Hello community,
here is the log from the commit of package lxc.3936 for openSUSE:13.1:Update checked in at 2015-07-30 13:11:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/lxc.3936 (Old)
and /work/SRC/openSUSE:13.1:Update/.lxc.3936.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc.3936"
Changes:
--------
New Changes file:
--- /dev/null 2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.1:Update/.lxc.3936.new/lxc.changes 2015-07-30 13:11:51.000000000 +0200
@@ -0,0 +1,341 @@
+-------------------------------------------------------------------
+Thu Jul 23 10:06:47 UTC 2015 - jslaby@suse.com
+
+- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
+ (bnc#938523)
+
+-------------------------------------------------------------------
+Mon Jan 13 16:11:49 UTC 2014 - jslaby@suse.com
+
+- config_ipv6-run-inet_pton-on-the-addr-value-without-.patch:
+ config_ipv6: run inet_pton on the addr value without mask
+ (bnc#851760)
+
+-------------------------------------------------------------------
+Fri Sep 20 14:46:37 UTC 2013 - jslaby@suse.com
+
+- lxc-opensuse-add-perl-base-to-prerequisities.patch: lxc-opensuse:
+ add perl-base to prerequisities (bnc#839873)
+
+-------------------------------------------------------------------
+Tue Sep 10 15:32:28 UTC 2013 - cbosdonnat@suse.com
+
+- opensuse-systemd-shutdown.patch: Fixed opensuse template to
+ workaround lxc-shutdown problem with systemd (bnc#839388)
+
+-------------------------------------------------------------------
+Wed Apr 24 08:58:04 UTC 2013 - jslaby@suse.com
+
+- update to 0.9.0
+ * configure-support-suse-s-docbook-to-man.patch: added to support
+ our docbook-to-man
+ * configure-find-seccomp-using-pkg-config.patch: add support for
+ our libsseccomp being under /usr/include/libseccomp...
+ * autogenned.patch: the two above applied by autogen.sh to the sources
+ * remove a ton of patches which are upstream now:
+ 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch
+ lxc-autodev.patch
+ lxc-cgroup-already-running.patch
+ lxc-opensuse-12.2.patch
+ lxc-opensuse-12.3.patch
+ lxc-opensuse-clonefixes.patch
+ lxc-opensuse-extend-base.patch
+ lxc-opensuse-proper-failure.patch
+ lxc-opensuse-tmpfs.patch
+ pivot-root_shared.patch
+- Remove obsolete info from README.SUSE
+
+-------------------------------------------------------------------
+Thu Mar 7 15:34:34 UTC 2013 - fcrozat@suse.com
+
+- Ensure update repository directory is correctly created
+ (bnc#804435).
+
+-------------------------------------------------------------------
+Tue Feb 26 14:33:41 UTC 2013 - mvyskocil@suse.com
+
+- clean cache if a distro version in template does not match
+ with files in a cache (bnc#804435#c19)
+
+-------------------------------------------------------------------
+Tue Feb 26 09:58:10 UTC 2013 - mvyskocil@suse.com
+
+- run zypper ar only if .repo file does not exists
+ fixes a partial created repos (bnc#804435#c16)
+
+-------------------------------------------------------------------
+Wed Feb 20 16:21:03 UTC 2013 - fcrozat@suse.com
+
+- Add lxc-opensuse-12.3.patch: update template to openSUSE 12.3
+
+-------------------------------------------------------------------
+Tue Feb 19 10:59:39 UTC 2013 - jslaby@suse.com
+
+- lxc-opensuse-extend-base.patch: lxc-opensuse: extend base
+ (bnc#804232)
+- lxc-opensuse-proper-failure.patch: lxc-opensuse: proper failure
+- remove change-hwaddr-on-clone.patch as it was fixed upstream
+ already
+
+-------------------------------------------------------------------
+Mon Jan 21 09:26:57 UTC 2013 - fcrozat@suse.com
+
+- Update pivot-root_shared.patch with upstream patch to build with
+ old version of kernel headers.
+- Check for /etc/init.d/boot.cgroup presence before starting it in
+ %post.
+
+-------------------------------------------------------------------
+Fri Jan 11 15:56:54 UTC 2013 - fcrozat@suse.com
+
+- Release 0.8.0:
+ + add support for autodetection of gateway address
+ + add support for LVM2 and btrfs snapshot in lxc-clone
+ + add support for apparmor
+ + support nested cgroups
+ + lxc no longer depends on perl
+ + add support for container hooks (pre-start, mount, start, stop,
+ umount, post-stop)
+ + templates are moved to /usr/share/lxc/templates
+- Remove
+ Accurately-detect-whether-a-system-supports-clone_children.patch:
+ merged upstream.
+- Add lxc-opensuse-clonefixes.patch: fix openSUSE template
+ regarding cloning.
+- Add 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch: fix
+ btrfs subvolume when removing a container.
+- Add lxc-autodev.patch: fill /dev when starting container (needed
+ for systemd).
+- Update lxc-opensuse-12.2.patch: switch to systemd in container.
+
+-------------------------------------------------------------------
+Fri Jan 11 15:30:21 UTC 2013 - fcrozat@suse.com
+
+- Add lxc-opensuse-12.1-fixbuild.patch: fix openSUSE 12.1 container
+ build.
+- Add lxc-opensuse-12.2.patch:
+ + switch openSUSE template to 12.2
+ + install iputils in the default configuration
+ + autoconfigure gateway if possible
+ + detect if network is set to 0.0.0.0 and configure DHCP
+ + bind mount /etc/resolv.conf in container
+- Add use-relative-paths-for-container.patch,
+ fix-lxc-clone-mount-entries.patch and update sles
+ template: use relative paths for container mount points, fixes
+ lxc-clone dropping some lxc.mount entries (bnc#789387).
+- Add Requires(post) dependency on aaa_base (bnc#786970) for
+ openSUSE < 12.3.
+- Add dhcpcd in default installation in openSUSE template (bnc#776169).
+- Add change-hwaddr-on-clone.patch: modify MAC address when cloning
+ a container (git)
+- Add wait-until-container-is-stopped.patch: if destroying a
+ running container, wait until it is stopped before destroying it.
+- Ensure lxc-createconfig uses opensuse template by default.
+- Ensure lxc-createconfig correctly detect cidr (bnc#773234).
+- Add pivot-root_shared.patch: fix pivot root when / is mounted as
+ shared (default on 12.3 and later).
+
+-------------------------------------------------------------------
+Fri Apr 20 13:53:41 UTC 2012 - fcrozat@suse.com
+
+- Add various fixes to opensuse template :
+ + create /etc/hostname as symlink to /etc/HOSTNAME
+ (lxc-clone fix)
+ + fix inadequate space in lxc.mount config (lxc-clone fix)
+ + disable network in container if not configured
+ + configure network scripts properly
+- Add lxc-snapshot-btrfs-lvm.patch: backport snapshot support,
+ using btrfs or lvm2.
+- Add lxc-opensuse-tmpfs.patch: ensure container shutting down is
+ correctly detected by LXC.
+
+-------------------------------------------------------------------
+Fri Apr 13 11:36:16 UTC 2012 - fcrozat@suse.com
+
+- Add lxc-createconfig script to easy LXC configuration
+ (bnc#723950).
+
+-------------------------------------------------------------------
+Tue Mar 6 21:11:54 CET 2012 - jslaby@suse.de
+
+- Accurately detect whether a system supports clone_children
+ (bnc#750470)
+
+-------------------------------------------------------------------
+Tue Jan 10 15:41:45 UTC 2012 - fcrozat@suse.com
+
+- Drop lxc-file_caps.patch, it is SLES specific, since openSUSE is
+ now shipping with file capabilities enabled.
+
+-------------------------------------------------------------------
+Fri Jan 6 15:51:32 UTC 2012 - fcrozat@suse.com
+
+- Update lxc-opensuse-12.1.patch to correctly generate containers
+ on x86 (bnc#739315).
+- Backport some fixes from SLES 11 SP2:
+ - Add lxc-checkconfig-kernel-3.patch and lxc-file_caps.patch:
+ fix detection of kernel 3.x and file capabilities (bnc#720845).
+ - Fix example path in manpages (bnc#723946).
+
+-------------------------------------------------------------------
+Tue Oct 25 11:35:10 UTC 2011 - fcrozat@suse.com
+
+- Add console to opensuse securetty, since we are in a container.
+
+-------------------------------------------------------------------
+Tue Oct 25 09:32:01 UTC 2011 - fcrozat@suse.com
+
+- Add lxc-opensuse-12.1.patch: create openSUSE 12.1 containers now
+- Add Recommends on build package, which is used by opensuse
+ template.
+- Update README.SUSE to current status for cgroups mountpoint
+
+-------------------------------------------------------------------
+Fri Sep 2 08:26:28 UTC 2011 - fcrozat@suse.com
+
+- Fix license tag, it is LGPLv2.1+ (using LGPLv2+ tag to be
+ consistent).
++++ 144 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.lxc.3936.new/lxc.changes
New:
----
CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
README.SUSE
autogenned.patch
config_ipv6-run-inet_pton-on-the-addr-value-without-.patch
configure-find-seccomp-using-pkg-config.patch
configure-support-suse-s-docbook-to-man.patch
lxc-0.9.0.tar.gz
lxc-createconfig.in
lxc-opensuse-add-perl-base-to-prerequisities.patch
lxc.changes
lxc.spec
opensuse-systemd-shutdown.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lxc.spec ++++++
#
# spec file for package lxc
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# Main package metadata. The upstream tarball is fetched by name and version;
# the SUSE-specific additions (README.SUSE, lxc-createconfig) and the local
# patches are listed as separate Sources and Patches below.
Name: lxc
Version: 0.9.0
Release: 0
Url: http://lxc.sourceforge.net/
Summary: Linux containers implementation
License: LGPL-2.1+
Group: System/Management
Source: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz
Source1: README.SUSE
# Template for the lxc-createconfig helper; it is filled in by config.status
# in the install section rather than being shipped verbatim.
Source2: lxc-createconfig.in
#see autogenned.patch for these two:
# Source3 and Source4 are not applied in prep: autogenned.patch carries
# their effect on the generated configure and src/lxc/Makefile.in, so they
# are kept alongside for reference.
Source3: configure-support-suse-s-docbook-to-man.patch
Source4: configure-find-seccomp-using-pkg-config.patch
Patch0: autogenned.patch
# Template fix: make container shutdown work with systemd (bnc#839388).
Patch1: opensuse-systemd-shutdown.patch
# Template fix: perl-base is needed by insserv-compat (bnc#839873).
Patch2: lxc-opensuse-add-perl-base-to-prerequisities.patch
# Accept an "addr/mask" value for the ipv6 network address (bnc#851760).
Patch3: config_ipv6-run-inet_pton-on-the-addr-value-without-.patch
# Security fix CVE-2015-1334 (bnc#938523): lxc-attach must not rely on the
# container's /proc when writing the AppArmor/LSM label.
Patch4: CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: docbook-utils
BuildRequires: docbook2x
BuildRequires: libapparmor-devel
BuildRequires: libcap-devel
# seccomp support is only built on x86 for openSUSE 12.3 and newer, where
# libseccomp-devel exists; the configure patch locates it via pkg-config.
%ifarch %ix86 x86_64
%if 0%{?suse_version} >= 1230
BuildRequires: libseccomp-devel
%endif
%endif
BuildRequires: libxslt
BuildRequires: lsb-release
BuildRequires: pkg-config
# The kernel header package carries a different name on releases before 11.3.
%if 0%{?suse_version} >= 1130
BuildRequires: linux-glibc-devel
%else
BuildRequires: linux-kernel-headers
%endif
# Runtime dependency on the setcap binary itself (a path, not a package name).
Requires: /sbin/setcap
Requires: rsync
# Needed by the post scriptlet on releases older than 12.3 (bnc#786970).
%if 0%{?suse_version} < 1230
Requires(post): aaa_base
%endif
# needed to create openSUSE containers using template
Recommends: build
%description
It provides commands to create and manage containers. It contains a
full featured container with the isolation/virtualization of the pids,
the ipc, the utsname, the mount points, /proc, /sys, the network and it
takes into account the control groups. It is very light, flexible, and
provides a set of tools around the container like the monitoring with
asynchronous events notification, or the freeze of the container. This
package is useful to create Virtual Private Server, or to run isolated
applications like bash or sshd.
%package devel
Summary: Development library for lxc
# NOTE(review): the main package is tagged LGPL-2.1+ while this subpackage
# says LGPL-2.1; confirm which is intended.
License: LGPL-2.1
Group: Development/Libraries/C and C++
Requires: %name = %version
%description devel
Lxc header files and library needed for development of containers.
%prep
%setup -q
# autogenned.patch rewrites the generated configure and src/lxc/Makefile.in
# (see its header); the remaining patches touch templates and sources.
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
%configure --disable-examples
%__make %{?_smp_mflags}
# Stage the SUSE README and the example configs so the files section can
# package them as documentation.
%__cp %{SOURCE1} .
%__rm -rf .doc
%__mkdir_p .doc/examples
%__cp doc/examples/*.conf .doc/examples
%install
%makeinstall
install -d -m 755 %{buildroot}/var/lib/lxc
# Drop libtool archives; only the shared objects are shipped.
find %buildroot -type f -name '*.la' -delete
# Generate the lxc-createconfig helper from its .in template using the
# values configure determined, then make it executable.
./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2}
chmod a+x %{buildroot}%{_bindir}/lxc-createconfig
%clean
%__rm -rf %buildroot
%post
/sbin/ldconfig
# On openSUSE older than 12.3, enable the boot.cgroup init script that mounts
# the cgroup filesystem (see README.SUSE) and start it on a best-effort basis:
# a start failure must not fail the package installation, hence the "|| :".
%if 0%{?suse_version} < 1230
if [ -x /etc/init.d/boot.cgroup ]; then
%fillup_and_insserv -f -Y boot.cgroup
/etc/init.d/boot.cgroup start 2>/dev/null >/dev/null || :
fi
%endif
%postun
/sbin/ldconfig
%if 0%{?suse_version} < 1230
%insserv_cleanup
%endif
%files
%defattr(-,root,root)
%doc AUTHORS MAINTAINERS COPYING README doc/FAQ.txt
%doc README.SUSE
%doc .doc/examples
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%{_libdir}/lib%{name}.so.*
%{_libexecdir}/%name
%{_libdir}/%name
%{_datadir}/%name
%dir /var/lib/lxc
%{_bindir}/%{name}-*
# Every man section except 3. NOTE(review): section 3 pages are not listed
# in the devel subpackage either; confirm the build installs none, otherwise
# they end up unpackaged.
%{_mandir}/man[^3]/*
%files devel
%defattr(-,root,root)
%{_includedir}/%name
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc
%changelog
++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Thu, 16 Jul 2015 16:37:51 -0400
Subject: CVE-2015-1334: Don't use the container's /proc during attach
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch-mainline: yes
Git-commit: 5c3fcae78b63ac9dd56e36075903921bd9461f9e
References: bnc#938523
A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.
Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber
Signed-off-by: Jiri Slaby [backport to 0.9]
---
src/lxc/lxc_attach.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 52 insertions(+), 1 deletion(-)
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -24,9 +24,11 @@
#define _GNU_SOURCE
#include
#include
+#include
#include
#include
#include
+#include
#include
#include
#include
@@ -140,6 +142,48 @@ Options :\n\
.checker = NULL,
};
+static int lsm_set_label_at(int procfd, char *lsm_label)
+{
+ int labelfd = -1;
+ int ret = 0;
+ int size;
+ char *command = NULL;
+
+ labelfd = openat(procfd, "self/attr/current", O_RDWR);
+ if (labelfd < 0) {
+ SYSERROR("Unable to open LSM label");
+ ret = -1;
+ goto out;
+ }
+
+ command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1);
+ if (!command) {
+ SYSERROR("Failed to write apparmor profile");
+ ret = -1;
+ goto out;
+ }
+
+ size = sprintf(command, "changeprofile %s", lsm_label);
+ if (size < 0) {
+ SYSERROR("Failed to write apparmor profile");
+ ret = -1;
+ goto out;
+ }
+
+ if (write(labelfd, command, size + 1) < 0) {
+ SYSERROR("Unable to set LSM label");
+ ret = -1;
+ goto out;
+ }
+out:
+ free(command);
+
+ if (labelfd != -1)
+ close(labelfd);
+
+ return ret;
+}
+
int main(int argc, char *argv[])
{
int ret;
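Review bot: The write check `if (write(labelfd, command, size + 1) < 0)` only catches an outright error, so a short write would leave the `changeprofile` request partially delivered while lsm_set_label_at() reports success and the attach proceeds as if confined; compare the byte count instead, `if (write(labelfd, command, size + 1) != size + 1)`. The malloc failure branch reuses the sprintf message `Failed to write apparmor profile`, which makes the two failures indistinguishable in the log; `Failed to allocate LSM label command` says what actually happened. `strlen(lsm_label)` dereferences the label unconditionally, and the replaced attach_apparmor() call is outside this hunk, so I cannot confirm whether a NULL aa_profile was previously tolerated; if it can be NULL, a `if (!lsm_label) return 0;` guard at the top is needed. The function is complete within the hunk.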
@@ -395,10 +439,17 @@ int main(int argc, char *argv[])
close(cgroup_ipc_sockets[1]);
if ((namespace_flags & CLONE_NEWNS)) {
- if (attach_apparmor(init_ctx->aa_profile) < 0) {
+ int procfd = open("/proc", O_DIRECTORY | O_RDONLY);
+ if (procfd < 0) {
+ SYSERROR("Unable to open /proc");
+ return -1;
+ }
+ if (lsm_set_label_at(procfd, init_ctx->aa_profile) < 0) {
ERROR("failed switching apparmor profiles");
return -1;
}
+ /* we don't need proc anymore */
+ close(procfd);
}
/* A description of the purpose of this functionality is
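Review bot: The fd opened at `int procfd = open("/proc", O_DIRECTORY | O_RDONLY);` only achieves what the patch description asks for if this statement runs before main() has joined the container's mount namespace; that switch is outside the hunk, so the backport should confirm the open precedes the CLONE_NEWNS setns, otherwise lsm_set_label_at() is still writing through a /proc the container controls. A comment on the open recording that ordering requirement, `/* must be opened before entering the container's mount namespace */`, would keep the invariant visible to the next person touching this code. The failure path of the lsm_set_label_at() call returns -1 with procfd still open; main() exits so nothing leaks for long, but a `close(procfd);` before the return keeps the cleanup symmetric with the success path. main() starts and ends outside this hunk.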
++++++ README.SUSE ++++++
To mount the control group file system just run:
/sbin/insserv boot.cgroup
and /sys/fs/cgroup will be mounted for cgroup automatically.
++++++ autogenned.patch ++++++
It contains the effect of these patches:
configure-find-seccomp-using-pkg-config.patch
configure-support-suse-s-docbook-to-man.patch
diff --git a/configure b/configure
index dfb8e42..ee5faae 100755
--- a/configure
+++ b/configure
@@ -659,9 +659,6 @@ ENABLE_LUA_FALSE
ENABLE_LUA_TRUE
PYTHONDEV_LIBS
PYTHONDEV_CFLAGS
-PKG_CONFIG_LIBDIR
-PKG_CONFIG_PATH
-PKG_CONFIG
pkgpyexecdir
pyexecdir
pkgpythondir
@@ -676,6 +673,10 @@ ENABLE_PYTHON_TRUE
ENABLE_EXAMPLES_FALSE
ENABLE_EXAMPLES_TRUE
SECCOMP_LIBS
+SECCOMP_CFLAGS
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
+PKG_CONFIG
ENABLE_SECCOMP_FALSE
ENABLE_SECCOMP_TRUE
APPARMOR_LIBS
@@ -806,10 +807,12 @@ LDFLAGS
LIBS
CPPFLAGS
CPP
-PYTHON
PKG_CONFIG
PKG_CONFIG_PATH
PKG_CONFIG_LIBDIR
+SECCOMP_CFLAGS
+SECCOMP_LIBS
+PYTHON
PYTHONDEV_CFLAGS
PYTHONDEV_LIBS
LUA_CFLAGS
@@ -1468,12 +1471,16 @@ Some influential environment variables:
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
- PYTHON the Python interpreter
PKG_CONFIG path to pkg-config utility
PKG_CONFIG_PATH
directories to add to pkg-config's search path
PKG_CONFIG_LIBDIR
path overriding pkg-config's built-in search path
+ SECCOMP_CFLAGS
+ C compiler flags for SECCOMP, overriding pkg-config
+ SECCOMP_LIBS
+ linker flags for SECCOMP, overriding pkg-config
+ PYTHON the Python interpreter
PYTHONDEV_CFLAGS
C compiler flags for PYTHONDEV, overriding pkg-config
PYTHONDEV_LIBS
@@ -4821,7 +4828,7 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for docbook2x-man" >&5
$as_echo_n "checking for docbook2x-man... " >&6; }
- for name in docbook2x-man db2x_docbook2man; do
+ for name in docbook2x-man db2x_docbook2man docbook-to-man; do
if "$name" --help >/dev/null 2>&1; then
db2xman="$name"
break;
@@ -5034,113 +5041,6 @@ else
fi
-if test -z "$ENABLE_SECCOMP_TRUE"; then :
- ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default"
-if test "x$ac_cv_header_seccomp_h" = xyes; then :
-
-else
- as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5
-$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; }
-if ${ac_cv_lib_seccomp_seccomp_init+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lseccomp $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char seccomp_init ();
-int
-main ()
-{
-return seccomp_init ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_seccomp_seccomp_init=yes
-else
- ac_cv_lib_seccomp_seccomp_init=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5
-$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; }
-if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBSECCOMP 1
-_ACEOF
-
- LIBS="-lseccomp $LIBS"
-
-else
- as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
-fi
-
- SECCOMP_LIBS=-lseccomp
-
-fi
-
-# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
-ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include
-"
-if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_SCMP_FILTER_CTX 1
-_ACEOF
-
-
-fi
-
-
-# Configuration examples
-# Check whether --enable-examples was given.
-if test "${enable_examples+set}" = set; then :
- enableval=$enable_examples;
-else
- enable_examples=yes
-fi
-
- if test "x$enable_examples" = "xyes"; then
- ENABLE_EXAMPLES_TRUE=
- ENABLE_EXAMPLES_FALSE='#'
-else
- ENABLE_EXAMPLES_TRUE='#'
- ENABLE_EXAMPLES_FALSE=
-fi
-
-
-# Python3 module and scripts
-# Check whether --enable-python was given.
-if test "${enable_python+set}" = set; then :
- enableval=$enable_python; enable_python=yes
-else
- enable_python=no
-fi
-
- if test "x$enable_python" = "xyes"; then
- ENABLE_PYTHON_TRUE=
- ENABLE_PYTHON_FALSE='#'
-else
- ENABLE_PYTHON_TRUE='#'
- ENABLE_PYTHON_FALSE=
-fi
-
-
@@ -5261,6 +5161,247 @@ $as_echo "no" >&6; }
PKG_CONFIG=""
fi
fi
+if test -z "$ENABLE_SECCOMP_TRUE"; then :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SECCOMP" >&5
+$as_echo_n "checking for SECCOMP... " >&6; }
+
+if test -n "$SECCOMP_CFLAGS"; then
+ pkg_cv_SECCOMP_CFLAGS="$SECCOMP_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SECCOMP_CFLAGS=`$PKG_CONFIG --cflags "libseccomp" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+if test -n "$SECCOMP_LIBS"; then
+ pkg_cv_SECCOMP_LIBS="$SECCOMP_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SECCOMP_LIBS=`$PKG_CONFIG --libs "libseccomp" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ SECCOMP_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libseccomp" 2>&1`
+ else
+ SECCOMP_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libseccomp" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$SECCOMP_PKG_ERRORS" >&5
+
+
+ ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default"
+if test "x$ac_cv_header_seccomp_h" = xyes; then :
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5
+$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; }
+if ${ac_cv_lib_seccomp_seccomp_init+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lseccomp $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char seccomp_init ();
+int
+main ()
+{
+return seccomp_init ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_seccomp_seccomp_init=yes
+else
+ ac_cv_lib_seccomp_seccomp_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5
+$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; }
+if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSECCOMP 1
+_ACEOF
+
+ LIBS="-lseccomp $LIBS"
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+ SECCOMP_LIBS=-lseccomp
+
+
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+ ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default"
+if test "x$ac_cv_header_seccomp_h" = xyes; then :
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5
+$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; }
+if ${ac_cv_lib_seccomp_seccomp_init+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lseccomp $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char seccomp_init ();
+int
+main ()
+{
+return seccomp_init ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_seccomp_seccomp_init=yes
+else
+ ac_cv_lib_seccomp_seccomp_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5
+$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; }
+if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSECCOMP 1
+_ACEOF
+
+ LIBS="-lseccomp $LIBS"
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+ SECCOMP_LIBS=-lseccomp
+
+
+else
+ SECCOMP_CFLAGS=$pkg_cv_SECCOMP_CFLAGS
+ SECCOMP_LIBS=$pkg_cv_SECCOMP_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+fi
+
+# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+OLD_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
+ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include
+"
+if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_SCMP_FILTER_CTX 1
+_ACEOF
+
+
+fi
+
+CFLAGS="$OLD_CFLAGS"
+
+# Configuration examples
+# Check whether --enable-examples was given.
+if test "${enable_examples+set}" = set; then :
+ enableval=$enable_examples;
+else
+ enable_examples=yes
+fi
+
+ if test "x$enable_examples" = "xyes"; then
+ ENABLE_EXAMPLES_TRUE=
+ ENABLE_EXAMPLES_FALSE='#'
+else
+ ENABLE_EXAMPLES_TRUE='#'
+ ENABLE_EXAMPLES_FALSE=
+fi
+
+
+# Python3 module and scripts
+# Check whether --enable-python was given.
+if test "${enable_python+set}" = set; then :
+ enableval=$enable_python; enable_python=yes
+else
+ enable_python=no
+fi
+
+ if test "x$enable_python" = "xyes"; then
+ ENABLE_PYTHON_TRUE=
+ ENABLE_PYTHON_FALSE='#'
+else
+ ENABLE_PYTHON_TRUE='#'
+ ENABLE_PYTHON_FALSE=
+fi
+
+
if test -z "$ENABLE_PYTHON_TRUE"; then :
diff --git a/src/lxc/Makefile.in b/src/lxc/Makefile.in
index d6841c6..b97b429 100644
--- a/src/lxc/Makefile.in
+++ b/src/lxc/Makefile.in
@@ -65,7 +65,7 @@ so_PROGRAMS = liblxc.so$(EXEEXT)
@HAVE_FGETLN_TRUE@@HAVE_GETLINE_FALSE@am__append_4 = ../include/getline.c ../include/getline.h
@ENABLE_APPARMOR_TRUE@am__append_5 = -DHAVE_APPARMOR
@USE_CONFIGPATH_LOGS_TRUE@am__append_6 = -DUSE_CONFIGPATH_LOGS
-@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP
+@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP $(SECCOMP_CFLAGS)
@ENABLE_SECCOMP_TRUE@am__append_8 = seccomp.c
@ENABLE_PYTHON_TRUE@am__append_9 = lxc-device lxc-ls \
@ENABLE_PYTHON_TRUE@ lxc-start-ephemeral
@@ -344,6 +344,7 @@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+SECCOMP_CFLAGS = @SECCOMP_CFLAGS@
SECCOMP_LIBS = @SECCOMP_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
++++++ config_ipv6-run-inet_pton-on-the-addr-value-without-.patch ++++++
From: Serge Hallyn
Date: Fri, 23 Aug 2013 12:45:15 -0500
Subject: config_ipv6: run inet_pton on the addr value without mask
Patch-mainline: no
References: bnc#851760
otherwise a "$addr/$mask" results in failure.
Signed-off-by: Serge Hallyn
Signed-off-by: Jiri Slaby
---
src/lxc/confile.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: lxc-0.9.0/src/lxc/confile.c
===================================================================
--- lxc-0.9.0.orig/src/lxc/confile.c
+++ lxc-0.9.0/src/lxc/confile.c
@@ -745,8 +745,8 @@ static int config_network_ipv6(const cha
inet6dev->prefix = atoi(netmask);
}
- if (!inet_pton(AF_INET6, value, &inet6dev->addr)) {
- SYSERROR("invalid ipv6 address: %s", value);
+ if (!inet_pton(AF_INET6, valdup, &inet6dev->addr)) {
+ SYSERROR("invalid ipv6 address: %s", valdup);
free(valdup);
return -1;
}
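Review bot: The changed condition `if (!inet_pton(AF_INET6, valdup, &inet6dev->addr))` only treats a 0 return as failure, but inet_pton() also returns -1 (unsupported address family), which would pass this test with `inet6dev->addr` left unset; `if (inet_pton(AF_INET6, valdup, &inet6dev->addr) <= 0)` covers both, even if -1 is unlikely for AF_INET6 on Linux. Separately, inet_pton() does not set errno when it rejects a malformed address, so the SYSERROR() on the following line appends whatever stale errno string is around to `invalid ipv6 address`; ERROR() would report the condition accurately. config_network_ipv6() starts and ends outside the hunk.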
++++++ configure-find-seccomp-using-pkg-config.patch ++++++
From: Jiri Slaby
Date: Wed, 24 Apr 2013 10:46:21 +0200
Subject: configure: find seccomp using pkg-config
Patch-mainline: no
On suse we have the header in a subdir inside /usr/include, so
pkgconfig has to be used to find out the proper CFLAGS.
Signed-off-by: Jiri Slaby
---
configure.ac | 12 +++++++++---
src/lxc/Makefile.am | 2 +-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index ef6122e..630027a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,12 +113,18 @@ fi
AM_CONDITIONAL([ENABLE_SECCOMP], [test "x$enable_seccomp" = "xyes"])
AM_COND_IF([ENABLE_SECCOMP],
- [AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
- AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
- AC_SUBST([SECCOMP_LIBS], [-lseccomp])])
+ [PKG_CHECK_MODULES([SECCOMP],[libseccomp],[],[
+ AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
+ AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
+ AC_SUBST([SECCOMP_LIBS], [-lseccomp])
+ ])
+ ])
# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+OLD_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include ])
+CFLAGS="$OLD_CFLAGS"
# Configuration examples
AC_ARG_ENABLE([examples],
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index ebeca466..5798c93 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -104,7 +104,7 @@ AM_CFLAGS += -DUSE_CONFIGPATH_LOGS
endif
if ENABLE_SECCOMP
-AM_CFLAGS += -DHAVE_SECCOMP
+AM_CFLAGS += -DHAVE_SECCOMP $(SECCOMP_CFLAGS)
liblxc_so_SOURCES += seccomp.c
endif
--
1.8.2.1
++++++ configure-support-suse-s-docbook-to-man.patch ++++++
From: Jiri Slaby
Date: Wed, 24 Apr 2013 10:33:34 +0200
Subject: configure: support suse's docbook-to-man
Patch-mainline: no
When finding docbook2x-man...
Signed-off-by: Jiri Slaby
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/configure.ac
+++ b/configure.ac
@@ -67,7 +67,7 @@ if test "x$enable_doc" = "xyes" -o "x$en
db2xman=""
AC_MSG_CHECKING(for docbook2x-man)
- for name in docbook2x-man db2x_docbook2man; do
+ for name in docbook2x-man db2x_docbook2man docbook-to-man; do
if "$name" --help >/dev/null 2>&1; then
db2xman="$name"
break;
++++++ lxc-createconfig.in ++++++
#!/bin/bash
#
# lxc: linux Container library
# Authors:
# Mike Friesenegger
# Daniel Lezcano
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
usage() {
echo "usage: lxc-createconfig -n <name> [-i ] [-b <bridge>] [-t /dev/null
if [ $? -ne 0 ]; then
echo "$lxc_bridge not defined"
exit 1
fi
fi
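# Validate the requested template before asking for confirmation: the
# generated config only records the template name, so the matching
# lxc-<template> script has to exist under $templatedir.
if [ -n "$lxc_template" ]; then
  if ! type "${templatedir}/lxc-${lxc_template}" >/dev/null; then
    echo "unknown template '$lxc_template'"
    exit 1
  fi
fi

# Summarise what will be written and let the user bail out; anything other
# than y/Y aborts before the filesystem is touched.
echo
echo "Container Name = " "$lxc_name"
echo "IP Address = " "$lxc_ipaddr"
echo "Bridge = " "$lxc_bridge"
echo
printf '%s' "Create container config? (n): "
IFS= read -r ANSWER
case "$ANSWER" in
  y|Y) ;;
  *) exit 1 ;;
esac

lxc_conffile="$lxc_confpath/$lxc_confname"
echo
echo "Creating container config $lxc_conffile"

# generate a MAC for the IP: a locally administered (02:) unicast address
# whose last four bytes come from hashing the current time and the interrupt
# counters. The address is not a secret; it only has to differ between
# containers created on the same host.
lxc_hwaddr="02:00:$( (date ; cat /proc/interrupts) | md5sum | sed -r 's/^(.{8}).*$/\1/;s/([0-9a-f]{2})/\1:/g;s/:$//;')"

# Write the network section in one go so a failure (for example an
# unwritable $lxc_confpath) is reported and the success hint below is not
# printed over a missing or half-written file. The ipv4 line is written
# only for a non-empty, non-DHCP address.
{
  cat <<%%
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $lxc_bridge
lxc.network.hwaddr = $lxc_hwaddr
%%
  if [ -n "$lxc_ipaddr" ] && [ "$lxc_ipaddr" != "DHCP" ]; then
    echo "lxc.network.ipv4 = $lxc_ipaddr"
  fi
  echo "lxc.network.name = eth0"
} >"$lxc_conffile" || {
  echo "failed to write $lxc_conffile" >&2
  exit 1
}

echo
echo "Run 'lxc-create -n $lxc_name -f $lxc_conffile -t $lxc_template' to create the lxc system object."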
++++++ lxc-opensuse-add-perl-base-to-prerequisities.patch ++++++
From: Jiri Slaby
Date: Fri, 20 Sep 2013 16:39:50 +0200
Subject: lxc-opensuse: add perl-base to prerequisities
Patch-mainline: submitted sep 20 2013
References: bnc#839873
It is needed by insserv-compat.
Signed-off-by: Jiri Slaby
---
templates/lxc-opensuse.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 1fc7e21..3005e40 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -125,7 +125,7 @@ download_opensuse()
zypper --root $cache/partial-$arch-packages --non-interactive in --auto-agree-with-licenses --download-only zypper lxc patterns-openSUSE-base bash iputils sed tar rsyslog || return 1
cat > $cache/partial-$arch-packages/opensuse.conf << EOF
Preinstall: aaa_base bash coreutils diffutils
-Preinstall: filesystem fillup glibc grep insserv-compat
+Preinstall: filesystem fillup glibc grep insserv-compat perl-base
Preinstall: libbz2-1 libgcc_s1 libncurses5 pam
Preinstall: permissions libreadline6 rpm sed tar libz1 libselinux1
Preinstall: liblzma5 libcap2 libacl1 libattr1
--
1.8.4
++++++ opensuse-systemd-shutdown.patch ++++++
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 77ef6b2..7c614c2 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -88,6 +88,9 @@ EOF
ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty3.service
ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty4.service
+ # copy host poweroff target as sigpwr target to make shutdown work
+ # see https://wiki.archlinux.org/index.php/Linux_Containers#Container_cannot_be_sh...
+ cp /usr/lib/systemd/system/poweroff.target $rootfs/usr/lib/systemd/system/sigpwr.target
touch $rootfs/etc/sysconfig/kernel