--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:lxc
[ Reason ]
Fix a handful of minor bugs affecting the version of lxc in trixie:
* Add lxc-net dependency to sysvinit script
* Stop printing misleading errors in enter_net_ns()
* Fix generation of apparmor.d/abstractions/lxc/container-base
* Fix restarting unprivileged containers

[ Impact ]
Users running lxc in trixie currently encounter small but annoying
bugs.

[ Tests ]
The sysvinit fix was provided by an affected user, and is a trivial
patch. I have tested the other three patches myself to verify that they
properly fix the associated bugs.

[ Risks ]
Minor/none -- the sysvinit patch is trivial and the other three are
targeted fixes cherry-picked from the upstream git repo.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
Four patches as outlined above.

[ Other info ]
The source debdiff is attached.
diff -Nru lxc-6.0.4/debian/changelog lxc-6.0.4/debian/changelog
--- lxc-6.0.4/debian/changelog 2025-05-30 12:58:12.000000000 +0000
+++ lxc-6.0.4/debian/changelog 2025-12-26 19:02:22.000000000 +0000
@@ -1,3 +1,18 @@
+lxc (1:6.0.4-4+deb13u1) trixie; urgency=medium
+
+ [ Frost ]
+ * Add lxc-net dependency to sysvinit script (Closes: #1122149)
+
+ [ Mathias Gibbens ]
+ * Cherry-pick upstream fix to stop printing misleading errors in
+ enter_net_ns() (Closes: #1118024)
+ * Cherry-pick upstream fix for generating
+ apparmor.d/abstractions/lxc/container-base (partially addresses: #1111087)
+ * Cherry-pick upstream fix for restarting unprivileged containers
+ (Closes: #1123979)
+
+ -- Mathias Gibbens <[email protected]> Fri, 26 Dec 2025 19:02:22 +0000
+
lxc (1:6.0.4-4) unstable; urgency=medium
[ Aurelien Jarno ]
diff -Nru lxc-6.0.4/debian/gbp.conf lxc-6.0.4/debian/gbp.conf
--- lxc-6.0.4/debian/gbp.conf 2025-05-30 12:58:12.000000000 +0000
+++ lxc-6.0.4/debian/gbp.conf 2025-12-26 19:02:22.000000000 +0000
@@ -1,3 +1,3 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/trixie
diff -Nru lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch
--- lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch 2025-12-26 19:02:22.000000000 +0000
@@ -0,0 +1,82 @@
+From a53589e0636b42a2816375c9a2c1c4be09100297 Mon Sep 17 00:00:00 2001
+From: Alexander Mikhalitsyn <[email protected]>
+Date: Mon, 28 Jul 2025 19:00:29 +0200
+Subject: [PATCH] lxc/lxccontainer: stop printing misleading errors in
+ enter_net_ns()
+
+In enter_net_ns() we try to enter network namespace at first, before
+entering a user namespace to support inherited netns case properly.
+It is expected to get EPERM for unprivileged container with non-shared
+network namespace at first try. Let's take this into account
+and stop misleading users with these error messages.
+
+Link: https://discuss.linuxcontainers.org/t/lxc-ls-fancy-command-shows-operation-not-permitted/24080
+Fixes: 3011e79f92ef ("lxccontainer: fix enter_net_ns helper to work when netns is inherited")
+Fixes: #4560
+Signed-off-by: Alexander Mikhalitsyn <[email protected]>
+---
+ src/lxc/lxccontainer.c | 2 +-
+ src/lxc/utils.c | 10 +++++++---
+ src/lxc/utils.h | 8 +++++++-
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
+index 7b9ff9641d..6c80065a65 100644
+--- a/src/lxc/lxccontainer.c
++++ b/src/lxc/lxccontainer.c
+@@ -2220,7 +2220,7 @@ static inline bool enter_net_ns(struct lxc_container *c)
+ if (pid < 0)
+ return false;
+
+- net_ns_entered = switch_to_ns(pid, "net");
++ net_ns_entered = try_switch_to_ns(pid, "net", true);
+
+ if ((geteuid() != 0 || (c->lxc_conf && !list_empty(&c->lxc_conf->id_map))) &&
+ (access("/proc/self/ns/user", F_OK) == 0))
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 60f2b70003..af276a3b55 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -878,7 +878,7 @@ int detect_shared_rootfs(void)
+ return 0;
+ }
+
+-bool switch_to_ns(pid_t pid, const char *ns)
++bool try_switch_to_ns(pid_t pid, const char *ns, bool optional)
+ {
+ __do_close int fd = -EBADF;
+ int ret;
+@@ -896,8 +896,12 @@ bool switch_to_ns(pid_t pid, const char *ns)
+ return log_error_errno(false, errno, "Failed to open \"%s\"", nspath);
+
+ ret = setns(fd, 0);
+- if (ret)
+- return log_error_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd);
++ if (ret) {
++ if (optional)
++ return log_trace_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd);
++ else
++ return log_error_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd);
++ }
+
+ return true;
+ }
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 0007b51a60..e72582aa24 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -134,7 +134,13 @@ __hidden extern bool is_shared_mountpoint(const char *path);
+ __hidden extern int detect_shared_rootfs(void);
+ __hidden extern bool detect_ramfs_rootfs(void);
+ __hidden extern char *on_path(const char *cmd, const char *rootfs);
+-__hidden extern bool switch_to_ns(pid_t pid, const char *ns);
++
++__hidden extern bool try_switch_to_ns(pid_t pid, const char *ns, bool optional);
++inline static bool switch_to_ns(pid_t pid, const char *ns)
++{
++ return try_switch_to_ns(pid, ns, false);
++}
++
+ __hidden extern char *get_template_path(const char *t);
+ __hidden extern int safe_mount(const char *src, const char *dest, const char *fstype,
+ unsigned long flags, const void *data, const char *rootfs);
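Review bot: the "optional" flag in try_switch_to_ns() only downgrades the setns() failure; the open() failure a few lines above it (return log_error_errno(false, errno, "Failed to open \"%s\"", nspath);) still logs at error level when optional is true, so a caller that cannot open /proc/<pid>/ns/net at all would still see an error-level message on the same expected first attempt. Routing that branch through the same optional ? log_trace_errno : log_error_errno choice would make the suppression consistent. The lxccontainer.c hunk shows only the first call, try_switch_to_ns(pid, "net", true); the retry after the user namespace has been entered is outside the visible context, so it is worth confirming that it still goes through the non-optional switch_to_ns() wrapper, otherwise a genuine failure on the second attempt would also be reduced to a trace message and the container's network namespace could be silently skipped.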
diff -Nru lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch
--- lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch 2025-12-26 19:02:22.000000000 +0000
@@ -0,0 +1,56 @@
+From 52929fc21809d57bb57f86142bc8d84223d44b7f Mon Sep 17 00:00:00 2001
+From: Mathias Gibbens <[email protected]>
+Date: Sun, 26 Oct 2025 20:02:29 +0000
+Subject: [PATCH] config/apparmor/abstractions: Fix meson build generation of
+ container-base
+
+Previously, abstractions/container-base was a hand-generated concatenation of
+two different files, abstractions/container-base.in and container-rules. This
+was confusing, since the meson configuration didn't actually create
+abstractions/container-base from abstractions/container-base.in. Now, the
+previously manual step of creating abstractions/container-base is part of the
+meson configure step.
+
+Signed-off-by: Mathias Gibbens <[email protected]>
+---
+ config/apparmor/README | 14 ++++----------
+ config/apparmor/abstractions/meson.build | 5 +++--
+ 2 files changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/config/apparmor/README b/config/apparmor/README
+index 432956b9ae..76031601ad 100644
+--- a/config/apparmor/README
++++ b/config/apparmor/README
+@@ -1,12 +1,6 @@
+-The abstractions/container-base file is partially automatically
+-generated. The two source files are container-rules.base and
+-abstractions/container-base.in. If these file are updated,
+-then
+-
+-1. Generate a new container-rules file using
++The abstractions/container-base file installed is automatically
++generated. Its two source files are container-rules.base and
++abstractions/container-base.in. If container-rules.base is updated,
++generate a new container-rules file using
+
+ ./lxc-generate-aa-rules.py container-rules.base > container-rules
+-
+-2. Concatenate container-base.in with container-rules using
+-
+-cat abstractions/container-base.in container-rules > abstractions/container-base
+diff --git a/config/apparmor/abstractions/meson.build b/config/apparmor/abstractions/meson.build
+index b8a8e40339..8424c38b0b 100644
+--- a/config/apparmor/abstractions/meson.build
++++ b/config/apparmor/abstractions/meson.build
+@@ -2,8 +2,9 @@
+
+ if libapparmor.found()
+ configure_file(
+- configuration: conf,
+- input: 'container-base',
++ command: ['cat', '@INPUT@'],
++ capture: true,
++ input: ['container-base.in', '../container-rules'],
+ output: 'container-base',
+ install: true,
+ install_dir: join_paths(sysconfdir, 'apparmor.d', 'abstractions', 'lxc'))
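Review bot: dropping "configuration: conf" from the configure_file() call changes more than the input list. In command mode Meson performs no @VAR@ substitution on the captured output, so any configuration token that conf previously expanded in container-base will now be installed verbatim into the AppArmor abstraction; confirm that container-base.in and container-rules contain no @...@ placeholders before relying on plain cat. Minor: the README now only describes regenerating container-rules from container-rules.base, and no longer says that container-base itself is assembled at meson configure time; one sentence stating that edits belong in container-base.in and never in the generated file would make the new workflow clear to the next person touching these profiles.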
diff -Nru lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch
--- lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch 2025-12-26 19:02:22.000000000 +0000
@@ -0,0 +1,43 @@
+From 0f5852edfad06fe4e9f00aaddd3d93576269729e Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <[email protected]>
+Date: Tue, 23 Dec 2025 13:56:31 -0600
+Subject: [PATCH] cgfsng: fix reboots when using dbus
+
+When using dbus on a systemd system, we ask systemd to create a
+"scope" for us to run in. We send a dbus message, and wait
+for the reply saying it is created.
+
+When we reboot, we were re-sending the request to create the
+scope. However, the scope still exists, because or single
+lxc-monitor (originally lxc-start) thread is still under the
+'lxc.pivot' sub-directory of the scope.
+
+But, on reboot, our lxc_conf already has our scope recorded!
+So, just check whether that is set, and skip scope creation
+if so.
+
+With this patch, i can reboot ad nauseum with no apparent
+problems.
+
+We could probably move this check to the top of the function,
+but for now this fixes the bug.
+
+Signed-off-by: Serge Hallyn <[email protected]>
+---
+ src/lxc/cgroups/cgfsng.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index eea2b1f6d9..81994817c5 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -1521,6 +1521,9 @@ static int unpriv_systemd_create_scope(struct cgroup_ops *ops, struct lxc_conf *
+ dbus_threads_initialized = true;
+ }
+
++ if (conf->cgroup_meta.systemd_scope != NULL)
++ return log_error(true, "Already in a scope, must be a reboot.");
++
+ connection = open_systemd();
+ if (connection == NULL)
+ return log_error(false, "Failed opening dbus connection");
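Review bot: log_error(true, "Already in a scope, must be a reboot.") reports the expected reboot path at error severity while returning success, so every reboot of an unprivileged container under dbus will print an error-level message that is not an error; log_info or log_debug fits better, and the neighbouring log_error(false, "Failed opening dbus connection") shows the convention the file otherwise follows (error level only when returning false). The new check also sits below the dbus_threads_initialized block, so dbus thread setup still runs on every reboot before the early return; the commit message itself notes the check could move to the top of the function, which would avoid that work and keep the fast path free of dbus setup entirely.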
diff -Nru lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch
--- lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch 2025-12-26 19:02:22.000000000 +0000
@@ -0,0 +1,28 @@
+From 8f67650034c0b031cc2b24314c8167baaa8fbe44 Mon Sep 17 00:00:00 2001
+From: Frost <[email protected]>
+Date: Sun, 7 Dec 2025 15:56:49 -0800
+Subject: [PATCH] Add lxc-net as dependency in sysvinit script
+
+Otherwise containers don't start during boot, but come up fine later.
+---
+ config/init/sysvinit/lxc-containers.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/init/sysvinit/lxc-containers.in b/config/init/sysvinit/lxc-containers.in
+index f793d20..5543b05 100644
+--- a/config/init/sysvinit/lxc-containers.in
++++ b/config/init/sysvinit/lxc-containers.in
+@@ -9,8 +9,8 @@
+ # Provides: lxc
+ # Required-Start: $syslog $remote_fs
+ # Required-Stop: $syslog $remote_fs
+-# Should-Start: cgroupfs-mount
+-# Should-Stop: cgroupfs-mount
++# Should-Start: cgroupfs-mount lxc-net
++# Should-Stop: cgroupfs-mount lxc-net
+ # Default-Start: 2 3 4 5
+ # Default-Stop: 0 1 6
+ # Short-Description: Bring up/down LXC autostart containers
+--
+2.51.0
+
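Review bot: Should-Start: cgroupfs-mount lxc-net is a soft ordering dependency, so the LSB dependency-based boot ordering places lxc after lxc-net only when an lxc-net init script is installed and enabled; that is the right choice if lxc-net is optional on the host, but if autostarted containers in trixie cannot come up at all without the lxc-net bridge, Required-Start would surface a missing or disabled lxc-net as an explicit boot-time failure rather than the silent one described in the commit message. Cosmetic: this patch keeps the trailing "--" / "2.51.0" git format-patch signature while the other three cherry-picks in the series do not; trimming it keeps debian/patches uniform.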
diff -Nru lxc-6.0.4/debian/patches/series lxc-6.0.4/debian/patches/series
--- lxc-6.0.4/debian/patches/series 2025-05-30 12:58:12.000000000 +0000
+++ lxc-6.0.4/debian/patches/series 2025-12-26 19:02:22.000000000 +0000
@@ -3,3 +3,7 @@
0003-apparmor-4x-userns.patch
0004-cherry-pick-complex-hooks-fix.patch
0005-cherry-pick-loong64.patch
+0101-cherry-pick-fix-misleading-errors.patch
+0102-cherry-pick-apparmor-generation.patch
+0103-cherry-pick-fix-dbus-reboots.patch
+0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch
--- End Message ---