!485 update lxc to 5.0.2

* update lxc to 5.0.2
haozi007 2023-07-21 02:43:10 +00:00
parent 41350aee3f
commit 368bb8a97c
39 changed files with 7008 additions and 17035 deletions



@ -1,316 +0,0 @@
From 043b2483585a2d8168e0fde8b37054733a31f263 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Mon, 25 Jul 2022 15:36:23 +0800
Subject: [PATCH] fix HOME env of container unset error
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/lxc/isulad_utils.c | 210 ++++++++++++++++++++++++++++++++++++++++-
src/lxc/isulad_utils.h | 3 +
src/lxc/start.c | 14 +--
3 files changed, 216 insertions(+), 11 deletions(-)
diff --git a/src/lxc/isulad_utils.c b/src/lxc/isulad_utils.c
index 15d9323..cd7fca8 100644
--- a/src/lxc/isulad_utils.c
+++ b/src/lxc/isulad_utils.c
@@ -6,6 +6,10 @@
* Create: 2020-04-11
******************************************************************************/
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
@@ -13,6 +17,10 @@
#include <fcntl.h>
#include <pwd.h>
#include <ctype.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio_ext.h>
#include "isulad_utils.h"
#include "log.h"
@@ -244,20 +252,34 @@ out:
// isulad: set env home in container
int lxc_setup_env_home(uid_t uid)
{
+#define __PASSWD_FILE__ "/etc/passwd"
char *homedir = "/"; // default home dir is /
+ FILE *stream = NULL;
struct passwd pw, *pwbufp = NULL;
char buf[BUFSIZ];
- int ret;
- ret = getpwuid_r(uid, &pw, buf, sizeof(buf), &pwbufp);
- if ((ret == 0) && (pwbufp != NULL) && (pwbufp->pw_uid == uid)) {
- homedir = pwbufp->pw_dir;
+ stream = fopen_cloexec(__PASSWD_FILE__, "r");
+ if (stream == NULL) {
+ SYSWARN("Failed to open %s", __PASSWD_FILE__);
goto set_env;
}
+#if IS_BIONIC
+ while (util_getpwent_r(stream, &pw, buf, sizeof(buf), &pwbufp) == 0 && pwbufp != NULL) {
+#else
+ while (fgetpwent_r(stream, &pw, buf, sizeof(buf), &pwbufp) == 0 && pwbufp != NULL) {
+#endif
+ if (pwbufp->pw_uid == uid) {
+ homedir = pwbufp->pw_dir;
+ goto set_env;
+ }
+ }
WARN("User invalid, can not find user '%u'", uid);
set_env:
+ if (stream)
+ fclose(stream);
+
// if we didn't configure HOME, set it based on uid
if (setenv("HOME", homedir, 0) < 0) {
SYSERROR("Unable to set env 'HOME'");
@@ -317,3 +339,183 @@ bool is_non_negative_num(const char *s)
}
return true;
}
+
+static int hold_int(const char delim, bool required, char **src, unsigned int *dst)
+{
+ unsigned long long int res = 0;
+ char *err_str = NULL;
+
+ // ensure *src not a empty string
+ if (**src == '\0') {
+ ERROR("Empty subject on given entrie is not allowed.");
+ return -1;
+ }
+
+ errno = 0;
+ // covert string to long long
+ res = strtoull(*src, &err_str, 0);
+ if (errno != 0 && errno != ERANGE) {
+ ERROR("Parse int from string failed.");
+ return -1;
+ }
+
+ // **src is not a digit
+ if (err_str == *src) {
+ if (!required) {
+ ERROR("Integer part is missing.");
+ return -1;
+ }
+ // if required, just set 0
+ *dst = 0;
+ } else {
+ if (sizeof(void *) > 4 && res > UINT_MAX) { // make sure 64-bit platform behave same as 32-bit
+ res = UINT_MAX;
+ }
+ res = res & UINT_MAX;
+ *dst = (uint32_t)res;
+ }
+
+ // normal case
+ if (*err_str == delim) {
+ err_str++;
+ } else if (*err_str != '\0') {
+ ERROR("Invalid digit string.");
+ return -1;
+ }
+
+ *src = err_str; // update src to next valid context in line.
+ return 0;
+}
+
+static void hold_string(const char delim, char **src, char **dst)
+{
+ for (*dst = *src; **src != delim; ++(*src)) {
+ if (**src == '\0') {
+ break;
+ }
+ }
+
+ if (**src == delim) {
+ **src = '\0';
+ ++(*src);
+ }
+}
+
+static int parse_line_pw(const char delim, char *line, struct passwd *result)
+{
+ int ret = 0;
+ bool required = false;
+ char *walker = NULL;
+
+ walker = strpbrk(line, "\n");
+ if (walker != NULL) {
+ // clear newline char
+ *walker = '\0';
+ }
+
+ hold_string(delim, &line, &result->pw_name);
+
+ required = (result->pw_name[0] == '+' || result->pw_name[0] == '-') ? true : false;
+
+ hold_string(delim, &line, &result->pw_passwd);
+
+ ret = hold_int(delim, required, &line, &result->pw_uid);
+ if (ret != 0) {
+ // a legitimate line must have uid
+ ERROR("Parse uid error.");
+ return ret;
+ }
+
+ ret = hold_int(delim, required, &line, &result->pw_gid);
+ if (ret != 0) {
+ // it's ok to not provide gid
+ ERROR("Parse gid error.");
+ return ret;
+ }
+
+ hold_string(delim, &line, &result->pw_gecos);
+
+ hold_string(delim, &line, &result->pw_dir);
+
+ result->pw_shell = line;
+ return 0;
+}
+
+char *util_left_trim_space(char *str)
+{
+ char *begin = str;
+ char *tmp = str;
+ while (isspace(*begin)) {
+ begin++;
+ }
+ while ((*tmp++ = *begin++)) {
+ }
+ return str;
+}
+
+int util_getpwent_r(FILE *stream, struct passwd *resbuf, char *buffer, size_t buflen, struct passwd **result)
+{
+ const char delim = ':';
+ char *buff_end = NULL;
+ char *walker = NULL;
+ bool got = false;
+ int ret = 0;
+
+ if (stream == NULL || resbuf == NULL || buffer == NULL || result == NULL) {
+ ERROR("Password obj, params is NULL.");
+ return -1;
+ }
+
+ if (buflen <= 1) {
+ ERROR("Inadequate buffer length was given.");
+ return -1;
+ }
+
+ buff_end = buffer + buflen - 1;
+ flockfile(stream);
+
+ while (1) {
+ *buff_end = '\xff';
+ walker = fgets_unlocked(buffer, buflen, stream);
+ // if get NULL string
+ if (walker == NULL) {
+ *result = NULL;
+ // reach end of file, return error
+ if (feof(stream)) {
+ ret = ENOENT;
+ goto out;
+ }
+ // overflow buffer
+ ret = ERANGE;
+ goto out;
+ }
+ // just overflow last char in buffer
+ if (*buff_end != '\xff') {
+ *result = NULL;
+ ret = ERANGE;
+ goto out;
+ }
+
+ (void)util_left_trim_space(buffer);
+ // skip comment line and empty line
+ if (walker[0] == '#' || walker[0] == '\0') {
+ continue;
+ }
+
+ if (parse_line_pw(delim, walker, resbuf) == 0) {
+ got = true;
+ break;
+ }
+ }
+ if (!got) {
+ *result = NULL;
+ ret = ERANGE;
+ goto out;
+ }
+
+ *result = resbuf;
+ ret = 0;
+out:
+ funlockfile(stream);
+ return ret;
+}
\ No newline at end of file
diff --git a/src/lxc/isulad_utils.h b/src/lxc/isulad_utils.h
index 345f511..7a5eb89 100644
--- a/src/lxc/isulad_utils.h
+++ b/src/lxc/isulad_utils.h
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <stdbool.h>
+#include <pwd.h>
/* isulad: replace space with SPACE_MAGIC_STR */
#define SPACE_MAGIC_STR "[#)"
@@ -96,4 +97,6 @@ extern bool lxc_process_alive(pid_t pid, unsigned long long start_time);
extern bool is_non_negative_num(const char *s);
+int util_getpwent_r(FILE *stream, struct passwd *resbuf, char *buffer, size_t buflen, struct passwd **result);
+
#endif
diff --git a/src/lxc/start.c b/src/lxc/start.c
index f82df34..6fe1203 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1727,6 +1727,13 @@ static int do_start(void *data)
new_uid = handler->conf->init_uid;
new_gid = handler->conf->init_gid;
+#ifdef HAVE_ISULAD
+ // isulad: set env home in container, must before "Avoid unnecessary syscalls."
+ if (lxc_setup_env_home(new_uid) < 0) {
+ goto out_warn_father;
+ }
+#endif
+
/* Avoid unnecessary syscalls. */
if (new_uid == nsuid)
new_uid = LXC_INVALID_UID;
@@ -1734,13 +1741,6 @@ static int do_start(void *data)
if (new_gid == nsgid)
new_gid = LXC_INVALID_GID;
-#ifdef HAVE_ISULAD
- // isulad: set env home in container
- if (lxc_setup_env_home(new_uid) < 0) {
- goto out_warn_father;
- }
-#endif
-
/* Make sure that the processes STDIO is correctly owned by the user that we are switching to */
ret = fix_stdio_permissions(new_uid);
if (ret)
--
2.25.1
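Review bot: `util_left_trim_space()` in this deleted patch calls `isspace(*begin)` on a plain `char`, which is undefined for bytes that are negative on signed-char platforms, and the input is the container's own `/etc/passwd`, so it is image-controlled. If the helper is carried into the rebased 5.0.2 patch set (those diffs are not shown on this page), it should read `while (isspace((unsigned char)*begin)) {`. In the same patch, `hold_int()` clamps an over-range uid to `UINT_MAX` only when `sizeof(void *) > 4` and otherwise masks it with `res & UINT_MAX`, so the two platforms do not behave the same as its comment claims; rejecting `res > UINT_MAX` with `-1` would be safer than either.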


@ -1,70 +0,0 @@
From d4cb8f6a8f46a3f5d72f22d7f79df83ad82215e0 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 25 Jul 2022 16:42:03 +0800
Subject: [PATCH] check yajl only when have isulad
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
configure.ac | 6 +++---
src/lxc/Makefile.am | 7 +++++--
src/lxc/af_unix.c | 2 +-
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index ce8854e..2180586 100644
--- a/configure.ac
+++ b/configure.ac
@@ -120,9 +120,6 @@ AM_CONDITIONAL([DISTRO_UBUNTU], [test "x$with_distro" = "xubuntu"])
AC_CONFIG_LINKS([config/etc/default.conf:config/etc/${distroconf}])
-# Check yajl
-PKG_CHECK_MODULES([YAJL], [yajl >= 2],[],[AC_MSG_ERROR([You must install yajl >= 2])])
-
# Check for init system type
AC_MSG_CHECKING([for init system type])
AC_ARG_WITH([init-script],
@@ -839,6 +836,9 @@ AM_CONDITIONAL([HAVE_ISULAD], [test "x$adapt_isulad" = "xyes"])
if test "x$adapt_isulad" = "xyes"; then
AC_DEFINE([HAVE_ISULAD], 1, [adapt to iSulad])
AC_MSG_RESULT([yes])
+
+ # Check yajl
+ PKG_CHECK_MODULES([YAJL], [yajl >= 2],[],[AC_MSG_ERROR([You must install yajl >= 2])])
else
AC_MSG_RESULT([no])
fi
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index b9a8750..61a229f 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -360,8 +360,11 @@ LDADD = liblxc.la \
@OPENSSL_LIBS@ \
@SECCOMP_LIBS@ \
@SELINUX_LIBS@ \
- @DLOG_LIBS@ \
- @YAJL_LIBS@
+ @DLOG_LIBS@
+
+if HAVE_ISULAD
+ LDADD += @YAJL_LIBS@
+endif
if ENABLE_TOOLS
lxc_attach_SOURCES = tools/lxc_attach.c \
diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index cb4233e..0be9368 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -382,7 +382,7 @@ int lxc_unix_connect_type(struct sockaddr_un *addr, int type)
offsetof(struct sockaddr_un, sun_path) + len);
if (ret < 0)
#ifdef HAVE_ISULAD
- return log_error_errno(-1, errno,
+ return log_warn_errno(-1, errno,
"Failed to connect new AF_UNIX socket");
#else
return log_error_errno(-1, errno,
--
2.25.1


@ -1,29 +0,0 @@
From bcc3084c9230486c3a7d40cff633d581f6a1a990 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 26 Jul 2022 14:27:11 +0800
Subject: [PATCH] drop security_context_t
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/lsm/selinux.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index bd4f449..c24d238 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -36,7 +36,11 @@ lxc_log_define(selinux, lsm);
*/
static char *selinux_process_label_get(pid_t pid)
{
+#ifdef HAVE_ISULAD
+ char *ctx;
+#else
security_context_t ctx;
+#endif
char *label;
if (getpidcon_raw(pid, &ctx) < 0) {
--
2.25.1


@ -1,50 +0,0 @@
From 7273c6631f692872384cce83cc04b4084ee98f73 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 9 Aug 2022 17:30:59 +0800
Subject: [PATCH] only set user or image set non-empty HOME
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/lxc/isulad_utils.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/lxc/isulad_utils.c b/src/lxc/isulad_utils.c
index cd7fca8..067e1c9 100644
--- a/src/lxc/isulad_utils.c
+++ b/src/lxc/isulad_utils.c
@@ -257,6 +257,13 @@ int lxc_setup_env_home(uid_t uid)
FILE *stream = NULL;
struct passwd pw, *pwbufp = NULL;
char buf[BUFSIZ];
+ const char *curr_home = NULL;
+
+ curr_home = getenv("HOME");
+ // if user set or image set, just use it.
+ if (curr_home != NULL && strcmp(curr_home, "") != 0) {
+ return 0;
+ }
stream = fopen_cloexec(__PASSWD_FILE__, "r");
if (stream == NULL) {
@@ -280,8 +287,9 @@ set_env:
if (stream)
fclose(stream);
- // if we didn't configure HOME, set it based on uid
- if (setenv("HOME", homedir, 0) < 0) {
+ // if we didn't configure HOME, set it based on uid;
+ // override it if reach here.
+ if (setenv("HOME", homedir, 1) < 0) {
SYSERROR("Unable to set env 'HOME'");
return -1;
}
@@ -518,4 +526,4 @@ int util_getpwent_r(FILE *stream, struct passwd *resbuf, char *buffer, size_t bu
out:
funlockfile(stream);
return ret;
-}
\ No newline at end of file
+}
--
2.25.1


@ -1,38 +0,0 @@
From a2aff3425a6f35bdb9f83880a1545b89606bf7c9 Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Fri, 19 Aug 2022 14:32:22 +0800
Subject: [PATCH] return fail if no args or no rootfs path found
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/lxccontainer.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 3f75184..4b669bb 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1030,6 +1030,20 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
argv = init_cmd = use_init_args(conf->init_argv, conf->init_argc);
}
+ // do not allow using default rootfs path when isulad
+ if (conf->rootfs.mount == NULL) {
+ ERROR("Empty rootfs path detected");
+ lxc_put_handler(handler);
+ return false;
+ }
+
+ // do not allow using default args when isulad
+ if (!argv) {
+ ERROR("Empty args detected");
+ lxc_put_handler(handler);
+ return false;
+ }
+
if (c->image_type_oci) {
handler->image_type_oci = true;
}
--
2.25.1


@ -1,25 +0,0 @@
From cce266a71a8998e17abada2a7e716298c2169208 Mon Sep 17 00:00:00 2001
From: Neil.wrz<wangrunze13@huawei.com>
Date: Thu, 1 Sep 2022 05:04:56 -0700
Subject: [PATCH] fix tools using '-?' option give error message
Signed-off-by: Neil.wrz<wangrunze13@huawei.com>
---
src/lxc/tools/arguments.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h
index c16d99f..80c2083 100644
--- a/src/lxc/tools/arguments.h
+++ b/src/lxc/tools/arguments.h
@@ -145,6 +145,7 @@ struct lxc_arguments {
#define LXC_COMMON_OPTIONS \
{ "name", required_argument, 0, 'n' }, \
{ "help", no_argument, 0, 'h' }, \
+ { "help", no_argument, 0, '?' }, \
{ "usage", no_argument, 0, OPT_USAGE }, \
{ "version", no_argument, 0, OPT_VERSION }, \
{ "quiet", no_argument, 0, 'q' }, \
--
2.25.1


@ -1,44 +0,0 @@
From 96a35e077d21a1abf1cc3819fb842b8089ee268d Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Tue, 20 Sep 2022 01:40:18 -0700
Subject: [PATCH] fix do mask pathes after parent mounted
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/conf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 378cf9f..439601a 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3975,19 +3975,19 @@ int lxc_setup(struct lxc_handler *handler)
}
#ifdef HAVE_ISULAD
- // isulad: setup rootfs masked paths
- if (!lxc_list_empty(&lxc_conf->rootfs.maskedpaths)) {
- if (setup_rootfs_maskedpaths(&lxc_conf->rootfs.maskedpaths)) {
- return log_error(-1, "failed to setup maskedpaths");
- }
- }
-
// isulad: setup rootfs ro paths
if (!lxc_list_empty(&lxc_conf->rootfs.ropaths)) {
if (setup_rootfs_ropaths(&lxc_conf->rootfs.ropaths)) {
return log_error(-1, "failed to setup readonlypaths");
}
}
+
+ // isulad: setup rootfs masked paths
+ if (!lxc_list_empty(&lxc_conf->rootfs.maskedpaths)) {
+ if (setup_rootfs_maskedpaths(&lxc_conf->rootfs.maskedpaths)) {
+ return log_error(-1, "failed to setup maskedpaths");
+ }
+ }
//isulad: system container, remount /proc/sys/xxx by mount_list
if (lxc_conf->systemd != NULL && strcmp(lxc_conf->systemd, "true") == 0) {
--
2.25.1
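Review bot: Nothing visible on this page shows that the rebased iSulad patch set keeps the ordering this deleted patch introduced in `lxc_setup()`, where `setup_rootfs_maskedpaths()` runs after `setup_rootfs_ropaths()`. The ordering looks isolation-relevant: judging by the patch subject, a mask applied before its parent path is set up read-only can presumably end up hidden under the later mount, which would leave the masked file readable. Please confirm the order survives the rebase, and consider a comment at the call site such as `// isulad: mask paths only after ro paths are set up, so a later mount on a parent cannot cover the mask` so it is not reordered again.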


@ -1,36 +0,0 @@
From 2aa9204b74c96413944a715408cfd5d2f3a34d66 Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Thu, 22 Sep 2022 10:44:26 +0800
Subject: [PATCH] skip kill cgroup processes if no hierarchies
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/cgroups/isulad_cgfsng.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index 8a9656a..f5cf81c 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -677,15 +677,14 @@ __cgfsng_ops static bool isulad_cgfsng_payload_destroy(struct cgroup_ops *ops,
return false;
}
-#ifdef HAVE_ISULAD
if (ops->no_controller) {
- DEBUG("no controller found, isgnore isulad_cgfsng_payload_destroy");
+ DEBUG("no controller found, ignore isulad_cgfsng_payload_destroy");
return true;
}
-#endif
if (!ops->hierarchies) {
- return false;
+ DEBUG("no hierarchies found, ignore isulad_cgfsng_payload_destroy");
+ return true;
}
if (!handler) {
--
2.25.1


@ -1,26 +0,0 @@
From 10ce28085f6d425aae21e043a45c6ef02fdd1e44 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 24 Oct 2022 11:03:11 +0800
Subject: [PATCH] Add sw64 architecture
Signed-off-by: rpm-build <rpm-build>
---
src/lxc/syscall_numbers.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/syscall_numbers.h b/src/lxc/syscall_numbers.h
index bfd0e57..803eab7 100644
--- a/src/lxc/syscall_numbers.h
+++ b/src/lxc/syscall_numbers.h
@@ -377,6 +377,8 @@
#ifndef __NR_pidfd_send_signal
#if defined __alpha__
#define __NR_pidfd_send_signal 534
+ #elif defined __sw_64__
+ #define __NR_pidfd_send_signal 271
#elif defined _MIPS_SIM
#if _MIPS_SIM == _MIPS_SIM_ABI32 /* o32 */
#define __NR_pidfd_send_signal 4424
--
2.33.0


@ -1,33 +0,0 @@
From 62f36cfa7abafa213b7a0ba26136b409d241b019 Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Thu, 24 Nov 2022 17:05:44 +0800
Subject: [PATCH] add macro to adapt musl libc
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/json/json_common.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/lxc/json/json_common.h b/src/lxc/json/json_common.h
index 60aa5fd..67c2df8 100755
--- a/src/lxc/json/json_common.h
+++ b/src/lxc/json/json_common.h
@@ -17,6 +17,15 @@ extern "C" {
# undef linux
+#ifdef __MUSL__
+#undef stdin
+#undef stdout
+#undef stderr
+#define stdin stdin
+#define stdout stdout
+#define stderr stderr
+#endif
+
//options to report error if there is unknown key found in json
# define PARSE_OPTIONS_STRICT 0x01
//options to generate all key and value
--
2.25.1


@ -1,178 +0,0 @@
From 90512fd67873600a490d2432e6c9429771f719be Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Fri, 2 Dec 2022 18:52:39 +0800
Subject: [PATCH] add lxc-attach add-gids option
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/attach.c | 13 ++++++--
src/lxc/attach_options.h | 2 ++
src/lxc/tools/arguments.h | 3 ++
src/lxc/tools/lxc_attach.c | 65 ++++++++++++++++++++++++++++++++++++++
4 files changed, 80 insertions(+), 3 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 8a2c52a..24d020d 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1019,9 +1019,16 @@ static int attach_child_main(struct attach_clone_payload *payload)
goto on_error;
}
- if (!lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len,
- init_ctx->container->lxc_conf->init_groups))
- goto on_error;
+ if (options->add_gids != NULL && options->add_gids_len != 0) {
+ if (!lxc_setgroups(options->add_gids_len, options->add_gids)) {
+ goto on_error;
+ }
+ } else {
+ if (!lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len,
+ init_ctx->container->lxc_conf->init_groups)) {
+ goto on_error;
+ }
+ }
#endif
/* Make sure that the processes STDIO is correctly owned by the user that we are switching to */
diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index 16b4e21..4591d65 100644
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -124,6 +124,8 @@ typedef struct lxc_attach_options_t {
const char *suffix;
bool disable_pty;
bool open_stdin;
+ gid_t *add_gids; /* attach user additional gids */
+ size_t add_gids_len;
#endif
} lxc_attach_options_t;
diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h
index 80c2083..583390a 100644
--- a/src/lxc/tools/arguments.h
+++ b/src/lxc/tools/arguments.h
@@ -50,6 +50,8 @@ struct lxc_arguments {
int open_stdin;
unsigned int start_timeout; /* isulad: Seconds for waiting on a container to start before it is killed*/
int64_t attach_timeout; /* for lxc-attach */
+ gid_t *add_gids;
+ size_t add_gids_len;
#endif
/* for lxc-console */
@@ -175,6 +177,7 @@ struct lxc_arguments {
#define OPT_OPEN_STDIN OPT_USAGE - 14
#define OPT_ATTACH_TIMEOUT OPT_USAGE - 15
#define OPT_ATTACH_SUFFIX OPT_USAGE - 16
+#define OPT_ADDITIONAL_GIDS OPT_USAGE - 17
#endif
extern int lxc_arguments_parse(struct lxc_arguments *args, int argc,
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 1a5a241..f6ddf2d 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -78,6 +78,7 @@ static const struct option my_longopts[] = {
#else
{"workdir", required_argument, 0, 'w'},
{"user", required_argument, 0, 'u'},
+ {"add-gids", required_argument, 0, OPT_ADDITIONAL_GIDS},
{"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, /* isulad add terminal fifos*/
{"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO},
{"err-fifo", required_argument, 0, OPT_STDERR_FIFO},
@@ -146,6 +147,7 @@ Options :\n\
"\
-w, --workdir Working directory inside the container.\n\
-u, --user User ID (format: UID[:GID])\n\
+ --add-gids Additional gids (format: GID[,GID])\n\
--in-fifo Stdin fifo path\n\
--out-fifo Stdout fifo path\n\
--err-fifo Stderr fifo path\n\
@@ -228,6 +230,58 @@ static int get_attach_uid_gid(const char *username, uid_t *user_id, gid_t *group
free(tmp);
return 0;
}
+
+static int get_attach_add_gids(const char *add_gids, gid_t **gids, size_t *gids_len)
+{
+ long long int readvalue;
+ size_t i, len;
+ const size_t max_gids = 100;
+ gid_t *g = NULL;
+ __do_free_string_list char **gids_str = NULL;
+
+ if (add_gids == NULL || strlen(add_gids) == 0) {
+ ERROR("None additional gids");
+ return -1;
+ }
+
+ gids_str = lxc_string_split(add_gids, ',');
+ if (gids_str == NULL) {
+ ERROR("Failed to split additional gids");
+ return -1;
+ }
+
+ len = lxc_array_len((void **)gids_str);
+ if (len > max_gids) {
+ ERROR("Too many gids");
+ return -1;
+ }
+
+ g = calloc(len, sizeof(gid_t));
+ if (g == NULL) {
+ ERROR("Out of memory");
+ return -1;
+ }
+
+ for (i = 0; i < len; i++) {
+ if (lxc_safe_long_long(gids_str[i], &readvalue) != 0) {
+ SYSERROR("Invalid gid value %s", gids_str[i]);
+ goto err_out;
+ }
+ if (readvalue < 0) {
+ ERROR("Invalid gid value: %lld", readvalue);
+ goto err_out;
+ }
+ g[i] = (unsigned int)readvalue;
+ }
+
+ *gids = g;
+ *gids_len = len;
+ return 0;
+
+err_out:
+ free(g);
+ return -1;
+}
#endif
static int my_parser(struct lxc_arguments *args, int c, char *arg)
@@ -331,6 +385,12 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)
case OPT_OPEN_STDIN:
args->open_stdin = 1;
break;
+ case OPT_ADDITIONAL_GIDS:
+ if (get_attach_add_gids(arg, &args->add_gids, &args->add_gids_len) != 0) {
+ ERROR("Failed to get attach additional gids");
+ return -1;
+ }
+ break;
#endif
}
@@ -655,6 +715,11 @@ int main(int argc, char *argv[])
attach_options.initial_cwd = my_args.workdir;
}
+ if (my_args.add_gids) {
+ attach_options.add_gids = my_args.add_gids;
+ attach_options.add_gids_len = my_args.add_gids_len;
+ }
+
/* isulad: add do attach background */
if (attach_options.attach_flags & LXC_ATTACH_TERMINAL)
wexit = do_attach_foreground(c, &command, &attach_options, &errmsg);
--
2.25.1
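Review bot: `get_attach_add_gids()` in this deleted patch rejects only negative input before `g[i] = (unsigned int)readvalue;`, so a value above the `gid_t` range is silently truncated, and a `--add-gids` value of 4294967296 would end up as gid 0. If the helper is carried into the rebased 5.0.2 patch set (not shown on this page), bound it on both sides, e.g. `if (readvalue < 0 || readvalue > UINT_MAX) {`, and decide whether `(gid_t)-1` should be refused as well. Separately, the `attach_child_main()` hunk passes `options->add_gids` to `lxc_setgroups()` instead of the container's `init_groups`, so the option replaces the configured groups rather than adding to them; the help text "Additional gids" should say so, or the two lists should be merged.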


@ -1,31 +0,0 @@
From 3cefa43ec2f5f0366c470290d48bdcd88690cf90 Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Thu, 8 Dec 2022 09:48:29 +0800
Subject: [PATCH] add sscanf adapation code for musl
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/isulad_utils.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lxc/isulad_utils.c b/src/lxc/isulad_utils.c
index 067e1c9..ee39302 100644
--- a/src/lxc/isulad_utils.c
+++ b/src/lxc/isulad_utils.c
@@ -173,7 +173,13 @@ static proc_t *lxc_stat2proc(const char *S)
(void)memset(P, 0x00, sizeof(proc_t));
/* parse these two strings separately, skipping the leading "(". */
+ /* https://www.openwall.com/lists/musl/2013/11/15/5: musl's sscanf("%15c",cmd)
+ requires exactly 15 characters; anything shorter is a matching failure. */
+#ifdef __MUSL__
+ num = sscanf(S, "%d (%15s", &P->pid, P->cmd); /* comm[16] in kernel */
+#else
num = sscanf(S, "%d (%15c", &P->pid, P->cmd); /* comm[16] in kernel */
+#endif
if (num != 2) {
ERROR("Call sscanf error: %s", errno ? strerror(errno) : "");
free(P);
--
2.25.1


@ -1,26 +0,0 @@
From 026fea0b424c20c867be1577f5d98bc7bf97ba5a Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Fri, 16 Dec 2022 19:17:11 +0800
Subject: [PATCH] change the --suffi parameter in lxc-attach --help output
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/tools/lxc_attach.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index f6ddf2d..fc0529a 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -151,7 +151,7 @@ Options :\n\
--in-fifo Stdin fifo path\n\
--out-fifo Stdout fifo path\n\
--err-fifo Stderr fifo path\n\
- --suffi ID for mutli-attach on one container\n\
+ --suffix ID for mutli-attach on one container\n\
--timeout Timeout in seconds (default: 0)\n\
--disable-pty Disable pty for attach\n\
--open-stdin Open stdin for attach\n\
--
2.25.1


@ -1,51 +0,0 @@
From 2b4d27ef9b5d9f38654277f021fabdda2d5f8e36 Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Thu, 12 Jan 2023 19:20:43 -0800
Subject: [PATCH] fix cve CVE-2022-47952: log leaks root information
Signed-off-by: isuladci <isulad@ci.com>
---
src/lxc/cmd/lxc_user_nic.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
index 4160565..5b848da 100644
--- a/src/lxc/cmd/lxc_user_nic.c
+++ b/src/lxc/cmd/lxc_user_nic.c
@@ -1087,20 +1087,16 @@ int main(int argc, char *argv[])
} else if (request == LXC_USERNIC_DELETE) {
char opath[LXC_PROC_PID_FD_LEN];
- /* Open the path with O_PATH which will not trigger an actual
- * open(). Don't report an errno to the caller to not leak
- * information whether the path exists or not.
- * When stracing setuid is stripped so this is not a concern
- * either.
- */
+ // Keep in mind CVE-2022-47952: It's crucial not to leak any
+ // information whether open() succeeded or failed.
netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
if (netns_fd < 0) {
- usernic_error("Failed to open \"%s\"\n", args.pid);
+ usernic_error("Failed while opening netns file for \"%s\"\n", args.pid);
_exit(EXIT_FAILURE);
}
if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
- usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
+ usernic_error("Failed while opening netns file for \"%s\"\n", args.pid);
close(netns_fd);
_exit(EXIT_FAILURE);
}
@@ -1114,7 +1110,7 @@ int main(int argc, char *argv[])
/* Now get an fd that we can use in setns() calls. */
ret = open(opath, O_RDONLY | O_CLOEXEC);
if (ret < 0) {
- CMD_SYSERROR("Failed to open \"%s\"\n", args.pid);
+ CMD_SYSERROR("Failed while opening netns file for \"%s\"\n", args.pid);
close(netns_fd);
_exit(EXIT_FAILURE);
}
--
2.25.1
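Review bot: Dropping this patch is only safe if the 5.0.2 base already carries the CVE-2022-47952 fix in `src/lxc/cmd/lxc_user_nic.c`; this page does not show that, so it should be confirmed against the new tarball before merging. The property to check is that the failure path of `open(args.pid, O_PATH | O_CLOEXEC)` and the failure path of `fhas_fs_type(netns_fd, NSFS_MAGIC)` print the same message and no errno text, so the helper cannot be used to tell an existing path from a missing one. The deleted patch kept `CMD_SYSERROR(...)` on the later `open(opath, O_RDONLY | O_CLOEXEC)`, which presumably still reports errno, so it is worth checking how the new base handles that call too.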


@ -1,26 +0,0 @@
From 45948760921dbaa1c030b6848168b89428ca1434 Mon Sep 17 00:00:00 2001
From: songbuhuang <544824346@qq.com>
Date: Wed, 8 Feb 2023 14:46:44 +0800
Subject: [PATCH] fix lxc write error message
Signed-off-by: songbuhuang <544824346@qq.com>
---
src/lxc/cgroups/isulad_cgfsng.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index f5cf81c..6ccff63 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -2463,7 +2463,7 @@ retry:
goto retry;
}
lxc_write_error_message(ops->errfd,
- "%s:%d: setting cgroup config for ready process caused \"failed to write %s to %s: %s\".",
+ "%s:%d: setting cgroup config for ready process caused failed to write %s to %s: %s",
__FILE__, __LINE__, value, fullpath, strerror(errno));
}
free(fullpath);
--
2.25.1


@ -1,27 +0,0 @@
From d232c098c9a75fce2b7e6da55faa89cd546d3dc9 Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Tue, 31 Jan 2023 19:14:57 +0800
Subject: [PATCH] remove process inheritable capability
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/conf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 439601a..c478bf2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5528,7 +5528,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
if (caplist[i]) {
cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+ // fix CVE-2022-24769
+ // inheritable capability should be empty
}
}
--
2.25.1
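Review bot: The patch deleted here is what stopped `lxc_drop_caps()` from OR-ing each kept capability into `cap_data[CAP_TO_INDEX(i)].inheritable` (its CVE-2022-24769 fix), and the page does not show the replacement code. If `lxc_drop_caps()` is downstream iSulad code rather than part of the upstream tarball, the 5.0.2 update will not supply this fix by itself, so please confirm the rebased patch still sets only `effective` and `permitted` in that loop. A regression test that checks `CapInh` is zero for the container's init process would keep the inheritable set from quietly coming back on the next rebase.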


@ -1,32 +0,0 @@
From 636f30e34dd33a0b888faa9675fe33fb5aa0ad7a Mon Sep 17 00:00:00 2001
From: "Neil.wrz" <wangrunze13@huawei.com>
Date: Tue, 21 Feb 2023 22:48:44 -0800
Subject: [PATCH] may cause coredump
---
src/lxc/cgroups/isulad_cgfsng.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index 6ccff63..dcaa229 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -938,8 +938,15 @@ __cgfsng_ops static inline bool isulad_cgfsng_payload_create(struct cgroup_ops *
struct lxc_handler *handler)
{
int i;
+
+ if (!ops)
+ return ret_set_errno(false, ENOENT);
+
char *container_cgroup = ops->container_cgroup;
+ if (!ops->hierarchies)
+ return true;
+
#ifdef HAVE_ISULAD
if (ops->no_controller) {
DEBUG("no controller found, isgnore isulad_cgfsng_payload_create");
--
2.25.1


@ -1,55 +0,0 @@
From d8bf23cac765af4bededef26e56f7cde7bafd4fe Mon Sep 17 00:00:00 2001
From: "ilya.kuksenok" <ilya.kuksenok@huawei.com>
Date: Mon, 27 Feb 2023 14:39:39 +0300
Subject: [PATCH] Add metrics
Signed-off-by: ilya.kuksenok <ilya.kuksenok@huawei.com>
---
src/lxc/lxccontainer.c | 14 ++++++++++++++
src/lxc/lxccontainer.h | 5 +++++
2 files changed, 19 insertions(+)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 4b669bb..afbeb3c 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -6053,6 +6053,20 @@ static bool do_lxcapi_get_container_metrics(struct lxc_container *c, struct lxc
metrics->cpu_use_nanos = metrics_get_ull(c, cgroup_ops, "cpuacct.usage");
metrics->pids_current = metrics_get_ull(c, cgroup_ops, "pids.current");
+ uint64_t usage_bytes;
+ uint64_t workingset;
+ usage_bytes = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "rss", 1) +
+ metrics_match_get_ull(c, cgroup_ops, "memory.stat", "cache", 1) +
+ metrics_match_get_ull(c, cgroup_ops, "memory.stat", "swap", 1);
+ // workingset = usage - inactive_file
+ workingset = usage_bytes - metrics_match_get_ull(c, cgroup_ops, "memory.stat", "total_inactive_file", 1);
+ // Avaliable bytes = limit - workingset
+ metrics->avaliable_bytes = metrics_get_ull(c, cgroup_ops, "memory.limit_in_bytes") - workingset;
+ metrics->usage_bytes = usage_bytes;
+ metrics->rss_bytes = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "rss", 1);
+ metrics->page_faults = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "pgfault", 1);
+ metrics->major_page_faults = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "pgmajfault", 1);
+
metrics->cpu_use_user = metrics_match_get_ull(c, cgroup_ops, "cpuacct.stat", "user", 1);
metrics->cpu_use_sys = metrics_match_get_ull(c, cgroup_ops, "cpuacct.stat", "system", 1);
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 3680ade..68dfec9 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -68,6 +68,11 @@ struct lxc_container_metrics {
/* Memory usage */
uint64_t mem_used;
uint64_t mem_limit;
+ uint64_t avaliable_bytes;
+ uint64_t usage_bytes;
+ uint64_t rss_bytes;
+ uint64_t page_faults;
+ uint64_t major_page_faults;
/* Kernel Memory usage */
uint64_t kmem_used;
uint64_t kmem_limit;
--
2.34.1


@ -1,238 +0,0 @@
From 477ecc390bf4d62e8e02b98699b377b848b043de Mon Sep 17 00:00:00 2001
From: Wenlong Zhang <zhangwenlong@loongson.cn>
Date: Thu, 9 Feb 2023 08:18:35 +0000
Subject: [PATCH] add loongarch64 support for lxc
---
src/lxc/seccomp.c | 51 +++++++++++++++++++++++++++++++++++++++
src/lxc/syscall_numbers.h | 26 ++++++++++++++++++++
2 files changed, 77 insertions(+)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ebbba80..94dc23a 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -310,6 +310,7 @@ enum lxc_hostarch_t {
lxc_seccomp_arch_ppc64,
lxc_seccomp_arch_ppc64le,
lxc_seccomp_arch_ppc,
+ lxc_seccomp_arch_loongarch64,
lxc_seccomp_arch_mips,
lxc_seccomp_arch_mips64,
lxc_seccomp_arch_mips64n32,
@@ -344,6 +345,8 @@ int get_hostarch(void)
return lxc_seccomp_arch_ppc64;
else if (strncmp(uts.machine, "ppc", 3) == 0)
return lxc_seccomp_arch_ppc;
+ else if (strncmp(uts.machine, "loongarch64", 11) == 0)
+ return lxc_seccomp_arch_loongarch64;
else if (strncmp(uts.machine, "mips64", 6) == 0)
return MIPS_ARCH_N64;
else if (strncmp(uts.machine, "mips", 4) == 0)
@@ -400,6 +403,11 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
arch = SCMP_ARCH_PPC;
break;
#endif
+#ifdef SCMP_ARCH_LOONGARCH64
+ case lxc_seccomp_arch_loongarch64:
+ arch = SCMP_ARCH_LOONGARCH64;
+ break;
+#endif
#ifdef SCMP_ARCH_MIPS
case lxc_seccomp_arch_mips:
arch = SCMP_ARCH_MIPS;
@@ -738,6 +746,16 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
goto bad;
#endif
#endif
+#ifdef SCMP_ARCH_LOONGARCH64
+ } else if (native_arch == lxc_seccomp_arch_loongarch64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+
+ ctx.lxc_arch[0] = lxc_seccomp_arch_loongarch64;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_loongarch64,
+ default_policy_action, &ctx.architectures[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+#endif
#ifdef SCMP_ARCH_MIPS
} else if (native_arch == lxc_seccomp_arch_mips64) {
cur_rule_arch = lxc_seccomp_arch_all;
@@ -906,6 +924,17 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
cur_rule_arch = lxc_seccomp_arch_ppc;
}
#endif
+#ifdef SCMP_ARCH_LOONGARCH64
+ else if (strcmp(line, "[loongarch64]") == 0 ||
+ strcmp(line, "[LOONGARCH64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_loongarch64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_loongarch64;
+ }
+#endif
#ifdef SCMP_ARCH_MIPS
else if (strcmp(line, "[mips64]") == 0 ||
strcmp(line, "[MIPS64]") == 0) {
@@ -1263,6 +1292,17 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
goto bad;
#endif
#endif
+#ifdef SCMP_ARCH_LOONGARCH64
+ } else if (native_arch == lxc_seccomp_arch_loongarch64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+
+ ctx.architectures[0] = SCMP_ARCH_LOONGARCH64;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_loongarch64,
+ default_policy_action,
+ &ctx.needs_merge[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+#endif
#ifdef SCMP_ARCH_MIPS
} else if (native_arch == lxc_seccomp_arch_mips64) {
cur_rule_arch = lxc_seccomp_arch_all;
@@ -1434,6 +1474,17 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
cur_rule_arch = lxc_seccomp_arch_ppc;
}
#endif
+#ifdef SCMP_ARCH_LOONGRCH64
+ else if (strcmp(line, "[loongarch64]") == 0 ||
+ strcmp(line, "[LOONGARCH64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_loongarch64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_loongarch64;
+ }
+#endif
#ifdef SCMP_ARCH_MIPS
else if (strcmp(line, "[mips64]") == 0 ||
strcmp(line, "[MIPS64]") == 0) {
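Review bot: The guard on this last seccomp.c hunk is misspelled as `#ifdef SCMP_ARCH_LOONGRCH64`, so the `[loongarch64]` section-header branch is never compiled in this copy of parse_config_v2. The three other loongarch64 hunks in the same file use `SCMP_ARCH_LOONGARCH64`. On a loongarch64 host a profile that scopes rules with `[loongarch64]` would then not be matched here; whether the line is rejected or falls through to another branch depends on the rest of the if/else chain, which is outside the hunk. The fix is the one-line guard `#ifdef SCMP_ARCH_LOONGARCH64`, and a profile with an arch section would make a useful regression test because the misspelled macro compiles cleanly.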
diff --git a/src/lxc/syscall_numbers.h b/src/lxc/syscall_numbers.h
index c68cf24..01aa68d 100644
--- a/src/lxc/syscall_numbers.h
+++ b/src/lxc/syscall_numbers.h
@@ -49,6 +49,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_keyctl 5241
#endif
+ #elif defined __loongarch64
+ #define __NR_keyctl 219
#else
#define -1
#warning "__NR_keyctl not defined for your architecture"
@@ -84,6 +86,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64
#define __NR_memfd_create 5314
#endif
+ #elif defined __loongarch64
+ #define __NR_memfd_create 279
#else
#define -1
#warning "__NR_memfd_create not defined for your architecture"
@@ -117,6 +121,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_pivot_root 5151
#endif
+ #elif defined __loongarch64
+ #define __NR_pivot_root 41
#else
#define -1
#warning "__NR_pivot_root not defined for your architecture"
@@ -150,6 +156,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_setns 5303
#endif
+ #elif defined __loongarch64
+ #define __NR_setns 268
#else
#define -1
#warning "__NR_setns not defined for your architecture"
@@ -183,6 +191,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_sethostname 5165
#endif
+ #elif defined __loongarch64
+ #define __NR_sethostname 161
#else
#define -1
#warning "__NR_sethostname not defined for your architecture"
@@ -216,6 +226,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_signalfd 5276
#endif
+ #elif defined __loongarch64
+ #define __NR_signalfd -1 /* doesn't exist in loongarch64 */
#else
#define -1
#warning "__NR_signalfd not defined for your architecture"
@@ -249,6 +261,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_signalfd4 5283
#endif
+ #elif defined __loongarch64
+ #define __NR_signalfd4 74
#else
#define -1
#warning "__NR_signalfd4 not defined for your architecture"
@@ -282,6 +296,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_unshare 5262
#endif
+ #elif defined __loongarch64
+ #define __NR_unshare 97
#else
#define -1
#warning "__NR_unshare not defined for your architecture"
@@ -315,6 +331,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_bpf 5315
#endif
+ #elif defined __loongarch64
+ #define __NR_bpf 280
#else
#define -1
#warning "__NR_bpf not defined for your architecture"
@@ -348,6 +366,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_faccessat 5259
#endif
+ #elif defined __loongarch64
+ #define __NR_faccessat 48
#else
#define -1
#warning "__NR_faccessat not defined for your architecture"
@@ -401,6 +421,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_seccomp 5312
#endif
+ #elif defined __loongarch64
+ #define __NR_seccomp 277
#else
#define -1
#warning "__NR_seccomp not defined for your architecture"
@@ -434,6 +456,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_gettid 5178
#endif
+ #elif defined __loongarch64
+ #define __NR_gettid 178
#else
#define -1
#warning "__NR_gettid not defined for your architecture"
@@ -471,6 +495,8 @@
#if _MIPS_SIM == _MIPS_SIM_ABI64 /* n64 */
#define __NR_execveat 5316
#endif
+ #elif defined __loongarch64
+ #define __NR_execveat 281
#else
#define -1
#warning "__NR_execveat not defined for your architecture"
--
2.33.0


@ -1,51 +0,0 @@
From 9c82e7c0d345eba3cc0514a536eb8438f328164e Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Thu, 30 Mar 2023 11:38:45 +0800
Subject: [PATCH] use ocihooks env after getenv
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/conf.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index c478bf2..3335b0d 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -6224,7 +6224,8 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en
{
char **result = NULL;
size_t result_len = env_len;
- size_t i, j;
+ size_t i = 0;
+ size_t j, k;
char *tmpenv = NULL;
char *lxc_envs[] = {"LD_LIBRARY_PATH", "PATH", "LXC_CGNS_AWARE", "LXC_PID", "LXC_ROOTFS_MOUNT",
"LXC_CONFIG_FILE", "LXC_CGROUP_PATH", "LXC_ROOTFS_PATH", "LXC_NAME"
@@ -6239,11 +6240,6 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en
return NULL;
memset(result, 0, sizeof(char *) * result_len);
- for(i = 0; i < env_len; i++) {
- if (oldenvs[i])
- result[i] = safe_strdup(oldenvs[i]);
- }
-
for(j = 0; j < (sizeof(lxc_envs) / sizeof(char *)); j++) {
size_t env_buf_len = 0;
tmpenv = getenv(lxc_envs[j]);
@@ -6267,6 +6263,11 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en
}
}
+ for(k = 0; k < env_len; k++) {
+ if (oldenvs[k] && i < (result_len - 1))
+ result[i++] = safe_strdup(oldenvs[k]);
+ }
+
*merge_env_len = i;
return result;
}
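Review bot: The copy loop moved to the end of merge_ocihook_env silently drops every remaining `oldenvs` entry once `i` reaches `result_len - 1`, so a hook can start with a shortened environment and nothing in the log says so. Because the hook's own entries now follow the `lxc_envs` values read with getenv(), they are the ones that get cut. A name such as `PATH` or `LD_LIBRARY_PATH` present in both lists also ends up twice, and which copy wins is left to the consumer. I would log the drop without printing the value, `else if (oldenvs[k]) WARN("ocihook env full, dropping entry %zu", k);`, and add a comment above the loop stating which duplicate is meant to take precedence. How `result_len` is sized is outside the hunks shown.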
--
2.25.1


@ -1,51 +0,0 @@
From 573aae0ba3b76067e76206b78c8243b34e3f40e3 Mon Sep 17 00:00:00 2001
From: "Neil.wrz" <wangrunze13@huawei.com>
Date: Tue, 18 Apr 2023 00:05:27 -0700
Subject: [PATCH] fix mixed use of signed and unsigned type
Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
---
src/lxc/path.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lxc/path.c b/src/lxc/path.c
index 46256cb..c0529b7 100644
--- a/src/lxc/path.c
+++ b/src/lxc/path.c
@@ -101,7 +101,7 @@ bool filepath_split(const char *path, char **dir, char **base)
ERROR("Invalid path");
return false;
}
- i = len - 1;
+ i = (ssize_t)(len - 1);
while (i >= 0 && path[i] != '/')
i--;
@@ -326,7 +326,7 @@ static int do_get_symlinks(const char **fullpath, const char *prefix, size_t pre
}
len = strlen(*end);
- if (len >= PATH_MAX - n) {
+ if (len >= (size_t)(PATH_MAX - n)) {
ERROR("Path is too long");
goto out;
}
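Review bot: The cast in `if (len >= (size_t)(PATH_MAX - n))` in do_get_symlinks only silences the sign-compare warning. If `n` can ever exceed PATH_MAX, the difference is negative and converts to a very large size_t, so the "Path is too long" branch is never taken. The declaration and earlier bounds of `n` are outside the hunk, so this may already be excluded, but an explicit guard is cheap: `if (n >= PATH_MAX || len >= (size_t)(PATH_MAX - n)) {`. The path_relative hunk of the same patch turns `seps` and `i` into size_t, so any countdown or `< 0` test on them in the part of the loop not shown needs rechecking.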
@@ -619,7 +619,7 @@ char *path_relative(const char *basepath, const char *targpath)
if (b0 != bl) {
// Base elements left. Must go up before going down.
- int seps = 0, i;
+ size_t seps = 0, i;
size_t ncopyed = 0, seps_size;
char *buf = NULL;
@@ -652,4 +652,4 @@ char *path_relative(const char *basepath, const char *targpath)
}
return safe_strdup(targ + t0);
-}
\ No newline at end of file
+}
--
2.25.1


@ -1,48 +0,0 @@
From 4daa1572b9f129ba46cefb13683de90b49404872 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 18 Apr 2023 15:22:21 +0800
Subject: [PATCH] remove unused meminfo stats
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/lxccontainer.c | 10 ----------
src/lxc/lxccontainer.h | 2 --
2 files changed, 12 deletions(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index afbeb3c..cc6c5cd 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -6053,16 +6053,6 @@ static bool do_lxcapi_get_container_metrics(struct lxc_container *c, struct lxc
metrics->cpu_use_nanos = metrics_get_ull(c, cgroup_ops, "cpuacct.usage");
metrics->pids_current = metrics_get_ull(c, cgroup_ops, "pids.current");
- uint64_t usage_bytes;
- uint64_t workingset;
- usage_bytes = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "rss", 1) +
- metrics_match_get_ull(c, cgroup_ops, "memory.stat", "cache", 1) +
- metrics_match_get_ull(c, cgroup_ops, "memory.stat", "swap", 1);
- // workingset = usage - inactive_file
- workingset = usage_bytes - metrics_match_get_ull(c, cgroup_ops, "memory.stat", "total_inactive_file", 1);
- // Avaliable bytes = limit - workingset
- metrics->avaliable_bytes = metrics_get_ull(c, cgroup_ops, "memory.limit_in_bytes") - workingset;
- metrics->usage_bytes = usage_bytes;
metrics->rss_bytes = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "rss", 1);
metrics->page_faults = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "pgfault", 1);
metrics->major_page_faults = metrics_match_get_ull(c,cgroup_ops, "memory.stat", "pgmajfault", 1);
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 68dfec9..96db5e6 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -68,8 +68,6 @@ struct lxc_container_metrics {
/* Memory usage */
uint64_t mem_used;
uint64_t mem_limit;
- uint64_t avaliable_bytes;
- uint64_t usage_bytes;
uint64_t rss_bytes;
uint64_t page_faults;
uint64_t major_page_faults;
--
2.25.1


@ -1,39 +0,0 @@
From 4ebca5a005afbc19c08f663e24d3e76518d12fa8 Mon Sep 17 00:00:00 2001
From: Mohammed Ajmal Siddiqui <ajmalsiddiqui21@gmail.com>
Date: Wed, 5 Oct 2022 12:20:58 +0530
Subject: [PATCH] lxc-attach: Fix lost return codes of spawned processes that
are killed
lxc-attach swallows the return codes of processes that are terminated
via a signal, and by default exits with a return code of 0 (i.e.
indicating success) even if the command it tried to execute was
terminated.
This patch fixes it by explicitly checking if the process was terminated
via a signal, and returning an appropriate exit code.
Note that we add 128 to the signal value to generate the exit code
because by convention the exit code is 128 + signal number. e.g. if a
process is killed via signal 9, then the error code is 9 + 128 = 137.
Signed-off-by: Mohammed Ajmal Siddiqui <ajmalsiddiqui21@gmail.com>
---
src/lxc/tools/lxc_attach.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index fa303c7b4..6482b0aee 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -399,6 +399,8 @@ int lxc_attach_main(int argc, char *argv[])
}
if (WIFEXITED(ret))
wexit = WEXITSTATUS(ret);
+ else if (WIFSIGNALED(ret))
+ wexit = WTERMSIG(ret) + 128;
out:
lxc_container_put(c);
--
2.33.0


@ -1,30 +0,0 @@
From ea611fd8e2c04e65c9239a9236376b2686b16832 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Sat, 6 May 2023 17:25:41 +0800
Subject: [PATCH] fix load bpf failed
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/cgroups/cgroup2_devices.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c
index 04ba7b3..690e0b3 100644
--- a/src/lxc/cgroups/cgroup2_devices.c
+++ b/src/lxc/cgroups/cgroup2_devices.c
@@ -237,6 +237,12 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
if (device->minor != -1)
jump_nr++;
+#ifdef HAVE_ISULAD
+ // add a check, if no jump should do, just return.
+ if (jump_nr == 1)
+ return 0;
+#endif
+
if (device_type > 0) {
struct bpf_insn ins[] = {
BPF_JMP_IMM(BPF_JNE, BPF_REG_2, device_type, jump_nr--),
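Review bot: The early `return 0` under HAVE_ISULAD makes bpf_program_append_device report success while emitting nothing for a rule that adds no comparison, which presumably means a rule matching every device. A catch-all rule is commonly the one that carries the default allow or deny, so dropping it can leave the loaded device filter with a different policy than the configuration states. The instructions emitted after the comparisons are outside the hunk, so that needs confirming against the full function. If the aim is only to avoid a jump with nothing to skip, skip the comparisons but still emit the rule's verdict, and replace the comment with one that names the case, e.g. `/* wildcard rule: no comparisons needed, only the verdict is appended */`.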
--
2.25.1


@ -1,27 +0,0 @@
From f7da4786892ab6b4bbe1cfedad24127a7d059f3d Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Fri, 16 Jun 2023 12:02:38 +0800
Subject: [PATCH] fix mount device path incorrect
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/conf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 3335b0d..a5573ac 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -6064,7 +6064,8 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list
// Unprivileged containers cannot create devices, so
// try to bind mount the device from the host
- ret = snprintf(hostpath, MAXPATHLEN, "/dev/%s", dev_elem->name);
+ // dev_elem name is the device path
+ ret = snprintf(hostpath, MAXPATHLEN, "%s", dev_elem->name);
if (ret < 0 || ret >= MAXPATHLEN) {
ret = -1;
goto reset_umask;
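Review bot: With the `/dev/` prefix removed, `hostpath` in setup_populate_devs is whatever `dev_elem->name` holds, and per the comment above it that path is the host-side source of the bind mount for unprivileged containers. Where the name comes from is outside the hunk; if container or image configuration can influence it, nothing here keeps the source under the host's /dev any more. I would validate it before formatting, e.g. `if (strncmp(dev_elem->name, "/dev/", 5) != 0 || strstr(dev_elem->name, "/../") != NULL) { ret = -1; goto reset_umask; }`. The new comment should also say that the name is expected to be a full host path under /dev.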
--
2.25.1


@ -1,65 +0,0 @@
From 728d921b36f07833470a284a55cbfea4baaab268 Mon Sep 17 00:00:00 2001
From: mzzhou <1362843687@qq.com>
Date: Mon, 10 Jul 2023 21:28:10 +0800
Subject: [PATCH] add secure compile marco
---
configure.ac | 20 ++++++++++++++++++++
src/lxc/Makefile.am | 6 +++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 2180586..e66bdf1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -837,10 +837,30 @@ if test "x$adapt_isulad" = "xyes"; then
AC_DEFINE([HAVE_ISULAD], 1, [adapt to iSulad])
AC_MSG_RESULT([yes])
+ AC_MSG_CHECKING([Whether enable secure compile])
+ AC_ARG_ENABLE([secure-compile],
+ [AC_HELP_STRING([--enable-secure-compile], [enable secure compile [default=no]])],
+ [secure_compile=$enableval], [secure_compile=yes])
+ AM_CONDITIONAL([HAVE_SECURE_COMPILE], [test "x$secure_compile" = "xyes"])
+ AC_DEFINE([HAVE_SECURE_COMPILE], 1, [enable secure compile])
+ AC_MSG_RESULT([yes])
+
# Check yajl
PKG_CHECK_MODULES([YAJL], [yajl >= 2],[],[AC_MSG_ERROR([You must install yajl >= 2])])
else
AC_MSG_RESULT([no])
+
+ AC_MSG_CHECKING([Whether enable secure compile])
+ AC_ARG_ENABLE([secure-compile],
+ [AC_HELP_STRING([--enable-secure-compile], [enable secure compile [default=no]])],
+ [secure_compile=$enableval], [secure_compile=yes])
+ AM_CONDITIONAL([HAVE_SECURE_COMPILE], [test "x$secure_compile" = "xyes"])
+ if test "x$secure_compile" = "xyes"; then
+ AC_DEFINE([HAVE_SECURE_COMPILE], 1, [enable secure compile])
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ fi
fi
# Files requiring some variable expansion
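Review bot: In the iSulad branch `AC_DEFINE([HAVE_SECURE_COMPILE], 1, ...)` and `AC_MSG_RESULT([yes])` run unconditionally, so `--disable-secure-compile` still defines the macro and prints "yes" while the automake conditional is false. In both branches the help string says `[default=no]` although the fallback is `secure_compile=yes`. The option block is also duplicated in the two arms of the `adapt_isulad` test, which is how they drifted apart. Since the Makefile.am hunk of this patch makes `-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack` depend on this switch, the reported state should match what is linked. I would declare the option once after the `fi`, as below.

```m4
# … unchanged: adapt_isulad test, AC_DEFINE([HAVE_ISULAD]) and the yajl check …
fi

AC_MSG_CHECKING([whether to enable secure compile])
AC_ARG_ENABLE([secure-compile],
	[AC_HELP_STRING([--enable-secure-compile], [enable secure compile [default=yes]])],
	[secure_compile=$enableval], [secure_compile=yes])
AM_CONDITIONAL([HAVE_SECURE_COMPILE], [test "x$secure_compile" = "xyes"])
if test "x$secure_compile" = "xyes"; then
	AC_DEFINE([HAVE_SECURE_COMPILE], 1, [enable secure compile])
fi
AC_MSG_RESULT([$secure_compile])
```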
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 61a229f..c1d20f6 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -292,7 +292,11 @@ liblxc_la_LDFLAGS = -pthread \
-version-info @LXC_ABI_MAJOR@
if HAVE_ISULAD
-liblxc_la_LDFLAGS += @YAJL_LIBS@ -Wl,-z,relro \
+liblxc_la_LDFLAGS += @YAJL_LIBS@
+endif
+
+if HAVE_SECURE_COMPILE
+liblxc_la_LDFLAGS += -Wl,-z,relro \
-Wl,-z,now \
-Wl,-z,noexecstack
endif
--
2.41.0.windows.2


@ -27,6 +27,12 @@ tar -xzvf $dir_name.tar.gz
cwd=$PWD
cd $cwd/$dir_name
git init .
git add .
git config --local user.name "isuladci"
git config --local user.email "isulad@ci.com"
git commit -m "init repo for lxc-$dir_name"
grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}' | while read line
do
if [[ $line == '' || $line =~ ^\s*# ]]; then
@ -36,11 +42,9 @@ do
patch -p1 -F1 -s < $cwd/$line
done
git init .
git add .
git config --local user.name "isuladci"
git config --local user.email "isulad@ci.com"
git commit -m "init repo"
git commit -m "change for iSulad"
git config --local --unset user.name
git config --local --unset user.email

Binary file not shown.

BIN
lxc-5.0.2.tar.gz Normal file

Binary file not shown.

568
lxc.spec

@ -1,57 +1,24 @@
%global _release 2022102421
%global _release 1
Name: lxc
Version: 4.0.3
Version: 5.0.2
Release: %{_release}
Summary: Linux Containers userspace tools
License: LGPLv2+ and GPLv2 and GPLv3
URL: https://github.com/lxc/lxc
Source0: https://linuxcontainers.org/downloads/lxc/lxc-4.0.3.tar.gz
Source0: https://linuxcontainers.org/downloads/lxc/lxc-5.0.2.tar.gz
Patch0001: 0001-refactor-patch-code-of-utils-commands-and-so-on.patch
Patch0002: 0002-refactor-patch-code-of-isulad-for-conf-exec-attach.patch
Patch0003: 0003-refactor-patch-code-of-isulad-for-selinux-attach.patch
Patch0004: 0004-refactor-patch-code-of-lxccontianer-and-so-on.patch
Patch0005: 0005-refactor-patch-code-of-attach-and-seccomp.patch
Patch0006: 0006-refactor-patch-about-namespace-log-terminal.patch
Patch0007: 0007-refactor-patches-on-terminal.c-start.c-and-so-on.patch
Patch0008: 0008-refactor-patch-code-of-json.patch
Patch0009: 0009-fix-HOME-env-of-container-unset-error.patch
Patch0010: 0010-check-yajl-only-when-have-isulad.patch
Patch0011: 0011-drop-security_context_t.patch
Patch0012: 0012-only-set-user-or-image-set-non-empty-HOME.patch
Patch0013: 0013-return-fail-if-no-args-or-no-rootfs-path-found.patch
Patch0014: 0014-fix-tools-using-option-give-error-message.patch
Patch0015: 0015-fix-do-mask-pathes-after-parent-mounted.patch
Patch0016: 0016-skip-kill-cgroup-processes-if-no-hierarchies.patch
Patch0017: 0017-lxc-Add-sw64-architecture.patch
Patch0018: 0018-add-macro-to-adapt-musl-libc.patch
Patch0019: 0019-add-lxc-attach-add-gids-option.patch
Patch0020: 0020-add-sscanf-adapation-code-for-musl.patch
Patch0021: 0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
Patch0022: 0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
Patch0023: 0023-fix-lxc-write-error-message.patch
Patch0024: 0024-remove-process-inheritable-capability.patch
Patch0025: 0025-fix-ops-hierarchies-cause-coredump.patch
Patch0026: 0026-meminfo-cri-1.25.patch
Patch0027: 0027-add-loongarch64-support-for-lxc.patch
Patch0028: 0028-use-ocihooks-env-after-getenv.patch
Patch0029: 0029-fix-mixed-use-of-signed-and-unsigned-type.patch
Patch0030: 0030-remove-unused-meminfo-stats.patch
Patch0031: 0031-lxc-attach-Fix-lost-return-codes-of-spawned-processe.patch
Patch0032: 0032-fix-load-bpf-failed.patch
Patch0033: 0033-fix-mount-device-path-incorrect.patch
Patch0034: 0034-add-secure-compile-macro.patch
Patch0001: 0001-iSulad-add-json-files-and-adapt-to-meson.patch
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
BuildRequires: pkgconfig(libseccomp)
BuildRequires: libcap libcap-devel libselinux-devel yajl yajl-devel
BuildRequires: pkgconfig(bash-completion)
BuildRequires: pkgconfig(bash-completion) meson
%ifarch riscv64
BuildRequires: libatomic_ops
%endif
Requires: lxc-libs = 4.0.3-%{release}
Requires: lxc-libs = 5.0.2-%{release}
%package libs
Summary: Runtime library files for %{name}
@ -83,7 +50,7 @@ boot an entire "containerized" system, and to manage and debug your containers.
%package devel
Summary: Development files for lxc
Requires: lxc = 4.0.3-%{release}
Requires: lxc = 5.0.2-%{release}
Requires: pkgconfig
%description devel
@ -99,19 +66,14 @@ BuildArch: noarch
This package contains documentation for lxc for creating containers.
%prep
%autosetup -n lxc-4.0.3 -Sgit -p1
%autosetup -n lxc-5.0.2 -Sgit -p1
%build
%ifarch riscv64
export LDFLAGS="%{build_ldflags} -latomic -pthread"
%endif
%configure --enable-doc --enable-api-docs \
--disable-silent-rules --docdir=%{_pkgdocdir} --disable-rpath \
--disable-static --disable-apparmor --enable-selinux \
--enable-seccomp \
--with-init-script=systemd --disable-werror
%{make_build}
meson setup -Disulad=false -Dtests=true -Dprefix=/usr build
meson compile -C build
%install
%{make_install}
@ -142,11 +104,9 @@ chrpath -d %{buildroot}/usr/lib64/liblxc.so
chmod +x %{buildroot}/usr/lib64/liblxc.so
%endif
# docs
mkdir -p %{buildroot}%{_pkgdocdir}/api
%ifarch sw_64
%else
cp -a AUTHORS README %{buildroot}%{_pkgdocdir}
cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/
cp -a AUTHORS %{buildroot}%{_pkgdocdir}
%endif
# cache dir
@ -163,7 +123,7 @@ rm -rf %{buildroot}%{_libdir}/liblxc.la
rm -rf %{buildroot}%{_sbindir}/init.%{name}.static
rm -rf %{buildroot}%{_sysconfdir}/default/%{name}
%check
%make_build check
meson test -C build
%post
@ -177,7 +137,8 @@ rm -rf %{buildroot}%{_sysconfdir}/default/%{name}
%{_datadir}/%{name}/%{name}.functions
%dir %{_datadir}/bash-completion
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/lxc
%{_datadir}/bash-completion/completions/*
%files libs
%defattr(-,root,root)
%{_libdir}/liblxc.so
@ -196,10 +157,12 @@ rm -rf %{buildroot}%{_sysconfdir}/default/%{name}
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}-net.service
%{_unitdir}/%{name}-monitord.service
%dir %{_localstatedir}/cache/%{name}
%files devel
%defattr(-,root,root)
%{_libdir}/liblxc.a
%{_includedir}/%{name}/*
%{_libdir}/pkgconfig/%{name}.pc
%dir %{_datadir}/%{name}
@ -228,503 +191,8 @@ rm -rf %{buildroot}%{_sysconfdir}/default/%{name}
%endif
%changelog
* Mon Jul 10 2023 mzzhou<1362843687@qq.com> - 4.0.3-2022102421
* Thu Jul 13 2023 haozi007<liuhao27@huawei.com> - 5.0.2-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add secure compile macro
* Fri Jun 16 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102420
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix mount device path incorrect
* Sat May 06 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102419
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix load bpf failed
* Thu May 04 2023 Jian Zhang<zhang_jian7@hoperun.com> - 4.0.3-2022102418
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix lost return codes of spawned processe
* Fri Apr 21 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102417
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: remove unused meminfo stats
* Mon Apr 17 2023 wangrunze<wangrunze13@huawei.com> - 4.0.3-2022102416
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix mixed use of signed and unsigned type
* Thu Mar 30 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102415
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: use ocihooks env after getenv
* Sat Mar 04 2023 Wenlong Zhang<zhangwenlong@loongson.cn> - 4.0.3-2022102414
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add loongarch64 support for lxc
* Mon Feb 27 2023 Ilya.kuksenok<ilya.kuksenok@huawei.com> - 4.0.3-2022102413
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: Add meminfo required for CRI-1.25
* Wed Feb 22 2023 wangrunze<wangrunze13@huawei.com> - 4.0.3-2022102412
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix ops hierarchies cause coredump
* Wed Feb 22 2023 misaka00251 <liuxin@iscas.ac.cn> - 4.0.3-2022102411
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: fix RISC-V build errors
* Fri Feb 17 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102410
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: remove process inheritable capabilities
* Mon Feb 13 2023 jiangxinyu <jiangxinyu@kylinos.cn> - 4.0.3-2022102409
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:optimize test command
* Wed Feb 08 2023 huangsong<huangsong14@huawei.com> - 4.0.3-2022102408
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix lxc write error message
* Fri Jan 13 2023 wangrunze<wangrunze13@huawei.com> - 4.0.3-2022102407
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix cve CVE-2022-47952 log leaks root information
* Fri Dec 16 2022 huangsong<huangsong14@huawei.com> - 4.0.3-2022102406
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: change the suffi parameter in lxc attach --help output
* Thu Dec 08 2022 zhongtao<zhongtao17@huawei.com> - 4.0.3-2022102405
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add sscanf adapation code for musl
* Fri Dec 02 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102404
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add lxc-attach add-gids option
* Thu Nov 24 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102403
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add macro to adapt musl libc
* Wed Nov 9 2022 hejunjie<hejunjie10@huawei.com> - 4.0.3-2022102402
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: remove duplicated README and AUTHORS cross lxc-lib and lxc-help
* Mon Oct 24 2022 wuzx<wuzx1226@qq.com> - 4.0.3-2022102401
- Type:feature
- CVE:NA
- SUG:NA
- DESC:Add sw64 architecture
* Mon Oct 17 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022101701
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: update version to 4.0.3-2022101701
* Thu Sep 22 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022092201
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: skip kill cgroup processes if no hierarchies
* Tue Sep 20 2022 Neil.wrz<wangrunze13@huawei.com> - 4.0.3-2022092001
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: do mask pathes after parent mounted
* Fri Sep 2 2022 Neil.wrz<wangrunze13@huawei.com> - 4.0.3-2022090201
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix tools using -? option give error
* Thu Sep 1 2022 zhongtao<zhongtao17@huawei.com> - 4.0.3-2022090101
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add git config in apply-patches
* Sat Aug 20 2022 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2022082001
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: do not check rootfs.path, it may be null if rootfs is "/"
* Fri Aug 19 2022 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2022081901
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: return fail if no args or no rootfs path found
* Tue Aug 9 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022080901
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: only set user or image set non empty HOME
* Tue Jul 26 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022072601
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: drop security_context_t
* Mon Jul 25 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022072502
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: check yajl only when have isulad
* Mon Jul 25 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022072501
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix HOME env unset error
* Thu Jul 21 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022072104
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add header to fix compile error with have isulad
* Thu Jul 21 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022072103
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix compile error
* Thu Jul 21 2022 chengzeruizhi<chengzeruizhi@huawei.com> - 4.0.3-2022072102
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of json
* Thu Jul 21 2022 chengzeruizhi<chengzeruizhi@huawei.com> - 4.0.3-2022072101
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patches on terminal.c, start.c and others
* Tue Jul 19 2022 wangrunze<wangrunze13@huawei.com> - 4.0.3-2022071904
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor namespace terminal log
* Tue Jul 19 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022071903
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of attach and seccomp
* Tue Jul 19 2022 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2022071902
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of lxccontainer and so on
* Tue Jul 19 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022071901
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of isulad for selinux/attach
* Mon Jul 18 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022071801
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of isulad for conf/exec/attach and so on
* Fri Jul 15 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022071501
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of utils commands and so on
* Wed May 25 2022 hejunjie<hejunjie10@huawei.com> - 4.0.3-2022052501
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: correct license info
* Mon May 23 2022 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2022052301
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: do not operate playload and attach cgroup if no controller found
* Sat May 21 2022 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2022052101
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add x permission when create directory
* Fri Apr 15 2022 wujing<wujing50@huawei.com> - 4.0.3-2022041501
- Type:refactor
- ID:NA
- SUG:NA
- DESC: refactor the way to convert selinux label to shared mode
* Sat Apr 09 2022 wujing<wujing50@huawei.com> - 4.0.3-2022040901
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix bug of memory free
* Thu Mar 17 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022031701
- Type:improve
- ID:NA
- SUG:NA
- DESC: fix unnecessary print error message
* Mon Feb 21 2022 chegJH <hejunjie10@huawei.com> - 4.0.3-2022022101
- Type:improve
- ID:NA
- SUG:NA
- DESC: fix alwasy print and len
* Tue Feb 15 2022 chegJH <hejunjie10@huawei.com> - 4.0.3-2022021501
- Type:improve
- ID:NA
- SUG:NA
- DESC:changes for compile in android env
* Mon Dec 27 2021 haozi007 <liuhao27@huawei.com> - 4.0.3-2021122701
- Type:improve
- ID:NA
- SUG:NA
- DESC:adapt upstream compiler settings
* Thu Nov 25 2021 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2021112501
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix cgroup attach cgroup creation
* Fri Nov 19 2021 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2021111901
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:ensure that the idmap pointer itself is freed
* Thu Oct 21 2021 gaohuatao<gaohuatao@huawei.com> - 4.0.3-2021102101
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:disable lxc_keep
* Sun Sep 26 2021 chengzeruizhi<chengzeruizhi@huawei.com> - 4.0.3-2021092601
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:add dependencies under require field
* Fri Sep 17 2021 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2021091703
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix conf memory leak
* Fri Sep 17 2021 haozi007<liuhao27@huawei.com> - 4.0.3-2021091702
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:just use origin loop if do not have io
* Fri Sep 17 2021 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 4.0.3-2021091701
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:seccomp init and destroy notifier.cookie
* Thu Aug 26 2021 haozi007 <liuhao27@huawei.com> - 4.0.3-2021082601
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:add help info for new arguments
* Sat Jun 12 2021 lifeng <lifeng68@huawei.com> - 4.0.3-2021061201
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix coredump
* Tue Jun 01 2021 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 4.0.3-2021060101
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:adjust log level
* Thu May 13 2021 lifeng <lifeng68@huawei.com> - 4.0.3-2021051301
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:adjust log level
* Sat May 08 2021 haozi007 <liuhao27@huawei.com> - 4.0.3-2021050802
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:support long syslog tag
* Sat May 08 2021 wangfengtu <wangfengtu@huawei.com> - 4.0.3-2021050801
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:print error message if process workdir failed
* Wed Apr 07 2021 wangfengtu <wangfengtu@huawei.com> - 4.0.3-2021040701
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:some patches missing in series.conf
* Wed Mar 31 2021 wangfengtu <wangfengtu@huawei.com> - 4.0.3-2021033101
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: support cgroup v2
* Thu Mar 11 2021 wangfengtu <wangfengtu@huawei.com> - 4.0.3-2021031102
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: support isula exec --workdir
* Thu Jan 28 2021 lifeng <lifeng68@huawei.com> - 4.0.3-2021012801
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add inactive file total metrics
* Thu Jan 21 2021 lifeng <lifeng68@huawei.com> - 4.0.3-2021012001
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: fix io data miss when exec with pipes
* Tue Jan 05 2021 wujing <wujing50@huawei.com> - 4.0.3-2021010501
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: fix compilation errors without libcap
* Thu Dec 24 2020 wujing <wujing50@huawei.com> - 4.0.3-2020122401
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: Streaming IO solution optimization and enhancement
* Tue Dec 15 2020 lifeng <lifeng68@huawei.com> - 4.0.3-2020121501
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add get container metrics api to get the stat
* Mon Dec 07 2020 wujing <wujing50@huawei.com> - 4.0.3-2020120701
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: use path based unix domain sockets instead of abstract namespace sockets
* Fri Nov 27 2020 lifeng <lifeng68@openeuler.org> - 4.0.3-2020112701
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: mount: make possible to bind mount /proc and /sys/fs.
- 1. add check whether have /proc mounts entry, if has, skip the auto
- 2. mount cgroup before do mount entrys
- 3. pass if the mount on top of /proc and the source of the mount is a proc filesystem
* Fri Nov 13 2020 lifeng <lifeng68@openeuler.org> - 4.0.3-2020111701
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add make private for root.path parent
* Fri Nov 13 2020 lifeng <lifeng68@openeuler.org> - 4.0.3-2020111301
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: adjust log level from error to warn
* Tue Nov 3 2020 lifeng <lifeng68@openeuler.org> - 4.0.3-2020110301
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: 1. fix hook root dir error and refact cgroup
* Sat Oct 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.0.3-2020101001
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add patchs to series.conf
* Fri Sep 25 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.0.3-2020092501
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: Code optimization
* Fri Sep 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.0.3-2020091101
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: modify source0 address
* Wed Sep 02 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.0.3-2020090101
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: modify source0 address
* Mon Aug 03 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.0.3-2020080301
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: add debug packages
* Mon Apr 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.0.3-2020071501
- Type:enhancement
- ID:NA
- SUG:NA
- DESC: update lxc to 4.0.3
- DESC: update to 5.0.2