Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package lxc for openSUSE:Factory checked in at 2024-12-22 18:03:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lxc (Old) and /work/SRC/openSUSE:Factory/.lxc.new.1881 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc" Sun Dec 22 18:03:43 2024 rev:110 rq:1232909 version:6.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2024-09-24 17:35:12.953951136 +0200 +++ /work/SRC/openSUSE:Factory/.lxc.new.1881/lxc.changes 2024-12-22 18:04:00.147270307 +0100 
@@ -1,0 +2,37 @@ +Fri Dec 20 05:52:32 UTC 2024 - Johannes Kastl <[email protected]> + +- update to 6.0.3: + The LXC team is pleased to announce the release of LXC 6.0.3! + This is the third bugfix release for LXC 6.0 which is supported + until June 2029. + As usual this bugfix releases focus on stability and hardening. + * Changes + - Added support for PuzzleFS images in lxc-oci + - SIGHUP is now propagated through lxc.init + - Reworked testsuite including support for 64-bit Arm + * Detailed changelog + - meson.build: add -ffat-lto-objects + - meson.build: drop suggest-attribute=noreturn build option + - Add suppport for PuzzleFS images in the oci template + - create_run_template: don't use txtuid and txtguid out of + scope + - Avoid null pointer dereference when using shared rootfs. + rootfs->storage not set by lxc_storage_prepare when using a + shared rootfs. + - meson: fix minor typo + - lxc-net: Replace random IPv6 subnet + - fix return code of recursive all of cgroup_tree_prune + - lxccontainer: fix enter_net_ns helper to work when netns is + inherited + - lxc.init: Switch to sigaction + - lxc.init: Ignore user signals coming from inside the + contianer + - lxc.init: Allow SIGHUP from outside the container + - github: Update coverity workflow + - github: Introduce shared build logic + - github: Introduce shared testsuite logic + - github: Rework test workflow + - github: Cleanup OSS-fuzz + - github: Improve progress reporting + +------------------------------------------------------------------- Old: ---- lxc-6.0.2.tar.gz lxc-6.0.2.tar.gz.asc New: ---- lxc-6.0.3.tar.gz lxc-6.0.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ --- /var/tmp/diff_new_pack.0G1SVe/_old 2024-12-22 18:04:01.127310556 +0100 +++ /var/tmp/diff_new_pack.0G1SVe/_new 2024-12-22 18:04:01.131310720 +0100 
@@ -18,7 +18,7 @@ %define shlib_version 1 Name: lxc -Version: 6.0.2 +Version: 6.0.3 Release: 0 URL: http://linuxcontainers.org/ Summary: Userspace tools for Linux kernel containers ++++++ lxc-6.0.2.tar.gz -> lxc-6.0.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/actions/build/action.yml new/lxc-6.0.3/.github/actions/build/action.yml --- old/lxc-6.0.2/.github/actions/build/action.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/lxc-6.0.3/.github/actions/build/action.yml 2024-12-19 16:48:59.000000000 +0100 
@@ -0,0 +1,79 @@ +name: Build LXC +description: Install dependencies and build the codebase +inputs: + compiler: + required: true + os: + required: true + variant: + required: true + +runs: + using: "composite" + steps: + - name: Install dependencies + shell: bash + run: | + echo "::group::Installing dependencies" + + sudo apt-get update -qq + sudo apt-get install -qq \ + ${{ inputs.compiler }} \ + meson \ + pkg-config \ + uuid-runtime \ + docbook2x \ + linux-libc-dev \ + llvm \ + libapparmor-dev \ + libcap-dev \ + libdbus-1-dev \ + libpam0g-dev \ + libseccomp-dev \ + libselinux1-dev + + echo "::endgroup::" + + - name: Compiler version + shell: bash + env: + CC: ${{ inputs.compiler }} + run: | + echo "::group::Compiler version" + + ${CC} --version + + echo "::endgroup::" + + - name: Build + shell: bash + env: + CC: ${{ inputs.compiler }} + run: | + echo "::group::Building LXC" + + # Standard build + if [ "${{ inputs.variant }}" = "default" ]; then + meson setup build \ + -Dprefix=/usr \ + -Dtests=true \ + -Dpam-cgroup=true \ + -Dtools-multicall=true \ + -Dwerror=true \ + -Db_lto_mode=default + elif [ "${{ inputs.variant }}" = "sanitizer" ]; then + meson setup build \ + -Dprefix=/usr \ + -Dtests=true \ + -Dpam-cgroup=true \ + -Dtools-multicall=true \ + -Dwerror=true \ + -Db_lto_mode=default \ + -Dio-uring-event-loop=false \ + -Db_lundef=false \ + -Db_sanitize=address,undefined + fi + + meson compile -C build + + echo "::endgroup::" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/actions/testsuite/action.yml new/lxc-6.0.3/.github/actions/testsuite/action.yml --- old/lxc-6.0.2/.github/actions/testsuite/action.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/lxc-6.0.3/.github/actions/testsuite/action.yml 2024-12-19 16:48:59.000000000 +0100 
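Review bot: In the Install dependencies and Build steps, `${{ inputs.compiler }}` and `${{ inputs.variant }}` are expanded by the Actions template engine straight into the `run:` script text, whereas the Compiler version and Build steps already route the compiler through `env: CC:`. These inputs only come from the calling workflow's own matrix, so the exposure is low, but interpolating into shell source is the pattern GitHub documents as script injection; passing `variant` the same way (`env: VARIANT: ${{ inputs.variant }}` and `if [ "${VARIANT}" = "default" ]; then`) keeps the action consistent and quoting-safe. The `if`/`elif` has no `else`, so an unknown variant silently skips `meson setup` and the step fails later at `meson compile -C build` with an unrelated error; an `else` that prints the unknown variant and exits non-zero would make the failure obvious.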
@@ -0,0 +1,82 @@ +name: Test suite +description: Runs the testsuite +inputs: + compiler: + required: true + os: + required: true + variant: + required: true +runs: + using: "composite" + steps: + - name: Build LXC + uses: ./.github/actions/build + with: + compiler: ${{ inputs.compiler }} + os: ${{ inputs.os }} + variant: ${{ inputs.variant }} + + - name: Remove existing installation + shell: bash + run: | + echo "::group::Removing existing installation" + + sudo apt-get remove --purge -qq \ + liblxc1 \ + liblxc-common \ + liblxc-dev \ + lxc-utils + + echo "::endgroup::" + + - name: Install dependencies + shell: bash + run: | + echo "::group::Installing dependencies" + + sudo apt-get install --purge -qq \ + apparmor \ + acl \ + busybox-static \ + dnsmasq-base \ + iptables \ + rsync \ + uidmap + + echo "::endgroup::" + + - name: Test + shell: bash + env: + CC: ${{ inputs.compiler }} + run: | + echo "::group::Running the testsuite" + + # Install LXC on the system + sudo meson install -C build + + if [ "${{ inputs.variant }}" = "sanitizer" ]; then + # Set sanitizer configuration + export ASAN_OPTIONS="detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:strict_string_checks=1:detect_odr_violation=0" + export UBSAN_OPTIONS="print_stacktrace=1:print_summary=1:halt_on_error=1" + + # Disable problematic tests + sudo rm /usr/bin/lxc-test-concurrent + sudo rm /usr/bin/lxc-test-share-ns + fi + + # Bring up systemd units + sudo sed -i 's/USE_LXC_BRIDGE="false"/USE_LXC_BRIDGE="true"/' /etc/default/lxc + sudo systemctl daemon-reload + sudo systemctl restart apparmor + sudo systemctl restart lxc-net + + # Undo default ACLs from Github + sudo setfacl -b -R /home + + # Run the testsuite + git clone --depth=1 https://github.com/lxc/lxc-ci + sudo -E lxc-ci/deps/lxc-exercise + + echo "::endgroup::" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/build.yml 
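Review bot: The Test step runs `git clone --depth=1 https://github.com/lxc/lxc-ci` and then `sudo -E lxc-ci/deps/lxc-exercise`, so whatever is at the tip of that repository's default branch at run time executes as root on the runner; pinning the clone to a specific revision (a tag via `--branch`, or a full clone followed by checking out a known commit) makes the test run reproducible and not dependent on a second repository's history. The removed sanitizers.sh wrapped the same command in `timeout 30m`; nothing in the new step bounds it, so a hung test holds the job until the runner's global timeout. As in the build action, `${{ inputs.variant }}` is interpolated into the script rather than passed through `env:` the way `CC` is.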
new/lxc-6.0.3/.github/workflows/build.yml --- old/lxc-6.0.2/.github/workflows/build.yml 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/.github/workflows/build.yml 1970-01-01 01:00:00.000000000 +0100 @@ -1,62 +0,0 @@ -name: Simple test build -on: - - push - - pull_request -permissions: - contents: read - -jobs: - test: - strategy: - fail-fast: false - matrix: - compiler: - - gcc - - clang - os: - - ubuntu-22.04 - - ubuntu-24.04 - # temporary workaround for https://bugs.launchpad.net/ubuntu/+source/llvm-toolchain-18/+bug/2064187 - exclude: - - compiler: clang - os: ubuntu-24.04 - runs-on: ${{ matrix.os }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install dependencies - run: | - sudo apt-get update -qq - sudo apt-get install -qq gcc clang meson llvm - sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev - - - name: Compiler version - env: - CC: ${{ matrix.compiler }} - run: | - ${CC} --version - - - name: Kernel version - run: | - uname -a - - - name: Mount table - run: | - findmnt - - - name: Build - env: - CC: ${{ matrix.compiler }} - run: | - # Standard build - meson setup build \ - -Dtests=true \ - -Dpam-cgroup=true \ - -Dtools-multicall=true \ - -Dwerror=true \ - -Db_lto_mode=default - ninja -C build - DESTDIR=build_install ninja -C build install diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/cifuzz.yml new/lxc-6.0.3/.github/workflows/cifuzz.yml --- old/lxc-6.0.2/.github/workflows/cifuzz.yml 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/.github/workflows/cifuzz.yml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,46 +0,0 @@ -name: Fuzzing with OSS-fuzz -on: - push: - pull_request: - paths: - - '**/meson.build' - - '.github/workflows/**' - - 'meson_options.txt' - - 'src/**' - branches: - - main -permissions: - contents: read -jobs: - Fuzzing: - runs-on: ubuntu-24.04 - if: github.repository == 'lxc/lxc' - strategy: - fail-fast: false - matrix: - sanitizer: [address, undefined, memory] - steps: - - name: Install dependencies not yet listed in ubuntu pkg source - run: | - sudo apt-get install -qq libdbus-1-dev - - name: Build Fuzzers (${{ matrix.sanitizer }}) - id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master - with: - oss-fuzz-project-name: 'lxc' - dry-run: false - allowed-broken-targets-percentage: 0 - sanitizer: ${{ matrix.sanitizer }} - - name: Run Fuzzers (${{ matrix.sanitizer }}) - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master - with: - oss-fuzz-project-name: 'lxc' - fuzz-seconds: 360 - dry-run: false - sanitizer: ${{ matrix.sanitizer }} - - name: Upload Crash - uses: actions/upload-artifact@v4 - if: failure() && steps.build.outcome == 'success' - with: - name: ${{ matrix.sanitizer }}-artifacts - path: ./out/artifacts diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/coverity.yml new/lxc-6.0.3/.github/workflows/coverity.yml --- old/lxc-6.0.2/.github/workflows/coverity.yml 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/.github/workflows/coverity.yml 2024-12-19 16:48:59.000000000 +0100 @@ -1,14 +1,17 @@ -name: Coverity build and upload +name: Coverity on: push: branches: - main + permissions: contents: read jobs: - test: + coverity: + name: Build and upload runs-on: ubuntu-24.04 + if: github.repository == 'lxc/lxc' steps: - name: Checkout code uses: actions/checkout@v4 
@@ -27,18 +30,6 @@ sudo apt-get install -qq gcc clang meson sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev - - name: Compiler version - run: | - gcc --version - - - name: Kernel version - run: | - uname -a - - - name: Mount table - run: | - findmnt - - name: Run coverity run: | # Configure @@ -51,14 +42,14 @@ # Build cov-build --dir cov-int ninja -C ${BUILD} - tar czvf lxc.tgz cov-int + tar czvf upload.tgz cov-int # Submit the results curl \ --form project=lxc/lxc \ --form token=${TOKEN} \ --form [email protected] \ - --form [email protected] \ + --form [email protected] \ --form version=main \ --form description="${GITHUB_SHA}" \ https://scan.coverity.com/builds?project=lxc/lxc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/fuzzing.yml new/lxc-6.0.3/.github/workflows/fuzzing.yml --- old/lxc-6.0.2/.github/workflows/fuzzing.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/lxc-6.0.3/.github/workflows/fuzzing.yml 2024-12-19 16:48:59.000000000 +0100 
@@ -0,0 +1,44 @@ +name: Fuzzing +on: + push: + branches: + +permissions: + contents: read + +jobs: + fuzzing: + name: OSS-Fuzz + runs-on: ubuntu-24.04 + if: github.repository == 'lxc/lxc' + strategy: + fail-fast: false + matrix: + sanitizer: + - address + - undefined + - memory + steps: + - name: Build Fuzzers (${{ matrix.sanitizer }}) + id: build + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + with: + oss-fuzz-project-name: 'lxc' + dry-run: false + allowed-broken-targets-percentage: 0 + sanitizer: ${{ matrix.sanitizer }} + + - name: Run Fuzzers (${{ matrix.sanitizer }}) + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + with: + oss-fuzz-project-name: 'lxc' + fuzz-seconds: 360 + dry-run: false + sanitizer: ${{ matrix.sanitizer }} + + - name: Upload Crash + uses: actions/upload-artifact@v4 + if: failure() && steps.build.outcome == 'success' + with: + name: ${{ matrix.sanitizer }}-artifacts + path: ./out/artifacts diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/sanitizers.sh new/lxc-6.0.3/.github/workflows/sanitizers.sh --- old/lxc-6.0.2/.github/workflows/sanitizers.sh 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/.github/workflows/sanitizers.sh 1970-01-01 01:00:00.000000000 +0100 
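Review bot: `on: push: branches:` is left with no entries, while the removed cifuzz.yml had `branches: - main`; as written the filter is an empty value, and whether the runner treats that as "no filter" or rejects the workflow is not something the hunk shows, so the list should be restored explicitly as `branches: - main`. The `pull_request` trigger the old workflow had is also gone, so fuzz builds no longer gate pull requests; if that is intended, a one-line comment saying so would stop the next reader from re-adding it. The two `google/oss-fuzz/infra/cifuzz/actions/...@master` references (carried over from the old file) track a mutable branch; pinning them to a commit SHA is the standard mitigation for third-party actions.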
@@ -1,54 +0,0 @@ -#!/bin/bash -set -eux -set -o pipefail - -export ASAN_OPTIONS=detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:strict_string_checks=1 - -# https://github.com/lxc/lxc/issues/3757 -ASAN_OPTIONS="$ASAN_OPTIONS:detect_odr_violation=0" - -export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 - -apt-get update -qq -apt-get install --yes --no-install-recommends \ - apparmor bash-completion bridge-utils build-essential \ - busybox-static clang cloud-image-utils curl dbus debhelper debootstrap \ - devscripts dnsmasq-base docbook2x doxygen ed fakeroot file gcc graphviz \ - git iptables meson net-tools libapparmor-dev libcap-dev libgnutls28-dev liblua5.2-dev \ - libpam0g-dev libseccomp-dev libselinux1-dev libtool linux-libc-dev \ - llvm lsb-release make openssl pkg-config python3-all-dev \ - python3-setuptools rsync squashfs-tools uidmap unzip uuid-runtime \ - wget xz-utils systemd-coredump libdbus-1-dev -apt-get remove --yes lxc-utils liblxc-common liblxc1 liblxc-dev - -ARGS="-Dprefix=/usr -Dtests=true -Dpam-cgroup=false -Dwerror=true -Dio-uring-event-loop=false -Db_lto_mode=default -Db_lundef=false" -case "$CC" in clang*) - ARGS="$ARGS -Db_sanitize=address,undefined" -esac -meson setup san_build $ARGS -ninja -C san_build -ninja -C san_build install - -cat <<'EOF' >/usr/bin/lxc-test-share-ns -#!/bin/bash -printf "The test is skipped due to https://github.com/lxc/lxc/issues/3798.\n" -EOF - -mv /usr/bin/{lxc-test-concurrent,test-concurrent.orig} -cat <<EOF >/usr/bin/lxc-test-concurrent -#!/bin/bash -printf "Memory leaks are ignored due to https://github.com/lxc/lxc/issues/3788.\n" -ASAN_OPTIONS=$ASAN_OPTIONS:detect_leaks=0 UBSAN_OPTIONS=$UBSAN_OPTIONS /usr/bin/test-concurrent.orig -EOF -chmod +x /usr/bin/lxc-test-concurrent - -sed -i 's/USE_LXC_BRIDGE="false"/USE_LXC_BRIDGE="true"/' /etc/default/lxc -systemctl daemon-reload -systemctl restart apparmor -systemctl restart lxc-net - -# Undo default ACLs from 
Github -setfacl -b -R /home - -git clone --depth=1 https://github.com/lxc/lxc-ci -timeout 30m bash -x lxc-ci/deps/lxc-exercise diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/sanitizers.yml new/lxc-6.0.3/.github/workflows/sanitizers.yml --- old/lxc-6.0.2/.github/workflows/sanitizers.yml 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/.github/workflows/sanitizers.yml 1970-01-01 01:00:00.000000000 +0100 @@ -1,43 +0,0 @@ -name: Sanitizers build -on: - - push - - pull_request -permissions: - contents: read - -jobs: - sanitizers: - strategy: - fail-fast: false - matrix: - compiler: - - gcc - - clang - runs-on: ubuntu-22.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install dependencies - run: | - sudo apt-get update -qq - sudo apt-get install -qq gcc clang meson llvm - sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev - - - name: Compiler version - env: - CC: ${{ matrix.compiler }} - run: | - ${CC} --version - - - name: Kernel version - run: | - uname -a - - - name: Mount table - run: | - findmnt - - - name: Build - run: | - sudo CC=${{ matrix.compiler }} CXX=${{ matrix.compiler }}++ .github/workflows/sanitizers.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/static-analysis.yml new/lxc-6.0.3/.github/workflows/static-analysis.yml --- old/lxc-6.0.2/.github/workflows/static-analysis.yml 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/.github/workflows/static-analysis.yml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,30 +0,0 @@ -name: Static analysis -on: - - push - - pull_request -permissions: - contents: read - -jobs: - test: - runs-on: ubuntu-24.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install dependencies - run: | - sudo apt-get update -qq - sudo apt-get install -qq coccinelle - - - name: Confirm coccinelle output is clean - run: | - ./coccinelle/run-coccinelle.sh -i - git diff --exit-code - - - name: Confirm apparmor profile is up to date - run: | - cd config/apparmor/ - ./lxc-generate-aa-rules.py container-rules.base > container-rules - cat abstractions/container-base.in container-rules > abstractions/container-base - git diff --exit-code diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/.github/workflows/tests.yml new/lxc-6.0.3/.github/workflows/tests.yml --- old/lxc-6.0.2/.github/workflows/tests.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/lxc-6.0.3/.github/workflows/tests.yml 2024-12-19 16:48:59.000000000 +0100 
@@ -0,0 +1,92 @@ +name: Tests +on: + - push + - pull_request + +permissions: + contents: read + +jobs: + code-tests: + name: Code + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install dependencies + run: | + sudo apt-get update -qq + sudo apt-get install -qq coccinelle + + - name: Confirm coccinelle output is clean + run: | + ./coccinelle/run-coccinelle.sh -i + git diff --exit-code + + - name: Confirm apparmor profile is up to date + run: | + cd config/apparmor/ + ./lxc-generate-aa-rules.py container-rules.base > container-rules + cat abstractions/container-base.in container-rules > abstractions/container-base + git diff --exit-code + + testsuite-hosted: + name: Test suite (x86_64) + strategy: + fail-fast: false + matrix: + compiler: + - gcc + - clang + os: + - ubuntu-22.04 + - ubuntu-24.04 + variant: + - default + - sanitizer + exclude: + - variant: sanitizer + compiler: gcc + runs-on: ${{ matrix.os }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run the testsuite + uses: ./.github/actions/testsuite + with: + compiler: ${{ matrix.compiler }} + os: ${{ matrix.os }} + variant: ${{ matrix.variant }} + + testsuite-self-hosted: + name: Test suite (aarch64) + strategy: + fail-fast: false + matrix: + compiler: + - gcc + - clang + os: + - ubuntu-22.04 + - ubuntu-24.04 + variant: + - default + runs-on: + - self-hosted + - cpu-4 + - mem-4G + - disk-50G + - arch-arm64 + - image-${{ matrix.os }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run the testsuite + uses: ./.github/actions/testsuite + with: + compiler: ${{ matrix.compiler }} + os: ${{ matrix.os }} + variant: ${{ matrix.variant }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/config/init/common/lxc-net.in new/lxc-6.0.3/config/init/common/lxc-net.in --- old/lxc-6.0.2/config/init/common/lxc-net.in 2024-09-16 17:52:57.000000000 +0200 +++ 
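Review bot: `testsuite-self-hosted` runs on `self-hosted` runners and the workflow triggers on `pull_request`, so the test suite (which, via the testsuite action, installs packages and runs `lxc-exercise` under `sudo`) executes on project-owned machines for any pull request, including ones from forks; unless those runners are ephemeral and isolated, the job wants a guard such as `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository`. Note that the `if: github.repository == 'lxc/lxc'` check used in fuzzing.yml would not help here, because `github.repository` is the base repository even for fork pull requests. The hosted and self-hosted jobs repeat the same matrix and checkout/testsuite steps, which is acceptable, but a comment on why the `sanitizer` variant is only exercised on x86_64 would save the next reader a guess.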
new/lxc-6.0.3/config/init/common/lxc-net.in 2024-12-19 16:48:59.000000000 +0100 @@ -21,9 +21,9 @@ LXC_USE_NFT="true" # IPv6 connectivity -LXC_IPV6_ADDR="fc11:4514:1919:810::1" +LXC_IPV6_ADDR="fc42:5009:ba4b:5ab0::1" LXC_IPV6_MASK="64" -LXC_IPV6_NETWORK="fc11:4514:1919:810::/64" +LXC_IPV6_NETWORK="fc42:5009:ba4b:5ab0::/64" LXC_IPV6_NAT="true" [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/meson.build new/lxc-6.0.3/meson.build --- old/lxc-6.0.2/meson.build 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/meson.build 2024-12-19 16:48:59.000000000 +0100 @@ -4,7 +4,7 @@ project( 'lxc', 'c', - version: '6.0.2', + version: '6.0.3', license: 'LGPLv2+', default_options: [ 'b_lto=true', @@ -30,7 +30,7 @@ version_data = configuration_data() version_data.set('LXC_VERSION_MAJOR', '6') version_data.set('LXC_VERSION_MINOR', '0') -version_data.set('LXC_VERSION_MICRO', '2') +version_data.set('LXC_VERSION_MICRO', '3') version_data.set('LXC_VERSION_BETA', '') version_data.set('LXC_ABI', liblxc_version) version_data.set('LXC_DEVEL', '0') @@ -204,7 +204,6 @@ '-Wunused-but-set-variable', '-Wno-unused-parameter', '-Wfloat-equal', - '-Wsuggest-attribute=noreturn', '-Werror=return-type', '-Werror=incompatible-pointer-types', '-Wformat=2', @@ -249,6 +248,9 @@ '-Wno-gnu-variable-sized-type-not-at-end', ] endif +possible_cc_flags += [ + '-ffat-lto-objects', +] if meson.version().version_compare('>=0.46') add_project_link_arguments(cc.get_supported_link_arguments(possible_link_flags), language: 'c') 
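Review bot: The new prefix `fc42:5009:ba4b:5ab0::/64` (and the `LXC_IPV6_ADDR` derived from it) is in fc00::/8, which RFC 4193 reserves for centrally assigned ULAs (L bit = 0); locally generated ULA prefixes are meant to be fd00::/8 with the following 40 bits random, so a `fd..:` value would match both the RFC and the changelog's "random IPv6 subnet" intent. The old value had the same property, so this is not a regression, but since the address is being changed anyway it is the moment to fix it. The hunk shows these defaults can still be overridden by `$distrosysconfdir/lxc`, so deployments that already set their own prefix are unaffected either way.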
@@ -689,7 +691,7 @@ if cc.get_define('FS_CONFIG_SET_CMD_CREATE', prefix: decl_headers) != '' srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_CREATE'.underscorify().to_upper(), true) - found_types += 'FS_CONFIG_SET_CMD_CREAT (sys/mount.h)' + found_types += 'FS_CONFIG_SET_CMD_CREATE (sys/mount.h)' else srcconf.set10('HAVE_' + 'FS_CONFIG_SET_CMD_CREATE'.underscorify().to_upper(), false) missing_types += 'FS_CONFIG_SET_CMD_CREATE (sys/mount.h)' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/src/lxc/cgroups/cgroup_utils.c new/lxc-6.0.3/src/lxc/cgroups/cgroup_utils.c --- old/lxc-6.0.2/src/lxc/cgroups/cgroup_utils.c 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/src/lxc/cgroups/cgroup_utils.c 2024-12-19 16:48:59.000000000 +0100 @@ -83,7 +83,7 @@ ret = cgroup_tree_prune(dfd_dup, direntp->d_name); if (ret < 0) - return -errno; + return ret; } ret = unlinkat(dfd, path, AT_REMOVEDIR); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/src/lxc/conf.c new/lxc-6.0.3/src/lxc/conf.c --- old/lxc-6.0.2/src/lxc/conf.c 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/src/lxc/conf.c 2024-12-19 16:48:59.000000000 +0100 @@ -341,6 +341,10 @@ ret = lxc_storage_prepare(conf); if (ret) return syserror_set(-EINVAL, "Failed to prepare rootfs storage"); + + if (!rootfs->storage) + return log_trace(0, "Not pinning because container does not have storage"); + type = rootfs->storage->type; if (!type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/src/lxc/initutils.c new/lxc-6.0.3/src/lxc/initutils.c --- old/lxc-6.0.2/src/lxc/initutils.c 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/src/lxc/initutils.c 2024-12-19 16:48:59.000000000 +0100 
@@ -425,8 +425,13 @@ static sig_atomic_t was_interrupted; -static void interrupt_handler(int sig) +static void interrupt_handler(int sig, siginfo_t *info, void *context) { + // Only forward signals if they didn't originate from our own PID + // namespace and if no other signal is already being processed. + if (info->si_code == SI_USER && info->si_pid > 1) + return; + if (!was_interrupted) was_interrupted = sig; } @@ -528,8 +533,8 @@ if (ret < 0) exit(EXIT_FAILURE); - act.sa_flags = 0; - act.sa_handler = interrupt_handler; + act.sa_flags = SA_SIGINFO; + act.sa_sigaction = interrupt_handler; for (i = 1; i < NSIG; i++) { /* Exclude some signals: ILL, SEGV and BUS are likely to reveal @@ -632,17 +637,6 @@ switch (was_interrupted) { case 0: - /* Some applications send SIGHUP in order to get init to reload - * its configuration. We don't want to forward this onto the - * application itself, because it probably isn't expecting this - * signal since it was expecting init to do something with it. - * - * Instead, let's explicitly ignore it here. The actual - * terminal case is handled in the monitor's handler, which - * sends this task a SIGTERM in the case of a SIGHUP, which is - * what we want. - */ - case SIGHUP: break; case SIGPWR: case SIGTERM: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/src/lxc/lxccontainer.c new/lxc-6.0.3/src/lxc/lxccontainer.c --- old/lxc-6.0.2/src/lxc/lxccontainer.c 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/src/lxc/lxccontainer.c 2024-12-19 16:48:59.000000000 +0100 @@ -1455,7 +1455,7 @@ if (!list_empty(&conf->id_map)) { int extraargs, hostuid_mapped, hostgid_mapped; char **n2; - char txtuid[20], txtgid[20]; + char *txtuid = NULL, *txtgid = NULL; struct id_map *map; int n2args = 1; 
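Review bot: The new guard in `interrupt_handler` only drops signals whose `si_code` is `SI_USER`, i.e. plain `kill(2)`; a sender that uses `sigqueue(3)` (`SI_QUEUE`) or `tkill`/`tgkill` (`SI_TKILL`) also populates `si_pid` yet still reaches the forwarding path, so the "ignore user signals coming from inside the container" intent is only partly enforced — `if ((info->si_code == SI_USER || info->si_code == SI_QUEUE || info->si_code == SI_TKILL) && info->si_pid > 1) return;` covers the user-originated codes. The comment above the check should also state the property it relies on, namely that a sender outside this init's PID namespace has no PID there and is reported with `si_pid == 0` (see pid_namespaces(7)) while `si_pid == 1` is lxc.init itself, which is why `> 1` means "inside the container". With `case SIGHUP:` removed from `switch (was_interrupted)` in the third hunk, SIGHUP now takes whichever branch follows the shown cases; that switch continues past the hunk, so the forwarding behaviour should be confirmed there rather than assumed from this change.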
@@ -1556,6 +1556,12 @@ /* note n2[n2args-1] is NULL */ n2[n2args - 5] = "--mapped-uid"; + txtuid = malloc(20); + if (!txtuid) { + free(newargv); + free(n2); + _exit(EXIT_FAILURE); + } ret = strnprintf(txtuid, 20, "%d", hostuid_mapped); if (ret < 0) { free(newargv); @@ -1566,6 +1572,12 @@ n2[n2args - 4] = txtuid; n2[n2args - 3] = "--mapped-gid"; + txtgid = malloc(20); + if (!txtgid) { + free(newargv); + free(n2); + _exit(EXIT_FAILURE); + } ret = strnprintf(txtgid, 20, "%d", hostgid_mapped); if (ret < 0) { free(newargv); @@ -2207,17 +2219,23 @@ static inline bool enter_net_ns(struct lxc_container *c) { + bool net_ns_entered; pid_t pid = do_lxcapi_init_pid(c); if (pid < 0) return false; + net_ns_entered = switch_to_ns(pid, "net"); + if ((geteuid() != 0 || (c->lxc_conf && !list_empty(&c->lxc_conf->id_map))) && (access("/proc/self/ns/user", F_OK) == 0)) if (!switch_to_ns(pid, "user")) return false; - return switch_to_ns(pid, "net"); + if (!net_ns_entered) + return switch_to_ns(pid, "net"); + + return true; } /* Used by qsort and bsearch functions for comparing names. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-6.0.2/templates/lxc-oci.in new/lxc-6.0.3/templates/lxc-oci.in --- old/lxc-6.0.2/templates/lxc-oci.in 2024-09-16 17:52:57.000000000 +0200 +++ new/lxc-6.0.3/templates/lxc-oci.in 2024-12-19 16:48:59.000000000 +0100 @@ -20,7 +20,7 @@ LOCALSTATEDIR=@LOCALSTATEDIR@ LXC_TEMPLATE_CONFIG=@LXCTEMPLATECONFIG@ LXC_HOOK_DIR=@LXCHOOKDIR@ -MOUNT_HELPER="atomfs" +MOUNT_HELPER="" MOUNTED_WORKDIR="" # Some useful functions @@ -60,6 +60,12 @@ getconfigpath() { local basedir="$1" mfpath="$2" cdigest="" + mtdigest=$(jq -c -r '.config.mediaType' < "$mfpath") + if [ "$mtdigest" = "application/vnd.oci.empty.v1+json" ]; then + echo "" + return 0 + fi + # Ok we have the image config digest, now get the config ref from the manifest. # shellcheck disable=SC2039 cdigest=$(jq -c -r '.config.digest' < "$mfpath") 
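Review bot: `enter_net_ns` now calls `switch_to_ns(pid, "net")` before the user-namespace switch and only retries it afterwards if the first attempt failed, but nothing in the function says why that order matters (the changelog mentions an inherited netns), so the new line wants a comment such as `/* Try the netns first: if the container inherited it this succeeds without entering the userns; otherwise enter the userns and retry. */`. One consequence worth recording is that when the first switch succeeds and the following `switch_to_ns(pid, "user")` fails, the function returns false with the caller already moved into the container's netns, which the earlier single-return version could not do; whether callers tolerate that depends on code outside the hunk. In the two `malloc(20)` hunks above, the buffer size is a bare literal repeated in each `strnprintf(..., 20, ...)`; a named constant for the decimal width of an `int` keeps the allocation and the format bound in step. The function enclosing the malloc hunks, and the lxc-oci.in hunks that follow on this line, start or end outside what is shown.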
@@ -113,6 +119,10 @@ fi configpath="$1" + if [ "${configpath}" = "" ]; then + echo "/bin/sh" + return + fi ep=$(jq -c '.config.Entrypoint[]?'< "${configpath}" | tr '\n' ' ') cmd=$(jq -c '.config.Cmd[]?'< "${configpath}" | tr '\n' ' ') @@ -136,6 +146,9 @@ fi configpath="$1" + if [ "${configpath}" = "" ]; then + return + fi env=$(jq -c -r '.config.Env[]'< "${configpath}") @@ -160,6 +173,12 @@ passwdpath="${rootpath}/etc/passwd" grouppath="${rootpath}/etc/group" + if [ "${configpath}" = "" ]; then + user=0 + group=0 + echo "${user:-0} ${group:-0}" + return + fi usergroup=$(jq -c -r '.config.User' < "${configpath}") # shellcheck disable=SC2039 usergroup=(${usergroup//:/ }) @@ -200,6 +219,10 @@ fi configpath="$1" + if [ "${configpath}" = "" ]; then + echo "/" + return + fi cwd=$(jq -c -r '.config.WorkingDir // "/"' < "${configpath}") @@ -232,14 +255,17 @@ Optional arguments: [ --username <username> ]: The username for the registry [ --password <password> ]: The password for the registry -[ --mount-helper <command> ]: program that will be used to mount. default is 'atomfs' +[ --mount-helper <command> ]: program that will be used to mount. default will be detected from mediatype mount-helper is expected to support being called with 'mount' and 'umount' subcommands as below: - mount-helper mount oci:<oci_dir>:<oci_name> <mountpoint> + mount-helper mount --persist <upperdir> <oci_dir>:<oci_name> <mountpoint> mount-helper umount <mountpoint> + The --persist <upperdir> flag tells the mount helper to create a writable overlay, with a read-only + filesystem as lowerdir and <upperdir> as upperdir, where <upperdir> is a filesystem path + LXC internal arguments (do not pass manually!): [ --name <name> ]: The container name [ --path <path> ]: The path to the container 
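Review bot: The same empty-config guard is copied into four functions as `if [ "${configpath}" = "" ]; then`; `[ -z "${configpath}" ]` is the idiomatic test, and in the user/group function the sequence `user=0`, `group=0`, `echo "${user:-0} ${group:-0}"` collapses to `echo "0 0"` because the defaults can never apply. The sentinel itself is the empty string that `getconfigpath` returns for `application/vnd.oci.empty.v1+json`, which every caller then has to recognise on its own; a comment at the first guard naming that contract (`# empty configpath: the image has no config blob (vnd.oci.empty.v1+json); use OCI defaults`) would make the four early returns self-explanatory. The functions these guards sit in begin before their hunks.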
@@ -371,6 +397,15 @@ echo "mediatype=$mediatype" >&2 case "$mediatype" in + application/vnd.*.image.layer.squashfs*) + MOUNT_HELPER="atomfs" + ;; + application/vnd.puzzlefs.image.rootfs.*) + MOUNT_HELPER="puzzlefs" + ;; +esac + +case "$mediatype" in #application/vnd.oci.image.layer.v1.tar+gzip application/vnd.oci.image.layer.v1.tar*) echo "Unpacking tar rootfs" 2>&1 @@ -386,13 +421,18 @@ find "${LXC_ROOTFS}.tmp/rootfs" -mindepth 1 -maxdepth 1 -exec mv '{}' "${LXC_ROOTFS}/" \; ;; #application/vnd.stacker.image.layer.squashfs+zstd+verity - application/vnd.*.image.layer.squashfs*) + application/vnd.*.image.layer.squashfs*|application/vnd.puzzlefs.image.rootfs.*) + if [ -z "${MOUNT_HELPER}" ]; then + echo "MOUNT_HELPER not detected for $mediatype" + exit 1 + fi if ! command -v "${MOUNT_HELPER}" >/dev/null 2>&1; then echo "media type $mediatype requires $MOUNT_HELPER" >&2 exit 1 fi - echo "$MOUNT_HELPER mount ${OCI_DIR}:${OCI_NAME} $LXC_ROOTFS" >&2 - "$MOUNT_HELPER" mount "${OCI_DIR}:${OCI_NAME}" "$LXC_ROOTFS" + MOUNT_HELPER_UPPERDIR="$LXC_PATH/upper" + echo "$MOUNT_HELPER mount --persist ${MOUNT_HELPER_UPPERDIR} ${OCI_DIR}:${OCI_NAME} $LXC_ROOTFS" >&2 + "$MOUNT_HELPER" mount --persist "${MOUNT_HELPER_UPPERDIR}" "${OCI_DIR}:${OCI_NAME}" "$LXC_ROOTFS" MOUNTED_WORKDIR="$LXC_ROOTFS" ;; *) @@ -407,10 +447,10 @@ echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}" case "$mediatype" in - application/vnd.*.image.layer.squashfs*) + application/vnd.*.image.layer.squashfs*|application/vnd.puzzlefs.image.rootfs.*) echo "lxc.hook.version = 1" >> "${LXC_CONF_FILE}" # shellcheck disable=SC2016 - echo "lxc.hook.pre-mount = $MOUNT_HELPER mount" \ + echo "lxc.hook.pre-mount = $MOUNT_HELPER mount --persist ${MOUNT_HELPER_UPPERDIR}" \ '${LXC_ROOTFS_PATH}/../oci:${LXC_NAME} ${LXC_ROOTFS_PATH}' \ >> "${LXC_CONF_FILE}";; esac
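Review bot: The new `case "$mediatype"` assigns `MOUNT_HELPER` unconditionally, so a value supplied through the documented `--mount-helper <command>` option is overwritten for squashfs and puzzlefs images, assuming the option parser (outside the hunk) still stores into `MOUNT_HELPER` as it did when the default was `atomfs`; wrapping the detection in `if [ -z "$MOUNT_HELPER" ]; then … fi` keeps the override working and matches the usage text's "default will be detected from mediatype". In the mount hunk, `echo "MOUNT_HELPER not detected for $mediatype"` goes to stdout while the neighbouring diagnostics use `>&2`, so it can be swallowed by a caller capturing output; add `>&2`. `MOUNT_HELPER_UPPERDIR="$LXC_PATH/upper"` is also written literally into the `lxc.hook.pre-mount` line in the last hunk, unlike the `${LXC_ROOTFS_PATH}` and `${LXC_NAME}` arguments that are resolved at hook time, so a container whose path is later moved keeps pointing at the old upperdir; a comment stating that the upperdir is fixed at creation time would at least make that explicit.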
