
Bug#772458: marked as done (unblock: lxc/1:1.0.6-5)
Your message dated Sun, 7 Dec 2014 17:41:39 +0100
with message-id <20141207164138.GA30712@ugent.be>
and subject line Re: Bug#772458: unblock: lxc/1:1.0.6-5
has caused the Debian Bug report #772458,
regarding unblock: lxc/1:1.0.6-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772458
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock lxc/1:1.0.6-5.

Changes since 1:1.0.6-3 (jessie) are:

  * Mounting /sys read-only in lxc-debian to prevent (one way of)
    escaping containers (Closes: #770901).
  * Adding patch from lxc 1.0.7 to make lxc-debian work with systemd
    (Closes: #766216).
  * Adding patch from lxc 1.0.7 to make lxc-debian handle switch of
    initsystem better.
  * Marking -t option in lxc-create manpage as required (Closes:
    #768778).

Regards,
Daniel

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/
diff --git a/debian/changelog b/debian/changelog
index 5e5f7ea..4b82738 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+lxc (1:1.0.6-5) unstable; urgency=low
+
+  * Mounting /sys read-only in lxc-debian to prevent (one way of) escaping
+    containers (Closes: #770901).
+  * Adding patch from lxc 1.0.7 to make lxc-debian work with systemd
+    (Closes: #766216).
+  * Adding patch from lxc 1.0.7 to make lxc-debian handle switch of
+    initsystem better.
+
+ -- Daniel Baumann <mail@daniel-baumann.ch>  Sat, 06 Dec 2014 13:00:36 +0100
+
+lxc (1:1.0.6-4) unstable; urgency=low
+
+  * Marking -t option in lxc-create manpage as required (Closes: #768778).
+
+ -- Daniel Baumann <mail@daniel-baumann.ch>  Tue, 11 Nov 2014 19:57:58 +0100
+
 lxc (1:1.0.6-3) unstable; urgency=low
 
   * Preserving setuid on lxc-user-nic (Closes: #764815).
diff --git a/debian/patches/0013-lxc-create-manpage.patch b/debian/patches/0013-lxc-create-manpage.patch
new file mode 100644
index 0000000..42ca95f
--- /dev/null
+++ b/debian/patches/0013-lxc-create-manpage.patch
@@ -0,0 +1,16 @@
+Author: Daniel Baumann <mail@daniel-baumann.ch>
+Description: Marking -t option in lxc-create manpage as required (Closes: #768778),
+ see https://github.com/lxc/lxc/issues/355.
+
+diff -Naurp lxc.orig/doc/lxc-create.sgml.in lxc/doc/lxc-create.sgml.in
+--- lxc.orig/doc/lxc-create.sgml.in
++++ lxc/doc/lxc-create.sgml.in
+@@ -51,7 +51,7 @@ Foundation, Inc., 51 Franklin Street, Fi
+       <command>lxc-create</command>
+       <arg choice="req">-n <replaceable>name</replaceable></arg>
+       <arg choice="opt">-f <replaceable>config_file</replaceable></arg>
+-      <arg choice="opt">-t <replaceable>template</replaceable></arg>
++      <arg choice="req">-t <replaceable>template</replaceable></arg>
+       <arg choice="opt">-B <replaceable>backingstore</replaceable></arg>
+       <arg choice="opt">-- <replaceable>template-options</replaceable></arg>
+     </cmdsynopsis>
diff --git a/debian/patches/0014-lxc-debian-sysfs.patch b/debian/patches/0014-lxc-debian-sysfs.patch
new file mode 100644
index 0000000..eaaac66
--- /dev/null
+++ b/debian/patches/0014-lxc-debian-sysfs.patch
@@ -0,0 +1,15 @@
+Author: Daniel Baumann <mail@daniel-baumann.ch>
+Description: Mount /sys read-only in lxc-debian to prevent (one way of) escaping containers (Closes: #770901).
+
+diff -Naurp lxc.orig/config/templates/debian.common.conf.in lxc/config/templates/debian.common.conf.in
+--- lxc.orig/config/templates/debian.common.conf.in
++++ lxc/config/templates/debian.common.conf.in
+@@ -3,7 +3,7 @@ lxc.pivotdir = lxc_putold
+ 
+ # Default mount entries
+ lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+-lxc.mount.entry = sysfs sys sysfs defaults 0 0
++lxc.mount.entry = sysfs sys sysfs ro 0 0
+ 
+ # Default console settings
+ lxc.tty = 4
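Review bot: the replacement line `+lxc.mount.entry = sysfs sys sysfs ro 0 0` makes the mount read-only but drops the `nodev,noexec,nosuid` hardening that the `proc` entry two lines above already carries; unless sysfs in a container genuinely needs exec or device nodes, `ro,nodev,noexec,nosuid` would keep the two default entries consistent and matches the intent of the "prevent (one way of) escaping containers" description. The Description's "(one way of)" hedge is right, and it would help future readers if it said in one sentence which escape path a read-only sysfs closes and that it is a mount option, not a capability restriction, so nobody reads the patch as a complete fix for #770901.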
diff --git a/debian/patches/0015-lxc-debian-systemd.patch b/debian/patches/0015-lxc-debian-systemd.patch
new file mode 100644
index 0000000..d2c0f16
--- /dev/null
+++ b/debian/patches/0015-lxc-debian-systemd.patch
@@ -0,0 +1,58 @@
+Author: Antonio Terceiro <terceiro@debian.org>
+Description: lxc-debian: support systemd as PID 1
+ Containers with systemd need a somewhat special setup, which I borrowed
+ and adapted from lxc-fedora. These changes are required so that Debian 8
+ (jessie) containers work properly, and are a no-op for previous Debian
+ versions.
+
+diff -Naurp lxc.orig/templates/lxc-debian.in lxc/templates/lxc-debian.in
+--- lxc.orig/templates/lxc-debian.in
++++ lxc/templates/lxc-debian.in
+@@ -159,6 +159,38 @@ EOF
+     return 0
+ }
+ 
++configure_debian_systemd()
++{
++    path=$1
++    rootfs=$2
++    init="$(chroot ${rootfs} dpkg-query --search /sbin/init | cut -d : -f 1)"
++    if [ "$init" != "systemd-sysv" ]; then
++       # systemd is not PID 1
++       return
++    fi
++
++    echo 'lxc.autodev = 1' >> "$path/config"
++    echo 'lxc.kmsg = 0' >> "$path/config"
++
++    # This function has been copied and adapted from lxc-fedora
++    rm -f ${rootfs}/etc/systemd/system/default.target
++    touch ${rootfs}/etc/fstab
++    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
++    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
++    # Make systemd honor SIGPWR
++    chroot ${rootfs} ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
++    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
++        -e 's/After=dev-%i.device/After=/' \
++        < ${rootfs}/lib/systemd/system/getty\@.service \
++        > ${rootfs}/etc/systemd/system/getty\@.service
++    # Setup getty service on the 4 ttys we are going to allow in the
++    # default config.  Number should match lxc.tty
++    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
++        for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
++
++    return 0
++}
++
+ cleanup()
+ {
+     rm -rf $cache/partial-$release-$arch
+@@ -458,6 +490,8 @@ if [ $? -ne 0 ]; then
+     exit 1
+ fi
+ 
++configure_debian_systemd $path $rootfs
++
+ if [ ! -z $clean ]; then
+     clean || exit 1
+     exit 0
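Review bot: in `configure_debian_systemd()` (inner hunk `+@@ -159,6 +159,38 @@`) `path=$1` and `rootfs=$2` are assigned as shell globals rather than `local`, and every `chroot ${rootfs} ...`, `rm -f ${rootfs}/...` and redirection path is unquoted, so a rootfs path containing whitespace breaks the function; the two `echo ... >> "$path/config"` lines show the quoting that the rest should use, and the call site `+configure_debian_systemd $path $rootfs` needs the same treatment. The masking line `chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service` is rewritten to `systemd-udevd.service` by 0016-lxc-debian-init.patch in this same upload; folding that one-line correction into this patch would leave each patch self-contained and avoid shipping a known-wrong unit name in 0015.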
diff --git a/debian/patches/0016-lxc-debian-init.patch b/debian/patches/0016-lxc-debian-init.patch
new file mode 100644
index 0000000..30365cb
--- /dev/null
+++ b/debian/patches/0016-lxc-debian-init.patch
@@ -0,0 +1,69 @@
+Author: Cameron Norman <camerontnorman@gmail.com>
+Description: lxc-debian: adjust init system configurations
+ Do as much as possible to allow containers switching from non-systemd to
+ systemd to work as intended (but nothing that will cause side effects).
+ Use update-rc.d disable instead of remove so the init scripts are not
+ re-enabled when the package is updated
+
+diff -Naurp lxc.orig/templates/lxc-debian.in lxc/templates/lxc-debian.in
+--- lxc.orig/templates/lxc-debian.in
++++ lxc/templates/lxc-debian.in
+@@ -107,10 +107,10 @@ EOF
+     fi
+ 
+     # remove pointless services in a container
+-    chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh remove
+-    chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove
+-    chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove
+-    chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove
++    chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh disable
++    chroot $rootfs /usr/sbin/update-rc.d -f umountfs disable
++    chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh disable
++    chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh disable
+ 
+     # generate new SSH keys
+     if [ -x $rootfs/var/lib/dpkg/info/openssh-server.postinst ]; then
+@@ -163,26 +163,33 @@ configure_debian_systemd()
+ {
+     path=$1
+     rootfs=$2
++
+     init="$(chroot ${rootfs} dpkg-query --search /sbin/init | cut -d : -f 1)"
+-    if [ "$init" != "systemd-sysv" ]; then
+-       # systemd is not PID 1
+-       return
++    if [ "$init" = "systemd-sysv" ]; then
++       # only appropiate when systemd is PID 1
++       echo 'lxc.autodev = 1' >> "$path/config"
++       echo 'lxc.kmsg = 0' >> "$path/config"
++    fi
++
++    # this only works if we have getty@.service to manipulate
++    if [ -f ${rootfs}/lib/systemd/system/getty\@.service ]; then
++       sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
++           -e 's/After=dev-%i.device/After=/' \
++           < ${rootfs}/lib/systemd/system/getty\@.service \
++           > ${rootfs}/etc/systemd/system/getty\@.service
+     fi
+ 
+-    echo 'lxc.autodev = 1' >> "$path/config"
+-    echo 'lxc.kmsg = 0' >> "$path/config"
++    # just in case systemd is not installed
++    mkdir -p ${rootfs}/{lib,etc}/systemd/system
++    mkdir -p ${rootfs}/etc/systemd/system/getty.target.wants
+ 
+     # This function has been copied and adapted from lxc-fedora
+     rm -f ${rootfs}/etc/systemd/system/default.target
+     touch ${rootfs}/etc/fstab
+-    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
++    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service
+     chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+     # Make systemd honor SIGPWR
+     chroot ${rootfs} ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
+-    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
+-        -e 's/After=dev-%i.device/After=/' \
+-        < ${rootfs}/lib/systemd/system/getty\@.service \
+-        > ${rootfs}/etc/systemd/system/getty\@.service
+     # Setup getty service on the 4 ttys we are going to allow in the
+     # default config.  Number should match lxc.tty
+     ( cd ${rootfs}/etc/systemd/system/getty.target.wants
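Review bot: `+    mkdir -p ${rootfs}/{lib,etc}/systemd/system` depends on brace expansion, a bash extension; the template's interpreter line is not in this hunk, but if lxc-debian.in runs under a POSIX `/bin/sh` (dash on Debian) this creates a literal `{lib,etc}` directory and neither `lib/systemd/system` nor `etc/systemd/system` is guaranteed to exist before the `ln -s` lines that follow. Spelling the two paths out (`mkdir -p ${rootfs}/lib/systemd/system ${rootfs}/etc/systemd/system`) works in either shell. Related: the `getty@.service` copy is now guarded by `[ -f ${rootfs}/lib/systemd/system/getty\@.service ]`, but the `getty.target.wants` loop in the unchanged context below still runs unconditionally, so on a rootfs without systemd it now creates dangling `getty@ttyN.service` symlinks; moving the loop inside the same guard (or an equivalent check) keeps the "just in case systemd is not installed" path clean. Minor: `appropiate` in the added comment should read `appropriate`.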
diff --git a/debian/patches/series b/debian/patches/series
index 9e92368..44d1640 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,7 @@
 0010-lxc-debian-openssh-server.patch
 0011-lxc-debian-root-password.patch
 0012-lxc-debian-systemd.patch
+0013-lxc-create-manpage.patch
+0014-lxc-debian-sysfs.patch
+0015-lxc-debian-systemd.patch
+0016-lxc-debian-init.patch
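Review bot: the new `0015-lxc-debian-systemd.patch` shares its descriptive name with the existing `0012-lxc-debian-systemd.patch` three lines above, which makes the series harder to read and to cite in bug reports; a distinguishing name such as `0015-lxc-debian-systemd-pid1.patch` would avoid the ambiguity. The ordering itself is correct as shown: 0016 must stay after 0015 because it rewrites the `configure_debian_systemd()` function that 0015 introduces.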

--- End Message ---
--- Begin Message ---
Hi,

On Sun, Dec 07, 2014 at 02:27:30PM +0100, Daniel Baumann wrote:
> Please unblock lxc/1:1.0.6-5.

Unblocked by Niels.

Cheers,

Ivo

--- End Message ---