wbuf[0] = '\0'; ++ first = false; ++ } else { ++ (void)strlcat(wbuf, " ", full_len + 1); ++ } ++ strlcat(wbuf, "+", full_len + 1); ++ strlcat(wbuf, controller, full_len + 1); ++ } ++ if (!wbuf) ++ return log_debug(true, "No controllers to delegate!"); ++ ++ ret = lxc_writeat(fd_dir, "cgroup.subtree_control", wbuf, strlen(wbuf)); ++ if (ret < 0) ++ return log_error_errno(false, errno, "Failed to write \"%s\" to %s/cgroup.subtree_control", wbuf, cg); ++ ++ return true; ++} ++ ++/* ++ * systemd places us in say .../lxc-1.scope. We create lxc-1.scope/init, ++ * move ourselves to there, then enable controllers in lxc-1.scope ++ */ ++static bool move_and_delegate_unified(char *parent_cgroup) ++{ ++ __do_free char *buf = NULL; ++ __do_close int fd_parent = -EBADF; ++ int ret; ++ ++ fd_parent = open_at(-EBADF, parent_cgroup, O_DIRECTORY, 0, 0); ++ if (fd_parent < 0) ++ return syserror_ret(false, "Failed opening cgroup dir \"%s\"", parent_cgroup); ++ ++ ret = mkdirat(fd_parent, "init", 0755); ++ if (ret < 0 && errno != EEXIST) ++ return syserror_ret(false, "Failed to create \"%d/init\" cgroup", fd_parent); ++ ++ buf = read_file_at(fd_parent, "cgroup.procs", PROTECT_OPEN, 0); ++ if (!buf) ++ return false; ++ ++ ret = lxc_writeat(fd_parent, "init/cgroup.procs", buf, strlen(buf)); ++ if (ret) ++ return syserror_ret(false, "Failed to escape to cgroup \"init/cgroup.procs\""); ++ ++ /* enable controllers in parent_cgroup */ ++ return enable_controllers_delegation(fd_parent, parent_cgroup); ++} ++ ++static int unpriv_systemd_create_scope(struct cgroup_ops *ops, struct lxc_conf *conf) ++{ ++ __do_free char *full_scope_name = NULL; ++ __do_free char *fs_cg_path = NULL; ++ sd_event *event = NULL; ++ __attribute__((__cleanup__(sd_bus_unrefp))) sd_bus *bus = NULL; // free the bus before the names it references, just to be sure ++ struct sd_callback_data sd_data; ++ int idx = 0; ++ size_t len; ++ int r; ++ ++ if (geteuid() == 0) ++ return log_info(SYSTEMD_SCOPE_UNSUPP, "Running privileged, not using a systemd unit"); ++ // Pure_unified_layout() can't be used as that info is not yet setup. At ++ // the same time, we don't want to calculate current cgroups until after ++ // we optionally enter a new systemd user scope. So let's just do a quick ++ // check for pure unified cgroup system: single line /proc/self/cgroup with ++ // only index '0:' ++ if (!pure_unified_system()) ++ return log_info(SYSTEMD_SCOPE_UNSUPP, "Not in unified layout, not using a systemd unit"); ++ ++ r = sd_bus_open_user(&bus); ++ if (r < 0) ++ return log_error(SYSTEMD_SCOPE_FAILED, "Failed to connect to user bus: %s", strerror(-r)); ++ ++ r = sd_bus_call_method_asyncv(bus, NULL, DESTINATION, PATH, INTERFACE, "Subscribe", NULL, NULL, NULL, NULL); ++ if (r < 0) ++ return log_error(SYSTEMD_SCOPE_FAILED, "Failed to subscribe to signals: %s", strerror(-r)); ++ ++ sd_data.job_complete = false; ++ sd_data.scope_name = NULL; ++ r = sd_bus_match_signal(bus, ++ NULL, // no slot ++ DESTINATION, PATH, INTERFACE, "JobRemoved", ++ systemd_jobremoved_callback, &sd_data); ++ if (r < 0) ++ return log_error(SYSTEMD_SCOPE_FAILED, "Failed to register systemd event loop signal handler: %s", strerror(-r)); ++ ++ // NEXT: create and attach event ++ r = sd_event_new(&event); ++ if (r < 0) ++ return log_error(SYSTEMD_SCOPE_FAILED, "Failed allocating new event: %s\n", strerror(-r)); ++ r = sd_bus_attach_event(bus, event, SD_EVENT_PRIORITY_NORMAL); ++ if (r < 0) { ++ // bus won't clean up event since the attach failed ++ sd_event_unrefp(&event); ++ return log_error(SYSTEMD_SCOPE_FAILED, "Failed attaching event: %s\n", strerror(-r)); ++ } ++ ++ // "lxc-" + (conf->name) + "-NN" + ".scope" + '\0' ++ len = STRLITERALLEN("lxc-") + strlen(conf->name) + 3 + STRLITERALLEN(".scope") + 1; ++ full_scope_name = malloc(len); ++ if (!full_scope_name) ++ return syserror("Out of memory"); ++ ++ do { ++ snprintf(full_scope_name, len, "lxc-%s-%d.scope", conf->name, idx); ++ sd_data.scope_name = full_scope_name; ++ if (start_scope(bus, &sd_data, event)) { ++ conf->cgroup_meta.systemd_scope = get_current_unified_cgroup(); ++ if (!conf->cgroup_meta.systemd_scope) ++ return log_trace(SYSTEMD_SCOPE_FAILED, "Out of memory"); ++ fs_cg_path = must_make_path("/sys/fs/cgroup", conf->cgroup_meta.systemd_scope, NULL); ++ if (!move_and_delegate_unified(fs_cg_path)) ++ return log_error(SYSTEMD_SCOPE_FAILED, "Failed delegating the controllers to our cgroup"); ++ return log_trace(SYSTEMD_SCOPE_SUCCESS, "Created systemd scope %s", full_scope_name); ++ } ++ idx++; ++ } while (idx < 99); ++ ++ return SYSTEMD_SCOPE_FAILED; // failed, let's try old-school after all ++} ++#else /* !HAVE_LIBSYSTEMD */ ++static int unpriv_systemd_create_scope(struct cgroup_ops *ops, struct lxc_conf *conf) ++{ ++ TRACE("unpriv_systemd_create_scope: no systemd support"); ++ return SYSTEMD_SCOPE_UNSUPP; // not supported ++} ++#endif /* HAVE_LIBSYSTEMD */ ++ ++// Return a duplicate of cgroup path @cg without leading /, so ++// that caller can own+free it and be certain it's not abspath. ++static char *cgroup_relpath(char *cg) ++{ ++ char *p; ++ ++ if (!cg || strequal(cg, "/")) ++ return NULL; ++ p = strdup(deabs(cg)); ++ if (!p) ++ return ERR_PTR(-ENOMEM); ++ ++ return p; ++} ++ + __cgfsng_ops static bool cgfsng_monitor_create(struct cgroup_ops *ops, struct lxc_handler *handler) + { + __do_free char *monitor_cgroup = NULL; +@@ -1176,14 +1530,19 @@ __cgfsng_ops static bool cgfsng_monitor_enter(struct cgroup_ops *ops, + if (ret) + return log_error_errno(false, errno, "Failed to enter cgroup %d", h->dfd_mon); + +- TRACE("Moved monitor into cgroup %d", h->dfd_mon); ++ TRACE("Moved monitor (%d) into cgroup %d", handler->monitor_pid, h->dfd_mon); + + if (handler->transient_pid <= 0) + continue; + + ret = lxc_writeat(h->dfd_mon, "cgroup.procs", transient, transient_len); +- if (ret) +- return log_error_errno(false, errno, "Failed to enter cgroup %d", h->dfd_mon); ++ if (ret) { ++ // TODO: probably ask systemd to do the move for us instead ++ if (!handler->conf->cgroup_meta.systemd_scope) ++ return log_error_errno(false, errno, "Failed to enter pid %d into cgroup %d", handler->transient_pid, h->dfd_mon); ++ else ++ TRACE("Failed moving transient process into cgroup %d", h->dfd_mon); ++ } + + TRACE("Moved transient process into cgroup %d", h->dfd_mon); + +@@ -2184,14 +2543,30 @@ static int cgroup_attach_create_leaf(const struct lxc_conf *conf, + } + + static int cgroup_attach_move_into_leaf(const struct lxc_conf *conf, ++ const char *lxcpath, + int unified_fd, int *sk_fd, pid_t pid, + bool unprivileged) + { + __do_close int sk = *sk_fd, target_fd0 = -EBADF, target_fd1 = -EBADF; + char pidstr[INTTYPE_TO_STRLEN(int64_t) + 1]; + size_t pidstr_len; ++#if HAVE_LIBSYSTEMD ++ __do_free char *scope = NULL; ++#endif + ssize_t ret; + ++#if HAVE_LIBSYSTEMD ++ scope = lxc_cmd_get_systemd_scope(conf->name, lxcpath); ++ if (scope) { ++ TRACE("%s:%s is running under systemd-created scope '%s'. Attaching...", lxcpath, conf->name, scope); ++ if (enter_scope(scope, pid)) ++ TRACE("Successfully entered scope '%s'", scope); ++ else ++ ERROR("Failed entering scope '%s'", scope); ++ } else { ++ TRACE("%s:%s is not running under a systemd-created scope", lxcpath, conf->name); ++ } ++#endif + if (unprivileged) { + ret = lxc_abstract_unix_recv_two_fds(sk, &target_fd0, &target_fd1); + if (ret < 0) +@@ -2229,6 +2604,7 @@ static int cgroup_attach_move_into_leaf(const struct lxc_conf *conf, + + struct userns_exec_unified_attach_data { + const struct lxc_conf *conf; ++ const char *lxcpath; + int unified_fd; + int sk_pair[2]; + pid_t pid; +@@ -2239,8 +2615,8 @@ static int cgroup_unified_attach_child_wrapper(void *data) + { + struct userns_exec_unified_attach_data *args = data; + +- if (!args->conf || args->unified_fd < 0 || args->pid <= 0 || +- args->sk_pair[0] < 0 || args->sk_pair[1] < 0) ++ if (!args->conf || !args->lxcpath || args->unified_fd < 0 || ++ args->pid <= 0 || args->sk_pair[0] < 0 || args->sk_pair[1] < 0) + return ret_errno(EINVAL); + + close_prot_errno_disarm(args->sk_pair[0]); +@@ -2257,7 +2633,8 @@ static int cgroup_unified_attach_parent_wrapper(void *data) + return ret_errno(EINVAL); + + close_prot_errno_disarm(args->sk_pair[1]); +- return cgroup_attach_move_into_leaf(args->conf, args->unified_fd, ++ return cgroup_attach_move_into_leaf(args->conf, args->lxcpath, ++ args->unified_fd, + &args->sk_pair[0], args->pid, + args->unprivileged); + } +@@ -2286,6 +2663,7 @@ static int __cg_unified_attach(const struct hierarchy *h, + ret = cgroup_attach(conf, name, lxcpath, pid); + if (ret == 0) + return log_trace(0, "Attached to unified cgroup via command handler"); ++ TRACE("__cg_unified_attach: cgroup_attach returned %d", ret); + if (!ERRNO_IS_NOT_SUPPORTED(ret) && ret != -ENOCGROUP2) + return log_error_errno(ret, errno, "Failed to attach to unified cgroup"); + +@@ -2294,6 +2672,7 @@ static int __cg_unified_attach(const struct hierarchy *h, + /* not running */ + if (!cgroup) + return 0; ++ TRACE("lxc_cmd_get_cgroup_path returned %s", cgroup); + + path = make_cgroup_path(h, cgroup, NULL); + +@@ -2307,6 +2686,7 @@ static int __cg_unified_attach(const struct hierarchy *h, + .unified_fd = unified_fd, + .pid = pid, + .unprivileged = am_guest_unpriv(), ++ .lxcpath = lxcpath, + }; + + ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, args.sk_pair); +@@ -3152,12 +3532,19 @@ static const char *stable_order(const char *controllers) + #define CGFSNG_LAYOUT_UNIFIED BIT(1) + + static int __initialize_cgroups(struct cgroup_ops *ops, bool relative, +- bool unprivileged) ++ bool unprivileged, struct lxc_conf *conf) + { + __do_free char *cgroup_info = NULL; + unsigned int layout_mask = 0; ++ int ret; + char *it; + ++ ret = unpriv_systemd_create_scope(ops, conf); ++ if (ret < 0) ++ return ret_set_errno(false, ret); ++ else if (ret == 0) ++ TRACE("Entered an unpriv systemd scope"); ++ + /* + * Root spawned containers escape the current cgroup, so use init's + * cgroups as our base in that case. +@@ -3175,7 +3562,7 @@ static int __initialize_cgroups(struct cgroup_ops *ops, bool relative, + __do_free_string_list char **controller_list = NULL, + **delegate = NULL; + char *line; +- int dfd, ret, type; ++ int dfd, type; + + /* Handle the unified cgroup hierarchy. */ + line = it; +@@ -3185,7 +3572,10 @@ static int __initialize_cgroups(struct cgroup_ops *ops, bool relative, + type = UNIFIED_HIERARCHY; + layout_mask |= CGFSNG_LAYOUT_UNIFIED; + +- current_cgroup = current_unified_cgroup(relative, line); ++ if (conf->cgroup_meta.systemd_scope) ++ current_cgroup = cgroup_relpath(conf->cgroup_meta.systemd_scope); ++ if (IS_ERR_OR_NULL(current_cgroup)) ++ current_cgroup = current_unified_cgroup(relative, line); + if (IS_ERR(current_cgroup)) + return PTR_ERR(current_cgroup); + +@@ -3429,7 +3819,7 @@ static int initialize_cgroups(struct cgroup_ops *ops, struct lxc_conf *conf) + */ + ops->dfd_mnt = dfd; + +- ret = __initialize_cgroups(ops, conf->cgroup_meta.relative, !list_empty(&conf->id_map)); ++ ret = __initialize_cgroups(ops, conf->cgroup_meta.relative, !list_empty(&conf->id_map), conf); + if (ret < 0) + return syserror_ret(ret, "Failed to initialize cgroups"); + +@@ -3502,7 +3892,7 @@ struct cgroup_ops *cgroup_ops_init(struct lxc_conf *conf) + return move_ptr(cgfsng_ops); + } + +-static int __unified_attach_fd(const struct lxc_conf *conf, int fd_unified, pid_t pid) ++static int __unified_attach_fd(const struct lxc_conf *conf, const char *lxcpath, int fd_unified, pid_t pid) + { + int ret; + +@@ -3512,6 +3902,7 @@ static int __unified_attach_fd(const struct lxc_conf *conf, int fd_unified, pid_ + .unified_fd = fd_unified, + .pid = pid, + .unprivileged = am_guest_unpriv(), ++ .lxcpath = lxcpath, + }; + + ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, args.sk_pair); +@@ -3555,7 +3946,7 @@ static int __cgroup_attach_many(const struct lxc_conf *conf, const char *name, + int dfd_con = ctx->fd[idx]; + + if (unified_cgroup_fd(dfd_con)) +- ret = __unified_attach_fd(conf, dfd_con, pid); ++ ret = __unified_attach_fd(conf, lxcpath, dfd_con, pid); + else + ret = lxc_writeat(dfd_con, "cgroup.procs", pidstr, pidstr_len); + if (ret) +@@ -3580,7 +3971,7 @@ static int __cgroup_attach_unified(const struct lxc_conf *conf, const char *name + if (dfd_unified < 0) + return ret_errno(ENOSYS); + +- return __unified_attach_fd(conf, dfd_unified, pid); ++ return __unified_attach_fd(conf, lxcpath, dfd_unified, pid); + } + + int cgroup_attach(const struct lxc_conf *conf, const char *name, +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index 27861f25d..946c72e95 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -89,6 +89,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) + [LXC_CMD_GET_CGROUP_CTX] = "get_cgroup_ctx", + [LXC_CMD_GET_CGROUP_FD] = "get_cgroup_fd", + [LXC_CMD_GET_LIMIT_CGROUP_FD] = "get_limit_cgroup_fd", ++ [LXC_CMD_GET_SYSTEMD_SCOPE] = "get_systemd_scope", + }; + + if (cmd >= LXC_CMD_MAX) +@@ -1316,6 +1317,55 @@ static int lxc_cmd_get_lxcpath_callback(int fd, struct lxc_cmd_req *req, + return lxc_cmd_rsp_send_reap(fd, &rsp); + } + ++char *lxc_cmd_get_systemd_scope(const char *name, const char *lxcpath) ++{ ++ bool stopped = false; ++ ssize_t ret; ++ struct lxc_cmd_rr cmd; ++ ++ lxc_cmd_init(&cmd, LXC_CMD_GET_SYSTEMD_SCOPE); ++ ++ ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); ++ if (ret < 0) ++ return NULL; ++ ++ if (cmd.rsp.ret == 0) ++ return cmd.rsp.data; ++ ++ return NULL; ++} ++ ++static int lxc_cmd_get_systemd_scope_callback(int fd, struct lxc_cmd_req *req, ++ struct lxc_handler *handler, ++ struct lxc_async_descr *descr) ++{ ++ __do_free char *scope = NULL; ++ struct lxc_cmd_rsp rsp = { ++ .ret = -EINVAL, ++ }; ++ ++ // cgroup_meta.systemd_scope is the full cgroup path to the scope. ++ // The caller just wants the actual scope name, that is, basename(). ++ // (XXX - or do we want the caller to massage it? I'm undecided) ++ if (handler->conf->cgroup_meta.systemd_scope) { ++ scope = strrchr(handler->conf->cgroup_meta.systemd_scope, '/'); ++ if (scope && *scope) ++ scope++; ++ if (scope && *scope) ++ scope = strdup(scope); ++ } ++ ++ if (!scope) ++ goto out; ++ ++ rsp.ret = 0; ++ rsp.data = scope; ++ rsp.datalen = strlen(scope) + 1; ++ ++out: ++ return lxc_cmd_rsp_send_reap(fd, &rsp); ++} ++ + int lxc_cmd_add_state_client(const char *name, const char *lxcpath, + lxc_state_t states[static MAX_STATE], + int *state_client_fd) +@@ -1900,6 +1950,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, + [LXC_CMD_GET_CGROUP_CTX] = lxc_cmd_get_cgroup_ctx_callback, + [LXC_CMD_GET_CGROUP_FD] = lxc_cmd_get_cgroup_fd_callback, + [LXC_CMD_GET_LIMIT_CGROUP_FD] = lxc_cmd_get_limit_cgroup_fd_callback, ++ [LXC_CMD_GET_SYSTEMD_SCOPE] = lxc_cmd_get_systemd_scope_callback, + }; + + if (req->cmd >= LXC_CMD_MAX) +diff --git a/src/lxc/commands.h b/src/lxc/commands.h +index b4aac93a0..2a3974807 100644 +--- a/src/lxc/commands.h ++++ b/src/lxc/commands.h +@@ -52,6 +52,7 @@ typedef enum { + LXC_CMD_GET_CGROUP_CTX = 23, + LXC_CMD_GET_CGROUP_FD = 24, + LXC_CMD_GET_LIMIT_CGROUP_FD = 25, ++ LXC_CMD_GET_SYSTEMD_SCOPE = 26, + LXC_CMD_MAX, + } lxc_cmd_t; + +@@ -115,6 +116,7 @@ __hidden extern char *lxc_cmd_get_config_item(const char *name, const char *item + const char *lxcpath); + __hidden extern char *lxc_cmd_get_name(const char *hashed_sock); + __hidden extern char *lxc_cmd_get_lxcpath(const char *hashed_sock); ++__hidden extern char *lxc_cmd_get_systemd_scope(const char *name, const char *lxcpath); + __hidden extern pid_t lxc_cmd_get_init_pid(const char *name, const char *lxcpath); + __hidden extern int lxc_cmd_get_init_pidfd(const char *name, const char *lxcpath); + __hidden extern int lxc_cmd_get_state(const char *name, const char *lxcpath); +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a3293a531..a24fdcc8f 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4831,6 +4831,7 @@ void lxc_conf_free(struct lxc_conf *conf) + free(conf->cgroup_meta.container_dir); + free(conf->cgroup_meta.namespace_dir); + free(conf->cgroup_meta.controllers); ++ free(conf->cgroup_meta.systemd_scope); + free(conf->shmount.path_host); + free(conf->shmount.path_cont); + free(conf); +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index ccf59b47e..7dc2f15b6 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -74,6 +74,13 @@ struct lxc_cgroup { + char *container_dir; + char *namespace_dir; + bool relative; ++ /* If an unpriv user in pure unified-only hierarchy ++ * starts a container, then we ask systemd to create ++ * a scope for us, and create the monitor and container ++ * cgroups under that. ++ * This will ignore the above things like monitor_dir ++ */ ++ char *systemd_scope; + }; + }; + +diff --git a/src/tests/oss-fuzz.sh b/src/tests/oss-fuzz.sh +index 4a3920a77..2f95d34e5 100755 +--- a/src/tests/oss-fuzz.sh ++++ b/src/tests/oss-fuzz.sh +@@ -24,7 +24,7 @@ mkdir -p $OUT + apt-get update -qq + apt-get install --yes --no-install-recommends \ + build-essential docbook2x doxygen git \ +- wget xz-utils systemd-coredump pkgconf ++ wget xz-utils systemd-coredump pkgconf libsystemd-dev + apt-get remove --yes lxc-utils liblxc-common liblxc1 liblxc-dev + + # make sure we have a new enough meson version +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0006-adjust-pam-dir.patch 1:5.0.1-0ubuntu6/debian/patches/0006-adjust-pam-dir.patch --- 1:5.0.1-1/debian/patches/0006-adjust-pam-dir.patch 2022-08-01 20:38:46.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0006-adjust-pam-dir.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,22 +0,0 @@ -From: Mathias Gibbens -Date: Mon, 1 Aug 2022 22:34:08 +0200 -Subject: Modify the pam installation directory for Debian's packaging - -Forwarded: https://github.com/lxc/lxc/issues/4155 ---- - meson.build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/meson.build b/meson.build -index 5d1bb36..8e32ce9 100644 ---- a/meson.build -+++ b/meson.build -@@ -78,7 +78,7 @@ lxctemplateconfcommondir = join_paths(lxctemplateconfdir, 'common.conf.d') - lxctemplatedir = join_paths(lxcdatadir, 'templates') - lxc_user_network_conf = join_paths(sysconfdir, user_network_conf_opt) - lxc_user_network_db = join_paths(runtimepath, user_network_db_opt) --pam_security = join_paths(libdir, 'security') -+pam_security = libdir - - # Configuration options. - srcconf = configuration_data() diff -pruN 1:5.0.1-1/debian/patches/0006-fix-for-issue-4026-set-broadcast-to-0.0.0.0-for-31-a.patch 1:5.0.1-0ubuntu6/debian/patches/0006-fix-for-issue-4026-set-broadcast-to-0.0.0.0-for-31-a.patch --- 1:5.0.1-1/debian/patches/0006-fix-for-issue-4026-set-broadcast-to-0.0.0.0-for-31-a.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0006-fix-for-issue-4026-set-broadcast-to-0.0.0.0-for-31-a.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,44 @@ +From 26de6cbc8d8c765877c8e55cf2d84b0ceec5fad1 Mon Sep 17 00:00:00 2001 +From: "Marc E. Fiuczynski" +Date: Mon, 13 Jun 2022 08:43:14 -0400 +Subject: [PATCH 06/45] fix for issue 4026: set broadcast to 0.0.0.0 for /31 + and /32 + +Signed-off-by: Marc E. Fiuczynski +--- + src/lxc/confile.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index f5ff9f620..7966d32e8 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -899,13 +899,19 @@ static int set_config_net_ipv4_address(const char *key, const char *value, + + /* If no broadcast address, compute one from the prefix and address. */ + if (!bcast) { +- unsigned int shift = LAST_BIT_PER_TYPE(inetdev->prefix); ++ /* 0<=inetdev->prefix<=32 */ ++ switch (inetdev->prefix) { ++ case 32: /* single IPv4 network */ ++ ; /* fall thru */ ++ case 31: /* RFC 3021 point to point network */ ++ inetdev->bcast.s_addr = INADDR_ANY; ++ break; + +- inetdev->bcast.s_addr = inetdev->addr.s_addr; +- if (inetdev->prefix < shift) +- shift = inetdev->prefix; +- inetdev->bcast.s_addr |= htonl(INADDR_BROADCAST >> shift); +- } ++ default: ++ inetdev->bcast.s_addr |= htonl(INADDR_BROADCAST >> inetdev->prefix); ++ break; ++ } ++ } + + list_add_tail(&inetdev->head, &netdev->ipv4_addresses); + move_ptr(inetdev); +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0007-conf-log-file-descriptors-on-error-during-idmapped-m.patch 1:5.0.1-0ubuntu6/debian/patches/0007-conf-log-file-descriptors-on-error-during-idmapped-m.patch --- 1:5.0.1-1/debian/patches/0007-conf-log-file-descriptors-on-error-during-idmapped-m.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0007-conf-log-file-descriptors-on-error-during-idmapped-m.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,27 @@ +From fc133a9f37a62f4f35d66ee309d28d4953920b4a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 29 Jun 2022 18:29:52 +0200 +Subject: [PATCH 07/45] conf: log file descriptors on error during idmapped + mount setup + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a24fdcc8f..0bc42993b 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4120,7 +4120,7 @@ int lxc_idmapped_mounts_parent(struct lxc_handler *handler) + return syserror("Failed to receive idmapped mount file descriptors from child"); + + if (fd_from < 0 || fd_userns < 0) +- return log_trace(0, "Finished receiving idmapped mount file descriptors from child"); ++ return log_trace(0, "Finished receiving idmapped mount file descriptors (%d | %d) from child", fd_from, fd_userns); + + attr.attr_set = MOUNT_ATTR_IDMAP; + attr.userns_fd = fd_userns; +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0008-start-don-t-overwrite-file-descriptors-during-namesp.patch 1:5.0.1-0ubuntu6/debian/patches/0008-start-don-t-overwrite-file-descriptors-during-namesp.patch --- 1:5.0.1-1/debian/patches/0008-start-don-t-overwrite-file-descriptors-during-namesp.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0008-start-don-t-overwrite-file-descriptors-during-namesp.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,28 @@ +From 7317d2a8a7d81a6208c64446b47f09748d406ecc Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 29 Jun 2022 18:31:01 +0200 +Subject: [PATCH 08/45] start: don't overwrite file descriptors during + namespace preservation + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/start.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index d0a860361..bf1a589ba 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -150,9 +150,6 @@ static int lxc_try_preserve_namespace(struct lxc_handler *handler, + static bool lxc_try_preserve_namespaces(struct lxc_handler *handler, + int ns_clone_flags) + { +- for (lxc_namespace_t ns_idx = 0; ns_idx < LXC_NS_MAX; ns_idx++) +- handler->nsfd[ns_idx] = -EBADF; +- + for (lxc_namespace_t ns_idx = 0; ns_idx < LXC_NS_MAX; ns_idx++) { + int ret; + const char *ns = ns_info[ns_idx].proc_name; +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0009-start-record-inherited-namespaces-earlier-to-make-it.patch 1:5.0.1-0ubuntu6/debian/patches/0009-start-record-inherited-namespaces-earlier-to-make-it.patch --- 1:5.0.1-1/debian/patches/0009-start-record-inherited-namespaces-earlier-to-make-it.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0009-start-record-inherited-namespaces-earlier-to-make-it.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,133 @@ +From 6c50e09f2cd59d60aa3d60d87c8e6442ad062c48 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 29 Jun 2022 18:31:37 +0200 +Subject: [PATCH 09/45] start: record inherited namespaces earlier to make it + available for idmapped rootfs setup + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/start.c | 67 ++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 49 insertions(+), 18 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index bf1a589ba..bc6b2252b 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1585,6 +1585,18 @@ static int core_scheduling(struct lxc_handler *handler) + return 0; + } + ++static bool inherits_namespaces(const struct lxc_handler *handler) ++{ ++ struct lxc_conf *conf = handler->conf; ++ ++ for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) { ++ if (conf->ns_share[i]) ++ return true; ++ } ++ ++ return false; ++} ++ + /* lxc_spawn() performs crucial setup tasks and clone()s the new process which + * exec()s the requested container binary. + * Note that lxc_spawn() runs in the parent namespaces. Any operations performed +@@ -1600,25 +1612,12 @@ static int lxc_spawn(struct lxc_handler *handler) + bool wants_to_map_ids; + struct list_head *id_map; + const char *name = handler->name; +- const char *lxcpath = handler->lxcpath; +- bool share_ns = false; + struct lxc_conf *conf = handler->conf; + struct cgroup_ops *cgroup_ops = handler->cgroup_ops; + + id_map = &conf->id_map; + wants_to_map_ids = !list_empty(id_map); + +- for (i = 0; i < LXC_NS_MAX; i++) { +- if (!conf->ns_share[i]) +- continue; +- +- handler->nsfd[i] = lxc_inherit_namespace(conf->ns_share[i], lxcpath, ns_info[i].proc_name); +- if (handler->nsfd[i] < 0) +- return -1; +- +- share_ns = true; +- } +- + if (!lxc_sync_init(handler)) + return -1; + +@@ -1629,10 +1628,6 @@ static int lxc_spawn(struct lxc_handler *handler) + data_sock0 = handler->data_sock[0]; + data_sock1 = handler->data_sock[1]; + +- ret = resolve_clone_flags(handler); +- if (ret < 0) +- goto out_sync_fini; +- + if (handler->ns_clone_flags & CLONE_NEWNET) { + ret = lxc_find_gateway_addresses(handler); + if (ret) { +@@ -1647,7 +1642,7 @@ static int lxc_spawn(struct lxc_handler *handler) + } + + /* Create a process in a new set of namespaces. */ +- if (share_ns) { ++ if (inherits_namespaces(handler)) { + pid_t attacher_pid; + + attacher_pid = lxc_clone(do_share_ns, handler, +@@ -1992,6 +1987,28 @@ out_sync_fini: + return -1; + } + ++static int lxc_inherit_namespaces(struct lxc_handler *handler) ++{ ++ const char *lxcpath = handler->lxcpath; ++ struct lxc_conf *conf = handler->conf; ++ ++ for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) { ++ if (!conf->ns_share[i]) ++ continue; ++ ++ handler->nsfd[i] = lxc_inherit_namespace(conf->ns_share[i], ++ lxcpath, ++ ns_info[i].proc_name); ++ if (handler->nsfd[i] < 0) ++ return -1; ++ ++ TRACE("Recording inherited %s namespace with fd %d", ++ ns_info[i].proc_name, handler->nsfd[i]); ++ } ++ ++ return 0; ++} ++ + int __lxc_start(struct lxc_handler *handler, struct lxc_operations *ops, + void *data, const char *lxcpath, bool daemonize, int *error_num) + { +@@ -2034,6 +2051,20 @@ int __lxc_start(struct lxc_handler *handler, struct lxc_operations *ops, + goto out_abort; + } + ++ ret = resolve_clone_flags(handler); ++ if (ret < 0) { ++ ERROR("Failed to resolve clone flags"); ++ ret = -1; ++ goto out_abort; ++ } ++ ++ ret = lxc_inherit_namespaces(handler); ++ if (ret) { ++ SYSERROR("Failed to record inherited namespaces"); ++ ret = -1; ++ goto out_abort; ++ } ++ + /* If the rootfs is not a blockdev, prevent the container from marking + * it readonly. + * If the container is unprivileged then skip rootfs pinning. +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0010-conf-fix-append_ttyname.patch 1:5.0.1-0ubuntu6/debian/patches/0010-conf-fix-append_ttyname.patch --- 1:5.0.1-1/debian/patches/0010-conf-fix-append_ttyname.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0010-conf-fix-append_ttyname.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,75 @@ +From eae44ce1993160508dc7155318f6cc9c18bfaf3f Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 30 Jun 2022 12:48:01 +0200 +Subject: [PATCH 10/45] conf: fix append_ttyname() + +We appended container_tty= and then used setenv(container_tty, ...) +resulting int container_tty=container_tty=. + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/conf.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 0bc42993b..ffbe74c2f 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -922,29 +922,29 @@ static int lxc_setup_dev_symlinks(const struct lxc_rootfs *rootfs) + } + + /* Build a space-separate list of ptys to pass to systemd. */ +-static bool append_ttyname(char **pp, char *name) ++static bool append_ttyname(struct lxc_tty_info *ttys, char *tty_name) + { +- char *p; ++ char *tty_names, *buf; + size_t size; + +- if (!*pp) { +- *pp = zalloc(strlen(name) + strlen("container_ttys=") + 1); +- if (!*pp) +- return false; ++ if (!tty_name) ++ return false; + +- sprintf(*pp, "container_ttys=%s", name); +- return true; +- } ++ size = strlen(tty_name) + 1; ++ if (ttys->tty_names) ++ size += strlen(ttys->tty_names) + 1; + +- size = strlen(*pp) + strlen(name) + 2; +- p = realloc(*pp, size); +- if (!p) ++ buf = realloc(ttys->tty_names, size); ++ if (!buf) + return false; ++ tty_names = buf; + +- *pp = p; +- (void)strlcat(p, " ", size); +- (void)strlcat(p, name, size); +- ++ if (ttys->tty_names) ++ (void)strlcat(buf, " ", size); ++ else ++ buf[0] = '\0'; ++ (void)strlcat(buf, tty_name, size); ++ ttys->tty_names = tty_names; + return true; + } + +@@ -1065,7 +1065,7 @@ static int lxc_setup_ttys(struct lxc_conf *conf) + DEBUG("Bind mounted \"%s\" onto \"%s\"", tty->name, rootfs->buf); + } + +- if (!append_ttyname(&conf->ttys.tty_names, tty->name)) ++ if (!append_ttyname(&conf->ttys, tty->name)) + return log_error(-1, "Error setting up container_ttys string"); + } + +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0011-start-fix-namespace-sharing.patch 1:5.0.1-0ubuntu6/debian/patches/0011-start-fix-namespace-sharing.patch --- 1:5.0.1-1/debian/patches/0011-start-fix-namespace-sharing.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0011-start-fix-namespace-sharing.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,54 @@ +From 07a00b78f0142ee2098a30b792c80eb578765d39 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Fri, 1 Jul 2022 10:12:45 +0200 +Subject: [PATCH 11/45] start: fix namespace sharing + +Fixes: #4134 +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/start.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index bc6b2252b..7751b7e90 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1597,6 +1597,13 @@ static bool inherits_namespaces(const struct lxc_handler *handler) + return false; + } + ++static inline void resolve_cgroup_clone_flags(struct lxc_handler *handler) ++{ ++ handler->clone_flags &= ~(CLONE_INTO_CGROUP | CLONE_NEWCGROUP); ++ handler->ns_on_clone_flags &= ~(CLONE_INTO_CGROUP | CLONE_NEWCGROUP); ++ handler->ns_unshare_flags |= CLONE_NEWCGROUP; ++} ++ + /* lxc_spawn() performs crucial setup tasks and clone()s the new process which + * exec()s the requested container binary. + * Note that lxc_spawn() runs in the parent namespaces. Any operations performed +@@ -1645,6 +1652,7 @@ static int lxc_spawn(struct lxc_handler *handler) + if (inherits_namespaces(handler)) { + pid_t attacher_pid; + ++ resolve_cgroup_clone_flags(handler); + attacher_pid = lxc_clone(do_share_ns, handler, + CLONE_VFORK | CLONE_VM | CLONE_FILES, NULL); + if (attacher_pid < 0) { +@@ -1686,11 +1694,8 @@ static int lxc_spawn(struct lxc_handler *handler) + SYSTRACE("Failed to spawn container directly into target cgroup"); + + /* Kernel might simply be too old for CLONE_INTO_CGROUP. */ +- handler->clone_flags &= ~(CLONE_INTO_CGROUP | CLONE_NEWCGROUP); +- handler->ns_on_clone_flags &= ~CLONE_NEWCGROUP; +- handler->ns_unshare_flags |= CLONE_NEWCGROUP; +- +- clone_args.flags = handler->clone_flags; ++ resolve_cgroup_clone_flags(handler); ++ clone_args.flags = handler->clone_flags; + + handler->pid = lxc_clone3(&clone_args, CLONE_ARGS_SIZE_VER0); + } else if (cgroup_fd >= 0) { +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0012-add-check-for-statvfs.patch 1:5.0.1-0ubuntu6/debian/patches/0012-add-check-for-statvfs.patch --- 1:5.0.1-1/debian/patches/0012-add-check-for-statvfs.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0012-add-check-for-statvfs.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,47 @@ +From 8ee615c27d4e646b13a767ffc59823262b38427d Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Fri, 1 Jul 2022 11:09:15 +0200 +Subject: [PATCH 12/45] add check for statvfs + +we use HAVE_STATVFS in the code but with meson the check got +lost causing mount_entry to fail to remount some things such +as a bind mount of /dev/fuse via + + lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0 + +which would cause the following log messages: + + DEBUG conf - ../src/lxc/conf.c:mount_entry:2416 - Remounting "/dev/fuse" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/fuse" to respect bind or remount options + ERROR conf - ../src/lxc/conf.c:mount_entry:2459 - Operation not permitted - Failed to mount "/dev/fuse" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/fuse" + +note that the `Flags for ... were ...` line is not showing +up there, which depends on HAVE_STATVFS + +Signed-off-by: Wolfgang Bumiller +--- + meson.build | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/meson.build b/meson.build +index 21eba6d1e..6a056fa70 100644 +--- a/meson.build ++++ b/meson.build +@@ -538,6 +538,7 @@ foreach tuple: [ + ['sigdescr_np'], + ['signalfd'], + ['statx'], ++ ['statvfs'], + ['strlcat'], + ['strlcpy'], + ['unshare'], +@@ -667,6 +668,7 @@ foreach ident: [ + ['setns', '''#include '''], + ['sigdescr_np', '''#include '''], + ['signalfd', '''#include '''], ++ ['statvfs', '''#include '''], + ['statx', '''#include + #include + #include '''], +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0013-Fix-off-by-one-error-constructing-mount-options.patch 1:5.0.1-0ubuntu6/debian/patches/0013-Fix-off-by-one-error-constructing-mount-options.patch --- 1:5.0.1-1/debian/patches/0013-Fix-off-by-one-error-constructing-mount-options.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0013-Fix-off-by-one-error-constructing-mount-options.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,28 @@ +From df3301046fc5f31881a2d4736cc5c381342ecc3d Mon Sep 17 00:00:00 2001 +From: srd424 +Date: Sun, 3 Jul 2022 10:21:30 +0100 +Subject: [PATCH 13/45] Fix off-by-one error constructing mount options + +This fixes a really subtle off-by-one error constructing overlay mount options if rootfs options are provided and modern overlayfs (i.e. requiring a workdir) is used. We need to allow for the extra "," required to separate the extra options when computing the length! + +Signed-off-by: srd424 +--- + src/lxc/storage/overlay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/storage/overlay.c b/src/lxc/storage/overlay.c +index f8094fada..0c3fa1220 100644 +--- a/src/lxc/storage/overlay.c ++++ b/src/lxc/storage/overlay.c +@@ -445,7 +445,7 @@ int ovl_mount(struct lxc_storage *bdev) + upper, lower, mntdata); + + len2 = strlen(lower) + strlen(upper) + strlen(work) + +- strlen("upperdir=,lowerdir=,workdir=") + ++ strlen("upperdir=,lowerdir=,workdir=,") + + strlen(mntdata) + 1; + options_work = must_realloc(NULL, len2); + ret2 = snprintf(options, len2, +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0014-Store-mount-options-in-correct-variable.patch 1:5.0.1-0ubuntu6/debian/patches/0014-Store-mount-options-in-correct-variable.patch --- 1:5.0.1-1/debian/patches/0014-Store-mount-options-in-correct-variable.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0014-Store-mount-options-in-correct-variable.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,28 @@ +From 3d360cf9dbf556e5ff90b562fa3baac73821a342 Mon Sep 17 00:00:00 2001 +From: srd424 +Date: Sun, 3 Jul 2022 18:18:23 +0100 +Subject: [PATCH 14/45] Store mount options in correct variable + +This was exposed by the fix in the previous commit. + +Signed-off-by: srd424 +--- + src/lxc/storage/overlay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/storage/overlay.c b/src/lxc/storage/overlay.c +index 0c3fa1220..f38f3a740 100644 +--- a/src/lxc/storage/overlay.c ++++ b/src/lxc/storage/overlay.c +@@ -448,7 +448,7 @@ int ovl_mount(struct lxc_storage *bdev) + strlen("upperdir=,lowerdir=,workdir=,") + + strlen(mntdata) + 1; + options_work = must_realloc(NULL, len2); +- ret2 = snprintf(options, len2, ++ ret2 = snprintf(options_work, len2, + "upperdir=%s,lowerdir=%s,workdir=%s,%s", upper, + lower, work, mntdata); + } else { +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0015-meson-add-remaining-still-in-use-config-checks.patch 1:5.0.1-0ubuntu6/debian/patches/0015-meson-add-remaining-still-in-use-config-checks.patch --- 1:5.0.1-1/debian/patches/0015-meson-add-remaining-still-in-use-config-checks.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0015-meson-add-remaining-still-in-use-config-checks.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,140 @@ +From 353f0f99267e28a5049d01a28895aa2305119c0d Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Mon, 4 Jul 2022 11:27:14 +0200 +Subject: [PATCH 15/45] meson: add remaining still-in-use config checks + +These are all still in use in the code but have not been +added to meson.build when switching over from autoconf. + +Signed-off-by: Wolfgang Bumiller +--- + meson.build | 35 ++++++++++++++++++++++++++++++----- + src/tests/meson.build | 6 +++--- + 2 files changed, 33 insertions(+), 8 deletions(-) + +diff --git a/meson.build b/meson.build +index 6a056fa70..992fa08c7 100644 +--- a/meson.build ++++ b/meson.build +@@ -420,6 +420,9 @@ if want_capabilities + if not libcap.found() + # Compat with Ubuntu 14.04 which ships libcap w/o .pc file + libcap = cc.find_library('cap', required: false) ++ else ++ have = cc.has_function('cap_get_file', dependencies: libcap, prefix: '#include ') ++ srcconf.set10('LIBCAP_SUPPORTS_FILE_CAPABILITIES', have) + endif + srcconf.set10('HAVE_LIBCAP', libcap.found()) + pkgconfig_libs += libcap +@@ -444,6 +447,9 @@ else + srcconf.set10('HAVE_STATIC_LIBCAP', false) + endif + ++libutil = cc.find_library('util', required: false) ++ ++oss_fuzz_dependencies = [] + if want_oss_fuzz + srcconf.set10('FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION', true) + srcconf.set10('RUN_ON_OSS_FUZZ', true) +@@ -459,12 +465,21 @@ srcconf.set10('HAVE_PAM', pam.found()) + pkgconfig_libs += pam + + ## Others. ++have = cc.has_function('fmemopen', prefix: '#include ', args: '-D_GNU_SOURCE') ++srcconf.set10('HAVE_FMEMOPEN', have) ++ ++have_openpty = cc.has_function('openpty', dependencies: libutil, prefix: '#include ') ++srcconf.set10('HAVE_OPENPTY', have_openpty) ++ ++have = cc.has_function('pthread_setcancelstate', prefix: '#include ') ++srcconf.set10('HAVE_PTHREAD_SETCANCELSTATE', have) ++ ++have = cc.has_function('rand_r') ++srcconf.set10('HAVE_RAND_R', have) ++ + have = cc.has_function('strchrnul', prefix: '#include ', args: '-D_GNU_SOURCE') + srcconf.set10('HAVE_STRCHRNUL', have) + +-have = cc.has_function('openpty', prefix: '#include ', args: '-D_GNU_SOURCE') +-srcconf.set10('HAVE_OPENPTY', have) +- + have_func_strerror_r = cc.has_function('strerror_r', prefix: '#include ', args: '-D_GNU_SOURCE') + srcconf.set10('HAVE_STRERROR_R', have_func_strerror_r) + +@@ -565,16 +580,18 @@ decl_headers = ''' + #include + #include + #include +-#include ++#include + #include + #include ++#include + ''' + + foreach decl: [ + '__aligned_u64', ++ 'struct clone_args', + 'struct mount_attr', + 'struct open_how', +- 'struct clone_args', ++ 'struct rtnl_link_stats64', + ] + + # We get -1 if the size cannot be determined +@@ -594,6 +611,7 @@ foreach tuple: [ + ['__aligned_u64'], + ['struct mount_attr'], + ['struct open_how'], ++ ['struct rtnl_link_stats64'], + ] + + if tuple.length() >= 2 +@@ -803,6 +821,13 @@ if has_sd_bus + liblxc_dependencies += [libsystemd] + endif + ++if have_openpty ++ liblxc_dependencies += [libutil] ++ if want_oss_fuzz ++ oss_fuzz_dependencies += [libutil] ++ endif ++endif ++ + liblxc_link_whole = [liblxc_static] + + liblxc = shared_library( +diff --git a/src/tests/meson.build b/src/tests/meson.build +index 625a4b6f7..03d9f2290 100644 +--- a/src/tests/meson.build ++++ b/src/tests/meson.build +@@ -408,7 +408,7 @@ if want_oss_fuzz + 'fuzz-lxc-cgroup-init', + files('fuzz-lxc-cgroup-init.c') + tests_common_sources, + include_directories: liblxc_includes, +- dependencies: [fuzzing_engine], ++ dependencies: [fuzzing_engine, oss_fuzz_dependencies], + link_with: [liblxc_static], + install: false, + install_dir: bindir) +@@ -417,7 +417,7 @@ if want_oss_fuzz + 'fuzz-lxc-config-read', + files('fuzz-lxc-config-read.c') + tests_common_sources, + include_directories: liblxc_includes, +- dependencies: [fuzzing_engine], ++ dependencies: [fuzzing_engine, oss_fuzz_dependencies], + link_with: [liblxc_static], + install: false, + install_dir: bindir) +@@ -426,7 +426,7 @@ if want_oss_fuzz + 'fuzz-lxc-define-load', + files('fuzz-lxc-define-load.c') + tests_common_sources, + include_directories: liblxc_includes, +- dependencies: [fuzzing_engine], ++ dependencies: [fuzzing_engine, oss_fuzz_dependencies], + link_with: [liblxc_static], + install: false, + install_dir: bindir) +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0016-src-lxc-log.h-fix-STRERROR_R_CHAR_P.patch 1:5.0.1-0ubuntu6/debian/patches/0016-src-lxc-log.h-fix-STRERROR_R_CHAR_P.patch --- 1:5.0.1-1/debian/patches/0016-src-lxc-log.h-fix-STRERROR_R_CHAR_P.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0016-src-lxc-log.h-fix-STRERROR_R_CHAR_P.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,37 @@ +From 8ee8879083f40d2d0b9cef46d6a6907c1b5a814b Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Thu, 14 Jul 2022 12:31:21 +0200 +Subject: [PATCH 16/45] src/lxc/log.h: fix STRERROR_R_CHAR_P + +STRERROR_R_CHAR_P is always defined to 0 or 1 depending on the value of +have_func_strerror_r_char_p in meson.build so replace #ifdef by #if to +avoid a redefinition build failure if char *strerror_r is not defined + +Signed-off-by: Fabrice Fontaine +--- + src/lxc/log.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/log.h b/src/lxc/log.h +index 554a2e1d4..fcddc679a 100644 +--- a/src/lxc/log.h ++++ b/src/lxc/log.h +@@ -304,13 +304,13 @@ __lxc_unused static inline void LXC_##LEVEL(struct lxc_log_locinfo* locinfo, \ + * Helper macro to define errno string. + */ + #if HAVE_STRERROR_R +- #ifdef STRERROR_R_CHAR_P ++ #if STRERROR_R_CHAR_P + char *strerror_r(int errnum, char *buf, size_t buflen); + #else + int strerror_r(int errnum, char *buf, size_t buflen); + #endif + +- #ifdef STRERROR_R_CHAR_P ++ #if STRERROR_R_CHAR_P + #define lxc_log_strerror_r \ + char errno_buf[PATH_MAX / 2] = {"Failed to get errno string"}; \ + char *ptr = NULL; \ +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0017-meson.build-fix-build-with-Dcapabilities-false.patch 1:5.0.1-0ubuntu6/debian/patches/0017-meson.build-fix-build-with-Dcapabilities-false.patch --- 1:5.0.1-1/debian/patches/0017-meson.build-fix-build-with-Dcapabilities-false.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0017-meson.build-fix-build-with-Dcapabilities-false.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,30 @@ +From 7d72354898feac15bc4082130bcbe638bae02450 Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Thu, 14 Jul 2022 17:03:40 +0200 +Subject: [PATCH 17/45] meson.build: fix build with -Dcapabilities=false + +Define libcap_static to an empty array to avoid the following build +failure with -Dcapabilities=false: + +output/build/lxc-5.0.0/src/lxc/cmd/meson.build:64:4: ERROR: Unknown variable "libcap_static". + +Signed-off-by: Fabrice Fontaine +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 992fa08c7..4ed57a655 100644 +--- a/meson.build ++++ b/meson.build +@@ -443,6 +443,7 @@ int main(int argc, char *argv[]) { return 0; }; + srcconf.set10('HAVE_STATIC_LIBCAP', false) + endif + else ++ libcap_static = [] + srcconf.set10('HAVE_LIBCAP', false) + srcconf.set10('HAVE_STATIC_LIBCAP', false) + endif +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0018-meson.build-fix-build-without-stack-protector.patch 1:5.0.1-0ubuntu6/debian/patches/0018-meson.build-fix-build-without-stack-protector.patch --- 1:5.0.1-1/debian/patches/0018-meson.build-fix-build-without-stack-protector.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0018-meson.build-fix-build-without-stack-protector.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,36 @@ +From 5e704fe389ef56d89d14caf52ec45fb045670ece Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Thu, 14 Jul 2022 17:49:54 +0200 +Subject: [PATCH 18/45] meson.build: fix build without stack-protector + +Move -fstack-protector-strong from possible_cc_flags to +possible_link_flags to avoid a build failure on toolchains without ssp + +Signed-off-by: Fabrice Fontaine +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 4ed57a655..a145faf06 100644 +--- a/meson.build ++++ b/meson.build +@@ -177,7 +177,6 @@ possible_cc_flags = [ + '-Wstrict-prototypes', + '-fno-strict-aliasing', + '-fstack-clash-protection', +- '-fstack-protector-strong', + '--param=ssp-buffer-size=4', + '--mcet -fcf-protection', + '-Werror=implicit-function-declaration', +@@ -215,6 +214,7 @@ possible_link_flags = [ + '-Wl,-z,now', + '-Wl,-fuse-ld=gold', + '-fstack-protector', ++ '-fstack-protector-strong', + ] + + if sanitize == 'none' +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0019-README-update-security-mails.patch 1:5.0.1-0ubuntu6/debian/patches/0019-README-update-security-mails.patch --- 1:5.0.1-1/debian/patches/0019-README-update-security-mails.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0019-README-update-security-mails.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,27 @@ +From 7f664307113e582e2c7bd4f39f433bb7af597560 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 19 Jul 2022 10:29:41 +0200 +Subject: [PATCH 19/45] README: update security mails + +Reported-by: Serge Hallyn +Signed-off-by: Christian Brauner (Microsoft) +--- + README.md | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/README.md b/README.md +index b0f59e2a6..186137107 100644 +--- a/README.md ++++ b/README.md +@@ -132,7 +132,7 @@ report it by e-mail to all of the following persons: + + - serge (at) hallyn (dot) com + - stgraber (at) ubuntu (dot) com +-- christian.brauner (at) ubuntu (dot) com ++- brauner (at) kernel (dot) org + + For further details please have a look at + +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0020-lxc-usernsexec-allow-to-select-which-g-u-id-to-switc.patch 1:5.0.1-0ubuntu6/debian/patches/0020-lxc-usernsexec-allow-to-select-which-g-u-id-to-switc.patch --- 1:5.0.1-1/debian/patches/0020-lxc-usernsexec-allow-to-select-which-g-u-id-to-switc.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0020-lxc-usernsexec-allow-to-select-which-g-u-id-to-switc.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,62 @@ +From 32a07151939c6c251def2a1e5e04973e4c64103a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 25 Jul 2022 22:25:55 +0200 +Subject: [PATCH 20/45] lxc-usernsexec: allow to select which {g,u}id to switch + to + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/cmd/lxc_usernsexec.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/cmd/lxc_usernsexec.c b/src/lxc/cmd/lxc_usernsexec.c +index 96a1182a3..b17faa38c 100644 +--- a/src/lxc/cmd/lxc_usernsexec.c ++++ b/src/lxc/cmd/lxc_usernsexec.c +@@ -32,6 +32,9 @@ + #include "utils.h" + + __hidden extern int lxc_log_fd; ++/* Assume we want to become root */ ++static uid_t uid = 0; ++static gid_t gid = 0; + + static void usage(const char *name) + { +@@ -90,8 +93,7 @@ static int do_child(void *vargv) + if (!lxc_drop_groups() && errno != EPERM) + return -1; + +- /* Assume we want to become root */ +- if (!lxc_switch_uid_gid(0, 0)) ++ if (!lxc_switch_uid_gid(uid, gid)) + return -1; + + ret = unshare(CLONE_NEWNS); +@@ -328,7 +330,7 @@ int main(int argc, char *argv[]) + } + } + +- while ((c = getopt(argc, argv, "m:hs")) != EOF) { ++ while ((c = getopt(argc, argv, "m:hsu:g:")) != EOF) { + switch (c) { + case 'm': + ret = parse_map(optarg); +@@ -343,6 +345,14 @@ int main(int argc, char *argv[]) + case 's': + map_self = true; + break; ++ case 'u': ++ if (lxc_safe_uint(optarg, &uid) < 0) ++ return -1; ++ break; ++ case 'g': ++ if (lxc_safe_uint(optarg, &gid) < 0) ++ return -1; ++ break; + default: + usage(argv[0]); + _exit(EXIT_FAILURE); +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0021-gitignore-Simplify.patch 1:5.0.1-0ubuntu6/debian/patches/0021-gitignore-Simplify.patch --- 1:5.0.1-1/debian/patches/0021-gitignore-Simplify.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0021-gitignore-Simplify.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,173 @@ +From e452c8945788e8b81854f74296d89fe6d1a60529 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Mon, 1 Aug 2022 17:45:52 -0400 +Subject: [PATCH 21/45] gitignore: Simplify +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The move to meson has made it so that all rendered/built files are now +nicely self-contained. This lets us greatly simplify our gitignore, +effectively just ignoring release tarballs and the few usual temporary +files we may deal with during development. + +Signed-off-by: Stéphane Graber +--- + .gitignore | 142 ++--------------------------------------------------- + 1 file changed, 3 insertions(+), 139 deletions(-) + +diff --git a/.gitignore b/.gitignore +index b6f99f2da..2af52b650 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -1,144 +1,8 @@ +-*.o +-*.a +-*.lo +-*.la +-*.so +-*.so.* +-*.sgml +-*.conf ++# Temporarily files. + *~ +-*.gz + *.swp +- +-.deps +-.libs +-.dirstamp +- +-lxc.spec +-lxc.pc +- +-templates/* +-!templates/*.in +-templates/Makefile.in +- +-src/lxc/init.lxc +-src/lxc/init.lxc.static +-src/lxc/lxc-attach +-src/lxc/lxc-autostart +-src/lxc/lxc-cgroup +-src/lxc/tools/lxc-checkconfig +-src/lxc/tools/lxc-update-config +-src/lxc/lxc-checkpoint +-src/lxc/lxc-console +-src/lxc/lxc-config +-src/lxc/lxc-copy +-src/lxc/lxc-create +-src/lxc/lxc-destroy +-src/lxc/lxc-device +-src/lxc/lxc-execute +-src/lxc/lxc-freeze +-src/lxc/lxc.functions +-src/lxc/lxc-info +-src/lxc/lxc-init +-src/lxc/lxc-ls +-src/lxc/lxc-monitor +-src/lxc/lxc-monitord +-src/lxc/lxc-shutdown +-src/lxc/lxc-snapshot +-src/lxc/lxc-start +-src/lxc/lxc-stop +-src/lxc/lxc-top +-src/lxc/lxc-unfreeze +-src/lxc/lxc-unshare +-src/lxc/lxc-usernsexec +-src/lxc/lxc-wait +-src/lxc/lxc-user-nic +-src/lxc/version.h +-src/lxc/cmd/lxc-checkconfig +-src/lxc/cmd/lxc-update-config +- +-src/tests/lxc-test-device-add-remove +-src/tests/lxc-test-attach +-src/tests/lxc-test-apparmor +-src/tests/lxc-test-arch-parse +-src/tests/lxc-test-cgpath +-src/tests/lxc-test-clonetest +-src/tests/lxc-test-concurrent +-src/tests/lxc-test-console +-src/tests/lxc-test-console-log +-src/tests/lxc-test-containertests +-src/tests/lxc-test-createtest +-src/tests/lxc-test-destroytest +-src/tests/lxc-test-get_item +-src/tests/lxc-test-getkeys +-src/tests/lxc-test-list +-src/tests/lxc-test-livepatch +-src/tests/lxc-test-locktests +-src/tests/lxc-test-lxcpath +-src/tests/lxc-test-may-control +-src/tests/lxc-test-reboot +-src/tests/lxc-test-saveconfig +-src/tests/lxc-test-shutdowntest +-src/tests/lxc-test-snapshot +-src/tests/lxc-test-startone +-src/tests/lxc-test-usernic +-src/tests/lxc-test-utils* +-src/tests/lxc-usernic-test +-src/tests/lxc-test-config-jump-table +-src/tests/lxc-test-parse-config-file +-src/tests/lxc-test-proc-pid +-src/tests/lxc-test-shortlived +-src/tests/lxc-test-api-reboot +-src/tests/lxc-test-criu-check-feature +-src/tests/lxc-test-raw-clone +-src/tests/lxc-test-share-ns +-src/tests/lxc-test-state-server +-src/tests/lxc-test-basic +-src/tests/lxc-test-cve-2019-5736 +-src/tests/lxc-test-mount-injection +-src/tests/lxc-test-sysctls +-src/tests/lxc-test-sys-mixed +-src/tests/lxc-test-rootfs-options +-src/tests/lxc-test-capabilities +- +-config/apparmor/abstractions/start-container +-config/bash/lxc +-config/init/common/lxc-containers +-config/init/common/lxc-net +-config/init/systemd/lxc-autostart-helper +-config/init/systemd/lxc-monitord.service +-config/init/systemd/lxc-net.service +-config/init/systemd/lxc.service +-config/init/systemd/lxc@.service +-config/init/sysvinit/lxc +-config/init/sysvinit/lxc-containers +-config/init/sysvinit/lxc-net +-config/sysconfig/lxc +- +-doc/*.1 +-doc/*.5 +-doc/*.7 +-doc/*.8 +-doc/ja/*.1 +-doc/ja/*.5 +-doc/ja/*.7 +-doc/ja/*.8 +-doc/ko/*.1 +-doc/ko/*.5 +-doc/ko/*.7 +-doc/manpage.links +-doc/manpage.refs +-doc/api/html/* +- +-hooks/unmount-namespace +-hooks/dhclient +- +-.pc +-patches + *.orig + *.rej +-tags +-TAGS + +-doc/api/doxygen_sqlite3.db +-doc/api/*.tmp ++# Release tarballs. ++lxc-*.tar.gz* +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0022-build-detect-where-struct-mount_attr-is-declared.patch 1:5.0.1-0ubuntu6/debian/patches/0022-build-detect-where-struct-mount_attr-is-declared.patch --- 1:5.0.1-1/debian/patches/0022-build-detect-where-struct-mount_attr-is-declared.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0022-build-detect-where-struct-mount_attr-is-declared.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,186 @@ +From c1115e1503bf955c97f4cf3b925a6a9f619764c3 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 9 Aug 2022 16:14:25 +0200 +Subject: [PATCH 22/45] build: detect where struct mount_attr is declared + +Fixes: #4176 +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 30 ++++++++++++++++++++++++++++-- + src/lxc/conf.c | 6 +++--- + src/lxc/conf.h | 2 +- + src/lxc/mount_utils.c | 6 +++--- + src/lxc/syscall_wrappers.h | 12 ++++++++++-- + 5 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/meson.build b/meson.build +index a145faf06..f679aabbc 100644 +--- a/meson.build ++++ b/meson.build +@@ -590,7 +590,6 @@ decl_headers = ''' + foreach decl: [ + '__aligned_u64', + 'struct clone_args', +- 'struct mount_attr', + 'struct open_how', + 'struct rtnl_link_stats64', + ] +@@ -610,7 +609,6 @@ foreach tuple: [ + ['struct seccomp_notif_sizes'], + ['struct clone_args'], + ['__aligned_u64'], +- ['struct mount_attr'], + ['struct open_how'], + ['struct rtnl_link_stats64'], + ] +@@ -630,6 +628,34 @@ foreach tuple: [ + endif + endforeach + ++## Types. ++decl_headers = ''' ++#include ++''' ++ ++# We get -1 if the size cannot be determined ++if cc.sizeof('struct mount_attr', prefix: decl_headers, args: '-D_GNU_SOURCE') > 0 ++ srcconf.set10('HAVE_' + 'struct mount_attr'.underscorify().to_upper(), true) ++ found_types += 'struct mount_attr (sys/mount.h)' ++else ++ srcconf.set10('HAVE_' + 'struct mount_attr'.underscorify().to_upper(), false) ++ missing_types += 'struct mount_attr (sys/mount.h)' ++endif ++ ++## Types. ++decl_headers = ''' ++#include ++''' ++ ++# We get -1 if the size cannot be determined ++if cc.sizeof('struct mount_attr', prefix: decl_headers, args: '-D_GNU_SOURCE') > 0 ++ srcconf.set10('HAVE_UAPI_' + 'struct mount_attr'.underscorify().to_upper(), true) ++ found_types += 'struct mount_attr (linux/mount.h)' ++else ++ srcconf.set10('HAVE_UAPI_' + 'struct mount_attr'.underscorify().to_upper(), false) ++ missing_types += 'struct mount_attr (linux/mount.h)' ++endif ++ + ## Headers. + foreach ident: [ + ['bpf', '''#include +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index ffbe74c2f..4193cd07f 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2885,7 +2885,7 @@ static int __lxc_idmapped_mounts_child(struct lxc_handler *handler, FILE *f) + struct lxc_mount_options opts = {}; + int dfd_from; + const char *source_relative, *target_relative; +- struct lxc_mount_attr attr = {}; ++ struct mount_attr attr = {}; + + ret = parse_lxc_mount_attrs(&opts, mntent.mnt_opts); + if (ret < 0) +@@ -3005,7 +3005,7 @@ static int __lxc_idmapped_mounts_child(struct lxc_handler *handler, FILE *f) + + /* Set propagation mount options. */ + if (opts.attr.propagation) { +- attr = (struct lxc_mount_attr) { ++ attr = (struct mount_attr) { + .propagation = opts.attr.propagation, + }; + +@@ -4109,7 +4109,7 @@ int lxc_idmapped_mounts_parent(struct lxc_handler *handler) + + for (;;) { + __do_close int fd_from = -EBADF, fd_userns = -EBADF; +- struct lxc_mount_attr attr = {}; ++ struct mount_attr attr = {}; + struct lxc_mount_options opts = {}; + ssize_t ret; + +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 7dc2f15b6..772479f9e 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -223,7 +223,7 @@ struct lxc_mount_options { + unsigned long mnt_flags; + unsigned long prop_flags; + char *data; +- struct lxc_mount_attr attr; ++ struct mount_attr attr; + char *raw_options; + }; + +diff --git a/src/lxc/mount_utils.c b/src/lxc/mount_utils.c +index bba75f933..88dd73ee3 100644 +--- a/src/lxc/mount_utils.c ++++ b/src/lxc/mount_utils.c +@@ -31,7 +31,7 @@ lxc_log_define(mount_utils, lxc); + * setting in @attr_set, but must also specify MOUNT_ATTR__ATIME in the + * @attr_clr field. + */ +-static inline void set_atime(struct lxc_mount_attr *attr) ++static inline void set_atime(struct mount_attr *attr) + { + switch (attr->attr_set & MOUNT_ATTR__ATIME) { + case MOUNT_ATTR_RELATIME: +@@ -272,7 +272,7 @@ int create_detached_idmapped_mount(const char *path, int userns_fd, + { + __do_close int fd_tree_from = -EBADF; + unsigned int open_tree_flags = OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC; +- struct lxc_mount_attr attr = { ++ struct mount_attr attr = { + .attr_set = MOUNT_ATTR_IDMAP | attr_set, + .attr_clr = attr_clr, + .userns_fd = userns_fd, +@@ -335,7 +335,7 @@ int __fd_bind_mount(int dfd_from, const char *path_from, __u64 o_flags_from, + __u64 attr_clr, __u64 propagation, int userns_fd, + bool recursive) + { +- struct lxc_mount_attr attr = { ++ struct mount_attr attr = { + .attr_set = attr_set, + .attr_clr = attr_clr, + .propagation = propagation, +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index a5e98b565..c8a7d0c7b 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -18,6 +18,12 @@ + #include "macro.h" + #include "syscall_numbers.h" + ++#if HAVE_STRUCT_MOUNT_ATTR ++#include ++#elif HAVE_UAPI_STRUCT_MOUNT_ATTR ++#include ++#endif ++ + #ifdef HAVE_LINUX_MEMFD_H + #include + #endif +@@ -210,16 +216,18 @@ extern int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags); + /* + * mount_setattr() + */ +-struct lxc_mount_attr { ++#if !HAVE_STRUCT_MOUNT_ATTR && !HAVE_UAPI_STRUCT_MOUNT_ATTR ++struct mount_attr { + __u64 attr_set; + __u64 attr_clr; + __u64 propagation; + __u64 userns_fd; + }; ++#endif + + #if !HAVE_MOUNT_SETATTR + static inline int mount_setattr(int dfd, const char *path, unsigned int flags, +- struct lxc_mount_attr *attr, size_t size) ++ struct mount_attr *attr, size_t size) + { + return syscall(__NR_mount_setattr, dfd, path, flags, attr, size); + } +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0023-build-detect-sys-pidfd.h-availability.patch 1:5.0.1-0ubuntu6/debian/patches/0023-build-detect-sys-pidfd.h-availability.patch --- 1:5.0.1-1/debian/patches/0023-build-detect-sys-pidfd.h-availability.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0023-build-detect-sys-pidfd.h-availability.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,54 @@ +From ef1e0607b82e27350c2d677d649c6a0a9693fd40 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 9 Aug 2022 16:27:40 +0200 +Subject: [PATCH 23/45] build: detect sys/pidfd.h availability + +Fixes: #4176 +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 1 + + src/lxc/process_utils.h | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/meson.build b/meson.build +index f679aabbc..e99954233 100644 +--- a/meson.build ++++ b/meson.build +@@ -735,6 +735,7 @@ foreach tuple: [ + ['sys/resource.h'], + ['sys/memfd.h'], + ['sys/personality.h'], ++ ['sys/pidfd.h'], + ['sys/signalfd.h'], + ['sys/timerfd.h'], + ['pty.h'], +diff --git a/src/lxc/process_utils.h b/src/lxc/process_utils.h +index 9c15b1574..ed84741d0 100644 +--- a/src/lxc/process_utils.h ++++ b/src/lxc/process_utils.h +@@ -15,6 +15,10 @@ + #include + #include + ++#if HAVE_SYS_PIDFD_H ++#include ++#endif ++ + #include "compiler.h" + #include "syscall_numbers.h" + +@@ -136,9 +140,11 @@ + #endif + + /* waitid */ ++#if !HAVE_SYS_PIDFD_H + #ifndef P_PIDFD + #define P_PIDFD 3 + #endif ++#endif + + #ifndef CLONE_ARGS_SIZE_VER0 + #define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */ +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0024-build-check-for-FS_CONFIG_-header-symbol-in-sys-moun.patch 1:5.0.1-0ubuntu6/debian/patches/0024-build-check-for-FS_CONFIG_-header-symbol-in-sys-moun.patch --- 1:5.0.1-1/debian/patches/0024-build-check-for-FS_CONFIG_-header-symbol-in-sys-moun.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0024-build-check-for-FS_CONFIG_-header-symbol-in-sys-moun.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,151 @@ +From cbabe8abf11e7e7fb49c123bae31efdd9bc8f1e8 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 9 Aug 2022 17:19:40 +0200 +Subject: [PATCH 24/45] build: check for FS_CONFIG_* header symbol in + sys/mount.h + +Fixes: #4176 +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 59 +++++++++++++++++++++++++++++++++++++++++-- + src/lxc/mount_utils.h | 16 ++++++++++++ + 2 files changed, 73 insertions(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index e99954233..9f8a5de60 100644 +--- a/meson.build ++++ b/meson.build +@@ -639,8 +639,7 @@ if cc.sizeof('struct mount_attr', prefix: decl_headers, args: '-D_GNU_SOURCE') > + found_types += 'struct mount_attr (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'struct mount_attr'.underscorify().to_upper(), false) +- missing_types += 'struct mount_attr (sys/mount.h)' +-endif ++ missing_types += 'struct mount_attr (sys/mount.h)' endif + + ## Types. + decl_headers = ''' +@@ -656,6 +655,62 @@ else + missing_types += 'struct mount_attr (linux/mount.h)' + endif + ++if cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG') ++ srcconf.set10('HAVE_' + 'FSCONFIG_SET_FLAG'.underscorify().to_upper(), true) ++ found_types += 'FSCONFIG_SET_FLAG' ++else ++ srcconf.set10('HAVE_' + 'FSCONFIG_SET_FLAG'.underscorify().to_upper(), false) ++ missing_types += 'FSCONFIG_SET_FLAG' ++endif ++ ++if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_STRING') ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_STRING'.underscorify().to_upper(), true) ++ found_types += 'FS_CONFIG_SET_STRING' ++else ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_STRING'.underscorify().to_upper(), false) ++ missing_types += 'FS_CONFIG_SET_STRING' ++endif ++ ++if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_BINARY') ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_BINARY'.underscorify().to_upper(), true) ++ found_types += 'FS_CONFIG_SET_BINARY' ++else ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_BINARY'.underscorify().to_upper(), false) ++ missing_types += 'FS_CONFIG_SET_BINARY' ++endif ++ ++if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_PATH_EMPTY') ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_EMPTY'.underscorify().to_upper(), true) ++ found_types += 'FS_CONFIG_SET_PATH_EMPTY' ++else ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_EMPTY'.underscorify().to_upper(), false) ++ missing_types += 'FS_CONFIG_SET_PATH_EMPTY' ++endif ++ ++if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_PATH_FD') ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_FD'.underscorify().to_upper(), true) ++ found_types += 'FS_CONFIG_SET_PATH_FD' ++else ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_FD'.underscorify().to_upper(), false) ++ missing_types += 'FS_CONFIG_SET_PATH_FD' ++endif ++ ++if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_CMD_CREATE') ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_CREATE'.underscorify().to_upper(), true) ++ found_types += 'FS_CONFIG_SET_CMD_CREATE' ++else ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_CREATE'.underscorify().to_upper(), false) ++ missing_types += 'FS_CONFIG_SET_CMD_CREATE' ++endif ++ ++if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_CMD_RECONFIGURE') ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_RECONFIGURE'.underscorify().to_upper(), true) ++ found_types += 'FS_CONFIG_SET_CMD_RECONFIGURE' ++else ++ srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_RECONFIGURE'.underscorify().to_upper(), false) ++ missing_types += 'FS_CONFIG_SET_CMD_RECONFIGURE' ++endif ++ + ## Headers. + foreach ident: [ + ['bpf', '''#include +diff --git a/src/lxc/mount_utils.h b/src/lxc/mount_utils.h +index ea392672d..fd3473945 100644 +--- a/src/lxc/mount_utils.h ++++ b/src/lxc/mount_utils.h +@@ -82,37 +82,53 @@ struct lxc_rootfs; + #endif + + /* fsconfig() commands */ ++#if !HAVE_FSCONFIG_SET_FLAG + #ifndef FSCONFIG_SET_FLAG + #define FSCONFIG_SET_FLAG 0 /* Set parameter, supplying no value */ + #endif ++#endif + ++#if !HAVE_FSCONFIG_SET_STRING + #ifndef FSCONFIG_SET_STRING + #define FSCONFIG_SET_STRING 1 /* Set parameter, supplying a string value */ + #endif ++#endif + ++#if !HAVE_FSCONFIG_SET_BINARY + #ifndef FSCONFIG_SET_BINARY + #define FSCONFIG_SET_BINARY 2 /* Set parameter, supplying a binary blob value */ + #endif ++#endif + ++#if !HAVE_FSCONFIG_SET_PATH + #ifndef FSCONFIG_SET_PATH + #define FSCONFIG_SET_PATH 3 /* Set parameter, supplying an object by path */ + #endif ++#endif + ++#if !HAVE_FSCONFIG_SET_PATH_EMPTY + #ifndef FSCONFIG_SET_PATH_EMPTY + #define FSCONFIG_SET_PATH_EMPTY 4 /* Set parameter, supplying an object by (empty) path */ + #endif ++#endif + ++#if !HAVE_FSCONFIG_SET_FD + #ifndef FSCONFIG_SET_FD + #define FSCONFIG_SET_FD 5 /* Set parameter, supplying an object by fd */ + #endif ++#endif + ++#if !HAVE_FSCONFIG_CMD_CREATE + #ifndef FSCONFIG_CMD_CREATE + #define FSCONFIG_CMD_CREATE 6 /* Invoke superblock creation */ + #endif ++#endif + ++#if !FSCONFIG_CMD_RECONFIGURE + #ifndef FSCONFIG_CMD_RECONFIGURE + #define FSCONFIG_CMD_RECONFIGURE 7 /* Invoke superblock reconfiguration */ + #endif ++#endif + + /* fsmount() flags */ + #ifndef FSMOUNT_CLOEXEC +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0025-meson.build-allow-explicit-distrosysconfdir.patch 1:5.0.1-0ubuntu6/debian/patches/0025-meson.build-allow-explicit-distrosysconfdir.patch --- 1:5.0.1-1/debian/patches/0025-meson.build-allow-explicit-distrosysconfdir.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0025-meson.build-allow-explicit-distrosysconfdir.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,62 @@ +From 16ebb29dccb35bf74e8a19e8c45d2513f927476f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= + +Date: Tue, 9 Aug 2022 22:24:09 +0700 +Subject: [PATCH 25/45] meson.build: allow explicit distrosysconfdir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allows either: + +- Build inside minimal-and-clean chroot with neither + /etc/sysconfig nor /etc/default available. +- Cross Compile lxc from foreign distro, + let's say host distro uses /etc/sysconfig and build distro + uses /etc/default and vice versus. + +Signed-off-by: Đoàn Trần Công Danh +--- + meson.build | 8 ++++++-- + meson_options.txt | 3 +++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index a145faf06..b27cc8edc 100644 +--- a/meson.build ++++ b/meson.build +@@ -117,14 +117,18 @@ conf.set('SYSCONFDIR', sysconfdir) + + # Set sysconfdir + fs = import('fs') +-if fs.is_dir('/etc/sysconfig') ++distrosysconfdir = get_option('distrosysconfdir') ++if distrosysconfdir != '' ++ distrosysconfdir = join_paths(sysconfdir, distrosysconfdir) ++ conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir) ++elif fs.is_dir('/etc/sysconfig') + distrosysconfdir = join_paths(sysconfdir, 'sysconfig') + conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir) + elif fs.is_dir('/etc/default') + distrosysconfdir = join_paths(sysconfdir, 'default') + conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir) + else +- distrosysconfdir = '' ++ error('"distrosysconfdir" is not set') + endif + + # Cross-compile on Android. +diff --git a/meson_options.txt b/meson_options.txt +index c14dacf27..de583a086 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -115,3 +115,6 @@ option('thread-safety', type : 'boolean', value : 'true', + # was --{disable,enable}-memfd-rexec in autotools + option('memfd-rexec', type : 'boolean', value : 'true', + description : 'whether to rexec the lxc-attach binary when attaching to a container') ++ ++option('distrosysconfdir', type : 'string', value: '', ++ description: 'relative path to sysconfdir for distro default configuration') +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0026-tree-wide-wipe-direct-or-indirect-linux-mount.h-incl.patch 1:5.0.1-0ubuntu6/debian/patches/0026-tree-wide-wipe-direct-or-indirect-linux-mount.h-incl.patch --- 1:5.0.1-1/debian/patches/0026-tree-wide-wipe-direct-or-indirect-linux-mount.h-incl.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0026-tree-wide-wipe-direct-or-indirect-linux-mount.h-incl.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,211 @@ +From 4771699fd97b1e9ee7dc4f7cfe01c8ddd698f682 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 10 Aug 2022 11:42:52 +0200 +Subject: [PATCH 26/45] tree-wide: wipe direct or indirect linux/mount.h + inclusion + +It is incompatible with sys/mount.h and causes massive headaches. + +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 44 +++++++++++++------------------------- + src/lxc/macro.h | 13 +++++++++++ + src/lxc/mount_utils.h | 2 +- + src/lxc/syscall_wrappers.h | 9 ++------ + src/lxc/utils.c | 2 -- + 5 files changed, 31 insertions(+), 39 deletions(-) + +diff --git a/meson.build b/meson.build +index 9f8a5de60..d55808fb0 100644 +--- a/meson.build ++++ b/meson.build +@@ -628,7 +628,6 @@ foreach tuple: [ + endif + endforeach + +-## Types. + decl_headers = ''' + #include + ''' +@@ -641,74 +640,61 @@ else + srcconf.set10('HAVE_' + 'struct mount_attr'.underscorify().to_upper(), false) + missing_types += 'struct mount_attr (sys/mount.h)' endif + +-## Types. +-decl_headers = ''' +-#include +-''' +- +-# We get -1 if the size cannot be determined +-if cc.sizeof('struct mount_attr', prefix: decl_headers, args: '-D_GNU_SOURCE') > 0 +- srcconf.set10('HAVE_UAPI_' + 'struct mount_attr'.underscorify().to_upper(), true) +- found_types += 'struct mount_attr (linux/mount.h)' +-else +- srcconf.set10('HAVE_UAPI_' + 'struct mount_attr'.underscorify().to_upper(), false) +- missing_types += 'struct mount_attr (linux/mount.h)' +-endif +- ++## Check if sys/mount.h defines the fsconfig commands + if cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG') + srcconf.set10('HAVE_' + 'FSCONFIG_SET_FLAG'.underscorify().to_upper(), true) +- found_types += 'FSCONFIG_SET_FLAG' ++ found_types += 'FSCONFIG_SET_FLAG (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FSCONFIG_SET_FLAG'.underscorify().to_upper(), false) +- missing_types += 'FSCONFIG_SET_FLAG' ++ missing_types += 'FSCONFIG_SET_FLAG (sys/mount.h)' + endif + + if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_STRING') + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_STRING'.underscorify().to_upper(), true) +- found_types += 'FS_CONFIG_SET_STRING' ++ found_types += 'FS_CONFIG_SET_STRING (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_STRING'.underscorify().to_upper(), false) +- missing_types += 'FS_CONFIG_SET_STRING' ++ missing_types += 'FS_CONFIG_SET_STRING (sys/mount.h)' + endif + + if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_BINARY') + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_BINARY'.underscorify().to_upper(), true) +- found_types += 'FS_CONFIG_SET_BINARY' ++ found_types += 'FS_CONFIG_SET_BINARY (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_BINARY'.underscorify().to_upper(), false) +- missing_types += 'FS_CONFIG_SET_BINARY' ++ missing_types += 'FS_CONFIG_SET_BINARY (sys/mount.h)' + endif + + if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_PATH_EMPTY') + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_EMPTY'.underscorify().to_upper(), true) +- found_types += 'FS_CONFIG_SET_PATH_EMPTY' ++ found_types += 'FS_CONFIG_SET_PATH_EMPTY (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_EMPTY'.underscorify().to_upper(), false) +- missing_types += 'FS_CONFIG_SET_PATH_EMPTY' ++ missing_types += 'FS_CONFIG_SET_PATH_EMPTY (sys/mount.h)' + endif + + if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_PATH_FD') + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_FD'.underscorify().to_upper(), true) +- found_types += 'FS_CONFIG_SET_PATH_FD' ++ found_types += 'FS_CONFIG_SET_PATH_FD (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_PATH_FD'.underscorify().to_upper(), false) +- missing_types += 'FS_CONFIG_SET_PATH_FD' ++ missing_types += 'FS_CONFIG_SET_PATH_FD (sys/mount.h)' + endif + + if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_CMD_CREATE') + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_CREATE'.underscorify().to_upper(), true) +- found_types += 'FS_CONFIG_SET_CMD_CREATE' ++ found_types += 'FS_CONFIG_SET_CMD_CREAT (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_CREATE'.underscorify().to_upper(), false) +- missing_types += 'FS_CONFIG_SET_CMD_CREATE' ++ missing_types += 'FS_CONFIG_SET_CMD_CREATE (sys/mount.h)' + endif + + if cc.has_header_symbol('sys/mount.h', 'FS_CONFIG_SET_CMD_RECONFIGURE') + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_RECONFIGURE'.underscorify().to_upper(), true) +- found_types += 'FS_CONFIG_SET_CMD_RECONFIGURE' ++ found_types += 'FS_CONFIG_SET_CMD_RECONFIGURE (sys/mount.h)' + else + srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_RECONFIGURE'.underscorify().to_upper(), false) +- missing_types += 'FS_CONFIG_SET_CMD_RECONFIGURE' ++ missing_types += 'FS_CONFIG_SET_CMD_RECONFIGURE (sys/mount.h)' + endif + + ## Headers. +diff --git a/src/lxc/macro.h b/src/lxc/macro.h +index 464dd5013..f00230060 100644 +--- a/src/lxc/macro.h ++++ b/src/lxc/macro.h +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -812,4 +813,16 @@ static inline bool is_set(__u32 bit, __u32 *bitarr) + + #define BIT(nr) (1UL << (nr)) + ++#ifndef FS_IOC_GETFLAGS ++#define FS_IOC_GETFLAGS _IOR('f', 1, long) ++#endif ++ ++#ifndef FS_IOC_SETFLAGS ++#define FS_IOC_SETFLAGS _IOW('f', 2, long) ++#endif ++ ++#ifndef FS_IMMUTABLE_FL ++#define FS_IMMUTABLE_FL 0x00000010 /* Immutable file */ ++#endif ++ + #endif /* __LXC_MACRO_H */ +diff --git a/src/lxc/mount_utils.h b/src/lxc/mount_utils.h +index fd3473945..dc30d4ad3 100644 +--- a/src/lxc/mount_utils.h ++++ b/src/lxc/mount_utils.h +@@ -124,7 +124,7 @@ struct lxc_rootfs; + #endif + #endif + +-#if !FSCONFIG_CMD_RECONFIGURE ++#if !HAVE_FSCONFIG_CMD_RECONFIGURE + #ifndef FSCONFIG_CMD_RECONFIGURE + #define FSCONFIG_CMD_RECONFIGURE 7 /* Invoke superblock reconfiguration */ + #endif +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index c8a7d0c7b..22ce536b4 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -18,12 +19,6 @@ + #include "macro.h" + #include "syscall_numbers.h" + +-#if HAVE_STRUCT_MOUNT_ATTR +-#include +-#elif HAVE_UAPI_STRUCT_MOUNT_ATTR +-#include +-#endif +- + #ifdef HAVE_LINUX_MEMFD_H + #include + #endif +@@ -216,7 +211,7 @@ extern int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags); + /* + * mount_setattr() + */ +-#if !HAVE_STRUCT_MOUNT_ATTR && !HAVE_UAPI_STRUCT_MOUNT_ATTR ++#if !HAVE_STRUCT_MOUNT_ATTR + struct mount_attr { + __u64 attr_set; + __u64 attr_clr; +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index ca0c4ed29..390c56d54 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -19,8 +19,6 @@ + #include + #include + #include +-/* Needs to be after sys/mount.h header */ +-#include + #include + #include + #include +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0027-tree-wide-use-struct-clone_args-directly.patch 1:5.0.1-0ubuntu6/debian/patches/0027-tree-wide-use-struct-clone_args-directly.patch --- 1:5.0.1-1/debian/patches/0027-tree-wide-use-struct-clone_args-directly.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0027-tree-wide-use-struct-clone_args-directly.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,114 @@ +From 63468abd3287ebd5cc4ed9205334217031049fb4 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 10 Aug 2022 12:03:54 +0200 +Subject: [PATCH 27/45] tree-wide: use struct clone_args directly + +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 1 - + src/lxc/process_utils.c | 2 +- + src/lxc/process_utils.h | 7 ++++--- + src/lxc/start.c | 2 +- + src/lxc/start.h | 1 - + src/tests/reboot.c | 2 -- + 6 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/meson.build b/meson.build +index d55808fb0..d10e82ab8 100644 +--- a/meson.build ++++ b/meson.build +@@ -583,7 +583,6 @@ decl_headers = ''' + #include + #include + #include +-#include + #include + ''' + +diff --git a/src/lxc/process_utils.c b/src/lxc/process_utils.c +index 76e27da0f..eb52736b6 100644 +--- a/src/lxc/process_utils.c ++++ b/src/lxc/process_utils.c +@@ -90,7 +90,7 @@ __returns_twice pid_t lxc_raw_legacy_clone(unsigned long flags, int *pidfd) + __returns_twice pid_t lxc_raw_clone(unsigned long flags, int *pidfd) + { + pid_t pid; +- struct lxc_clone_args args = { ++ struct clone_args args = { + .flags = flags, + .pidfd = ptr_to_u64(pidfd), + }; +diff --git a/src/lxc/process_utils.h b/src/lxc/process_utils.h +index ed84741d0..d2bf97802 100644 +--- a/src/lxc/process_utils.h ++++ b/src/lxc/process_utils.h +@@ -5,7 +5,6 @@ + + #include "config.h" + +-#include + #include + #include + #include +@@ -165,7 +164,8 @@ + #define u64_to_ptr(x) ((void *)(uintptr_t)x) + #endif + +-struct lxc_clone_args { ++#if !HAVE_STRUCT_CLONE_ARGS ++struct clone_args { + __aligned_u64 flags; + __aligned_u64 pidfd; + __aligned_u64 child_tid; +@@ -178,8 +178,9 @@ struct lxc_clone_args { + __aligned_u64 set_tid_size; + __aligned_u64 cgroup; + }; ++#endif + +-__returns_twice static inline pid_t lxc_clone3(struct lxc_clone_args *args, size_t size) ++__returns_twice static inline pid_t lxc_clone3(struct clone_args *args, size_t size) + { + return syscall(__NR_clone3, args, size); + } +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 7751b7e90..9f68304bf 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1673,7 +1673,7 @@ static int lxc_spawn(struct lxc_handler *handler) + } else { + int cgroup_fd = -EBADF; + +- struct lxc_clone_args clone_args = { ++ struct clone_args clone_args = { + .flags = handler->clone_flags, + .pidfd = ptr_to_u64(&handler->pidfd), + .exit_signal = SIGCHLD, +diff --git a/src/lxc/start.h b/src/lxc/start.h +index 86b4c29a4..cd36bc55f 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -5,7 +5,6 @@ + + #include "config.h" + +-#include + #include + #include + #include +diff --git a/src/tests/reboot.c b/src/tests/reboot.c +index 0a07bf467..005e9863d 100644 +--- a/src/tests/reboot.c ++++ b/src/tests/reboot.c +@@ -32,8 +32,6 @@ + + #include "namespace.h" + +-#include +-#include + #include + + int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ...); +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0028-tree-wide-use-struct-open_how-directly.patch 1:5.0.1-0ubuntu6/debian/patches/0028-tree-wide-use-struct-open_how-directly.patch --- 1:5.0.1-1/debian/patches/0028-tree-wide-use-struct-open_how-directly.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0028-tree-wide-use-struct-open_how-directly.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,125 @@ +From 133aa416ca2a5996090ec0e697e253646364d274 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 10 Aug 2022 12:18:49 +0200 +Subject: [PATCH 28/45] tree-wide: use struct open_how directly + +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 2 -- + src/lxc/file_utils.c | 2 +- + src/lxc/mount_utils.c | 8 ++++---- + src/lxc/syscall_wrappers.h | 6 ++++-- + src/lxc/utils.c | 2 +- + 5 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/meson.build b/meson.build +index d10e82ab8..5881d1463 100644 +--- a/meson.build ++++ b/meson.build +@@ -580,9 +580,7 @@ decl_headers = ''' + #include + #include + #include +-#include + #include +-#include + #include + ''' + +diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c +index ca31690e4..38f056766 100644 +--- a/src/lxc/file_utils.c ++++ b/src/lxc/file_utils.c +@@ -652,7 +652,7 @@ int open_at(int dfd, const char *path, unsigned int o_flags, + unsigned int resolve_flags, mode_t mode) + { + __do_close int fd = -EBADF; +- struct lxc_open_how how = { ++ struct open_how how = { + .flags = o_flags, + .mode = mode, + .resolve = resolve_flags, +diff --git a/src/lxc/mount_utils.c b/src/lxc/mount_utils.c +index 88dd73ee3..5763afafc 100644 +--- a/src/lxc/mount_utils.c ++++ b/src/lxc/mount_utils.c +@@ -186,7 +186,7 @@ int fs_prepare(const char *fs_name, + int fd_from; + + if (!is_empty_string(path_from)) { +- struct lxc_open_how how = { ++ struct open_how how = { + .flags = o_flags_from, + .resolve = resolve_flags_from, + }; +@@ -237,7 +237,7 @@ int fs_attach(int fd_fs, + int fd_to, ret; + + if (!is_empty_string(path_to)) { +- struct lxc_open_how how = { ++ struct open_how how = { + .flags = o_flags_to, + .resolve = resolve_flags_to, + }; +@@ -308,7 +308,7 @@ int move_detached_mount(int dfd_from, int dfd_to, const char *path_to, + int fd_to, ret; + + if (!is_empty_string(path_to)) { +- struct lxc_open_how how = { ++ struct open_how how = { + .flags = o_flags_to, + .resolve = resolve_flags_to, + }; +@@ -348,7 +348,7 @@ int __fd_bind_mount(int dfd_from, const char *path_from, __u64 o_flags_from, + set_atime(&attr); + + if (!is_empty_string(path_from)) { +- struct lxc_open_how how = { ++ struct open_how how = { + .flags = o_flags_from, + .resolve = resolve_flags_from, + }; +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index 22ce536b4..0710e0803 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -240,11 +240,13 @@ static inline int mount_setattr(int dfd, const char *path, unsigned int flags, + * @mode: O_CREAT/O_TMPFILE file mode. + * @resolve: RESOLVE_* flags. + */ +-struct lxc_open_how { ++#if !HAVE_STRUCT_OPEN_HOW ++struct open_how { + __u64 flags; + __u64 mode; + __u64 resolve; + }; ++#endif + + /* how->resolve flags for openat2(2). */ + #ifndef RESOLVE_NO_XDEV +@@ -296,7 +298,7 @@ struct lxc_open_how { + #define PROTECT_OPEN_RW (O_CLOEXEC | O_NOCTTY | O_RDWR | O_NOFOLLOW) + + #if !HAVE_OPENAT2 +-static inline int openat2(int dfd, const char *filename, struct lxc_open_how *how, size_t size) ++static inline int openat2(int dfd, const char *filename, struct open_how *how, size_t size) + { + return syscall(__NR_openat2, dfd, filename, how, size); + } +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 390c56d54..0e2a7188b 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1095,7 +1095,7 @@ int __safe_mount_beneath_at(int beneath_fd, const char *src, const char *dst, co + unsigned int flags, const void *data) + { + __do_close int source_fd = -EBADF, target_fd = -EBADF; +- struct lxc_open_how how = { ++ struct open_how how = { + .flags = PROTECT_OPATH_DIRECTORY, + .resolve = PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS, + }; +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0029-meson-fix-docbook2x-detection.patch 1:5.0.1-0ubuntu6/debian/patches/0029-meson-fix-docbook2x-detection.patch --- 1:5.0.1-1/debian/patches/0029-meson-fix-docbook2x-detection.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0029-meson-fix-docbook2x-detection.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,50 @@ +From 06f99c2599db8140bd839532caa8f6ee0d1c3ff6 Mon Sep 17 00:00:00 2001 +From: Cameron Nemo +Date: Tue, 16 Aug 2022 20:30:39 -0700 +Subject: [PATCH 29/45] meson: fix docbook2x detection + +docbook2man can sometimes be docbook2x and other times be docbook-utils. +Rather than compare paths, use version constraints to detect version. + +Signed-off-by: Cameron Nemo +--- + meson.build | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/meson.build b/meson.build +index 666824c5a..2b160d4ac 100644 +--- a/meson.build ++++ b/meson.build +@@ -324,9 +324,6 @@ endif + generate_date = run_command(date, '--utc', '--date=@' + time_epoch, '+%Y-%m-%d', check: true).stdout().strip() + + ## Manpages. +-sgml2man = find_program('docbook2X2man', 'docbook2x-man', 'db2x_docbook2man', 'docbook2man', 'docbook-to-man', required: want_mans) +-docbook2man = find_program('docbook2man', required: false) +- + docconf = configuration_data() + docconf.set('builddir', '.') + docconf.set('BINDIR', bindir) +@@ -341,10 +338,15 @@ docconf.set('LXCTEMPLATEDIR', lxctemplatedir) + docconf.set('LXC_USERNIC_CONF', lxc_user_network_conf) + docconf.set('LXC_USERNIC_DB', lxc_user_network_db) + docconf.set('PACKAGE_VERSION', version_data.get('LXC_VERSION')) +-if sgml2man.found() and docbook2man.found() and sgml2man.full_path() == docbook2man.full_path() +- docconf.set('docdtd', '"-//Davenport//DTD DocBook V3.0//EN"') +-else +- docconf.set('docdtd', '"-//OASIS//DTD DocBook XML" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"') ++docconf.set('docdtd', '"-//OASIS//DTD DocBook XML" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"') ++sgml2man = find_program('docbook2X2man', 'docbook2x-man', 'db2x_docbook2man', 'docbook2man', 'docbook-to-man', required: false, version: '>=0.8') ++if not sgml2man.found() ++ sgml2man = find_program('docbook2man', required: false, version: '<0.8') ++ if sgml2man.found() ++ docconf.set('docdtd', '"-//Davenport//DTD DocBook V3.0//EN"') ++ elif want_mans ++ error('missing required docbook2x or docbook-utils dependency') ++ endif + endif + + ## Threads. +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0030-tree-wide-minimize-liburing.h-inclusion.patch 1:5.0.1-0ubuntu6/debian/patches/0030-tree-wide-minimize-liburing.h-inclusion.patch --- 1:5.0.1-1/debian/patches/0030-tree-wide-minimize-liburing.h-inclusion.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0030-tree-wide-minimize-liburing.h-inclusion.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,46 @@ +From 68cf564890a36a1a094aa08af5cd34fab24e59d3 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 17 Aug 2022 09:39:25 +0200 +Subject: [PATCH 30/45] tree-wide: minimize liburing.h inclusion + +because it brings in linux/fs.h and defines struct open_how. + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/macro.h | 4 ---- + src/lxc/mainloop.h | 4 ---- + 2 files changed, 8 deletions(-) + +diff --git a/src/lxc/macro.h b/src/lxc/macro.h +index f00230060..58e3a7f25 100644 +--- a/src/lxc/macro.h ++++ b/src/lxc/macro.h +@@ -22,10 +22,6 @@ + + #include "compiler.h" + +-#if HAVE_LIBURING +-#include +-#endif +- + #ifndef PATH_MAX + #define PATH_MAX 4096 + #endif +diff --git a/src/lxc/mainloop.h b/src/lxc/mainloop.h +index d6995910a..7d644b756 100644 +--- a/src/lxc/mainloop.h ++++ b/src/lxc/mainloop.h +@@ -11,10 +11,6 @@ + #include "hlist.h" + #include "memory_utils.h" + +-#if HAVE_LIBURING +-#include +-#endif +- + #define LXC_MAINLOOP_ERROR -1 + #define LXC_MAINLOOP_CONTINUE 0 + #define LXC_MAINLOOP_CLOSE 1 +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0031-mount-move-mount-utilities-from-syscall_wrappers.h-i.patch 1:5.0.1-0ubuntu6/debian/patches/0031-mount-move-mount-utilities-from-syscall_wrappers.h-i.patch --- 1:5.0.1-1/debian/patches/0031-mount-move-mount-utilities-from-syscall_wrappers.h-i.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0031-mount-move-mount-utilities-from-syscall_wrappers.h-i.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,226 @@ +From 74c2f58e1fe8be16b0cee0e15f3152bccf74ad81 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 17 Aug 2022 09:44:34 +0200 +Subject: [PATCH 31/45] mount: move mount utilities from syscall_wrappers.h + into mount_utils.h + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/conf.h | 1 + + src/lxc/mount_utils.h | 84 +++++++++++++++++++++++++++++++++++++ + src/lxc/syscall_wrappers.h | 85 -------------------------------------- + 3 files changed, 85 insertions(+), 85 deletions(-) + +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 772479f9e..82cb66a77 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -21,6 +21,7 @@ + #include "list.h" + #include "lxcseccomp.h" + #include "memory_utils.h" ++#include "mount_utils.h" + #include "namespace.h" + #include "ringbuf.h" + #include "start.h" +diff --git a/src/lxc/mount_utils.h b/src/lxc/mount_utils.h +index dc30d4ad3..a76f7bd1f 100644 +--- a/src/lxc/mount_utils.h ++++ b/src/lxc/mount_utils.h +@@ -176,6 +176,90 @@ struct lxc_rootfs; + #define MOUNT_ATTR_IDMAP 0x00100000 + #endif + ++#if !HAVE_MOVE_MOUNT ++static inline int move_mount_lxc(int from_dfd, const char *from_pathname, ++ int to_dfd, const char *to_pathname, ++ unsigned int flags) ++{ ++ return syscall(__NR_move_mount, from_dfd, from_pathname, to_dfd, ++ to_pathname, flags); ++} ++#define move_mount move_mount_lxc ++#else ++extern int move_mount(int from_dfd, const char *from_pathname, int to_dfd, ++ const char *to_pathname, unsigned int flags); ++#endif ++ ++#if !HAVE_OPEN_TREE ++static inline int open_tree_lxc(int dfd, const char *filename, unsigned int flags) ++{ ++ return syscall(__NR_open_tree, dfd, filename, flags); ++} ++#define open_tree open_tree_lxc ++#else ++extern int open_tree(int dfd, const char *filename, unsigned int flags); ++#endif ++ ++#if !HAVE_FSOPEN ++static inline int fsopen_lxc(const char *fs_name, unsigned int flags) ++{ ++ return syscall(__NR_fsopen, fs_name, flags); ++} ++#define fsopen fsopen_lxc ++#else ++extern int fsopen(const char *fs_name, unsigned int flags); ++#endif ++ ++#if !HAVE_FSPICK ++static inline int fspick_lxc(int dfd, const char *path, unsigned int flags) ++{ ++ return syscall(__NR_fspick, dfd, path, flags); ++} ++#define fspick fspick_lxc ++#else ++extern int fspick(int dfd, const char *path, unsigned int flags); ++#endif ++ ++#if !HAVE_FSCONFIG ++static inline int fsconfig_lxc(int fd, unsigned int cmd, const char *key, const void *value, int aux) ++{ ++ return syscall(__NR_fsconfig, fd, cmd, key, value, aux); ++} ++#define fsconfig fsconfig_lxc ++#else ++extern int fsconfig(int fd, unsigned int cmd, const char *key, const void *value, int aux); ++#endif ++ ++#if !HAVE_FSMOUNT ++static inline int fsmount_lxc(int fs_fd, unsigned int flags, unsigned int attr_flags) ++{ ++ return syscall(__NR_fsmount, fs_fd, flags, attr_flags); ++} ++#define fsmount fsmount_lxc ++#else ++extern int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags); ++#endif ++ ++/* ++ * mount_setattr() ++ */ ++#if !HAVE_STRUCT_MOUNT_ATTR ++struct mount_attr { ++ __u64 attr_set; ++ __u64 attr_clr; ++ __u64 propagation; ++ __u64 userns_fd; ++}; ++#endif ++ ++#if !HAVE_MOUNT_SETATTR ++static inline int mount_setattr(int dfd, const char *path, unsigned int flags, ++ struct mount_attr *attr, size_t size) ++{ ++ return syscall(__NR_mount_setattr, dfd, path, flags, attr, size); ++} ++#endif ++ + __hidden extern int mnt_attributes_new(unsigned int old_flags, unsigned int *new_flags); + + __hidden extern int mnt_attributes_old(unsigned int new_flags, unsigned int *old_flags); +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index 0710e0803..d5b7c3bf0 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -10,7 +10,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -144,90 +143,6 @@ static int faccessat(int __fd, const char *__file, int __type, int __flag) + } + #endif + +-#if !HAVE_MOVE_MOUNT +-static inline int move_mount_lxc(int from_dfd, const char *from_pathname, +- int to_dfd, const char *to_pathname, +- unsigned int flags) +-{ +- return syscall(__NR_move_mount, from_dfd, from_pathname, to_dfd, +- to_pathname, flags); +-} +-#define move_mount move_mount_lxc +-#else +-extern int move_mount(int from_dfd, const char *from_pathname, int to_dfd, +- const char *to_pathname, unsigned int flags); +-#endif +- +-#if !HAVE_OPEN_TREE +-static inline int open_tree_lxc(int dfd, const char *filename, unsigned int flags) +-{ +- return syscall(__NR_open_tree, dfd, filename, flags); +-} +-#define open_tree open_tree_lxc +-#else +-extern int open_tree(int dfd, const char *filename, unsigned int flags); +-#endif +- +-#if !HAVE_FSOPEN +-static inline int fsopen_lxc(const char *fs_name, unsigned int flags) +-{ +- return syscall(__NR_fsopen, fs_name, flags); +-} +-#define fsopen fsopen_lxc +-#else +-extern int fsopen(const char *fs_name, unsigned int flags); +-#endif +- +-#if !HAVE_FSPICK +-static inline int fspick_lxc(int dfd, const char *path, unsigned int flags) +-{ +- return syscall(__NR_fspick, dfd, path, flags); +-} +-#define fspick fspick_lxc +-#else +-extern int fspick(int dfd, const char *path, unsigned int flags); +-#endif +- +-#if !HAVE_FSCONFIG +-static inline int fsconfig_lxc(int fd, unsigned int cmd, const char *key, const void *value, int aux) +-{ +- return syscall(__NR_fsconfig, fd, cmd, key, value, aux); +-} +-#define fsconfig fsconfig_lxc +-#else +-extern int fsconfig(int fd, unsigned int cmd, const char *key, const void *value, int aux); +-#endif +- +-#if !HAVE_FSMOUNT +-static inline int fsmount_lxc(int fs_fd, unsigned int flags, unsigned int attr_flags) +-{ +- return syscall(__NR_fsmount, fs_fd, flags, attr_flags); +-} +-#define fsmount fsmount_lxc +-#else +-extern int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags); +-#endif +- +-/* +- * mount_setattr() +- */ +-#if !HAVE_STRUCT_MOUNT_ATTR +-struct mount_attr { +- __u64 attr_set; +- __u64 attr_clr; +- __u64 propagation; +- __u64 userns_fd; +-}; +-#endif +- +-#if !HAVE_MOUNT_SETATTR +-static inline int mount_setattr(int dfd, const char *path, unsigned int flags, +- struct mount_attr *attr, size_t size) +-{ +- return syscall(__NR_mount_setattr, dfd, path, flags, attr, size); +-} +-#endif +- + /* + * Arguments for how openat2(2) should open the target path. If only @flags and + * @mode are non-zero, then openat2(2) operates very similarly to openat(2). +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0032-mount_utils-remove-conf.h-include.patch 1:5.0.1-0ubuntu6/debian/patches/0032-mount_utils-remove-conf.h-include.patch --- 1:5.0.1-1/debian/patches/0032-mount_utils-remove-conf.h-include.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0032-mount_utils-remove-conf.h-include.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,25 @@ +From da8c298534b0854aab9be51b5deba72649dc34e2 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 17 Aug 2022 09:46:14 +0200 +Subject: [PATCH 32/45] mount_utils: remove conf.h include + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/mount_utils.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/lxc/mount_utils.c b/src/lxc/mount_utils.c +index 5763afafc..123bbda77 100644 +--- a/src/lxc/mount_utils.c ++++ b/src/lxc/mount_utils.c +@@ -10,7 +10,6 @@ + #include + #include + +-#include "conf.h" + #include "file_utils.h" + #include "log.h" + #include "macro.h" +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0033-build-prevent-the-inclusion-of-linux-mount.h-with-a-.patch 1:5.0.1-0ubuntu6/debian/patches/0033-build-prevent-the-inclusion-of-linux-mount.h-with-a-.patch --- 1:5.0.1-1/debian/patches/0033-build-prevent-the-inclusion-of-linux-mount.h-with-a-.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0033-build-prevent-the-inclusion-of-linux-mount.h-with-a-.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,30 @@ +From 7b1836bce13d32343df9cc1bdb6e0205ef6f195d Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 17 Aug 2022 09:48:32 +0200 +Subject: [PATCH 33/45] build: prevent the inclusion of linux/mount.h with a + hack + +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/meson.build b/meson.build +index 666824c5a..3f1840417 100644 +--- a/meson.build ++++ b/meson.build +@@ -85,6 +85,11 @@ srcconf = configuration_data() + srcconf.set('_GNU_SOURCE', true) + srcconf.set('_FILE_OFFSET_BITS', 64) + srcconf.set('__STDC_FORMAT_MACROS', true) ++ ++## This is a hack to prevent any inclusion ofr linux/mount.h which causes ++## conflicts with sys/mount.h all over the place ++srcconf.set('_LINUX_MOUNT_H', true) ++ + srcconf.set_quoted('APPARMOR_CACHE_DIR', lxcapparmorcachedir) + srcconf.set_quoted('LIBEXECDIR', libexecdir) + srcconf.set_quoted('LOGPATH', lxclogpath) +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0034-tree-wide-split-open-helpers-into-open_utils.h.patch 1:5.0.1-0ubuntu6/debian/patches/0034-tree-wide-split-open-helpers-into-open_utils.h.patch --- 1:5.0.1-1/debian/patches/0034-tree-wide-split-open-helpers-into-open_utils.h.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0034-tree-wide-split-open-helpers-into-open_utils.h.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,453 @@ +From 589a930f15ec7b43ddf20b30cf615701c0a6d9b9 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 17 Aug 2022 09:58:34 +0200 +Subject: [PATCH 34/45] tree-wide: split open helpers into open_utils.h + +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/attach.c | 1 + + src/lxc/caps.c | 1 + + src/lxc/cgroups/cgfsng.c | 1 + + src/lxc/cgroups/cgroup.c | 3 +- + src/lxc/cgroups/cgroup_utils.c | 1 + + src/lxc/cmd/meson.build | 2 + + src/lxc/conf.c | 1 + + src/lxc/file_utils.c | 6 +++ + src/lxc/file_utils.h | 5 +- + src/lxc/lsm/apparmor.c | 1 + + src/lxc/lsm/selinux.c | 1 + + src/lxc/lxccontainer.c | 1 + + src/lxc/meson.build | 1 + + src/lxc/mount_utils.c | 1 + + src/lxc/open_utils.h | 87 ++++++++++++++++++++++++++++++++++ + src/lxc/pam/meson.build | 1 + + src/lxc/storage/dir.c | 1 + + src/lxc/syscall_wrappers.h | 76 ----------------------------- + src/lxc/terminal.c | 1 + + src/lxc/utils.c | 1 + + 20 files changed, 112 insertions(+), 81 deletions(-) + create mode 100644 src/lxc/open_utils.h + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 77da7bb45..769613d6d 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -40,6 +40,7 @@ + #include "memory_utils.h" + #include "mount_utils.h" + #include "namespace.h" ++#include "open_utils.h" + #include "process_utils.h" + #include "sync.h" + #include "syscall_wrappers.h" +diff --git a/src/lxc/caps.c b/src/lxc/caps.c +index a99048864..273cf08f5 100644 +--- a/src/lxc/caps.c ++++ b/src/lxc/caps.c +@@ -14,6 +14,7 @@ + #include "log.h" + #include "macro.h" + #include "memory_utils.h" ++#include "open_utils.h" + + lxc_log_define(caps, lxc); + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index ee4fc052f..8a3615893 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -45,6 +45,7 @@ + #include "mainloop.h" + #include "memory_utils.h" + #include "mount_utils.h" ++#include "open_utils.h" + #include "storage/storage.h" + #include "string_utils.h" + #include "syscall_wrappers.h" +diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c +index 8f6e49e04..5e2a7d099 100644 +--- a/src/lxc/cgroups/cgroup.c ++++ b/src/lxc/cgroups/cgroup.c +@@ -12,8 +12,9 @@ + #include "compiler.h" + #include "conf.h" + #include "initutils.h" +-#include "memory_utils.h" + #include "log.h" ++#include "memory_utils.h" ++#include "open_utils.h" + #include "start.h" + #include "string_utils.h" + +diff --git a/src/lxc/cgroups/cgroup_utils.c b/src/lxc/cgroups/cgroup_utils.c +index c5fb91c2f..dc2fbec4b 100644 +--- a/src/lxc/cgroups/cgroup_utils.c ++++ b/src/lxc/cgroups/cgroup_utils.c +@@ -14,6 +14,7 @@ + #include "log.h" + #include "macro.h" + #include "memory_utils.h" ++#include "open_utils.h" + #include "utils.h" + + lxc_log_define(cgroup_utils, lxc); +diff --git a/src/lxc/cmd/meson.build b/src/lxc/cmd/meson.build +index f84269ecb..c7df528d3 100644 +--- a/src/lxc/cmd/meson.build ++++ b/src/lxc/cmd/meson.build +@@ -20,6 +20,7 @@ cmd_lxc_init_sources = files( + '../memory_utils.h', + '../namespace.c', + '../namespace.h', ++ '../open_utils.h', + '../string_utils.c', + '../string_utils.h') + include_sources + +@@ -41,6 +42,7 @@ cmd_lxc_init_static_sources = files( + '../memory_utils.h', + '../namespace.c', + '../namespace.h', ++ '../open_utils.h', + '../string_utils.c', + '../string_utils.h') + include_sources + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 4193cd07f..a04bb0de8 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -50,6 +50,7 @@ + #include "mount_utils.h" + #include "namespace.h" + #include "network.h" ++#include "open_utils.h" + #include "parse.h" + #include "process_utils.h" + #include "ringbuf.h" +diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c +index 38f056766..5ee2bea9e 100644 +--- a/src/lxc/file_utils.c ++++ b/src/lxc/file_utils.c +@@ -15,6 +15,7 @@ + #include "file_utils.h" + #include "macro.h" + #include "memory_utils.h" ++#include "open_utils.h" + #include "string_utils.h" + #include "syscall_wrappers.h" + #include "utils.h" +@@ -800,3 +801,8 @@ bool same_device(int fda, const char *patha, int fdb, const char *pathb) + + return (st_fda.st_rdev == st_fdb.st_rdev); + } ++ ++int open_beneath(int dfd, const char *path, unsigned int flags) ++{ ++ return open_at(dfd, path, flags, PROTECT_LOOKUP_BENEATH, 0); ++} +diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h +index e169ab8b0..fc20da5a2 100644 +--- a/src/lxc/file_utils.h ++++ b/src/lxc/file_utils.h +@@ -108,10 +108,7 @@ __hidden extern int open_at(int dfd, const char *path, unsigned int o_flags, + __hidden extern int open_at_same(int fd_same, int dfd, const char *path, + unsigned int o_flags, + unsigned int resolve_flags, mode_t mode); +-static inline int open_beneath(int dfd, const char *path, unsigned int flags) +-{ +- return open_at(dfd, path, flags, PROTECT_LOOKUP_BENEATH, 0); +-} ++__hidden extern int open_beneath(int dfd, const char *path, unsigned int flags); + __hidden int fd_make_nonblocking(int fd); + __hidden extern char *read_file_at(int dfd, const char *fnam, + unsigned int o_flags, +diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c +index fa4e4d6e0..bf0f771e2 100644 +--- a/src/lxc/lsm/apparmor.c ++++ b/src/lxc/lsm/apparmor.c +@@ -18,6 +18,7 @@ + #include "file_utils.h" + #include "log.h" + #include "lsm.h" ++#include "open_utils.h" + #include "parse.h" + #include "process_utils.h" + #include "utils.h" +diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c +index 7a34b9cc4..9c131ee29 100644 +--- a/src/lxc/lsm/selinux.c ++++ b/src/lxc/lsm/selinux.c +@@ -15,6 +15,7 @@ + #include "log.h" + #include "lsm.h" + #include "memory_utils.h" ++#include "open_utils.h" + + #define DEFAULT_LABEL "unconfined_t" + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 4363340b3..8df60595a 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -47,6 +47,7 @@ + #include "monitor.h" + #include "namespace.h" + #include "network.h" ++#include "open_utils.h" + #include "parse.h" + #include "process_utils.h" + #include "start.h" +diff --git a/src/lxc/meson.build b/src/lxc/meson.build +index 38faf7f5e..b4609e203 100644 +--- a/src/lxc/meson.build ++++ b/src/lxc/meson.build +@@ -114,6 +114,7 @@ liblxc_sources = files( + 'nl.h', + 'parse.c', + 'parse.h', ++ 'open_utils.h', + 'process_utils.c', + 'process_utils.h', + 'rexec.c', +diff --git a/src/lxc/mount_utils.c b/src/lxc/mount_utils.c +index 123bbda77..fe8da8200 100644 +--- a/src/lxc/mount_utils.c ++++ b/src/lxc/mount_utils.c +@@ -15,6 +15,7 @@ + #include "macro.h" + #include "memory_utils.h" + #include "mount_utils.h" ++#include "open_utils.h" + #include "syscall_numbers.h" + #include "syscall_wrappers.h" + +diff --git a/src/lxc/open_utils.h b/src/lxc/open_utils.h +new file mode 100644 +index 000000000..7ff5945c7 +--- /dev/null ++++ b/src/lxc/open_utils.h +@@ -0,0 +1,87 @@ ++/* SPDX-License-Identifier: LGPL-2.1+ */ ++ ++#ifndef __LXC_OPEN_UTILS_H ++#define __LXC_OPEN_UTILS_H ++ ++#include "config.h" ++ ++#include "syscall_numbers.h" ++ ++/* ++ * Arguments for how openat2(2) should open the target path. If only @flags and ++ * @mode are non-zero, then openat2(2) operates very similarly to openat(2). ++ * ++ * However, unlike openat(2), unknown or invalid bits in @flags result in ++ * -EINVAL rather than being silently ignored. @mode must be zero unless one of ++ * {O_CREAT, O_TMPFILE} are set. ++ * ++ * @flags: O_* flags. ++ * @mode: O_CREAT/O_TMPFILE file mode. ++ * @resolve: RESOLVE_* flags. ++ */ ++#if !HAVE_STRUCT_OPEN_HOW ++struct open_how { ++ __u64 flags; ++ __u64 mode; ++ __u64 resolve; ++}; ++#endif ++ ++/* how->resolve flags for openat2(2). */ ++#ifndef RESOLVE_NO_XDEV ++#define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings ++ (includes bind-mounts). */ ++#endif ++ ++#ifndef RESOLVE_NO_MAGICLINKS ++#define RESOLVE_NO_MAGICLINKS 0x02 /* Block traversal through procfs-style ++ "magic-links". */ ++#endif ++ ++#ifndef RESOLVE_NO_SYMLINKS ++#define RESOLVE_NO_SYMLINKS 0x04 /* Block traversal through all symlinks ++ (implies OEXT_NO_MAGICLINKS) */ ++#endif ++ ++#ifndef RESOLVE_BENEATH ++#define RESOLVE_BENEATH 0x08 /* Block "lexical" trickery like ++ "..", symlinks, and absolute ++ paths which escape the dirfd. */ ++#endif ++ ++#ifndef RESOLVE_IN_ROOT ++#define RESOLVE_IN_ROOT 0x10 /* Make all jumps to "/" and ".." ++ be scoped inside the dirfd ++ (similar to chroot(2)). */ ++#endif ++ ++#define PROTECT_LOOKUP_BENEATH (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS) ++#define PROTECT_LOOKUP_BENEATH_WITH_SYMLINKS (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_SYMLINKS) ++#define PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS (PROTECT_LOOKUP_BENEATH & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS)) ++#define PROTECT_LOOKUP_BENEATH_XDEV (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_XDEV) ++ ++#define PROTECT_LOOKUP_ABSOLUTE (PROTECT_LOOKUP_BENEATH & ~RESOLVE_BENEATH) ++#define PROTECT_LOOKUP_ABSOLUTE_WITH_SYMLINKS (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_SYMLINKS) ++#define PROTECT_LOOKUP_ABSOLUTE_WITH_MAGICLINKS (PROTECT_LOOKUP_ABSOLUTE & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS)) ++#define PROTECT_LOOKUP_ABSOLUTE_XDEV (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_XDEV) ++#define PROTECT_LOOKUP_ABSOLUTE_XDEV_SYMLINKS (PROTECT_LOOKUP_ABSOLUTE_WITH_SYMLINKS & ~RESOLVE_NO_XDEV) ++ ++#define PROTECT_OPATH_FILE (O_NOFOLLOW | O_PATH | O_CLOEXEC) ++#define PROTECT_OPATH_DIRECTORY (PROTECT_OPATH_FILE | O_DIRECTORY) ++ ++#define PROTECT_OPEN_WITH_TRAILING_SYMLINKS (O_CLOEXEC | O_NOCTTY | O_RDONLY) ++#define PROTECT_OPEN (PROTECT_OPEN_WITH_TRAILING_SYMLINKS | O_NOFOLLOW) ++ ++#define PROTECT_OPEN_W_WITH_TRAILING_SYMLINKS (O_CLOEXEC | O_NOCTTY | O_WRONLY) ++#define PROTECT_OPEN_W (PROTECT_OPEN_W_WITH_TRAILING_SYMLINKS | O_NOFOLLOW) ++#define PROTECT_OPEN_RW (O_CLOEXEC | O_NOCTTY | O_RDWR | O_NOFOLLOW) ++ ++#if !HAVE_OPENAT2 ++static inline int openat2(int dfd, const char *filename, struct open_how *how, size_t size) ++{ ++ return syscall(__NR_openat2, dfd, filename, how, size); ++} ++#endif /* HAVE_OPENAT2 */ ++ ++#endif /* __LXC_OPEN_UTILS_H */ ++ +diff --git a/src/lxc/pam/meson.build b/src/lxc/pam/meson.build +index 3078fb1c4..3151c43fc 100644 +--- a/src/lxc/pam/meson.build ++++ b/src/lxc/pam/meson.build +@@ -6,6 +6,7 @@ pam_cgfs_sources = files( + '../file_utils.h', + '../macro.h', + '../memory_utils.h', ++ '../open_utils.h', + '../string_utils.c', + '../string_utils.h') + include_sources + +diff --git a/src/lxc/storage/dir.c b/src/lxc/storage/dir.c +index dca510140..bdf4e3f3a 100644 +--- a/src/lxc/storage/dir.c ++++ b/src/lxc/storage/dir.c +@@ -10,6 +10,7 @@ + #include "macro.h" + #include "memory_utils.h" + #include "mount_utils.h" ++#include "open_utils.h" + #include "storage.h" + #include "utils.h" + +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index d5b7c3bf0..87e0294fd 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -143,82 +143,6 @@ static int faccessat(int __fd, const char *__file, int __type, int __flag) + } + #endif + +-/* +- * Arguments for how openat2(2) should open the target path. If only @flags and +- * @mode are non-zero, then openat2(2) operates very similarly to openat(2). +- * +- * However, unlike openat(2), unknown or invalid bits in @flags result in +- * -EINVAL rather than being silently ignored. @mode must be zero unless one of +- * {O_CREAT, O_TMPFILE} are set. +- * +- * @flags: O_* flags. +- * @mode: O_CREAT/O_TMPFILE file mode. +- * @resolve: RESOLVE_* flags. +- */ +-#if !HAVE_STRUCT_OPEN_HOW +-struct open_how { +- __u64 flags; +- __u64 mode; +- __u64 resolve; +-}; +-#endif +- +-/* how->resolve flags for openat2(2). */ +-#ifndef RESOLVE_NO_XDEV +-#define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings +- (includes bind-mounts). */ +-#endif +- +-#ifndef RESOLVE_NO_MAGICLINKS +-#define RESOLVE_NO_MAGICLINKS 0x02 /* Block traversal through procfs-style +- "magic-links". */ +-#endif +- +-#ifndef RESOLVE_NO_SYMLINKS +-#define RESOLVE_NO_SYMLINKS 0x04 /* Block traversal through all symlinks +- (implies OEXT_NO_MAGICLINKS) */ +-#endif +- +-#ifndef RESOLVE_BENEATH +-#define RESOLVE_BENEATH 0x08 /* Block "lexical" trickery like +- "..", symlinks, and absolute +- paths which escape the dirfd. */ +-#endif +- +-#ifndef RESOLVE_IN_ROOT +-#define RESOLVE_IN_ROOT 0x10 /* Make all jumps to "/" and ".." +- be scoped inside the dirfd +- (similar to chroot(2)). */ +-#endif +- +-#define PROTECT_LOOKUP_BENEATH (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS) +-#define PROTECT_LOOKUP_BENEATH_WITH_SYMLINKS (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_SYMLINKS) +-#define PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS (PROTECT_LOOKUP_BENEATH & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS)) +-#define PROTECT_LOOKUP_BENEATH_XDEV (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_XDEV) +- +-#define PROTECT_LOOKUP_ABSOLUTE (PROTECT_LOOKUP_BENEATH & ~RESOLVE_BENEATH) +-#define PROTECT_LOOKUP_ABSOLUTE_WITH_SYMLINKS (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_SYMLINKS) +-#define PROTECT_LOOKUP_ABSOLUTE_WITH_MAGICLINKS (PROTECT_LOOKUP_ABSOLUTE & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS)) +-#define PROTECT_LOOKUP_ABSOLUTE_XDEV (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_XDEV) +-#define PROTECT_LOOKUP_ABSOLUTE_XDEV_SYMLINKS (PROTECT_LOOKUP_ABSOLUTE_WITH_SYMLINKS & ~RESOLVE_NO_XDEV) +- +-#define PROTECT_OPATH_FILE (O_NOFOLLOW | O_PATH | O_CLOEXEC) +-#define PROTECT_OPATH_DIRECTORY (PROTECT_OPATH_FILE | O_DIRECTORY) +- +-#define PROTECT_OPEN_WITH_TRAILING_SYMLINKS (O_CLOEXEC | O_NOCTTY | O_RDONLY) +-#define PROTECT_OPEN (PROTECT_OPEN_WITH_TRAILING_SYMLINKS | O_NOFOLLOW) +- +-#define PROTECT_OPEN_W_WITH_TRAILING_SYMLINKS (O_CLOEXEC | O_NOCTTY | O_WRONLY) +-#define PROTECT_OPEN_W (PROTECT_OPEN_W_WITH_TRAILING_SYMLINKS | O_NOFOLLOW) +-#define PROTECT_OPEN_RW (O_CLOEXEC | O_NOCTTY | O_RDWR | O_NOFOLLOW) +- +-#if !HAVE_OPENAT2 +-static inline int openat2(int dfd, const char *filename, struct open_how *how, size_t size) +-{ +- return syscall(__NR_openat2, dfd, filename, how, size); +-} +-#endif /* HAVE_OPENAT2 */ +- + #ifndef CLOSE_RANGE_UNSHARE + #define CLOSE_RANGE_UNSHARE (1U << 1) + #endif +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 38ba5c14d..a1dcc2dc7 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -23,6 +23,7 @@ + #include "lxclock.h" + #include "mainloop.h" + #include "memory_utils.h" ++#include "open_utils.h" + #include "start.h" + #include "syscall_wrappers.h" + #include "terminal.h" +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 0e2a7188b..d3d82e23e 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -32,6 +32,7 @@ + #include "lxclock.h" + #include "memory_utils.h" + #include "namespace.h" ++#include "open_utils.h" + #include "parse.h" + #include "process_utils.h" + #include "syscall_wrappers.h" +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0035-use-sd_bus_call_method_async-to-replace-the-asyncv-o.patch 1:5.0.1-0ubuntu6/debian/patches/0035-use-sd_bus_call_method_async-to-replace-the-asyncv-o.patch --- 1:5.0.1-1/debian/patches/0035-use-sd_bus_call_method_async-to-replace-the-asyncv-o.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0035-use-sd_bus_call_method_async-to-replace-the-asyncv-o.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,47 @@ +From b0abedf60b40adf0f2fb3cf9dfee4bc601f7b39f Mon Sep 17 00:00:00 2001 +From: Chen Qi +Date: Thu, 25 Aug 2022 05:45:53 -0700 +Subject: [PATCH 35/45] use sd_bus_call_method_async to replace the asyncv one + +The sd_bus_call_method_asyncv's 10th parameter is of type +va_list and supplying NULL when invoking it causes compilation +error. Just replace it with the async one. + +Signed-off-by: Chen Qi +--- + meson.build | 4 ++-- + src/lxc/cgroups/cgfsng.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/meson.build b/meson.build +index 21955a050..f8bdcf4e8 100644 +--- a/meson.build ++++ b/meson.build +@@ -295,9 +295,9 @@ if not want_sd_bus.disabled() + has_sd_bus = false + endif + +- if not cc.has_function('sd_bus_call_method_asyncv', prefix: '#include ', dependencies: libsystemd) ++ if not cc.has_function('sd_bus_call_method_async', prefix: '#include ', dependencies: libsystemd) + if not sd_bus_optional +- error('libsystemd misses required sd_bus_call_method_asyncv function') ++ error('libsystemd misses required sd_bus_call_method_async function') + endif + + has_sd_bus = false +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 8a3615893..d90e5385e 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1232,7 +1232,7 @@ static int unpriv_systemd_create_scope(struct cgroup_ops *ops, struct lxc_conf * + if (r < 0) + return log_error(SYSTEMD_SCOPE_FAILED, "Failed to connect to user bus: %s", strerror(-r)); + +- r = sd_bus_call_method_asyncv(bus, NULL, DESTINATION, PATH, INTERFACE, "Subscribe", NULL, NULL, NULL, NULL); ++ r = sd_bus_call_method_async(bus, NULL, DESTINATION, PATH, INTERFACE, "Subscribe", NULL, NULL, NULL); + if (r < 0) + return log_error(SYSTEMD_SCOPE_FAILED, "Failed to subscribe to signals: %s", strerror(-r)); + +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0036-fix-error-message-when-use-tools-with-option.patch 1:5.0.1-0ubuntu6/debian/patches/0036-fix-error-message-when-use-tools-with-option.patch --- 1:5.0.1-1/debian/patches/0036-fix-error-message-when-use-tools-with-option.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0036-fix-error-message-when-use-tools-with-option.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,25 @@ +From 20cc784560124961e7dd173a690d70b6b6f0735e Mon Sep 17 00:00:00 2001 +From: "Neil.wrz" +Date: Thu, 1 Sep 2022 02:13:03 -0700 +Subject: [PATCH 36/45] fix error message when use tools with -? option + +Signed-off-by: Neil.wrz +--- + src/lxc/tools/arguments.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index 0f0875079..92510ecbc 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -137,6 +137,7 @@ struct lxc_arguments { + #define LXC_COMMON_OPTIONS \ + { "name", required_argument, 0, 'n' }, \ + { "help", no_argument, 0, 'h' }, \ ++ { "help", no_argument, 0, '?' }, \ + { "usage", no_argument, 0, OPT_USAGE }, \ + { "version", no_argument, 0, OPT_VERSION }, \ + { "quiet", no_argument, 0, 'q' }, \ +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0037-Update-cifuzz.yml.patch 1:5.0.1-0ubuntu6/debian/patches/0037-Update-cifuzz.yml.patch --- 1:5.0.1-1/debian/patches/0037-Update-cifuzz.yml.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0037-Update-cifuzz.yml.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,28 @@ +From 2b802090f5c20139d6170530df9838bdf0c40c41 Mon Sep 17 00:00:00 2001 +From: Alex <93376818+sashashura@users.noreply.github.com> +Date: Thu, 1 Sep 2022 15:52:05 +0100 +Subject: [PATCH 37/45] Update cifuzz.yml + +Signed-off-by: sashashura <93376818+sashashura@users.noreply.github.com> + +Signed-off-by: Alex <93376818+sashashura@users.noreply.github.com> +--- + .github/workflows/cifuzz.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml +index e7a78c68c..7347f2882 100644 +--- a/.github/workflows/cifuzz.yml ++++ b/.github/workflows/cifuzz.yml +@@ -9,6 +9,8 @@ on: + - 'src/**' + branches: + - master ++permissions: ++ contents: read + jobs: + Fuzzing: + runs-on: ubuntu-22.04 +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0038-build-deps-bump-actions-checkout-from-2-to-3.patch 1:5.0.1-0ubuntu6/debian/patches/0038-build-deps-bump-actions-checkout-from-2-to-3.patch --- 1:5.0.1-1/debian/patches/0038-build-deps-bump-actions-checkout-from-2-to-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0038-build-deps-bump-actions-checkout-from-2-to-3.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,66 @@ +From dc4f1220fe37cc04a080de97bcab505a839a7a43 Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon, 12 Sep 2022 13:31:52 +0000 +Subject: [PATCH 38/45] build(deps): bump actions/checkout from 2 to 3 + +Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. +- [Release notes](https://github.com/actions/checkout/releases) +- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) +- [Commits](https://github.com/actions/checkout/compare/v2...v3) + +--- +updated-dependencies: +- dependency-name: actions/checkout + dependency-type: direct:production + update-type: version-update:semver-major +... + +Signed-off-by: dependabot[bot] +--- + .github/workflows/coverity.yml | 2 +- + .github/workflows/sanitizers.yml | 2 +- + .github/workflows/static-analysis.yml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml +index 52d7cac72..ae002c140 100644 +--- a/.github/workflows/coverity.yml ++++ b/.github/workflows/coverity.yml +@@ -11,7 +11,7 @@ jobs: + runs-on: ubuntu-22.04 + steps: + - name: Checkout code +- uses: actions/checkout@v2 ++ uses: actions/checkout@v3 + + - name: Download Coverity Build Tool + run: | +diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml +index ce50dfaec..748db8b48 100644 +--- a/.github/workflows/sanitizers.yml ++++ b/.github/workflows/sanitizers.yml +@@ -16,7 +16,7 @@ jobs: + runs-on: ubuntu-22.04 + steps: + - name: Checkout code +- uses: actions/checkout@v2 ++ uses: actions/checkout@v3 + + - name: Install dependencies + run: | +diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml +index 4c107c00b..72434235f 100644 +--- a/.github/workflows/static-analysis.yml ++++ b/.github/workflows/static-analysis.yml +@@ -10,7 +10,7 @@ jobs: + runs-on: ubuntu-22.04 + steps: + - name: Checkout code +- uses: actions/checkout@v2 ++ uses: actions/checkout@v3 + + - name: Install dependencies + run: | +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0039-conf-allow-cross-device-links.patch 1:5.0.1-0ubuntu6/debian/patches/0039-conf-allow-cross-device-links.patch --- 1:5.0.1-1/debian/patches/0039-conf-allow-cross-device-links.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0039-conf-allow-cross-device-links.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,27 @@ +From 4a66dabf86ed1a0f210a23371126f27df6929eb7 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 14 Sep 2022 16:21:20 +0200 +Subject: [PATCH 39/45] conf: allow cross-device links + +Fixes: https://github.com/lxc/lxd/issues/10914 +Signed-off-by: Christian Brauner (Microsoft) +--- + src/lxc/conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a04bb0de8..bc1b25464 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -3041,7 +3041,7 @@ static int __lxc_idmapped_mounts_child(struct lxc_handler *handler, FILE *f) + dfd_from = rootfs->dfd_mnt; + else + dfd_from = rootfs->dfd_host; +- fd_to = open_at(dfd_from, target_relative, PROTECT_OPATH_FILE, PROTECT_LOOKUP_BENEATH_WITH_SYMLINKS, 0); ++ fd_to = open_at(dfd_from, target_relative, PROTECT_OPATH_FILE, PROTECT_LOOKUP_BENEATH_XDEV, 0); + if (fd_to < 0) { + if (opts.optional) { + TRACE("Skipping optional idmapped mount"); +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0040-Update-README.md.patch 1:5.0.1-0ubuntu6/debian/patches/0040-Update-README.md.patch --- 1:5.0.1-1/debian/patches/0040-Update-README.md.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0040-Update-README.md.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,28 @@ +From 09233897b54d86e5c397b921edf32a90c8c7a237 Mon Sep 17 00:00:00 2001 +From: DarkGuySM <78262720+DarkGuySM@users.noreply.github.com> +Date: Sun, 2 Oct 2022 15:36:50 +0530 +Subject: [PATCH 40/45] Update README.md + +Corrected grammar in readme. + +Signed-off-by: DarkGuySM <78262720+DarkGuySM@users.noreply.github.com> +--- + README.md | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/README.md b/README.md +index 186137107..c476e46eb 100644 +--- a/README.md ++++ b/README.md +@@ -190,7 +190,7 @@ When you find you need help, the LXC projects provides you with several options. + + ### Discuss Forum + +-We maintain an discuss forum at ++We maintain a discuss forum at + + - https://discuss.linuxcontainers.org/ + +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0041-lxc-attach-Fix-lost-return-codes-of-spawned-processe.patch 1:5.0.1-0ubuntu6/debian/patches/0041-lxc-attach-Fix-lost-return-codes-of-spawned-processe.patch --- 1:5.0.1-1/debian/patches/0041-lxc-attach-Fix-lost-return-codes-of-spawned-processe.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0041-lxc-attach-Fix-lost-return-codes-of-spawned-processe.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,39 @@ +From 4ebca5a005afbc19c08f663e24d3e76518d12fa8 Mon Sep 17 00:00:00 2001 +From: Mohammed Ajmal Siddiqui +Date: Wed, 5 Oct 2022 12:20:58 +0530 +Subject: [PATCH 41/45] lxc-attach: Fix lost return codes of spawned processes + that are killed + +lxc-attach swallows the return codes of processes that are terminated +via a signal, and by default exits with a return code of 0 (i.e. +indicating success) even if the command it tried to execute was +terminated. + +This patch fixes it by explicitly checking if the process was terminated +via a signal, and returning an appropriate exit code. + +Note that we add 128 to the signal value to generate the exit code +because by convention the exit code is 128 + signal number. e.g. if a +process is killed via signal 9, then the error code is 9 + 128 = 137. + +Signed-off-by: Mohammed Ajmal Siddiqui +--- + src/lxc/tools/lxc_attach.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index fa303c7b4..6482b0aee 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -399,6 +399,8 @@ int lxc_attach_main(int argc, char *argv[]) + } + if (WIFEXITED(ret)) + wexit = WEXITSTATUS(ret); ++ else if (WIFSIGNALED(ret)) ++ wexit = WTERMSIG(ret) + 128; + + out: + lxc_container_put(c); +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0042-lxc-attach-Detect-EACCES-from-execvp-and-convert-to-.patch 1:5.0.1-0ubuntu6/debian/patches/0042-lxc-attach-Detect-EACCES-from-execvp-and-convert-to-.patch --- 1:5.0.1-1/debian/patches/0042-lxc-attach-Detect-EACCES-from-execvp-and-convert-to-.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0042-lxc-attach-Detect-EACCES-from-execvp-and-convert-to-.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,44 @@ +From f7cadaa346a0233c00bbd60412c5f6148288d217 Mon Sep 17 00:00:00 2001 +From: Thomas Parrott +Date: Thu, 13 Oct 2022 15:33:30 +0100 +Subject: [PATCH 42/45] lxc/attach: Detect EACCES from execvp and convert to + 126 exit status + +Before: + + sudo lxc-attach -n test /etc/passwd ; echo $? + lxc-attach: test: ../src/lxc/attach.c: lxc_attach_run_command: 1841 Permission denied - Failed to exec "/etc/passwd" + 255 + +After: + + sudo lxc-attach -n test /etc/passwd ; echo $? + lxc-attach: test: ../src/lxc/attach.c: lxc_attach_run_command: 1841 Permission denied - Failed to exec "/etc/passwd" + 126 + +Which better aligns with bash: + + /etc/passwd; echo $? + bash: /etc/passwd: Permission denied + 126 + +Signed-off-by: Thomas Parrott +--- + src/lxc/attach.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 769613d6d..f086e96c4 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -1828,6 +1828,7 @@ int lxc_attach_run_command(void *payload) + ret = execvp(cmd->program, cmd->argv); + if (ret < 0) { + switch (errno) { ++ case EACCES: + case ENOEXEC: + ret = 126; + break; +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0043-build-add-libsystemd-to-oss-fuzz-dependencies.patch 1:5.0.1-0ubuntu6/debian/patches/0043-build-add-libsystemd-to-oss-fuzz-dependencies.patch --- 1:5.0.1-1/debian/patches/0043-build-add-libsystemd-to-oss-fuzz-dependencies.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0043-build-add-libsystemd-to-oss-fuzz-dependencies.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,28 @@ +From 3cac3fce4b3a7259b5726a0d4ecdfa936cbf15eb Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 13 Oct 2022 17:48:10 +0200 +Subject: [PATCH 43/45] build: add libsystemd to oss fuzz dependencies + +Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52169 +Signed-off-by: Christian Brauner (Microsoft) +--- + meson.build | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/meson.build b/meson.build +index f8bdcf4e8..9e0b1b67f 100644 +--- a/meson.build ++++ b/meson.build +@@ -896,6 +896,9 @@ endif + + if has_sd_bus + liblxc_dependencies += [libsystemd] ++ if want_oss_fuzz ++ oss_fuzz_dependencies += [libsystemd] ++ endif + endif + + if have_openpty +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0044-tools-lxc-destroy-update-help-message-for-force.patch 1:5.0.1-0ubuntu6/debian/patches/0044-tools-lxc-destroy-update-help-message-for-force.patch --- 1:5.0.1-1/debian/patches/0044-tools-lxc-destroy-update-help-message-for-force.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0044-tools-lxc-destroy-update-help-message-for-force.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,31 @@ +From 8480c56a4502df3cb13c5a66fb50adfca88ebd21 Mon Sep 17 00:00:00 2001 +From: Po-Hsu Lin +Date: Wed, 19 Oct 2022 11:59:34 +0800 +Subject: [PATCH 44/45] tools: lxc-destroy: update help message for --force + +Looks like the --force is a flag to stop a running container before +destroying it. + +Update the help message accordingly. + +Signed-off-by: Po-Hsu Lin +--- + src/lxc/tools/lxc_destroy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/tools/lxc_destroy.c b/src/lxc/tools/lxc_destroy.c +index e0fb09c57..fd5cab801 100644 +--- a/src/lxc/tools/lxc_destroy.c ++++ b/src/lxc/tools/lxc_destroy.c +@@ -38,7 +38,7 @@ lxc-destroy destroys a container with the identifier NAME\n\ + Options :\n\ + -n, --name=NAME NAME of the container\n\ + -s, --snapshots destroy including all snapshots\n\ +- -f, --force wait for the container to shut down\n\ ++ -f, --force stop and destroy the container if it's still running\n\ + --rcfile=FILE Load configuration file FILE\n", + .options = my_longopts, + .parser = my_parser, +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/0045-tests-lxc-test-checkpoint-restore-use-trap-to-do-cle.patch 1:5.0.1-0ubuntu6/debian/patches/0045-tests-lxc-test-checkpoint-restore-use-trap-to-do-cle.patch --- 1:5.0.1-1/debian/patches/0045-tests-lxc-test-checkpoint-restore-use-trap-to-do-cle.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/0045-tests-lxc-test-checkpoint-restore-use-trap-to-do-cle.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,52 @@ +From 73fd9bf5580d8b7d1f61b2e90dfd352355028f4a Mon Sep 17 00:00:00 2001 +From: Po-Hsu Lin +Date: Wed, 19 Oct 2022 14:17:29 +0800 +Subject: [PATCH 45/45] tests: lxc-test-checkpoint-restore: use trap to do + cleanup + +This test will fail on Jammy 5.15, and because of the "set -e" it +will never go through the lxc-stop and lxc-destroy code in the end +of this script. Thus the lxc-test-criu container will not be removed. + +Compose a cleanup() and use TRAP to solve this problem. + +Signed-off-by: Po-Hsu Lin +--- + src/tests/lxc-test-checkpoint-restore | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/tests/lxc-test-checkpoint-restore b/src/tests/lxc-test-checkpoint-restore +index 5aee0a427..9498c126e 100755 +--- a/src/tests/lxc-test-checkpoint-restore ++++ b/src/tests/lxc-test-checkpoint-restore +@@ -10,6 +10,12 @@ FAIL() { + exit 1 + } + ++cleanup() { ++ set +e ++ lxc-stop -n $name -k ++ lxc-destroy -f -n $name ++} ++ + if [ "$(id -u)" != "0" ]; then + echo "ERROR: Must run as root." + exit 1 +@@ -27,6 +33,7 @@ if verlte "$criu_version" "1.3.1"; then + fi + + name=lxc-test-criu ++trap cleanup EXIT HUP INT TERM + lxc-create -t busybox -n $name || FAIL "creating container" + + cat >> "$(lxc-config lxc.lxcpath)/$name/config" < +Date: Fri, 11 Nov 2022 18:20:37 -0600 +Subject: [PATCH 1/1] src/lxc/meson.build: fix the static library path + +Since switching to meson, liblxc.a is being shipped as liblxc_static.a. +Change it back to liblxc.a. + +Signed-off-by: Serge Hallyn +--- + src/lxc/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/meson.build b/src/lxc/meson.build +index b4609e203..6d4c70097 100644 +--- a/src/lxc/meson.build ++++ b/src/lxc/meson.build +@@ -149,7 +149,7 @@ if want_selinux and libselinux.found() + endif + + liblxc_static = static_library( +- 'lxc_static', ++ 'lxc', + liblxc_sources + include_sources + netns_ifaddrs_sources, + install: true, + include_directories: liblxc_includes, +-- +2.37.2 + diff -pruN 1:5.0.1-1/debian/patches/ppc64el-gcc12-warning.patch 1:5.0.1-0ubuntu6/debian/patches/ppc64el-gcc12-warning.patch --- 1:5.0.1-1/debian/patches/ppc64el-gcc12-warning.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/ppc64el-gcc12-warning.patch 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,23 @@ +Description: Fix a spurious warning on PPC64EL with GCC 12 + The optimizations on that architecture would lead to some loop unrolling + beyond the fixed buffer size. The generated code is correct, and the code + sections that would overflow the buffer are actually unreachable, but for + some reason GCC isn't able to deduce this by itself, so we put a hard limit + on the loop itself. +Author: Simon Chopin +Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106757 +Last-Update: 2022-09-06 + +Index: lxc-5.0.0~git2209-g5a7b9ce67/src/lxc/seccomp.c +=================================================================== +--- lxc-5.0.0~git2209-g5a7b9ce67.orig/src/lxc/seccomp.c ++++ lxc-5.0.0~git2209-g5a7b9ce67/src/lxc/seccomp.c +@@ -543,7 +543,7 @@ static enum lxc_seccomp_rule_status_t do + } + + memset(&arg_cmp, 0, sizeof(arg_cmp)); +- for (size_t i = 0; i < rule->args_num; i++) { ++ for (size_t i = 0; i < rule->args_num && i < sizeof(arg_cmp)/sizeof(arg_cmp[0]); i++) { + INFO("arg_cmp[%zu]: SCMP_CMP(%u, %llu, %llu, %llu)", i, + rule->args_value[i].index, + (long long unsigned int)rule->args_value[i].op, diff -pruN 1:5.0.1-1/debian/patches/series 1:5.0.1-0ubuntu6/debian/patches/series --- 1:5.0.1-1/debian/patches/series 2022-08-01 20:38:46.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/series 2023-01-17 05:17:59.000000000 +0000 @@ -1,4 +1,33 @@ -0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch -0005-lxc.service-Starts-after-remote-fs.target.patch -0006-adjust-pam-dir.patch -0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch +0000-Ubuntu-default-lxcbr0-configuration.patch +0002-tools-Provide-multicall-lxc-binary.patch +0003-meson-Set-DEVEL-flag-post-release.patch +0004-Fix-uninitialized-read-in-parse_cap-when-libcap-is-n.patch +0020-lxc-usernsexec-allow-to-select-which-g-u-id-to-switc.patch +0021-gitignore-Simplify.patch +0022-build-detect-where-struct-mount_attr-is-declared.patch +0023-build-detect-sys-pidfd.h-availability.patch +0024-build-check-for-FS_CONFIG_-header-symbol-in-sys-moun.patch +0025-meson.build-allow-explicit-distrosysconfdir.patch +0026-tree-wide-wipe-direct-or-indirect-linux-mount.h-incl.patch +0027-tree-wide-use-struct-clone_args-directly.patch +0028-tree-wide-use-struct-open_how-directly.patch +0029-meson-fix-docbook2x-detection.patch +0030-tree-wide-minimize-liburing.h-inclusion.patch +0031-mount-move-mount-utilities-from-syscall_wrappers.h-i.patch +0032-mount_utils-remove-conf.h-include.patch +0033-build-prevent-the-inclusion-of-linux-mount.h-with-a-.patch +0034-tree-wide-split-open-helpers-into-open_utils.h.patch +0035-use-sd_bus_call_method_async-to-replace-the-asyncv-o.patch +0036-fix-error-message-when-use-tools-with-option.patch +0037-Update-cifuzz.yml.patch +0038-build-deps-bump-actions-checkout-from-2-to-3.patch +0039-conf-allow-cross-device-links.patch +0040-Update-README.md.patch +0041-lxc-attach-Fix-lost-return-codes-of-spawned-processe.patch +0042-lxc-attach-Detect-EACCES-from-execvp-and-convert-to-.patch +0043-build-add-libsystemd-to-oss-fuzz-dependencies.patch +0044-tools-lxc-destroy-update-help-message-for-force.patch +0045-tests-lxc-test-checkpoint-restore-use-trap-to-do-cle.patch +0046-src-lxc-meson.build-fix-the-static-library-path.patch +ppc64el-gcc12-warning.patch +test-usernic-fixes diff -pruN 1:5.0.1-1/debian/patches/test-usernic-fixes 1:5.0.1-0ubuntu6/debian/patches/test-usernic-fixes --- 1:5.0.1-1/debian/patches/test-usernic-fixes 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/patches/test-usernic-fixes 2023-01-17 06:48:27.000000000 +0000 @@ -0,0 +1,49 @@ +Index: lxc-5.0.1/src/tests/lxc-test-usernic.in +=================================================================== +--- lxc-5.0.1.orig/src/tests/lxc-test-usernic.in ++++ lxc-5.0.1/src/tests/lxc-test-usernic.in +@@ -80,42 +80,14 @@ lxc.idmap = u 0 910000 10000 + lxc.idmap = g 0 910000 10000 + EOF + +-if command -v cgm >/dev/null 2>&1; then +- cgm create all usernic-user +- cgm chown all usernic-user $(id -u usernic-user) $(id -g usernic-user) +- cgm movepid all usernic-user $$ +-elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then +- for d in $(cut -d : -f 2 /proc/self/cgroup); do +- dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \ +- --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \ +- string:$d string:usernic-user >/dev/null +- +- dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \ +- --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \ +- string:$d string:usernic-user int32:$(id -u usernic-user) int32:$(id -g usernic-user) >/dev/null +- +- dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \ +- --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \ +- string:$d string:usernic-user int32:$$ >/dev/null +- done +-else +- for d in /sys/fs/cgroup/*; do +- [ "$d" = "/sys/fs/cgroup/unified" ] && continue +- [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children +- [ ! -d $d/lxctest ] && mkdir $d/lxctest +- chown -R usernic-user: $d/lxctest +- echo $$ > $d/lxctest/tasks +- done +-fi +- + mkdir -p /run/user/$(id -u usernic-user) + chown -R usernic-user: /run/user/$(id -u usernic-user) /home/usernic-user + + # Create two test bridges + brctl addbr usernic-br0 + brctl addbr usernic-br1 +-ifconfig usernic-br0 0.0.0.0 up +-ifconfig usernic-br1 0.0.0.0 up ++ip link set usernic-br0 up ++ip link set usernic-br1 up + + # Create three containers + run_cmd "lxc-create -t busybox -n b1" diff -pruN 1:5.0.1-1/debian/po/de.po 1:5.0.1-0ubuntu6/debian/po/de.po --- 1:5.0.1-1/debian/po/de.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/de.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -# German debconf translation of lxc. -# This file is distributed under the same license as the lxc package. -# Copyright (C) 2007-2012 IBM Corporation. -# Copyright (C) of this file 2018 Chris Leick . -# -msgid "" -msgstr "" -"Project-Id-Version: lxc 3.0.0-1\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2018-12-11 18:05+0100\n" -"Last-Translator: Chris Leick \n" -"Language-Team: German \n" -"Language: de\n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -# https://de.wikipedia.org/wiki/LXC -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "Format der LXC2-Konfiguration automatisch auf LXC3 aktualisieren?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"LXC 3 bringt viele Änderungen für Container-Konfigurationsdateien mit sich. " -"Es bringt außerdem ein Programm namens »/usr/bin/lxc-update-config« mit, das " -"eine Aktualisierung seiner Konfiguration ermöglicht." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Diese Aufgabe kann entweder nun automatisch oder später manuell erledigt " -"werden." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"Nicht privilegierte Container-Konfigurationen müssen so oder so manuell über " -"den Befehl »/usr/bin/lxc-update-config« aktualisiert werden." diff -pruN 1:5.0.1-1/debian/po/es.po 1:5.0.1-0ubuntu6/debian/po/es.po --- 1:5.0.1-1/debian/po/es.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/es.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,79 +0,0 @@ -# lxc po-debconf translation to Spanish -# Copyright (C) 2014 Software in the Public Interest -# This file is distributed under the same license as the lxc package. -# -# Changes: -# - Initial translation -# Camaleón , 2011, 2014. -# -# - Updates -# -# -# Traductores, si no conocen el formato PO, merece la pena leer la -# documentación de gettext, especialmente las secciones dedicadas a este -# formato, por ejemplo ejecutando: -# info -n '(gettext)PO Files' -# info -n '(gettext)Header Entry' -# -# Equipo de traducción al español, por favor lean antes de traducir -# los siguientes documentos: -# -# - El proyecto de traducción de Debian al español -# http://www.debian.org/intl/spanish/ -# especialmente las notas y normas de traducción en -# http://www.debian.org/intl/spanish/notas -# -# - La guía de traducción de po's de debconf: -# /usr/share/doc/po-debconf/README-trans -# o http://www.debian.org/intl/l10n/po-debconf/README-trans -# -msgid "" -msgstr "" -"Project-Id-Version: lxc 3.1.0+really3.0.4-3\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2020-04-19 12:12+0200\n" -"Last-Translator: Camaleón \n" -"Language-Team: Debian Spanish \n" -"Language: es\n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "" -"¿Desea actualizar automáticamente el formato de configuración lxc2 a lxc3?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"LXC 3 incorpora muchos cambios en los archivos de configuración de los " -"contenedores. También incluye un binario «/usr/bin/lxc-update-config» que " -"permite actualizar esta configuración." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Puede actualizar ahora el formato automáticamente, o hacerlo después de " -"manera manual." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"En cualquier caso, las configuraciones de los contenedores sin privilegios " -"tienen que actualizarse manualmente a través de la orden «/usr/bin/lxc-" -"update-config»." diff -pruN 1:5.0.1-1/debian/po/fr.po 1:5.0.1-0ubuntu6/debian/po/fr.po --- 1:5.0.1-1/debian/po/fr.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/fr.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,56 +0,0 @@ -# French translation for lxc debconf templates. -# Copyright (C) 2018 Pierre-Elliott Bécue -# This file is distributed under the same license as the mailman3 package. -# Pierre-Elliott Bécue , 2018. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: lxc\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2018-11-29 22:21+0100\n" -"Last-Translator: Pierre-Elliott Bécue \n" -"Language-Team: French \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "" -"Mettre à jour automatiquement les fichiers configurations de lxc 2 vers 3 ?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"LXC 3 impose des changements profonds dans les fichiers de configuration des " -"conteneurs. Il vient également avec un binaire `/usr/bin/lxc-update-config` " -"qui permet de mettre à jour ces configurations automatiquement." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Cette mise à jour peut soit être faite automatiquement dès maintenant ou " -"bien manuellement plus tard." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"Les configurations des conteneurs non-privilégiés devront être mises à" -"jour manuellement via la commande `/usr/bin/lxc-update-config` dans les " -"deux cas." diff -pruN 1:5.0.1-1/debian/po/nl.po 1:5.0.1-0ubuntu6/debian/po/nl.po --- 1:5.0.1-1/debian/po/nl.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/nl.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,58 +0,0 @@ -# Dutch translation of lxc debconf templates. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the lxc package. -# FIRST AUTHOR , YEAR. -# Frans Spiesschaert , 2019. -# -msgid "" -msgstr "" -"Project-Id-Version: lxc_1_3.1.0+really3.0.3-2\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2019-02-12 16:38+0100\n" -"Last-Translator: Frans Spiesschaert \n" -"Language-Team: Debian Dutch l10n Team \n" -"Language: nl\n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Gtranslator 2.91.7\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "De lxc2-configuratie-indeling automatisch updaten naar lxc3?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"Met ingang van LXC 3 werden verschillende wijzigingen aangebracht aan de " -"configuratiebestanden van containers. LXC 3 bevat ook een uitvoerbaar " -"bestand `/usr/bin/lxc-update-config` waarmee men zijn configuratie kan " -"updaten." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Deze taak kan ofwel nu automatisch uitgevoerd worden of later handmatig " -"gebeuren." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"De configuraties van niet-geprivilegieerde containers zullen hoe dan ook " -"manueel bijgewerkt moeten worden via het commando `/usr/bin/lxc-update-" -"config`." diff -pruN 1:5.0.1-1/debian/po/POTFILES.in 1:5.0.1-0ubuntu6/debian/po/POTFILES.in --- 1:5.0.1-1/debian/po/POTFILES.in 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/POTFILES.in 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -[type: gettext/rfc822deb] templates diff -pruN 1:5.0.1-1/debian/po/pt_BR.po 1:5.0.1-0ubuntu6/debian/po/pt_BR.po --- 1:5.0.1-1/debian/po/pt_BR.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/pt_BR.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -# Debconf translations for lxc. -# Copyright (C) 2019 THE lxc'S COPYRIGHT HOLDER -# This file is distributed under the same license as the lxc package. -# Adriano Rafael Gomes , 2019. -# -msgid "" -msgstr "" -"Project-Id-Version: lxc\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2019-01-19 18:23-0200\n" -"Last-Translator: Adriano Rafael Gomes \n" -"Language-Team: Brazilian Portuguese \n" -"Language: pt_BR\n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "Atualizar automaticamente o formato de configuração de lxc2 para lxc3?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"O LXC 3 vem com várias mudanças para os arquivos de configuração dos " -"contêineres. Ele também vem com um binário \"/usr/bin/lxc-update-config\" " -"que permite que sua configuração seja atualizada." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Esse procedimento pode ser feito automaticamente agora ou manualmente mais " -"tarde." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"As configurações de contêineres sem privilégios deverão ser atualizadas " -"manualmente de qualquer modo via o comando \"/usr/bin/lxc-update-config\"." diff -pruN 1:5.0.1-1/debian/po/pt.po 1:5.0.1-0ubuntu6/debian/po/pt.po --- 1:5.0.1-1/debian/po/pt.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/pt.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ -# Translation of lxc debconf messages to European Portuguese -# Copyright (C) 2019 THE lxc'S COPYRIGHT HOLDER -# This file is distributed under the same license as the lxc package. -# -# Américo Monteiro , 2019. -msgid "" -msgstr "" -"Project-Id-Version: lxc 3.1.0+really3.0.3-2\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2019-01-13 20:08+0000\n" -"Last-Translator: Américo Monteiro \n" -"Language-Team: Portuguese <>\n" -"Language: pt\n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Lokalize 2.0\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "Actualizar automaticamente o formato de configuração lxc2 para lxc3?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"O LXC 3 vem com muitas alterações para ficheiros de configuração dos " -"contentores. Vem também com um binário `/usr/bin/lxc-update-config` " -"que permite actualizar esta configuração." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Este trabalho pode ser automaticamente agora ou manualmente mais tarde." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"Configurações de contentores sem privilégios terão de ser actualizadas " -"manualmente do outro modo via comando `/usr/bin/lxc-update-config`. " diff -pruN 1:5.0.1-1/debian/po/ru.po 1:5.0.1-0ubuntu6/debian/po/ru.po --- 1:5.0.1-1/debian/po/ru.po 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/ru.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,55 +0,0 @@ -# Russian translation of debconf template for lxc -# Copyright (C) 2019 -# This file is distributed under the same license as the lxc package. -# Lev Lamberov , 2019 -# -msgid "" -msgstr "" -"Project-Id-Version: lxc\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: 2019-01-27 20:36+0500\n" -"Last-Translator: Lev Lamberov \n" -"Language-Team: Debian L10N Russian \n" -"Language: ru\n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" -"X-Generator: Poedit 2.2.1\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" -"%10<=4 && (n%100<12 || n%100>14) ? 1 : 2);\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "Обновить формат настроек lxc2 до lxc3 автоматически?" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" -"LXC 3 привносит множество изменений в файлы настройки контейнеров. Также в " -"пакете имеется двоичный файл `/usr/bin/lxc-update-config`, позволяющий " -"обновлять настройки." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" -"Эта задача может быть выполнена сейчас автоматически либо позже вручную." - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" -"Так или иначе, настройки непривилегированных контейнеров следует обновить " -"вручную с помощью команды `/usr/bin/lxc-update-config`." diff -pruN 1:5.0.1-1/debian/po/templates.pot 1:5.0.1-0ubuntu6/debian/po/templates.pot --- 1:5.0.1-1/debian/po/templates.pot 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/po/templates.pot 1970-01-01 00:00:00.000000000 +0000 @@ -1,47 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the lxc package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: lxc\n" -"Report-Msgid-Bugs-To: lxc@packages.debian.org\n" -"POT-Creation-Date: 2018-11-29 22:19+0100\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=CHARSET\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "Auto update lxc2 configuration format to lxc3?" -msgstr "" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"LXC 3 comes with many changes for containers' configuration files. It also " -"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " -"his configuration." -msgstr "" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "This job can be done either automatically now or manually later." -msgstr "" - -#. Type: boolean -#. Description -#: ../templates:1001 -msgid "" -"Unpriviledged containers configurations will have to be updated manually " -"either way via the `/usr/bin/lxc-update-config` command." -msgstr "" diff -pruN 1:5.0.1-1/debian/README.Debian 1:5.0.1-0ubuntu6/debian/README.Debian --- 1:5.0.1-1/debian/README.Debian 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/README.Debian 2023-01-10 21:29:10.000000000 +0000 @@ -1,148 +1,25 @@ -LXC for Debian --------------- +Domain Names for Containers -Most templates ship without a root password, so you cannot login with - lxc-console -n -You can, however, get a shell (without a tty) by running - lxc-attach -n +For convenience, it is possible to automatically map domain names to your +containers' IP addresses. This allows connecting to them from the host machine +using names like mycontainer.lxc, rather than having to keep track of their +numeric addresses. -If you really need a root password set, you can do so by calling - lxc-attach -n passwd -or you could allow a password-less login by calling - lxc-attach -n sed -i '/root/ s/:\*:/::/' /etc/shadow -After either of these you will be again able to login via lxc-console. +First, uncomment the following line in the host's /etc/default/lxc-net file: -Starting LXC containers ------------------------ +LXC_DOMAIN="lxc" -Should you meet troubles to start a container, a first thing to do is to check -whether apparmor is installed (it is a Recommend of the package, hence it can -be absent if you disabled the installation of recommends). If not, you have -two options: +Next, add the following line to the system dnsmasq configuration file: - 1. Install it - 2. Alter the lxc.apparmor.profile entry in `/etc/lxc/default.conf`, and in - your containers configurations. `lxc.apparmor.profile = unconfined` is the - appropriate option. Mind also to remove the `lxc.apparmor.allow_nesting` - entry. +server=/lxc/10.0.3.1 -If AppArmor is present and you still have issues, follow the advice by setting ---logfile and --logpriority options and you'll get more intel on why your -containers won't start. +On Debian-based systems running NetworkManager, such as Ubuntu desktops, add +that line to /etc/NetworkManager/dnsmasq.d/lxc.conf (or a similarly-named file +in the same directory). On systems without NetworkManager, add it to +/etc/dnsmasq.conf instead. You may have to create the file yourself. -Unprivileged containers ------------------------ +Finally, restart the lxc-net service, and the network-manager service if it is +running on your system: (These commands must be run as root.) -Using unprivileged containers, i.e. containers started by non-root users, -requires a few configuration steps. Steps 1 to 4 need to be done as root, and -the others as your non-root user. - -1) User namespaces - -The Linux kernel must have unprivileged user namespaces enabled. This is -default in the default Debian kernel since 5.10+. To check run this command: - - # sysctl kernel.unprivileged_userns_clone - kernel.unprivileged_userns_clone = 1 - -If it reports 0 instead 1, it's disabled. To enable it: - - # echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/unpriv-usernd.conf - # sysctl -p - -2) subuid and subgid - -Your user account needs to have entries in /etc/subuid and /etc/subgid: - - # grep myusername /etc/subuid /etc/subgid - /etc/subuid:myusername:100000:65536 - /etc/subgid:myusername:100000:65536 - -In recent systems, that should already be the case. Otherwise, you can add -those entries with `usermod` options --add-subuids and --add-subgids. - -3) Permissions checking - -Make sure that for your user, .local/share/lxc will be accessible (eXecutable -bit on the directories) by the root subuid associated with your user (in the -example above, it'd be uid 100000. - -There are at least two solutions if it's not. The firstone is a chmod a+x on -the directories. If you chose this one do mind the security implications. In -particular, it is recommended in that case to set your container's rootfs with -mode 770 or 750 so that any external user can't see its content. - -An alternative is to use setfacl to just give the access to that uid. As the -user who will run the unprivileged container, from your home, run - -$ setfacl --modify user:100000:x . .local .local/share - -4) Networking configuration - -The easiest way to setup networking is to use lxc-net, which is enabled by -default for containers started by root. For non-root unprivileged containers, -you need to allow your non-root user to create virtual network interfaces with: - - # echo myusername veth lxcbr0 10 >> /etc/lxc/lxc-usernet - -5) Default container configuration - -Add the following to ~/.config/lxc/default.conf: - - lxc.include = /etc/lxc/default.conf - lxc.idmap = u 0 100000 65536 - lxc.idmap = g 0 100000 65536 - lxc.mount.auto = proc:mixed sys:ro cgroup:mixed - lxc.apparmor.profile = unconfined - -The lxc.idmap entries must match the id ranges in /etc/subuid and /etc/subgid, -as explained in step 2 above. - -6) Creating containers - -non-root users can only use the `download` template. Example: - - $ lxc-create -t download -n mycontainer -- -d debian -r bullseye -a amd64 - -7) Starting containers - -Under the unified groups hierarchy (default in systemd starting with Debian -11/bullseye), a non-root user needs lxc-start to have some additional -privileges to start container as a non-root user. The easiest way to do that -is via systemd. You can either start the container via a user defined service -that sets Delegate=true property, or do it explicitly with system-run: - - $ systemd-run --scope --quiet --user --property=Delegate=yes \ - lxc-start -n mycontainer - -or, lastly, you can use the helper script Debian made available: -lxc-unpriv-start. It'll care about using the systemd-run command properly and -also to make sure the required environment variables are set properly. - -8) Managing containers - -When not logged in on a graphical session, lxc-attach also requires being run -via systemd-run as lxc-start above. Other common actions, such as lxc-console, -lxc-stop and lxc-destroy, can be run directly. - -Debian also made available a lxc-unpriv-attach command to ease the use of -lxc-attach. - -9) Avoiding containers destruction by systemd - -When exiting a user session (closing ssh or a tty), the remaining processes -running in background die, including the containers. The solution to avoid such -an issue is to either have the unprivileged containers running as a user -service, or to enable session lingering via loginctl. - -As a user, if policykit-1 is installed, it's just a call to `loginctl -enable-linger` - -If policykit-1 can't be installed, then one must be root and do a `sudo -loginctl enable-linger {username}`. - -Containers started via systemd-run won't get killed. - - -- Evgeni Golov Sat, 16 Jul 2016 11:49:16 +0200 - -- Antonio Terceiro Sat, 30 Jan 2021 10:02:37 -0300 - -- Pierre-Elliott Bécue Fri, 11 Jun 2021 15:08:30 +0200 +invoke-rc.d lxc-net restart +invoke-rc.d network-manager restart diff -pruN 1:5.0.1-1/debian/rules 1:5.0.1-0ubuntu6/debian/rules --- 1:5.0.1-1/debian/rules 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/rules 2023-01-10 21:29:10.000000000 +0000 @@ -1,63 +1,88 @@ #!/usr/bin/make -f - +export DEB_BUILD_HARDENING = 1 export DEB_BUILD_MAINT_OPTIONS = hardening=+all +include /usr/share/dpkg/default.mk + +DEB_DH_INSTALLINIT_ARGS = --upstart-only + +SHELL := sh -e + +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) %: dh ${@} --buildsystem=meson override_dh_auto_configure: - dh_auto_configure -- \ - -Dman=true \ - -Dapparmor=true \ - -Dselinux=true \ - -Dcapabilities=true \ - -Dexamples=true \ - -Dpam-cgroup=true \ - -Dtests=true \ - -Dinit-script=sysvinit,systemd - -override_dh_auto_build: - dh_auto_build - # See https://github.com/lxc/lxc/issues/4156 - cd doc/api/ && doxygen - -override_dh_auto_install: - dh_auto_install - - # install pam config - cp $(CURDIR)/debian/pam-cgfs.config \ - $(CURDIR)/debian/libpam-cgfs/usr/share/pam-configs/cgfs + dh_auto_configure -- -Dman=true -Dpam-cgroup=true \ + -Dlibexecdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ + -Dinit-script=systemd,sysvinit,upstart + +override_dh_install: + if [ -x /usr/bin/dh_apparmor ]; then \ + dh_apparmor -p liblxc-common --profile-name=usr.bin.lxc-start; \ + fi + + # libpam-cgfs + mkdir -p debian/tmp/usr/share/pam-configs/ + cp debian/libpam-cgfs.pam debian/tmp/usr/share/pam-configs/cgfs # cleanup .la files find debian/tmp/ -type f -name \*.la -delete - find debian/tmp/ -type f -name \*.a -delete - # move the tests - mkdir -p debian/lxc-tests/usr/bin - mv debian/tmp/usr/bin/lxc-test-* debian/lxc-tests/usr/bin/ + # copy apport hook + mkdir -p debian/tmp/usr/share/apport/package-hooks + cp debian/lxc-utils.apport debian/tmp/usr/share/apport/package-hooks/source_lxc.py + + # copy dnsmasq configuration + mkdir -p debian/tmp/etc/dnsmasq.d-available + cp debian/lxc-utils.dnsmasq debian/tmp/etc/dnsmasq.d-available/lxc + + # move the examples + mv debian/tmp/usr/share/doc/lxc debian/tmp/usr/share/doc/liblxc-common + + # move the PAM module + mkdir -p debian/tmp/lib/$(DEB_HOST_MULTIARCH)/ + mv debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/security/ debian/tmp/lib/$(DEB_HOST_MULTIARCH)/ + + # move the special manpages + mkdir -p debian/libpam-cgfs/usr/share/man/man8/ + mkdir -p debian/libpam-cgfs/usr/share/man/ja/man8/ + mv debian/tmp/usr/share/man/man8/pam_cgfs.8 debian/libpam-cgfs/usr/share/man/man8/ + mv debian/tmp/usr/share/man/ja/man8/pam_cgfs.8 debian/libpam-cgfs/usr/share/man/ja/man8/ + rmdir debian/tmp/usr/share/man/man8 debian/tmp/usr/share/man/ja/man8 + + mkdir -p debian/liblxc-common/usr/share/man/man1/ + mkdir -p debian/liblxc-common/usr/share/man/ja/man1/ + mkdir -p debian/liblxc-common/usr/share/man/ko/man1/ + mv debian/tmp/usr/share/man/man1/lxc-user-nic.1 debian/liblxc-common/usr/share/man/man1/ + mv debian/tmp/usr/share/man/ja/man1/lxc-user-nic.1 debian/liblxc-common/usr/share/man/ja/man1/ + mv debian/tmp/usr/share/man/ko/man1/lxc-user-nic.1 debian/liblxc-common/usr/share/man/ko/man1/ + + dh_install + +override_dh_builddeb: + # prevent system users from using setuid-root binaries under /var/lib/lxc + chmod 700 debian/lxc-utils/var/lib/lxc + chmod 700 debian/lxc-utils/var/cache/lxc - # increase limit of inotify listeners - mkdir -p debian/tmp/etc/sysctl.d - cp debian/lxc.sysctl debian/tmp/etc/sysctl.d/30-lxc-inotify.conf + # mark lxc-user-nic as setuid + chmod u+s debian/liblxc-common/usr/lib/${DEB_HOST_MULTIARCH}/lxc/lxc-user-nic - # fix the sysvinit script name - mv $(CURDIR)/debian/tmp/etc/init.d/lxc-containers \ - $(CURDIR)/debian/tmp/etc/init.d/lxc - - dh_apparmor -p liblxc-common --profile-name=usr.bin.lxc-start - -override_dh_compress: - dh_compress -X.cfg - -override_dh_fixperms: - dh_fixperms -Xusr/libexec/lxc/lxc-user-nic + dh_builddeb override_dh_installinit: - dh_installinit -p lxc --onlyscripts --no-stop-on-upgrade --no-start --name lxc - dh_installinit -p lxc --onlyscripts --no-stop-on-upgrade --no-start --name lxc-net +ifeq (,$(findstring $(DEB_DISTRIBUTION), trusty xenial)) + # Disable upstart integration on artful+ + cp debian/lxc-utils.maintscript.in debian/lxc-utils.maintscript + rm -f debian/lxc-utils/etc/init/*.conf +else + cp debian/lxc-utils/etc/init/lxc.conf debian/lxc-utils.upstart + cp debian/lxc-utils/etc/init/lxc-instance.conf debian/lxc-utils.lxc-instance.upstart + cp debian/lxc-utils/etc/init/lxc-net.conf debian/lxc-utils.lxc-net.upstart + dh_installinit --no-start --no-stop-on-upgrade --name=lxc-instance +endif + dh_installinit --no-stop-on-upgrade --name=lxc + dh_installinit --no-stop-on-upgrade --name=lxc-net override_dh_installsystemd: dh_installsystemd --no-stop-on-upgrade - -override_dh_missing: - dh_missing --fail-missing diff -pruN 1:5.0.1-1/debian/salsa-ci.yml 1:5.0.1-0ubuntu6/debian/salsa-ci.yml --- 1:5.0.1-1/debian/salsa-ci.yml 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ ---- -include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff -pruN 1:5.0.1-1/debian/source/lintian-overrides 1:5.0.1-0ubuntu6/debian/source/lintian-overrides --- 1:5.0.1-1/debian/source/lintian-overrides 1970-01-01 00:00:00.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/source/lintian-overrides 2023-01-10 21:29:10.000000000 +0000 @@ -0,0 +1,8 @@ +# Not quite true yet in Ubuntu +lxc source: ored-build-depends-on-obsolete-package Build-Depends: hardening-wrapper => use dpkg-buildflags instead + +# Intentional +lxc source: intra-source-package-circular-dependency liblxc-common liblxc1 + +# Required for backports +lxc source: package-uses-old-debhelper-compat-version 12 diff -pruN 1:5.0.1-1/debian/templates 1:5.0.1-0ubuntu6/debian/templates --- 1:5.0.1-1/debian/templates 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/templates 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -Template: lxc/auto_update_config -Type: boolean -_Description: Auto update lxc2 configuration format to lxc3? - LXC 3 comes with many changes for containers' configuration files. - It also comes with a binary `/usr/bin/lxc-update-config` that allows - one to update his configuration. - . - This job can be done either automatically now or manually later. - . - Unpriviledged containers configurations will have to be updated manually - either way via the `/usr/bin/lxc-update-config` command. diff -pruN 1:5.0.1-1/debian/tests/basics-create-destroy 1:5.0.1-0ubuntu6/debian/tests/basics-create-destroy --- 1:5.0.1-1/debian/tests/basics-create-destroy 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/tests/basics-create-destroy 1970-01-01 00:00:00.000000000 +0000 @@ -1,10 +0,0 @@ -#!/bin/sh - -set -exu - -lxc-create -t busybox -n test -lxc-ls -f -test -f /var/lib/lxc/test/config -lxc-destroy -n test -lxc-ls -f -! test -f /var/lib/lxc/test/config diff -pruN 1:5.0.1-1/debian/tests/control 1:5.0.1-0ubuntu6/debian/tests/control --- 1:5.0.1-1/debian/tests/control 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/tests/control 2023-01-10 21:29:10.000000000 +0000 @@ -1,22 +1,13 @@ Tests: exercise -Depends: busybox-static, +Depends: autoconf, + busybox-static, + cloud-image-utils, debootstrap, dirmngr, - dnsmasq-base, - file, - gnupg, - iptables, - lsb-release, - rsync, + distro-info, + lxcfs, uidmap, xz-utils, + @builddeps@, @ Restrictions: needs-root allow-stderr isolation-machine - -Tests: unprivileged-containers -Depends: distro-info, uidmap, wget, @ -Restrictions: allow-stderr, isolation-machine, needs-internet - -Tests: basics-create-destroy -Depends: @, busybox-static -Restrictions: allow-stderr, needs-root, superficial diff -pruN 1:5.0.1-1/debian/tests/exercise 1:5.0.1-0ubuntu6/debian/tests/exercise --- 1:5.0.1-1/debian/tests/exercise 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/tests/exercise 2023-01-18 03:44:31.000000000 +0000 @@ -1,14 +1,5 @@ #!/bin/sh # Environment - -if [ ! -d /sys/fs/cgroup/memory ]; then - if [ ! "$AUTOPKGTEST_REBOOT_MARK" = "lxc-prepare" ]; then - sed -i '/GRUB_CMDLINE_LINUX_DEFAULT/ s/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 cgroup_enable=memory swapaccount=1"/' /etc/default/grub - update-grub2 - /tmp/autopkgtest-reboot lxc-prepare - fi -fi - set -eu unset TMPDIR @@ -22,7 +13,11 @@ IGNORE_LIST="" # Helper functions pass() { TEST_PASS=$((${TEST_PASS}+1)) - echo "PASS: $1" + + CURRENT_TIME=$(date +%s) + DURATION=$((CURRENT_TIME-START_TIME)) + + echo "PASS: $1 (${DURATION}s)" } fail() { @@ -34,7 +29,11 @@ fail() { done TEST_FAIL=$((${TEST_FAIL}+1)) - echo "FAIL: $1" + + CURRENT_TIME=$(date +%s) + DURATION=$((CURRENT_TIME-START_TIME)) + + echo "FAIL: $1 (${DURATION}s)" if [ -f "$3" ]; then echo "---" @@ -53,42 +52,52 @@ summary() { echo "SUMMARY: pass=$TEST_PASS, fail=$TEST_FAIL, ignored=$TEST_IGNORED" } -# prepare network features, they are disabled by default on Debian -# but we want to test them -echo USE_LXC_BRIDGE=true > /etc/default/lxc-net -service lxc-net restart - -cat </etc/lxc/default.conf -lxc.net.0.type = veth -lxc.net.0.link = lxcbr0 -lxc.net.0.flags = up -lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx +# Source distro information +[ -e /etc/lsb-release ] && . /etc/lsb-release + +# Workaround for broken gpg2 +if [ -n "${http_proxy:-}" ] && [ -e /usr/bin/dirmngr ]; then + dpkg-divert --divert /usr/bin/dirmngr.orig --rename --add /usr/bin/dirmngr + ( + cat << EOF +#!/bin/sh +exec /usr/bin/dirmngr.orig --honor-http-proxy \$@ EOF + ) > /usr/bin/dirmngr + chmod +x /usr/bin/dirmngr +fi -modprobe overlay || true +# Override the GPG server +sed -i '/^DOWNLOAD_URL=$/a DOWNLOAD_KEYSERVER="hkp://keyserver.ubuntu.com:80"' /usr/share/lxc/templates/lxc-download -# since gnupg2 and dirmngr fetching keys after bootup fails in the first seconds -# most probably this is due to entropy in the VM, so lets just wait -sleep 30 +# Build the tests (don't install anything, we want the system lib and tools) +MULTIARCH=$(gcc -print-multiarch) +meson setup -Dtests=true -Dman=false -Dprefix=/usr -Dsysconfdir=/etc -Dlocalstatedir=/var -Dlibdir=/usr/lib/${MULTIARCH} -Dlibexecdir=/usr/lib/${MULTIARCH} -Drootfs-mount-path=/usr/lib/${MULTIARCH}/lxc build +make +rm -rf build/src/tests/lxc-test-*.p +cp build/src/tests/lxc-test-* src/tests/ +rm -f src/tests/lxc-test-fuzzers +cd src/tests/ # The actual tests ## Default testsuite -for testbin in /usr/bin/lxc-test-*; do +for testbin in lxc-test-*; do + [ -x "$testbin" ] || continue + echo "${testbin}" | grep -qv "\.in$" || continue STRING="lxc-tests: $testbin" - [ ! -x "$testbin" ] && continue # Some tests can't be run standalone - [ "$testbin" = "/usr/bin/lxc-test-may-control" ] && continue + [ "$testbin" = "lxc-test-may-control" ] && continue # Skip some tests when running in a container if [ -f /run/container_type ] || (type systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1); then - [ "$testbin" = "/usr/bin/lxc-test-apparmor" ] && \ + [ "$testbin" = "lxc-test-apparmor" ] && \ ignore "$STRING" && continue - [ "$testbin" = "/usr/bin/lxc-test-device-add-remove" ] && \ + [ "$testbin" = "lxc-test-device-add-remove" ] && \ ignore "$STRING" && continue - [ "$testbin" = "/usr/bin/lxc-test-reboot" ] && \ + [ "$testbin" = "lxc-test-reboot" ] && \ ignore "$STRING" && continue fi @@ -96,34 +105,56 @@ for testbin in /usr/bin/lxc-test-*; do if [ -f /proc/self/uid_map ] && \ ! grep -q "4294967295$" /proc/self/uid_map; then - [ "$testbin" = "/usr/bin/lxc-test-unpriv" ] && \ + [ "$testbin" = "lxc-test-unpriv" ] && \ ignore "$STRING" && continue - [ "$testbin" = "/usr/bin/lxc-test-usernic" ] && \ + [ "$testbin" = "lxc-test-usernic" ] && \ ignore "$STRING" && continue fi # Skip some tests on old kernels if [ ! -f /proc/self/uid_map ] || [ ! -f /etc/subuid ] || \ [ ! -f /etc/subgid ]; then - [ "$testbin" = "/usr/bin/lxc-test-unpriv" ] && \ + [ "$testbin" = "lxc-test-unpriv" ] && \ ignore "$STRING" && continue - [ "$testbin" = "/usr/bin/lxc-test-usernic" ] && \ + [ "$testbin" = "lxc-test-usernic" ] && \ ignore "$STRING" && continue fi - # Skip overlay tests when kernel has no overlay support - if ! grep -q overlay /proc/filesystems; then - [ "$testbin" = "/usr/bin/lxc-test-cloneconfig" ] && \ + # Skip some tests because of broken busybox + [ "$testbin" = "lxc-test-state-server" ] && \ + ignore "$STRING" && continue + + # Skip some tests due to cgroup v2 incompatibility + if [ -e /sys/fs/cgroup/system.slice/memory.current ]; then + + [ "$testbin" = "lxc-test-apparmor-mount" ] && \ + ignore "$STRING" && continue + + [ "$testbin" = "lxc-test-autostart" ] && \ + ignore "$STRING" && continue + + [ "$testbin" = "lxc-test-no-new-privs" ] && \ ignore "$STRING" && continue + + [ "$testbin" = "lxc-test-unpriv" ] && \ + ignore "$STRING" && continue + fi OUT=$(mktemp) - $testbin >$OUT 2>&1 && pass "$STRING" || fail "$STRING" "$testbin" "$OUT" + START_TIME=$(date +%s) + ./$testbin >$OUT 2>&1 && pass "$STRING" || fail "$STRING" "$testbin" "$OUT" rm $OUT done +# Workaround for broken gpg2 +if [ -n "${http_proxy:-}" ] && [ -e /usr/bin/dirmngr ]; then + rm /usr/bin/dirmngr + dpkg-divert --divert /usr/bin/dirmngr.orig --rename --remove /usr/bin/dirmngr +fi + # Test summary summary diff -pruN 1:5.0.1-1/debian/tests/unprivileged-containers 1:5.0.1-0ubuntu6/debian/tests/unprivileged-containers --- 1:5.0.1-1/debian/tests/unprivileged-containers 2022-08-01 20:11:52.000000000 +0000 +++ 1:5.0.1-0ubuntu6/debian/tests/unprivileged-containers 1970-01-01 00:00:00.000000000 +0000 @@ -1,38 +0,0 @@ -#!/bin/sh - -set -eu - -######################################################################## -# Configure and run an unprivileged container as a non-root user -######################################################################## - -uidrange=$(awk -F : "{if (\$1 == \"${USER}\") {print(\$2, \$3)}}" /etc/subuid) -gidrange=$(awk -F : "{if (\$1 == \"${USER}\") {print(\$2, \$3)}}" /etc/subgid) -stable=$(distro-info --stable) - -set -x - -mkdir -p ~/.config/lxc - -# no network as this would require some setup as root -tee ~/.config/lxc/default.conf <