Hello community, here is the log from the commit of package lxc for openSUSE:Factory checked in at 2015-07-27 09:13:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lxc (Old) and /work/SRC/openSUSE:Factory/.lxc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc" Changes: -------- --- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2014-12-30 00:50:49.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.lxc.new/lxc.changes 2015-07-27 09:13:52.000000000 +0200 
@@ -1,0 +2,20 @@ +Thu Jul 23 07:56:32 UTC 2015 - [email protected] + +- Added CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch + (bnc#938522) +- Added attach-mount-a-sane-prox-for-LSM-setup.patch (bnc#938523) +- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch + (bnc#938523) + +------------------------------------------------------------------- +Tue Jul 21 13:31:42 UTC 2015 - [email protected] + +- update to 1.1.2 +- Removed 0001-added-upstream-action-fallback-create-directory-loca.patch +- Removed 0003-lxc-opensuse-template-now-understands-release-argume.patch +- Removed 0004-lxc-opensuse.in-Added-explanation-on-how-to-use-the-.patch +- Removed 0005-lxc-opensuse.in-Check-if-given-argument-is-a-valid-r.patch +- Removed 0006-lxc-opensuse-default-release-changed-to-13.1-as-12.3.patch +- Removed 0007-lxc-opensuse-Disabling-builds-on-13.2-Tumbleweed-onl.patch + +------------------------------------------------------------------- Old: ---- 0001-added-upstream-action-fallback-create-directory-loca.patch 0003-lxc-opensuse-template-now-understands-release-argume.patch 0004-lxc-opensuse.in-Added-explanation-on-how-to-use-the-.patch 0005-lxc-opensuse.in-Check-if-given-argument-is-a-valid-r.patch 0006-lxc-opensuse-default-release-changed-to-13.1-as-12.3.patch 0007-lxc-opensuse-Disabling-builds-on-13.2-Tumbleweed-onl.patch lxc-1.0.7.tar.gz New: ---- CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch attach-mount-a-sane-prox-for-LSM-setup.patch lxc-1.1.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ --- /var/tmp/diff_new_pack.ymXkbN/_old 2015-07-27 09:13:53.000000000 +0200 +++ /var/tmp/diff_new_pack.ymXkbN/_new 2015-07-27 09:13:53.000000000 +0200 
@@ -17,7 +17,7 @@ Name: lxc -Version: 1.0.7 +Version: 1.1.2 Release: 0 Url: http://linuxcontainers.org/ Summary: Userspace tools for the Linux kernel containers @@ -26,18 +26,16 @@ Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz Source1: README.SUSE Source2: lxc-createconfig.in -Patch1: 0001-added-upstream-action-fallback-create-directory-loca.patch -Patch4: 0003-lxc-opensuse-template-now-understands-release-argume.patch -Patch3: 0004-lxc-opensuse.in-Added-explanation-on-how-to-use-the-.patch -Patch5: 0005-lxc-opensuse.in-Check-if-given-argument-is-a-valid-r.patch -Patch6: 0006-lxc-opensuse-default-release-changed-to-13.1-as-12.3.patch -Patch7: 0007-lxc-opensuse-Disabling-builds-on-13.2-Tumbleweed-onl.patch -Patch9: lxc-1.0.7-fix-bashisms.patch +Patch0: lxc-1.0.7-fix-bashisms.patch +Patch1: CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch +Patch2: attach-mount-a-sane-prox-for-LSM-setup.patch +Patch3: CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: docbook-utils BuildRequires: docbook2x +BuildRequires: fdupes BuildRequires: libapparmor-devel BuildRequires: libcap-devel %ifarch %ix86 x86_64 @@ -81,17 +79,17 @@ %prep %setup -q +%patch0 -p1 %patch1 -p1 +%patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch9 -p1 %build chmod 755 configure -%configure --disable-examples --with-init-script=systemd +%configure --disable-examples \ + --disable-rpath \ + --with-init-script=systemd \ + --with-systemdsystemunitdir=%{_unitdir} %__make %{?_smp_mflags} %__cp %{SOURCE1} . %__rm -rf .doc 
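Review bot: The order of `Patch2` and `Patch3` in the @@ -26,18 +26,16 @@ hunk matters, but the spec does not say so. The CVE-2015-1334 patch removes the `mount_proc_if_needed("/")` call in attach_child_main that attach-mount-a-sane-prox-for-LSM-setup.patch adds, so it only applies on top of it. I would put a comment above the two tags, for example `# Patch2 is a prerequisite of Patch3 (CVE-2015-1334); keep this order`. Without it, a later cleanup that drops the "Patch-mainline: no" patch would break the security fix.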
@@ -105,24 +103,26 @@ chmod u-s %{buildroot}/usr/lib/lxc/lxc-user-nic ./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2} chmod a+x %{buildroot}%{_bindir}/lxc-createconfig -ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%name +ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc +ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc-net +%fdupes %{buildroot}/%{_datadir}/%{name}/config/ %clean %__rm -rf %buildroot %pre -%service_add_pre lxc.service +%service_add_pre lxc.service lxc-net.service %post /sbin/ldconfig -%service_add_post lxc.service +%service_add_post lxc.service lxc-net.service %preun -%service_del_preun lxc.service +%service_del_preun lxc.service lxc-net.service %postun /sbin/ldconfig -%service_del_postun lxc.service +%service_del_postun lxc.service lxc-net.service %files %defattr(-,root,root) @@ -131,17 +131,19 @@ %doc .doc/examples %dir %{_sysconfdir}/%{name}/ %config %{_sysconfdir}/%{name}/default.conf +%config(noreplace) %{_sysconfdir}/default/%{name} %{_libdir}/lib%{name}.so.* %{_libexecdir}/%name %{_libdir}/%name %{_datadir}/%name %dir /var/lib/lxc %{_bindir}/%{name}-* -%exclude %{_bindir}/%{name}-top %{_sbindir}/init.lxc %{_sbindir}/rclxc +%{_sbindir}/rclxc-net %{_mandir}/man[^3]/* %_unitdir/%{name}.service +%_unitdir/%{name}-net.service %python3_sitearch/%{name}/ %python3_sitearch/_%{name}* %dir %{_sysconfdir}/apparmor.d ++++++ CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch ++++++ From: Serge Hallyn <[email protected]> Date: Fri, 3 Jul 2015 09:26:17 -0500 Subject: CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: yes References: bnc#938522 This prevents an unprivileged user to use LXC to create arbitrary file on the filesystem. Signed-off-by: Serge Hallyn <[email protected]> Signed-off-by: Tyler Hicks <[email protected]> Acked-by: Stéphane Graber <[email protected]> 
Signed-off-by: Jiri Slaby <[email protected]> --- src/lxc/lxclock.c | 47 ++++++++++------------------------------------- src/tests/locktests.c | 2 +- 2 files changed, 11 insertions(+), 38 deletions(-) diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c index fe13898df98f..e9e95f7a01d9 100644 --- a/src/lxc/lxclock.c +++ b/src/lxc/lxclock.c @@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n) char *rundir; /* lockfile will be: - * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root + * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root * or - * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root + * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root */ - /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */ - len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3; + /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */ + len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3; rundir = get_rundir(); if (!rundir) return NULL; @@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n) return NULL; } - ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p); + ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p); if (ret < 0 || ret >= len) { free(dest); free(rundir); 
@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n) } ret = mkdir_p(dest, 0755); if (ret < 0) { - /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0' - * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1) - * * lxcpath always starts with '/' - */ - int l2 = 22 + strlen(n) + strlen(p); - if (l2 > len) { - char *d; - d = realloc(dest, l2); - if (!d) { - free(dest); - free(rundir); - return NULL; - } - len = l2; - dest = d; - } - ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p); - if (ret < 0 || ret >= len) { - free(dest); - free(rundir); - return NULL; - } - ret = mkdir_p(dest, 0755); - if (ret < 0) { - free(dest); - free(rundir); - return NULL; - } - ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n); - } else - ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n); + free(dest); + free(rundir); + return NULL; + } + ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n); free(rundir); - if (ret < 0 || ret >= len) { free(dest); return NULL; diff --git a/src/tests/locktests.c b/src/tests/locktests.c index dd3393a89334..233ca127c6de 100644 --- a/src/tests/locktests.c +++ b/src/tests/locktests.c @@ -122,7 +122,7 @@ int main(int argc, char *argv[]) exit(1); } struct stat sb; - char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/"; + char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/"; ret = stat(pathname, &sb); if (ret != 0) { fprintf(stderr, "%d: filename %s not created\n", __LINE__, -- 2.4.5 ++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++ 
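Review bot: The new failure branch after `mkdir_p(dest, 0755)` does not record why the fallback location was removed, so the fallback could be reintroduced later as a convenience. I would add a comment there such as `/* No fallback to /tmp: a lock path under a world-writable directory can be pre-created by another user (CVE-2015-1331). */`. lxclock_name now returns NULL whenever the run directory cannot be created, so its callers should be checked to treat NULL as a hard error. Those callers and the start of the function body are outside this hunk.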
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]> Date: Thu, 16 Jul 2015 16:37:51 -0400 Subject: CVE-2015-1334: Don't use the container's /proc during attach MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: yes References: bnc#938523 A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written which combined with a modified /bin/sh or other commonly used binary would lead to unconfined code execution. Reported-by: Roman Fiedler Signed-off-by: Stéphane Graber <[email protected]> Signed-off-by: Jiri Slaby <[email protected]> --- src/lxc/attach.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 93 insertions(+), 13 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 731d7a632940..436ae7a56a9e 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c 
@@ -76,6 +76,82 @@ lxc_log_define(lxc_attach, lxc); +int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) { + int labelfd = -1; + int ret = 0; + const char* name; + char* command = NULL; + + name = lsm_name(); + + if (strcmp(name, "nop") == 0) + goto out; + + if (strcmp(name, "none") == 0) + goto out; + + /* We don't support on-exec with AppArmor */ + if (strcmp(name, "AppArmor") == 0) + on_exec = 0; + + if (on_exec) { + labelfd = openat(procfd, "self/attr/exec", O_RDWR); + } + else { + labelfd = openat(procfd, "self/attr/current", O_RDWR); + } + + if (labelfd < 0) { + SYSERROR("Unable to open LSM label"); + ret = -1; + goto out; + } + + if (strcmp(name, "AppArmor") == 0) { + int size; + + command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); + if (!command) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + size = sprintf(command, "changeprofile %s", lsm_label); + if (size < 0) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + if (write(labelfd, command, size + 1) < 0) { + SYSERROR("Unable to set LSM label"); + ret = -1; + goto out; + } + } + else if (strcmp(name, "SELinux") == 0) { + if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { + SYSERROR("Unable to set LSM label"); + ret = -1; + goto out; + } + } + else { + ERROR("Unable to restore label for unknown LSM: %s", name); + ret = -1; + goto out; + } + +out: + free(command); + + if (labelfd != -1) + close(labelfd); + + return ret; +} + static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) { struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); @@ -570,6 +646,7 @@ struct attach_clone_payload { struct lxc_proc_context_info* init_ctx; lxc_attach_exec_t exec_function; void* exec_payload; + int procfd; }; static int attach_child_main(void* data); 
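Review bot: Both `write()` calls in lsm_set_label_at accept any non-negative return as success, so a short write would let attach continue as if the profile or label had been applied. Comparing against the full length is stricter, e.g. `if (write(labelfd, command, size + 1) != size + 1)`, and likewise `strlen(lsm_label) + 1` in the SELinux branch. The malloc failure branch logs "Failed to write apparmor profile", which will mislead anyone reading the log; a message that names the allocation would fit better. The function is only called from attach.c in the visible hunks and has no prototype, so `static` looks appropriate.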
@@ -622,6 +699,7 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun char* cwd; char* new_cwd; int ipc_sockets[2]; + int procfd; signed long personality; if (!options) @@ -833,6 +911,13 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun rexit(-1); } + procfd = open("/proc", O_DIRECTORY | O_RDONLY); + if (procfd < 0) { + SYSERROR("Unable to open /proc"); + shutdown(ipc_sockets[1], SHUT_RDWR); + rexit(-1); + } + /* attach now, create another subprocess later, since pid namespaces * only really affect the children of the current process */ @@ -860,7 +945,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun .options = options, .init_ctx = init_ctx, .exec_function = exec_function, - .exec_payload = exec_payload + .exec_payload = exec_payload, + .procfd = procfd }; /* We use clone_parent here to make this subprocess a direct child of * the initial process. Then this intermediate process can exit and @@ -898,6 +984,7 @@ static int attach_child_main(void* data) { struct attach_clone_payload* payload = (struct attach_clone_payload*)data; int ipc_socket = payload->ipc_socket; + int procfd = payload->procfd; lxc_attach_options_t* options = payload->options; struct lxc_proc_context_info* init_ctx = payload->init_ctx; #if HAVE_SYS_PERSONALITY_H 
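Review bot: `procfd` in the @@ -833,6 +911,13 @@ hunk is opened without `O_CLOEXEC`, although it refers to the caller's /proc and is opened just before the process joins the container's namespaces. The child closes it right before `exec_function`, but any path that execs earlier would inherit it; `procfd = open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC);` costs nothing. The visible hunks also show no `close(procfd)` in the parent or intermediate process, so it is worth confirming that the later error and exit paths of lxc_attach release it. Those paths lie outside the hunks shown.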
@@ -1038,21 +1125,11 @@ static int attach_child_main(void* data) close(ipc_socket); /* set new apparmor profile/selinux context */ - if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) { + if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { int on_exec; - int proc_mounted; on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; - proc_mounted = mount_proc_if_needed("/"); - if (proc_mounted == -1) { - ERROR("Error mounting a sane /proc"); - rexit(-1); - } - ret = lsm_process_label_set(init_ctx->lsm_label, - init_ctx->container->lxc_conf, 0, on_exec); - if (proc_mounted) - umount("/proc"); - if (ret < 0) { + if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) { rexit(-1); } } @@ -1103,6 +1180,9 @@ static int attach_child_main(void* data) } } + /* we don't need proc anymore */ + close(procfd); + /* we're done, so we can now do whatever the user intended us to do */ rexit(payload->exec_function(payload->exec_payload)); } -- 2.4.5 ++++++ attach-mount-a-sane-prox-for-LSM-setup.patch ++++++ 
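Review bot: With the added `&& init_ctx->lsm_label`, the whole block is skipped when no label was read, even though the caller asked for `LXC_ATTACH_LSM`. The attached process then keeps whatever confinement it inherited, and nothing is logged. If a missing label is legitimate (for example no LSM is active; lsm_label is filled in outside this hunk), an `INFO(...)` saying so would help; otherwise this should fail closed with `rexit(-1)`. Separately, procfd stays open from here until the `close(procfd)` in the @@ -1103,6 +1180,9 @@ hunk. Closing it directly after this block would shorten the time a host /proc descriptor is held inside the container's namespaces, provided nothing in between uses it, which cannot be seen from here.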
From: Serge Hallyn <[email protected]> Date: Sun, 17 May 2015 13:04:47 +0000 Subject: attach: mount a sane prox for LSM setup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: no References: bnc#938523 To set lsm labels, a namespace-local proc mount is needed. If a container does not have a lxc.mount.auto = proc set, then tasks in the container do not have a correct /proc mount until init feels like doing the mount. At startup we handlie this by mounting a temporary /proc if needed. We weren't doing this at attach, though, so that lxc-start -n $container lxc-wait -t 5 -s RUNNING -n $container lxc-attach -n $container -- uname -a could in a racy way fail with something like lxc-attach: lsm/apparmor.c: apparmor_process_label_set: 183 No such file or directory - failed to change apparmor profile to lxc-container-default Thanks to Chris Townsend for finding this bug at https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1452451 Signed-off-by: Serge Hallyn <[email protected]> Acked-by: Stéphane Graber <[email protected]> Signed-off-by: Jiri Slaby <[email protected]> --- src/lxc/attach.c | 8 ++++++++ src/lxc/conf.c | 44 +------------------------------------------- src/lxc/utils.c | 43 +++++++++++++++++++++++++++++++++++++++++++ src/lxc/utils.h | 1 + 4 files changed, 53 insertions(+), 43 deletions(-) --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -1040,10 +1040,18 @@ static int attach_child_main(void* data) /* set new apparmor profile/selinux context */ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) { int on_exec; + int proc_mounted; on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; + proc_mounted = mount_proc_if_needed("/"); + if (proc_mounted == -1) { + ERROR("Error mounting a sane /proc"); + rexit(-1); + } ret = lsm_process_label_set(init_ctx->lsm_label, init_ctx->container->lxc_conf, 0, on_exec); + if (proc_mounted) + umount("/proc"); if (ret < 0) { rexit(-1); } 
--- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -3545,48 +3545,6 @@ int ttys_shift_ids(struct lxc_conf *c) return 0; } -/* - * _do_tmp_proc_mount: Mount /proc inside container if not already - * mounted - * - * @rootfs : the rootfs where proc should be mounted - * - * Returns < 0 on failure, 0 if the correct proc was already mounted - * and 1 if a new proc was mounted. - */ -static int do_tmp_proc_mount(const char *rootfs) -{ - char path[MAXPATHLEN]; - char link[20]; - int linklen, ret; - - ret = snprintf(path, MAXPATHLEN, "%s/proc/self", rootfs); - if (ret < 0 || ret >= MAXPATHLEN) { - SYSERROR("proc path name too long"); - return -1; - } - memset(link, 0, 20); - linklen = readlink(path, link, 20); - INFO("I am %d, /proc/self points to '%s'", getpid(), link); - ret = snprintf(path, MAXPATHLEN, "%s/proc", rootfs); - if (linklen < 0) /* /proc not mounted */ - goto domount; - /* can't be longer than rootfs/proc/1 */ - if (strncmp(link, "1", linklen) != 0) { - /* wrong /procs mounted */ - umount2(path, MNT_DETACH); /* ignore failure */ - goto domount; - } - /* the right proc is already mounted */ - return 0; - -domount: - if (mount("proc", path, "proc", 0, NULL)) - return -1; - INFO("Mounted /proc in container for security transition"); - return 1; -} - int tmp_proc_mount(struct lxc_conf *lxc_conf) { int mounted; @@ -3598,7 +3556,7 @@ int tmp_proc_mount(struct lxc_conf *lxc_ } else mounted = 1; } else - mounted = do_tmp_proc_mount(lxc_conf->rootfs.mount); + mounted = mount_proc_if_needed(lxc_conf->rootfs.mount); if (mounted == -1) { SYSERROR("failed to mount /proc in the container."); return -1; --- a/src/lxc/utils.c +++ b/src/lxc/utils.c 
@@ -1656,3 +1656,46 @@ int setproctitle(char *title) return ret; } + +/* + * Mount a proc under @rootfs if proc self points to a pid other than + * my own. This is needed to have a known-good proc mount for setting + * up LSMs both at container startup and attach. + * + * @rootfs : the rootfs where proc should be mounted + * + * Returns < 0 on failure, 0 if the correct proc was already mounted + * and 1 if a new proc was mounted. + */ +int mount_proc_if_needed(const char *rootfs) +{ + char path[MAXPATHLEN]; + char link[20]; + int linklen, ret; + + ret = snprintf(path, MAXPATHLEN, "%s/proc/self", rootfs); + if (ret < 0 || ret >= MAXPATHLEN) { + SYSERROR("proc path name too long"); + return -1; + } + memset(link, 0, 20); + linklen = readlink(path, link, 20); + INFO("I am %d, /proc/self points to '%s'", getpid(), link); + ret = snprintf(path, MAXPATHLEN, "%s/proc", rootfs); + if (linklen < 0) /* /proc not mounted */ + goto domount; + /* can't be longer than rootfs/proc/1 */ + if (strncmp(link, "1", linklen) != 0) { + /* wrong /procs mounted */ + umount2(path, MNT_DETACH); /* ignore failure */ + goto domount; + } + /* the right proc is already mounted */ + return 0; + +domount: + if (mount("proc", path, "proc", 0, NULL)) + return -1; + INFO("Mounted /proc in container for security transition"); + return 1; +} --- a/src/lxc/utils.h +++ b/src/lxc/utils.h @@ -287,3 +287,4 @@ bool switch_to_ns(pid_t pid, const char int is_dir(const char *path); char *get_template_path(const char *t); int setproctitle(char *title); +int mount_proc_if_needed(const char *rootfs); ++++++ lxc-1.0.7-fix-bashisms.patch ++++++ --- /var/tmp/diff_new_pack.ymXkbN/_old 2015-07-27 09:13:53.000000000 +0200 +++ /var/tmp/diff_new_pack.ymXkbN/_new 2015-07-27 09:13:53.000000000 +0200 
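Review bot: The header comment on mount_proc_if_needed says it mounts when /proc/self points to a pid "other than my own", but the code compares the link with the literal "1" (`strncmp(link, "1", linklen)`). That matches only when the caller is the container's init. From the attach call site added in attach.c the caller is presumably not pid 1 (an inference; the pid is not visible here), so an already correct /proc would be lazily unmounted and remounted. Either the comment should say "pid 1" and the helper stay limited to startup, or the comparison should be made against `getpid()`. In addition, `readlink(path, link, 20)` can fill the buffer without a terminating NUL before it is printed with `%s`; passing `sizeof(link) - 1` avoids that.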
@@ -1,60 +1,23 @@ -diff -Ndur lxc-1.0.7/config/init/sysvinit/lxc lxc-1.0.7-fix-bashisms/config/init/sysvinit/lxc ---- lxc-1.0.7/config/init/sysvinit/lxc 2014-12-05 22:50:37.000000000 +0200 -+++ lxc-1.0.7-fix-bashisms/config/init/sysvinit/lxc 2014-12-28 00:33:22.878089828 +0200 -@@ -85,6 +85,8 @@ - done - } +--- + config/init/sysvinit/lxc-containers.in | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/config/init/sysvinit/lxc-containers.in ++++ b/config/init/sysvinit/lxc-containers.in +@@ -29,12 +29,14 @@ if ! type action >/dev/null 2>&1; then + } + fi +. /usr/bin/gettext.sh + - # See how we were called. - case "$1" in - start) -@@ -98,7 +100,7 @@ - # Start containers - wait_for_bridge - # Start autoboot containers first then the NULL group "onboot,". -- action $"Starting LXC autoboot containers: " "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS -+ action "$(eval_gettext "Starting LXC autoboot containers: ")" "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS - touch "$localstatedir"/lock/subsys/lxc - ;; - stop) -@@ -110,7 +112,7 @@ - # The stop is serialized and can take excessive time. We need to avoid - # delaying the system shutdown / reboot as much as we can since it's not - # parallelized... Even 5 second timout may be too long. 
-- action $"Stopping LXC containers: " "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY -+ action "$(eval_gettext "Stopping LXC containers: ")" "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY - rm -f "$localstatedir"/lock/subsys/lxc - ;; - restart|reload|force-reload) -diff -Ndur lxc-1.0.7/config/init/sysvinit/lxc.in lxc-1.0.7-fix-bashisms/config/init/sysvinit/lxc.in ---- lxc-1.0.7/config/init/sysvinit/lxc.in 2014-12-05 22:50:20.000000000 +0200 -+++ lxc-1.0.7-fix-bashisms/config/init/sysvinit/lxc.in 2014-12-28 00:32:48.532092151 +0200 -@@ -85,6 +85,8 @@ - done + start() { +- action $"Starting LXC autoboot containers: " @LIBEXECDIR@/lxc/lxc-containers start ++ action "$(eval_gettext "Starting LXC autoboot containers: ")" @LIBEXECDIR@/lxc/lxc-containers start + } + + stop() { +- action $"Stopping LXC containers: " @LIBEXECDIR@/lxc/lxc-containers stop ++ action "$(eval_gettext "Stopping LXC containers: ")" @LIBEXECDIR@/lxc/lxc-containers stop } -+. /usr/bin/gettext.sh -+ # See how we were called. - case "$1" in - start) -@@ -98,7 +100,7 @@ - # Start containers - wait_for_bridge - # Start autoboot containers first then the NULL group "onboot,". -- action $"Starting LXC autoboot containers: " "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS -+ action "$(eval_gettext "Starting LXC autoboot containers: ")" "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS - touch "$localstatedir"/lock/subsys/lxc - ;; - stop) -@@ -110,7 +112,7 @@ - # The stop is serialized and can take excessive time. We need to avoid - # delaying the system shutdown / reboot as much as we can since it's not - # parallelized... Even 5 second timout may be too long. -- action $"Stopping LXC containers: " "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY -+ action "$(eval_gettext "Stopping LXC containers: ")" "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY - rm -f "$localstatedir"/lock/subsys/lxc - ;; - restart|reload|force-reload) ++++++ lxc-1.0.7.tar.gz -> lxc-1.1.2.tar.gz ++++++ ++++ 22028 lines of diff (skipped)
