On Mon, Nov 1, 2021 at 6:13 AM Xu, Yanfei <[email protected]> wrote:

> update to 4.0.11
>
> 1.drop two patches that have been integrated to upstream repo.
> 2.drop tests-add-no-validate-when-using-download-template.patch
>   because it is no longer appropriate as the "download" has been
>   replaced with "busybox"
> 3.fix the apply failure of templates-use-curl-instead-of-wget.patch
> 4.update lxc from 4.0.10 to 4.0.11
>
>
Thanks for the patch! (and the explanation above).

I've merged this to master and honister.

Bruce



> Signed-off-by: Yanfei Xu <[email protected]>
> ---
>  ...omp_profile_when_compiled_libseccomp.patch | 46 ----------
>  .../lxc/files/fix_c_command.patch             | 36 --------
>  .../templates-use-curl-instead-of-wget.patch  | 23 ++---
>  ...alidate-when-using-download-template.patch | 85 -------------------
>  recipes-containers/lxc/lxc_git.bb             |  7 +-
>  5 files changed, 15 insertions(+), 182 deletions(-)
>  delete mode 100644
> recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
>  delete mode 100644 recipes-containers/lxc/files/fix_c_command.patch
>  delete mode 100644
> recipes-containers/lxc/files/tests-add-no-validate-when-using-download-template.patch
>
> diff --git
> a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> deleted file mode 100644
> index f0a58139..00000000
> ---
> a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
> -From: Maximilian Blenk <[email protected]>
> -Date: Mon, 23 Aug 2021 22:04:40 +0200
> -Subject: [PATCH] config: enable seccomp profile only when compiled with
> - libseccomp
> -
> -Make lxc fail if seccomp.profile is specified but lxc is compiled
> -without seccomp support. Currently, seccomp.profile is silently ignored
> -if is specified in such a scenario. This could lead to the false
> -impression that the seccomp filter is applied while it actually isn't.
> -
> -Signed-off-by: Maximilian Blenk <[email protected]>
> ----
> - src/lxc/confile.c | 8 ++++++++
> - 1 file changed, 8 insertions(+)
> -
> -Upstream-Status: Submitted [
> https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e
> ]
> -
> -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> -index d8b96c6921..1cc8da15f1 100644
> ---- a/src/lxc/confile.c
> -+++ b/src/lxc/confile.c
> -@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const
> char *key, const char *value,
> - static int set_config_seccomp_profile(const char *key, const char *value,
> -                                     struct lxc_conf *lxc_conf, void
> *data)
> - {
> -+#ifdef HAVE_SECCOMP
> -       return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
> -+#else
> -+      return ret_set_errno(-1, ENOSYS);
> -+#endif
> - }
> -
> - static int set_config_execute_cmd(const char *key, const char *value,
> -@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const
> char *key, char *retv, int inle
> - static int get_config_seccomp_profile(const char *key, char *retv, int
> inlen,
> -                                     struct lxc_conf *c, void *data)
> - {
> -+#ifdef HAVE_SECCOMP
> -       return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
> -+#else
> -+      return ret_errno(ENOSYS);
> -+#endif
> - }
> -
> - static int get_config_autodev(const char *key, char *retv, int inlen,
> diff --git a/recipes-containers/lxc/files/fix_c_command.patch
> b/recipes-containers/lxc/files/fix_c_command.patch
> deleted file mode 100644
> index 1ed8dafd..00000000
> --- a/recipes-containers/lxc/files/fix_c_command.patch
> +++ /dev/null
> @@ -1,36 +0,0 @@
> -From 9becf309a81806ef08acf9ca99ab95c1bcfa1f65 Mon Sep 17 00:00:00 2001
> -From: Maximilian Blenk <[email protected]>
> -Date: Mon, 23 Aug 2021 15:39:28 +0200
> -Subject: [PATCH] attach: Fix -c command
> -
> -Currently, the -c command (to set the selinux context) seems to be
> -broken because the passed context is ignored and always overwritten by
> -the context specified in the config file. The intention behind the -c
> -imho was to be able to manually overwrite this behavior. This patch
> -ensures that the selinux context will be set if passed via the command
> -line.
> -
> -Signed-off-by: Maximilian Blenk <[email protected]>
> ----
> - src/lxc/tools/lxc_attach.c | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -Upstream-Status: Backport [
> https://github.com/lxc/lxc/commit/9becf309a81806ef08acf9ca99ab95c1bcfa1f65.patch
> ]
> -Comment: No change in any hunk
> -
> -diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
> -index 0374d980b4..e6b388b20c 100644
> ---- a/src/lxc/tools/lxc_attach.c
> -+++ b/src/lxc/tools/lxc_attach.c
> -@@ -379,7 +379,10 @@ int main(int argc, char *argv[])
> -               attach_options.gid = my_args.gid;
> -
> -       // selinux_context will be NULL if not set
> --      attach_options.lsm_label = selinux_context;
> -+      if (selinux_context) {
> -+              attach_options.attach_flags |= LXC_ATTACH_LSM_LABEL;
> -+              attach_options.lsm_label = selinux_context;
> -+      }
> -
> -       if (command.program) {
> -               ret = c->attach_run_wait(c, &attach_options,
> command.program,
> diff --git
> a/recipes-containers/lxc/files/templates-use-curl-instead-of-wget.patch
> b/recipes-containers/lxc/files/templates-use-curl-instead-of-wget.patch
> index 156df82f..4556293a 100644
> --- a/recipes-containers/lxc/files/templates-use-curl-instead-of-wget.patch
> +++ b/recipes-containers/lxc/files/templates-use-curl-instead-of-wget.patch
> @@ -1,4 +1,4 @@
> -From 07890dd8ffdcd08b7be1ddbd9f56ac55482c76bb Mon Sep 17 00:00:00 2001
> +From 1db2db7783bd7ec2aa1da86e640019891634c659 Mon Sep 17 00:00:00 2001
>  From: Joakim Roubert <[email protected]>
>  Date: Fri, 16 Aug 2019 07:52:48 +0200
>  Subject: [PATCH] Use curl instead of wget
> @@ -7,16 +7,16 @@ When curl's MIT license is preferable to wget's GPLv3.
>
>  Change-Id: I4684ae7569704514fdcc63e0655c556efcaf44f8
>  Signed-off-by: Joakim Roubert <[email protected]>
> -
> +Signed-off-by: Yanfei Xu <[email protected]>
>  ---
>   templates/lxc-download.in | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
>
>  diff --git a/templates/lxc-download.in b/templates/lxc-download.in
> -index d7e6128..8a4b567 100644
> +index e8570692a..f7291b0cc 100755
>  --- a/templates/lxc-download.in
>  +++ b/templates/lxc-download.in
> -@@ -74,9 +74,9 @@ cleanup() {
> +@@ -75,9 +75,9 @@ cleanup() {
>     fi
>   }
>
> @@ -28,18 +28,18 @@ index d7e6128..8a4b567 100644
>         return 0
>       fi
>     done
> -@@ -85,8 +85,8 @@ wget_wrapper() {
> +@@ -86,8 +86,8 @@ wget_wrapper() {
>   }
>
>   download_file() {
> --  if ! wget_wrapper -T 30 -q "https://${DOWNLOAD_SERVER}/$1"; -O "$2"
> >/dev/null 2>&1; then
> --    if ! wget_wrapper -T 30 -q "http://${DOWNLOAD_SERVER}/$1"; -O "$2"
> >/dev/null 2>&1; then
> -+  if ! curl_wrapper -m 30 -s "https://${DOWNLOAD_SERVER}/$1"; -o "$2"
> >/dev/null 2>&1; then
> -+    if ! curl_wrapper -m 30 -s "http://${DOWNLOAD_SERVER}/$1"; -o "$2"
> >/dev/null 2>&1; then
> +-  if ! wget_wrapper --user-agent="lxc/@PACKAGE_VERSION@
> compat:${DOWNLOAD_COMPAT_LEVEL}" -T 30 -q "https://${DOWNLOAD_SERVER}/$1";
> -O "$2" >/dev/null 2>&1; then
> +-    if ! wget_wrapper --user-agent="lxc/@PACKAGE_VERSION@
> compat:${DOWNLOAD_COMPAT_LEVEL}" -T 30 -q "http://${DOWNLOAD_SERVER}/$1";
> -O "$2" >/dev/null 2>&1; then
> ++  if ! curl_wrapper --user-agent="lxc/@PACKAGE_VERSION@
> compat:${DOWNLOAD_COMPAT_LEVEL}" -m 30 -s "https://${DOWNLOAD_SERVER}/$1";
> -o "$2" >/dev/null 2>&1; then
> ++    if ! curl_wrapper --user-agent="lxc/@PACKAGE_VERSION@
> compat:${DOWNLOAD_COMPAT_LEVEL}" -m 30 -s "http://${DOWNLOAD_SERVER}/$1";
> -o "$2" >/dev/null 2>&1; then
>         if [ "$3" = "noexit" ]; then
>           return 1
>         else
> -@@ -271,7 +271,7 @@ while :; do
> +@@ -277,7 +277,7 @@ while :; do
>   done
>
>   # Check for required binaries
> @@ -48,3 +48,6 @@ index d7e6128..8a4b567 100644
>     if ! command -V "${bin}" >/dev/null 2>&1; then
>       echo "ERROR: Missing required tool: ${bin}" 1>&2
>       exit 1
> +--
> +2.27.0
> +
> diff --git
> a/recipes-containers/lxc/files/tests-add-no-validate-when-using-download-template.patch
> b/recipes-containers/lxc/files/tests-add-no-validate-when-using-download-template.patch
> deleted file mode 100644
> index f335e796..00000000
> ---
> a/recipes-containers/lxc/files/tests-add-no-validate-when-using-download-template.patch
> +++ /dev/null
> @@ -1,85 +0,0 @@
> -From 1c2506434e744d8c6a86e42c9d8bae4cde7553f6 Mon Sep 17 00:00:00 2001
> -From: Mark Asselstine <[email protected]>
> -Date: Thu, 31 May 2018 15:14:26 -0400
> -Subject: [PATCH] tests: add '--no-validate' when using download template
> -
> -We are usually running the ptests with core-image-minimal which has no
> -mechanism to validate the downloads. Validation isn't really of
> -interest to this test at any rate so simply add '--no-validate' to
> -avoid failing due to no GPG validation.
> -
> -Signed-off-by: Mark Asselstine <[email protected]>
> -
> ----
> - src/tests/lxc-test-apparmor-mount | 2 +-
> - src/tests/lxc-test-autostart      | 2 +-
> - src/tests/lxc-test-no-new-privs   | 2 +-
> - src/tests/lxc-test-unpriv         | 2 +-
> - src/tests/lxc-test-usernic.in     | 2 +-
> - 5 files changed, 5 insertions(+), 5 deletions(-)
> -
> -Index: lxc-4.0.9/src/tests/lxc-test-apparmor-mount
> -===================================================================
> ---- lxc-4.0.9.orig/src/tests/lxc-test-apparmor-mount
> -+++ lxc-4.0.9/src/tests/lxc-test-apparmor-mount
> -@@ -170,7 +170,7 @@
> -     done
> - fi
> -
> --run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a
> $ARCH
> -+run_cmd lxc-create -t download -n $cname -- --no-validate -d ubuntu -r
> $release -a $ARCH
> -
> - echo "test default confined container"
> - run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
> -Index: lxc-4.0.9/src/tests/lxc-test-autostart
> -===================================================================
> ---- lxc-4.0.9.orig/src/tests/lxc-test-autostart
> -+++ lxc-4.0.9/src/tests/lxc-test-autostart
> -@@ -55,7 +55,7 @@
> -     done
> - fi
> -
> --lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r
> $release -a $ARCH
> -+lxc-create -t download -n $CONTAINER_NAME -B dir -- --no-validate -d
> ubuntu -r $release -a $ARCH
> - CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c
> lxc.rootfs.path -H) | sed -e 's/dir://')
> - cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak
> -
> -Index: lxc-4.0.9/src/tests/lxc-test-no-new-privs
> -===================================================================
> ---- lxc-4.0.9.orig/src/tests/lxc-test-no-new-privs
> -+++ lxc-4.0.9/src/tests/lxc-test-no-new-privs
> -@@ -49,7 +49,7 @@
> -       ARCH=$(dpkg --print-architecture)
> - fi
> -
> --lxc-create -t download -n c1 -- -d ubuntu -r xenial -a $ARCH
> -+lxc-create -t download -n c1 -- --no-validate -d ubuntu -r xenial -a
> $ARCH
> - echo "lxc.no_new_privs = 1" >> /var/lib/lxc/c1/config
> -
> - lxc-start -n c1
> -Index: lxc-4.0.9/src/tests/lxc-test-unpriv
> -===================================================================
> ---- lxc-4.0.9.orig/src/tests/lxc-test-unpriv
> -+++ lxc-4.0.9/src/tests/lxc-test-unpriv
> -@@ -178,7 +178,7 @@
> -     cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
> -     chown -R $TUSER: $HDIR/.cache/lxc
> -
> --run_cmd lxc-create -t download -n c1 -l trace -o "${UNPRIV_LOG}" -- -d
> ubuntu -r $release -a $ARCH
> -+run_cmd lxc-create -t download -n c1 -l trace -o "${UNPRIV_LOG}" --
> --no-validate -d ubuntu -r $release -a $ARCH
> -
> - # Make sure we can start it - twice
> -
> -Index: lxc-4.0.9/src/tests/lxc-test-usernic.in
> -===================================================================
> ---- lxc-4.0.9.orig/src/tests/lxc-test-usernic.in
> -+++ lxc-4.0.9/src/tests/lxc-test-usernic.in
> -@@ -147,7 +147,7 @@
> - fi
> -
> - # Create three containers
> --run_cmd "lxc-create -t download -n b1 -- -d ubuntu -r $release -a $ARCH"
> -+run_cmd "lxc-create -t download -n b1 -- --no-validate -d ubuntu -r
> $release -a $ARCH"
> - run_cmd "lxc-start -n b1 -d"
> - p1=$(run_cmd "lxc-info -n b1 -p -H")
> -
> diff --git a/recipes-containers/lxc/lxc_git.bb b/recipes-containers/lxc/
> lxc_git.bb
> index f5b5128b..ba1cef5a 100644
> --- a/recipes-containers/lxc/lxc_git.bb
> +++ b/recipes-containers/lxc/lxc_git.bb
> @@ -46,15 +46,12 @@ SRC_URI = "git://
> github.com/lxc/lxc.git;branch=stable-4.0 \
>         file://template-make-busybox-template-compatible-with-core-.patch \
>         file://templates-use-curl-instead-of-wget.patch \
>         file://tests-our-init-is-not-busybox.patch \
> -       file://tests-add-no-validate-when-using-download-template.patch \
>         file://dnsmasq.conf \
>         file://lxc-net \
> -        file://enable_seccomp_profile_when_compiled_libseccomp.patch \
> -        file://fix_c_command.patch \
>         "
>
> -SRCREV = "cec7cb14b2a4367d4cb21a90e1b90d0f98a9d874"
> -PV = "4.0.10+git${SRCPV}"
> +SRCREV = "48e079bf318982ae7d5684feeb7358870fa71c10"
> +PV = "4.0.11+git${SRCPV}"
>
>  S = "${WORKDIR}/git"
>
> --
> 2.27.0
>
>
> 
>
>

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6874): 
https://lists.yoctoproject.org/g/meta-virtualization/message/6874
Mute This Topic: https://lists.yoctoproject.org/mt/86735924/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to