authorCarlo Landmeter <clandmeter@alpinelinux.org>2018-12-16 16:04:06 +0000
committerCarlo Landmeter <clandmeter@alpinelinux.org>2019-01-02 08:02:12 +0000
commit2c149f9f8b39703ea77ef34f44c38bc2b498989d (patch)
tree3998ada5a6ae86f5d29ac4828fa42ce0465cc633 /main/lxc
parent1526ec6daca893e030f32be7cfe6352b4257d82c (diff)
downloadaports-2c149f9f8b39703ea77ef34f44c38bc2b498989d.tar.bz2
aports-2c149f9f8b39703ea77ef34f44c38bc2b498989d.tar.xz
main/lxc: upgrade to 3.1
Lots of changes in the way LXC handles creation of containers. https://discuss.linuxcontainers.org/t/lxc-3-0-0-has-been-released/1449 - fixed building of man docs - bundled pam module - lua module is now a separate pkg - python module is now a separate pkg
Diffstat (limited to 'main/lxc')
-rw-r--r--main/lxc/0001-do_lxcapi_create-set-umask.patch41
-rw-r--r--main/lxc/APKBUILD116
-rw-r--r--main/lxc/CVE-2018-6556.patch120
-rw-r--r--main/lxc/add-support-for-s390x-in-template.patch12
-rw-r--r--main/lxc/download-template-tmpfs.patch26
-rw-r--r--main/lxc/make-dropping-setpcap-optional.patch24
-rw-r--r--main/lxc/version.patch17
7 files changed, 54 insertions, 302 deletions
diff --git a/main/lxc/0001-do_lxcapi_create-set-umask.patch b/main/lxc/0001-do_lxcapi_create-set-umask.patch
deleted file mode 100644
index 050f3d844b..0000000000
--- a/main/lxc/0001-do_lxcapi_create-set-umask.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 4fc4df8ce71154eb45b7aa18b08b735d99e93eb8 Mon Sep 17 00:00:00 2001
-From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
-Date: Sun, 15 Apr 2018 14:50:28 +0300
-Subject: [PATCH] do_lxcapi_create: set umask
-
----
- src/lxc/lxccontainer.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
-index 5e8ad00f..0fe766e8 100644
---- a/src/lxc/lxccontainer.c
-+++ b/src/lxc/lxccontainer.c
-@@ -1605,6 +1605,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
- char *const argv[])
- {
- bool ret = false;
-+ mode_t mask;
- pid_t pid;
- char *tpath = NULL;
- int partial_fd;
-@@ -1673,6 +1674,8 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
-
- /* no need to get disk lock bc we have the partial locked */
-
-+ mask = umask(0022);
-+
- /*
- * Create the backing store
- * Note we can't do this in the same task as we use to execute the
-@@ -1732,6 +1735,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
- ret = load_config_locked(c, c->configfile);
-
- out_unlock:
-+ umask(mask);
- if (partial_fd >= 0)
- remove_partial(c, partial_fd);
- out:
---
-2.17.0
-
diff --git a/main/lxc/APKBUILD b/main/lxc/APKBUILD
index bd4a49accf..370217ec06 100644
--- a/main/lxc/APKBUILD
+++ b/main/lxc/APKBUILD
@@ -3,35 +3,44 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lxc
-pkgver=2.1.1
+pkgver=3.1.0
_pkgver=${pkgver/_rc/.rc}
-pkgrel=10
+pkgrel=0
pkgdesc="Userspace interface for the Linux kernel containment features"
url="https://linuxcontainers.org/lxc/"
arch="all"
license="GPL"
-depends="gzip"
-depends_dev="libcap-dev"
-makedepends="$depends_dev lvm2 util-linux automake autoconf libtool lua5.3-dev
- linux-headers bash tar docbook2x libseccomp-dev python3-dev dnsmasq
- py3-setuptools"
+makedepends="
+ libcap-dev
+ libseccomp-dev
+ linux-pam-dev
+ linux-headers
+ bsd-compat-headers
+ docbook2x
+ "
+
options="suid"
-subpackages="$pkgname-dev $pkgname-doc $pkgname-lvm::noarch lua5.3-lxc:_lua53
- $pkgname-download:_download:noarch $pkgname-templates::noarch $pkgname-libs
- py3-$pkgname:_py3 $pkgname-bridge::noarch $pkgname-bash-completion:bashcomp:noarch"
-source="https://github.com/lxc/lxc/archive/lxc-$_pkgver.tar.gz
- 0001-do_lxcapi_create-set-umask.patch
- make-dropping-setpcap-optional.patch
- add-support-for-s390x-in-template.patch
- version.patch
+subpackages="
+ $pkgname-dev
+ $pkgname-doc
+ $pkgname-openrc
+ $pkgname-lvm::noarch
+ $pkgname-libs
+ $pkgname-bridge::noarch
+ $pkgname-bash-completion:bashcomp:noarch
+ $pkgname-pam
+ $pkgname-download:_download:noarch
+ $pkgname-templates-oci:templates_oci:noarch
+ $pkgname-templates::noarch
+ "
+
+source="
+ https://linuxcontainers.org/downloads/lxc/lxc-$_pkgver.tar.gz
+
lxc.initd
lxc.confd
- lxc.conf
-
- download-template-tmpfs.patch
- CVE-2018-6556.patch
"
-builddir="$srcdir/lxc-lxc-$_pkgver"
+builddir="$srcdir/lxc-$_pkgver"
# secfixes:
# 2.1.1-r9:
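Review bot: The secfixes block that the hunk ends in is left at `# 2.1.1-r9:` although the commit removes CVE-2018-6556.patch from `source`; the block continues outside the hunk, so I cannot see whether that CVE is already listed, but nothing in the APKBUILD records that 3.1.0 carries the upstream fix for the patch being dropped. Add an entry such as `#   3.1.0-r0:` / `#     - CVE-2018-6556` only after confirming against the upstream changelog that the lxc-user-nic netns fd check named in the dropped patch's subject is part of 3.1.0. A second point: `py3-$pkgname:_py3` disappears from `subpackages`, yet `_py3()` is still defined further down (visible as context in the later hunks); either drop the function or keep the subpackage so the file does not carry a dead split function.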
@@ -40,14 +49,8 @@ builddir="$srcdir/lxc-lxc-$_pkgver"
_tmpldir="usr/share/lxc/templates"
-prepare() {
- default_prepare
- ./autogen.sh
-}
-
build() {
cd "$builddir"
- LUA_VERSION=5.3 \
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -55,12 +58,11 @@ build() {
--sysconfdir=/etc \
--localstatedir=/var \
--disable-apparmor \
- --enable-lua \
- --enable-python \
- --with-lua-pc=lua5.3 \
+ --enable-pam \
--with-distro=alpine \
- --disable-werror
- make VERSION=$pkgver
+ --disable-werror \
+ --enable-doc
+ make
}
check() {
@@ -77,29 +79,17 @@ package() {
install -Dm644 "$srcdir"/lxc.confd "$pkgdir"/etc/conf.d/lxc
install -d "$pkgdir"/var/lib/lxc
- # XXX: workaround for https://github.com/lxc/lxc/issues/1095.
- install -Dm644 "$srcdir"/lxc.conf "$pkgdir"/etc/lxc/lxc.conf
-
# Remove useless config for SysVinit.
rm -r "$pkgdir"/etc/default
}
lvm() {
pkgdesc="LVM support for LXC"
- depends="lvm2 util-linux lxc"
-
+ depends="$pkgname=$pkgver-r$pkgrel lvm2 util-linux"
+ install_if="$pkgname=$pkgver-r$pkgrel lvm2"
mkdir "$subpkgdir"
}
-_lua53() {
- pkgdesc="Lua 5.3 module for LXC"
-
- local dir; for dir in lib share; do
- mkdir -p "$subpkgdir"/usr/$dir
- mv "$pkgdir"/usr/$dir/lua "$subpkgdir"/usr/$dir/
- done
-}
-
_py3() {
pkgdesc="Python3 module for LXC"
depends="python3"
@@ -109,7 +99,7 @@ _py3() {
_download() {
pkgdesc="LXC container image downloader template"
- depends="$pkgname gnupg tar xz wget"
+ depends="$pkgname gnupg1 tar xz wget"
mkdir -p "$subpkgdir"/$_tmpldir
mv "$pkgdir"/$_tmpldir/lxc-download "$subpkgdir"/$_tmpldir/
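Review bot: `depends` for the download template switches from gnupg to gnupg1 with no comment saying why, so a later maintainer cannot tell whether lxc-download specifically needs the gpg 1.x command line or whether the choice is incidental. A one-line comment above the assignment, e.g. `# gnupg1 rather than gnupg: <reason lxc-download requires it>` with the reason filled in, would settle that; `_download()` continues past the hunk.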
@@ -117,18 +107,27 @@ _download() {
templates() {
pkgdesc="Templates for LXC (except alpine and download)"
- depends="bash tar"
-
+ depends="tar"
mkdir -p "$subpkgdir"/$_tmpldir
mv "$pkgdir"/$_tmpldir/* "$subpkgdir"/$_tmpldir/
+}
+
+templates_oci() {
+ pkgdesc="OCI Template for LXC"
+ depends="bash jq"
+ mkdir -p "$subpkgdir"/usr/share/lxc/templates
+ mv "$pkgdir"/usr/share/lxc/templates/lxc-oci \
+ "$subpkgdir"/usr/share/lxc/templates/
+}
- # Keep alpine template in the base package (doesn't need bash or GNU tar).
- mv "$subpkgdir"/$_tmpldir/lxc-alpine "$pkgdir"/$_tmpldir/
+pam() {
+ pkgdesc="PAM module for LXC"
+ mkdir -p "$subpkgdir"/lib/security
+ mv "$pkgdir"/lib/security/pam_cgfs.so "$subpkgdir"/lib/security/
}
dev() {
default_dev
-
# fix abuild smartness
mv "$subpkgdir"/usr/bin/lxc-config "$pkgdir"/usr/bin/
mv "$subpkgdir"/usr/bin/lxc-update-config "$pkgdir"/usr/bin/
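Review bot: `templates()` still describes itself as "Templates for LXC (except alpine and download)" while the `mv` that kept lxc-alpine in the base package is deleted, so either the description is stale or the alpine template now lands in the templates subpackage unannounced; check what the 3.1.0 tarball ships and adjust it, e.g. `pkgdesc="Templates for LXC (except download and oci)"` if lxc-alpine is no longer present. `templates_oci()` spells out `usr/share/lxc/templates` where the rest of the file uses `$_tmpldir`; `mkdir -p "$subpkgdir"/$_tmpldir` and `mv "$pkgdir"/$_tmpldir/lxc-oci "$subpkgdir"/$_tmpldir/` keep the two functions consistent. Because `templates()` moves `$_tmpldir/*`, the split only works while `$pkgname-templates-oci` and `$pkgname-download` precede `$pkgname-templates` in `subpackages`; a short comment on `templates()` such as `# must run after templates_oci and _download: this takes everything left in $_tmpldir` would stop a later reshuffle from swallowing those templates. The new `pam()` subpackage moves pam_cgfs.so without declaring any `depends`; whether the module needs the base package at runtime is not visible here and is worth confirming before release. `dev()` continues past the hunk.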
@@ -151,11 +150,11 @@ bridge() {
BRIDGE_DHCP_MAX="253"
BRIDGE_MAC="00:16:3e:00:00:00"
DNSMASQ_CONFFILE="/etc/lxc/dnsmasq.conf"
-EOF
+ EOF
cat >>"$subpkgdir"/etc/lxc/dnsmasq.conf <<- EOF
#dhcp-host=somehost,10.0.3.3
#dhcp-host=otherhost,10.0.3.4
-EOF
+ EOF
}
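Review bot: The heredoc terminators in `bridge()` are now indented (`	EOF`), which is only valid because the `cat >> ... <<- EOF` redirections strip leading tabs; if that indent is spaces rather than a tab the heredoc never terminates and the rest of the function is consumed as data. The rendered diff collapses whitespace, so I cannot tell which it is; verify the file uses a tab there, and also check that the body lines (`BRIDGE_DHCP_MAX=...`, `#dhcp-host=...`) are tab-indented or not indented at all, since any space indent on them is copied verbatim into the generated config files. `bridge()` starts outside the hunk.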
bashcomp() {
@@ -167,13 +166,6 @@ bashcomp() {
rmdir "$pkgdir"/etc/bash_completion.d
}
-sha512sums="205d30a8914013f3d31bdcae9786a13b6728ae0d3630f51c644f06e1e96d03631630569a0ce55764ff7b8ee1d1d4d723926fdb2b916396aea212d9c3040b45ab lxc-2.1.1.tar.gz
-029473d929e74c53f27982e713eae151e4b6c61635c4b38c16510b2fa996ea6ed96f29df131e9c58ab155631fc71eeb9cd5b46bcc051a99256c1dce4b0d4d7a5 0001-do_lxcapi_create-set-umask.patch
-9000f5dc0614dfbd840c3c5e0f6a6555bd8adbc63d4ec7d70448e354d2e7f6dd13ab09d88a36fbd66181cf3cb6db2f820c43d1f2ce8fce58d19e0bc379be1d9a make-dropping-setpcap-optional.patch
-ba540402a7d9411f1ff43e6d7e713a02ecdfc7a387d844dc972466ba6c5ca524e67b1db0e88beb9a2e388f074d0cf5395a7fdb543395f808c15ec64e15ff3c0b add-support-for-s390x-in-template.patch
-e2ffcbf55447291a8434a4f37255c3a6a119bc4116c75d205006aa2b070bf6be28535cf6107bead14bbf64bf9fa415346ab544bd1c15e1add7d1c6380e6b2def version.patch
+sha512sums="706cee9bc8ac57300574b59d728437e41baa4eb16c68f8548142e53b4e13679ef6698df30a4fbf8617e4f07338f898464e9f818e80d32648fe9717370dcbbb20 lxc-3.1.0.tar.gz
b74ffe7c3e8f193265a90ffeb6e5743b1212bc1416b898e5a7e59ddd7f06fc77dc34e2dcbb3614038ac6222a95e2b9beb9f03ab734c991837203ab626b1b091f lxc.initd
-91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd
-5b83b0323e58bf00bd1e124c265729499cee97559b6fe18482962e3bed50d121b4c7a09f25cbce7b1e18d4234627bc4b4581ba2060e33cd022f105b4429cef01 lxc.conf
-02fd192d137cbb5b6db6959275387d05653f41dad5a5e46ae9b53cacead8cef937733927284658d3f0b910de81f9364c7f0248db990efd88806cf3029264c214 download-template-tmpfs.patch
-3e45f78358fab1ff730853c26fef8694cb90d521077e5234affb960b4b89306c7592708da9aecf462074c54fdc631457e174303db175678552d558f864d9668d CVE-2018-6556.patch"
+91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd"
diff --git a/main/lxc/CVE-2018-6556.patch b/main/lxc/CVE-2018-6556.patch
deleted file mode 100644
index bd669cd3f6..0000000000
--- a/main/lxc/CVE-2018-6556.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-ADDENDUM from vdupras@gentoo.org: Original patch from Christian didn't
-include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in
-code that doesn't compile. I fetched the definition from the stable-3.0
-branch and included it to this patch. Also, this diff is regenerated
-from lxc-2.1.1 tag instead of stable-2.0 branch.
-
-Patch-Source: https://github.com/gentoo/gentoo/blob/4c6e73df9d616d5c472c276dd5bef70efea02907/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
-
-diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
-index 6f550f0d..09a342ac 100644
---- a/src/lxc/lxc_user_nic.c
-+++ b/src/lxc/lxc_user_nic.c
-@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
- exit(EXIT_FAILURE);
- }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index e6a44a51..c2a08a9d 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index e83ed49e..06ec74d7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -46,11 +46,16 @@
- #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
- #define LXC_LINELEN 4096
- #define LXC_IDMAPLEN 4096
-+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
-
- /* returns 1 on success, 0 if there were any failures */
- extern int lxc_rmdir_onedev(char *path, const char *exclude);
-@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);
diff --git a/main/lxc/add-support-for-s390x-in-template.patch b/main/lxc/add-support-for-s390x-in-template.patch
deleted file mode 100644
index ee2466d9cd..0000000000
--- a/main/lxc/add-support-for-s390x-in-template.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
-index 768e690..f14f4ea 100644
---- a/templates/lxc-alpine.in
-+++ b/templates/lxc-alpine.in
-@@ -130,6 +130,7 @@ parse_arch() {
- armv7) echo 'armv7';;
- arm*) echo 'armhf';;
- ppc64le) echo 'ppc64le';;
-+ s390x) echo 's390x';;
- *) return 1;;
- esac
- }
diff --git a/main/lxc/download-template-tmpfs.patch b/main/lxc/download-template-tmpfs.patch
deleted file mode 100644
index c3525908c9..0000000000
--- a/main/lxc/download-template-tmpfs.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/templates/lxc-download.in b/templates/lxc-download.in
-index 4905521..67a08a9 100644
---- a/templates/lxc-download.in
-+++ b/templates/lxc-download.in
-@@ -310,12 +310,15 @@ fi
-
- # Trap all exit signals
- trap cleanup EXIT HUP INT TERM
--
--if ! command -V mktemp >/dev/null 2>&1; then
-- DOWNLOAD_TEMP=/tmp/lxc-download.$$
-- mkdir -p "${DOWNLOAD_TEMP}"
--else
-- DOWNLOAD_TEMP=$(mktemp -d)
-+if ! grep -qw '/tmp' /proc/mounts; then
-+ if ! type mktemp >/dev/null 2>&1; then
-+ DOWNLOAD_TEMP=/tmp/lxc-download.$$
-+ mkdir -p $DOWNLOAD_TEMP
-+ else
-+ DOWNLOAD_TEMP=$(mktemp -d)
-+ fi
-+else # /tmp may be mounted in tmpfs / zram or noexec
-+ DOWNLOAD_TEMP=$(mktemp -d -p $LXC_PATH)
- fi
-
- # Simply list images
diff --git a/main/lxc/make-dropping-setpcap-optional.patch b/main/lxc/make-dropping-setpcap-optional.patch
deleted file mode 100644
index 5288d8f3b4..0000000000
--- a/main/lxc/make-dropping-setpcap-optional.patch
+++ /dev/null
@@ -1,24 +0,0 @@
---- lxc-lxc-2.1.1/config/templates/alpine.common.conf.in
-+++ lxc-lxc-2.1.1.setpcap/config/templates/alpine.common.conf.in
-@@ -8,7 +8,6 @@
- lxc.cap.drop = audit_write
- lxc.cap.drop = ipc_owner
- lxc.cap.drop = mknod
--lxc.cap.drop = setpcap
- lxc.cap.drop = sys_nice
- lxc.cap.drop = sys_pacct
- lxc.cap.drop = sys_ptrace
-Only in lxc-lxc-2.1.1.setpcap: config/templates/alpine.common.conf.in.orig
---- lxc-lxc-2.1.1/templates/lxc-alpine.in
-+++ lxc-lxc-2.1.1.setpcap/templates/lxc-alpine.in
-@@ -398,6 +398,9 @@
- # hostname(1).
- lxc.cap.drop = sys_admin
-
-+ # Comment this out if required by your applications.
-+ lxc.cap.drop = setpcap
-+
- # Include common configuration.
- lxc.include = $LXC_TEMPLATE_CONFIG/alpine.common.conf
- EOF
-Only in lxc-lxc-2.1.1.setpcap: templates/lxc-alpine.in.orig
diff --git a/main/lxc/version.patch b/main/lxc/version.patch
deleted file mode 100644
index 6f61d8257a..0000000000
--- a/main/lxc/version.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Fix version so apk-tools understand the .so version
-(1.0.0.rc4 -> 1.0.0_rc4)
-
-diff --git a/configure.ac b/configure.ac
-index 498d69a..f52bf8c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -8,7 +8,8 @@ m4_define([lxc_version_beta], [rc4])
-
- m4_define([lxc_version_base], [lxc_version_major.lxc_version_minor.lxc_version_micro])
- m4_define([lxc_version],
-- [ifelse(lxc_version_beta, [], [lxc_version_base], [lxc_version_base.lxc_version_beta])])
-+ [ifelse(lxc_version_beta, [], [lxc_version_base],
-+ [lxc_version_base[_]lxc_version_beta])])])
-
- AC_INIT([lxc], [lxc_version])
-