authorDiego Elio Pettenò <flameeyes@gentoo.org>2009-12-07 11:39:11 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2009-12-07 11:39:11 +0000
commit88877e72cc6d30cb381cc47589a49bb0f75e20f7 (patch)
tree090b15be0ab26327fbd77658f85c63ea58ba072b /app-emulation/lxc/files
parentamd64/x86 stable, bug #295134 (diff)
Backport fixes from upstream, including one to not break host systems if lxc-start is launched in the old (pre-0.6.4) way. Thanks to Andrian Nord in bug #296030.
Package-Manager: portage-2.2_rc56/cvs/Linux x86_64
Diffstat (limited to 'app-emulation/lxc/files')
-rw-r--r--app-emulation/lxc/files/0.6.2-as-needed.patch19
-rw-r--r--app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch44
-rw-r--r--app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch103
-rw-r--r--app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch305
4 files changed, 452 insertions, 19 deletions
diff --git a/app-emulation/lxc/files/0.6.2-as-needed.patch b/app-emulation/lxc/files/0.6.2-as-needed.patch
deleted file mode 100644
index 45e6c4cfa7c9..000000000000
--- a/app-emulation/lxc/files/0.6.2-as-needed.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -Naur lxc-0.6.2.orig/src/lxc/Makefile.am lxc-0.6.2/src/lxc/Makefile.am
---- lxc-0.6.2.orig/src/lxc/Makefile.am 2009-05-21 11:26:06.527984732 +0200
-+++ lxc-0.6.2/src/lxc/Makefile.am 2009-05-21 11:30:21.774641310 +0200
-@@ -1,7 +1,6 @@
- INCLUDES= -I$(top_srcdir)/src -DLXCPATH="\"@LXCPATH@\"" \
- -DLXCBINDIR="\"$(bindir)\"" \
- -DLXCLIBEXECDIR="\"$(libexecdir)\""
--AM_LDFLAGS= -lutil
- lib_LTLIBRARIES = liblxc.la
- pkginclude_HEADERS = \
- error.h \
-@@ -51,6 +50,7 @@
- cr_plugin_columbia.c lxc_plugin.h
-
- liblxc_la_LDFLAGS = -release @PACKAGE_VERSION@
-+liblxc_la_LIBADD = -lutil
-
- bin_SCRIPTS = \
- lxc-ps \
diff --git a/app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch b/app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch
new file mode 100644
index 000000000000..553bf20e08bd
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch
@@ -0,0 +1,44 @@
+From f2ae79a04567fb8c1181f4d3331d2b7a48889cf3 Mon Sep 17 00:00:00 2001
+From: Andrian Nord <nightnord@gmail.com>
+Date: Thu, 26 Nov 2009 15:46:25 +0000
+Subject: "Default" configuration may destroy host system
+
+If you're running (by mistake or typo) (via lxc-start) container that does not
+exists it will run with lxc.rootfs=/, meaning that /sbin/init will
+restart initialization procedure, efficiently messing host's system,
+that may lead to unpredictable results or even destroy (make inaccessible) host
+system (by reseting network configuration or something like that).
+
+(Actually, it _did_ destroy system of everyone who tested this).
+
+Actually, I finally lost any meaning of having such a feature for
+full-system containers. You may not use hosts's FS - it's described at
+above. You may not use some temporary directory - that's nonsense.
+
+This patch forbinds starting container via lxc-start without rcfile and
+custom start program, but probably it fixes only small part of problem.
+I really don't see much sense in such a feature without ability of
+overriding 'default' setting with command line switches. Anyway, default
+behaviour should be as save as possible.
+
+Signed-off-by: Andrian Nord <NightNord@gmail.com>
+Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
+---
+diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
+index b8d03e8..d2471eb 100644
+--- a/src/lxc/lxc_start.c
++++ b/src/lxc/lxc_start.c
+@@ -173,6 +173,11 @@ int main(int argc, char *argv[])
+ return err;
+ }
+
++ if (!rcfile && !strcmp("/sbin/init", args[0])) {
++ ERROR("no configuration file for '/sbin/init' (may crash the host)");
++ return err;
++ }
++
+ if (my_args.daemonize) {
+
+ /* do not chdir as we want to open the log file,
+--
+cgit v0.8.3
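Review bot: The guard `if (!rcfile && !strcmp("/sbin/init", args[0]))` only trips on that exact string, so any other init — `/bin/init`, a relative `sbin/init`, `/lib/systemd/systemd`, or a wrapper script that execs init — still runs with the default rootfs of `/` and the host-clobbering behaviour the patch description itself says it only partly fixes. The real hazard is the rootfs, not the argv[0] spelling: the index line shows this applies on top of the move-rcfile change, so `main` already holds the parsed `struct lxc_conf` at this point, and refusing to start whenever the configured rootfs is unset or `/` (the field name is not visible here — confirm against conf.h) would cover every init variant rather than one string. Whatever check is kept, the message should tell the operator why the start was refused, e.g. `ERROR("refusing to run '%s' without a configuration file: default rootfs is '/' and would re-run init on the host", args[0]);`. The rest of `main` in lxc_start.c, including what `err` holds when this returns, lies outside the hunk.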
diff --git a/app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch b/app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch
new file mode 100644
index 000000000000..9c7ab1ab2158
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch
@@ -0,0 +1,103 @@
+From 8634bc197f742267b2eabd8543265ba93177b529 Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Thu, 26 Nov 2009 15:46:23 +0000
+Subject: allow lxc.network.pair to specify host-side name for veth interface
+
+Currently we allocate veth device with random name on host side,
+so that things like firewall rules or accounting does not work
+at all. Fix this by recognizing yet anothe keyword to specify
+the host-side device name: lxc.network.pair, and use it instead
+of random name if specified.
+
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
+---
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 9c3a558..523270e 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -829,14 +829,19 @@ int lxc_conf_init(struct lxc_conf *conf)
+
+ static int instanciate_veth(struct lxc_netdev *netdev)
+ {
+- char veth1[IFNAMSIZ];
++ char veth1buf[IFNAMSIZ], *veth1;
+ char veth2[IFNAMSIZ];
+ int ret = -1;
+
+- snprintf(veth1, sizeof(veth1), "vethXXXXXX");
+- snprintf(veth2, sizeof(veth2), "vethXXXXXX");
++ if (netdev->pair)
++ veth1 = netdev->pair;
++ else {
++ snprintf(veth1buf, sizeof(veth1buf), "vethXXXXXX");
++ mktemp(veth1buf);
++ veth1 = veth1buf;
++ }
+
+- mktemp(veth1);
++ snprintf(veth2, sizeof(veth2), "vethXXXXXX");
+ mktemp(veth2);
+
+ if (!strlen(veth1) || !strlen(veth2)) {
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 0b8d732..bb38206 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -73,6 +73,7 @@ struct lxc_route6 {
+ * Defines a structure to configure a network device
+ * @link : lxc.network.link, name of bridge or host iface to attach if any
+ * @name : lxc.network.name, name of iface on the container side
++ * @pair : lxc.network.pair, name of host-side iface in case of veth etc
+ * @flags : flag of the network device (IFF_UP, ... )
+ * @ipv4 : a list of ipv4 addresses to be set on the network device
+ * @ipv6 : a list of ipv6 addresses to be set on the network device
+@@ -83,6 +84,7 @@ struct lxc_netdev {
+ int ifindex;
+ char *link;
+ char *name;
++ char *pair;
+ char *hwaddr;
+ char *mtu;
+ struct lxc_list ipv4;
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index 39a8e2c..3a9a86d 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -49,6 +49,7 @@ static int config_network_type(const char *, char *, struct lxc_conf *);
+ static int config_network_flags(const char *, char *, struct lxc_conf *);
+ static int config_network_link(const char *, char *, struct lxc_conf *);
+ static int config_network_name(const char *, char *, struct lxc_conf *);
++static int config_network_pair(const char *, char *, struct lxc_conf *);
+ static int config_network_hwaddr(const char *, char *, struct lxc_conf *);
+ static int config_network_mtu(const char *, char *, struct lxc_conf *);
+ static int config_network_ipv4(const char *, char *, struct lxc_conf *);
+@@ -73,6 +74,7 @@ static struct config config[] = {
+ { "lxc.network.flags", config_network_flags },
+ { "lxc.network.link", config_network_link },
+ { "lxc.network.name", config_network_name },
++ { "lxc.network.pair", config_network_pair },
+ { "lxc.network.hwaddr", config_network_hwaddr },
+ { "lxc.network.mtu", config_network_mtu },
+ { "lxc.network.ipv4", config_network_ipv4 },
+@@ -221,6 +223,18 @@ static int config_network_name(const char *key, char *value,
+ return network_ifname(&netdev->name, value);
+ }
+
++static int config_network_pair(const char *key, char *value,
++ struct lxc_conf *lxc_conf)
++{
++ struct lxc_netdev *netdev;
++
++ netdev = network_netdev(key, value, &lxc_conf->network);
++ if (!netdev)
++ return -1;
++
++ return network_ifname(&netdev->pair, value);
++}
++
+ static int config_network_hwaddr(const char *key, char *value,
+ struct lxc_conf *lxc_conf)
+ {
+--
+cgit v0.8.3
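Review bot: In `instanciate_veth` the new `if (netdev->pair)` branch relies on the `pair` field starting out NULL, but neither the allocation in `network_netdev` nor the teardown that frees `name`/`link` is in this hunk — if the struct is not zeroed on allocation this reads an uninitialised pointer and hands garbage to the kernel as an interface name, so the zeroing and the matching `free(netdev->pair)` should be confirmed. The value is used verbatim as the host-side veth name; that is only bounded if `network_ifname` (the same validator `lxc.network.name` goes through) rejects names of IFNAMSIZ or more, and an explicit `if (strlen(veth1) >= IFNAMSIZ)` with a clear error next to the existing empty-name check would make that independent of the parser. A fixed host-side name is also a shared resource: two containers with the same `lxc.network.pair`, or a name that already exists on the host, will fail at veth creation rather than at config time, which is worth a sentence in the conf.h comment, e.g. `@pair : lxc.network.pair, host-side name for veth; must be unique on the host or creation fails`.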
diff --git a/app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch b/app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch
new file mode 100644
index 000000000000..6d2bb09843ea
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch
@@ -0,0 +1,305 @@
+From fae349da89b9ad063f0080970558b7f02ce233c2 Mon Sep 17 00:00:00 2001
+From: Daniel Lezcano <daniel.lezcano@free.fr>
+Date: Thu, 26 Nov 2009 15:46:24 +0000
+Subject: pass lxc_conf to the lxc_start function instead of the rcfile
+
+The rcfile is parsed in the lxc_start function. This is not the place
+to do that. Let's the caller to do that.
+
+In the meantime, we have the lxc_conf structure filled right before
+calling the lxc_start function so we can do some sanity check on the
+configuration to not break the system when we launch the container.
+
+Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
+---
+diff --git a/src/lxc/commands.c b/src/lxc/commands.c
+index 02239e5..4c48571 100644
+--- a/src/lxc/commands.c
++++ b/src/lxc/commands.c
+@@ -135,7 +135,7 @@ static int trigger_command(int fd, struct lxc_request *request,
+ static void command_fd_cleanup(int fd, struct lxc_handler *handler,
+ struct lxc_epoll_descr *descr)
+ {
+- lxc_console_remove_fd(fd, &handler->conf.tty_info);
++ lxc_console_remove_fd(fd, &handler->conf->tty_info);
+ lxc_mainloop_del_handler(descr, fd);
+ close(fd);
+ }
+diff --git a/src/lxc/console.c b/src/lxc/console.c
+index 52f6cec..96a6edd 100644
+--- a/src/lxc/console.c
++++ b/src/lxc/console.c
+@@ -98,7 +98,7 @@ extern int lxc_console_callback(int fd, struct lxc_request *request,
+ struct lxc_handler *handler)
+ {
+ int ttynum = request->data;
+- struct lxc_tty_info *tty_info = &handler->conf.tty_info;
++ struct lxc_tty_info *tty_info = &handler->conf->tty_info;
+
+ if (ttynum > 0) {
+ if (ttynum > tty_info->nbtty)
+diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h
+index 66cb3b8..8cf21c1 100644
+--- a/src/lxc/lxc.h
++++ b/src/lxc/lxc.h
+@@ -31,6 +31,7 @@ extern "C" {
+ #include <lxc/state.h>
+
+ struct lxc_msg;
++struct lxc_conf;
+
+ /**
+ Following code is for liblxc.
+@@ -44,7 +45,7 @@ struct lxc_msg;
+ * @argv : an array of char * corresponding to the commande line
+ * Returns 0 on sucess, < 0 otherwise
+ */
+-extern int lxc_start(const char *name, char *const argv[], const char *rcfile);
++extern int lxc_start(const char *name, char *const argv[], struct lxc_conf *);
+
+ /*
+ * Stop the container previously started with lxc_start, all
+diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
+index 846a96f..40a4b93 100644
+--- a/src/lxc/lxc_execute.c
++++ b/src/lxc/lxc_execute.c
+@@ -31,10 +31,11 @@
+ #include <sys/stat.h>
+ #include <sys/param.h>
+
+-#include <lxc/log.h>
+-#include <lxc/confile.h>
+-#include <lxc/lxc.h>
+
++#include "lxc.h"
++#include "log.h"
++#include "conf.h"
++#include "confile.h"
+ #include "arguments.h"
+ #include "config.h"
+
+@@ -83,6 +84,7 @@ int main(int argc, char *argv[])
+ {
+ static char **args;
+ char *rcfile;
++ struct lxc_conf conf;
+
+ if (lxc_arguments_parse(&my_args, argc, argv))
+ return -1;
+@@ -111,6 +113,16 @@ int main(int argc, char *argv[])
+ }
+ }
+
+- return lxc_start(my_args.name, args, my_args.rcfile);
++ if (lxc_conf_init(&conf)) {
++ ERROR("failed to initialze configuration");
++ return -1;
++ }
++
++ if (rcfile && lxc_config_read(rcfile, &conf)) {
++ ERROR("failed to read configuration file");
++ return -1;
++ }
++
++ return lxc_start(my_args.name, args, &conf);
+ }
+
+diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
+index cf87abf..b8d03e8 100644
+--- a/src/lxc/lxc_start.c
++++ b/src/lxc/lxc_start.c
+@@ -40,12 +40,13 @@
+ #include <netinet/in.h>
+ #include <net/if.h>
+
+-#include <lxc/lxc.h>
+-#include <lxc/log.h>
+-#include <lxc/utils.h>
+-
+-#include "arguments.h"
++#include "log.h"
++#include "lxc.h"
++#include "conf.h"
++#include "utils.h"
+ #include "config.h"
++#include "confile.h"
++#include "arguments.h"
+
+ lxc_log_define(lxc_start, lxc);
+
+@@ -132,6 +133,7 @@ int main(int argc, char *argv[])
+ };
+
+ char *rcfile = NULL;
++ struct lxc_conf conf;
+
+ if (lxc_arguments_parse(&my_args, argc, argv))
+ return err;
+@@ -161,6 +163,16 @@ int main(int argc, char *argv[])
+ }
+ }
+
++ if (lxc_conf_init(&conf)) {
++ ERROR("failed to initialze configuration");
++ return err;
++ }
++
++ if (rcfile && lxc_config_read(rcfile, &conf)) {
++ ERROR("failed to read configuration file");
++ return err;
++ }
++
+ if (my_args.daemonize) {
+
+ /* do not chdir as we want to open the log file,
+@@ -187,7 +199,7 @@ int main(int argc, char *argv[])
+
+ save_tty(&tios);
+
+- err = lxc_start(my_args.name, args, rcfile);
++ err = lxc_start(my_args.name, args, &conf);
+
+ restore_tty(&tios);
+
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 7143421..7e9d924 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -230,7 +230,7 @@ static int console_init(char *console, size_t size)
+ return 0;
+ }
+
+-struct lxc_handler *lxc_init(const char *name, const char *rcfile)
++struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf)
+ {
+ struct lxc_handler *handler;
+
+@@ -240,36 +240,20 @@ struct lxc_handler *lxc_init(const char *name, const char *rcfile)
+
+ memset(handler, 0, sizeof(*handler));
+
++ handler->conf = conf;
++
+ /* Begin the set the state to STARTING*/
+ if (lxc_set_state(name, handler, STARTING)) {
+ ERROR("failed to set state '%s'", lxc_state2str(STARTING));
+ goto out_free;
+ }
+
+- if (lxc_conf_init(&handler->conf)) {
+- ERROR("failed to initialize the configuration");
+- goto out_aborting;
+- }
+-
+- if (rcfile) {
+- if (access(rcfile, F_OK)) {
+- ERROR("failed to access '%s'", rcfile);
+- goto out_aborting;
+- }
+-
+- if (lxc_config_read(rcfile, &handler->conf)) {
+- ERROR("failed to read '%s'", rcfile);
+- goto out_aborting;
+- }
+- }
+-
+- if (console_init(handler->conf.console,
+- sizeof(handler->conf.console))) {
++ if (console_init(conf->console, sizeof(conf->console))) {
+ ERROR("failed to initialize the console");
+ goto out_aborting;
+ }
+
+- if (lxc_create_tty(name, &handler->conf)) {
++ if (lxc_create_tty(name, conf)) {
+ ERROR("failed to create the ttys");
+ goto out_aborting;
+ }
+@@ -294,7 +278,7 @@ out:
+ return handler;
+
+ out_delete_tty:
+- lxc_delete_tty(&handler->conf.tty_info);
++ lxc_delete_tty(&conf->tty_info);
+ out_aborting:
+ lxc_set_state(name, handler, ABORTING);
+ out_free:
+@@ -313,7 +297,7 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
+ lxc_unlink_nsgroup(name);
+
+ if (handler) {
+- lxc_delete_tty(&handler->conf.tty_info);
++ lxc_delete_tty(&handler->conf->tty_info);
+ free(handler);
+ }
+
+@@ -366,7 +350,7 @@ static int do_start(void *arg)
+ }
+
+ /* Setup the container, ip, names, utsname, ... */
+- if (lxc_setup(name, &handler->conf)) {
++ if (lxc_setup(name, handler->conf)) {
+ ERROR("failed to setup the container");
+ goto out_warn_father;
+ }
+@@ -414,14 +398,14 @@ int lxc_spawn(const char *name, struct lxc_handler *handler, char *const argv[])
+ }
+
+ clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
+- if (!lxc_list_empty(&handler->conf.network)) {
++ if (!lxc_list_empty(&handler->conf->network)) {
+
+ clone_flags |= CLONE_NEWNET;
+
+ /* that should be done before the clone because we will
+ * fill the netdev index and use them in the child
+ */
+- if (lxc_create_network(&handler->conf.network)) {
++ if (lxc_create_network(&handler->conf->network)) {
+ ERROR("failed to create the network");
+ goto out_close;
+ }
+@@ -447,7 +431,7 @@ int lxc_spawn(const char *name, struct lxc_handler *handler, char *const argv[])
+
+ /* Create the network configuration */
+ if (clone_flags & CLONE_NEWNET) {
+- if (lxc_assign_network(&handler->conf.network, handler->pid)) {
++ if (lxc_assign_network(&handler->conf->network, handler->pid)) {
+ ERROR("failed to create the configured network");
+ goto out_abort;
+ }
+@@ -486,13 +470,13 @@ out_abort:
+ goto out_close;
+ }
+
+-int lxc_start(const char *name, char *const argv[], const char *rcfile)
++int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf)
+ {
+ struct lxc_handler *handler;
+ int err = -1;
+ int status;
+
+- handler = lxc_init(name, rcfile);
++ handler = lxc_init(name, conf);
+ if (!handler) {
+ ERROR("failed to initialize the container");
+ return -1;
+diff --git a/src/lxc/start.h b/src/lxc/start.h
+index 3390411..ba55562 100644
+--- a/src/lxc/start.h
++++ b/src/lxc/start.h
+@@ -34,10 +34,10 @@ struct lxc_handler {
+ int sigfd;
+ char nsgroup[MAXPATHLEN];
+ sigset_t oldmask;
+- struct lxc_conf conf;
++ struct lxc_conf *conf;
+ };
+
+-extern struct lxc_handler *lxc_init(const char *name, const char *rcfile);
++extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
+ extern int lxc_spawn(const char *name, struct lxc_handler *handler,
+ char *const argv[]);
+
+--
+cgit v0.8.3
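Review bot: The new read path in `lxc_start.c` and `lxc_execute.c` loses the file name from the diagnostic — the removed code in `start.c` reported `failed to read '%s'` with the rcfile, while the replacement says only `"failed to read configuration file"` (and misspells "initialize" in the line above it); the path is the one thing an operator needs when a `-f` argument is wrong, so `ERROR("failed to read configuration file '%s'", rcfile);` should be restored in both callers. Note that `rcfile && lxc_config_read(...)` means a NULL rcfile silently proceeds with the `lxc_conf_init` defaults, which is exactly the unset-rootfs condition the fix-full-system patch in this same commit guards against for `/sbin/init` only; a comment at that line saying so would stop a later reader from "simplifying" the condition. `handler->conf` now points at a `struct lxc_conf` on `main`'s stack and nothing visible releases what `lxc_conf_init`/`lxc_config_read` allocate into it (network list entries, duplicated names) — likely acceptable for a process that exits right after, but `lxc_fini` should be checked so it no longer assumes it owns the configuration. Both `main` functions and `lxc_fini` begin outside their hunks.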