[lxc-devel] [lxc/lxc] 6ce8e6: attach: set no_new_privs flag after LSM label
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 6ce8e67825258fe8a38b057b1459a4f35e4b39bb
https://github.com/lxc/lxc/commit/6ce8e67825258fe8a38b057b1459a4f35e4b39bb
Author: Alexander Livenets
Date: 2020-06-30 (Tue, 30 Jun 2020)

Changed paths:
M src/lxc/attach.c

Log Message:
---
attach: set no_new_privs flag after LSM label

In `start.c:1284`, no_new_privs flag is set after LSM label is set.
Also, in `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving `PR_SET_NO_NEW_PRIVS` set logic after LSM for the process is configured;

Closes #3393

Signed-off-by: Alexander Livenets

Commit: f88d8e68b0c4c3c061fa828ae8c0742326c213b4
https://github.com/lxc/lxc/commit/f88d8e68b0c4c3c061fa828ae8c0742326c213b4
Author: Christian Brauner
Date: 2020-06-30 (Tue, 30 Jun 2020)

Changed paths:
M src/lxc/attach.c

Log Message:
---
Merge pull request #3466 from alivenets/fix-no-new-privs

attach: set no_new_privs flag after LSM label

Compare: https://github.com/lxc/lxc/compare/7c8b10e515c7...f88d8e68b0c4
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] Errored: lxc/lxc#7759 (master - f88d8e6)
Build Update for lxc/lxc

Build: #7759
Status: Errored
Duration: 14 mins and 5 secs
Commit: f88d8e6 (master)
Author: Christian Brauner
Message: Merge pull request #3466 from alivenets/fix-no-new-privs
attach: set no_new_privs flag after LSM label

View the changeset: https://github.com/lxc/lxc/compare/7c8b10e515c7...f88d8e68b0c4
View the full build log and details: https://travis-ci.org/github/lxc/lxc/builds/703445900?utm_medium=notification&utm_source=email
[lxc-devel] [lxc/master] templates/lxc-download.in: fix wrong if-condition
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3468 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Use the result of the gpg command, not the result when executing the result of the gpg command. In my understanding, we want to execute the gpg command and use its return code. We do not want to execute the gpg command, then collect its output, execute that and then return the exit code from that command. From 18e18d4c31d39f12c87044db6d2d2f03163c8171 Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Tue, 30 Jun 2020 18:51:20 +0200 Subject: [PATCH] templates/lxc-download.in: fix wrong if condition (use the result of the gpg command, not the result when executing the result of the gpg command) Signed-off-by: Johannes Kastl --- templates/lxc-download.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/lxc-download.in b/templates/lxc-download.in index 58d063f4c2..f69b18fd42 100644 --- a/templates/lxc-download.in +++ b/templates/lxc-download.in @@ -134,8 +134,8 @@ gpg_setup() { success= for _ in $(seq 3); do -if $(gpg --keyserver "${DOWNLOAD_KEYSERVER}" ${DOWNLOAD_GPG_PROXY:-} \ - --recv-keys "${DOWNLOAD_KEYID}" >/dev/null 2>&1); then +if gpg --keyserver "${DOWNLOAD_KEYSERVER}" ${DOWNLOAD_GPG_PROXY:-} \ + --recv-keys "${DOWNLOAD_KEYID}" >/dev/null 2>&1; then success=1 break fi ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
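Review bot: On the changed `if gpg ... >/dev/null 2>&1; then` lines, the subject calls this a fix for a wrong condition, but the old `$( ... )` sent both stdout and stderr to /dev/null, so the substitution expanded to nothing and the `if` already took gpg's exit status. This is a cleanup rather than a behaviour change, and the commit message should say so. While these lines are open, consider not discarding stderr (for example capturing it and printing it once the `seq 3` retries are exhausted), since as written a keyserver failure leaves no diagnostic.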
[lxc-devel] [lxc/master] templates/lxc-download.in: use GPG option "--receive-keys"
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3469 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Using the option --recv-keys I get an error on openSUSE Tumbleweed which has `gpg2-2.2.20-1.2.x86_64`. Not sure if this needs to be set differently for older systems, that do not have a recent gpg2 and thus might require the old behaviour. From b9757e26c9286b63d27d3d8f9f441c24025853b3 Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Tue, 30 Jun 2020 19:13:04 +0200 Subject: [PATCH] templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys Signed-off-by: Johannes Kastl --- templates/lxc-download.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-download.in b/templates/lxc-download.in index 58d063f4c2..60ad7dbc86 100644 --- a/templates/lxc-download.in +++ b/templates/lxc-download.in @@ -135,7 +135,7 @@ gpg_setup() { success= for _ in $(seq 3); do if $(gpg --keyserver "${DOWNLOAD_KEYSERVER}" ${DOWNLOAD_GPG_PROXY:-} \ - --recv-keys "${DOWNLOAD_KEYID}" >/dev/null 2>&1); then + --receive-keys "${DOWNLOAD_KEYID}" >/dev/null 2>&1); then success=1 break fi ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
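Review bot: The changed line switches to `--receive-keys` unconditionally, while the description itself leaves open whether older gpg releases accept that spelling; either confirm the minimum gpg version the template supports or fall back to `--recv-keys` when the first form fails. The context line still shows `if $(gpg ...` and the index base is `58d063f4c2`, the same base as the if-condition patch to this file, so this will need a rebase once that one lands.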
[lxc-devel] lxc-create using download template errors out in GPG validation on openSUSE MicroOS with read-only filesystem
Hi guys,

I tried to use the latest LXC 4.0.x package from openSUSE on a machine with openSUSE MicroOS. Basically MicroOS is an openSUSE Tumbleweed installed with a read-only root file system.

For some reason it errors out in the GPG validation step.

This one fails:
> lxc-create -n testcontainer -B btrfs -t download -- -d centos -r 7 -a x86_64

This one succeeds:
> lxc-create -n testcontainer -B btrfs -t download -- -d centos -r 7 -a x86_64 --no-validate

I traced it down to this command:
> https://github.com/lxc/lxc/blob/master/templates/lxc-download.in#L137
> echo "Setting up the GPG keyring"
>
> mkdir -p "${DOWNLOAD_TEMP}/gpg"
> chmod 700 "${DOWNLOAD_TEMP}/gpg"
> export GNUPGHOME="${DOWNLOAD_TEMP}/gpg"
>
> success=
> for _ in $(seq 3); do
>     if $(gpg --keyserver "${DOWNLOAD_KEYSERVER}" ${DOWNLOAD_GPG_PROXY:-} \
>             --recv-keys "${DOWNLOAD_KEYID}" >/dev/null 2>&1); then
>         success=1
>         break
>     fi
>     break
> done
>
> if [ -z "${success}" ]; then
>     echo "ERROR: Unable to fetch GPG key from keyserver"
>     exit 1
> fi

I created a PR to fix the (IMHO and on first glance) wrong if condition (https://github.com/lxc/lxc/pull/3468), but the error still persists.

I have created another PR to use the "--receive-keys" option instead of "--recv-keys":
> https://github.com/lxc/lxc/pull/3469

Otherwise I get the following error (I removed the /dev/null part for debugging):
> Setting up the GPG keyring
> gpg: Note: '--receive-keys' is not considered an option

I did the debugging on a normal Tumbleweed, so I have to still test this on the MicroOS machine, I will report back. But at least a file containing both changes worked on my Tumbleweed machine...

Kind Regards,
Johannes

--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: ka...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
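An added example, not part of the original post or of LXC: it compares the three shapes of the `if` condition discussed in this thread, using a constructed stand-in for the key fetch (`fake_fetch`, `fetch_output_was_run` and the `check_*` helpers are hypothetical names). It shows that discarding all output makes `if $(...)` and the plain command agree on exit status, while keeping stdout makes the shell execute whatever the fetch printed and report that command's status instead.

```shell
#!/bin/sh
# Constructed stand-in for the keyserver fetch (not gpg, not LXC code):
# prints one line on stdout and exits with the status passed as $1.
fake_fetch() {
    printf '%s\n' "fetch_output_was_run"
    return "$1"
}

# Hypothetical marker: set only if the fetch's output is executed as a command.
OUTPUT_EXECUTED=0
fetch_output_was_run() { OUTPUT_EXECUTED=1; }

report() { echo "$1 output_executed=${OUTPUT_EXECUTED}"; }

# Form A: substitution with stdout kept. The shell runs the printed text,
# and the `if` sees the status of that text, not the status of fake_fetch.
check_subst_with_output() {
    OUTPUT_EXECUTED=0
    if $(fake_fetch "$1"); then report success; else report failure; fi
}

# Form B: substitution with all output discarded (the shape quoted above).
# The expansion is empty, so the status is that of the substitution itself.
check_subst_discarded() {
    OUTPUT_EXECUTED=0
    if $(fake_fetch "$1" >/dev/null 2>&1); then report success; else report failure; fi
}

# Form C: plain command, the shape used in PR 3468.
check_direct() {
    OUTPUT_EXECUTED=0
    if fake_fetch "$1" >/dev/null 2>&1; then report success; else report failure; fi
}

# Run every form against a failing (1) and a succeeding (0) fetch.
for status in 1 0; do
    for form in check_subst_with_output check_subst_discarded check_direct; do
        echo "${form} fetch_exit=${status}: $(${form} "${status}")"
    done
done
```

Form A is the case to guard against in a download script: a failed fetch is reported as success, and text that came from the network-facing command is run by the shell.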
[lxc-devel] [lxc/lxc] 18e18d: templates/lxc-download.in: fix wrong if condition ...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 18e18d4c31d39f12c87044db6d2d2f03163c8171
https://github.com/lxc/lxc/commit/18e18d4c31d39f12c87044db6d2d2f03163c8171
Author: Johannes Kastl
Date: 2020-06-30 (Tue, 30 Jun 2020)

Changed paths:
M templates/lxc-download.in

Log Message:
---
templates/lxc-download.in: fix wrong if condition (use the result of the gpg command, not the result when executing the result of the gpg command)

Signed-off-by: Johannes Kastl

Commit: eb44984ae51bc17650c0ba82c0431a209be51631
https://github.com/lxc/lxc/commit/eb44984ae51bc17650c0ba82c0431a209be51631
Author: Johannes Kastl
Date: 2020-06-30 (Tue, 30 Jun 2020)

Changed paths:
M templates/lxc-download.in

Log Message:
---
templates/lxc-download.in: make shellcheck happy

Signed-off-by: Johannes Kastl

Commit: 5408652de4728a61de01981b0541f470b46fd197
https://github.com/lxc/lxc/commit/5408652de4728a61de01981b0541f470b46fd197
Author: Stéphane Graber
Date: 2020-06-30 (Tue, 30 Jun 2020)

Changed paths:
M templates/lxc-download.in

Log Message:
---
Merge pull request #3468 from johanneskastl/20200630_Kastl_fix_shell_download_template

templates/lxc-download.in: fix wrong if-condition

Compare: https://github.com/lxc/lxc/compare/f88d8e68b0c4...5408652de472
[lxc-devel] [lxd/master] lxd/storage: Fix regression in truncate handling
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7600 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber From 7f28fe06cf7888589e8d4fdaa65d537490c45438 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 30 Jun 2020 16:17:27 -0400 Subject: [PATCH] lxd/storage: Fix regression in truncate handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/storage/drivers/utils.go | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lxd/storage/drivers/utils.go b/lxd/storage/drivers/utils.go index 988bf98208..d4539b693b 100644 --- a/lxd/storage/drivers/utils.go +++ b/lxd/storage/drivers/utils.go @@ -295,17 +295,12 @@ func deleteParentSnapshotDirIfEmpty(poolName string, volType VolumeType, volName // ensureSparseFile creates a sparse empty file at specified location with specified size. // If the path already exists, the file is truncated to the requested size. func ensureSparseFile(filePath string, sizeBytes int64) error { - f, err := os.Create(filePath) + f, err := os.OpenFile(filePath, os.O_RDWR|os.O_CREATE, 0600) if err != nil { return errors.Wrapf(err, "Failed to open %s", filePath) } defer f.Close() - err = f.Chmod(0600) - if err != nil { - return errors.Wrapf(err, "Failed to chmod %s", filePath) - } - err = f.Truncate(sizeBytes) if err != nil { return errors.Wrapf(err, "Failed to create sparse file %s", filePath) ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
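Review bot: With `f.Chmod(0600)` removed, the mode is only applied through the `os.OpenFile(filePath, os.O_RDWR|os.O_CREATE, 0600)` argument, which takes effect when the file is created, so a file that already exists at `filePath` with wider permissions now keeps them. If `ensureSparseFile` is meant to guarantee owner-only access for existing files as well, keep the `Chmod` call after the open. The commit message should also state that the point of dropping `os.Create` is to stop truncating an existing file to zero before `f.Truncate(sizeBytes)`, since the subject alone does not say what regressed.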
[lxc-devel] Errored: lxc/lxc#7764 (master - 5408652)
Build Update for lxc/lxc

Build: #7764
Status: Errored
Duration: 10 mins and 37 secs
Commit: 5408652 (master)
Author: Stéphane Graber
Message: Merge pull request #3468 from johanneskastl/20200630_Kastl_fix_shell_download_template
templates/lxc-download.in: fix wrong if-condition

View the changeset: https://github.com/lxc/lxc/compare/f88d8e68b0c4...5408652de472
View the full build log and details: https://travis-ci.org/github/lxc/lxc/builds/703670289?utm_medium=notification&utm_source=email
[lxc-devel] Passed: lxc/lxc#7764 (master - 5408652)
Build Update for lxc/lxc

Build: #7764
Status: Passed
Duration: 10 mins and 8 secs
Commit: 5408652 (master)
Author: Stéphane Graber
Message: Merge pull request #3468 from johanneskastl/20200630_Kastl_fix_shell_download_template
templates/lxc-download.in: fix wrong if-condition

View the changeset: https://github.com/lxc/lxc/compare/f88d8e68b0c4...5408652de472
View the full build log and details: https://travis-ci.org/github/lxc/lxc/builds/703670289?utm_medium=notification&utm_source=email