MIRRORS/meta-virtualization
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-virtualization.git synced 2025-07-19 20:59:41 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

lxc: update to 4.0.11

Browse Source 
update to 4.0.11

1.drop two patches that have been integrated to upstream repo.
2.drop tests-add-no-validate-when-using-download-template.patch
  because it is no longer appropriate as the "download" has been
  replaced with "busybox"
3.fix the apply failure of templates-use-curl-instead-of-wget.patch
4.update lxc from 4.0.10 to 4.0.11

Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
This commit is contained in:
Xu, Yanfei 2021-11-01 18:13:19 +08:00 committed by Bruce Ashfield
parent f71bedc29d
commit 3bff112a44
5 changed files with 15 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
View File

@ -1,46 +0,0 @@
From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Date: Mon, 23 Aug 2021 22:04:40 +0200
Subject: [PATCH] config: enable seccomp profile only when compiled with
libseccomp
Make lxc fail if seccomp.profile is specified but lxc is compiled
without seccomp support. Currently, seccomp.profile is silently ignored
if is specified in such a scenario. This could lead to the false
impression that the seccomp filter is applied while it actually isn't.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
---
src/lxc/confile.c | 8 ++++++++
1 file changed, 8 insertions(+)
Upstream-Status: Submitted [https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e]
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index d8b96c6921..1cc8da15f1 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value,
static int set_config_seccomp_profile(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
+#ifdef HAVE_SECCOMP
return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
+#else
+ return ret_set_errno(-1, ENOSYS);
+#endif
}
static int set_config_execute_cmd(const char *key, const char *value,
@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inle
static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data)
{
+#ifdef HAVE_SECCOMP
return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
+#else
+ return ret_errno(ENOSYS);
+#endif
}
static int get_config_autodev(const char *key, char *retv, int inlen,

36
recipes-containers/lxc/files/fix_c_command.patch
View File

@ -1,36 +0,0 @@
From 9becf309a81806ef08acf9ca99ab95c1bcfa1f65 Mon Sep 17 00:00:00 2001
From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Date: Mon, 23 Aug 2021 15:39:28 +0200
Subject: [PATCH] attach: Fix -c command
Currently, the -c command (to set the selinux context) seems to be
broken because the passed context is ignored and always overwritten by
the context specified in the config file. The intention behind the -c
imho was to be able to manually overwrite this behavior. This patch
ensures that the selinux context will be set if passed via the command
line.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
---
src/lxc/tools/lxc_attach.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Upstream-Status: Backport [https://github.com/lxc/lxc/commit/9becf309a81806ef08acf9ca99ab95c1bcfa1f65.patch]
Comment: No change in any hunk
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 0374d980b4..e6b388b20c 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -379,7 +379,10 @@ int main(int argc, char *argv[])
attach_options.gid = my_args.gid;
// selinux_context will be NULL if not set
- attach_options.lsm_label = selinux_context;
+ if (selinux_context) {
+ attach_options.attach_flags |= LXC_ATTACH_LSM_LABEL;
+ attach_options.lsm_label = selinux_context;
+ }
if (command.program) {
ret = c->attach_run_wait(c, &attach_options, command.program,

23
recipes-containers/lxc/files/templates-use-curl-instead-of-wget.patch
View File

@ -1,4 +1,4 @@
From 07890dd8ffdcd08b7be1ddbd9f56ac55482c76bb Mon Sep 17 00:00:00 2001 From 1db2db7783bd7ec2aa1da86e640019891634c659 Mon Sep 17 00:00:00 2001
From: Joakim Roubert <joakimr@axis.com> From: Joakim Roubert <joakimr@axis.com>
Date: Fri, 16 Aug 2019 07:52:48 +0200 Date: Fri, 16 Aug 2019 07:52:48 +0200
Subject: [PATCH] Use curl instead of wget Subject: [PATCH] Use curl instead of wget
@ -7,16 +7,16 @@ When curl's MIT license is preferable to wget's GPLv3.
Change-Id: I4684ae7569704514fdcc63e0655c556efcaf44f8 Change-Id: I4684ae7569704514fdcc63e0655c556efcaf44f8
Signed-off-by: Joakim Roubert <joakimr@axis.com> Signed-off-by: Joakim Roubert <joakimr@axis.com>
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
--- ---
templates/lxc-download.in | 10 +++++----- templates/lxc-download.in | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-) 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/templates/lxc-download.in b/templates/lxc-download.in diff --git a/templates/lxc-download.in b/templates/lxc-download.in
index d7e6128..8a4b567 100644 index e8570692a..f7291b0cc 100755
--- a/templates/lxc-download.in --- a/templates/lxc-download.in
+++ b/templates/lxc-download.in +++ b/templates/lxc-download.in
@@ -74,9 +74,9 @@ cleanup() { @@ -75,9 +75,9 @@ cleanup() {
fi fi
} }
@ -28,18 +28,18 @@ index d7e6128..8a4b567 100644
return 0 return 0
fi fi
done done
@@ -85,8 +85,8 @@ wget_wrapper() { @@ -86,8 +86,8 @@ wget_wrapper() {
} }
download_file() { download_file() {
- if ! wget_wrapper -T 30 -q "https://${DOWNLOAD_SERVER}/$1" -O "$2" >/dev/null 2>&1; then - if ! wget_wrapper --user-agent="lxc/@PACKAGE_VERSION@ compat:${DOWNLOAD_COMPAT_LEVEL}" -T 30 -q "https://${DOWNLOAD_SERVER}/$1" -O "$2" >/dev/null 2>&1; then
- if ! wget_wrapper -T 30 -q "http://${DOWNLOAD_SERVER}/$1" -O "$2" >/dev/null 2>&1; then - if ! wget_wrapper --user-agent="lxc/@PACKAGE_VERSION@ compat:${DOWNLOAD_COMPAT_LEVEL}" -T 30 -q "http://${DOWNLOAD_SERVER}/$1" -O "$2" >/dev/null 2>&1; then
+ if ! curl_wrapper -m 30 -s "https://${DOWNLOAD_SERVER}/$1" -o "$2" >/dev/null 2>&1; then + if ! curl_wrapper --user-agent="lxc/@PACKAGE_VERSION@ compat:${DOWNLOAD_COMPAT_LEVEL}" -m 30 -s "https://${DOWNLOAD_SERVER}/$1" -o "$2" >/dev/null 2>&1; then
+ if ! curl_wrapper -m 30 -s "http://${DOWNLOAD_SERVER}/$1" -o "$2" >/dev/null 2>&1; then + if ! curl_wrapper --user-agent="lxc/@PACKAGE_VERSION@ compat:${DOWNLOAD_COMPAT_LEVEL}" -m 30 -s "http://${DOWNLOAD_SERVER}/$1" -o "$2" >/dev/null 2>&1; then
if [ "$3" = "noexit" ]; then if [ "$3" = "noexit" ]; then
return 1 return 1
else else
@@ -271,7 +271,7 @@ while :; do @@ -277,7 +277,7 @@ while :; do
done done
# Check for required binaries # Check for required binaries
@ -48,3 +48,6 @@ index d7e6128..8a4b567 100644
if ! command -V "${bin}" >/dev/null 2>&1; then if ! command -V "${bin}" >/dev/null 2>&1; then
echo "ERROR: Missing required tool: ${bin}" 1>&2 echo "ERROR: Missing required tool: ${bin}" 1>&2
exit 1 exit 1
--
2.27.0

85
recipes-containers/lxc/files/tests-add-no-validate-when-using-download-template.patch
View File

@ -1,85 +0,0 @@
From 1c2506434e744d8c6a86e42c9d8bae4cde7553f6 Mon Sep 17 00:00:00 2001
From: Mark Asselstine <mark.asselstine@windriver.com>
Date: Thu, 31 May 2018 15:14:26 -0400
Subject: [PATCH] tests: add '--no-validate' when using download template
We are usually running the ptests with core-image-minimal which has no
mechanism to validate the downloads. Validation isn't really of
interest to this test at any rate so simply add '--no-validate' to
avoid failing due to no GPG validation.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
---
src/tests/lxc-test-apparmor-mount | 2 +-
src/tests/lxc-test-autostart | 2 +-
src/tests/lxc-test-no-new-privs | 2 +-
src/tests/lxc-test-unpriv | 2 +-
src/tests/lxc-test-usernic.in | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
Index: lxc-4.0.9/src/tests/lxc-test-apparmor-mount
===================================================================
--- lxc-4.0.9.orig/src/tests/lxc-test-apparmor-mount
+++ lxc-4.0.9/src/tests/lxc-test-apparmor-mount
@@ -170,7 +170,7 @@
done
fi
-run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH
+run_cmd lxc-create -t download -n $cname -- --no-validate -d ubuntu -r $release -a $ARCH
echo "test default confined container"
run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
Index: lxc-4.0.9/src/tests/lxc-test-autostart
===================================================================
--- lxc-4.0.9.orig/src/tests/lxc-test-autostart
+++ lxc-4.0.9/src/tests/lxc-test-autostart
@@ -55,7 +55,7 @@
done
fi
-lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r $release -a $ARCH
+lxc-create -t download -n $CONTAINER_NAME -B dir -- --no-validate -d ubuntu -r $release -a $ARCH
CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c lxc.rootfs.path -H) | sed -e 's/dir://')
cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak
Index: lxc-4.0.9/src/tests/lxc-test-no-new-privs
===================================================================
--- lxc-4.0.9.orig/src/tests/lxc-test-no-new-privs
+++ lxc-4.0.9/src/tests/lxc-test-no-new-privs
@@ -49,7 +49,7 @@
ARCH=$(dpkg --print-architecture)
fi
-lxc-create -t download -n c1 -- -d ubuntu -r xenial -a $ARCH
+lxc-create -t download -n c1 -- --no-validate -d ubuntu -r xenial -a $ARCH
echo "lxc.no_new_privs = 1" >> /var/lib/lxc/c1/config
lxc-start -n c1
Index: lxc-4.0.9/src/tests/lxc-test-unpriv
===================================================================
--- lxc-4.0.9.orig/src/tests/lxc-test-unpriv
+++ lxc-4.0.9/src/tests/lxc-test-unpriv
@@ -178,7 +178,7 @@
cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
chown -R $TUSER: $HDIR/.cache/lxc
-run_cmd lxc-create -t download -n c1 -l trace -o "${UNPRIV_LOG}" -- -d ubuntu -r $release -a $ARCH
+run_cmd lxc-create -t download -n c1 -l trace -o "${UNPRIV_LOG}" -- --no-validate -d ubuntu -r $release -a $ARCH
# Make sure we can start it - twice
Index: lxc-4.0.9/src/tests/lxc-test-usernic.in
===================================================================
--- lxc-4.0.9.orig/src/tests/lxc-test-usernic.in
+++ lxc-4.0.9/src/tests/lxc-test-usernic.in
@@ -147,7 +147,7 @@
fi
# Create three containers
-run_cmd "lxc-create -t download -n b1 -- -d ubuntu -r $release -a $ARCH"
+run_cmd "lxc-create -t download -n b1 -- --no-validate -d ubuntu -r $release -a $ARCH"
run_cmd "lxc-start -n b1 -d"
p1=$(run_cmd "lxc-info -n b1 -p -H")

7
recipes-containers/lxc/lxc_git.bb
View File

@ -46,15 +46,12 @@ SRC_URI = "git://github.com/lxc/lxc.git;branch=stable-4.0 \
file://template-make-busybox-template-compatible-with-core-.patch \ file://template-make-busybox-template-compatible-with-core-.patch \
file://templates-use-curl-instead-of-wget.patch \ file://templates-use-curl-instead-of-wget.patch \
file://tests-our-init-is-not-busybox.patch \ file://tests-our-init-is-not-busybox.patch \
file://tests-add-no-validate-when-using-download-template.patch \
file://dnsmasq.conf \ file://dnsmasq.conf \
file://lxc-net \ file://lxc-net \
file://enable_seccomp_profile_when_compiled_libseccomp.patch \
file://fix_c_command.patch \
" "
SRCREV = "cec7cb14b2a4367d4cb21a90e1b90d0f98a9d874" SRCREV = "48e079bf318982ae7d5684feeb7358870fa71c10"
PV = "4.0.10+git${SRCPV}" PV = "4.0.11+git${SRCPV}"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"