commit lxc.3936 for openSUSE:13.1:Update

Hello community,

here is the log from the commit of package lxc.3936 for openSUSE:13.1:Update checked in at 2015-07-30 13:11:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/lxc.3936 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.lxc.3936.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lxc.3936"

Changes:
--------
New Changes file:

--- /dev/null	2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.1:Update/.lxc.3936.new/lxc.changes	2015-07-30 13:11:51.000000000 +0200
@@ -0,0 +1,341 @@ +------------------------------------------------------------------- +Thu Jul 23 10:06:47 UTC 2015 - jslaby@suse.com + +- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch + (bnc#938523) + +------------------------------------------------------------------- +Mon Jan 13 16:11:49 UTC 2014 - jslaby@suse.com + +- config_ipv6-run-inet_pton-on-the-addr-value-without-.patch: + config_ipv6: run inet_pton on the addr value without mask + (bnc#851760) + +------------------------------------------------------------------- +Fri Sep 20 14:46:37 UTC 2013 - jslaby@suse.com + +- lxc-opensuse-add-perl-base-to-prerequisities.patch: lxc-opensuse: + add perl-base to prerequisities (bnc#839873) + +------------------------------------------------------------------- +Tue Sep 10 15:32:28 UTC 2013 - cbosdonnat@suse.com + +- opensuse-systemd-shutdown.patch: Fixed opensuse template to + workaround lxc-shutdown problem with systemd (bnc#839388) + +------------------------------------------------------------------- +Wed Apr 24 08:58:04 UTC 2013 - jslaby@suse.com + +- update to 0.9.0 + * configure-support-suse-s-docbook-to-man.patch: added to support + our docbook-to-man + * configure-find-seccomp-using-pkg-config.patch: add support for + our libsseccomp being under /usr/include/libseccomp... + * autogenned.patch: the two above applied by autogen.sh to the sources + * remove a ton of patches which are upstream now: + 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch + lxc-autodev.patch + lxc-cgroup-already-running.patch + lxc-opensuse-12.2.patch + lxc-opensuse-12.3.patch + lxc-opensuse-clonefixes.patch + lxc-opensuse-extend-base.patch + lxc-opensuse-proper-failure.patch + lxc-opensuse-tmpfs.patch + pivot-root_shared.patch +- Remove obsolete info from README.SUSE + +------------------------------------------------------------------- +Thu Mar 7 15:34:34 UTC 2013 - fcrozat@suse.com + +- Ensure update repository directory is correctly created + (bnc#804435). 
+ +------------------------------------------------------------------- +Tue Feb 26 14:33:41 UTC 2013 - mvyskocil@suse.com + +- clean cache if a distro version in template does not match + with files in a cache (bnc#804435#c19) + +------------------------------------------------------------------- +Tue Feb 26 09:58:10 UTC 2013 - mvyskocil@suse.com + +- run zypper ar only if .repo file does not exists + fixes a partial created repos (bnc#804435#c16) + +------------------------------------------------------------------- +Wed Feb 20 16:21:03 UTC 2013 - fcrozat@suse.com + +- Add lxc-opensuse-12.3.patch: update template to openSUSE 12.3 + +------------------------------------------------------------------- +Tue Feb 19 10:59:39 UTC 2013 - jslaby@suse.com + +- lxc-opensuse-extend-base.patch: lxc-opensuse: extend base + (bnc#804232) +- lxc-opensuse-proper-failure.patch: lxc-opensuse: proper failure +- remove change-hwaddr-on-clone.patch as it was fixed upstream + already + +------------------------------------------------------------------- +Mon Jan 21 09:26:57 UTC 2013 - fcrozat@suse.com + +- Update pivot-root_shared.patch with upstream patch to build with + old version of kernel headers. +- Check for /etc/init.d/boot.cgroup presence before starting it in + %post. + +------------------------------------------------------------------- +Fri Jan 11 15:56:54 UTC 2013 - fcrozat@suse.com + +- Release 0.8.0: + + add support for autodetection of gateway address + + add support for LVM2 and btrfs snapshot in lxc-clone + + add support for apparmor + + support nested cgroups + + lxc no longer depends on perl + + add support for container hooks (pre-start, mount, start, stop, + umount, post-stop) + + templates are moved to /usr/share/lxc/templates +- Remove + Accurately-detect-whether-a-system-supports-clone_children.patch: + merged upstream. +- Add lxc-opensuse-clonefixes.patch: fix openSUSE template + regarding cloning. 
+- Add 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch: fix + btrfs subvolume when removing a container. +- Add lxc-autodev.patch: fill /dev when starting container (needed + for systemd). +- Update lxc-opensuse-12.2.patch: switch to systemd in container. + +------------------------------------------------------------------- +Fri Jan 11 15:30:21 UTC 2013 - fcrozat@suse.com + +- Add lxc-opensuse-12.1-fixbuild.patch: fix openSUSE 12.1 container + build. +- Add lxc-opensuse-12.2.patch: + + switch openSUSE template to 12.2 + + install iputils in the default configuration + + autoconfigure gateway if possible + + detect if network is set to 0.0.0.0 and configure DHCP + + bind mount /etc/resolv.conf in container +- Add use-relative-paths-for-container.patch, + fix-lxc-clone-mount-entries.patch and update sles + template: use relative paths for container mount points, fixes + lxc-clone dropping some lxc.mount entries (bnc#789387). +- Add Requires(post) dependency on aaa_base (bnc#786970) for + openSUSE < 12.3. +- Add dhcpcd in default installation in openSUSE template (bnc#776169). +- Add change-hwaddr-on-clone.patch: modify MAC address when cloning + a container (git) +- Add wait-until-container-is-stopped.patch: if destroying a + running container, wait until it is stopped before destroying it. +- Ensure lxc-createconfig uses opensuse template by default. +- Ensure lxc-createconfig correctly detect cidr (bnc#773234). +- Add pivot-root_shared.patch: fix pivot root when / is mounted as + shared (default on 12.3 and later). 
+ +------------------------------------------------------------------- +Fri Apr 20 13:53:41 UTC 2012 - fcrozat@suse.com + +- Add various fixes to opensuse template : + + create /etc/hostname as symlink to /etc/HOSTNAME + (lxc-clone fix) + + fix inadequate space in lxc.mount config (lxc-clone fix) + + disable network in container if not configured + + configure network scripts properly +- Add lxc-snapshot-btrfs-lvm.patch: backport snapshot support, + using btrfs or lvm2. +- Add lxc-opensuse-tmpfs.patch: ensure container shutting down is + correctly detected by LXC. + +------------------------------------------------------------------- +Fri Apr 13 11:36:16 UTC 2012 - fcrozat@suse.com + +- Add lxc-createconfig script to easy LXC configuration + (bnc#723950). + +------------------------------------------------------------------- +Tue Mar 6 21:11:54 CET 2012 - jslaby@suse.de + +- Accurately detect whether a system supports clone_children + (bnc#750470) + +------------------------------------------------------------------- +Tue Jan 10 15:41:45 UTC 2012 - fcrozat@suse.com + +- Drop lxc-file_caps.patch, it is SLES specific, since openSUSE is + now shipping with file capabilities enabled. + +------------------------------------------------------------------- +Fri Jan 6 15:51:32 UTC 2012 - fcrozat@suse.com + +- Update lxc-opensuse-12.1.patch to correctly generate containers + on x86 (bnc#739315). +- Backport some fixes from SLES 11 SP2: + - Add lxc-checkconfig-kernel-3.patch and lxc-file_caps.patch: + fix detection of kernel 3.x and file capabilities (bnc#720845). + - Fix example path in manpages (bnc#723946). + +------------------------------------------------------------------- +Tue Oct 25 11:35:10 UTC 2011 - fcrozat@suse.com + +- Add console to opensuse securetty, since we are in a container. 
+ +------------------------------------------------------------------- +Tue Oct 25 09:32:01 UTC 2011 - fcrozat@suse.com + +- Add lxc-opensuse-12.1.patch: create openSUSE 12.1 containers now +- Add Recommends on build package, which is used by opensuse + template. +- Update README.SUSE to current status for cgroups mountpoint + +------------------------------------------------------------------- +Fri Sep 2 08:26:28 UTC 2011 - fcrozat@suse.com + +- Fix license tag, it is LGPLv2.1+ (using LGPLv2+ tag to be + consistent). ++++ 144 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.lxc.3936.new/lxc.changes New: ---- CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch README.SUSE autogenned.patch config_ipv6-run-inet_pton-on-the-addr-value-without-.patch configure-find-seccomp-using-pkg-config.patch configure-support-suse-s-docbook-to-man.patch lxc-0.9.0.tar.gz lxc-createconfig.in lxc-opensuse-add-perl-base-to-prerequisities.patch lxc.changes lxc.spec opensuse-systemd-shutdown.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ # # spec file for package lxc # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           lxc
Version:        0.9.0
Release:        0
Url:            http://lxc.sourceforge.net/
Summary:        Linux containers implementation
License:        LGPL-2.1+
Group:          System/Management
Source:         http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz
Source1:        README.SUSE
Source2:        lxc-createconfig.in
#see autogenned.patch for these two:
Source3:        configure-support-suse-s-docbook-to-man.patch
Source4:        configure-find-seccomp-using-pkg-config.patch
Patch0:         autogenned.patch
Patch1:         opensuse-systemd-shutdown.patch
Patch2:         lxc-opensuse-add-perl-base-to-prerequisities.patch
Patch3:         config_ipv6-run-inet_pton-on-the-addr-value-without-.patch
Patch4:         CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  docbook-utils
BuildRequires:  docbook2x
BuildRequires:  libapparmor-devel
BuildRequires:  libcap-devel
%ifarch %ix86 x86_64
%if 0%{?suse_version} >= 1230
BuildRequires:  libseccomp-devel
%endif
%endif
BuildRequires:  libxslt
BuildRequires:  lsb-release
BuildRequires:  pkg-config
%if 0%{?suse_version} >= 1130
BuildRequires:  linux-glibc-devel
%else
BuildRequires:  linux-kernel-headers
%endif
Requires:       /sbin/setcap
Requires:       rsync
%if 0%{?suse_version} < 1230
Requires(post): aaa_base
%endif
# needed to create openSUSE containers using template
Recommends:     build

%description
It provides commands to create and manage containers. It contains a full
featured container with the isolation/virtualization of the pids, the ipc,
the utsname, the mount points, /proc, /sys, the network and it takes into
account the control groups. It is very light, flexible, and provides a set of
tools around the container like the monitoring with asynchronous events
notification, or the freeze of the container. This package is useful to create
Virtual Private Server, or to run isolated applications like bash or sshd.

%package devel
Summary:        Development library for lxc
License:        LGPL-2.1
Group:          Development/Libraries/C and C++
Requires:       %name = %version

%description devel
Lxc header files and library needed for development of containers.

%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1

%build
%configure --disable-examples
%__make %{?_smp_mflags}
%__cp %{SOURCE1} .
%__rm -rf .doc
%__mkdir_p .doc/examples
%__cp doc/examples/*.conf .doc/examples

%install
%makeinstall
install -d -m 755 %{buildroot}/var/lib/lxc
find %buildroot -type f -name '*.la' -delete
./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2}
chmod a+x %{buildroot}%{_bindir}/lxc-createconfig

%clean
%__rm -rf %buildroot

%post
/sbin/ldconfig
%if 0%{?suse_version} < 1230
if [ -x /etc/init.d/boot.cgroup ]; then
%fillup_and_insserv -f -Y boot.cgroup
/etc/init.d/boot.cgroup start 2>/dev/null >/dev/null || :
fi
%endif

%postun
/sbin/ldconfig
%if 0%{?suse_version} < 1230
%insserv_cleanup
%endif

%files
%defattr(-,root,root)
%doc AUTHORS MAINTAINERS COPYING README doc/FAQ.txt
%doc README.SUSE
%doc .doc/examples
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%{_libdir}/lib%{name}.so.*
%{_libexecdir}/%name
%{_libdir}/%name
%{_datadir}/%name
%dir /var/lib/lxc
%{_bindir}/%{name}-*
%{_mandir}/man[^3]/*

%files devel
%defattr(-,root,root)
%{_includedir}/%name
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc

%changelog
++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com> Date: Thu, 16 Jul 2015 16:37:51 -0400 Subject: CVE-2015-1334: Don't use the container's /proc during attach MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: yes Git-commit: 5c3fcae78b63ac9dd56e36075903921bd9461f9e References: bnc#938523 A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written which combined with a modified /bin/sh or other commonly used binary would lead to unconfined code execution. Reported-by: Roman Fiedler Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Signed-off-by: Jiri Slaby <jslaby@suse.com> [backport to 0.9] --- src/lxc/lxc_attach.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -24,9 +24,11 @@ #define _GNU_SOURCE #include <unistd.h> #include <errno.h> +#include <fcntl.h> #include <pwd.h> #include <stdlib.h> #include <sys/param.h> +#include <sys/stat.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/wait.h> 
@@ -140,6 +142,48 @@ Options :\n\ .checker = NULL, }; +static int lsm_set_label_at(int procfd, char *lsm_label) +{ + int labelfd = -1; + int ret = 0; + int size; + char *command = NULL; + + labelfd = openat(procfd, "self/attr/current", O_RDWR); + if (labelfd < 0) { + SYSERROR("Unable to open LSM label"); + ret = -1; + goto out; + } + + command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); + if (!command) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + size = sprintf(command, "changeprofile %s", lsm_label); + if (size < 0) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + if (write(labelfd, command, size + 1) < 0) { + SYSERROR("Unable to set LSM label"); + ret = -1; + goto out; + } +out: + free(command); + + if (labelfd != -1) + close(labelfd); + + return ret; +} + int main(int argc, char *argv[]) { int ret; @@ -395,10 +439,17 @@ int main(int argc, char *argv[]) close(cgroup_ipc_sockets[1]); if ((namespace_flags & CLONE_NEWNS)) { - if (attach_apparmor(init_ctx->aa_profile) < 0) { + int procfd = open("/proc", O_DIRECTORY | O_RDONLY); + if (procfd < 0) { + SYSERROR("Unable to open /proc"); + return -1; + } + if (lsm_set_label_at(procfd, init_ctx->aa_profile) < 0) { ERROR("failed switching apparmor profiles"); return -1; } + /* we don't need proc anymore */ + close(procfd); } /* A description of the purpose of this functionality is ++++++ README.SUSE ++++++ To mount the control group file system just run: /sbin/insserv boot.cgroup and /sys/fs/cgroup will be mounted for cgroup automatically. ++++++ autogenned.patch ++++++ It contains the effect of these patches: configure-find-seccomp-using-pkg-config.patch configure-support-suse-s-docbook-to-man.patch diff --git a/configure b/configure index dfb8e42..ee5faae 100755 --- a/configure +++ b/configure 
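Review bot: in the src/lxc/lxc_attach.c hunks of CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch above, `lsm_set_label_at()` calls `strlen(lsm_label)` with no NULL check, and the `attach_apparmor()` call it replaces is not visible here, so whether an unconfined container (NULL or "unconfined" aa_profile) was previously skipped cannot be verified from the hunk; add `if (!lsm_label || !strcmp(lsm_label, "unconfined")) return 0;` at the top so such a container cannot crash lxc-attach in strlen(). The fix itself only works if `open("/proc", O_DIRECTORY | O_RDONLY)` runs before the process has entered the container's mount namespace: the hunk opens it inside the CLONE_NEWNS branch right after `close(cgroup_ipc_sockets[1])` and does not show where lxc_attach_to_ns() is called relative to that point, so please confirm the ordering in this 0.9 backport (the whole point of the patch is that procfd refers to the host's /proc). Smaller points: the include hunk adds <fcntl.h> and <sys/stat.h> but not <string.h>/<stdio.h>, which the new strlen()/sprintf() calls need; the malloc-failure branch logs "Failed to write apparmor profile", which misdescribes the failure; and `procfd` is not closed on the `lsm_set_label_at() < 0` path (harmless since main() returns, but a `close(procfd)` before `return -1` keeps it tidy).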
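Added example (mine, not code from the lxc patch above or from the lxc project): it shows the pattern the CVE-2015-1334 fix relies on, pinning a descriptor to /proc before any namespace switch and resolving `self/...` paths through that descriptor, and adds the NULL/"unconfined" guard on the label that the hunk itself lacks. `overmount_demo()` reproduces the failure mode described in the commit message in a throw-away user+mount namespace: it covers /proc with an empty tmpfs, then shows that a path-based open fails while `openat()` through the pinned descriptor still reaches the real procfs; where the sandbox forbids `unshare()` or `mount()` it returns 2 and skips. The profile name `lxc-container-default` is a constructed label, all function names are my own, and no AppArmor attribute is written.

```c
/* Pin /proc before a namespace switch (pattern from the CVE-2015-1334 fix).
 * Linux only; added example, not lxc code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step 1: open the host's /proc and keep the fd. This must happen BEFORE
 * setns()/unshare(), while the path still resolves in a trusted namespace. */
int pin_proc(void)
{
    return open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
}

/* Step 2: format the "changeprofile <label>" command that would be written to
 * <procfd>/self/attr/current. Returns the length (0 = nothing to write for a
 * NULL or "unconfined" label, -1 if buf is too small). The NULL/unconfined
 * guard is a defensive addition that the hunk above does not have. */
int build_changeprofile(const char *label, char *buf, size_t buflen)
{
    if (label == NULL || strcmp(label, "unconfined") == 0)
        return 0;
    int n = snprintf(buf, buflen, "changeprofile %s", label);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Step 3: resolve relative to the pinned fd. "self" -> our own PID via
 * readlinkat(); this keeps working even after /proc is covered by a mount. */
long pid_via_procfd(int procfd)
{
    char buf[32];
    ssize_t n = readlinkat(procfd, "self", buf, sizeof buf - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strtol(buf, NULL, 10);
}

/* Failure mode the patch closes: in a child we enter a fresh user+mount
 * namespace, cover /proc with an empty tmpfs (what a hostile container could
 * do), then compare open("/proc/self/status") with openat(procfd, ...).
 * Returns 1 if the path-based open fails while the pinned fd still works,
 *         2 if unshare()/mount() are not permitted here (demo skipped),
 *         0 otherwise. */
int overmount_demo(void)
{
    int procfd = pin_proc();
    if (procfd < 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0) {
        close(procfd);
        return 0;
    }
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0)
            _exit(2);
        /* keep the experiment local to this mount namespace */
        (void)mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
        if (mount("none", "/proc", "tmpfs", 0, NULL) < 0)
            _exit(2);
        int by_path = open("/proc/self/status", O_RDONLY); /* now ENOENT */
        int by_fd = openat(procfd, "self/status", O_RDONLY); /* still works */
        _exit(by_path < 0 && by_fd >= 0 ? 1 : 0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    close(procfd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 0;
}

int main(void)
{
    char cmd[128];
    int procfd = pin_proc();
    printf("pid via pinned /proc fd: %ld\n", pid_via_procfd(procfd));
    if (build_changeprofile("lxc-container-default", cmd, sizeof cmd) > 0)
        printf("would write to self/attr/current: %s\n", cmd);
    printf("over-mount demo result: %d\n", overmount_demo());
    close(procfd);
    return 0;
}
```

Build with `cc -Wall -o pinproc pinproc.c` and run as an ordinary user; the demo needs unprivileged user namespaces enabled, otherwise it reports 2. The design point is the one the patch makes: a descriptor obtained while the path was trustworthy stays bound to that mount, so later over-mounts in the namespace you join cannot redirect the LSM attribute write.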
@@ -659,9 +659,6 @@ ENABLE_LUA_FALSE ENABLE_LUA_TRUE PYTHONDEV_LIBS PYTHONDEV_CFLAGS -PKG_CONFIG_LIBDIR -PKG_CONFIG_PATH -PKG_CONFIG pkgpyexecdir pyexecdir pkgpythondir @@ -676,6 +673,10 @@ ENABLE_PYTHON_TRUE ENABLE_EXAMPLES_FALSE ENABLE_EXAMPLES_TRUE SECCOMP_LIBS +SECCOMP_CFLAGS +PKG_CONFIG_LIBDIR +PKG_CONFIG_PATH +PKG_CONFIG ENABLE_SECCOMP_FALSE ENABLE_SECCOMP_TRUE APPARMOR_LIBS @@ -806,10 +807,12 @@ LDFLAGS LIBS CPPFLAGS CPP -PYTHON PKG_CONFIG PKG_CONFIG_PATH PKG_CONFIG_LIBDIR +SECCOMP_CFLAGS +SECCOMP_LIBS +PYTHON PYTHONDEV_CFLAGS PYTHONDEV_LIBS LUA_CFLAGS @@ -1468,12 +1471,16 @@ Some influential environment variables: CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if you have headers in a nonstandard directory <include dir> CPP C preprocessor - PYTHON the Python interpreter PKG_CONFIG path to pkg-config utility PKG_CONFIG_PATH directories to add to pkg-config's search path PKG_CONFIG_LIBDIR path overriding pkg-config's built-in search path + SECCOMP_CFLAGS + C compiler flags for SECCOMP, overriding pkg-config + SECCOMP_LIBS + linker flags for SECCOMP, overriding pkg-config + PYTHON the Python interpreter PYTHONDEV_CFLAGS C compiler flags for PYTHONDEV, overriding pkg-config PYTHONDEV_LIBS @@ -4821,7 +4828,7 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for docbook2x-man" >&5 $as_echo_n "checking for docbook2x-man... " >&6; } - for name in docbook2x-man db2x_docbook2man; do + for name in docbook2x-man db2x_docbook2man docbook-to-man; do if "$name" --help >/dev/null 2>&1; then db2xman="$name" break; 
@@ -5034,113 +5041,6 @@ else fi -if test -z "$ENABLE_SECCOMP_TRUE"; then : - ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default" -if test "x$ac_cv_header_seccomp_h" = xyes; then : - -else - as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 -fi - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 -$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; } -if ${ac_cv_lib_seccomp_seccomp_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lseccomp $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char seccomp_init (); -int -main () -{ -return seccomp_init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_seccomp_seccomp_init=yes -else - ac_cv_lib_seccomp_seccomp_init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5 -$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; } -if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBSECCOMP 1 -_ACEOF - - LIBS="-lseccomp $LIBS" - -else - as_fn_error $? 
"You must install the seccomp development package in order to compile lxc" "$LINENO" 5 -fi - - SECCOMP_LIBS=-lseccomp - -fi - -# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0 -ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include <seccomp.h> -" -if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_SCMP_FILTER_CTX 1 -_ACEOF - - -fi - - -# Configuration examples -# Check whether --enable-examples was given. -if test "${enable_examples+set}" = set; then : - enableval=$enable_examples; -else - enable_examples=yes -fi - - if test "x$enable_examples" = "xyes"; then - ENABLE_EXAMPLES_TRUE= - ENABLE_EXAMPLES_FALSE='#' -else - ENABLE_EXAMPLES_TRUE='#' - ENABLE_EXAMPLES_FALSE= -fi - - -# Python3 module and scripts -# Check whether --enable-python was given. -if test "${enable_python+set}" = set; then : - enableval=$enable_python; enable_python=yes -else - enable_python=no -fi - - if test "x$enable_python" = "xyes"; then - ENABLE_PYTHON_TRUE= - ENABLE_PYTHON_FALSE='#' -else - ENABLE_PYTHON_TRUE='#' - ENABLE_PYTHON_FALSE= -fi - - 
@@ -5261,6 +5161,247 @@ $as_echo "no" >&6; } PKG_CONFIG="" fi fi +if test -z "$ENABLE_SECCOMP_TRUE"; then : + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SECCOMP" >&5 +$as_echo_n "checking for SECCOMP... " >&6; } + +if test -n "$SECCOMP_CFLAGS"; then + pkg_cv_SECCOMP_CFLAGS="$SECCOMP_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SECCOMP_CFLAGS=`$PKG_CONFIG --cflags "libseccomp" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$SECCOMP_LIBS"; then + pkg_cv_SECCOMP_LIBS="$SECCOMP_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SECCOMP_LIBS=`$PKG_CONFIG --libs "libseccomp" 2>/dev/null` + test "x$?" 
!= "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SECCOMP_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libseccomp" 2>&1` + else + SECCOMP_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libseccomp" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$SECCOMP_PKG_ERRORS" >&5 + + + ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default" +if test "x$ac_cv_header_seccomp_h" = xyes; then : + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 +$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; } +if ${ac_cv_lib_seccomp_seccomp_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lseccomp $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char seccomp_init (); +int +main () +{ +return seccomp_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_seccomp_seccomp_init=yes +else + ac_cv_lib_seccomp_seccomp_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5 +$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; } +if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSECCOMP 1 +_ACEOF + + LIBS="-lseccomp $LIBS" + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + SECCOMP_LIBS=-lseccomp + + +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default" +if test "x$ac_cv_header_seccomp_h" = xyes; then : + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 +$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; } +if ${ac_cv_lib_seccomp_seccomp_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lseccomp $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char seccomp_init (); +int +main () +{ +return seccomp_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_seccomp_seccomp_init=yes +else + ac_cv_lib_seccomp_seccomp_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5 +$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; } +if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSECCOMP 1 +_ACEOF + + LIBS="-lseccomp $LIBS" + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + SECCOMP_LIBS=-lseccomp + + +else + SECCOMP_CFLAGS=$pkg_cv_SECCOMP_CFLAGS + SECCOMP_LIBS=$pkg_cv_SECCOMP_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + +fi + +# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0 +OLD_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS $SECCOMP_CFLAGS" +ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include <seccomp.h> +" +if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_SCMP_FILTER_CTX 1 +_ACEOF + + +fi + +CFLAGS="$OLD_CFLAGS" + +# Configuration examples +# Check whether --enable-examples was given. +if test "${enable_examples+set}" = set; then : + enableval=$enable_examples; +else + enable_examples=yes +fi + + if test "x$enable_examples" = "xyes"; then + ENABLE_EXAMPLES_TRUE= + ENABLE_EXAMPLES_FALSE='#' +else + ENABLE_EXAMPLES_TRUE='#' + ENABLE_EXAMPLES_FALSE= +fi + + +# Python3 module and scripts +# Check whether --enable-python was given. 
+if test "${enable_python+set}" = set; then : + enableval=$enable_python; enable_python=yes +else + enable_python=no +fi + + if test "x$enable_python" = "xyes"; then + ENABLE_PYTHON_TRUE= + ENABLE_PYTHON_FALSE='#' +else + ENABLE_PYTHON_TRUE='#' + ENABLE_PYTHON_FALSE= +fi + + if test -z "$ENABLE_PYTHON_TRUE"; then : diff --git a/src/lxc/Makefile.in b/src/lxc/Makefile.in index d6841c6..b97b429 100644 --- a/src/lxc/Makefile.in +++ b/src/lxc/Makefile.in @@ -65,7 +65,7 @@ so_PROGRAMS = liblxc.so$(EXEEXT) @HAVE_FGETLN_TRUE@@HAVE_GETLINE_FALSE@am__append_4 = ../include/getline.c ../include/getline.h @ENABLE_APPARMOR_TRUE@am__append_5 = -DHAVE_APPARMOR @USE_CONFIGPATH_LOGS_TRUE@am__append_6 = -DUSE_CONFIGPATH_LOGS -@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP +@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP $(SECCOMP_CFLAGS) @ENABLE_SECCOMP_TRUE@am__append_8 = seccomp.c @ENABLE_PYTHON_TRUE@am__append_9 = lxc-device lxc-ls \ @ENABLE_PYTHON_TRUE@ lxc-start-ephemeral @@ -344,6 +344,7 @@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +SECCOMP_CFLAGS = @SECCOMP_CFLAGS@ SECCOMP_LIBS = @SECCOMP_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ ++++++ config_ipv6-run-inet_pton-on-the-addr-value-without-.patch ++++++ From: Serge Hallyn <serge.hallyn@ubuntu.com> Date: Fri, 23 Aug 2013 12:45:15 -0500 Subject: config_ipv6: run inet_pton on the addr value without mask Patch-mainline: no References: bnc#851760 otherwise a "$addr/$mask" results in failure. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- src/lxc/confile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: lxc-0.9.0/src/lxc/confile.c =================================================================== --- lxc-0.9.0.orig/src/lxc/confile.c +++ lxc-0.9.0/src/lxc/confile.c 
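Review bot: the configure and src/lxc/Makefile.in hunks of autogenned.patch above are regenerated output carrying the same changes as configure-find-seccomp-using-pkg-config.patch and configure-support-suse-s-docbook-to-man.patch; the spec applies only autogenned.patch (Patch0) and keeps the two source patches as Source3/Source4 for reference, so any later edit to either source patch needs a regenerated autogenned.patch or the shipped configure silently diverges from configure.ac. The patch header should also record which autoconf/automake versions produced it, since the large block moves in the configure hunks (seccomp detection moving from line 5034 to 5161) are otherwise hard to reproduce at the next rebase.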
@@ -745,8 +745,8 @@ static int config_network_ipv6(const cha inet6dev->prefix = atoi(netmask); } - if (!inet_pton(AF_INET6, value, &inet6dev->addr)) { - SYSERROR("invalid ipv6 address: %s", value); + if (!inet_pton(AF_INET6, valdup, &inet6dev->addr)) { + SYSERROR("invalid ipv6 address: %s", valdup); free(valdup); return -1; } ++++++ configure-find-seccomp-using-pkg-config.patch ++++++ From: Jiri Slaby <jslaby@suse.cz> Date: Wed, 24 Apr 2013 10:46:21 +0200 Subject: configure: find seccomp using pkg-config Patch-mainline: no On suse we have the header in a subdir inside /usr/include, so pkgconfig has t obe used to find out proper CFLAGS. Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- configure.ac | 12 +++++++++--- src/lxc/Makefile.am | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index ef6122e..630027a 100644 --- a/configure.ac +++ b/configure.ac @@ -113,12 +113,18 @@ fi AM_CONDITIONAL([ENABLE_SECCOMP], [test "x$enable_seccomp" = "xyes"]) AM_COND_IF([ENABLE_SECCOMP], - [AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) - AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) - AC_SUBST([SECCOMP_LIBS], [-lseccomp])]) + [PKG_CHECK_MODULES([SECCOMP],[libseccomp],[],[ + AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) + AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) + AC_SUBST([SECCOMP_LIBS], [-lseccomp]) + ]) + ]) # HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0 +OLD_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS $SECCOMP_CFLAGS" AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include <seccomp.h>]) +CFLAGS="$OLD_CFLAGS" # Configuration examples AC_ARG_ENABLE([examples], 
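Review bot: in the src/lxc/confile.c hunk of config_ipv6-run-inet_pton-on-the-addr-value-without-.patch, switching inet_pton() from `value` to `valdup` relies on valdup already having been cut at the '/' at this point (the `inet6dev->prefix = atoi(netmask)` context suggests the split happened above, but that code is not in the hunk), so a one-line note in the patch header saying that valdup holds the address without the mask would make the change self-explanatory. The hunk shows `free(valdup)` only on the failure path; confirm the success path frees it as well, since this is a per-config-key allocation.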
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index ebeca466..5798c93 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -104,7 +104,7 @@ AM_CFLAGS += -DUSE_CONFIGPATH_LOGS endif if ENABLE_SECCOMP -AM_CFLAGS += -DHAVE_SECCOMP +AM_CFLAGS += -DHAVE_SECCOMP $(SECCOMP_CFLAGS) liblxc_so_SOURCES += seccomp.c endif -- 1.8.2.1 ++++++ configure-support-suse-s-docbook-to-man.patch ++++++ From: Jiri Slaby <jslaby@suse.cz> Date: Wed, 24 Apr 2013 10:33:34 +0200 Subject: configure: support suse's docbook-to-man Patch-mainline: no When finding docbook2x-man... Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/configure.ac +++ b/configure.ac 
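Review bot: in the configure.ac hunk of configure-find-seccomp-using-pkg-config.patch, the fallback branch inside PKG_CHECK_MODULES sets SECCOMP_LIBS but never SECCOMP_CFLAGS, so on that path `CFLAGS="$CFLAGS $SECCOMP_CFLAGS"` around AC_CHECK_TYPES and `$(SECCOMP_CFLAGS)` in the Makefile.am hunk expand to empty; that works only because PKG_CHECK_MODULES declares SECCOMP_CFLAGS via AC_ARG_VAR (visible in the generated help text, "C compiler flags for SECCOMP, overriding pkg-config"), so an explicit `AC_SUBST([SECCOMP_CFLAGS], [])` in the fallback would make the intent obvious to the next reader. The commit message typo "has t obe used" should read "has to be used".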
@@ -67,7 +67,7 @@ if test "x$enable_doc" = "xyes" -o "x$en db2xman="" AC_MSG_CHECKING(for docbook2x-man) - for name in docbook2x-man db2x_docbook2man; do + for name in docbook2x-man db2x_docbook2man docbook-to-man; do if "$name" --help >/dev/null 2>&1; then db2xman="$name" break;
++++++ lxc-createconfig.in ++++++
#!/bin/bash
#
# lxc: linux Container library
#
# Authors:
# Mike Friesenegger <mikef@suse.com>
# Daniel Lezcano <daniel.lezcano@free.fr>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

usage() {
    echo "usage: lxc-createconfig -n <name> [-i <ipaddr/cidr>] [-b <bridge>] [-t <template>]"
}

help() {
    usage
    echo
    echo "creates a lxc container config file which can be in"
    echo "turn used by lxc-create to create the lxc system object."
    echo
    echo "Options:"
    echo "name     : name of the container"
    echo "ipaddr   : ip address/cidr of the container"
    echo "bridge   : bridge device for container (br0 if undefined)"
    echo "template : template is an accessible template script (opensuse if undefined)"
}

shortoptions='hn:i:b:t:'
longoptions='help,name:,ipaddr:,bridge:,template:'
lxc_confpath=$HOME
templatedir=@LXCTEMPLATEDIR@
lxc_bridge=br0
lxc_template=opensuse

# parse the command line
getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@")
if [ $? != 0 ]; then
    usage
    exit 1
fi

eval set -- "$getopt"

while true; do
    case "$1" in
        -h|--help)
            help
            exit 1
            ;;
        -n|--name)
            shift
            lxc_name=$1
            lxc_confname=$lxc_name.config
            shift
            ;;
        -i|--ipaddr)
            shift
            lxc_ipaddr=$1
            shift
            ;;
        -b|--bridge)
            shift
            lxc_bridge=$1
            shift
            ;;
        -t|--template)
            shift
            lxc_template=$1
            shift
            ;;
        --)
            shift
            break
            ;;
        *)
            echo "$1"
            usage
            exit 1
            ;;
    esac
done

# validate the inputs before anything is written
if [ -z "$lxc_name" ]; then
    echo "no container name specified"
    usage
    exit 1
fi

if [ -f "$lxc_confpath/$lxc_confname" ]; then
    echo "'$lxc_confname' already exists"
    exit 1
fi

# the address must carry a prefix length of /0 to /32
if [ -n "$lxc_ipaddr" ]; then
    echo "$lxc_ipaddr" | grep -qE '/(([0-2]{0,1}[0-9])|(3[0-2]))$'
    if [ $? -ne 0 ]; then
        echo "$lxc_ipaddr is missing a cidr"
        usage
        exit 1
    fi
fi

if [ -z "$lxc_ipaddr" ]; then
    lxc_ipaddr=DHCP
fi

# the bridge has to exist on the host already
if [ -n "$lxc_bridge" ]; then
    brctl show | grep -qw "$lxc_bridge"
    if [ $? -ne 0 ]; then
        echo "$lxc_bridge not defined"
        exit 1
    fi
fi

# the template has to be an executable script in the template directory
if [ -n "$lxc_template" ]; then
    type "${templatedir}/lxc-$lxc_template" >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "unknown template '$lxc_template'"
        exit 1
    fi
fi

echo
echo "Container Name = $lxc_name"
echo "IP Address     = $lxc_ipaddr"
echo "Bridge         = $lxc_bridge"
echo
echo -n "Create container config? (n): "
read ANSWER
if [ "$ANSWER" != "y" -a "$ANSWER" != "Y" ]; then
    exit 1
fi

echo
echo "Creating container config $lxc_confpath/$lxc_confname"

# generate a locally administered MAC (02:00:xx:xx:xx:xx) from a hash of
# the current time and the interrupt counters
lxc_hwaddr="02:00:$( (date ; cat /proc/interrupts) | md5sum | sed -r 's/^(.{8}).*$/\1/;s/([0-9a-f]{2})/\1:/g;s/:$//;')"

cat >"$lxc_confpath/$lxc_confname" <<%%
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $lxc_bridge
lxc.network.hwaddr = $lxc_hwaddr
%%

if [ "$lxc_ipaddr" != "DHCP" ]; then
cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.ipv4 = $lxc_ipaddr
%%
fi

cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.name = eth0
%%

echo
echo "Run 'lxc-create -n $lxc_name -f $lxc_confpath/$lxc_confname -t $lxc_template' to create the lxc system object."
++++++ lxc-opensuse-add-perl-base-to-prerequisities.patch ++++++
From: Jiri Slaby <jslaby@suse.cz> Date: Fri, 20 Sep 2013 16:39:50 +0200 Subject: lxc-opensuse: add perl-base to prerequisities Patch-mainline: submitted sep 20 2013 References: bnc#839873 It is needed by insserv-compat. Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 1fc7e21..3005e40 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -125,7 +125,7 @@ download_opensuse() zypper --root $cache/partial-$arch-packages --non-interactive in --auto-agree-with-licenses --download-only zypper lxc patterns-openSUSE-base bash iputils sed tar rsyslog || return 1 cat > $cache/partial-$arch-packages/opensuse.conf << EOF Preinstall: aaa_base bash coreutils diffutils -Preinstall: filesystem fillup glibc grep insserv-compat +Preinstall: filesystem fillup glibc grep insserv-compat perl-base Preinstall: libbz2-1 libgcc_s1 libncurses5 pam Preinstall: permissions libreadline6 rpm sed tar libz1 libselinux1 Preinstall: liblzma5 libcap2 libacl1 libattr1 -- 1.8.4 ++++++ opensuse-systemd-shutdown.patch ++++++ diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 77ef6b2..7c614c2 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -88,6 +88,9 @@ EOF ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty3.service ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty@tty4.service + # copy host poweroff target as sigpwr target to make shutdown work + # see https://wiki.archlinux.org/index.php/Linux_Containers#Container_cannot_be_sh... + cp /usr/lib/systemd/system/poweroff.target $rootfs/usr/lib/systemd/system/sigpwr.target touch $rootfs/etc/sysconfig/kernel
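Review bot: the perl-base hunk in lxc-opensuse.in is correct but undocumented: the Preinstall list is the set of packages unpacked before rpm itself can run, so no dependency resolution happens for them and every hard requirement of a Preinstall package has to be spelled out by hand, which is exactly why insserv-compat's need for perl-base (per the commit message) surfaces here as a missing package. A one-line comment above the `cat > $cache/partial-$arch-packages/opensuse.conf << EOF` block stating that rule would stop the next such regression, since nothing in the generated file explains why the list must be transitively complete.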
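Review bot: the sigpwr.target hunk in lxc-opensuse.in copies the host's /usr/lib/systemd/system/poweroff.target into the container, which ties the template to a systemd host with that exact path and, unlike the zypper call earlier in the same file, has no `|| return 1`, so on a host without that unit the cp fails quietly and lxc-shutdown stays broken. The container already has its own poweroff.target (it boots with systemd, otherwise the getty symlinks two lines above would be pointless), so the same effect without the host dependency is `ln -s poweroff.target $rootfs/usr/lib/systemd/system/sigpwr.target`, matching the ln -s style used for the getty units, plus error checking. The reference URL in the comment is also cut off at `Container_cannot_be_sh...` and should be completed so the next reader can find the rationale.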
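The lxc-createconfig.in script above accepts its address argument after a regex that only checks for a trailing one- or two-digit prefix (so 300.1.1.1/24 passes), verifies the bridge by grepping `brctl show` for a substring, and derives the MAC from the time and interrupt counters. The following is an added example, not code from the openSUSE package or from LXC, showing stricter versions of those three checks and the stanza they feed; the function names are this example's own, and it assumes GNU coreutils (md5sum, cut, sed) and a Linux sysfs for the bridge test.

```shell
#!/bin/sh
# Added example (not part of the openSUSE lxc package): stricter versions
# of the input checks lxc-createconfig performs before it writes the
# lxc.network.* lines. All function names here are this example's own.

# valid_cidr ADDR/PREFIX
# Returns 0 only for a dotted-quad IPv4 address (each octet 0-255)
# followed by a prefix length 0-32. The original script only tests that
# the string ends in "/<one or two digits>", so 300.1.1.1/24 passes it.
valid_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/" present at all
    case $prefix in
        ''|*[!0-9]*) return 1 ;;               # empty or not all digits
    esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in
        *[!0-9.]*) return 1 ;;                 # only digits and dots allowed
        .*|*.|*..*) return 1 ;;                # empty octet somewhere
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bridge_exists NAME
# Exact-match test for a Linux bridge via sysfs; grepping "brctl show"
# for the name, as the original does, also matches member interfaces and
# any device whose name merely contains the string.
bridge_exists() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# gen_hwaddr NAME
# Derives a locally administered, unicast MAC from the container name, so
# re-running the tool for the same container yields the same address.
# The leading octet 02 (locally administered bit set, multicast bit
# clear) is the one the original script uses; the other five octets come
# from the md5sum of NAME instead of from "date; cat /proc/interrupts".
gen_hwaddr() {
    printf '%s' "$1" | md5sum | cut -c1-10 | sed 's/\(..\)/\1:/g; s/^/02:/; s/:$//'
}

# emit_network_config NAME BRIDGE [ADDR/PREFIX]
# Prints the stanza lxc-createconfig writes; ADDR defaults to DHCP, in
# which case no lxc.network.ipv4 line is emitted. Fails (exit 1, nothing
# printed) rather than writing a config with a malformed address.
emit_network_config() {
    name=$1
    bridge=$2
    ipaddr=${3:-DHCP}
    if [ "$ipaddr" != DHCP ] && ! valid_cidr "$ipaddr"; then
        echo "$ipaddr: expected a.b.c.d/n with n in 0-32" >&2
        return 1
    fi
    printf 'lxc.network.type = veth\n'
    printf 'lxc.network.flags = up\n'
    printf 'lxc.network.link = %s\n' "$bridge"
    printf 'lxc.network.hwaddr = %s\n' "$(gen_hwaddr "$name")"
    [ "$ipaddr" = DHCP ] || printf 'lxc.network.ipv4 = %s\n' "$ipaddr"
    printf 'lxc.network.name = eth0\n'
}

# Usage, with a constructed container name and address:
#   bridge_exists br0 || echo "br0 is not a bridge" >&2
#   emit_network_config web01 br0 10.0.0.5/24 > "$HOME/web01.config"
```

The deterministic hwaddr is a design choice worth stating: the original's hash of the clock and interrupt counters gives a fresh address every run, which is fine for a one-off but means re-creating a container silently changes its MAC and therefore any DHCP reservation or switch-port filter keyed on it. Deriving it from the name keeps the address stable; if two hosts might create same-named containers on one segment, fold a per-host secret into the hashed string.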
root@hilbert.suse.de