Changelog for lxc-2.1.1-2.105.x86_64.rpm:
* Tue Oct 31 2017 opensuse_buildservice@ojkastl.de - This is the first bugfix release for LXC 2.1. Bugfixes:
* apparmor: Drop useless apparmor denies
* cgfsng: Check whether we have a conf
* cgfsng: Fail when limits fail to apply
* conf: Error out on too many mappings
* conf: Ignore lxc.kmsg and lxc.pivotdir
* conf: Make update warning opt-in
* conf: Preserve newlines in configuration file
* conf: Remove dead assignments in parse_idmaps()
* conf: Remove unnecessary zeroing
* conf: Use the proper type for rlim_t, fixing build failure on x32.
* console: Clean tty state + return 0 on peer exit
* console: Remove dead assignments
* core: Introduce userns_exec_full() and port the codebase to it
* criu: Use correct check initialization check
* doc: Add lxc.cgroup.dir to Japanese lxc.container.conf(5)
* doc: Add lxc-update-config manpage
* doc: Document missing env variables
* doc: Fix regex-typo in Japanese and Korean lxc-monitor(1)
* doc: Fix regex-typo in lxc-monitor.sgml.in
* doc: Translate lxc(7) into Japanese
* doc: Translate lxc-update-config(1) into Japanese
* execute: Enable console & standard /dev symlinks
* init: Become session leader
* log: Fix a format string build failure on x32.
* log: Prevent stack smashing
* monitor: Remove dead assignment
* network: Add missing checks for empty links
* network: Clear ifindeces
* network: Non-functional changes
* network: Remove dead assignments
* network: Use single helper to delete networks
* start: Don't close inherited namespace fds
* start: Move env setup before container setup
* start: Pass LXC_LOG_LEVEL to hooks
* start: Remove dead variable
* start: Set environment variables correctly
* start: Switch ids at last possible instance
* storage: Avoid segfault on missing lxc.rootfs.path
* storage: Fix typo in error message
* storage/lvm: Fix thinpool logical volumes
* storage/overlay: Do not write to invalid memory
* storage/overlay: Fix use after free()
* storage/zfs: Return error directly when zfs creation fails
* template/alpine: Change file check to also check file size (-f => -s)
* template/archlinux: Change locale "en-US.UTF-8" to "en_US.UTF-8"
* template/debian: Don't force getty@ configuration
* template/plamo: Delete unnecessary process during container shutdown
* tests: Avoid NULL pointer dereference
* tests: Remove dead assignments
* tests: Support systemd hybrid cgroups
* tools: Print "-devel" when LXC_DEVEL is true
* tools/lxc-unshare: Do not pass NULL pointer
* tools/lxc-update-config: Remove lxc.pivotdir and lxc.kmsg entries
* tools/lxc-update-config: Strip lxc.rootfs.backend and properly handle IPv4 addresses
* tools/lxc-user-nic: Remove double initialization
* tools/lxc-usernsexec: Remove dead assignments
* utils: Do not write to 0 sized buffer
* utils: Duplicate stderr as well in lxc_popen()
* utils: Fix lxc_popen()/lxc_pclose()
* utils: Remove dead assignments in lxc_popen()
* Sun Sep 17 2017 opensuse_buildservice@ojkastl.de - extended GCC7 workaround to allow builds
* Thu Sep 14 2017 opensuse_buildservice@ojkastl.de - added %if to use /etc/default/lxc or /etc/sysconfig/lxc, depending on Suse-or-Not
* Wed Sep 13 2017 opensuse_buildservice@ojkastl.de - update to LXC 2.1
New Features:
- Resource limit support
- Support for unprivileged openvswitch networks
- New lxc.cgroup.dir key
- Support for hybrid cgroup layout
- Limiting the number of ptys a container can allocate
- bool lxc_config_item_is_supported(const char *key) API extension
- New log API extension
- Deprecation of lxc-monitord
- lxc-copy create snapshots on tmpfs
Configuration changes:
- Network configuration
- Table of changed configuration keys (see release notes on https://linuxcontainers.org/lxc/news/)
- lxc-update-config script
- Deprecation warnings
Changelog
Core:
- af unix: allow for maximum socket name
- af_unix: abstract lxc_abstract_unix_{send,recv}_fd
- android: add prlimit implementation for 32bit
- API: expose function lxc_log_init
- API: add lxc_config_item_is_supported()
- caps: add lxc_{proc,file}_cap_is_set()
- cgroups: handle hybrid cgroup layouts
- commands: handle EINTR
- commands: add lxc_cmd_state_server()
- commands: switch api to new callback system
- conf: implement resource limits
- conf: check for {filecaps,setuid} on new{g,u}idmap
- conf: use bind-mount for /dev/ptmx
- conf: add MS_LAZYTIME to mount options
- conf: don't send ttys when none are configured
- conf: send ttys in batches of 2
- conf: log lxc-user-nic output
- conf: refactor network deletion
- conf: rework core functions
- conf: improve lxc_map_ids()
- conf: use minimal {g,u}id map
- conf: allow writing uid mappings with euid != 0
- conf: unstack all mounts atop /dev/console
- conf{,ile}: warn user once about legacy config
- confile: add lxc_get_idmaps()
- confile: rework + extend callback system
- confile: performance tweaks
- confile: add "lxc.cgroup.dir"
- confile: list namespaced keys
- confile: lxc_getconfig() -> lxc_get_config()
- confile: improve get_network_config_ops()
- confile: move lxc_list_net()
- confile: lxc_listconfigs -> lxc_list_config_items
- confile: rework lxc_list_net()
- confile: lxc.seccomp --> lxc.seccomp.profile
- confile: lxc.pts --> lxc.pty.max
- confile: lxc.tty --> lxc.tty.max
- confile: lxc.net.ipv6 --> lxc.net.ipv6.address
- confile: lxc.net.ipv4 --> lxc.net.ipv4.address
- confile: lxc.mount --> lxc.mount.fstab
- confile: lxc.console --> lxc.console.path
- confile: lxc.rootfs --> lxc.rootfs.path
- confile: deprecate lxc.rootfs.backend
- confile: rename lxc.utsname to lxc.uts.name
- confile: rename lxc.devttydir to lxc.tty.dir
- confile: namespace lxc.signal keys
- confile: namespace lxc.log keys
- confile: namespace lxc.init keys
- confile: rename lxc.limit to lxc.prlimit
- confile: remove lxc.pivotdir
- confile: remove lxc.kmsg
- confile: properly namespace security keys
- doc: adapt to new configuration keys
- devpts: use max= option on mount
- lsm/AppArmor: Allow containers to start in AppArmor namespaces
- lxccontainer: clear whole indexed networks
- lxccontainer: switch api to new callback system
- lxc-init: report exec*() failure
- lxc-user-nic: keep lines from other {users,links}
- lxc-user-nic: fix adding database entries
- lxc-user-nic: check db before trying to delete
- lxc-user-nic: test privilege over netns on delete
- lxc-user-nic: rework renaming net devices
- lxc-user-nic: add new {create,delete} subcommands
- monitor: simplify abstract socket logic
- network: don't delete net devs we didn't create
- network: remove allocation from lxc_mkifname()
- network: remove netpipe
- network: use correct network device name
- network: stop recording saved physical net devices
- network: retrieve correct names and ifindices
- network: use static memory for net device names
- network: retrieve the host's veth device ifindex
- network: rework network creation
- network: delete ovs for unprivileged networks
- network: log ifindex
- network: send ifindex for unpriv networks
- network: return negative idx for legacy networks
- network: test new network configuration parser
- network: add new network parser
- network: preserve backwards compatibility
- network: add test-suite for configuration items
- openvswitch: delete ports intelligently
- README: add CII Best Practices badge to README
- seccomp: set SCMP_FLTATR_ATL_TSKIP if available
- start: generalize lxc_check_inherited()
- start: use separate socket on daemonized start
- start: switch from SOCK_DGRAM to SOCK_STREAM
- start: don't let data_sock users close the fd
- start: ensure cgroups are cleaned up
- start: remove utmp watch
- start: lxc_setup() after unshare(CLONE_NEWCGROUP)
- start: dup std{in,out,err} to pty slave
- start: add lxc_init_handler()
- start: add lxc_free_handler()
- start: pin rootfs when privileged
- storage: add lxc_storage_get_path()
- storage: add storage_utils.{c.h}
- storage: add overlay as valid backend
- storage: rename files "bdev" -> "storage"
- storage/aufs: mark deprecated
- storage/btrfs: rework btrfs storage driver
- storage/loop: rework loop storage driver
- storage/lvm: rework lvm backend
- storage/overlay: rework overlay storage driver
- storage/overlay: correctly restore from snapshot
- storage/overlay: correctly handle dependency tracking
- storage/rbd: rework rbd storage driver
- storage/zfs: rework zfs storage driver
- tests: add tests for lxc.cgroup.dir
- test: add test to get subkeys
- tests: add unit tests for idmap parser
- tests: enforce all methods for config items
- tree-wide: struct bdev -> struct lxc_storage
- utils: add lxc_nic_exists()
- utils: switch to has_fs_type()
- utils: add has_fs_type() + is_fs_type()
- utils: rework lxc_deslashify()
- utils: lxc_make_abstract_socket_name()
- utils: add lxc_safe_ulong()
- utils: add lxc_unstack_mountpoint()
Template:
- templates/Alpine: Add support for ppc64le
- templates/Alpine: use dl-cdn.a.o as default mirror instead of random one
- templates/Alpine: add community repository to default repositories
- templates/CentOS: use altarch mirror for CentOS on arches other than i386 and x86_64
- templates/CentOS: default to CentOS 7
- templates/debian: Use deb.debian.org as the default Debian mirror
- templates/debian: jessie and stretch keyring support
- templates/debian: Add buster as a valid release
- templates/opensuse: support leap 42.3
- templates/opensuse: fix tumbleweed software selection
- templates/opensuse: add Tumbleweed as supported release
- templates/ubuntu: support netplan in newer releases by default
- templates/ubuntu: conditionally move upstart ssh job, as it is now optional.
- userns.conf: remove obsolete bind-mounts
Tools:
- lxc-execute: print error message when failed
- lxc-update-config: handle legacy networks
- tools: add additional cgroup checks
- tools: add lxc-update-config.in
- tools/lxc-attach: allow for situations without /dev/tty
- tools/lxc-checkconfig: Add CONFIG_NETFILTER_XT_MATCH_COMMENT
- tools/lxc-checkconfig: verify new[ug]idmap are setuid-root
- tools/lxc-ls: return all containers by default, new filter - list only defined containers.
* Mon May 15 2017 kastl@suse - update to version 2.0.8
Important: Security fix for CVE-2017-5985. All templates have been updated to not set default passwords anymore, instead requiring lxc-attach be used to configure users. This may affect some automated environments that were relying on our default (very much insecure) users.
Bugfixes: Make lxc-start-ephemeral Python 3.2-compatible Fix typo Allow build without sys/capability.h lxc-opensuse: fix default value for release code util: always malloc for setproctitle util: update setproctitle comments confile: clear lxc.network..ipv{4,6} when empty lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals Make lxc-net return non-zero on failure seccomp: allow x32 guests on amd64 hosts. Add HAVE_LIBCAP c/r: only supply --ext-mount-map for bind mounts Added 'mkdir -p' functionality in create_or_remove_cgroup Use LXC_ROOTFS_MOUNT in clonehostname hook squeeze is not a supported release anymore, drop the key start: dumb down SIGCHLD from WARN() to NOTICE() log: fix lxc_unix_epoch_to_utc() cgfsng: make trim() safer seccomp: set SCMP_FLTATR_ATL_TSKIP if available lxc-user-nic: re-order #includes lxc-user-nic: improve + bugfix lxc-user-nic: delete link on failure conf: only try to delete veth when privileged Fix lxc-containers to support multiple bridges Fix mixed tab/spaces in previous patch lxc-alpine: use dl-cdn.a.o as default mirror instead of random one lxc-checkconfig: verify new[ug]idmap are setuid-root [templates] archlinux: resolve conflicting files [templates] archlinux: noneed default_timezone variable python3: Deal with potential NULL char * lxc-download.in / allow setting keyserver from env lxc-download.in / Document keyserver change in help Change variable check to match existing style tree-wide: include directly conf/ile: make sure buffer is large enough tree-wide: include directly tests: Support running on IPv6 networks tests: Kill containers (don't wait for shutdown) Fix opening wrong file in suggest_default_idmap do not set the root password in the debian template do not set insecure passwords don't set a default password for altlinux, gentoo, openmandriva and pld tools: exit with return code of lxc_execute() Keep veth.pair.name on network shutdown Makefile: fix static clang init.lxc build Avoid waiting for bridge interface if disabled in sysconfig/lxc | lxc-net via USE_LXC_BRIDGE Increased buffer length in print_stats() avoid assigning to a variable which is not POSIX shell proof (bug #1498) remove obsolete note about api stability conf: less error prone pointer access conf: lxc_map_ids() non-functional changes caps: add lxc_{proc,file}_cap_is_set() conf: check for {filecaps,setuid} on new{g,u}idmap conf: improve log when mounting rootfs ls: simplify the judgment condition when list active containers fix typo introduced in #1509 attach|unshare: fix the wrong comment caps: skip file capability checks on android autotools: check for cap_get_file caps: return false if caps are not supported conf: non-functional changes to setup_pts() conf: use bind-mount for /dev/ptmx conf: non-functional changes utils: use loop device helpers from LXD create ISSUE_TEMPLATE.md cgroups: improve cgfsng debugging issue template: fix typo conf: close fd in lxc_setup_devpts() conf: non-functional changes utils: tweak lxc_mount_proc_if_needed() Change sshd template to work with Ubuntu 17.04 conf: order mount options conf: add MS_LAZYTIME to mount options monitor: report errno on exec() error af unix: allow for maximum socket name commands: avoid NULL pointer dereference commands: non-functional changes lxccontainer: avoid NULL pointer dereference monitor: simplify abstract socket logic precise is not the latest LTS, let's use xenial instead fix the wrong exit status conf: non-functional changes lxc_fill_autodev() conf: remove /dev/console from lxc_fill_autodev() conf: non-functional changes lxc_setup() conf: non-functional changes to console functions conf: improve lxc_setup_dev_console() conf: lxc_setup_ttydir_console() config: remove /dev/console bind mount doc: document console behavior utils: add lxc_unstack_mountpoint() conf: unstack all mounts atop /dev/console console: fail when we cannot allocate peer tty start: remove umount2() conf: non-functional changes utils: handle > 2^31 in lxc_unstack_mountpoint() Install systemd units for CentOS Merge ubuntu and debiancase start: add crucial details about lxc_spawn()
Deleted patches that have been included upstream:
- 0010-tree-wide-include-sys-sysmacros.h-directly.patch
- 0011-tree-wide-include-sys-sysmacros.h-directly.patch
* Wed Mar 29 2017 opensuse_buildservice@ojkastl.de - backported two patches to get the package to build again for Tumbleweed (applied only on tumbleweed aka suse_version >1315) 0010-tree-wide-include-sys-sysmacros.h-directly.patch 0011-tree-wide-include-sys-sysmacros.h-directly.patch
* Tue Jan 24 2017 opensuse_buildservice@ojkastl.de - update to version 2.0.7
This is the seventh bugfix release for LXC 2.0. The main bugfixes in this release are:
- attach: Close lsm label file descriptor
- attach: Non-functional changes
- attach: Simplify lsm_openat()
- caps: Add lxc_cap_is_set()
- conf: attach: Save errno across call to close
- conf: Clearly report to either use drop or keep
- conf: criu: Add make_anonymous_mount_file()
- conf: Fix suggest_default_idmap()
- configure: Add --enable-gnutls option
- configure: Check for memfd_create()
- configure: Check whether gettid() is declared
- configure: Do not allow variable length arrays
- configure: Remove -Werror=vla
- configure: Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
- conf: Non-functional changes
- conf: Remove thread-unsafe strsignal + improve log
- init: Add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
- log: Add lxc_unix_epoch_to_utc()
- log: Annotate lxc_unix_epoch_to_utc()
- log: Drop all timezone conversion functions
- log: Make sure that date is correctly formatted
- log: Use lxc_unix_epoch_to_utc()
- log: Use N/A if getpid() != gettid() when threaded
- log: Use thread-safe localtime_r()
- lvm: Supress warnings about leaked files
- lxccontainer: Log failure to send sig to init pid
- monitor: Add more logging
- monitor: Close mainloop on exit if we opened it
- monitor: Improve log + set log level to DEBUG
- monitor: Log which pipe fd is currently used
- monitor: Make lxc-monitord async signal safe
- monitor: Non-functional changes
- python3-lxc: Fix api_test.py on s390x
- start: Check for CAP_SETGID before setgroups()
- start: Fix execute and improve setgroups() calls
- state: Use async signal safe fun in lxc_wait()
- templates: lxc-debian: Don't try to get stuff from /usr/lib/systemd on the host
- templates: lxc-debian: Fix getty service startup
- templates: lxc-debian: Fix typo in calling dpkg with --print-foreign-architectures option
- templates: lxc-debian: Handle ppc hostarch -> powerpc
- templates: lxc-opensuse: Change openSUSE default release to Leap 42.2
- templates: lxc-opensuse: Remove libgcc_s1
- templates: lxc-opensuse: Remove poweroff.target -> sigpwr.target copy
- templates: lxc-opensuse: Set to be unconfined by AppArmor
- templates: lxc-opensuse: Update for Leap 42.2
- tests; Don't cause test failures on cleanup errors
- tests: Skip unpriv tests on broken overlay module
- tools: Improve logging
- tools: lxc-start: Remove c->is_defined(c) check
- tools: lxc-start: Set configfile after load_config
- tools: Only check for O_RDONLY
- tree-wide: Random macro cleanups
- tree-wide: Remove any variable length arrays
- tree-wide: Sic semper assertis!
- utils: Add macro __LXC_NUMSTRLEN
- utils: Add uid, gid, group convenience wrappers