Ubuntu
lxc package

Merge lp:~ubuntu-branches/ubuntu/precise/lxc/precise-201201192036 into lp:ubuntu/precise/lxc

  1. Precise (12.04)
  2. precise-201201192036
  3. Merge into precise
Proposed by Ubuntu Package Importer
Status: Rejected
Rejected by: James Westby
Proposed branch: lp:~ubuntu-branches/ubuntu/precise/lxc/precise-201201192036
Merge into: lp:ubuntu/precise/lxc
Diff against target: 595 lines (+580/-0) (has conflicts)
2 files modified
.pc/0020-drop-cap-mac-admin.patch/templates/lxc-ubuntu.in (+561/-0)
debian/patches/0020-drop-cap-mac-admin.patch (+19/-0)
Conflict adding file .pc/0020-drop-cap-mac-admin.patch.  Moved existing file to .pc/0020-drop-cap-mac-admin.patch.moved.
Conflict adding file debian/patches/0020-drop-cap-mac-admin.patch.  Moved existing file to debian/patches/0020-drop-cap-mac-admin.patch.moved.
To merge this branch: bzr merge lp:~ubuntu-branches/ubuntu/precise/lxc/precise-201201192036
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+89340@code.launchpad.net

Description of the change

The package importer has detected a possible inconsistency between the package history in the archive and the history in bzr. As the archive is authoritative the importer has made lp:ubuntu/precise/lxc reflect what is in the archive and the old bzr branch has been pushed to lp:~ubuntu-branches/ubuntu/precise/lxc/precise-201201192036. This merge proposal was created so that an Ubuntu developer can review the situations and perform a merge/upload if necessary. There are three typical cases where this can happen.
  1. Where someone pushes a change to bzr and someone else uploads the package without that change. This is the reason that this check is done by the importer. If this appears to be the case then a merge/upload should be done if the changes that were in bzr are still desirable.
  2. The importer incorrectly detected the above situation when someone made a change in bzr and then uploaded it.
  3. The importer incorrectly detected the above situation when someone just uploaded a package and didn't touch bzr.

If this case doesn't appear to be the first situation then set the status of the merge proposal to "Rejected" and help avoid the problem in future by filing a bug at https://bugs.launchpad.net/udd linking to this merge proposal.

(this is an automatically generated message)

To post a comment you must log in.

Unmerged revisions

47. By Serge Hallyn

* update 0016-nested-cgroups.patch: create cgroup dirs 0755 so that
* debian/local/lxc-start-ephemeral: support in-line commands (LP: #914169)

46. By Serge Hallyn

udpate 0016-nested-cgroups.patch: create cgroup dirs 0755 so that
unprivileged users can read them (with lxc-ls).

45. By Serge Hallyn

debian/patches/0020-drop-cap-mac-admin.patch - to prevent containers
from loading apparmor policy.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== added directory '.pc/0020-drop-cap-mac-admin.patch'
=== renamed directory '.pc/0020-drop-cap-mac-admin.patch' => '.pc/0020-drop-cap-mac-admin.patch.moved'
=== added file '.pc/0020-drop-cap-mac-admin.patch/.timestamp'
=== added directory '.pc/0020-drop-cap-mac-admin.patch/templates'
=== added file '.pc/0020-drop-cap-mac-admin.patch/templates/lxc-ubuntu.in'
--- .pc/0020-drop-cap-mac-admin.patch/templates/lxc-ubuntu.in 1970-01-01 00:00:00 +0000
+++ .pc/0020-drop-cap-mac-admin.patch/templates/lxc-ubuntu.in 2012-01-19 20:42:35 +0000
@@ -0,0 +1,561 @@
1#!/bin/bash
2
3#
4# template script for generating ubuntu container for LXC
5#
6# This script consolidates and extends the existing lxc ubuntu scripts
7#
8
9# XXX todo: add -lvm option
10
11# Copyright © 2011 Serge Hallyn <serge.hallyn@canonical.com>
12# Copyright © 2010 Wilhelm Meier
13# Author: Wilhelm Meier <wilhelm.meier@fh-kl.de>
14#
15# This program is free software; you can redistribute it and/or modify
16# it under the terms of the GNU General Public License version 2, as
17# published by the Free Software Foundation.
18
19# This program is distributed in the hope that it will be useful,
20# but WITHOUT ANY WARRANTY; without even the implied warranty of
21# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22# GNU General Public License for more details.
23
24# You should have received a copy of the GNU General Public License along
25# with this program; if not, write to the Free Software Foundation, Inc.,
26# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27#
28
29if [ -r /etc/default/lxc ]; then
30 . /etc/default/lxc
31fi
32
33configure_ubuntu()
34{
35 rootfs=$1
36 hostname=$2
37
38 # configure the network using the dhcp
39 cat <<EOF > $rootfs/etc/network/interfaces
40auto lo
41iface lo inet loopback
42
43auto eth0
44iface eth0 inet dhcp
45EOF
46
47 # so you can 'ssh $hostname.' or 'ssh $hostname.local'
48 if [ -f $rootfs/etc/dhcp/dhclient.conf ]; then
49 sed -i "s/<hostname>/$hostname/" $rootfs/etc/dhcp/dhclient.conf
50 elif [ -f $rootfs/etc/dhcp3/dhclient.conf ]; then
51 sed -i "s/<hostname>/$hostname/" $rootfs/etc/dhcp3/dhclient.conf
52 fi
53
54 # set the hostname
55 cat <<EOF > $rootfs/etc/hostname
56$hostname
57EOF
58 # set minimal hosts
59 cat <<EOF > $rootfs/etc/hosts
60127.0.0.1 localhost $hostname
61EOF
62
63 # suppress log level output for udev
64 sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
65
66 # remove jobs for consoles 5 and 6 since we only create 4 consoles in
67 # this template
68 rm -f $rootfs/etc/init/tty{5,6}.conf
69
70 echo "Please change root-password !"
71 echo "root:root" | chroot $rootfs chpasswd
72
73 return 0
74}
75
76download_ubuntu()
77{
78 cache=$1
79 arch=$2
80 release=$3
81
82 if [ $release = "lucid" ]; then
83 packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg
84 elif [ $release = "maverick" ]; then
85 packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg,netbase
86 elif [ $release = "natty" ]; then
87 packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase
88 else
89 packages=dialog,apt,apt-utils,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,ubuntu-keyring
90 fi
91 echo "installing packages: $packages"
92
93 # check the mini ubuntu was not already downloaded
94 mkdir -p "$cache/partial-$arch"
95 if [ $? -ne 0 ]; then
96 echo "Failed to create '$cache/partial-$arch' directory"
97 return 1
98 fi
99
100 # download a mini ubuntu into a cache
101 echo "Downloading ubuntu $release minimal ..."
102 debootstrap --verbose --components=main,universe --arch=$arch --include=$packages $release $cache/partial-$arch $MIRROR
103 if [ $? -ne 0 ]; then
104 echo "Failed to download the rootfs, aborting."
105 return 1
106 fi
107
108 # Serge isn't sure whether we should avoid doing this when
109 # $release == `distro-info -d`
110 echo "Installing updates"
111 case $arch in
112 amd64|i386)
113 MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu}
114 SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu}
115 ;;
116 sparc)
117 case $SUITE in
118 gutsy)
119 MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu}
120 SECURITY_MIRROR=${SECURITY_MIRRORMIRROR:-http://security.ubuntu.com/ubuntu}
121 ;;
122 *)
123 MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
124 SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
125 ;;
126 esac
127 ;;
128 *)
129 MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
130 SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
131 ;;
132 esac
133 cat >> "$1/partial-${arch}/etc/apt/sources.list" << EOF
134deb $MIRROR ${release}-updates main universe
135deb $SECURITY_MIRROR ${release}-security main universe
136EOF
137 chroot "$1/partial-${arch}" apt-get update
138 if [ $? -ne 0 ]; then
139 echo "Failed to update the apt cache"
140 return 1
141 fi
142 cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF
143#!/bin/sh
144exit 101
145EOF
146 chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d
147
148 lxc-unshare -s MOUNT -- chroot "$1/partial-${arch}" apt-get dist-upgrade -y
149 ret=$?
150 rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d
151
152 if [ $ret -ne 0 ]; then
153 echo "Failed to upgrade the cache"
154 return 1
155 fi
156
157 mv "$1/partial-$arch" "$1/rootfs-$arch"
158 echo "Download complete"
159 return 0
160}
161
162copy_ubuntu()
163{
164 cache=$1
165 arch=$2
166 rootfs=$3
167
168 # make a local copy of the miniubuntu
169 echo -n "Copying rootfs to $rootfs ..."
170 cp -a $cache/rootfs-$arch $rootfs || return 1
171 return 0
172}
173
174install_ubuntu()
175{
176 rootfs=$1
177 release=$2
178 cache="/var/cache/lxc/$release"
179 mkdir -p /var/lock/subsys/
180 (
181 flock -n -x 200
182 if [ $? -ne 0 ]; then
183 echo "Cache repository is busy."
184 return 1
185 fi
186
187
188 echo "Checking cache download in $cache/rootfs-$arch ... "
189 if [ ! -e "$cache/rootfs-$arch" ]; then
190 download_ubuntu $cache $arch $release
191 if [ $? -ne 0 ]; then
192 echo "Failed to download 'ubuntu $release base'"
193 return 1
194 fi
195 fi
196
197 echo "Copy $cache/rootfs-$arch to $rootfs ... "
198 copy_ubuntu $cache $arch $rootfs
199 if [ $? -ne 0 ]; then
200 echo "Failed to copy rootfs"
201 return 1
202 fi
203
204 return 0
205
206 ) 200>/var/lock/subsys/lxc
207
208 return $?
209}
210
211copy_configuration()
212{
213 path=$1
214 rootfs=$2
215 name=$3
216 arch=$4
217
218 if [ $arch = "i386" ]; then
219 arch="i686"
220 fi
221
222 cat <<EOF >> $path/config
223lxc.utsname = $name
224
225lxc.tty = 4
226lxc.pts = 1024
227lxc.rootfs = $rootfs
228lxc.mount = $path/fstab
229lxc.arch = $arch
230lxc.cap.drop = sys_module
231
232lxc.cgroup.devices.deny = a
233# Allow any mknod (but not using the node)
234lxc.cgroup.devices.allow = c *:* m
235lxc.cgroup.devices.allow = b *:* m
236# /dev/null and zero
237lxc.cgroup.devices.allow = c 1:3 rwm
238lxc.cgroup.devices.allow = c 1:5 rwm
239# consoles
240lxc.cgroup.devices.allow = c 5:1 rwm
241lxc.cgroup.devices.allow = c 5:0 rwm
242#lxc.cgroup.devices.allow = c 4:0 rwm
243#lxc.cgroup.devices.allow = c 4:1 rwm
244# /dev/{,u}random
245lxc.cgroup.devices.allow = c 1:9 rwm
246lxc.cgroup.devices.allow = c 1:8 rwm
247lxc.cgroup.devices.allow = c 136:* rwm
248lxc.cgroup.devices.allow = c 5:2 rwm
249# rtc
250lxc.cgroup.devices.allow = c 254:0 rwm
251#fuse
252lxc.cgroup.devices.allow = c 10:229 rwm
253#tun
254lxc.cgroup.devices.allow = c 10:200 rwm
255EOF
256
257 cat <<EOF > $path/fstab
258proc $rootfs/proc proc nodev,noexec,nosuid 0 0
259sysfs $rootfs/sys sysfs defaults 0 0
260EOF
261
262 if [ $? -ne 0 ]; then
263 echo "Failed to add configuration"
264 return 1
265 fi
266
267 return 0
268}
269
270trim()
271{
272 rootfs=$1
273 release=$2
274
275 # provide the lxc service
276 cat <<EOF > $rootfs/etc/init/lxc.conf
277# fake some events needed for correct startup other services
278
279description "Container Upstart"
280
281start on startup
282
283script
284 rm -rf /var/run/*.pid
285 rm -rf /var/run/network/*
286 /sbin/initctl emit stopped JOB=udevtrigger --no-wait
287 /sbin/initctl emit started JOB=udev --no-wait
288end script
289EOF
290
291 # fix buggus runlevel with sshd
292 cat <<EOF > $rootfs/etc/init/ssh.conf
293# ssh - OpenBSD Secure Shell server
294#
295# The OpenSSH server provides secure shell access to the system.
296
297description "OpenSSH server"
298
299start on filesystem
300stop on runlevel [!2345]
301
302expect fork
303respawn
304respawn limit 10 5
305umask 022
306# replaces SSHD_OOM_ADJUST in /etc/default/ssh
307oom never
308
309pre-start script
310 test -x /usr/sbin/sshd || { stop; exit 0; }
311 test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
312 test -c /dev/null || { stop; exit 0; }
313
314 mkdir -p -m0755 /var/run/sshd
315end script
316
317# if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
318# 'exec' line here instead
319exec /usr/sbin/sshd
320EOF
321
322 cat <<EOF > $rootfs/etc/init/console.conf
323# console - getty
324#
325# This service maintains a console on tty1 from the point the system is
326# started until it is shut down again.
327
328start on stopped rc RUNLEVEL=[2345]
329stop on runlevel [!2345]
330
331respawn
332exec /sbin/getty -8 38400 /dev/console
333EOF
334
335 cat <<EOF > $rootfs/lib/init/fstab
336# /lib/init/fstab: cleared out for bare-bones lxc
337EOF
338
339 # reconfigure some services
340 if [ -z "$LANG" ]; then
341 chroot $rootfs locale-gen en_US.UTF-8
342 chroot $rootfs update-locale LANG=en_US.UTF-8
343 else
344 chroot $rootfs locale-gen $LANG
345 chroot $rootfs update-locale LANG=$LANG
346 fi
347
348 # remove pointless services in a container
349 chroot $rootfs /usr/sbin/update-rc.d -f ondemand remove
350
351 chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls u*.conf); do mv $f $f.orig; done'
352 chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls tty[2-9].conf); do mv $f $f.orig; done'
353 chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls plymouth*.conf); do mv $f $f.orig; done'
354 chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls hwclock*.conf); do mv $f $f.orig; done'
355 chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls module*.conf); do mv $f $f.orig; done'
356
357 # if this isn't lucid, then we need to twiddle the network upstart bits :(
358 if [ $release != "lucid" ]; then
359 sed -i 's/^.*emission handled.*$/echo Emitting lo/' $rootfs/etc/network/if-up.d/upstart
360 fi
361}
362
363post_process()
364{
365 rootfs=$1
366 release=$2
367 trim_container=$3
368
369 if [ $trim_container -eq 1 ]; then
370 trim $rootfs $release
371 else
372 # for lucid and maverick, if not trimming, then add the ubuntu-virt
373 # ppa and install lxcguest
374 if [ $release = "lucid" -o $release = "maverick" ]; then
375 chroot $rootfs apt-get install --force-yes -y python-software-properties
376 chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
377 fi
378 cp /etc/resolv.conf "${rootfs}/etc"
379 chroot $rootfs apt-get update
380 chroot $rootfs apt-get install --force-yes -y lxcguest
381 fi
382}
383
384do_bindhome()
385{
386 rootfs=$1
387 user=$2
388
389 # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
390 pwd=`getent passwd $user`
391 if [ $? -ne 0 ]; then
392 echo 'Warning: failed to copy password entry for $user'
393 return
394 else
395 echo $pwd >> $rootfs/etc/passwd
396 fi
397 shad=`getent shadow $user`
398 echo $shad >> $rootfs/etc/shadow
399
400 # bind-mount the user's path into the container's /home
401 h=`getent passwd $user | cut -d: -f 6`
402 mkdir -p $rootfs/$h
403 echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
404}
405
406clean()
407{
408 release=$1
409 cache="/var/cache/lxc/$release"
410
411 if [ ! -e $cache ]; then
412 exit 0
413 fi
414
415 # lock, so we won't purge while someone is creating a repository
416 (
417 flock -n -x 200
418 if [ $? != 0 ]; then
419 echo "Cache repository is busy."
420 exit 1
421 fi
422
423 echo -n "Purging the download cache..."
424 rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
425 exit 0
426
427 ) 200>/var/lock/subsys/lxc
428}
429
430usage()
431{
432 cat <<EOF
433$1 -h|--help -p|--path=<path> --clean [-a|--arch] [-b|--bindhome <user>] [--trim] [-r|--release]
434release: lucid | maverick | natty | oneiric | precise
435trim: make a minimal (faster, but not upgrade-safe) container
436bindhome: bind <user>'s home into the container
437arch: amd64 or i386: defaults to host arch
438EOF
439 return 0
440}
441
442options=$(getopt -o a:b:hp:r:xn:c -l arch:,bindhome:,help,path:,release:,trim,name:,clean -- "$@")
443if [ $? -ne 0 ]; then
444 usage $(basename $0)
445 exit 1
446fi
447eval set -- "$options"
448
449release=lucid
450if [ -f /etc/lsb-release ]; then
451 . /etc/lsb-release
452 case "$DISTRIB_CODENAME" in
453 lucid|maverick|natty|oneiric|precise)
454 release=$DISTRIB_CODENAME
455 ;;
456 esac
457fi
458
459bindhome=
460arch=$(arch)
461
462# Code taken from debootstrap
463if [ -x /usr/bin/dpkg ] && /usr/bin/dpkg --print-architecture >/dev/null 2>&1; then
464 arch=`/usr/bin/dpkg --print-architecture`
465elif type udpkg >/dev/null 2>&1 && udpkg --print-architecture >/dev/null 2>&1; then
466 arch=`/usr/bin/udpkg --print-architecture`
467else
468 arch=$(arch)
469 if [ "$arch" = "i686" ]; then
470 arch="i386"
471 elif [ "$arch" = "x86_64" ]; then
472 arch="amd64"
473 elif [ "$arch" = "armv7l" ]; then
474 arch="armel"
475 fi
476fi
477
478trim_container=0
479hostarch=$arch
480while true
481do
482 case "$1" in
483 -h|--help) usage $0 && exit 0;;
484 -p|--path) path=$2; shift 2;;
485 -n|--name) name=$2; shift 2;;
486 -c|--clean) clean=$2; shift 2;;
487 -r|--release) release=$2; shift 2;;
488 -b|--bindhome) bindhome=$2; shift 2;;
489 -a|--arch) arch=$2; shift 2;;
490 -x|--trim) trim_container=1; shift 1;;
491 --) shift 1; break ;;
492 *) break ;;
493 esac
494done
495
496pwd=`getent passwd $bindhome`
497if [ $? -ne 0 ]; then
498 echo "Error: no password entry found for $bindhome"
499 exit 1
500fi
501
502
503if [ "$arch" == "i686" ]; then
504 arch=i386
505fi
506
507if [ ! -z "$clean" -a -z "$path" ]; then
508 clean || exit 1
509 exit 0
510fi
511
512if [ $hostarch = "i386" -a $arch = "amd64" ]; then
513 echo "can't create amd64 container on i386"
514 exit 1
515fi
516
517type debootstrap
518if [ $? -ne 0 ]; then
519 echo "'debootstrap' command is missing"
520 exit 1
521fi
522
523if [ -z "$path" ]; then
524 echo "'path' parameter is required"
525 exit 1
526fi
527
528if [ "$(id -u)" != "0" ]; then
529 echo "This script should be run as 'root'"
530 exit 1
531fi
532
533rootfs=$path/rootfs
534
535install_ubuntu $rootfs $release
536if [ $? -ne 0 ]; then
537 echo "failed to install ubuntu $release"
538 exit 1
539fi
540
541configure_ubuntu $rootfs $name
542if [ $? -ne 0 ]; then
543 echo "failed to configure ubuntu $release for a container"
544 exit 1
545fi
546
547copy_configuration $path $rootfs $name $arch
548if [ $? -ne 0 ]; then
549 echo "failed write configuration file"
550 exit 1
551fi
552
553post_process $rootfs $release $trim_container
554if [ ! -z $bindhome ]; then
555 do_bindhome $rootfs $bindhome
556fi
557
558if [ ! -z $clean ]; then
559 clean $release || exit 1
560 exit 0
561fi
0562
=== added file 'debian/patches/0020-drop-cap-mac-admin.patch'
--- debian/patches/0020-drop-cap-mac-admin.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/0020-drop-cap-mac-admin.patch 2012-01-19 20:42:35 +0000
@@ -0,0 +1,19 @@
1Description: lxc-ubuntu: drop mac_admin capability
2 This is to prevent the container from loading apparmor policy.
3 Stackable policies will be coming, but we don't have them yet.
4Author: Serge Hallyn <serge.hallyn@ubuntu.com>
5Forwarded: no
6
7Index: lxc/templates/lxc-ubuntu.in
8===================================================================
9--- lxc.orig/templates/lxc-ubuntu.in 2012-01-13 15:08:16.362152000 +0100
10+++ lxc/templates/lxc-ubuntu.in 2012-01-13 15:11:02.600363556 +0100
11@@ -227,7 +227,7 @@
12 lxc.rootfs = $rootfs
13 lxc.mount = $path/fstab
14 lxc.arch = $arch
15-lxc.cap.drop = sys_module
16+lxc.cap.drop = sys_module mac_admin
17
18 lxc.cgroup.devices.deny = a
19 # Allow any mknod (but not using the node)
020
=== renamed file 'debian/patches/0020-drop-cap-mac-admin.patch' => 'debian/patches/0020-drop-cap-mac-admin.patch.moved'

Subscribers

People subscribed via source and target branches

to all changes: