lxc: update to 2.0.0

2.0.0 is released, and contains many of the patches we've been carrying for
1.x.

With this update, we drop the upstream backports (and submitted patches), and
refresh one patch. Otherwise, everything is the same.

Sanity tested on x86-64.

Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Bruce Ashfield 2016-04-25 14:55:34 -04:00
parent 3498e94adf
commit 38cdaf39bf
14 changed files with 8 additions and 922 deletions


@ -1,96 +0,0 @@
From dd267776ee265737520c2c661a51c2d29cf43cb0 Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Date: Mon, 16 Feb 2015 09:38:34 +0000
Subject: [PATCH 10/12] add lxc.rebootsignal
Following the model of f0f1d8c076ae93d8ecf735c2eeae471e27ca6abd, add a reboot
signal for special init processes that work on something other than SIGINT.
Upstream-Status: Accepted
[https://github.com/lxc/lxc/commit/dd267776ee265737520c2c661a51c2d29cf43cb0]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/conf.h | 1 +
src/lxc/confile.c | 14 ++++++++++++++
src/lxc/lxccontainer.c | 5 ++++-
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index afa5517..334ea70 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -323,6 +323,7 @@ struct lxc_conf {
int maincmd_fd;
int autodev; // if 1, mount and fill a /dev at start
int haltsignal; // signal used to halt container
+ int rebootsignal; // signal used to reboot container
int stopsignal; // signal used to hard stop container
int kmsg; // if 1, create /dev/kmsg symlink
char *rcfile; // Copy of the top level rcfile we read
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 8544ac9..42d42e5 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -98,6 +98,7 @@ static int config_includefile(const char *, const char *, struct lxc_conf *);
static int config_network_nic(const char *, const char *, struct lxc_conf *);
static int config_autodev(const char *, const char *, struct lxc_conf *);
static int config_haltsignal(const char *, const char *, struct lxc_conf *);
+static int config_rebootsignal(const char *, const char *, struct lxc_conf *);
static int config_stopsignal(const char *, const char *, struct lxc_conf *);
static int config_start(const char *, const char *, struct lxc_conf *);
static int config_group(const char *, const char *, struct lxc_conf *);
@@ -158,6 +159,7 @@ static struct lxc_config_t config[] = {
{ "lxc.include", config_includefile },
{ "lxc.autodev", config_autodev },
{ "lxc.haltsignal", config_haltsignal },
+ { "lxc.rebootsignal", config_rebootsignal },
{ "lxc.stopsignal", config_stopsignal },
{ "lxc.start.auto", config_start },
{ "lxc.start.delay", config_start },
@@ -1268,6 +1270,18 @@ static int config_haltsignal(const char *key, const char *value,
return 0;
}
+static int config_rebootsignal(const char *key, const char *value,
+ struct lxc_conf *lxc_conf)
+{
+ int sig_n = sig_parse(value);
+
+ if (sig_n < 0)
+ return -1;
+ lxc_conf->rebootsignal = sig_n;
+
+ return 0;
+}
+
static int config_stopsignal(const char *key, const char *value,
struct lxc_conf *lxc_conf)
{
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index e02ee93..4422f4a 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1363,6 +1363,7 @@ free_tpath:
static bool lxcapi_reboot(struct lxc_container *c)
{
pid_t pid;
+ int rebootsignal = SIGINT;
if (!c)
return false;
@@ -1371,7 +1372,9 @@ static bool lxcapi_reboot(struct lxc_container *c)
pid = c->init_pid(c);
if (pid <= 0)
return false;
- if (kill(pid, SIGINT) < 0)
+ if (c->lxc_conf && c->lxc_conf->rebootsignal)
+ rebootsignal = c->lxc_conf->rebootsignal;
+ if (kill(pid, rebootsignal) < 0)
return false;
return true;
--
2.1.4


@ -1,140 +0,0 @@
From baefc2176780b5e4527c1f86206c0ea72d80c8f5 Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Date: Tue, 10 Mar 2015 10:06:58 +0000
Subject: [PATCH] document lxc.rebootsignal
Also fix some minor indentation mishaps since we're here.
Upstrem-Status: Backport [from LXC 1.1]
[https://github.com/lxc/lxc/commit/936762f3fb6cf10e0756719f03aebe052d5c31a8]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
doc/lxc-stop.sgml.in | 4 +-
doc/lxc.container.conf.sgml.in | 86 ++++++++++++++++++++++++++----------------
2 files changed, 57 insertions(+), 33 deletions(-)
diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in
index bc5e6a8..3c69fed 100644
--- a/doc/lxc-stop.sgml.in
+++ b/doc/lxc-stop.sgml.in
@@ -70,7 +70,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
the container's init process, waiting up to 60 seconds for the container
to exit, and then returning. If the container fails to cleanly exit in
60 seconds, it will be sent the <command>lxc.stopsignal</command>
- (defaults to SIGKILL) to force it to shut down.
+ (defaults to SIGKILL) to force it to shut down. A request to reboot will
+ send the <command>lxc.rebootsignal</command> (defaults to SIGINT) to the
+ container's init process.
</para>
<para>
The <optional>-W</optional>, <optional>-r</optional>,
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index e98496d..1962528 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -158,46 +158,68 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<refsect2>
<title>Halt signal</title>
<para>
- Allows one to specify signal name or number, sent by lxc-stop to the
- container's init process to cleanly shutdown the container. Different
- init systems could use different signals to perform clean shutdown
- sequence. This option allows the signal to be specified in kill(1)
- fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
- default signal is SIGPWR.
+ Allows one to specify signal name or number, sent by lxc-stop to the
+ container's init process to cleanly shutdown the container. Different
+ init systems could use different signals to perform clean shutdown
+ sequence. This option allows the signal to be specified in kill(1)
+ fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
+ default signal is SIGPWR.
</para>
<variablelist>
- <varlistentry>
- <term>
- <option>lxc.haltsignal</option>
- </term>
- <listitem>
- <para>
- specify the signal used to halt the container
- </para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.haltsignal</option>
+ </term>
+ <listitem>
+ <para>
+ specify the signal used to halt the container
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>Reboot signal</title>
+ <para>
+ Allows one to specify signal name or number, sent by lxc-stop to
+ reboot the container. This option allows signal to be specified in
+ kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number.
+ The default signal is SIGINT.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.rebootsignal</option>
+ </term>
+ <listitem>
+ <para>
+ specify the signal used to reboot the container
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
<refsect2>
<title>Stop signal</title>
<para>
- Allows one to specify signal name or number, sent by lxc-stop to forcibly
- shutdown the container. This option allows signal to be specified in
- kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
- The default signal is SIGKILL.
- </para>
- <variablelist>
- <varlistentry>
- <term>
- <option>lxc.stopsignal</option>
- </term>
- <listitem>
- <para>
- specify the signal used to stop the container
- </para>
- </listitem>
- </varlistentry>
+ Allows one to specify signal name or number, sent by lxc-stop to forcibly
+ shutdown the container. This option allows signal to be specified in
+ kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
+ The default signal is SIGKILL.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.stopsignal</option>
+ </term>
+ <listitem>
+ <para>
+ specify the signal used to stop the container
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
--
2.1.4


@ -1,43 +0,0 @@
From 07e4c41f2963d73b9aedd552c74f17a33e89f020 Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Date: Thu, 24 Mar 2016 11:54:27 +0000
Subject: [PATCH] lxc-busybox: Remove warning for dynamically linked Busybox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The warning has been present since commit 32b37181ea (with no purpose stated).
Support for dynamically linked Busybox has been added since commit bf6cc73696.
Haven't encountered any issues with dynamically linked Busybox in my last
2 years' testing.
Upstream-status: Accepted
[https://github.com/lxc/lxc/commit/07e4c41f2963d73b9aedd552c74f17a33e89f020]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---
templates/lxc-busybox.in | 7 -------
1 file changed, 7 deletions(-)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index f547f9e..336fa12 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -304,13 +304,6 @@ configure_busybox()
return 1
fi
- file -L $(which busybox) | grep -q "statically linked"
- if [ $? -ne 0 ]; then
- echo "warning : busybox is not statically linked."
- echo "warning : The template script may not correctly"
- echo "warning : setup the container environment."
- fi
-
# copy busybox in the rootfs
cp $(which busybox) $rootfs/bin
if [ $? -ne 0 ]; then
--
1.9.1


@ -1,30 +0,0 @@
From 6ab1ca0375feeb00070f0c0f9186551b08b1ee5e Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Date: Tue, 22 Mar 2016 13:33:57 +0000
Subject: [PATCH] lxc-busybox: Touch /etc/fstab in the container rootfs
Upstream-status: Accepted
[https://github.com/lxc/lxc/commit/6ab1ca0375feeb00070f0c0f9186551b08b1ee5e]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
---
templates/lxc-busybox.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index c020e66..f547f9e 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -330,6 +330,9 @@ configure_busybox()
# relink /sbin/init
ln $rootfs/bin/busybox $rootfs/sbin/init
+ # /etc/fstab must exist for "mount -a"
+ touch $rootfs/etc/fstab
+
# passwd exec must be setuid
chmod +s $rootfs/bin/passwd
touch $rootfs/etc/shadow
--
1.9.1


@ -1,246 +0,0 @@
From ed52814c776963efdcc9dcda1ec26fc09930ef93 Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Date: Wed, 22 Apr 2015 14:53:32 +0000
Subject: [PATCH] lxc-busybox: add OpenSSH support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add an additional template parameter for SSH support in the container. Currently
this can be implemented using the Dropbear or OpenSSH utility. The respective
tool needs to be available on the host Linux.
If the parameter is omitted, the template will look for the Dropbear utility on
the host and install it if it is available (legacy behavior).
Adding OpenSSH support has been done following the model in the lxc-sshd
template.
Upstream-status: Accepted
[https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---
templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++---------
1 file changed, 139 insertions(+), 30 deletions(-)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 7e05bd6..95961a3 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -22,6 +22,7 @@
LXC_MAPPED_UID=
LXC_MAPPED_GID=
+SSH=
# Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
@@ -160,6 +161,116 @@ EOF
return $res
}
+install_dropbear()
+{
+ # copy dropbear binary
+ cp $(which dropbear) $rootfs/usr/sbin
+ if [ $? -ne 0 ]; then
+ echo "Failed to copy dropbear in the rootfs"
+ return 1
+ fi
+
+ # make symlinks to various ssh utilities
+ utils="\
+ $rootfs/usr/bin/dbclient \
+ $rootfs/usr/bin/scp \
+ $rootfs/usr/bin/ssh \
+ $rootfs/usr/sbin/dropbearkey \
+ $rootfs/usr/sbin/dropbearconvert \
+ "
+ echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
+
+ # add necessary config files
+ mkdir $rootfs/etc/dropbear
+ dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
+ dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
+
+ echo "'dropbear' ssh utility installed"
+
+ return 0
+}
+
+install_openssh()
+{
+ # tools to be installed
+ server_utils="sshd"
+ client_utils="\
+ ssh \
+ scp \
+ sftp \
+ ssh-add \
+ ssh-agent \
+ ssh-keygen \
+ ssh-keyscan \
+ ssh-argv0 \
+ ssh-copy-id \
+ "
+
+ # new folders used by ssh
+ ssh_tree="\
+$rootfs/etc/ssh \
+$rootfs/var/empty/sshd \
+$rootfs/var/lib/empty/sshd \
+$rootfs/var/run/sshd \
+"
+
+ # create folder structure
+ mkdir -p $ssh_tree
+ if [ $? -ne 0 ]; then
+ return 1
+ fi
+
+ # copy binaries
+ for bin in $server_utils $client_utils; do
+ tool_path=`which $bin`
+ cp $tool_path $rootfs/$tool_path
+ if [ $? -ne 0 ]; then
+ echo "Unable to copy $tool_path in the rootfs"
+ return 1
+ fi
+ done
+
+ # add user and group
+ cat <<EOF >> $rootfs/etc/passwd
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+EOF
+
+ cat <<EOF >> $rootfs/etc/group
+sshd:x:74:
+EOF
+
+ # generate container keys
+ ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1
+ ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1
+
+ # by default setup root password with no password
+ cat <<EOF > $rootfs/etc/ssh/sshd_config
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords yes
+ChallengeResponseAuthentication no
+EOF
+
+ echo "'OpenSSH' utility installed"
+
+ return 0
+}
+
configure_busybox()
{
rootfs=$1
@@ -230,34 +341,6 @@ EOF
lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE
rm $CHPASSWD_FILE
- # add ssh functionality if dropbear package available on host
- which dropbear >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- # copy dropbear binary
- cp $(which dropbear) $rootfs/usr/sbin
- if [ $? -ne 0 ]; then
- echo "Failed to copy dropbear in the rootfs"
- return 1
- fi
-
- # make symlinks to various ssh utilities
- utils="\
- $rootfs/usr/bin/dbclient \
- $rootfs/usr/bin/scp \
- $rootfs/usr/bin/ssh \
- $rootfs/usr/sbin/dropbearkey \
- $rootfs/usr/sbin/dropbearconvert \
- "
- echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
-
- # add necessary config files
- mkdir $rootfs/etc/dropbear
- dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
- dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
-
- echo "'dropbear' ssh utility installed"
- fi
-
return 0
}
@@ -315,12 +398,12 @@ remap_userns()
usage()
{
cat <<EOF
-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> -s|--ssh={dropbear,openssh}
EOF
return 0
}
-options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
+options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@")
if [ $? -ne 0 ]; then
usage $(basename $0)
exit 1
@@ -336,6 +419,7 @@ do
-n|--name) name=$2; shift 2;;
--mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
--mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
+ -s|--ssh) SSH=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
@@ -384,3 +468,28 @@ if [ $? -ne 0 ]; then
echo "failed to remap files to user"
exit 1
fi
+
+if [ -n "$SSH" ]; then
+ case "$SSH" in
+ "dropbear")
+ install_dropbear
+ if [ $? -ne 0 ]; then
+ echo "Unable to install 'dropbear' ssh utility"
+ exit 1
+ fi ;;
+ "openssh")
+ install_openssh
+ if [ $? -ne 0 ]; then
+ echo "Unable to install 'OpenSSH' utility"
+ exit 1
+ fi ;;
+ *)
+ echo "$SSH: unrecognized ssh utility"
+ exit 1
+ esac
+else
+ which dropbear >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ install_dropbear
+ fi
+fi
--
2.1.4


@ -1,31 +0,0 @@
From 22fb28a946397ec19b247efe170c15b263bf89af Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Date: Mon, 16 Feb 2015 09:38:36 +0000
Subject: [PATCH 12/12] lxc-busybox: use lxc.rebootsignal = SIGTERM
Otherwise lxc-stop -r has no effect on the container.
Upstream-Status: Accepted
[https://github.com/lxc/lxc/commit/22fb28a946397ec19b247efe170c15b263bf89af]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
templates/lxc-busybox.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 72531d6..7e05bd6 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -270,6 +270,7 @@ copy_configuration()
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
cat <<EOF >> $path/config
lxc.haltsignal = SIGUSR1
+lxc.rebootsignal = SIGTERM
lxc.utsname = $name
lxc.tty = 1
lxc.pts = 1
--
2.1.4


@ -1,16 +1,15 @@
Index: lxc-1.0.7/config/init/upstart/Makefile.am
Index: lxc-2.0.0/config/init/upstart/Makefile.am
===================================================================
--- lxc-1.0.7.orig/config/init/upstart/Makefile.am
+++ lxc-1.0.7/config/init/upstart/Makefile.am
@@ -3,9 +3,9 @@ EXTRA_DIST = lxc.conf lxc-instance.conf
--- lxc-2.0.0.orig/config/init/upstart/Makefile.am
+++ lxc-2.0.0/config/init/upstart/Makefile.am
@@ -3,9 +3,9 @@
if INIT_SCRIPT_UPSTART
install-upstart: lxc.conf lxc-instance.conf lxc-net.conf
$(MKDIR_P) $(DESTDIR)$(sysconfdir)/init/
- $(INSTALL_DATA) lxc.conf $(DESTDIR)$(sysconfdir)/init/
- $(INSTALL_DATA) lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/
- $(INSTALL_DATA) lxc-net.conf $(DESTDIR)$(sysconfdir)/init/
+ $(INSTALL_DATA) $(srcdir)/lxc.conf $(DESTDIR)$(sysconfdir)/init/
+ $(INSTALL_DATA) $(srcdir)/lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/
$(INSTALL_DATA) $(srcdir)/lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/
- $(INSTALL_DATA) lxc-net.conf $(DESTDIR)$(sysconfdir)/init/
+ $(INSTALL_DATA) $(srcdir)/lxc-net.conf $(DESTDIR)$(sysconfdir)/init/
uninstall-upstart:


@ -1,72 +0,0 @@
From 4acc7a24e098445de502a6f59a8b3dff2cd8536d Mon Sep 17 00:00:00 2001
From: fli <fupan.li@windriver.com>
Date: Thu, 21 Apr 2016 19:07:10 -0700
Subject: [PATCH] lxc: let lxc-start support wlan phys
The commit: e5848d395cb <netdev_move_by_index: support wlan> only
made netdev_move_by_name support wlan, instead of netdev_move_by_index.
Given netdev_move_by_name is a wrapper of netdev_move_by_index, so here
replacing all of the call to lxc_netdev_move_by_index with lxc_netdev_move_by_name
to let lxc-start support wlan phys.
Signed-off-by: fli <fupan.li@windriver.com>
---
src/lxc/conf.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 034bdff..bcba0f1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2623,6 +2623,7 @@ void restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf)
{
int i, ret, oldfd;
char path[MAXPATHLEN];
+ char ifname[IFNAMSIZ];
if (netnsfd < 0)
return;
@@ -2643,9 +2644,13 @@ void restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf)
}
for (i=0; i<conf->num_savednics; i++) {
struct saved_nic *s = &conf->saved_nics[i];
- if (lxc_netdev_move_by_index(s->ifindex, 1, NULL))
- WARN("Error moving nic index:%d back to host netns",
- s->ifindex);
+ /* retrieve the name of the interface */
+ if (!if_indextoname(s->ifindex, ifname)) {
+ WARN("no interface corresponding to index '%d'", s->ifindex);
+ continue;
+ }
+ if (lxc_netdev_move_by_name(ifname, 1, NULL))
+ WARN("Error moving nic name:%s back to host netns", ifname);
}
if (setns(oldfd, 0) != 0)
SYSERROR("Failed to re-enter monitor's netns");
@@ -3208,6 +3213,7 @@ int lxc_assign_network(struct lxc_list *network, pid_t pid)
{
struct lxc_list *iterator;
struct lxc_netdev *netdev;
+ char ifname[IFNAMSIZ];
int am_root = (getuid() == 0);
int err;
@@ -3228,7 +3234,13 @@ int lxc_assign_network(struct lxc_list *network, pid_t pid)
if (!netdev->ifindex)
continue;
- err = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
+ /* retrieve the name of the interface */
+ if (!if_indextoname(netdev->ifindex, ifname)) {
+ ERROR("no interface corresponding to index '%d'", netdev->ifindex);
+ return -1;
+ }
+
+ err = lxc_netdev_move_by_name(ifname, pid, NULL);
if (err) {
ERROR("failed to move '%s' to the container : %s",
netdev->link, strerror(-err));
--
2.7.4


@ -1,39 +0,0 @@
From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Date: Fri, 8 Jan 2016 15:38:44 +0000
Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
When running application containers with lxc-execute, /dev is
populated only with device entries. Since /dev is a tmpfs mount in
the container environment, the /dev/shm folder not being present is not
a sufficient reason for the /dev/shm mount to fail.
Create the /dev/shm directory if not present.
Upstream-status: Accepted
[https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/initutils.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 45df60f..8d9016c 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
if (mount_fs("proc", "/proc", "proc"))
INFO("failed to remount proc");
+ /* if /dev has been populated by us, /dev/shm does not exist */
+ if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
+ INFO("failed to create /dev/shm");
+
/* if we can't mount /dev/shm, continue anyway */
if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
INFO("failed to mount /dev/shm");
--
1.9.1


@ -1,49 +0,0 @@
From 34be0d3cd8c4eaca9929470bc8bce5e74975bccf Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Date: Thu, 23 Apr 2015 08:33:00 +0000
Subject: [PATCH] lxc-busybox: make some OpenSSH tools optional
Currently, when installing OpenSSH in a Busybox container, the template searches
for all the OpenSSH client binaries available in the Debian distro package. The
included tools might differ from distro to distro, so make part of the tools
optional. The mandatory tools, without which installing OpenSSH fails, are
"sshd" for the server and "ssh" and "scp" for the client.
Upstream-Status: Submitted
[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-April/011696.html]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
templates/lxc-busybox.in | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 95961a3..17a3006 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -197,6 +197,8 @@ install_openssh()
client_utils="\
ssh \
scp \
+ "
+ client_optional_utils="\
sftp \
ssh-add \
ssh-agent \
@@ -230,6 +232,13 @@ $rootfs/var/run/sshd \
fi
done
+ for bin in $client_optional_utils; do
+ tool_path=`which $bin`
+ if [ $? -eq 0 ]; then
+ cp $tool_path $rootfs/$tool_path
+ fi
+ done
+
# add user and group
cat <<EOF >> $rootfs/etc/passwd
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
--
2.1.4


@ -1,69 +0,0 @@
From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Date: Wed, 20 Jan 2016 10:53:57 +0000
Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is defined
The safe_mount function was introduced in order to address CVE-2015-1335,
one of the vulnerabilities being a mount with a symlink for the
destination path. In scenarios such as lxc-execute with no rootfs, the
destination path is the host /proc, which is previously mounted by the
host, and is unmounted and mounted again in a new set of namespaces,
therefore eliminating the need to check for it being a symlink.
Mount the rootfs normally if the rootfs is NULL, keep the safe mount
only for scenarios where a different rootfs is defined.
Upstream-status: Accepted
[https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/conf.c | 1 +
src/lxc/utils.c | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 632dde3..1e30c0c 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
return 0;
}
+/* NOTE: not to be called from inside the container namespace! */
int tmp_proc_mount(struct lxc_conf *lxc_conf)
{
int mounted;
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 4e96a50..0bc7a20 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
*
* Returns < 0 on failure, 0 if the correct proc was already mounted
* and 1 if a new proc was mounted.
+ *
+ * NOTE: not to be called from inside the container namespace!
*/
int mount_proc_if_needed(const char *rootfs)
{
@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
return 0;
domount:
- if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
+ if (!strcmp(rootfs,"")) /* rootfs is NULL */
+ ret = mount("proc", path, "proc", 0, NULL);
+ else
+ ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
+
+ if (ret < 0)
return -1;
+
INFO("Mounted /proc in container for security transition");
return 1;
}
--
1.9.1


@ -1,37 +0,0 @@
From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Date: Fri, 8 Jan 2016 15:38:35 +0000
Subject: [PATCH] open_without_symlink: Account when prefix is empty string
In the current implementation, the open_without_symlink function
will default to opening the root mount only if the passed rootfs
prefix is null. It doesn't account for the case where this prefix
is passed as an empty string.
Properly handle this second case as well.
Upstream-Status: Accepted
[https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
src/lxc/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index ed8c4c4..4e96a50 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target, const char *prefix_skip)
fulllen = strlen(target);
/* make sure prefix-skip makes sense */
- if (prefix_skip) {
+ if (prefix_skip && strlen(prefix_skip) > 0) {
curlen = strlen(prefix_skip);
if (!is_subdir(target, prefix_skip, curlen)) {
ERROR("WHOA there - target '%s' didn't start with prefix '%s'",
--
1.9.1


@ -1,49 +0,0 @@
From 88e078ba865b675f9a0dc61caa0732d7052593f8 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@mailbox.org>
Date: Wed, 23 Mar 2016 16:37:09 +0100
Subject: [PATCH] open_without_symlink: Don't SYSERROR on something else than
ELOOP
The open_without_symlink routine has been specifically created to prevent
mounts with synlinks as source or destination. Keep SYSERROR'ing in that
particular scenario, but leave error handling to calling functions for the
other ones - e.g. optional bind mount when the source dir doesn't exist
throws a nasty error.
Upstream-status: Accepted
[https://github.com/lxc/lxc/commit/88e078ba865b675f9a0dc61caa0732d7052593f8]
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
---
src/lxc/utils.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 6bee698..8e7ebbc 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1621,8 +1621,6 @@ static int open_without_symlink(const char *target, const char *prefix_skip)
errno = saved_errno;
if (errno == ELOOP)
SYSERROR("%s in %s was a symbolic link!", nextpath, target);
- else
- SYSERROR("Error examining %s in %s", nextpath, target);
goto out;
}
}
@@ -1667,8 +1665,11 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
destfd = open_without_symlink(dest, rootfs);
if (destfd < 0) {
- if (srcfd != -1)
+ if (srcfd != -1) {
+ saved_errno = errno;
close(srcfd);
+ errno = saved_errno;
+ }
return destfd;
}
--
1.9.1


@ -26,25 +26,13 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
file://runtest.patch \
file://run-ptest \
file://automake-ensure-VPATH-builds-correctly.patch \
file://add-lxc.rebootsignal.patch \
file://document-lxc.rebootsignal.patch \
file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
file://lxc-fix-B-S.patch \
file://lxc-busybox-add-OpenSSH-support.patch \
file://make-some-OpenSSH-tools-optional.patch \
file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
file://open_without_symlink-Don-t-SYSERROR-on-something-els.patch \
file://lxc-busybox-Touch-etc-fstab-in-the-container-rootfs.patch \
file://lxc-busybox-Remove-warning-for-dynamically-linked-Bu.patch \
file://lxc-let-lxc-start-support-wlan-phys.patch \
"
SRC_URI[md5sum] = "dd9684dde0a58ed13f4f49c855b79a1a"
SRC_URI[sha256sum] = "9588ad1b04e114ee7370f690c65131e28098b28d2521d97c73557d11897ed0be"
SRC_URI[md5sum] = "04a7245a614cd3296b0ae9ceeeb83fbb"
SRC_URI[sha256sum] = "5b737e114d8ef1feb193fba936d77a5697a7c8a10199a068cdd90d1bd27c10e4"
S = "${WORKDIR}/${BPN}-${PV}"
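Review bot: The SRC_URI hunk removes `file://lxc-fix-B-S.patch`, `file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch` and `file://logs-optionally-use-base-filenames-to-report-src-fil.patch`, but none of the 14 file sections in this commit deletes those three files, so they seem to be left in the tree as unreferenced patches unless they are removed elsewhere; either delete them here or keep them in SRC_URI. Among the patches dropped, `lxc-let-lxc-start-support-wlan-phys.patch` is the only one whose header (in its deleted section above) carries no Upstream-Status tag, so its removal is not covered by the "drop upstream backports" rationale; if 2.0.0 does not carry an equivalent change, lxc-start loses the wlan phys handling and the commit message should state that trade-off. The checksum lines are otherwise consistent (both md5sum and sha256sum updated together).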