Bug#844150: marked as done (jessie-pu: package lxc/1:1.0.6-6+deb8u4)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #844150,
regarding jessie-pu: package lxc/1:1.0.6-6+deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
844150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844150
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu


Ohai,

we would like to fix two bugs in LXC in stable:
#838517 lxc-alpine template broken
        simple one-line patch to tell OpenSSL which hashing algo to use
#838957 read-only bind mounts are in fact read/write
        another quite short patch to trigger remounting bind mounts as RO

Full debdiff attached.

Thanks in advance
Evgeni

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 3902cc0..a025ddc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+lxc (1:1.0.6-6+deb8u4) jessie; urgency=medium
+
+  * fix Alpine Linux container creation
+    (Closes: #838517)
+  * remount bind mounts if read-only flag is provided
+    (Closes: #838957)
+
+ -- Evgeni Golov <evgeni@debian.org>  Sat, 12 Nov 2016 21:14:50 +0100
+
 lxc (1:1.0.6-6+deb8u3) jessie; urgency=medium
 
   * 0023-lxc-debian-make-sure-init-is-installed.patch: make sure stretch/sid
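
Review bot: the two new bullets do not name the patch files they add, unlike the 1:1.0.6-6+deb8u3 entry directly below, which opens with "0023-lxc-debian-make-sure-init-is-installed.patch:". Prefixing each bullet with its patch name (0024-..., 0025-...) would keep the changelog consistent and make the upload easier to audit. The second bullet could also state the effect being fixed, which the request describes as read-only bind mounts being in fact read/write, so that administrators relying on read-only bind mounts can tell that this update matters to them.
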
diff --git a/debian/patches/0024-lxc-alpine-fix-verification-of-apk.static-binary.patch b/debian/patches/0024-lxc-alpine-fix-verification-of-apk.static-binary.patch
new file mode 100644
index 0000000..9f58bbf
--- /dev/null
+++ b/debian/patches/0024-lxc-alpine-fix-verification-of-apk.static-binary.patch
@@ -0,0 +1,32 @@
+From e00f9e4e7ab5a76cfd4068e09579f9f471666a90 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Mon, 3 Aug 2015 13:40:25 +0200
+Subject: [PATCH] lxc-alpine: fix verification of apk.static binary
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need specify which hashing algorithm was used to create the signature
+we check.
+
+Fixes #609
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+Acked-by: Stéphane Graber <stgraber@ubuntu.com>
+---
+ templates/lxc-alpine.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
+index 963c42a..6dcc51b 100644
+--- a/templates/lxc-alpine.in
++++ b/templates/lxc-alpine.in
+@@ -83,7 +83,7 @@ get_static_apk () {
+ 
+     # verify the static apk binary signature
+     APK=$rootfs/sbin/apk.static
+-    openssl dgst -verify $rootfs/etc/apk/keys/$keyname \
++    openssl dgst -sha1 -verify $rootfs/etc/apk/keys/$keyname \
+         -signature "$APK.SIGN.RSA.$keyname" "$APK" || return 1
+ 
+     if [ "$auto_repo_dir" ]; then
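
Review bot: the digest on the "openssl dgst -sha1 -verify" line is hardcoded, and nothing in the template says why SHA-1 was chosen; the reason exists only in the commit message. A one-line comment above the call, stating that the option must match the digest the apk.static signature was created with, would keep a later edit from dropping or changing it and breaking verification again. On the same line, $rootfs/etc/apk/keys/$keyname is unquoted while "$APK.SIGN.RSA.$keyname" and "$APK" are quoted; quoting the key path keeps the check working when the rootfs path contains whitespace.
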
diff --git a/debian/patches/0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch b/debian/patches/0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch
new file mode 100644
index 0000000..b90d2ab
--- /dev/null
+++ b/debian/patches/0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch
@@ -0,0 +1,43 @@
+From 3fb22c29dcb647826aacd227efa506b17f50fcac Mon Sep 17 00:00:00 2001
+From: Abin Shahab <ashahab@altiscale.com>
+Date: Wed, 12 Nov 2014 00:06:52 +0000
+Subject: [PATCH] Remounts bind mounts if read-only flag is provided
+
+Bind mounts do not honor filesystem mount options. This change will
+remount filesystems that are bind mounted if there are changes to
+filesystem mount options, specifically if the mount is readonly.
+
+Signed-off-by: Abin Shahab <ashahab@altiscale.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/conf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 2a4d5c5..cb30d56 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -2054,10 +2054,12 @@ static int mount_entry(const char *fsname, const char *target,
+ 	if ((mountflags & MS_REMOUNT) || (mountflags & MS_BIND)) {
+ 		DEBUG("remounting %s on %s to respect bind or remount options",
+ 		      fsname ? fsname : "(none)", target ? target : "(none)");
+-
++		unsigned long rqd_flags = 0;
++		if (mountflags & MS_RDONLY)
++			rqd_flags |= MS_RDONLY;
+ #ifdef HAVE_STATVFS
+ 		if (statvfs(fsname, &sb) == 0) {
+-			unsigned long required_flags = 0;
++			unsigned long required_flags = rqd_flags;
+ 			if (sb.f_flag & MS_NOSUID)
+ 				required_flags |= MS_NOSUID;
+ 			if (sb.f_flag & MS_NODEV)
+@@ -2073,7 +2075,7 @@ static int mount_entry(const char *fsname, const char *target,
+ 			 * mountflags, then skip the remount
+ 			 */
+ 			if (!(mountflags & MS_REMOUNT)) {
+-				if (!(required_flags & ~mountflags)) {
++				if (!(required_flags & ~mountflags) && rqd_flags == 0) {
+ 					DEBUG("mountflags already was %lu, skipping remount",
+ 						mountflags);
+ 					goto skipremount;
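
Review bot: in the second hunk of conf.c the skip decision now depends on "rqd_flags == 0" alone; seeding required_flags with rqd_flags in the first hunk has no effect on the "required_flags & ~mountflags" test, because MS_RDONLY only enters rqd_flags when it is already set in mountflags and is therefore masked out. Testing "!(mountflags & MS_RDONLY)" directly in the skip condition, or adding a comment that a read-only bind mount must always take the remount path, would make the intent readable without tracing both variables. Two smaller points: rqd_flags differs from required_flags only by abbreviation, so a name such as rdonly_requested would be harder to confuse, and it is declared after the DEBUG() statement and outside the #ifdef HAVE_STATVFS block although the visible lines only read it where required_flags is in scope.
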
diff --git a/debian/patches/series b/debian/patches/series
index 11f5062..f0fbe86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,5 @@
 0021-CVE-2015-1335-2.patch
 0022-CVE-2015-1335-3.patch
 0023-lxc-debian-make-sure-init-is-installed.patch
+0024-lxc-alpine-fix-verification-of-apk.static-binary.patch
+0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---