Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-emulation/lxc/files
diff options
context:
space:
mode:
authori.Dark_Templar <darktemplar@dark-templar-archives.net>2017-11-05 11:50:03 +0300
committerMatthias Maier <tamiko@gentoo.org>2018-01-30 11:00:12 -0600
commitdd450253467dd8d704a398d794d1a704cac81ecc (patch)
treec0c78111422314d9dcd6e273f2e0513ebfda2bdf /app-emulation/lxc/files
parentdev-libs/libevdev: Bump to version 1.5.8 (diff)
downloadgentoo-dd450253467dd8d704a398d794d1a704cac81ecc.tar.gz
gentoo-dd450253467dd8d704a398d794d1a704cac81ecc.tar.bz2
gentoo-dd450253467dd8d704a398d794d1a704cac81ecc.zip
app-emulation/lxc: bump to version 2.1.1.
[tamiko: regenerate metadata to make remote hook happy] Closes: https://bugs.gentoo.org/636572 Closes: https://github.com/gentoo/gentoo/pull/6128 Signed-off-by: Matthias Maier <tamiko@gentoo.org>
Diffstat (limited to 'app-emulation/lxc/files')
-rw-r--r--app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch164
-rw-r--r--app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch26
-rw-r--r--app-emulation/lxc/files/lxc.initd.7124
3 files changed, 314 insertions, 0 deletions
diff --git a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch b/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
new file mode 100644
index 000000000000..8493491d0d65
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
@@ -0,0 +1,164 @@
+From b635e92d21d2a4d71a553388f18cfa08f44bf1ba Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Mon, 30 Oct 2017 14:16:46 +0100
+Subject: [PATCH] cgroups: enable container without CAP_SYS_ADMIN
+
+In case cgroup namespaces are supported but we do not have CAP_SYS_ADMIN we
+need to mount cgroups for the container. This patch enables both privileged and
+unprivileged containers without CAP_SYS_ADMIN.
+
+Closes #1737.
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cgroups/cgfs.c | 3 ++-
+ src/lxc/cgroups/cgfsng.c | 52 +++++++++++++++++++++++++++++++++++++++++++++---
+ src/lxc/cgroups/cgroup.c | 2 +-
+ src/lxc/conf.c | 3 ---
+ src/lxc/conf.h | 1 +
+ 5 files changed, 53 insertions(+), 8 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
+index bcbd6613..efd627f0 100644
+--- a/src/lxc/cgroups/cgfs.c
++++ b/src/lxc/cgroups/cgfs.c
+@@ -1418,11 +1418,12 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
+ struct cgfs_data *cgfs_d;
+ struct cgroup_process_info *info, *base_info;
+ int r, saved_errno = 0;
++ struct lxc_handler *handler = hdata;
+
+ if (cgns_supported())
+ return true;
+
+- cgfs_d = hdata;
++ cgfs_d = handler->cgroup_data;
+ if (!cgfs_d)
+ return false;
+ base_info = cgfs_d->info;
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index e43edd7d..ec6440c1 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -50,6 +50,7 @@
+ #include <linux/types.h>
+ #include <linux/kdev_t.h>
+
++#include "caps.h"
+ #include "cgroup.h"
+ #include "cgroup_utils.h"
+ #include "commands.h"
+@@ -1616,17 +1617,49 @@ do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
+ return 0;
+ }
+
++static int mount_cgroup_cgns_supported(struct hierarchy *h, const char *controllerpath)
++{
++ int ret;
++ char *controllers = NULL;
++ char *type = "cgroup2";
++
++ if (!h->is_cgroup_v2) {
++ controllers = lxc_string_join(",", (const char **)h->controllers, false);
++ if (!controllers)
++ return -ENOMEM;
++ type = "cgroup";
++ }
++
++ ret = mount("cgroup", controllerpath, type, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RELATIME, controllers);
++ free(controllers);
++ if (ret < 0) {
++ SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, type);
++ return -1;
++ }
++
++ DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, type);
++ return 0;
++}
++
+ static bool cgfsng_mount(void *hdata, const char *root, int type)
+ {
+- struct cgfsng_handler_data *d = hdata;
++ int i;
+ char *tmpfspath = NULL;
+ bool retval = false;
+- int i;
++ struct lxc_handler *handler = hdata;
++ struct cgfsng_handler_data *d = handler->cgroup_data;
++ bool has_cgns = false, has_sys_admin = true;
+
+ if ((type & LXC_AUTO_CGROUP_MASK) == 0)
+ return true;
+
+- if (cgns_supported())
++ has_cgns = cgns_supported();
++ if (!lxc_list_empty(&handler->conf->keepcaps))
++ has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
++ else
++ has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
++
++ if (has_cgns && has_sys_admin)
+ return true;
+
+ tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
+@@ -1662,6 +1695,19 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
+ free(controllerpath);
+ goto bad;
+ }
++
++ if (has_cgns && !has_sys_admin) {
++ /* If cgroup namespaces are supported but the container
++ * will not have CAP_SYS_ADMIN after it has started we
++ * need to mount the cgroups manually.
++ */
++ r = mount_cgroup_cgns_supported(h, controllerpath);
++ free(controllerpath);
++ if (r < 0)
++ goto bad;
++ continue;
++ }
++
+ if (mount_cgroup_full(type, h, controllerpath, d->container_cgroup) < 0) {
+ free(controllerpath);
+ goto bad;
+diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
+index 674e3090..36a665b1 100644
+--- a/src/lxc/cgroups/cgroup.c
++++ b/src/lxc/cgroups/cgroup.c
+@@ -166,7 +166,7 @@ bool cgroup_chown(struct lxc_handler *handler)
+ bool cgroup_mount(const char *root, struct lxc_handler *handler, int type)
+ {
+ if (ops)
+- return ops->mount_cgroup(handler->cgroup_data, root, type);
++ return ops->mount_cgroup(handler, root, type);
+
+ return false;
+ }
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index d2fab945..44d97843 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -210,9 +210,6 @@ __thread struct lxc_conf *current_config;
+ struct lxc_conf *current_config;
+ #endif
+
+-/* Declare this here, since we don't want to reshuffle the whole file. */
+-static int in_caplist(int cap, struct lxc_list *caps);
+-
+ static struct mount_opt mount_opt[] = {
+ { "async", 1, MS_SYNCHRONOUS },
+ { "atime", 1, MS_NOATIME },
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index c61f861e..63e71e2d 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -402,5 +402,6 @@ extern unsigned long add_required_remount_flags(const char *s, const char *d,
+ unsigned long flags);
+ extern int run_script(const char *name, const char *section, const char *script,
+ ...);
++extern int in_caplist(int cap, struct lxc_list *caps);
+
+ #endif /* __LXC_CONF_H */
+--
+2.13.6
+
diff --git a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch b/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
new file mode 100644
index 000000000000..c16d28ac3033
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
@@ -0,0 +1,26 @@
+From cdfe90a49f516b0f1210d181980f14a4765e10da Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Mon, 30 Oct 2017 14:17:20 +0100
+Subject: [PATCH] cgfsng: fix cgroup2 detection
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cgroups/cgfsng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 897336f0..e43edd7d 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -815,7 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
+ new->fullcgpath = NULL;
+
+ /* record if this is the cgroup v2 hierarchy */
+- if (!strcmp(base_cgroup, "cgroup2"))
++ if (clist && !strcmp(*clist, "cgroup2"))
+ new->is_cgroup_v2 = true;
+ else
+ new->is_cgroup_v2 = false;
+--
+2.13.6
+
diff --git a/app-emulation/lxc/files/lxc.initd.7 b/app-emulation/lxc/files/lxc.initd.7
new file mode 100644
index 000000000000..6a42b6aac520
--- /dev/null
+++ b/app-emulation/lxc/files/lxc.initd.7
@@ -0,0 +1,124 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+CONTAINER=${SVCNAME#*.}
+
+LXC_PATH=`lxc-config lxc.lxcpath`
+
+lxc_get_configfile() {
+ if [ -f "${LXC_PATH}/${CONTAINER}.conf" ]; then
+ echo "${LXC_PATH}/${CONTAINER}.conf"
+ elif [ -f "${LXC_PATH}/${CONTAINER}/config" ]; then
+ echo "${LXC_PATH}/${CONTAINER}/config"
+ else
+ eerror "Unable to find a suitable configuration file."
+ eerror "If you set up the container in a non-standard"
+ eerror "location, please set the CONFIGFILE variable."
+ return 1
+ fi
+}
+
+[ $CONTAINER != $SVCNAME ] && CONFIGFILE=${CONFIGFILE:-$(lxc_get_configfile)}
+
+lxc_get_var() {
+ awk 'BEGIN { FS="[ \t]*=[ \t]*" } $1 == "'$1'" { print $2; exit }' ${CONFIGFILE}
+}
+
+lxc_get_net_link_type() {
+ awk 'BEGIN { FS="[ \t]*=[ \t]*"; _link=""; _type="" }
+ $1 == "lxc.network.type" {_type=$2;}
+ $1 == "lxc.network.link" {_link=$2;}
+ match($1, /lxc\.net\.[[:digit:]]+\.type/) {_type=$2;}
+ match($1, /lxc\.net\.[[:digit:]]+\.link/) {_link=$2;}
+ {if(_link != "" && _type != ""){
+ printf("%s:%s\n", _link, _type );
+ _link=""; _type="";
+ }; }' <${CONFIGFILE}
+}
+
+checkconfig() {
+ if [ ${CONTAINER} = ${SVCNAME} ]; then
+ eerror "You have to create an init script for each container:"
+ eerror " ln -s lxc /etc/init.d/lxc.container"
+ return 1
+ fi
+
+ # no need to output anything, the function takes care of that.
+ [ -z "${CONFIGFILE}" ] && return 1
+
+ utsname=$(lxc_get_var lxc.uts.name)
+ if [ -z "$utsname" ] ; then
+ utsname=$(lxc_get_var lxc.utsname)
+ fi
+
+ if [ "${CONTAINER}" != "${utsname}" ]; then
+ eerror "You should use the same name for the service and the"
+ eerror "container. Right now the container is called ${utsname}"
+ return 1
+ fi
+}
+
+depend() {
+ # be quiet, since we have to run depend() also for the
+ # non-muxed init script, unfortunately.
+ checkconfig 2>/dev/null || return 0
+
+ config ${CONFIGFILE}
+ need localmount
+ use lxcfs
+
+ local _x _if
+ for _x in $(lxc_get_net_link_type); do
+ _if=${_x%:*}
+ case "${_x##*:}" in
+ # when the network type is set to phys, we can make use of a
+ # network service (for instance to set it up before we disable
+ # the net_admin capability), but we might also not set it up
+ # at all on the host and leave the net_admin capable service
+ # to take care of it.
+ phys) use net.${_if} ;;
+ *) need net.${_if} ;;
+ esac
+ done
+}
+
+start() {
+ checkconfig || return 1
+ rm -f /var/log/lxc/${CONTAINER}.log
+
+ rootpath=$(lxc_get_var lxc.rootfs)
+
+ # Check the format of our init and the chroot's init, to see
+ # if we have to use linux32 or linux64; always use setarch
+ # when required, as that makes it easier to deal with
+ # x32-based containers.
+ case $(scanelf -BF '%a#f' ${rootpath}/sbin/init) in
+ EM_X86_64) setarch=linux64;;
+ EM_386) setarch=linux32;;
+ esac
+
+ ebegin "Starting ${CONTAINER}"
+ env -i ${setarch} $(which lxc-start) -l WARN -n ${CONTAINER} -f ${CONFIGFILE} -d -o /var/log/lxc/${CONTAINER}.log
+ sleep 1
+
+ # lxc-start -d will _always_ report a correct startup, even if it
+ # failed, so rather than trust that, check that the cgroup exists.
+ [ -d /sys/fs/cgroup/cpuset/lxc/${CONTAINER} ]
+ eend $?
+}
+
+stop() {
+ checkconfig || return 1
+
+
+ if ! [ -d /sys/fs/cgroup/cpuset/lxc/${CONTAINER} ]; then
+ ewarn "${CONTAINER} doesn't seem to be started."
+ return 0
+ fi
+
+ # 10s should be enough to shut everything down
+ ebegin "Stopping ${CONTAINER}"
+ lxc-stop -t 10 -n ${CONTAINER}
+ eend $?
+}