Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock lxc/1:1.0.6-5. Changes since 1:1.0.6-3 (jessie) are:

  * Mounting /sys read-only in lxc-debian to prevent (one way of) escaping
    containers (Closes: #770901).
  * Adding patch from lxc 1.0.7 to make lxc-debian work with systemd
    (Closes: #766216).
  * Adding patch from lxc 1.0.7 to make lxc-debian handle switch of
    initsystem better.
  * Marking -t option in lxc-create manpage as required (Closes: #768778).

Regards,
Daniel

-- 
Address: Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email: daniel.baum...@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel.baumann/
diff --git a/debian/changelog b/debian/changelog index 5e5f7ea..4b82738 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +lxc (1:1.0.6-5) unstable; urgency=low + + * Mounting /sys read-only in lxc-debian to prevent (one way of) escaping + containers (Closes: #770901). + * Adding patch from lxc 1.0.7 to make lxc-debian work with systemd + (Closes: #766216). + * Adding patch from lxc 1.0.7 to make lxc-debian handle switch of + initsystem better. + + -- Daniel Baumann <m...@daniel-baumann.ch> Sat, 06 Dec 2014 13:00:36 +0100 + +lxc (1:1.0.6-4) unstable; urgency=low + + * Marking -t option in lxc-create manpage as required (Closes: #768778). + + -- Daniel Baumann <m...@daniel-baumann.ch> Tue, 11 Nov 2014 19:57:58 +0100 + lxc (1:1.0.6-3) unstable; urgency=low * Preserving setuid on lxc-user-nic (Closes: #764815). diff --git a/debian/patches/0013-lxc-create-manpage.patch b/debian/patches/0013-lxc-create-manpage.patch new file mode 100644 index 0000000..42ca95f --- /dev/null +++ b/debian/patches/0013-lxc-create-manpage.patch @@ -0,0 +1,16 @@ +Author: Daniel Baumann <m...@daniel-baumann.ch> +Description: Marking -t option in lxc-create manpage as required (Closes: #768778), + see https://github.com/lxc/lxc/issues/355. + +diff -Naurp lxc.orig/doc/lxc-create.sgml.in lxc/doc/lxc-create.sgml.in +--- lxc.orig/doc/lxc-create.sgml.in ++++ lxc/doc/lxc-create.sgml.in +@@ -51,7 +51,7 @@ Foundation, Inc., 51 Franklin Street, Fi + <command>lxc-create</command> + <arg choice="req">-n <replaceable>name</replaceable></arg> + <arg choice="opt">-f <replaceable>config_file</replaceable></arg> +- <arg choice="opt">-t <replaceable>template</replaceable></arg> ++ <arg choice="req">-t <replaceable>template</replaceable></arg> + <arg choice="opt">-B <replaceable>backingstore</replaceable></arg> + <arg choice="opt">-- <replaceable>template-options</replaceable></arg> + </cmdsynopsis> 
diff --git a/debian/patches/0014-lxc-debian-sysfs.patch b/debian/patches/0014-lxc-debian-sysfs.patch new file mode 100644 index 0000000..eaaac66 --- /dev/null +++ b/debian/patches/0014-lxc-debian-sysfs.patch @@ -0,0 +1,15 @@ +Author: Daniel Baumann <m...@daniel-baumann.ch> +Description: Mount /sys read-only in lxc-debian to prevent (one way of) escaping containers (Closes: #770901). + +diff -Naurp lxc.orig/config/templates/debian.common.conf.in lxc/config/templates/debian.common.conf.in +--- lxc.orig/config/templates/debian.common.conf.in ++++ lxc/config/templates/debian.common.conf.in +@@ -3,7 +3,7 @@ lxc.pivotdir = lxc_putold + + # Default mount entries + lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 +-lxc.mount.entry = sysfs sys sysfs defaults 0 0 ++lxc.mount.entry = sysfs sys sysfs ro 0 0 + + # Default console settings + lxc.tty = 4 diff --git a/debian/patches/0015-lxc-debian-systemd.patch b/debian/patches/0015-lxc-debian-systemd.patch new file mode 100644 index 0000000..d2c0f16 --- /dev/null +++ b/debian/patches/0015-lxc-debian-systemd.patch 
@@ -0,0 +1,58 @@ +Author: Antonio Terceiro <terce...@debian.org> +Description: lxc-debian: support systemd as PID 1 + Containers with systemd need a somewhat special setup, which I borrowed + and adapted from lxc-fedora. These changes are required so that Debian 8 + (jessie) containers work properly, and are a no-op for previous Debian + versions. + +diff -Naurp lxc.orig/templates/lxc-debian.in lxc/templates/lxc-debian.in +--- lxc.orig/templates/lxc-debian.in ++++ lxc/templates/lxc-debian.in +@@ -159,6 +159,38 @@ EOF + return 0 + } + ++configure_debian_systemd() ++{ ++ path=$1 ++ rootfs=$2 ++ init="$(chroot ${rootfs} dpkg-query --search /sbin/init | cut -d : -f 1)" ++ if [ "$init" != "systemd-sysv" ]; then ++ # systemd is not PID 1 ++ return ++ fi ++ ++ echo 'lxc.autodev = 1' >> "$path/config" ++ echo 'lxc.kmsg = 0' >> "$path/config" ++ ++ # This function has been copied and adapted from lxc-fedora ++ rm -f ${rootfs}/etc/systemd/system/default.target ++ touch ${rootfs}/etc/fstab ++ chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service ++ chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target ++ # Make systemd honor SIGPWR ++ chroot ${rootfs} ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target ++ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \ ++ -e 's/After=dev-%i.device/After=/' \ ++ < ${rootfs}/lib/systemd/system/getty\@.service \ ++ > ${rootfs}/etc/systemd/system/getty\@.service ++ # Setup getty service on the 4 ttys we are going to allow in the ++ # default config. Number should match lxc.tty ++ ( cd ${rootfs}/etc/systemd/system/getty.target.wants ++ for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done ) ++ ++ return 0 ++} ++ + cleanup() + { + rm -rf $cache/partial-$release-$arch +@@ -458,6 +490,8 @@ if [ $? -ne 0 ]; then + exit 1 + fi + ++configure_debian_systemd $path $rootfs ++ + if [ ! -z $clean ]; then + clean || exit 1 + exit 0 
diff --git a/debian/patches/0016-lxc-debian-init.patch b/debian/patches/0016-lxc-debian-init.patch new file mode 100644 index 0000000..30365cb --- /dev/null +++ b/debian/patches/0016-lxc-debian-init.patch 
@@ -0,0 +1,69 @@ +Author: Cameron Norman <camerontnor...@gmail.com> +Description: lxc-debian: adjust init system configurations + Do as much as possible to allow containers switching from non-systemd to + systemd to work as intended (but nothing that will cause side effects). + Use update-rc.d disable instead of remove so the init scripts are not + re-enabled when the package is updated + +diff -Naurp lxc.orig/templates/lxc-debian.in lxc/templates/lxc-debian.in +--- lxc.orig/templates/lxc-debian.in ++++ lxc/templates/lxc-debian.in +@@ -107,10 +107,10 @@ EOF + fi + + # remove pointless services in a container +- chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh remove +- chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove +- chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove +- chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove ++ chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh disable ++ chroot $rootfs /usr/sbin/update-rc.d -f umountfs disable ++ chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh disable ++ chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh disable + + # generate new SSH keys + if [ -x $rootfs/var/lib/dpkg/info/openssh-server.postinst ]; then +@@ -163,26 +163,33 @@ configure_debian_systemd() + { + path=$1 + rootfs=$2 ++ + init="$(chroot ${rootfs} dpkg-query --search /sbin/init | cut -d : -f 1)" +- if [ "$init" != "systemd-sysv" ]; then +- # systemd is not PID 1 +- return ++ if [ "$init" = "systemd-sysv" ]; then ++ # only appropiate when systemd is PID 1 ++ echo 'lxc.autodev = 1' >> "$path/config" ++ echo 'lxc.kmsg = 0' >> "$path/config" ++ fi ++ ++ # this only works if we have getty@.service to manipulate ++ if [ -f ${rootfs}/lib/systemd/system/getty\@.service ]; then ++ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \ ++ -e 's/After=dev-%i.device/After=/' \ ++ < ${rootfs}/lib/systemd/system/getty\@.service \ ++ > ${rootfs}/etc/systemd/system/getty\@.service + fi + +- echo 'lxc.autodev = 1' >> 
"$path/config" +- echo 'lxc.kmsg = 0' >> "$path/config" ++ # just in case systemd is not installed ++ mkdir -p ${rootfs}/{lib,etc}/systemd/system ++ mkdir -p ${rootfs}/etc/systemd/system/getty.target.wants + + # This function has been copied and adapted from lxc-fedora + rm -f ${rootfs}/etc/systemd/system/default.target + touch ${rootfs}/etc/fstab +- chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service ++ chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service + chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + # Make systemd honor SIGPWR + chroot ${rootfs} ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target +- sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \ +- -e 's/After=dev-%i.device/After=/' \ +- < ${rootfs}/lib/systemd/system/getty\@.service \ +- > ${rootfs}/etc/systemd/system/getty\@.service + # Setup getty service on the 4 ttys we are going to allow in the + # default config. Number should match lxc.tty + ( cd ${rootfs}/etc/systemd/system/getty.target.wants diff --git a/debian/patches/series b/debian/patches/series index 9e92368..44d1640 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,7 @@ 0010-lxc-debian-openssh-server.patch 0011-lxc-debian-root-password.patch 0012-lxc-debian-systemd.patch +0013-lxc-create-manpage.patch +0014-lxc-debian-sysfs.patch +0015-lxc-debian-systemd.patch +0016-lxc-debian-init.patch
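Review bot: in 0014-lxc-debian-sysfs.patch, `ro` replaces `defaults` but the new line still lacks the nodev,noexec,nosuid that the proc entry directly above it carries; consider `lxc.mount.entry = sysfs sys sysfs ro,nodev,noexec,nosuid 0 0` so both pseudo-filesystems get the same treatment. The changelog should also say what happens to containers created before the upgrade: if their configs pull this file in via lxc.include they get a read-only /sys on next start (and anything that writes under /sys at boot will start failing), otherwise they keep the writable mount and need the line changed by hand. Either way the "(one way of)" wording is right, and it is worth spelling out in the changelog that this is a mitigation for one escape path, not a general containment fix.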
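Review bot: in 0015-lxc-debian-systemd.patch, the three `chroot ${rootfs} ln -s ...` calls in configure_debian_systemd() run without -f and without any error check, so re-running the template over a rootfs that already has a udev.service mask or a sigpwr.target link prints "File exists" and carries on silently (default.target is the only one removed first); use `ln -sf`, or test for the link before creating it, and quote `${rootfs}` and `$path` throughout, including the `configure_debian_systemd $path $rootfs` call site in the second hunk. `path=$1` and `rootfs=$2` also overwrite the template's globals of the same names instead of being `local`; harmless here because the caller passes the same values, but it should be made explicit.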
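Review bot: in the first hunk of 0016-lxc-debian-init.patch, `-f` on `update-rc.d -f checkroot.sh disable` (and the three lines below it) is documented only for the remove action, so it is a no-op with disable and should be dropped rather than left to suggest it does something. The exit status of each call is still ignored, so a missing script only produces a message on stderr and setup continues; that matches the old remove behaviour, but a one-line comment saying the failures are intentionally tolerated would help the next reader.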
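Review bot: in the second hunk of 0016-lxc-debian-init.patch, removing the early `return` means the rm/touch/ln block below "This function has been copied and adapted from lxc-fedora" now runs on every rootfs, so a sysvinit-only container ends up with /etc/systemd/system/default.target and sigpwr.target symlinks pointing at units that may not exist, which contradicts the "nothing that will cause side effects" statement in the description; gate that block on the same kind of existence check already used for getty@.service (`if [ -f ${rootfs}/lib/systemd/system/getty\@.service ]`) or on systemd being installed. Smaller points: `mkdir -p ${rootfs}/{lib,etc}/systemd/system` relies on bash brace expansion, which is fine only as long as the template keeps its bash shebang; "appropiate" in the added comment should be "appropriate"; and since the mask now targets systemd-udevd.service, it is worth checking whether the udevd socket units also need masking so the daemon is not brought back by socket activation.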
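Review bot: the series hunk adds 0015-lxc-debian-systemd.patch alongside the existing 0012-lxc-debian-systemd.patch; two patches that differ only in their number are easy to mix up when refreshing, so a more specific name (for example 0015-lxc-debian-systemd-pid1.patch) would help. 0016 also rewrites lines that 0015 just added, so folding the two into a single patch with the combined description would give a cleaner history than applying and then partially reverting the same block.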
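Because the sysfs change above lives in a template config, an administrator still needs a way to check what each existing container actually mounts. The following Python script is an added example for this report, not part of lxc or of the Debian packaging: it parses inline `lxc.mount.entry` lines (fstab-style fields: fsname, mountpoint, fstype, options, freq, passno) and flags sysfs entries that are writable or that lack the nodev,noexec,nosuid options the proc entry already has. It assumes the entries are written inline; it does not follow `lxc.mount` fstab files or `lxc.include` lines, and the three sample configs are constructed here to mirror the before/after of patch 0014 plus a further-hardened variant.

```python
"""Audit LXC container configs for a writable or under-hardened sysfs.

Added example for this bug report; it is not part of lxc or of the
Debian packaging. It parses inline `lxc.mount.entry` lines (fstab-like
fields: fsname mountpoint fstype options freq passno) and reports sysfs
entries that are not read-only or lack nodev,noexec,nosuid. Entries kept
in a separate fstab file (`lxc.mount = ...`) or in an included file
(`lxc.include = ...`) are not followed; that is a limitation of this
example, not a statement about lxc.
"""
from typing import Dict, List

HARDENING_OPTS = {"nodev", "noexec", "nosuid"}


def parse_mount_entries(config_text: str) -> List[Dict[str, str]]:
    """Return each lxc.mount.entry line as a dict of its first four fields."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.mount.entry":
            continue
        fields = value.split()
        if len(fields) < 4:
            continue  # freq/passno may be absent; fewer than 4 fields is malformed
        fsname, mountpoint, fstype, options = fields[:4]
        entries.append({"fsname": fsname, "mountpoint": mountpoint,
                        "fstype": fstype, "options": options})
    return entries


def audit_sysfs(config_text: str) -> List[str]:
    """Flag sysfs mounts that are writable or miss the proc-style hardening."""
    findings = []
    for e in parse_mount_entries(config_text):
        if e["fstype"] != "sysfs":
            continue
        opts = set(e["options"].split(","))
        # 'defaults' means rw; only an explicit 'ro' makes the mount read-only
        if "ro" not in opts or "rw" in opts:
            findings.append(f"{e['mountpoint']}: sysfs mounted writable "
                            f"(options '{e['options']}')")
        missing = HARDENING_OPTS - opts
        if missing:
            findings.append(f"{e['mountpoint']}: sysfs lacks "
                            + ",".join(sorted(missing)))
    return findings


# Constructed sample configs (not real container configs) mirroring the
# before/after of patch 0014 and a further-hardened variant.
BEFORE_PATCH = """\
lxc.pivotdir = lxc_putold
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.tty = 4
"""

AFTER_PATCH = BEFORE_PATCH.replace("sysfs defaults 0 0", "sysfs ro 0 0")

HARDENED = BEFORE_PATCH.replace("sysfs defaults 0 0",
                                "sysfs ro,nodev,noexec,nosuid 0 0")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_PATCH), ("after", AFTER_PATCH),
                      ("hardened", HARDENED)):
        print(name, audit_sysfs(cfg) or ["ok"])
```

To use it on a real host, read each container's config (for example /var/lib/lxc/NAME/config) into `audit_sysfs`; a config that only carries `lxc.include` of a common file will report nothing, so in that case run it against the included file as well.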