Hello community,

here is the log from the commit of package lxc for openSUSE:Factory checked in at 2019-04-08 20:53:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lxc (Old)
 and      /work/SRC/openSUSE:Factory/.lxc.new.3908 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc" Mon Apr 8 20:53:31 2019 rev:83 rq:692121 version:3.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2019-02-08 12:15:38.869418841 +0100 +++ /work/SRC/openSUSE:Factory/.lxc.new.3908/lxc.changes 2019-04-08 20:53:32.594568671 +0200 
@@ -1,0 +2,47 @@ +Sun Apr 7 07:20:48 UTC 2019 - Aleksa Sarai <[email protected]> + +- Avoid wrong permissions warning by conditionally setting the setuid bit based + on what version of permissions is available in that distribution (makes no + difference but results in less confusion to users). + +------------------------------------------------------------------- +Mon Apr 1 07:00:41 UTC 2019 - Aleksa Sarai <[email protected]> + +- Fix builds on SLE12, by depending on apparmor-profiles instead of + apparmor-abstractions. In addition, remove the Requires on abstractions. + +------------------------------------------------------------------- +Fri Mar 29 09:14:06 UTC 2019 - Jan Engelhardt <[email protected]> + +- Trim project history from package description. + +------------------------------------------------------------------- +Tue Mar 26 02:04:57 UTC 2019 - Aleksa Sarai <[email protected]> + +- Update to LXC 3.1.0. The changelog is far too long to include here, please + look at the changelogs posted on https://linuxcontainers.org/. boo#1131762 + * Includes fixes for CVE-2019-5736 bsc#1122185. + + pam_cgfs is now provided by this package, since upstream has moved the + sources to LXC (it used to be part of lxcfs). + * All of the patches have been upstreamed or are no longer relevant: + - 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch + - 0001-utils-add-LXC_PROC_PID_FD_LEN.patch + - 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch + - 0001-Backport-autodev-fix-from-lxc-master.patch + - 0001-PyOS_AfterFork-python3.7.patch +- Add a warning if lxc-user-nic is not setuid after set_permissions, to ensure + users actually read the warning (which means we get to remove README.SUSE). + It also supports people using paranoid mode, which is why it's done in + post-install and isn't packaged. 
boo#988348 +- Quite a lot of the runtime helpers and configuration have been moved to + liblxc, in order to allow LXD to make use of them (because, in truth, they + were always a requirement of liblxc and not just the lxc-* tools). +- Add workaround for pre-15 distros, where _sharedstatedir was inexplicably + /usr/com, to use the correct directory of /var/lib. + +------------------------------------------------------------------- +Tue Mar 26 00:09:22 UTC 2019 - Aleksa Sarai <[email protected]> + +- Rework packaging to be a more modern openSUSE-style. + +------------------------------------------------------------------- Old: ---- 0001-Backport-autodev-fix-from-lxc-master.patch 0001-PyOS_AfterFork-python3.7.patch 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch 0001-utils-add-LXC_PROC_PID_FD_LEN.patch README.SUSE lxc-2.0.9.tar.gz lxc-2.0.9.tar.gz.asc openSUSE_apparmor_mount.conf New: ---- lxc-3.1.0.tar.gz lxc-3.1.0.tar.gz.asc openSUSE-apparmor.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ --- /var/tmp/diff_new_pack.oDKKTq/_old 2019-04-08 20:53:33.734569508 +0200 +++ /var/tmp/diff_new_pack.oDKKTq/_new 2019-04-08 20:53:33.738569511 +0200 
@@ -15,85 +15,111 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # +# On pre-15 SLE versions, _sharedstatedir was /usr/com -- which is just wrong. +%if 0%{suse_version} < 1500 +%define _sharedstatedir /var/lib +%endif + +# In later versions of openSUSE's permissions config, lxc-user-nic was +# whitelisted with a setuid bit enabled -- but in order to allow building on +# old distros we must not make it setuid on pre-15.1 distros. See bsc#988348. +%if 0%{suse_version} >= 1510 +%define setuid_mode 04750 +%else +%define setuid_mode 0750 +%endif + +%define _pre_update_message(B:S:n:) \ + %%define um_pkgname %{?-n:%{-n*}}%{!?-n:%{name}} \ + %%define um_suffix %{?-S:%{-S*}}%{!?-S:untitled} \ + %%define um_prefix %{?-B:%{buildroot}}/var/adm/update-messages/%{um_pkgname}-%{version}-%{release}- \ + %%define um_path %{um_prefix}%{um_suffix}.txt + +# add_update_message [-aB] [-S <suffix=untitled>] [-n <pkgname={name}>] +# Adds new update message with the given suffix and package name. +# Use -B to apply to the {buildroot} rather than the host system. +%define add_update_message(BS:n:) ( \ + %{expand:%_pre_update_message %{-B} %{-S} %{-n}} \ + tee >>%{um_path} ) + +# del_update_messages [-B] [-n <pkgname={name}>] +# Delete all update-messages that exist for the given package. +# Use -B to apply to the {buildroot} rather than the host system. 
+%define del_update_messages(Bn:) ( \ + %{expand:%_pre_update_message -S * %{-B} %{-n}} \ + ( shopt -s nullglob ; rm -f -- %{um_path} ) ) %define shlib_version 1 Name: lxc -Version: 2.0.9 +Version: 3.1.0 Release: 0 Url: http://linuxcontainers.org/ Summary: Userspace tools for Linux kernel containers License: LGPL-2.1-or-later Group: System/Management -Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz -Source1: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc +Source: https://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz +Source1: https://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz.asc Source2: %{name}.keyring Source3: lxc-createconfig.in -Source4: README.SUSE -Source5: openSUSE_apparmor_mount.conf -# PATCH-FIX-UPSTREAM: 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch (boo#1099239) -Patch0: 0001-apparmor-Allow-usr-lib-paths-for-mount-and-pivot_roo.patch -Patch1: 0001-utils-add-LXC_PROC_PID_FD_LEN.patch -Patch2: 0001-lxc-user-nic-verify-file-descriptor-stable-2.0.patch -Patch3: 0001-Backport-autodev-fix-from-lxc-master.patch -Patch4: 0001-PyOS_AfterFork-python3.7.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build - -BuildRequires: docbook-utils -BuildRequires: docbook2x -BuildRequires: fdupes -BuildRequires: git +Source90: openSUSE-apparmor.conf +BuildRequires: gcc +BuildRequires: automake +BuildRequires: libtool +BuildRequires: pkg-config +BuildRequires: libgnutls-devel BuildRequires: libapparmor-devel +BuildRequires: libselinux-devel BuildRequires: libcap-devel +BuildRequires: pam-devel %ifarch %ix86 x86_64 BuildRequires: libseccomp-devel %endif BuildRequires: libxslt -BuildRequires: linux-glibc-devel -BuildRequires: lsb-release -BuildRequires: pkg-config -BuildRequires: python3-devel - -%if 0%{?suse_version} >= 1320 -BuildRequires: automake -BuildRequires: libtool -%endif - -%if 0%{?suse_version} >= 1210 +BuildRequires: fdupes +BuildRequires: 
docbook-utils +BuildRequires: docbook2x +BuildRequires: bash-completion BuildRequires: systemd -%endif - -Requires: apparmor-abstractions Requires: libcap-progs Requires: lxcfs +Requires: lxcfs-hooks-lxc Requires: rsync - %{?systemd_requires} -# needed to create openSUSE containers using template +# Needed to create openSUSE containers using template. Recommends: build Recommends: criu >= 2.0 %description -LXC provides commands to create and manage containers. Current LXC uses the -following kernel features to contain processes: -- Kernel namespaces (ipc, uts, mount, pid, network and user) -- Apparmor and SELinux profiles -- Seccomp policies -- Chroots (using pivot_root) -- Kernel capabilities -- CGroups (control groups) -LXC containers are often considered as something in the middle between a chroot -and a full fledged virtual machine. The goal of LXC is to create an environment -as close as possible to a standard Linux installation but without the need for a -separate kernel. +LXC is the well-known and heavily tested low-level Linux container runtime. + +%package -n pam_cgfs +Summary: PAM module to provide unprivileged cgroupfs +License: LGPL-2.1-only +Group: System/Libraries +Supplements: lxc + +%description -n pam_cgfs +When a user logs in, this PAM module will create cgroups which the user may +administer, either for all controllers or for any controllers listed on the +command line. %package -n liblxc%{shlib_version} -PreReq: permissions Summary: LXC container runtime library License: LGPL-2.1-only Group: System/Libraries +Requires(pre): permissions +Requires(post): permissions +# Older SLE versions didn't have -abstractions but instead had -profiles +# (though Leap has -abstractions regardless of it being based on SLE). We only +# need them to not have to own /etc/apparmor.d/abstractions. 
+%if 0%{?is_opensuse} || %{?suse_version} >= 1500 +BuildRequires: apparmor-abstractions +%else +BuildRequires: apparmor-profiles +%endif %description -n liblxc%{shlib_version} -Provides the LXC container runtime library. +This package provides the LXC container runtime library. %package -n liblxc-devel Summary: LXC container runtime library development files 
@@ -102,57 +128,56 @@ Requires: liblxc%{shlib_version} = %version %description -n liblxc-devel -Provides the LXC container runtime library development files +This package provides the LXC container runtime library development files. + +%package bash-completion +Summary: Bash Completion for %{name} +Group: System/Management +Requires: %{name} = %{version} +Supplements: packageand(%{name}:bash-completion) +BuildArch: noarch + +%description bash-completion +Bash command line completion support for %{name}. %prep %setup -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %build -chmod 755 configure -%if 0%{?suse_version} >= 1320 -sed -i 's/-Werror"/-Werror -Wno-error=format-truncation"/g' configure.ac -%define _configure ./autogen.sh -PATH=$PATH:/usr/sbin:/sbin %configure - -%define _configure ./configure -%endif -%configure --disable-examples \ +./autogen.sh +%configure \ + --enable-pam \ + --disable-static \ + --disable-examples \ --disable-rpath \ --with-init-script=systemd \ --with-systemdsystemunitdir=%{_unitdir} make %{?_smp_mflags} -cp %{SOURCE4} . -# remove lxc-user-nic from README as it is not longer necessary in Tumbleweed -%if 0%{?suse_version} >= 1550 -sed -i '/=== lxc-user-nic ===/,+4d' ./README.SUSE -%endif -cp %{SOURCE5} . -rm -rf .doc -mkdir -p .doc/examples -cp doc/examples/*.conf .doc/examples + +# openSUSE-specific templated files. 
+./config.status --file=lxc-createconfig:%{S:3} %install %make_install -install -d -m 755 %{buildroot}/var/lib/lxc -find %buildroot -type f -name '*.la' -delete -%if 0%{?suse_version} <= 1550 -chmod u-s %{buildroot}/%{_libexecdir}/%{name}/lxc-user-nic -%endif -./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:3} -chmod a+x %{buildroot}%{_bindir}/lxc-createconfig -ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc -ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc-net -cp %{SOURCE5} %{buildroot}/usr/share/lxc/config/common.conf.d/ -%fdupes %{buildroot}/%{_datadir}/%{name}/config/ - -# move bash-completion to correct place -install -d -m 755 %{buildroot}/usr/share/bash-completion/completions/ -mv -v %{buildroot}/etc/bash_completion.d/lxc %{buildroot}/usr/share/bash-completion/completions/ +install -d -m 0755 %{buildroot}%{_sharedstatedir}/%{name} + +# openSUSE-specific helpers and configuration. +install -D -m 0755 lxc-createconfig %{buildroot}%{_bindir}/lxc-createconfig +install -D -m 0644 %{S:90} %{buildroot}%{_datadir}/%{name}/config/common.conf.d/30-openSUSE-apparmor.conf + +# sysv-init compat wrappers. +ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} +ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-net + +# Ensure we install the bash-completion to the correct place -- on some SLE +# versions this is done for us by make_install, on others we need to do it +# manually. +install -D -m 0644 config/bash/lxc %{buildroot}%{_datadir}/bash-completion/completions/%{name} +rm -f %{buildroot}%{_sysconfdir}/bash_completion.d/%{name} + +# Clean up. +find %{buildroot} -type f -name '*.la' -delete +%fdupes %{buildroot} %pre %service_add_pre [email protected] lxc.service lxc-net.service 
@@ -170,76 +195,114 @@ %post -n liblxc%{shlib_version} /sbin/ldconfig -%set_permissions /usr/lib/lxc/lxc-user-nic +%set_permissions %{_libexecdir}/%{name}/lxc-user-nic + +# Remove any existing update messages if we're reinstalling. +[ "$1" -gt 1 ] && %{del_update_messages -n liblxc%{shlib_version}} ||: + +[ -u %{_libexecdir}/%{name}/lxc-user-nic ] || \ +%{add_update_message -n liblxc%{shlib_version} -S missing_setuid} <<EOF +%if 0%{suse_version} >= 1510 +NOTE: It appears you are running on a new-enough distribution that this warning + should not have appeared. If you are not using a "paranoid" profile, + please report this as a bug at <https://bugzilla.opensuse.org/>. + +%endif +Due to your /etc/permissions configuration (which might be caused by an +outdated permissions package), the lxc-user-nic helper binary has been +installed with a missing setuid bit. This setuid helper is required in order +for LXC unprivileged containers to operate, and has already been reviewed by +the SUSE security team and added to the Factory permissions setuid +whitelist[1]. -%postun -n liblxc%{shlib_version} -p /sbin/ldconfig +No action has been taken to fix this configuration problem (in case this was +intentional, and to avoid breaking openSUSE packaging guidelines), so your +administrator will have to fix this manually. + +In order to fix this, add the following line to /etc/permissions.local (this is +necessary to avoid losing the setuid bit during package updates or causing +audit warnings): + + %{_libexecdir}/%{name}/lxc-user-nic root:kvm 04750 + +and then add the setuid bit to the helper: + + chmod u+s %{_libexecdir}/%{name}/lxc-user-nic + +... or you can re-install liblxc%{shlib_version}. + +[1]: https://bugzilla.opensuse.org/show_bug.cgi?id=988348 +EOF + +%postun -n liblxc%{shlib_version} +/sbin/ldconfig +# Remove update messages if we're *uninstalling* but not reinstalling. 
+[ "$1" -eq 0 ] && %{del_update_messages -n liblxc%{shlib_version}} ||: %verifyscript -n liblxc%{shlib_version} -%verify_permissions -e /usr/lib/lxc/lxc-user-nic +%verify_permissions -e %{_libexecdir}/%{name}/lxc-user-nic %files %defattr(-,root,root) -%doc README doc/FAQ.txt -%doc README.SUSE +%doc doc/FAQ.txt + +# Configuration for LXC. %dir %{_sysconfdir}/%{name}/ %config %{_sysconfdir}/%{name}/default.conf %config(noreplace) %{_sysconfdir}/default/%{name} +%{_datadir}/%{name}/ -# On non 64bit versions of SUSE {_libdir} will be /usr/lib and thus equivalent -# to {_libexecdir}. Hence, the next directive would install everything in -# /usr/lib but we want to exclude some files because they get installed -# together with the liblxc subpackage on which lxc depends. -%dir %{_libdir}/%{name} -%{_libdir}/%{name}/rootfs - -%dir %{_libexecdir}/%{name} -%{_libexecdir}/%{name}/hooks -%{_libexecdir}/%{name}/lxc-containers -%{_libexecdir}/%{name}/lxc-net -%exclude %{_libexecdir}/%{name}/lxc-apparmor-load -%exclude %{_libexecdir}/%{name}/lxc-monitord -%exclude %{_libexecdir}/%{name}/lxc-user-nic - -%{_datadir}/%{name} -%dir /var/lib/lxc -%{_bindir}/%{name}-* +# Binaries, man pages, and service files. +%{_bindir}/lxc-* %{_sbindir}/init.lxc %{_sbindir}/rclxc %{_sbindir}/rclxc-net %{_mandir}/man[^3]/* -%_unitdir/%{name}.service -%_unitdir/%{name}-net.service -%_unitdir/%{name}@.service -%python3_sitearch/%{name}/ -%python3_sitearch/_%{name}* -/usr/share/bash-completion/completions/%{name} +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-net.service +%{_unitdir}/%{name}@.service + +# AppArmor profiles specifically for the lxc binaries. 
+%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-* + +%files -n pam_cgfs +%defattr(-,root,root) +/%{_lib}/security/pam_cgfs.so %files -n liblxc%{shlib_version} %defattr(-,root,root) -%{_libdir}/lib%{name}.so.* %doc AUTHORS MAINTAINERS %license COPYING -%doc .doc/examples -%dir %{_sysconfdir}/apparmor.d -%dir %{_sysconfdir}/apparmor.d/abstractions -%dir %{_sysconfdir}/apparmor.d/abstractions/lxc -%config %{_sysconfdir}/apparmor.d/abstractions/lxc/container-base -%config %{_sysconfdir}/apparmor.d/abstractions/lxc/start-container -%config %{_sysconfdir}/apparmor.d/lxc-containers +%{_libdir}/lib%{name}.so.* + +# In addition to liblxc, there are a bunch of configuration and runtime +# directories that are implicitly required by liblxc. We have to expose these +# here, as opposed to the lxc package so that LXD (and others) can make use of +# it. + +# Runtime-related directories. +%dir %{_libdir}/%{name} +%{_libdir}/%{name}/rootfs/ +%dir %{_sharedstatedir}/%{name} +%{_libexecdir}/%{name}/ +# Make sure lxc-user-nic has the right mode. +%attr(%{setuid_mode},root,kvm) %{_libexecdir}/%{name}/lxc-user-nic + +# AppArmor profiles and templates related to LXC. 
%dir %{_sysconfdir}/apparmor.d/lxc -%config %{_sysconfdir}/apparmor.d/lxc/lxc-default -%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-cgns -%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-mounting -%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-nesting -%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-start -%{_libexecdir}/%{name}/lxc-apparmor-load -%{_libexecdir}/%{name}/lxc-monitord -%attr(-,root,kvm)%{_libexecdir}/%{name}/lxc-user-nic +%dir %{_sysconfdir}/apparmor.d/abstractions/lxc +%config %{_sysconfdir}/apparmor.d/abstractions/lxc/* +%config %{_sysconfdir}/apparmor.d/lxc-* +%config %{_sysconfdir}/apparmor.d/lxc/* %files -n liblxc-devel %defattr(-,root,root) %{_libdir}/lib%{name}.so -%{_includedir}/%name +%{_includedir}/%name/ %{_libdir}/pkgconfig/%{name}.pc +%files bash-completion +%defattr(-,root,root) +%{_datadir}/bash-completion/ + %changelog ++++++ lxc-2.0.9.tar.gz -> lxc-3.1.0.tar.gz ++++++ ++++ 142155 lines of diff (skipped) ++++++ openSUSE-apparmor.conf ++++++ # workaround for lxc-start problem with apparmor lxc.aa_allow_incomplete = 1
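Review bot: the three new %if conditionals in hunk @@ -15,85 +15,111 @@ of lxc.spec are inconsistent about an undefined suse_version: `%if 0%{suse_version} < 1500` and `%if 0%{suse_version} >= 1510` omit the `?`, so an undefined macro is left unexpanded inside the expression, while `%if 0%{?is_opensuse} || %{?suse_version} >= 1500` has the `?` but omits the leading `0`, so an undefined macro leaves `|| >= 1500` with an empty operand; in both cases rpmbuild stops with a parse error rather than picking a mode. All three should use `0%{?suse_version}`, the form the rest of the spec already uses. Second, the comment above the new apparmor BuildRequires says the dependency exists only so the package does not have to own /etc/apparmor.d/abstractions, but a BuildRequires only satisfies the build-time check: with `Requires: apparmor-abstractions` removed, nothing guarantees that directory is owned on an installed system that has neither apparmor-abstractions nor apparmor-profiles, so either add a `%dir %{_sysconfdir}/apparmor.d/abstractions` entry to the liblxc file list or keep a runtime Requires on whichever package the %if selects.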
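Review bot: `%fdupes %{buildroot}` at the end of %install in hunk @@ -102,57 +128,56 @@ now deduplicates across the whole buildroot, where the old call was limited to `%{_datadir}/%{name}/config/`; fdupes replaces duplicates with hardlinks, so two identical files that land in different subpackages (the %files lists split /usr/share/lxc, /usr/lib/lxc and /etc/apparmor.d between lxc and liblxc%{shlib_version}) would be linked across package boundaries and break when only one of the subpackages is installed or updated. Either keep the call scoped to directories owned by a single subpackage, or use `%fdupes -s %{buildroot}` so duplicates become symlinks that survive a partial install.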
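Review bot: the new bash-completion subpackage in hunk @@ -170,76 +195,114 @@ lists `%{_datadir}/bash-completion/` as a whole, which makes it own /usr/share/bash-completion and its completions/ directory rather than just the one file installed by `install -D -m 0644 config/bash/lxc ...`; that directory belongs to the bash-completion package, so list `%{_datadir}/bash-completion/completions/%{name}` instead. In the liblxc%{shlib_version} file list, `%{_libexecdir}/%{name}/` already pulls in lxc-user-nic, and the following `%attr(%{setuid_mode},root,kvm) %{_libexecdir}/%{name}/lxc-user-nic` lists it a second time, so rpmbuild warns "File listed twice" and which entry's mode ends up in the package header is left to rpm rather than stated in the spec; since the whole point of setuid_mode is that this one file gets 04750 only on new enough distributions, make the `%attr` line the only entry that mentions lxc-user-nic (for example `%dir %{_libexecdir}/%{name}` plus explicit entries for the other helpers). Finally, `%if 0%{suse_version} >= 1510` inside the update-message heredoc in %post has the same missing `?` as the setuid_mode definition at the top of the spec and should read `0%{?suse_version}`.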
