commit lxc for openSUSE:Factory
Hello community,

here is the log from the commit of package lxc for openSUSE:Factory checked in
at 2019-04-08 20:53:31
Comparing /work/SRC/openSUSE:Factory/lxc (Old)
and /work/SRC/openSUSE:Factory/ (New)

Package is "lxc"

Mon Apr 8 20:53:31 2019 rev:83 rq:692121 version:3.1.0

--- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2019-02-08 12:15:38.869418841
+++ /work/SRC/openSUSE:Factory/ 2019-04-08
20:53:32.594568671 +0200
@@ -1,0 +2,47 @@
+Sun Apr 7 07:20:48 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+- Avoid wrong permissions warning by conditionally setting the setuid bit based
+ on what version of permissions is available in that distribution (makes no
+ difference but results in less confusion to users).
+Mon Apr 1 07:00:41 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+- Fix builds on SLE12, by depending on apparmor-profiles instead of
+ apparmor-abstractions. In addition, remove the Requires on abstractions.
+Fri Mar 29 09:14:06 UTC 2019 - Jan Engelhardt <jengelh@xxxxxxx>
+- Trim project history from package description.
+Tue Mar 26 02:04:57 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+- Update to LXC 3.1.0. The changelog is far too long to include here, please
+ look at the changelogs posted on boo#1131762
+ * Includes fixes for CVE-2019-5736 bsc#1122185.
+ + pam_cgfs is now provided by this package, since upstream has moved the
+ sources to LXC (it used to be part of lxcfs).
+ * All of the patches have been upstreamed or are no longer relevant:
+ - 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch
+ - 0001-utils-add-LXC_PROC_PID_FD_LEN.patch
+ - 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch
+ - 0001-Backport-autodev-fix-from-lxc-master.patch
+ - 0001-PyOS_AfterFork-python3.7.patch
+- Add a warning if lxc-user-nic is not setuid after set_permissions, to ensure
+ users actually read the warning (which means we get to remove README.SUSE).
+ It also supports people using paranoid mode, which is why it's done in
+ post-install and isn't packaged. boo#988348
+- Quite a lot of the runtime helpers and configuration have been moved to
+ liblxc, in order to allow LXD to make use of them (because, in truth, they
+ were always a requirement of liblxc and not just the lxc-* tools).
+- Add workaround for pre-15 distros, where _sharedstatedir was inexplicably
+ /usr/com, to use the correct directory of /var/lib.
+Tue Mar 26 00:09:22 UTC 2019 - Aleksa Sarai <asarai@xxxxxxxx>
+- Rework packaging to be a more modern openSUSE-style.
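Review bot: the entry "Avoid wrong permissions warning by conditionally setting the setuid bit" should name the cut-off it keys on, since that decision is what determines whether lxc-user-nic is installed setuid root: it says only "what version of permissions is available in that distribution", while the spec change in this same request keys it on `0%{suse_version} >= 1510` and points at bsc#988348. Likewise, the entry "Add a warning if lxc-user-nic is not setuid after set_permissions" says the warning is generated in post-install and "isn't packaged" but not where it is written; mention the update-message location so a reader of the changelog knows where to look for it.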




Other differences:
++++++ lxc.spec ++++++
--- /var/tmp/diff_new_pack.oDKKTq/_old 2019-04-08 20:53:33.734569508 +0200
+++ /var/tmp/diff_new_pack.oDKKTq/_new 2019-04-08 20:53:33.738569511 +0200
@@ -15,85 +15,111 @@
# Please submit bugfixes or comments via

+# On pre-15 SLE versions, _sharedstatedir was /usr/com -- which is just wrong.
+%if 0%{suse_version} < 1500
+%define _sharedstatedir /var/lib
+# In later versions of openSUSE's permissions config, lxc-user-nic was
+# whitelisted with a setuid bit enabled -- but in order to allow building on
+# old distros we must not make it setuid on pre-15.1 distros. See bsc#988348.
+%if 0%{suse_version} >= 1510
+%define setuid_mode 04750
+%define setuid_mode 0750
+%define _pre_update_message(B:S:n:) \
+ %%define um_pkgname %{?-n:%{-n*}}%{!?-n:%{name}} \
+ %%define um_suffix %{?-S:%{-S*}}%{!?-S:untitled} \
+ %%define um_prefix
+ %%define um_path %{um_prefix}%{um_suffix}.txt
+# add_update_message [-aB] [-S <suffix=untitled>] [-n <pkgname={name}>]
+# Adds new update message with the given suffix and package name.
+# Use -B to apply to the {buildroot} rather than the host system.
+%define add_update_message(BS:n:) ( \
+ %{expand:%_pre_update_message %{-B} %{-S} %{-n}} \
+ tee >>%{um_path} )
+# del_update_messages [-B] [-n <pkgname={name}>]
+# Delete all update-messages that exist for the given package.
+# Use -B to apply to the {buildroot} rather than the host system.
+%define del_update_messages(Bn:) ( \
+ %{expand:%_pre_update_message -S * %{-B} %{-n}} \
+ ( shopt -s nullglob ; rm -f -- %{um_path} ) )

%define shlib_version 1
Name: lxc
-Version: 2.0.9
+Version: 3.1.0
Release: 0
Summary: Userspace tools for Linux kernel containers
License: LGPL-2.1-or-later
Group: System/Management
Source2: %{name}.keyring
-Source5: openSUSE_apparmor_mount.conf
0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch (boo#1099239)
-Patch0: 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch
-Patch1: 0001-utils-add-LXC_PROC_PID_FD_LEN.patch
-Patch2: 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch
-Patch3: 0001-Backport-autodev-fix-from-lxc-master.patch
-Patch4: 0001-PyOS_AfterFork-python3.7.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: docbook-utils
-BuildRequires: docbook2x
-BuildRequires: fdupes
-BuildRequires: git
+Source90: openSUSE-apparmor.conf
+BuildRequires: gcc
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: pkg-config
+BuildRequires: libgnutls-devel
BuildRequires: libapparmor-devel
+BuildRequires: libselinux-devel
BuildRequires: libcap-devel
+BuildRequires: pam-devel
%ifarch %ix86 x86_64
BuildRequires: libseccomp-devel
BuildRequires: libxslt
-BuildRequires: linux-glibc-devel
-BuildRequires: lsb-release
-BuildRequires: pkg-config
-BuildRequires: python3-devel
-%if 0%{?suse_version} >= 1320
-BuildRequires: automake
-BuildRequires: libtool
-%if 0%{?suse_version} >= 1210
+BuildRequires: fdupes
+BuildRequires: docbook-utils
+BuildRequires: docbook2x
+BuildRequires: bash-completion
BuildRequires: systemd
-Requires: apparmor-abstractions
Requires: libcap-progs
Requires: lxcfs
+Requires: lxcfs-hooks-lxc
Requires: rsync
-# needed to create openSUSE containers using template
+# Needed to create openSUSE containers using template.
Recommends: build
Recommends: criu >= 2.0

-LXC provides commands to create and manage containers. Current LXC uses the
-following kernel features to contain processes:
-- Kernel namespaces (ipc, uts, mount, pid, network and user)
-- Apparmor and SELinux profiles
-- Seccomp policies
-- Chroots (using pivot_root)
-- Kernel capabilities
-- CGroups (control groups)
-LXC containers are often considered as something in the middle between a chroot
-and a full fledged virtual machine. The goal of LXC is to create an environment
-as close as possible to a standard Linux installation but without the need for
-separate kernel.
+LXC is the well-known and heavily tested low-level Linux container runtime.
+%package -n pam_cgfs
+Summary: PAM module to provide unprivileged cgroupfs
+License: LGPL-2.1-only
+Group: System/Libraries
+Supplements: lxc
+%description -n pam_cgfs
+When a user logs in, this PAM module will create cgroups which the user may
+administer, either for all controllers or for any controllers listed on the
+command line.

%package -n liblxc%{shlib_version}
-PreReq: permissions
Summary: LXC container runtime library
License: LGPL-2.1-only
Group: System/Libraries
+Requires(pre): permissions
+Requires(post): permissions
+# Older SLE versions didn't have -abstractions but instead had -profiles
+# (though Leap has -abstractions regardless of it being based on SLE). We only
+# need them to not have to own /etc/apparmor.d/abstractions.
+%if 0%{?is_opensuse} || %{?suse_version} >= 1500
+BuildRequires: apparmor-abstractions
+BuildRequires: apparmor-profiles

%description -n liblxc%{shlib_version}
-Provides the LXC container runtime library.
+This package provides the LXC container runtime library.

%package -n liblxc-devel
Summary: LXC container runtime library development files
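Review bot: the option string of `%define _pre_update_message(B:S:n:)` declares `-B` as taking an argument, but `add_update_message(BS:n:)` and `del_update_messages(Bn:)` declare it as a bare flag and forward it as `%{-B}`, which expands to just `-B`; whenever `-B` is given, `_pre_update_message` would then swallow the following `-S` or `-n` token as the argument of `-B`. Make the three declarations agree, i.e. `%define _pre_update_message(BS:n:)`. Two smaller points in the same hunk: the new conditionals `%if 0%{suse_version} < 1500` and `%if 0%{suse_version} >= 1510` drop the `?` that the rest of the spec uses (`0%{?suse_version}`), so the expression does not parse on a build where suse_version is undefined, and `%if 0%{?is_opensuse} || %{?suse_version} >= 1500` lacks the leading `0` on its second operand for the same reason; and `%define setuid_mode 04750` is directly followed by `%define setuid_mode 0750` with no `%else` visible between them, which should be confirmed, because as shown the second definition always wins and the helper is never setuid.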
@@ -102,57 +128,56 @@
Requires: liblxc%{shlib_version} = %version

%description -n liblxc-devel
-Provides the LXC container runtime library development files
+This package provides the LXC container runtime library development files.
+%package bash-completion
+Summary: Bash Completion for %{name}
+Group: System/Management
+Requires: %{name} = %{version}
+Supplements: packageand(%{name}:bash-completion)
+BuildArch: noarch
+%description bash-completion
+Bash command line completion support for %{name}.

-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1

-chmod 755 configure
-%if 0%{?suse_version} >= 1320
-sed -i 's/-Werror"/-Werror -Wno-error=format-truncation"/g'
-%define _configure ./
-PATH=$PATH:/usr/sbin:/sbin %configure
-%define _configure ./configure
-%configure --disable-examples \
+%configure \
+ --enable-pam \
+ --disable-static \
+ --disable-examples \
--disable-rpath \
--with-init-script=systemd \
make %{?_smp_mflags}
-cp %{SOURCE4} .
-# remove lxc-user-nic from README as it is not longer necessary in Tumbleweed
-%if 0%{?suse_version} >= 1550
-sed -i '/=== lxc-user-nic ===/,+4d' ./README.SUSE
-cp %{SOURCE5} .
-rm -rf .doc
-mkdir -p .doc/examples
-cp doc/examples/*.conf .doc/examples
+# openSUSE-specific templated files.
+./config.status --file=lxc-createconfig:%{S:3}

-install -d -m 755 %{buildroot}/var/lib/lxc
-find %buildroot -type f -name '*.la' -delete
-%if 0%{?suse_version} <= 1550
-chmod u-s %{buildroot}/%{_libexecdir}/%{name}/lxc-user-nic
-./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:3}
-chmod a+x %{buildroot}%{_bindir}/lxc-createconfig
-ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc
-ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc-net
-cp %{SOURCE5} %{buildroot}/usr/share/lxc/config/common.conf.d/
-%fdupes %{buildroot}/%{_datadir}/%{name}/config/
-# move bash-completion to correct place
-install -d -m 755 %{buildroot}/usr/share/bash-completion/completions/
-mv -v %{buildroot}/etc/bash_completion.d/lxc
+install -d -m 0755 %{buildroot}%{_sharedstatedir}/%{name}
+# openSUSE-specific helpers and configuration.
+install -D -m 0755 lxc-createconfig %{buildroot}%{_bindir}/lxc-createconfig
+install -D -m 0644 %{S:90}
+# sysv-init compat wrappers.
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-net
+# Ensure we install the bash-completion to the correct place -- on some SLE
+# versions this is done for us by make_install, on others we need to do it
+# manually.
+install -D -m 0644 config/bash/lxc
+rm -f %{buildroot}%{_sysconfdir}/bash_completion.d/%{name}
+# Clean up.
+find %{buildroot} -type f -name '*.la' -delete
+%fdupes %{buildroot}

%service_add_pre lxc@.service lxc.service lxc-net.service
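Review bot: `%fdupes %{buildroot}` now runs over the whole buildroot instead of the old `%{buildroot}/%{_datadir}/%{name}/config/`; since this build is split into lxc, liblxc%{shlib_version}, liblxc-devel, pam_cgfs and bash-completion subpackages, fdupes can replace a duplicate with a hardlink to a file that ends up in a different subpackage, and rpm does not handle hardlinks that span packages. Either keep the old path or run `%fdupes` separately on directory trees that belong to a single subpackage. On style, the new `%configure` block is the only place that says where pam_cgfs comes from (`--enable-pam`); a one-line comment there, matching the pam_cgfs subpackage description, would help the next person who touches the build flags.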
@@ -170,76 +195,114 @@

%post -n liblxc%{shlib_version}
-%set_permissions /usr/lib/lxc/lxc-user-nic
+%set_permissions %{_libexecdir}/%{name}/lxc-user-nic
+# Remove any existing update messages if we're reinstalling.
+[ "$1" -gt 1 ] && %{del_update_messages -n liblxc%{shlib_version}} ||:
+[ -u %{_libexecdir}/%{name}/lxc-user-nic ] || \
+%{add_update_message -n liblxc%{shlib_version} -S missing_setuid} <<EOF
+%if 0%{suse_version} >= 1510
+NOTE: It appears you are running on a new-enough distribution that this warning
+ should not have appeared. If you are not using a "paranoid" profile,
+ please report this as a bug at <>.
+Due to your /etc/permissions configuration (which might be caused by an
+outdated permissions package), the lxc-user-nic helper binary has been
+installed with a missing setuid bit. This setuid helper is required in order
+for LXC unprivileged containers to operate, and has already been reviewed by
+the SUSE security team and added to the Factory permissions setuid

-%postun -n liblxc%{shlib_version} -p /sbin/ldconfig
+No action has been taken to fix this configuration problem (in case this was
+intentional, and to avoid breaking openSUSE packaging guidelines), so your
+administrator will have to fix this manually.
+In order to fix this, add the following line to /etc/permissions.local (this is
+necessary to avoid losing the setuid bit during package updates or causing
+audit warnings):
+ %{_libexecdir}/%{name}/lxc-user-nic root:kvm 04750
+and then add the setuid bit to the helper:
+ chmod u+s %{_libexecdir}/%{name}/lxc-user-nic
+... or you can re-install liblxc%{shlib_version}.
+%postun -n liblxc%{shlib_version}
+# Remove update messages if we're *uninstalling* but not reinstalling.
+[ "$1" -eq 0 ] && %{del_update_messages -n liblxc%{shlib_version}} ||:

%verifyscript -n liblxc%{shlib_version}
-%verify_permissions -e /usr/lib/lxc/lxc-user-nic
+%verify_permissions -e %{_libexecdir}/%{name}/lxc-user-nic

-%doc README doc/FAQ.txt
+%doc doc/FAQ.txt
+# Configuration for LXC.
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%config(noreplace) %{_sysconfdir}/default/%{name}

-# On non 64bit versions of SUSE {_libdir} will be /usr/lib and thus equivalent
-# to {_libexecdir}. Hence, the next directive would install everything in
-# /usr/lib but we want to exclude some files because they get installed
-# together with the liblxc subpackage on which lxc depends.
-%dir %{_libdir}/%{name}
-%dir %{_libexecdir}/%{name}
-%exclude %{_libexecdir}/%{name}/lxc-apparmor-load
-%exclude %{_libexecdir}/%{name}/lxc-monitord
-%exclude %{_libexecdir}/%{name}/lxc-user-nic
-%dir /var/lib/lxc
+# Binaries, man pages, and service files.
+# AppArmor profiles specifically for the lxc binaries.
+%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-*
+%files -n pam_cgfs

%files -n liblxc%{shlib_version}
%license COPYING
-%doc .doc/examples
-%dir %{_sysconfdir}/apparmor.d
-%dir %{_sysconfdir}/apparmor.d/abstractions
-%dir %{_sysconfdir}/apparmor.d/abstractions/lxc
-%config %{_sysconfdir}/apparmor.d/abstractions/lxc/container-base
-%config %{_sysconfdir}/apparmor.d/abstractions/lxc/start-container
-%config %{_sysconfdir}/apparmor.d/lxc-containers
+# In addition to liblxc, there are a bunch of configuration and runtime
+# directories that are implicitly required by liblxc. We have to expose these
+# here, as opposed to the lxc package so that LXD (and others) can make use of
+# it.
+# Runtime-related directories.
+%dir %{_libdir}/%{name}
+%dir %{_sharedstatedir}/%{name}
+# Make sure lxc-user-nic has the right mode.
+%attr(%{setuid_mode},root,kvm) %{_libexecdir}/%{name}/lxc-user-nic
+# AppArmor profiles and templates related to LXC.
%dir %{_sysconfdir}/apparmor.d/lxc
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-cgns
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-mounting
-%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-nesting
-%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-start
+%dir %{_sysconfdir}/apparmor.d/abstractions/lxc
+%config %{_sysconfdir}/apparmor.d/abstractions/lxc/*
+%config %{_sysconfdir}/apparmor.d/lxc-*
+%config %{_sysconfdir}/apparmor.d/lxc/*

%files -n liblxc-devel

+%files bash-completion

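Review bot: the update message written by `%post -n liblxc%{shlib_version}` asks the user to "report this as a bug at <>" with nothing between the angle brackets; put the bug tracker URL there, because this message is the only user-facing explanation when lxc-user-nic ends up without the setuid bit, and a bug report is exactly what the 15.1+ branch of the message asks for. Also, `%postun -n liblxc%{shlib_version} -p /sbin/ldconfig` is replaced by a scriptlet body that only calls `del_update_messages`, and nothing visible in this hunk runs ldconfig from the new %post or %postun of the shared-library package; add an explicit `/sbin/ldconfig` call to both (the `-p` form is no longer possible now that the scriptlets have bodies) unless it is handled elsewhere in the spec. The `[ -u ... ] || %{add_update_message ...} <<EOF` check itself is correctly placed after `%set_permissions`, so it reports the state chkstat actually left behind; only the `%if 0%{suse_version} >= 1510` inside the heredoc drops the `?` used elsewhere in the spec.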
++++++ openSUSE-apparmor.conf ++++++
# workaround for lxc-start problem with apparmor
lxc.aa_allow_incomplete = 1
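Review bot: the comment `# workaround for lxc-start problem with apparmor` does not say what `lxc.aa_allow_incomplete = 1` changes. Per lxc.container.conf(5), with the default of 0 LXC refuses to start a container when the kernel lacks AppArmor mount mediation (so a regression after a kernel update is noticed), and with 1 it starts the container under the partial profile instead; the file it replaces was named openSUSE_apparmor_mount.conf, which points at the same missing mount mediation. Shipping this as a distribution-wide default trades a fail-closed check for availability, so spell that out in the comment and cite the bug it works around, so that an administrator who wants the stricter behaviour knows to set `lxc.aa_allow_incomplete = 0` in the container's own config.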

