!539 sync patch from master to add fPIC compile option

From: @jikai11 
Reviewed-by: @taotao-sauce 
Signed-off-by: @taotao-sauce

0016-unfreeze-freezing-container-and-bugfix-for-files.lim.patch

@@ -0,0 +1,228 @@
+From 26e0dea1270556b08c37c20da9db229de664dbd1 Mon Sep 17 00:00:00 2001
+From: jikai <jikai11@huawei.com>
+Date: Fri, 23 Feb 2024 17:30:12 +0800
+Subject: [PATCH] unfreeze freezing container and bugfix for files.limit and
+ syscontainer
+
+1. container in the freezing state must be unfreeze
+https://gitee.com/src-openeuler/lxc/pulls/498
+
+2. bugfix for files.limit invalid
+should return false if failed to write cgroup.procs after max times,
+or will lead to files.limit invalid
+
+3. run oci-prestart hook before switch root
+In: https://gitee.com/src-openeuler/lxc/pulls/513, we move oci-prestart hook
+after sync_cgroup_limits, for sync_cgroup_limits will write a *:* rwm device rule
+which will lead the device rule we write in oci-prestart hook useless.
+However the modification move oci-prestart hook after change root.
+We restore the changes. Since setup_limits_legacy will do the a *:* rwm write,
+we only ensure that setup_limits_legacy executes before oci-prestart.
+
+Signed-off-by: jikai <jikai11@huawei.com>
+---
+ src/lxc/cgroups/cgfsng.c |  2 ++
+ src/lxc/conf.c           |  6 ++++
+ src/lxc/lxccontainer.c   |  7 +++++
+ src/lxc/start.c          | 61 +++++++++++++++++++++++++---------------
+ src/lxc/sync.c           |  6 ++--
+ src/lxc/sync.h           | 10 ++++---
+ 6 files changed, 62 insertions(+), 30 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 471c281..311bdf7 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -1889,6 +1889,8 @@ retry:
+ 				retry_count++;
+ 				goto retry;
+ 			}
++			SYSERROR("Failed to enter cgroup \"%s/cgroup.procs\"", h->path_con);
++			return false;
+ 		}
+ #else
+ 		ret = lxc_writeat(h->dfd_con, "cgroup.procs", pidstr, len);
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 595e605..9e7f6a2 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -4900,6 +4900,12 @@ int lxc_setup(struct lxc_handler *handler)
+ 	if (ret < 0)
+ 		return log_error(-1, "Failed to setup \"/dev\" symlinks");
+ 
++#ifdef HAVE_ISULAD
++	/* Ask parent to run oci prestart hooks and wait for him to finish. */
++	if (!lxc_sync_barrier_parent(handler, START_SYNC_OCI_PRESTART_HOOK)) {
++		return log_error(-1, "Failed to sync parent to start host hook");
++	}
++#endif
+ 	ret = lxc_setup_rootfs_switch_root(&lxc_conf->rootfs);
+ 	if (ret < 0)
+ 		return log_error(-1, "Failed to pivot root into rootfs");
+diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
+index 5720cf7..318b7f5 100644
+--- a/src/lxc/lxccontainer.c
++++ b/src/lxc/lxccontainer.c
+@@ -560,7 +560,14 @@ static bool do_lxcapi_unfreeze(struct lxc_container *c)
+ 		return false;
+ 
+ 	s = lxc_getstate(c->name, c->config_path);
++#ifdef HAVE_ISULAD
++	// Prevent lxc from unexpectedly exiting when executing freeze,
++	// causing the container to be in the FREEZING state,
++	// making normal life cycle management impossible.
++	if (s == FROZEN || s == FREEZING) {
++#else
+ 	if (s == FROZEN) {
++#endif
+ 		ret = cgroup_unfreeze(c->name, c->config_path, -1);
+ 		if (ret == -ENOCGROUP2)
+ 			ret = lxc_unfreeze(c->lxc_conf, c->name, c->config_path);
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 0a5cb26..2fea7b0 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -1643,11 +1643,6 @@ static int do_start(void *data)
+ 	}
+ 
+ #ifdef HAVE_ISULAD
+-	/* Ask father to run oci prestart hooks and wait for him to finish. */
+-	if (!lxc_sync_barrier_parent(handler, START_SYNC_OCI_PRESTART_HOOK)) {
+-		return log_error(-1, "Failed to sync parent to start host hook");
+-	}
+-
+ 	/* close pipes after sync fds */
+ 	/* isulad: dup2 pipe[0][0] to container stdin, pipe[1][1] to container stdout, pipe[2][1] to container stderr */
+ 	if (handler->disable_pty) {
+@@ -2383,7 +2378,9 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 		goto out_delete_net;
+ 	}
+ 
+-	if (!lxc_sync_wait_child(handler, START_SYNC_CGROUP_LIMITS))
++#ifdef HAVE_ISULAD
++	// OCI prestart hook should run before lxc_setup_rootfs_switch_root.
++	if (!lxc_sync_wait_child(handler, START_SYNC_OCI_PRESTART_HOOK))
+ 		goto out_delete_net;
+ 
+ 	/*
+@@ -2403,25 +2400,8 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 	}
+ 	TRACE("Set up cgroup2 device controller limits");
+ 
+-	cgroup_ops->finalize(cgroup_ops);
+-	TRACE("Finished setting up cgroups");
+-
+-	/* Run any host-side start hooks */
+-	ret = run_lxc_hooks(name, "start-host", conf, NULL);
+-	if (ret < 0) {
+-		ERROR("Failed to run lxc.hook.start-host");
+-		goto out_delete_net;
+-	}
+-
+-	if (!lxc_sync_wake_child(handler, START_SYNC_FDS))
+-		goto out_delete_net;
+-
+-#ifdef HAVE_ISULAD
+ 	// OCI prestart hook should run after setup_limits_legacy.
+ 	// Otherwise 'syscontainer-hooks' write devices rule will be useless.
+-	if (!lxc_sync_wait_child(handler, START_SYNC_OCI_PRESTART_HOOK))
+-		goto out_delete_net;
+-
+ 	/* isulad: Run oci prestart hook at here */
+ 	ret = run_oci_hooks(name, "oci-prestart", conf, lxcpath);
+ 	if (ret < 0) {
+@@ -2442,6 +2422,41 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 		goto out_delete_net;
+ #endif
+ 
++	if (!lxc_sync_wait_child(handler, START_SYNC_CGROUP_LIMITS))
++		goto out_delete_net;
++
++#ifndef HAVE_ISULAD
++	/*
++	 * With isolation the limiting devices cgroup was already setup, so
++	 * only setup devices here if we have no namespace directory.
++	 */
++	if (!handler->conf->cgroup_meta.namespace_dir &&
++	    !cgroup_ops->setup_limits_legacy(cgroup_ops, handler->conf, true)) {
++		ERROR("Failed to setup legacy device cgroup controller limits");
++		goto out_delete_net;
++	}
++	TRACE("Set up legacy device cgroup controller limits");
++
++	if (!cgroup_ops->devices_activate(cgroup_ops, handler)) {
++		ERROR("Failed to setup cgroup2 device controller limits");
++		goto out_delete_net;
++	}
++	TRACE("Set up cgroup2 device controller limits");
++#endif
++
++	cgroup_ops->finalize(cgroup_ops);
++	TRACE("Finished setting up cgroups");
++
++	/* Run any host-side start hooks */
++	ret = run_lxc_hooks(name, "start-host", conf, NULL);
++	if (ret < 0) {
++		ERROR("Failed to run lxc.hook.start-host");
++		goto out_delete_net;
++	}
++
++	if (!lxc_sync_wake_child(handler, START_SYNC_FDS))
++		goto out_delete_net;
++
+ 	if (handler->ns_unshare_flags & CLONE_NEWCGROUP) {
+ 		/* Now we're ready to preserve the cgroup namespace */
+ 		ret = lxc_try_preserve_namespace(handler, LXC_NS_CGROUP, "cgroup");
+diff --git a/src/lxc/sync.c b/src/lxc/sync.c
+index f156809..09d932b 100644
+--- a/src/lxc/sync.c
++++ b/src/lxc/sync.c
+@@ -66,16 +66,16 @@ static inline const char *start_sync_to_string(int state)
+ 		return "configure";
+ 	case START_SYNC_POST_CONFIGURE:
+ 		return "post-configure";
+-	case START_SYNC_CGROUP_LIMITS:
+-		return "cgroup-limits";
+ 	case START_SYNC_IDMAPPED_MOUNTS:
+ 		return "idmapped-mounts";
+-#ifdef HAVE_ISULAd
++#ifdef HAVE_ISULAD
+ 	case START_SYNC_OCI_PRESTART_HOOK:
+ 		return "oci-prestart-hook";
+ 	case START_SYNC_POST_OCI_PRESTART_HOOK:
+ 		return "post-oci-prestart-hook";
+ #endif
++	case START_SYNC_CGROUP_LIMITS:
++		return "cgroup-limits";
+ 	case START_SYNC_FDS:
+ 		return "fds";
+ 	case START_SYNC_READY_START:
+diff --git a/src/lxc/sync.h b/src/lxc/sync.h
+index b6080dd..6802d32 100644
+--- a/src/lxc/sync.h
++++ b/src/lxc/sync.h
+@@ -20,15 +20,17 @@ enum /* start */ {
+ 	START_SYNC_CONFIGURE		=  1,
+ 	START_SYNC_POST_CONFIGURE	=  2,
+ 	START_SYNC_IDMAPPED_MOUNTS	=  3,
+-	START_SYNC_CGROUP_LIMITS	=  4,
+-	START_SYNC_FDS			=  5,
+ #ifdef HAVE_ISULAD
+-	START_SYNC_OCI_PRESTART_HOOK = 6,
+-	START_SYNC_POST_OCI_PRESTART_HOOK = 7,
++	START_SYNC_OCI_PRESTART_HOOK = 4,
++	START_SYNC_POST_OCI_PRESTART_HOOK = 5,
++	START_SYNC_CGROUP_LIMITS	=  6,
++	START_SYNC_FDS			=  7,
+ 	START_SYNC_READY_START		=  8,
+ 	START_SYNC_RESTART		=  9,
+ 	START_SYNC_POST_RESTART		=  10,
+ #else
++	START_SYNC_CGROUP_LIMITS	=  4,
++	START_SYNC_FDS			=  5,
+ 	START_SYNC_READY_START		=  6,
+ 	START_SYNC_RESTART		=  7,
+ 	START_SYNC_POST_RESTART		=  8,
+-- 
+2.33.0
+

0017-fix-error-of-cc.compiles-on-aarch.patch

@@ -0,0 +1,29 @@
+From a65709b18943fd2f5859738c5000f22e07529967 Mon Sep 17 00:00:00 2001
+From: yuncang123 <1050706328@qq.com>
+Date: Sun, 15 Sep 2024 02:06:07 +0800
+Subject: [PATCH] fix-error-of-cc.compiles-on-aarch
+
+---
+ meson.build | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 1b2d673..1b4e369 100644
+--- a/meson.build
++++ b/meson.build
+@@ -538,7 +538,11 @@ int func (void) {
+ }
+ '''
+ 
+-have_func_strerror_r_char_p = cc.compiles(code, name : 'strerror_r() returns char *')
++    if cc.get_id() == 'clang'
++        have_func_strerror_r_char_p = cc.compiles(code, args : '-Wno-error=unused-command-line-argument', name : 'strerror_r() returns char *')
++    else
++        have_func_strerror_r_char_p = cc.compiles(code, name : 'strerror_r() returns char *')
++    endif
+ endif
+ 
+ srcconf.set10('STRERROR_R_CHAR_P', have_func_strerror_r_char_p)
+-- 
+2.43.0
+

0018-add-fPIC-compile-option.patch

@@ -0,0 +1,25 @@
+From 03e6b2afddf816e9931ae0eb463ead33ceaaea98 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Wed, 9 Oct 2024 10:12:34 +0800
+Subject: [PATCH] add fPIC compile option
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/meson.build b/meson.build
+index 05bcbb2..2954422 100644
+--- a/meson.build
++++ b/meson.build
+@@ -235,6 +235,7 @@ if want_isulad
+     yajldep = dependency('yajl', version : '>=2')
+     srcconf.set('HAVE_ISULAD', yajldep.found())
+     liblxc_dependencies += yajldep
++    possible_link_flags += ['-fPIC']
+ else
+     srcconf.set('HAVE_ISULAD', false)
+ endif
+-- 
+2.25.1
+

lxc.spec

@@ -1,5 +1,5 @@
-%global _release 12
-%global enable_isulad 1
+%global _release 17
+%bcond isulad 1
 
 Name:           lxc
 Version:        5.0.2
@@ -24,6 +24,9 @@ Patch0012:	0012-fix-dev-mount-failed-and-skip-send-recv-devpts_fd-if.patch
 Patch0013:	0013-ensure-cpuset-cgroup-built-while-writing-cgroup.proc.patch
 Patch0014:	0014-fix-cpuset-cgroup-error.patch
 Patch0015:	0015-append-mntopt-to-mntdata-if-not-found-in-mount_opt.patch
+Patch0016:	0016-unfreeze-freezing-container-and-bugfix-for-files.lim.patch
+Patch0017: 	0017-fix-error-of-cc.compiles-on-aarch.patch
+Patch0018:	0018-add-fPIC-compile-option.patch
 
 BuildRequires:  systemd-units git libtool graphviz docbook2X doxygen chrpath
 BuildRequires:  pkgconfig(libseccomp)
@@ -87,11 +90,13 @@ This package contains documentation for lxc for creating containers.
 %ifarch riscv64
 export LDFLAGS="%{build_ldflags} -latomic -pthread"
 %endif
-%if 0%{?enable_isulad}
-meson setup -Disulad=true -Dtests=true -Dprefix=/usr build
-%else
-meson setup -Disulad=false -Dtests=true -Dprefix=/usr build
+meson setup \
+    %{?with_isulad:-Disulad=true} \
+    %{!?with_isulad:-Disulad=false} \
+%if "%{?toolchain}" == "clang"
+    -Db_lto=false \
 %endif
+    -Dprefix=/usr build
 meson compile -C build
 
 %install
@@ -192,7 +197,7 @@ meson test -C build
 %{_datadir}/%{name}/config/*
 %dir %{_datadir}/%{name}/__pycache__
 %{_datadir}/%{name}/__pycache__/*
-%if !0%{?enable_isulad}
+%if %{without isulad}
 %{_datadir}/%{name}/hooks
 %endif
 
@@ -211,6 +216,36 @@ meson test -C build
 %endif
 
 %changelog
+* Mon Nov 25 2024 jikai <jikai11@huawei.com> - 5.0.2-17
+- Type: bugfix
+- ID:NA
+- SUG:NA
+- DESC: sync patch from master to add fPIC compile option
+
+* Sun Sep 15 2024 yuanchao <1050706328@qq.com> - 5.0.2-16
+- Type: bugfix
+- ID:NA
+- SUG:NA
+- DESC: fix error of cc.compiles in meson.build on aarch cased by '-fstack-clash-protection' and '-Werror'
+
+* Mon Jul 29 2024 jikai <jikai11@huawei.com> - 5.0.2-15
+- Type: bugfix
+- ID:NA
+- SUG:NA
+- DESC: disable tests while building lxc
+
+* Mon Mar 11 2024 jchzhou <zhoujiacheng@iscas.ac.cn> - 5.0.2-14
+- Type: bugfix
+- ID:NA
+- SUG:NA
+- DESC: update meson parameters for disabling LTO when building with clang & ld.bfd
+
+* Mon Feb 26 2024 jikai<jikai11@huawei.com> - 5.0.2-13
+- Type: bugfix
+- ID:NA
+- SUG:NA
+- DESC: unfreeze freezing container and bugfix for files.limit and syscontainer
+
 * Thu Feb 22 2024 jikai<jikai11@huawei.com> - 5.0.2-12
 - Type: bugfix
 - ID:NA