Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:lxc
[ Reason ]
Fix a handful of minor bugs affecting the version of lxc in trixie:
  * Add lxc-net dependency to sysvinit script
  * Stop printing misleading errors in enter_net_ns()
  * Fix generation of apparmor.d/abstractions/lxc/container-base
  * Fix restarting unprivileged containers

[ Impact ]
Users running lxc in trixie currently encounter small but annoying bugs.

[ Tests ]
The sysvinit fix was provided by an affected user, and is a trivial patch.
I have tested the other three patches myself to verify that they properly
fix the associated bugs.

[ Risks ]
Minor/none -- the sysvinit patch is trivial and the other three are
targeted fixes cherry-picked from the upstream git repo.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Four patches as outlined above.

[ Other info ]
The source debdiff is attached.
diff -Nru lxc-6.0.4/debian/changelog lxc-6.0.4/debian/changelog --- lxc-6.0.4/debian/changelog 2025-05-30 12:58:12.000000000 +0000 +++ lxc-6.0.4/debian/changelog 2025-12-26 19:02:22.000000000 +0000 @@ -1,3 +1,18 @@ +lxc (1:6.0.4-4+deb13u1) trixie; urgency=medium + + [ Frost ] + * Add lxc-net dependency to sysvinit script (Closes: #1122149) + + [ Mathias Gibbens ] + * Cherry-pick upstream fix to stop printing misleading errors in + enter_net_ns() (Closes: #1118024) + * Cherry-pick upstream fix for generating + apparmor.d/abstractions/lxc/container-base (partially addresses: #1111087) + * Cherry-pick upstream fix for restarting unprivileged containers + (Closes: #1123979) + + -- Mathias Gibbens <[email protected]> Fri, 26 Dec 2025 19:02:22 +0000 + lxc (1:6.0.4-4) unstable; urgency=medium [ Aurelien Jarno ] diff -Nru lxc-6.0.4/debian/gbp.conf lxc-6.0.4/debian/gbp.conf --- lxc-6.0.4/debian/gbp.conf 2025-05-30 12:58:12.000000000 +0000 +++ lxc-6.0.4/debian/gbp.conf 2025-12-26 19:02:22.000000000 +0000 @@ -1,3 +1,3 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/sid +debian-branch = debian/trixie diff -Nru lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch --- lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-6.0.4/debian/patches/0101-cherry-pick-fix-misleading-errors.patch 2025-12-26 19:02:22.000000000 +0000 
@@ -0,0 +1,82 @@ +From a53589e0636b42a2816375c9a2c1c4be09100297 Mon Sep 17 00:00:00 2001 +From: Alexander Mikhalitsyn <[email protected]> +Date: Mon, 28 Jul 2025 19:00:29 +0200 +Subject: [PATCH] lxc/lxccontainer: stop printing misleading errors in + enter_net_ns() + +In enter_net_ns() we try to enter network namespace at first, before +entering a user namespace to support inherited netns case properly. +It is expected to get EPERM for unprivileged container with non-shared +network namespace at first try. Let's take this into account +and stop misleading users with these error messages. + +Link: https://discuss.linuxcontainers.org/t/lxc-ls-fancy-command-shows-operation-not-permitted/24080 +Fixes: 3011e79f92ef ("lxccontainer: fix enter_net_ns helper to work when netns is inherited") +Fixes: #4560 +Signed-off-by: Alexander Mikhalitsyn <[email protected]> +--- + src/lxc/lxccontainer.c | 2 +- + src/lxc/utils.c | 10 +++++++--- + src/lxc/utils.h | 8 +++++++- + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 7b9ff9641d..6c80065a65 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -2220,7 +2220,7 @@ static inline bool enter_net_ns(struct lxc_container *c) + if (pid < 0) + return false; + +- net_ns_entered = switch_to_ns(pid, "net"); ++ net_ns_entered = try_switch_to_ns(pid, "net", true); + + if ((geteuid() != 0 || (c->lxc_conf && !list_empty(&c->lxc_conf->id_map))) && + (access("/proc/self/ns/user", F_OK) == 0)) +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 60f2b70003..af276a3b55 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -878,7 +878,7 @@ int detect_shared_rootfs(void) + return 0; + } + +-bool switch_to_ns(pid_t pid, const char *ns) ++bool try_switch_to_ns(pid_t pid, const char *ns, bool optional) + { + __do_close int fd = -EBADF; + int ret; +@@ -896,8 +896,12 @@ bool switch_to_ns(pid_t pid, const char *ns) + return log_error_errno(false, errno, "Failed to 
open \"%s\"", nspath); + + ret = setns(fd, 0); +- if (ret) +- return log_error_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd); ++ if (ret) { ++ if (optional) ++ return log_trace_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd); ++ else ++ return log_error_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd); ++ } + + return true; + } +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 0007b51a60..e72582aa24 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -134,7 +134,13 @@ __hidden extern bool is_shared_mountpoint(const char *path); + __hidden extern int detect_shared_rootfs(void); + __hidden extern bool detect_ramfs_rootfs(void); + __hidden extern char *on_path(const char *cmd, const char *rootfs); +-__hidden extern bool switch_to_ns(pid_t pid, const char *ns); ++ ++__hidden extern bool try_switch_to_ns(pid_t pid, const char *ns, bool optional); ++inline static bool switch_to_ns(pid_t pid, const char *ns) ++{ ++ return try_switch_to_ns(pid, ns, false); ++} ++ + __hidden extern char *get_template_path(const char *t); + __hidden extern int safe_mount(const char *src, const char *dest, const char *fstype, + unsigned long flags, const void *data, const char *rootfs); diff -Nru lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch --- lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-6.0.4/debian/patches/0102-cherry-pick-apparmor-generation.patch 2025-12-26 19:02:22.000000000 +0000 
@@ -0,0 +1,56 @@ +From 52929fc21809d57bb57f86142bc8d84223d44b7f Mon Sep 17 00:00:00 2001 +From: Mathias Gibbens <[email protected]> +Date: Sun, 26 Oct 2025 20:02:29 +0000 +Subject: [PATCH] config/apparmor/abstractions: Fix meson build generation of + container-base + +Previously, abstractions/container-base was a hand-generated concatenation of +two different files, abstractions/container-base.in and container-rules. This +was confusing, since the meson configuration didn't actually create +abstractions/container-base from abstractions/container-base.in. Now, the +previously manual step of creating abstractions/container-base is part of the +meson configure step. + +Signed-off-by: Mathias Gibbens <[email protected]> +--- + config/apparmor/README | 14 ++++---------- + config/apparmor/abstractions/meson.build | 5 +++-- + 2 files changed, 7 insertions(+), 12 deletions(-) + +diff --git a/config/apparmor/README b/config/apparmor/README +index 432956b9ae..76031601ad 100644 +--- a/config/apparmor/README ++++ b/config/apparmor/README +@@ -1,12 +1,6 @@ +-The abstractions/container-base file is partially automatically +-generated. The two source files are container-rules.base and +-abstractions/container-base.in. If these file are updated, +-then +- +-1. Generate a new container-rules file using ++The abstractions/container-base file installed is automatically ++generated. Its two source files are container-rules.base and ++abstractions/container-base.in. If container-rules.base is updated, ++generate a new container-rules file using + + ./lxc-generate-aa-rules.py container-rules.base > container-rules +- +-2. 
Concatenate container-base.in with container-rules using +- +-cat abstractions/container-base.in container-rules > abstractions/container-base +diff --git a/config/apparmor/abstractions/meson.build b/config/apparmor/abstractions/meson.build +index b8a8e40339..8424c38b0b 100644 +--- a/config/apparmor/abstractions/meson.build ++++ b/config/apparmor/abstractions/meson.build +@@ -2,8 +2,9 @@ + + if libapparmor.found() + configure_file( +- configuration: conf, +- input: 'container-base', ++ command: ['cat', '@INPUT@'], ++ capture: true, ++ input: ['container-base.in', '../container-rules'], + output: 'container-base', + install: true, + install_dir: join_paths(sysconfdir, 'apparmor.d', 'abstractions', 'lxc')) diff -Nru lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch --- lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-6.0.4/debian/patches/0103-cherry-pick-fix-dbus-reboots.patch 2025-12-26 19:02:22.000000000 +0000 
@@ -0,0 +1,43 @@ +From 0f5852edfad06fe4e9f00aaddd3d93576269729e Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <[email protected]> +Date: Tue, 23 Dec 2025 13:56:31 -0600 +Subject: [PATCH] cgfsng: fix reboots when using dbus + +When using dbus on a systemd system, we ask systemd to create a +"scope" for us to run in. We send a dbus message, and wait +for the reply saying it is created. + +When we reboot, we were re-sending the request to create the +scope. However, the scope still exists, because or single +lxc-monitor (originally lxc-start) thread is still under the +'lxc.pivot' sub-directory of the scope. + +But, on reboot, our lxc_conf already has our scope recorded! +So, just check whether that is set, and skip scope creation +if so. + +With this patch, i can reboot ad nauseum with no apparent +problems. + +We could probably move this check to the top of the function, +but for now this fixes the bug. + +Signed-off-by: Serge Hallyn <[email protected]> +--- + src/lxc/cgroups/cgfsng.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index eea2b1f6d9..81994817c5 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1521,6 +1521,9 @@ static int unpriv_systemd_create_scope(struct cgroup_ops *ops, struct lxc_conf * + dbus_threads_initialized = true; + } + ++ if (conf->cgroup_meta.systemd_scope != NULL) ++ return log_error(true, "Already in a scope, must be a reboot."); ++ + connection = open_systemd(); + if (connection == NULL) + return log_error(false, "Failed opening dbus connection"); diff -Nru lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch --- lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-6.0.4/debian/patches/0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch 2025-12-26 19:02:22.000000000 
+0000 @@ -0,0 +1,28 @@ +From 8f67650034c0b031cc2b24314c8167baaa8fbe44 Mon Sep 17 00:00:00 2001 +From: Frost <[email protected]> +Date: Sun, 7 Dec 2025 15:56:49 -0800 +Subject: [PATCH] Add lxc-net as dependency in sysvinit script + +Otherwise containers don't start during boot, but come up fine later. +--- + config/init/sysvinit/lxc-containers.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/config/init/sysvinit/lxc-containers.in b/config/init/sysvinit/lxc-containers.in +index f793d20..5543b05 100644 +--- a/config/init/sysvinit/lxc-containers.in ++++ b/config/init/sysvinit/lxc-containers.in +@@ -9,8 +9,8 @@ + # Provides: lxc + # Required-Start: $syslog $remote_fs + # Required-Stop: $syslog $remote_fs +-# Should-Start: cgroupfs-mount +-# Should-Stop: cgroupfs-mount ++# Should-Start: cgroupfs-mount lxc-net ++# Should-Stop: cgroupfs-mount lxc-net + # Default-Start: 2 3 4 5 + # Default-Stop: 0 1 6 + # Short-Description: Bring up/down LXC autostart containers +-- +2.51.0 + diff -Nru lxc-6.0.4/debian/patches/series lxc-6.0.4/debian/patches/series --- lxc-6.0.4/debian/patches/series 2025-05-30 12:58:12.000000000 +0000 +++ lxc-6.0.4/debian/patches/series 2025-12-26 19:02:22.000000000 +0000 @@ -3,3 +3,7 @@ 0003-apparmor-4x-userns.patch 0004-cherry-pick-complex-hooks-fix.patch 0005-cherry-pick-loong64.patch +0101-cherry-pick-fix-misleading-errors.patch +0102-cherry-pick-apparmor-generation.patch +0103-cherry-pick-fix-dbus-reboots.patch +0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch
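Review bot: the debian/changelog hunk records the apparmor patch as "(partially addresses: #1111087)" without saying what part of that bug remains open after this upload; a short clause in the changelog entry (or a note on the bug) stating what is still outstanding would keep the bug's status clear for the release team, since the other three entries all use Closes: and will be auto-closed while this one will not.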
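Review bot: in the src/lxc/utils.c hunk of 0101-cherry-pick-fix-misleading-errors.patch the new `optional` flag only demotes the setns() failure to trace level; the open() failure a few lines above it, `return log_error_errno(false, errno, "Failed to open \"%s\"", nspath);`, is unchanged and still logs at error level regardless of `optional`. If the first, expected-to-fail attempt from enter_net_ns() can fail at open() rather than at setns() (for example when /proc/<pid>/ns/net is not readable before the user namespace has been entered), users would keep seeing the same misleading error this patch sets out to remove. Applying the same `if (optional) log_trace_errno(...) else log_error_errno(...)` split to the open() path would close that gap; since this is a cherry-pick, the cleanest route is to confirm upstream's current behaviour before diverging.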
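Review bot: in the src/lxc/utils.h hunk of 0101-cherry-pick-fix-misleading-errors.patch the wrapper is spelled `inline static bool switch_to_ns(pid_t pid, const char *ns)`; the conventional order is `static inline`, and every neighbouring declaration in that header carries the `__hidden` visibility attribute, so the new static inline stands out stylistically. Functionally it is fine (a static inline needs no visibility attribute), so this is cosmetic and, given it is a verbatim cherry-pick, not something to change in the Debian copy.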
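Review bot: the three cherry-picked patch files (0101, 0102, 0103) carry only the git format-patch headers from upstream; adding DEP-3 `Origin: upstream, commit a53589e0636b42a2816375c9a2c1c4be09100297` (and the corresponding commit ids 52929fc21809d57bb57f86142bc8d84223d44b7f and 0f5852edfad06fe4e9f00aaddd3d93576269729e for 0102 and 0103) plus `Bug-Debian: https://bugs.debian.org/1118024` and `https://bugs.debian.org/1123979` lines in the respective files would let the patch tracker and the next maintainer tie each patch to the bug it closes without consulting the changelog.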
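Review bot: in the config/apparmor/abstractions/meson.build hunk of 0102-cherry-pick-apparmor-generation.patch, replacing `configuration: conf` with `command: ['cat', '@INPUT@']` and `capture: true` means configure_file() no longer performs `@VAR@` substitution on the output at all; whatever is in container-base.in and ../container-rules is now installed verbatim as the AppArmor abstraction. The patch description explains why the old rule was confusing but does not state that neither input contains placeholders that `conf` used to fill in; it would be worth confirming that on the trixie source (the installed abstraction is what confines every container), and a sentence in the patch description recording that check would help future reviewers.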
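Review bot: in the src/lxc/cgroups/cgfsng.c hunk of 0103-cherry-pick-fix-dbus-reboots.patch the early return `return log_error(true, "Already in a scope, must be a reboot.");` logs at error level on a path the commit message describes as the expected, successful reboot case, so every reboot of an unprivileged container under systemd will emit an ERROR line for a non-error; that is the same class of misleading message that 0101 in this very upload removes from enter_net_ns(). A lower level with the same `true` return would be less alarming for users and for anyone grepping logs for real failures. The commit message also says the check could move to the top of the function; placing it before the `dbus_threads_initialized` block would avoid initialising dbus threads only to return immediately, though for a stable update keeping the verbatim upstream cherry-pick is defensible.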
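Review bot: 0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch carries no DEP-3 `Forwarded:` or `Bug-Debian: https://bugs.debian.org/1122149` header; unlike the other three patches it is credited to an affected user rather than to an upstream cherry-pick, so recording whether it has been sent upstream (or `Forwarded: not-needed`, if the sysvinit script is Debian-specific in practice) would stop it being overlooked at the next upstream merge. The change itself looks right: using `Should-Start: cgroupfs-mount lxc-net` / `Should-Stop: cgroupfs-mount lxc-net` rather than Required-Start keeps the lxc script bootable on systems where lxc-net is disabled while ordering container start after the bridge exists, and the matching Should-Stop ensures containers are taken down before the bridge on shutdown.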