Mailinglist Archive: opensuse-commit (1903 mails)

commit lxc for openSUSE:Factory
Hello community,

here is the log from the commit of package lxc for openSUSE:Factory checked in
at 2019-04-08 20:53:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lxc (Old)
and /work/SRC/openSUSE:Factory/.lxc.new.3908 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lxc"

Mon Apr 8 20:53:31 2019 rev:83 rq:692121 version:3.1.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2019-02-08 12:15:38.869418841
+0100
+++ /work/SRC/openSUSE:Factory/.lxc.new.3908/lxc.changes 2019-04-08
20:53:32.594568671 +0200
@@ -1,0 +2,47 @@
+Sun Apr 7 07:20:48 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+
+- Avoid wrong permissions warning by conditionally setting the setuid bit based
+ on what version of permissions is available in that distribution (makes no
+ difference but results in less confusion to users).
+
+-------------------------------------------------------------------
+Mon Apr 1 07:00:41 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+
+- Fix builds on SLE12, by depending on apparmor-profiles instead of
+ apparmor-abstractions. In addition, remove the Requires on abstractions.
+
+-------------------------------------------------------------------
+Fri Mar 29 09:14:06 UTC 2019 - Jan Engelhardt <jengelh@xxxxxxx>
+
+- Trim project history from package description.
+
+-------------------------------------------------------------------
+Tue Mar 26 02:04:57 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+
+- Update to LXC 3.1.0. The changelog is far too long to include here, please
+ look at the changelogs posted on https://linuxcontainers.org/. boo#1131762
+ * Includes fixes for CVE-2019-5736 bsc#1122185.
+ + pam_cgfs is now provided by this package, since upstream has moved the
+ sources to LXC (it used to be part of lxcfs).
+ * All of the patches have been upstreamed or are no longer relevant:
+ - 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch
+ - 0001-utils-add-LXC_PROC_PID_FD_LEN.patch
+ - 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch
+ - 0001-Backport-autodev-fix-from-lxc-master.patch
+ - 0001-PyOS_AfterFork-python3.7.patch
+- Add a warning if lxc-user-nic is not setuid after set_permissions, to ensure
+ users actually read the warning (which means we get to remove README.SUSE).
+ It also supports people using paranoid mode, which is why it's done in
+ post-install and isn't packaged. boo#988348
+- Quite a lot of the runtime helpers and configuration have been moved to
+ liblxc, in order to allow LXD to make use of them (because, in truth, they
+ were always a requirement of liblxc and not just the lxc-* tools).
+- Add workaround for pre-15 distros, where _sharedstatedir was inexplicably
+ /usr/com, to use the correct directory of /var/lib.
+
+-------------------------------------------------------------------
+Tue Mar 26 00:09:22 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+
+- Rework packaging to be a more modern openSUSE-style.
+
+-------------------------------------------------------------------
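Review bot: the Apr 7 entry describes the setuid bit as set "based on what version of permissions is available", but the spec keys it on the distribution release (`%if 0%{suse_version} >= 1510`), not on the installed permissions package; a 15.0 host whose permissions package already carries the lxc-user-nic whitelist entry still gets the helper packaged 0750 and relies on the post-install `[ -u ... ]` check to warn. Reword the entry to say the mode is chosen by target distribution version, and note that the post-install check is what catches a mismatch either way. Minor: the sub-bullets of the 3.1.0 entry mix `*` and `+` at the same nesting level; pick one marker.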

Old:
----
0001-Backport-autodev-fix-from-lxc-master.patch
0001-PyOS_AfterFork-python3.7.patch
0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch
0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch
0001-utils-add-LXC_PROC_PID_FD_LEN.patch
README.SUSE
lxc-2.0.9.tar.gz
lxc-2.0.9.tar.gz.asc
openSUSE_apparmor_mount.conf

New:
----
lxc-3.1.0.tar.gz
lxc-3.1.0.tar.gz.asc
openSUSE-apparmor.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lxc.spec ++++++
--- /var/tmp/diff_new_pack.oDKKTq/_old 2019-04-08 20:53:33.734569508 +0200
+++ /var/tmp/diff_new_pack.oDKKTq/_new 2019-04-08 20:53:33.738569511 +0200
@@ -15,85 +15,111 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

+# On pre-15 SLE versions, _sharedstatedir was /usr/com -- which is just wrong.
+%if 0%{suse_version} < 1500
+%define _sharedstatedir /var/lib
+%endif
+
+# In later versions of openSUSE's permissions config, lxc-user-nic was
+# whitelisted with a setuid bit enabled -- but in order to allow building on
+# old distros we must not make it setuid on pre-15.1 distros. See bsc#988348.
+%if 0%{suse_version} >= 1510
+%define setuid_mode 04750
+%else
+%define setuid_mode 0750
+%endif
+
+%define _pre_update_message(B:S:n:) \
+ %%define um_pkgname %{?-n:%{-n*}}%{!?-n:%{name}} \
+ %%define um_suffix %{?-S:%{-S*}}%{!?-S:untitled} \
+ %%define um_prefix
%{?-B:%{buildroot}}/var/adm/update-messages/%{um_pkgname}-%{version}-%{release}-
\
+ %%define um_path %{um_prefix}%{um_suffix}.txt
+
+# add_update_message [-aB] [-S <suffix=untitled>] [-n <pkgname={name}>]
+# Adds new update message with the given suffix and package name.
+# Use -B to apply to the {buildroot} rather than the host system.
+%define add_update_message(BS:n:) ( \
+ %{expand:%_pre_update_message %{-B} %{-S} %{-n}} \
+ tee >>%{um_path} )
+
+# del_update_messages [-B] [-n <pkgname={name}>]
+# Delete all update-messages that exist for the given package.
+# Use -B to apply to the {buildroot} rather than the host system.
+%define del_update_messages(Bn:) ( \
+ %{expand:%_pre_update_message -S * %{-B} %{-n}} \
+ ( shopt -s nullglob ; rm -f -- %{um_path} ) )

%define shlib_version 1
Name: lxc
-Version: 2.0.9
+Version: 3.1.0
Release: 0
Url: http://linuxcontainers.org/
Summary: Userspace tools for Linux kernel containers
License: LGPL-2.1-or-later
Group: System/Management
-Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
-Source1:
http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc
+Source: https://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
+Source1:
https://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz.asc
Source2: %{name}.keyring
Source3: lxc-createconfig.in
-Source4: README.SUSE
-Source5: openSUSE_apparmor_mount.conf
-# PATCH-FIX-UPSTREAM:
0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch (boo#1099239)
-Patch0: 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch
-Patch1: 0001-utils-add-LXC_PROC_PID_FD_LEN.patch
-Patch2: 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch
-Patch3: 0001-Backport-autodev-fix-from-lxc-master.patch
-Patch4: 0001-PyOS_AfterFork-python3.7.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-
-BuildRequires: docbook-utils
-BuildRequires: docbook2x
-BuildRequires: fdupes
-BuildRequires: git
+Source90: openSUSE-apparmor.conf
+BuildRequires: gcc
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: pkg-config
+BuildRequires: libgnutls-devel
BuildRequires: libapparmor-devel
+BuildRequires: libselinux-devel
BuildRequires: libcap-devel
+BuildRequires: pam-devel
%ifarch %ix86 x86_64
BuildRequires: libseccomp-devel
%endif
BuildRequires: libxslt
-BuildRequires: linux-glibc-devel
-BuildRequires: lsb-release
-BuildRequires: pkg-config
-BuildRequires: python3-devel
-
-%if 0%{?suse_version} >= 1320
-BuildRequires: automake
-BuildRequires: libtool
-%endif
-
-%if 0%{?suse_version} >= 1210
+BuildRequires: fdupes
+BuildRequires: docbook-utils
+BuildRequires: docbook2x
+BuildRequires: bash-completion
BuildRequires: systemd
-%endif
-
-Requires: apparmor-abstractions
Requires: libcap-progs
Requires: lxcfs
+Requires: lxcfs-hooks-lxc
Requires: rsync
-
%{?systemd_requires}
-# needed to create openSUSE containers using template
+# Needed to create openSUSE containers using template.
Recommends: build
Recommends: criu >= 2.0

%description
-LXC provides commands to create and manage containers. Current LXC uses the
-following kernel features to contain processes:
-- Kernel namespaces (ipc, uts, mount, pid, network and user)
-- Apparmor and SELinux profiles
-- Seccomp policies
-- Chroots (using pivot_root)
-- Kernel capabilities
-- CGroups (control groups)
-LXC containers are often considered as something in the middle between a chroot
-and a full fledged virtual machine. The goal of LXC is to create an environment
-as close as possible to a standard Linux installation but without the need for
a
-separate kernel.
+LXC is the well-known and heavily tested low-level Linux container runtime.
+
+%package -n pam_cgfs
+Summary: PAM module to provide unprivileged cgroupfs
+License: LGPL-2.1-only
+Group: System/Libraries
+Supplements: lxc
+
+%description -n pam_cgfs
+When a user logs in, this PAM module will create cgroups which the user may
+administer, either for all controllers or for any controllers listed on the
+command line.

%package -n liblxc%{shlib_version}
-PreReq: permissions
Summary: LXC container runtime library
License: LGPL-2.1-only
Group: System/Libraries
+Requires(pre): permissions
+Requires(post): permissions
+# Older SLE versions didn't have -abstractions but instead had -profiles
+# (though Leap has -abstractions regardless of it being based on SLE). We only
+# need them to not have to own /etc/apparmor.d/abstractions.
+%if 0%{?is_opensuse} || %{?suse_version} >= 1500
+BuildRequires: apparmor-abstractions
+%else
+BuildRequires: apparmor-profiles
+%endif

%description -n liblxc%{shlib_version}
-Provides the LXC container runtime library.
+This package provides the LXC container runtime library.

%package -n liblxc-devel
Summary: LXC container runtime library development files
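Review bot: the new guards `%if 0%{suse_version} < 1500` and `%if 0%{suse_version} >= 1510` omit the `?` that the rest of the spec uses (`0%{?suse_version}`); where suse_version is undefined the macro stays unexpanded and the `%if` fails to parse, and the new apparmor condition `%if 0%{?is_opensuse} || %{?suse_version} >= 1500` has the opposite defect (the `?` but no leading `0`, so it degenerates to ` >= 1500`). Use `0%{?suse_version}` in all three places. Secondary: apparmor-abstractions/apparmor-profiles is now only a BuildRequires, added so the spec need not own /etc/apparmor.d/abstractions, but with the runtime `Requires: apparmor-abstractions` removed that parent directory is unowned on a host without AppArmor installed while liblxc1 ships files below it; either add a `%dir` for it or keep a runtime dependency.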
@@ -102,57 +128,56 @@
Requires: liblxc%{shlib_version} = %version

%description -n liblxc-devel
-Provides the LXC container runtime library development files
+This package provides the LXC container runtime library development files.
+
+%package bash-completion
+Summary: Bash Completion for %{name}
+Group: System/Management
+Requires: %{name} = %{version}
+Supplements: packageand(%{name}:bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+Bash command line completion support for %{name}.

%prep
%setup
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1

%build
-chmod 755 configure
-%if 0%{?suse_version} >= 1320
-sed -i 's/-Werror"/-Werror -Wno-error=format-truncation"/g' configure.ac
-%define _configure ./autogen.sh
-PATH=$PATH:/usr/sbin:/sbin %configure
-
-%define _configure ./configure
-%endif
-%configure --disable-examples \
+./autogen.sh
+%configure \
+ --enable-pam \
+ --disable-static \
+ --disable-examples \
--disable-rpath \
--with-init-script=systemd \
--with-systemdsystemunitdir=%{_unitdir}
make %{?_smp_mflags}
-cp %{SOURCE4} .
-# remove lxc-user-nic from README as it is not longer necessary in Tumbleweed
-%if 0%{?suse_version} >= 1550
-sed -i '/=== lxc-user-nic ===/,+4d' ./README.SUSE
-%endif
-cp %{SOURCE5} .
-rm -rf .doc
-mkdir -p .doc/examples
-cp doc/examples/*.conf .doc/examples
+
+# openSUSE-specific templated files.
+./config.status --file=lxc-createconfig:%{S:3}

%install
%make_install
-install -d -m 755 %{buildroot}/var/lib/lxc
-find %buildroot -type f -name '*.la' -delete
-%if 0%{?suse_version} <= 1550
-chmod u-s %{buildroot}/%{_libexecdir}/%{name}/lxc-user-nic
-%endif
-./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:3}
-chmod a+x %{buildroot}%{_bindir}/lxc-createconfig
-ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc
-ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc-net
-cp %{SOURCE5} %{buildroot}/usr/share/lxc/config/common.conf.d/
-%fdupes %{buildroot}/%{_datadir}/%{name}/config/
-
-# move bash-completion to correct place
-install -d -m 755 %{buildroot}/usr/share/bash-completion/completions/
-mv -v %{buildroot}/etc/bash_completion.d/lxc
%{buildroot}/usr/share/bash-completion/completions/
+install -d -m 0755 %{buildroot}%{_sharedstatedir}/%{name}
+
+# openSUSE-specific helpers and configuration.
+install -D -m 0755 lxc-createconfig %{buildroot}%{_bindir}/lxc-createconfig
+install -D -m 0644 %{S:90}
%{buildroot}%{_datadir}/%{name}/config/common.conf.d/30-openSUSE-apparmor.conf
+
+# sysv-init compat wrappers.
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-net
+
+# Ensure we install the bash-completion to the correct place -- on some SLE
+# versions this is done for us by make_install, on others we need to do it
+# manually.
+install -D -m 0644 config/bash/lxc
%{buildroot}%{_datadir}/bash-completion/completions/%{name}
+rm -f %{buildroot}%{_sysconfdir}/bash_completion.d/%{name}
+
+# Clean up.
+find %{buildroot} -type f -name '*.la' -delete
+%fdupes %{buildroot}

%pre
%service_add_pre lxc@.service lxc.service lxc-net.service
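Review bot: the `%configure` call enables pam explicitly but leaves AppArmor, SELinux, seccomp and capabilities to autodetection, even though libapparmor-devel, libselinux-devel, libseccomp-devel and libcap-devel are listed as BuildRequires; if one of those headers is missing in a build environment, configure silently produces a liblxc without that confinement backend instead of failing the build. Pass `--enable-apparmor --enable-selinux --enable-capabilities` (and `--enable-seccomp` under the existing `%ifarch` guard) so the loss becomes a build error. Secondary: `%fdupes %{buildroot}` now covers the whole buildroot rather than the config directory; duplicates that end up in different subpackages (lxc, liblxc1, pam_cgfs, bash-completion) would be linked across package boundaries, so either scope it per directory or check the fdupes output in the build log.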
@@ -170,76 +195,114 @@

%post -n liblxc%{shlib_version}
/sbin/ldconfig
-%set_permissions /usr/lib/lxc/lxc-user-nic
+%set_permissions %{_libexecdir}/%{name}/lxc-user-nic
+
+# Remove any existing update messages if we're reinstalling.
+[ "$1" -gt 1 ] && %{del_update_messages -n liblxc%{shlib_version}} ||:
+
+[ -u %{_libexecdir}/%{name}/lxc-user-nic ] || \
+%{add_update_message -n liblxc%{shlib_version} -S missing_setuid} <<EOF
+%if 0%{suse_version} >= 1510
+NOTE: It appears you are running on a new-enough distribution that this warning
+ should not have appeared. If you are not using a "paranoid" profile,
+ please report this as a bug at <https://bugzilla.opensuse.org/>.
+
+%endif
+Due to your /etc/permissions configuration (which might be caused by an
+outdated permissions package), the lxc-user-nic helper binary has been
+installed with a missing setuid bit. This setuid helper is required in order
+for LXC unprivileged containers to operate, and has already been reviewed by
+the SUSE security team and added to the Factory permissions setuid
+whitelist[1].

-%postun -n liblxc%{shlib_version} -p /sbin/ldconfig
+No action has been taken to fix this configuration problem (in case this was
+intentional, and to avoid breaking openSUSE packaging guidelines), so your
+administrator will have to fix this manually.
+
+In order to fix this, add the following line to /etc/permissions.local (this is
+necessary to avoid losing the setuid bit during package updates or causing
+audit warnings):
+
+ %{_libexecdir}/%{name}/lxc-user-nic root:kvm 04750
+
+and then add the setuid bit to the helper:
+
+ chmod u+s %{_libexecdir}/%{name}/lxc-user-nic
+
+... or you can re-install liblxc%{shlib_version}.
+
+[1]: https://bugzilla.opensuse.org/show_bug.cgi?id=988348
+EOF
+
+%postun -n liblxc%{shlib_version}
+/sbin/ldconfig
+# Remove update messages if we're *uninstalling* but not reinstalling.
+[ "$1" -eq 0 ] && %{del_update_messages -n liblxc%{shlib_version}} ||:

%verifyscript -n liblxc%{shlib_version}
-%verify_permissions -e /usr/lib/lxc/lxc-user-nic
+%verify_permissions -e %{_libexecdir}/%{name}/lxc-user-nic

%files
%defattr(-,root,root)
-%doc README doc/FAQ.txt
-%doc README.SUSE
+%doc doc/FAQ.txt
+
+# Configuration for LXC.
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%config(noreplace) %{_sysconfdir}/default/%{name}
+%{_datadir}/%{name}/

-# On non 64bit versions of SUSE {_libdir} will be /usr/lib and thus equivalent
-# to {_libexecdir}. Hence, the next directive would install everything in
-# /usr/lib but we want to exclude some files because they get installed
-# together with the liblxc subpackage on which lxc depends.
-%dir %{_libdir}/%{name}
-%{_libdir}/%{name}/rootfs
-
-%dir %{_libexecdir}/%{name}
-%{_libexecdir}/%{name}/hooks
-%{_libexecdir}/%{name}/lxc-containers
-%{_libexecdir}/%{name}/lxc-net
-%exclude %{_libexecdir}/%{name}/lxc-apparmor-load
-%exclude %{_libexecdir}/%{name}/lxc-monitord
-%exclude %{_libexecdir}/%{name}/lxc-user-nic
-
-%{_datadir}/%{name}
-%dir /var/lib/lxc
-%{_bindir}/%{name}-*
+# Binaries, man pages, and service files.
+%{_bindir}/lxc-*
%{_sbindir}/init.lxc
%{_sbindir}/rclxc
%{_sbindir}/rclxc-net
%{_mandir}/man[^3]/*
-%_unitdir/%{name}.service
-%_unitdir/%{name}-net.service
-%_unitdir/%{name}@.service
-%python3_sitearch/%{name}/
-%python3_sitearch/_%{name}*
-/usr/share/bash-completion/completions/%{name}
+%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}-net.service
+%{_unitdir}/%{name}@.service
+
+# AppArmor profiles specifically for the lxc binaries.
+%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-*
+
+%files -n pam_cgfs
+%defattr(-,root,root)
+/%{_lib}/security/pam_cgfs.so

%files -n liblxc%{shlib_version}
%defattr(-,root,root)
-%{_libdir}/lib%{name}.so.*
%doc AUTHORS MAINTAINERS
%license COPYING
-%doc .doc/examples
-%dir %{_sysconfdir}/apparmor.d
-%dir %{_sysconfdir}/apparmor.d/abstractions
-%dir %{_sysconfdir}/apparmor.d/abstractions/lxc
-%config %{_sysconfdir}/apparmor.d/abstractions/lxc/container-base
-%config %{_sysconfdir}/apparmor.d/abstractions/lxc/start-container
-%config %{_sysconfdir}/apparmor.d/lxc-containers
+%{_libdir}/lib%{name}.so.*
+
+# In addition to liblxc, there are a bunch of configuration and runtime
+# directories that are implicitly required by liblxc. We have to expose these
+# here, as opposed to the lxc package so that LXD (and others) can make use of
+# it.
+
+# Runtime-related directories.
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/rootfs/
+%dir %{_sharedstatedir}/%{name}
+%{_libexecdir}/%{name}/
+# Make sure lxc-user-nic has the right mode.
+%attr(%{setuid_mode},root,kvm) %{_libexecdir}/%{name}/lxc-user-nic
+
+# AppArmor profiles and templates related to LXC.
%dir %{_sysconfdir}/apparmor.d/lxc
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-cgns
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-mounting
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-nesting
-%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-start
-%{_libexecdir}/%{name}/lxc-apparmor-load
-%{_libexecdir}/%{name}/lxc-monitord
-%attr(-,root,kvm)%{_libexecdir}/%{name}/lxc-user-nic
+%dir %{_sysconfdir}/apparmor.d/abstractions/lxc
+%config %{_sysconfdir}/apparmor.d/abstractions/lxc/*
+%config %{_sysconfdir}/apparmor.d/lxc-*
+%config %{_sysconfdir}/apparmor.d/lxc/*

%files -n liblxc-devel
%defattr(-,root,root)
%{_libdir}/lib%{name}.so
-%{_includedir}/%name
+%{_includedir}/%name/
%{_libdir}/pkgconfig/%{name}.pc

+%files bash-completion
+%defattr(-,root,root)
+%{_datadir}/bash-completion/
+
%changelog
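Review bot: lxc-user-nic is matched twice in `%files -n liblxc%{shlib_version}`, once by the `%{_libexecdir}/%{name}/` directory entry and again by the explicit `%attr(%{setuid_mode},root,kvm)` line, which rpmbuild reports as "File listed twice". Since that `%attr` is what guarantees 04750 root:kvm for the only setuid file in the package, make the match unambiguous: replace the directory glob with `%dir %{_libexecdir}/%{name}` plus explicit entries for the other helpers, leaving the `%attr` line as the sole owner of lxc-user-nic. Secondary: the `%if 0%{suse_version} >= 1510` inside the %post heredoc has the same missing `?` as the guards at the top of the spec; use `0%{?suse_version}`.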

++++++ lxc-2.0.9.tar.gz -> lxc-3.1.0.tar.gz ++++++
++++ 142155 lines of diff (skipped)

++++++ openSUSE-apparmor.conf ++++++
# workaround for lxc-start problem with apparmor
lxc.aa_allow_incomplete = 1
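Review bot: `lxc.aa_allow_incomplete = 1` lets lxc-start proceed when the kernel lacks the AppArmor mount mediation the profiles rely on, so on such kernels containers run under partial confinement instead of refusing to start; the comment should state that and reference the bug being worked around so the setting can be re-evaluated, rather than "workaround for lxc-start problem with apparmor". Also confirm the 3.1.0 parser still accepts this legacy spelling: LXC 3.0 moved the AppArmor keys under `lxc.apparmor.*` (this one is `lxc.apparmor.allow_incomplete`; lxc-update-config rewrites old configs) and dropped the pre-2.1 names, and a rejected key in a common.conf.d drop-in would affect every container that includes common.conf.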
