From 660ffa675e6d2a6157bde5677816916ddb822630 Mon Sep 17 00:00:00 2001
From: Yanfei Xu
Date: Thu, 9 Apr 2020 21:00:38 +0800
Subject: lxc: uprev from 3.2.1 to 4.0.1

Update to the just released 4.0.1. And drop some patches contained in this released.

Signed-off-by: Yanfei Xu
Signed-off-by: Bruce Ashfield
---
 ...onf-Add-option-to-set-keyring-SELinux-con.patch | 275 ---------------------
 ...ppers-rename-internal-memfd_create-to-mem.patch | 46 ----
 ...onf-Add-option-to-disable-session-keyring.patch | 217 ----------------
 ...k-restore-ability-to-move-nl80211-devices.patch | 94 -------
 recipes-containers/lxc/lxc_3.2.1.bb | 201 ---------------
 recipes-containers/lxc/lxc_4.0.1.bb | 197 +++++++++++++++
 6 files changed, 197 insertions(+), 833 deletions(-)
 delete mode 100644 recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
 delete mode 100644 recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
 delete mode 100644 recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
 delete mode 100644 recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
 delete mode 100644 recipes-containers/lxc/lxc_3.2.1.bb
 create mode 100644 recipes-containers/lxc/lxc_4.0.1.bb

(limited to 'recipes-containers')

diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
deleted file mode 100644
index 0da1be08..00000000
--- a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
+++ /dev/null
@@ -1,275 +0,0 @@ -From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001 -From: Maximilian Blenk -Date: Wed, 29 Jan 2020 17:09:50 +0100 -Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context - -lxc set's up a new session keyring for every container by default. -If executed on an SELinux enabled system, by default, the keyring -inherits the label of the creating process. If executed with the -currently available SELinux policy, this means that the keyring -is labeled with the lxc_t type. Applications inside the container, -however, might expect that the keyring is labeled with a certain -context (and will fail to access the keyring if it's not explicitly -allowed in the global policy). This patch introduces the config -option lxc.selinux.context.keyring which enables to specify the -label of the newly created keyring. That is, the keyring can be -labeled with the label expected by the started application. - -Signed-off-by: Maximilian Blenk ---- - config/selinux/lxc.te | 3 +++ - src/lxc/conf.c | 10 +++++++++- - src/lxc/conf.h | 1 + - src/lxc/confile.c | 24 ++++++++++++++++++++++++ - src/lxc/lsm/lsm.c | 13 +++++++++++++ - src/lxc/lsm/lsm.h | 2 ++ - src/lxc/lsm/selinux.c | 13 +++++++++++++ - src/lxc/utils.c | 9 ++++++++- - src/lxc/utils.h | 2 +- - 9 files changed, 74 insertions(+), 3 deletions(-) - -diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te -index bb4bfe3a8..d3f78d80b 100644 ---- a/config/selinux/lxc.te -+++ b/config/selinux/lxc.te -@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms; - allow lxc_t self:rawip_socket create_socket_perms; - allow lxc_t self:netlink_route_socket create_netlink_socket_perms; - -+# Needed to set label that the keyring will be created with -+allow lxc_t self:process { setkeycreate }; -+ - dontaudit lxc_t sysctl_kernel_t:file write; - dontaudit lxc_t sysctl_modprobe_t:file write; -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 0f8b3c928..b06fbf047 100644 ---- 
a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void) - new->lsm_aa_profile = NULL; - lxc_list_init(&new->lsm_aa_raw); - new->lsm_se_context = NULL; -+ new->lsm_se_keyring_context = NULL; - new->tmp_umount_proc = false; - new->tmp_umount_proc = 0; - new->shmount.path_host = NULL; -@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler) - int ret; - const char *lxcpath = handler->lxcpath, *name = handler->name; - struct lxc_conf *lxc_conf = handler->conf; -+ char *keyring_context = NULL; - - ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath); - if (ret < 0) { -@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler) - } - } - -- ret = lxc_setup_keyring(); -+ if (lxc_conf->lsm_se_keyring_context) { -+ keyring_context = lxc_conf->lsm_se_keyring_context; -+ } else if (lxc_conf->lsm_se_context) { -+ keyring_context = lxc_conf->lsm_se_context; -+ } -+ -+ ret = lxc_setup_keyring(keyring_context); - if (ret < 0) - return -1; - -diff --git a/src/lxc/conf.h b/src/lxc/conf.h -index 2664a1527..bb47b720e 100644 ---- a/src/lxc/conf.h -+++ b/src/lxc/conf.h -@@ -295,6 +295,7 @@ struct lxc_conf { - unsigned int lsm_aa_allow_incomplete; - struct lxc_list lsm_aa_raw; - char *lsm_se_context; -+ char *lsm_se_keyring_context; - bool tmp_umount_proc; - struct lxc_seccomp seccomp; - int maincmd_fd; -diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index 36d62cbca..df184af73 100644 ---- a/src/lxc/confile.c -+++ b/src/lxc/confile.c -@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting); - lxc_config_define(seccomp_notify_cookie); - lxc_config_define(seccomp_notify_proxy); - lxc_config_define(selinux_context); -+lxc_config_define(selinux_context_keyring); - lxc_config_define(signal_halt); - lxc_config_define(signal_reboot); - lxc_config_define(signal_stop); -@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = { - { "lxc.seccomp.notify.proxy", set_config_seccomp_notify_proxy, 
get_config_seccomp_notify_proxy, clr_config_seccomp_notify_proxy, }, - { "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, }, - { "lxc.selinux.context", set_config_selinux_context, get_config_selinux_context, clr_config_selinux_context, }, -+ { "lxc.selinux.context.keyring", set_config_selinux_context_keyring, get_config_selinux_context_keyring, clr_config_selinux_context_keyring }, - { "lxc.signal.halt", set_config_signal_halt, get_config_signal_halt, clr_config_signal_halt, }, - { "lxc.signal.reboot", set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, }, - { "lxc.signal.stop", set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, }, -@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value, - return set_config_string_item(&lxc_conf->lsm_se_context, value); - } - -+static int set_config_selinux_context_keyring(const char *key, const char *value, -+ struct lxc_conf *lxc_conf, void *data) -+{ -+ return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value); -+} -+ - static int set_config_log_file(const char *key, const char *value, - struct lxc_conf *c, void *data) - { -@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen, - return lxc_get_conf_str(retv, inlen, c->lsm_se_context); - } - -+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen, -+ struct lxc_conf *c, void *data) -+{ -+ return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context); -+} -+ -+ - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then - * just the value(s) will be printed. Since there still could be more than one, - * it is newline-separated. 
-@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key, - return 0; - } - -+static inline int clr_config_selinux_context_keyring(const char *key, -+ struct lxc_conf *c, void *data) -+{ -+ free(c->lsm_se_keyring_context); -+ c->lsm_se_keyring_context = NULL; -+ return 0; -+} -+ - static inline int clr_config_cgroup_controller(const char *key, - struct lxc_conf *c, void *data) - { -@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, - strprint(retv, inlen, "dir\n"); - } else if (!strcmp(key, "lxc.selinux")) { - strprint(retv, inlen, "context\n"); -+ strprint(retv, inlen, "context.keyring\n"); - } else if (!strcmp(key, "lxc.mount")) { - strprint(retv, inlen, "auto\n"); - strprint(retv, inlen, "entry\n"); -diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c -index 5538c9e84..48c22b700 100644 ---- a/src/lxc/lsm/lsm.c -+++ b/src/lxc/lsm/lsm.c -@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath) - - drv->cleanup(conf, lxcpath); - } -+ -+int lsm_keyring_label_set(char *label) { -+ -+ if (!drv) { -+ ERROR("LSM driver not inited"); -+ return -1; -+ } -+ -+ if (!drv->keyring_label_set) -+ return 0; -+ -+ return drv->keyring_label_set(label); -+} -diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h -index dda740b3d..a645a2fa0 100644 ---- a/src/lxc/lsm/lsm.h -+++ b/src/lxc/lsm/lsm.h -@@ -38,6 +38,7 @@ struct lsm_drv { - char *(*process_label_get)(pid_t pid); - int (*process_label_set)(const char *label, struct lxc_conf *conf, - bool on_exec); -+ int (*keyring_label_set)(char* label); - int (*prepare)(struct lxc_conf *conf, const char *lxcpath); - void (*cleanup)(struct lxc_conf *conf, const char *lxcpath); - }; -@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec); - extern int lsm_process_label_set_at(int label_fd, const char *label, - bool on_exec); - extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath); -+extern int 
lsm_keyring_label_set(char *label); - - #endif /* __LXC_LSM_H */ -diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c -index 625bcae90..b3d95c310 100644 ---- a/src/lxc/lsm/selinux.c -+++ b/src/lxc/lsm/selinux.c -@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf, - return 0; - } - -+/* -+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring -+ * -+ * @label : label string -+ * -+ * Returns 0 on success, < 0 on failure -+ */ -+static int selinux_keyring_label_set(char *label) -+{ -+ return setkeycreatecon_raw(label); -+}; -+ - static struct lsm_drv selinux_drv = { - .name = "SELinux", - .enabled = is_selinux_enabled, - .process_label_get = selinux_process_label_get, - .process_label_set = selinux_process_label_set, -+ .keyring_label_set = selinux_keyring_label_set, - }; - - struct lsm_drv *lsm_selinux_drv_init(void) -diff --git a/src/lxc/utils.c b/src/lxc/utils.c -index bf4a9c2cb..90852eb87 100644 ---- a/src/lxc/utils.c -+++ b/src/lxc/utils.c -@@ -48,6 +48,7 @@ - - #include "config.h" - #include "log.h" -+#include "lsm/lsm.h" - #include "lxclock.h" - #include "memory_utils.h" - #include "namespace.h" -@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname) - return r; - } - --int lxc_setup_keyring(void) -+int lxc_setup_keyring(char *keyring_label) - { - key_serial_t keyring; - int ret = 0; - -+ if (keyring_label) { -+ if (lsm_keyring_label_set(keyring_label) < 0) { -+ ERROR("Couldn't set keyring label"); -+ } -+ } -+ - /* Try to allocate a new session keyring for the container to prevent - * information leaks. 
- */
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index dd6404f0b..7560711b7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
- extern int lxc_set_death_signal(int signal, pid_t parent);
- extern int fd_cloexec(int fd, bool cloexec);
- extern int recursive_destroy(char *dirname);
--extern int lxc_setup_keyring(void);
-+extern int lxc_setup_keyring(char *keyring_label);
- 
- #endif /* __LXC_UTILS_H */
--- 
-2.24.1
- 
diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
deleted file mode 100644
index 9d5b5b8a..00000000
--- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001
-From: Patrick Havelange
-Date: Tue, 22 Oct 2019 12:29:54 +0200
-Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
- memfd_create_lxc
-
-In case the internal memfd_create has to be used, make sure we don't
-clash with the already existing memfd_create function from glibc.
-
-This can happen if this glibc function is a stub. In this case, at
-./configure time, the test for this function will return false, however
-the declaration of that function is still available. This leads to
-compilation errors.
-
-Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]
-
-Signed-off-by: Patrick Havelange
-(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
-Signed-off-by: Oleksii Kurochko
----
- v2: added Upstream-Status
-
- src/lxc/syscall_wrappers.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
-index ce67da5b5308..b7edba63f5d7 100644
---- a/src/lxc/syscall_wrappers.h
-+++ b/src/lxc/syscall_wrappers.h
-@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
- #endif
- 
- #ifndef HAVE_MEMFD_CREATE
--static inline int memfd_create(const char *name, unsigned int flags) {
-+static inline int memfd_create_lxc(const char *name, unsigned int flags) {
- #ifndef __NR_memfd_create
- #if defined __i386__
- #define __NR_memfd_create 356
-@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) {
- return -1;
- #endif
- }
-+#define memfd_create memfd_create_lxc
- #else
- extern int memfd_create(const char *name, unsigned int flags);
- #endif
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
deleted file mode 100644
index 34647c80..00000000
--- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
+++ /dev/null
@@ -1,217 +0,0 @@ -From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001 -From: Maximilian Blenk -Date: Thu, 30 Jan 2020 19:21:10 +0100 -Subject: [PATCH 3/3] container.conf: Add option to disable session keyring - creation - -lxc set's up a new session keyring for every container by default. -There might be valid use-cases where this is not wanted / needed -(e.g. systemd by default creates a new session keyring anyway). - -Signed-off-by: Maximilian Blenk ---- - src/lxc/conf.c | 19 ++++++++++-------- - src/lxc/conf.h | 1 + - src/lxc/confile.c | 44 ++++++++++++++++++++++------------------- - src/lxc/confile_utils.c | 24 ++++++++++++++++++++++ - src/lxc/confile_utils.h | 2 ++ - 5 files changed, 62 insertions(+), 28 deletions(-) - -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index b06fbf047..be4761a54 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void) - lxc_list_init(&new->lsm_aa_raw); - new->lsm_se_context = NULL; - new->lsm_se_keyring_context = NULL; -+ new->keyring_disable_session = false; - new->tmp_umount_proc = false; - new->tmp_umount_proc = 0; - new->shmount.path_host = NULL; -@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler) - } - } - -- if (lxc_conf->lsm_se_keyring_context) { -- keyring_context = lxc_conf->lsm_se_keyring_context; -- } else if (lxc_conf->lsm_se_context) { -- keyring_context = lxc_conf->lsm_se_context; -- } -+ if (!lxc_conf->keyring_disable_session) { -+ if (lxc_conf->lsm_se_keyring_context) { -+ keyring_context = lxc_conf->lsm_se_keyring_context; -+ } else if (lxc_conf->lsm_se_context) { -+ keyring_context = lxc_conf->lsm_se_context; -+ } - -- ret = lxc_setup_keyring(keyring_context); -- if (ret < 0) -- return -1; -+ ret = lxc_setup_keyring(keyring_context); -+ if (ret < 0) -+ return -1; -+ } - - if (handler->ns_clone_flags & CLONE_NEWNET) { - ret = lxc_setup_network_in_child_namespaces(lxc_conf, -diff --git a/src/lxc/conf.h b/src/lxc/conf.h -index 
bb47b720e..b81786838 100644 ---- a/src/lxc/conf.h -+++ b/src/lxc/conf.h -@@ -296,6 +296,7 @@ struct lxc_conf { - struct lxc_list lsm_aa_raw; - char *lsm_se_context; - char *lsm_se_keyring_context; -+ bool keyring_disable_session; - bool tmp_umount_proc; - struct lxc_seccomp seccomp; - int maincmd_fd; -diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index df184af73..fd8b3aaba 100644 ---- a/src/lxc/confile.c -+++ b/src/lxc/confile.c -@@ -110,6 +110,7 @@ lxc_config_define(init_cmd); - lxc_config_define(init_cwd); - lxc_config_define(init_gid); - lxc_config_define(init_uid); -+lxc_config_define(keyring_session); - lxc_config_define(log_file); - lxc_config_define(log_level); - lxc_config_define(log_syslog); -@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = { - { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, }, - { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, }, - { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, }, -+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session }, - { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, }, - { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, }, - { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, }, -@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value - return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value); - } - -+static int set_config_keyring_session(const char *key, const char *value, -+ struct lxc_conf *lxc_conf, void *data) -+{ -+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false); -+} -+ - static int set_config_log_file(const char *key, const char *value, - struct lxc_conf *c, void *data) - { -@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const 
char *key, const char *value, - static int set_config_rootfs_managed(const char *key, const char *value, - struct lxc_conf *lxc_conf, void *data) - { -- unsigned int val = 0; -- -- if (lxc_config_value_empty(value)) { -- lxc_conf->rootfs.managed = true; -- return 0; -- } -- -- if (lxc_safe_uint(value, &val) < 0) -- return -EINVAL; -- -- switch (val) { -- case 0: -- lxc_conf->rootfs.managed = false; -- return 0; -- case 1: -- lxc_conf->rootfs.managed = true; -- return 0; -- } -- -- return -EINVAL; -+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true); - } - - static int set_config_rootfs_mount(const char *key, const char *value, -@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i - return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context); - } - -+static int get_config_keyring_session(const char *key, char *retv, int inlen, -+ struct lxc_conf *c, void *data) -+{ -+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session); -+} -+ - - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then - * just the value(s) will be printed. 
Since there still could be more than one, -@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key, - return 0; - } - -+static inline int clr_config_keyring_session(const char *key, -+ struct lxc_conf *c, void *data) -+{ -+ c->keyring_disable_session = false; -+ return 0; -+} -+ - static inline int clr_config_cgroup_controller(const char *key, - struct lxc_conf *c, void *data) - { -@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, - strprint(retv, inlen, "order\n"); - } else if (!strcmp(key, "lxc.monitor")) { - strprint(retv, inlen, "unshare\n"); -+ } else if (!strcmp(key, "lxc.keyring")) { -+ strprint(retv, inlen, "session\n"); - } else { - fulllen = -1; - } -diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c -index 6941f4026..02e48454b 100644 ---- a/src/lxc/confile_utils.c -+++ b/src/lxc/confile_utils.c -@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value) - return set_config_string_item_max(conf_item, value, PATH_MAX); - } - -+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action) -+{ -+ unsigned int val = 0; -+ -+ if (lxc_config_value_empty(value)) { -+ *conf_item = empty_conf_action; -+ return 0; -+ } -+ -+ if (lxc_safe_uint(value, &val) < 0) -+ return -EINVAL; -+ -+ switch (val) { -+ case 0: -+ *conf_item = false; -+ return 0; -+ case 1: -+ *conf_item = true; -+ return 0; -+ } -+ -+ return -EINVAL; -+} -+ - int config_ip_prefix(struct in_addr *addr) - { - if (IN_CLASSA(addr->s_addr)) -diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h -index f68f9604f..83d49bace 100644 ---- a/src/lxc/confile_utils.h -+++ b/src/lxc/confile_utils.h -@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value); - extern int set_config_string_item_max(char **conf_item, const char *value, - size_t max); - extern int set_config_path_item(char **conf_item, const char *value); -+extern int 
set_config_bool_item(bool *conf_item, const char *value,
-+ bool empty_conf_action);
- extern int config_ip_prefix(struct in_addr *addr);
- extern int network_ifname(char *valuep, const char *value, size_t size);
- extern void rand_complete_hwaddr(char *hwaddr);
--- 
-2.24.1
- 
diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
deleted file mode 100644
index aa1aecd4..00000000
--- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
+++ /dev/null
@@ -1,94 +0,0 @@ -From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Fri, 26 Jul 2019 08:20:02 +0200 -Subject: [PATCH] network: restore ability to move nl80211 devices - -Closes #3105. -Signed-off-by: Christian Brauner ---- - src/lxc/network.c | 31 +++++++++++++++++-------------- - 1 file changed, 17 insertions(+), 14 deletions(-) - -diff --git a/src/lxc/network.c b/src/lxc/network.c -index 9755116..7684f95 100644 ---- a/src/lxc/network.c -+++ b/src/lxc/network.c -@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old, - static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid, - const char *newname) - { -- char *cmd; -+ __do_free char *cmd = NULL; - pid_t fpid; -- int err = -1; - - /* Move phyN into the container. TODO - do this using netlink. - * However, IIUC this involves a bit more complicated work to talk to - * the 80211 module, so for now just call out to iw. - */ - cmd = on_path("iw", NULL); -- if (!cmd) -- goto out1; -- free(cmd); -+ if (!cmd) { -+ return -1; -+ } - - fpid = fork(); - if (fpid < 0) -- goto out1; -+ return -1; - - if (fpid == 0) { - char pidstr[30]; -@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid, - } - - if (wait_for_pid(fpid)) -- goto out1; -+ return -1; - -- err = 0; - if (newname) -- err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname); -+ return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname); - --out1: -- free(physname); -- return err; -+ return 0; - } - - int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname) - { -+ __do_free char *physname = NULL; - int index; -- char *physname; - - if (!ifname) - return -EINVAL; -@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler) - return 0; - - lxc_list_for_each(iterator, network) { -+ __do_free char *physname = NULL; - int ret; - struct 
lxc_netdev *netdev = iterator->elem;
- 
- if (!netdev->ifindex)
- continue;
- 
-- ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
-+ if (netdev->type == LXC_NET_PHYS)
-+ physname = is_wlan(netdev->link);
-+ 
-+ if (physname)
-+ ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
-+ else
-+ ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
- if (ret) {
- errno = -ret;
- SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
--- 
-2.7.4
- 
diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_3.2.1.bb
deleted file mode 100644
index 9592dd9b..00000000
--- a/recipes-containers/lxc/lxc_3.2.1.bb
+++ /dev/null
@@ -1,201 +0,0 @@
-DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
-SECTION = "console/utils"
-LICENSE = "LGPLv2.1"
-LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-DEPENDS = "libxml2 libcap"
-RDEPENDS_${PN} = " \
- rsync \
- curl \
- gzip \
- xz \
- tar \
- libcap-bin \
- bridge-utils \
- dnsmasq \
- perl-module-strict \
- perl-module-getopt-long \
- perl-module-vars \
- perl-module-exporter \
- perl-module-constant \
- perl-module-overload \
- perl-module-exporter-heavy \
- gmp \
- libidn \
- gnutls \
- nettle \
- util-linux-mountpoint \
- util-linux-getopt \
-"
-
-RDEPENDS_${PN}_append_libc-glibc = " glibc-utils"
-
-RDEPENDS_${PN}-ptest += "file make gmp nettle gnutls bash libgcc"
-
-RDEPENDS_${PN}-networking += "iptables"
-
-SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
- file://lxc-1.0.0-disable-udhcp-from-busybox-template.patch \
- file://run-ptest \
- file://lxc-fix-B-S.patch \
- file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
- file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
- file://templates-actually-create-DOWNLOAD_TEMP-directory.patch \
- file://template-make-busybox-template-compatible-with-core-.patch \
- file://templates-use-curl-instead-of-wget.patch \
- file://tests-our-init-is-not-busybox.patch \
- file://tests-add-no-validate-when-using-download-template.patch \
- file://network-restore-ability-to-move-nl80211-devices.patch \
- file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
- file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
- file://dnsmasq.conf \
- file://lxc-net \
- file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \
- "
-
-SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
-SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
-
-S = "${WORKDIR}/${BPN}-${PV}"
-
-# Let's not configure for the host distro.
-#
-PTEST_CONF = "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '--enable-tests', '', d)}"
-EXTRA_OECONF += "--with-distro=${DISTRO} ${PTEST_CONF}"
-
-EXTRA_OECONF += "--with-init-script=\
-${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit,', '', d)}\
-${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-EXTRA_OECONF += "--enable-log-src-basename"
-
-CFLAGS_append = " -Wno-error=deprecated-declarations"
-
-PACKAGECONFIG ??= "templates \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
-"
-PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc --disable-api-docs,,"
-PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"
-PACKAGECONFIG[apparmor] = "--enable-apparmor,--disable-apparmor,apparmor,apparmor"
-PACKAGECONFIG[templates] = ",,, ${PN}-templates"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
-PACKAGECONFIG[seccomp] ="--enable-seccomp,--disable-seccomp,libseccomp,libseccomp"
-PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,--without-systemdsystemunitdir,systemd,"
-
-# required by python3 to run setup.py
-export BUILD_SYS
-export HOST_SYS
-export STAGING_INCDIR
-export STAGING_LIBDIR
-
-inherit autotools pkgconfig ptest update-rc.d systemd python3native
-
-SYSTEMD_PACKAGES = "${PN} ${PN}-networking"
-SYSTEMD_SERVICE_${PN} = "lxc.service"
-SYSTEMD_AUTO_ENABLE_${PN} = "disable"
-SYSTEMD_SERVICE_${PN}-networking = "lxc-net.service"
-SYSTEMD_AUTO_ENABLE_${PN}-networking = "enable"
-
-INITSCRIPT_PACKAGES = "${PN} ${PN}-networking"
-INITSCRIPT_NAME_${PN} = "lxc-containers"
-INITSCRIPT_PARAMS_${PN} = "defaults"
-INITSCRIPT_NAME_${PN}-networking = "lxc-net"
-INITSCRIPT_PARAMS_${PN}-networking = "defaults"
-
-FILES_${PN}-doc = "${mandir} ${infodir}"
-# For LXC the docdir only contains example configuration files and should be included in the lxc package
-FILES_${PN} += "${docdir}"
-FILES_${PN} += "${libdir}/python3*"
-FILES_${PN} += "${datadir}/bash-completion"
-FILES_${PN}-dbg += "${libexecdir}/lxc/.debug"
-FILES_${PN}-dbg += "${libexecdir}/lxc/hooks/.debug"
-PACKAGES =+ "${PN}-templates ${PN}-networking ${PN}-lua"
-FILES_lua-${PN} = "${datadir}/lua ${libdir}/lua"
-FILES_lua-${PN}-dbg += "${libdir}/lua/lxc/.debug"
-FILES_${PN}-templates += "${datadir}/lxc/templates"
-RDEPENDS_${PN}-templates += "bash"
-
-FILES_${PN}-networking += " \
- ${sysconfdir}/init.d/lxc-net \
- ${sysconfdir}/default/lxc-net \
-"
-
-CACHED_CONFIGUREVARS += " \
- ac_cv_path_PYTHON='${STAGING_BINDIR_NATIVE}/python3-native/python3' \
- am_cv_python_pyexecdir='${exec_prefix}/${libdir}/python3.5/site-packages' \
- am_cv_python_pythondir='${prefix}/${libdir}/python3.5/site-packages' \
-"
-
-do_install_append() {
- # The /var/cache/lxc directory created by the Makefile
- # is wiped out in volatile, we need to create this at boot.
- rm -rf ${D}${localstatedir}/cache
- install -d ${D}${sysconfdir}/default/volatiles
- echo "d root root 0755 ${localstatedir}/cache/lxc none" \
- > ${D}${sysconfdir}/default/volatiles/99_lxc
-
- for i in `grep -l "#! */bin/bash" ${D}${datadir}/lxc/hooks/*`; do \
- sed -e 's|#! */bin/bash|#!/bin/sh|' -i $i; done
-
- install -d ${D}${sysconfdir}/init.d
- install -m 755 config/init/sysvinit/lxc* ${D}${sysconfdir}/init.d
-
- # since python3-native is used for install location this will not be
- # suitable for the target and we will have to correct the package install
- if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
- if [ -d ${D}${exec_prefix}/lib/python* ]; then mv ${D}${exec_prefix}/lib/python* ${D}${libdir}/; fi
- rmdir --ignore-fail-on-non-empty ${D}${exec_prefix}/lib
- fi
-
- # /etc/default/lxc sources lxc-net, this allows lxc bridge when lxc-networking
- # is not installed this results in no lxcbr0, but when lxc-networking is installed
- # lxcbr0 will be fully configured.
- install -m 644 ${WORKDIR}/lxc-net ${D}${sysconfdir}/default/
-
- # Force the main dnsmasq instance to bind only to specified interfaces and
- # to not bind to virbr0. Libvirt will run its own instance on this interface.
- install -d ${D}/${sysconfdir}/dnsmasq.d
- install -m 644 ${WORKDIR}/dnsmasq.conf ${D}/${sysconfdir}/dnsmasq.d/lxc
-}
-
-EXTRA_OEMAKE += "TEST_DIR=${D}${PTEST_PATH}/src/tests"
-
-do_install_ptest() {
- # Move tests to the "ptest directory"
- install -d ${D}/${PTEST_PATH}/tests
- mv ${D}/usr/bin/lxc-test-* ${D}/${PTEST_PATH}/tests/.
-}
-
-pkg_postinst_${PN}() {
- if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then
- /etc/init.d/populate-volatile.sh update
- fi
-}
-
-pkg_postinst_ontarget_${PN}-networking() {
-if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
-cat >> /etc/network/interfaces << EOF
-
-auto lxcbr0
-iface lxcbr0 inet dhcp
- bridge_ports eth0
- bridge_fd 0
- bridge_maxwait 0
-EOF
-
-cat</etc/network/if-pre-up.d/lxcbr0
-#! /bin/sh
-
-if test "x\$IFACE" = xlxcbr0 ; then
- brctl show |grep lxcbr0 > /dev/null 2>/dev/null
- if [ \$? != 0 ] ; then
- brctl addbr lxcbr0
- brctl addif lxcbr0 eth0
- ip addr flush eth0
- ifconfig eth0 up
- fi
-fi
-EOF
-chmod 755 /etc/network/if-pre-up.d/lxcbr0
-fi
-}
diff --git a/recipes-containers/lxc/lxc_4.0.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb
new file mode 100644
index 00000000..a3de38ef
--- /dev/null
+++ b/recipes-containers/lxc/lxc_4.0.1.bb
@@ -0,0 +1,197 @@
+DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
+SECTION = "console/utils"
+LICENSE = "LGPLv2.1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+DEPENDS = "libxml2 libcap"
+RDEPENDS_${PN} = " \
+ rsync \
+ curl \
+ gzip \
+ xz \
+ tar \
+ libcap-bin \
+ bridge-utils \
+ dnsmasq \
+ perl-module-strict \
+ perl-module-getopt-long \
+ perl-module-vars \
+ perl-module-exporter \
+ perl-module-constant \
+ perl-module-overload \
+ perl-module-exporter-heavy \
+ gmp \
+ libidn \
+ gnutls \
+ nettle \
+ util-linux-mountpoint \
+ util-linux-getopt \
+"
+
+RDEPENDS_${PN}_append_libc-glibc = " glibc-utils"
+
+RDEPENDS_${PN}-ptest += "file make gmp nettle gnutls bash libgcc"
+
+RDEPENDS_${PN}-networking += "iptables"
+
+SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
+ file://lxc-1.0.0-disable-udhcp-from-busybox-template.patch \
+ file://run-ptest \
+ file://lxc-fix-B-S.patch \
+ file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
+ file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
+ file://templates-actually-create-DOWNLOAD_TEMP-directory.patch \
+ file://template-make-busybox-template-compatible-with-core-.patch \
+ file://templates-use-curl-instead-of-wget.patch \
+ file://tests-our-init-is-not-busybox.patch \
+ file://tests-add-no-validate-when-using-download-template.patch \
+ file://dnsmasq.conf \
+ file://lxc-net \
+ "
+
+SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
+SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"
+
+S = "${WORKDIR}/${BPN}-${PV}"
+
+# Let's not configure for the host distro.
+#
+PTEST_CONF = "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '--enable-tests', '', d)}"
+EXTRA_OECONF += "--with-distro=${DISTRO} ${PTEST_CONF}"
+
+EXTRA_OECONF += "--with-init-script=\
+${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit,', '', d)}\
+${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+EXTRA_OECONF += "--enable-log-src-basename"
+
+CFLAGS_append = " -Wno-error=deprecated-declarations"
+
+PACKAGECONFIG ??= "templates \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
+"
+PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc --disable-api-docs,,"
+PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"
+PACKAGECONFIG[apparmor] = "--enable-apparmor,--disable-apparmor,apparmor,apparmor"
+PACKAGECONFIG[templates] = ",,, ${PN}-templates"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
+PACKAGECONFIG[seccomp] ="--enable-seccomp,--disable-seccomp,libseccomp,libseccomp"
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,--without-systemdsystemunitdir,systemd,"
+
+# required by python3 to run setup.py
+export BUILD_SYS
+export HOST_SYS
+export STAGING_INCDIR
+export STAGING_LIBDIR
+
+inherit autotools pkgconfig ptest update-rc.d systemd python3native
+
+SYSTEMD_PACKAGES = "${PN} ${PN}-networking"
+SYSTEMD_SERVICE_${PN} = "lxc.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "disable"
+SYSTEMD_SERVICE_${PN}-networking = "lxc-net.service"
+SYSTEMD_AUTO_ENABLE_${PN}-networking = "enable"
+
+INITSCRIPT_PACKAGES = "${PN} ${PN}-networking"
+INITSCRIPT_NAME_${PN} = "lxc-containers"
+INITSCRIPT_PARAMS_${PN} = "defaults"
+INITSCRIPT_NAME_${PN}-networking = "lxc-net"
+INITSCRIPT_PARAMS_${PN}-networking = "defaults"
+
+FILES_${PN}-doc = "${mandir} ${infodir}"
+# For LXC the docdir only contains example configuration files and should be included in the lxc package
+FILES_${PN} += "${docdir}"
+FILES_${PN} += "${libdir}/python3*"
+FILES_${PN} += "${datadir}/bash-completion"
+FILES_${PN}-dbg += "${libexecdir}/lxc/.debug"
+FILES_${PN}-dbg += "${libexecdir}/lxc/hooks/.debug"
+PACKAGES =+ "${PN}-templates ${PN}-networking ${PN}-lua"
+FILES_lua-${PN} = "${datadir}/lua ${libdir}/lua"
+FILES_lua-${PN}-dbg += "${libdir}/lua/lxc/.debug"
+FILES_${PN}-templates += "${datadir}/lxc/templates"
+RDEPENDS_${PN}-templates += "bash"
+
+FILES_${PN}-networking += " \
+ ${sysconfdir}/init.d/lxc-net \
+ ${sysconfdir}/default/lxc-net \
+"
+
+CACHED_CONFIGUREVARS += " \
+ ac_cv_path_PYTHON='${STAGING_BINDIR_NATIVE}/python3-native/python3' \
+ am_cv_python_pyexecdir='${exec_prefix}/${libdir}/python3.5/site-packages' \
+ am_cv_python_pythondir='${prefix}/${libdir}/python3.5/site-packages' \
+"
+
+do_install_append() {
+ # The /var/cache/lxc directory created by the Makefile
+ # is wiped out in volatile, we need to create this at boot.
+ rm -rf ${D}${localstatedir}/cache
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 ${localstatedir}/cache/lxc none" \
+ > ${D}${sysconfdir}/default/volatiles/99_lxc
+
+ for i in `grep -l "#! */bin/bash" ${D}${datadir}/lxc/hooks/*`; do \
+ sed -e 's|#! */bin/bash|#!/bin/sh|' -i $i; done
+
+ install -d ${D}${sysconfdir}/init.d
+ install -m 755 config/init/sysvinit/lxc* ${D}${sysconfdir}/init.d
+
+ # since python3-native is used for install location this will not be
+ # suitable for the target and we will have to correct the package install
+ if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
+ if [ -d ${D}${exec_prefix}/lib/python* ]; then mv ${D}${exec_prefix}/lib/python* ${D}${libdir}/; fi
+ rmdir --ignore-fail-on-non-empty ${D}${exec_prefix}/lib
+ fi
+
+ # /etc/default/lxc sources lxc-net, this allows lxc bridge when lxc-networking
+ # is not installed this results in no lxcbr0, but when lxc-networking is installed
+ # lxcbr0 will be fully configured.
+ install -m 644 ${WORKDIR}/lxc-net ${D}${sysconfdir}/default/
+
+ # Force the main dnsmasq instance to bind only to specified interfaces and
+ # to not bind to virbr0. Libvirt will run its own instance on this interface.
+ install -d ${D}/${sysconfdir}/dnsmasq.d
+ install -m 644 ${WORKDIR}/dnsmasq.conf ${D}/${sysconfdir}/dnsmasq.d/lxc
+}
+
+EXTRA_OEMAKE += "TEST_DIR=${D}${PTEST_PATH}/src/tests"
+
+do_install_ptest() {
+ # Move tests to the "ptest directory"
+ install -d ${D}/${PTEST_PATH}/tests
+ mv ${D}/usr/bin/lxc-test-* ${D}/${PTEST_PATH}/tests/.
+}
+
+pkg_postinst_${PN}() {
+ if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then
+ /etc/init.d/populate-volatile.sh update
+ fi
+}
+
+pkg_postinst_ontarget_${PN}-networking() {
+if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+cat >> /etc/network/interfaces << EOF
+
+auto lxcbr0
+iface lxcbr0 inet dhcp
+ bridge_ports eth0
+ bridge_fd 0
+ bridge_maxwait 0
+EOF
+
+cat</etc/network/if-pre-up.d/lxcbr0
+#! /bin/sh
+
+if test "x\$IFACE" = xlxcbr0 ; then
+ brctl show |grep lxcbr0 > /dev/null 2>/dev/null
+ if [ \$? != 0 ] ; then
+ brctl addbr lxcbr0
+ brctl addif lxcbr0 eth0
+ ip addr flush eth0
+ ifconfig eth0 up
+ fi
+fi
+EOF
+chmod 755 /etc/network/if-pre-up.d/lxcbr0
+fi
+}
-- cgit v1.2.3-54-g00ecf
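Review bot: pkg_postinst_ontarget_${PN}-networking appends the lxcbr0 stanza to /etc/network/interfaces with an unconditional `cat >>`, so every reinstall or upgrade of lxc-networking on a sysvinit image adds another duplicate `auto lxcbr0` block; guard it with something like `grep -q '^auto lxcbr0' /etc/network/interfaces || cat >> /etc/network/interfaces << EOF`. The generated if-pre-up.d/lxcbr0 script then enslaves eth0 to the bridge and flushes its addresses, which puts every container on the host's physical L2 segment instead of behind the NAT'd bridge that lxc-net (auto-enabled for systemd earlier in this file) creates; a comment stating that this exposure is intended, or at least a check that eth0 exists before `brctl addif lxcbr0 eth0`, would spare the next reader from guessing. SRC_URI still fetches the tarball over plain http; the sha256sum detects a tampered download, but https would also prevent one and costs nothing. The line rendered here as `cat</etc/network/if-pre-up.d/lxcbr0` cannot be a heredoc redirect as written, so the `<<EOF>` was presumably lost in rendering — worth verifying against the actual recipe. All of this is carried over verbatim from lxc_3.2.1.bb, so the uprev did not introduce it but is the natural place to fix it.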