From 442723546eff2fff7851546c43b747d1bc2c4e173ee068deb6fd7fcd4dca76bc Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Mon, 9 Dec 2024 15:16:20 +0000
Subject: [PATCH] Add CVE-2023-46565 / bsc#1223794 reference.
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/lxd?expand=0&rev=151
---
 .gitattributes | 23 ++
 .gitignore | 1 +
 lxd-5.21.1.tar.gz | 3 +
 lxd-5.21.1.tar.gz.asc | 16 +
 lxd-config.yml | 21 +
 lxd-rpmlintrc | 8 +
 lxd.changes | 933 ++++++++++++++++++++++++++++++++++++++++++
 lxd.dnsmasq | 8 +
 lxd.keyring | 65 +++
 lxd.service | 32 ++
 lxd.spec | 446 ++++++++++++++++++++
 lxd.sysctl | 26 ++
 lxd.sysusers | 2 +
 13 files changed, 1584 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 lxd-5.21.1.tar.gz
 create mode 100644 lxd-5.21.1.tar.gz.asc
 create mode 100644 lxd-config.yml
 create mode 100644 lxd-rpmlintrc
 create mode 100644 lxd.changes
 create mode 100644 lxd.dnsmasq
 create mode 100644 lxd.keyring
 create mode 100644 lxd.service
 create mode 100644 lxd.spec
 create mode 100644 lxd.sysctl
 create mode 100644 lxd.sysusers
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/lxd-5.21.1.tar.gz b/lxd-5.21.1.tar.gz
new file mode 100644
index 0000000..b472c80
--- /dev/null
+++ b/lxd-5.21.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f148aa7e1fc31f6cef3038e141e9bd03787274ffc506b97376d758abf1a93cb7
+size 23753867
diff --git a/lxd-5.21.1.tar.gz.asc b/lxd-5.21.1.tar.gz.asc
new file mode 100644
index 0000000..7af1c6b
--- /dev/null
+++ b/lxd-5.21.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE7Ryh56b4DiLlyy2oSs4QZhV1RhQFAmYNR88ACgkQSs4QZhV1
+RhSTMQ/9E5mPMp0oUGAOnklusDMlyfPfY+rgYkXf73y51UuRRbO3Gb1Hz/zeamVH
+CknlsThw6GWD2cBgkGwEjGHO+hBYp8Qoaxp64GGftvz09aWyXxhHZDZOJTwfodPg
+0Ld+epZPfzgfQjlXlSP+s5BkRRlrvsopoqyxIUOdepJeitAMAE+mqeiLCUILJACH
+jiFmS7Unu5fWs+PaT1Msqf6UFawcwdOILjALlnAWDe4g6TcHL+jQAEO5LX9npalZ
+HGKytcYbtMyo8d/vXCK53qKYhGV7gR/52vgVb8N2NtUZcSPtKJAJ5PrMdwwwb8OJ
+xZdpfYBsViINffLBV6nL8mIvFaN+h7b4R/bcU+lCBJtsf0Dxf7IJmysG/w9V/jKt
+iKe9pNseETJyHrdL7qhKLv6QzhiogUVNGhT8IZhZM3eI9ABSpCKx222AIaDfxuMV
+YepbmJCAPHGFpePzaKGgHByjh6zm9m66RXg/nxP2ElAwLuZrMt5+wHX2UJiNc6LR
+H0V75WNWkWx+W2aXxBmLHk25ep3wlUpdWe3OtJIVdn47gVmjpYQawBReYDvkplAI
+V65lx2FO29r8QUONRGU6nt0rL3KMG82japB4KGDRNY4MB4pKBRNO2cqBEa1xjKmf
+SUrHIw7+wPruBCVpVTubunHVRb0GQ/k2Qas0I02Z4HEZ2a5lBXA=
+=9TMQ
+-----END PGP SIGNATURE-----
diff --git a/lxd-config.yml b/lxd-config.yml
new file mode 100644
index 0000000..61ec2bb
--- /dev/null
+++ b/lxd-config.yml
@@ -0,0 +1,21 @@
+# This is an example system-wide configuration file for the lxc client. Any
+# configuration entries added here will be merged with a user's configuration
+# when they run "lxc". This is primarily useful for defining system-wide
+# remotes, whose certificates are stored in /etc/lxd/servercerts.
+
+# An example configuration (from )
+# looks like the following:
+#
+# remotes:
+# foo:
+# addr: https://10.0.2.4:8443
+# auth_type: tls
+# project: default
+# protocol: lxd
+# public: false
+# bar:
+# addr: https://10.0.2.5:8443
+# auth_type: tls
+# project: default
+# protocol: lxd
+# public: false
diff --git a/lxd-rpmlintrc b/lxd-rpmlintrc
new file mode 100644
index 0000000..ef33556
--- /dev/null
+++ b/lxd-rpmlintrc
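Review bot: The parenthetical `(from )` on the sixth line of the lxd-config.yml hunk is empty, so the header comment points the reader at a source it never names; if the reference was dropped from the file itself rather than only from this rendering, it should either be restored or the clause removed, e.g. `# An example configuration looks like the following:`. The header already says the remotes' certificates live in /etc/lxd/servercerts, and since those files presumably decide which servers the `auth_type: tls` remotes accept, it is worth adding one sentence making that consequence explicit, e.g. `# The certificates in /etc/lxd/servercerts decide which servers these remotes trust; keep that directory writable only by root.` The indentation of the nested `remotes:` example is lost in this rendering, so I cannot tell whether the file's own copy is a valid YAML fragment once uncommented.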
@@ -0,0 +1,8 @@
+# The linking against full paths underneath /usr/lib64/lxd/ is intentional, as
+# our shared libraries are internal and aren't meant to be used outside LXD.
+# This error only appears in old SLE versions.
+addFilter ("^lxd.* E: invalid-filepath-dependency .* /usr/lib(32|64)?/lxd/")
+
+# We need lxd-agent and lxd-p2c to be statically linked.
+addFilter ("^lxd.*: [EW]: statically-linked-binary /usr/bin/lxd-(agent|p2c)")
+addFilter ("^lxd.*: [EW]: position-independent-executable-suggested /usr/bin/lxd-(agent|p2c)")
diff --git a/lxd.changes b/lxd.changes
new file mode 100644
index 0000000..ea50a15
--- /dev/null
+++ b/lxd.changes
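Review bot: The comment above the last two filters justifies only the static linking, yet the final addFilter also silences `position-independent-executable-suggested` for /usr/bin/lxd-agent and /usr/bin/lxd-p2c, which is a separate hardening property that a later packager may otherwise take for an oversight. Please state the reason PIE is accepted as absent for these two binaries next to that filter, for example `# The static build of these two binaries is also not PIE, so rpmlint's PIE suggestion is expected here.` — reworded if the build could in fact emit static PIE and this is a deliberate trade-off; the lxd.changes entry of Jun 2021 noting that lxd-agent is injected into VMs is the context a reader will want. Separately, the first filter matches `^lxd.* E:` while the other two use `^lxd.*: [EW]:`; changing it to `addFilter ("^lxd.*: [EW]: invalid-filepath-dependency .* /usr/lib(32|64)?/lxd/")` would keep the three patterns consistent and also cover the warning form, assuming that is intended.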
@@ -0,0 +1,933 @@ +------------------------------------------------------------------- +Tue Jun 11 11:27:33 UTC 2024 - Joshua Smith + +- Change license to AGPL-3.0-only AND Apache-2.0: + + All Canonical contributions have been relicensed and are now + under AGPLv3. Community contributions remain under Apache 2.0. + +- update to 5.21.1. Full changelog at: + https://discourse.ubuntu.com/t/lxd-5-21-1-lts-has-been-released/43823 + https://discourse.ubuntu.com/t/lxd-5-21-0-lts-has-been-released/42476 + https://discourse.ubuntu.com/t/lxd-5-20-has-been-released/40865 + + Bugfixes and improvements 5.21.1: + + Restricted metrics client certificate security regression fix + + New image server remote for non-Ubuntu images + + List all storage volumes API and CLI support + + Highlights 5.21.0: + + Change of version numbering scheme + + Fine grained authorization for OIDC users + + Optimized block volume refresh for Ceph RBD + + Device config override when importing instance backups + + Highlights 5.20.0: + + LXD change to AGPLv3 + + Create metadata and data OSD pools as part of creating a cephfs + storage pool + + Debug mode for EDK2 UEFI firmware + + Authorization restructure + + Shiftfs support has been removed + + Fix CVE-2023-46565. bsc#1223794 + +------------------------------------------------------------------- +Mon Nov 20 21:51:15 UTC 2023 - Dirk Müller + +- add attr as dependency for setfattr (bsc#1190416) + +------------------------------------------------------------------- +Sun Oct 29 15:06:18 UTC 2023 - Richard Rahl + +- update to 5.19. Full changelog at: + https://discourse.ubuntu.com/t/lxd-5-19-has-been-released/39590 + + Highlights: + + Add support for per-NIC device limits.priority option + + Instance volume configuration through disk device + +------------------------------------------------------------------- +Thu Oct 5 01:18:44 UTC 2023 - Richard Rahl + +- update to 5.18. 
Full changelog at + https://discourse.ubuntu.com/t/lxd-5-17-has-been-released/38061 + https://discourse.ubuntu.com/t/lxd-5-18-has-been-released/38769 + + Highlights 5.18: + + Receive OVN logs into LXD and Loki + + Highlights 5.17: + + ZFS 2.2 delegation support + + Add remote copy support for custom volume snapshots + + Allow recovery of empty storage pools + +------------------------------------------------------------------- +Sat Aug 19 05:15:39 UTC 2023 - Richard Rahl + +- remove the last bit of the old repo + +------------------------------------------------------------------- +Tue Aug 8 07:15:31 UTC 2023 - Dirk Müller + +- correct source0/1 urls + +------------------------------------------------------------------- +Sun Jul 23 17:44:26 UTC 2023 - Richard Rahl + +- fix import path to the new upstream git repo +- Update to 5.16. Full upstream changelogs are at + https://discourse.ubuntu.com/t/lxd-5-16-has-been-released/37150 + + Highlights: + + ISO volumes + + IPAM information + + selection of cluster groups when moving instances + +------------------------------------------------------------------- +Sat Jul 15 15:28:06 UTC 2023 - Dirk Müller + +- update keyring + +------------------------------------------------------------------- +Wed Jul 5 07:03:20 UTC 2023 - Richard Rahl + +- Update to 5.15. 
Full upstream changelogs are at + https://discuss.linuxcontainers.org/t/lxd-5-14-has-been-released/17259 and + https://discuss.linuxcontainers.org/t/lxd-5-15-has-been-released/17493 + + Highlights from 5.15: + + Non-UEFI support in LXD VMs (CSM) + + Instance rebuild + + Container pinning based on NUMA nodes + + User authentication information in API + + Highlights from 5.14: + + Cluster auto-healing + + OIDC web authentication + + lxc publish --reuse + + Support for specifying the size of an LVM thinpool + + Total disk and memory reporting + +------------------------------------------------------------------- +Thu Jun 15 12:05:08 UTC 2023 - Dominique Leuenberger + +- Fix call to sysctl_apply: this macro takes a parameter. + +------------------------------------------------------------------- +Thu May 18 03:03:30 UTC 2023 - Aleksa Sarai + +- Update to LXD 5.13. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-13-has-been-released/16949 + boo#1211477 + + LXD 5.13: + + Fast live migration for virtual machines + + AMD SEV support for virtual machines + + OpenID Connect authentication + + VDPA for network acceleration on OVN + + Layer 3 only support on OVN + + Nested NIC support on OVN networks + + Per user bridge in multi-user setups + + Support for growing existing storage pools + + LXD 5.12: + + Device wipe when creating storage pools + + VM generation id + + VM block cache mode + +------------------------------------------------------------------- +Sat Feb 18 11:23:42 UTC 2023 - Jacob Hansen + +- Update to LXD 5.11. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-11-has-been-released/16443 + + + Instance placement scriptlet + + Block storage mode on ZFS pools + + lxc cluster info command + + Support for attaching managed physical networks to instances + +------------------------------------------------------------------- +Mon Feb 13 13:03:24 UTC 2023 - Jacob Hansen + +- Update to LXD 5.10. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-10-has-been-released/16143 + + + Configurable network transmit queue length on NIC devices + +------------------------------------------------------------------- +Sun Dec 25 19:01:56 UTC 2022 - Kostas Papadakis + +- Add stop entry to systemd service file so the lxc containers shutdown + gracefully + +------------------------------------------------------------------- +Mon Dec 12 04:12:54 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.9. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-9-has-been-released/15907 + boo#1206296 + + + Network zones project feature + +------------------------------------------------------------------- +Tue Nov 22 06:34:14 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.8. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-8-has-been-released/15686 + boo#1205623 + + + CPU hotplug in VMs + + Device override on init and launch + * Record volume creation date + +------------------------------------------------------------------- +Fri Oct 28 23:55:12 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.7. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-7-has-been-released/15432 + boo#1204852 + + + ACME / Let’s Encrypt support + + Cloud-init validation + + Internal metrics + + Cluster join tokens expiry + + Proxy device hotplugging to VM + +------------------------------------------------------------------- +Mon Sep 26 02:20:04 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.6. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-6-has-been-released/15191 + boo#1203731 + + LXD 5.6: + + Grafana Loki support + + Object storage on local storage pools + + Infiniband support for virtual machines + + Restricted network access in projects + + instance-ready lifecycle event + + Metric for total effective CPUs + + LXD 5.5: + + Storage buckets (on Ceph) + + Instance Ready state + + Configurable BGP hold time + + All projects queries for storage volumes + + OOM kill counter in metrics + * Database optimization + + LXD 5.4: + + Load-balancers (OVN) + + Bi-directional vsock interface (VM) + * Changes to vsock API (LXD VMs) + +------------------------------------------------------------------- +Sun Jul 17 17:06:49 UTC 2022 - Callum Farmer + +- Change to using systemd-sysusers + +------------------------------------------------------------------- +Mon Jun 27 23:57:42 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.3. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-3-has-been-released/14439 + boo#1200974 + + + Extended raw.qemu support + + fscache support for cephfs storage pools + +------------------------------------------------------------------- +Sun May 29 02:18:04 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.2. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-2-has-been-released/14200 + boo#1200002 + + + VPD information in resources API + * Cross-project profile copy + * HTTP streaming support in /dev/lxd API + * Use of server-side filtering in CLI + * Ceph librbd for virtual machines +- Remove upstreamed patch: + + 0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch + +------------------------------------------------------------------- +Thu May 5 04:27:43 UTC 2022 - Aleksa Sarai + +- Update to LXD 5.1. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-5-1-has-been-released/13956 + boo#1199216 + + + Sysinfo system call interception + + lxc cluster role sub-command + * lxc storage volume info shows volume total size + + Configurable host network interface naming pattern + * Overrideable evacuation mode + * Setting profiles during an image copy +- Backport upstream patch to fix build on x32 systems. + + 0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch +- Make CRIU a Recommends so that we can still use LXD on 32-bit openSUSE. + +------------------------------------------------------------------- +Thu May 5 03:31:24 UTC 2022 - Aleksa Sarai + +- Update to LXD 4.24. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-24-has-been-released/13550 + boo#1199215 + + This is the last release before LXD 5.0 (which does not support the Leap 15.3 + kernel -- LXD 5.0 requires kernel 5.4 or newer). Thus this will be the last + LXD release for Leap 15.3. 
+ + + lxc file mount and new files API + + Cluster event hub role + * Reworked lxc storage volume info + + AppArmor profiles for image extractors + + Grafana dashboard + + Degraded startup (missing disk) + + restricted.containers.interception project option + + core.metrics_authentication server option + + Network interface name and MTU in virtual machines + + I/O uring support for VM storage + + ipv4.neighbor_probe and ipv6.neighbor_probe NIC options + +------------------------------------------------------------------- +Mon Dec 13 02:46:02 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.21. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-21-has-been-released/12860 + boo#1193649 + + + Cluster member groups + * Reworked cloud-init support + + Trust certificate self-renewal + + Restricted disk passthrough in projects + + Restricted idmap uid/gid in projects + + List all lxc commands with --sub-commands + + List instances across all projects with --all-projects + + New database-leader cluster role + * Consistent units for byte sizes. + * Routed networking in virtual machines + + Support for ipv4.routes and ipv6.routes on routed type NICs + + Option to skip records for NAT-ed addresses in network zones + + Allow blocking an IP address family with security filtering options + + New ceph.rbd.du storage config option to disable potentially slow rbd du + * Optimized moving of instances and volumes between projects + * Support for copying/moving custom volumes between cluster members + +------------------------------------------------------------------- +Mon Nov 8 03:24:36 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.20. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-20-has-been-released/12540 + boo#1192432 + + + Live migration of virtual machines + + Network peering for OVN + + Network zones (DNS) + + SR-IOV acceleration for OVN networking + + Linux sysctl configuration on containers + + Core scheduling for virtual machines + + Cluster member configuration + * Improvement to network leases + +------------------------------------------------------------------- +Sun Sep 5 06:43:47 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.18. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-18-has-been-released/12068/2 + boo#1190323 + + + Network forwards (floating IPs) + + Native BGP support + * NAT address customization with OVN + * lxd cluster edit for cluster disaster recovery + + Refresh support for custom volume copies + + Additional device restrictions for projects + * --minimal option for lxd init + * Additional network counters in instance state + +- Disable stripping of binaries, which seems to be causing issues at runtime + due to some ld.so assertion failing. In particular it seems that libdqlite is + getting corrupted somehow. + +------------------------------------------------------------------- +Fri Aug 20 11:59:37 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.17. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-17-has-been-released/11812 + boo#1189645 + + + lxd import replaced by new lxd recover + + Cluster member evacuation + * Reworked lxc info output + + Requestor address in lifecycle event + + USB GPU support in the resources API + + Monitoring of all projects in lxc monitor + + Alternative format options in lxc monitor + +------------------------------------------------------------------- +Sat Jul 31 04:33:50 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.16. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-16-has-been-released/11547 + boo#1188946 + + + Cluster certificate update + + Copy/move of custom volumes between projects + + lxc monitor --pretty now works with all event types + + Easier revocation of cluster join tokens + + IP filtering on unmanaged bridges + + New warnings + + New lifecycle events + +- Remove upstreamed patches: + + boo1186786-0001-forkexec-handle-broken-close_range-backport-in-openS.patch + +------------------------------------------------------------------- +Wed Jul 7 16:52:36 UTC 2021 - Bernhard Wiedemann + +- Build with go1.15 for reproducible build results (boo#1102408) + +------------------------------------------------------------------- +Fri Jun 25 09:59:23 UTC 2021 - Aleksa Sarai + +- Add backport for which fixes a + Leap-specific kernel backport bug (close_range(2) was backported but not the + flags that it supported in the first version). boo#1186786 + + boo1186786-0001-forkexec-handle-broken-close_range-backport-in-openS.patch + +------------------------------------------------------------------- +Tue Jun 8 02:25:02 UTC 2021 - Aleksa Sarai + +- Build lxd-agent and lxd-p2c statically to match upstream LXD build scripts + (and to make VMs work properly -- lxd-agent is injected into the VM). +- Update lxd-rpmlintrc to match this. + +------------------------------------------------------------------- +Sun Jun 6 07:03:53 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.15. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-15-has-been-released/11252 + bsc#1186906 + + + Network interface hotplug in VMs + + Configurable shutdown timeout + + New persistent warnings (time skew, apparmor and virtiofsd) + + Location field in /dev/lxd API + + New type and name columns in lxc config trust list + + Cluster members acting as database stand-by now visible + + lxc monitor --pretty now supported with lifecycle events + + New --expire flag for lxc publish + + Requestor now recorded in lifecyle events + + Proxy header support on main API endpoint + + Full swagger coverage of REST API + +------------------------------------------------------------------- +Tue Jun 1 20:35:20 UTC 2021 - Dirk Müller + +- fix dependencies for aarch64/armv7l + +------------------------------------------------------------------- +Tue Jun 1 11:57:52 UTC 2021 - Aleksa Sarai + +- Fix build on i586 by if_arch-ing out the VM support on non-x86_64 platforms. + +------------------------------------------------------------------- +Mon May 31 05:11:38 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.14. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-14-has-been-released/11008 + bsc#1186647 + + + ACL support on managed bridges + + Cluster member certificates + + Cluster member description + + Cluster token based join + + Server warnings + + Backup and snapshot project restrictions + + User keys in device configuration + + More auto-generated REST-API documentation + +- Remove upstreamed patches: + - boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch + +------------------------------------------------------------------- +Wed Apr 21 00:19:11 UTC 2021 - Aleksa Sarai + +- Don't use SecureBoot OVMF blobs, they don't work with LXD. +- Add backport of to fix LXD VMs on + openSUSE. 
boo#1181549 + + boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch + +------------------------------------------------------------------- +Mon Apr 12 05:19:43 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.13. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-13-has-been-released/10737 + boo#1184580 + + + Support for instance filters in "lxc list" + + NVIDIA MIG support for containers + + System wide configuration in /etc/lxd + + Project resource usage + + Snapshot schedule aliases (cron-like @... aliases) + + images.default_architecture for multi-architecture setups + + New description column in "lxc {project,profile,storage} list" + + Reworked handling of default action in network ACLs + + "lxc stop --console" + + More auto-generated REST-API documentation + +------------------------------------------------------------------- +Mon Mar 15 16:49:41 UTC 2021 - Callum Farmer + +- Move OVMF symlinks to /usr/share, /opt is not allowed in SUSE + packages. + +------------------------------------------------------------------- +Fri Mar 5 16:31:52 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.12. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-12-has-been-released/10424 + boo#1183111 + + + Initial Network ACLs support (OVN-only) + + Project restricted certificates + + Server configuration options now supported at the project level + + Configuration option for Ceph features + * Projects now supported by lxd init --dump and --preseed + * Initial auto-generated REST-API documentation + + + VM: Stateful stop and stateful snapshots for virtual machines +- Updated packaging to support VMs, though note that LXD's usage of QEMU causes + issues with QEMU 5.2 on openSUSE (because of how we package it). See + for more details. bsc#1181549 +- Prefix all binaries with lxd- if they don't start with "lx[cd]". 
This is to + avoid having cases like lxd-generate where there's a binary in /usr/bin that + has a super-generic name. + +------------------------------------------------------------------- +Fri Feb 5 07:41:04 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.11. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-11-has-been-released/10135 + boo#1181825 + + + Bulk instance state change API + + GVRP support for dynamic vlan configuration + + Server-side instance storage pool migration + + Volume usage API + + + VM: SR-IOV GPU Support + + VM: PCI Device Type + + VM: ISO images now exposed as cdrom + +------------------------------------------------------------------- +Mon Jan 11 12:53:22 UTC 2021 - Aleksa Sarai + +- Update to LXD 4.10. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-10-has-been-released/9894 + boo#1180772 + + + VLAN information in network state + + Proxy device support for VMs (NAT only) + + Bridge port isolation + + New sub-commands for image properties + + Multi-queue networking in VMs + +------------------------------------------------------------------- +Sat Dec 12 06:32:48 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.9. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-9-has-been-released/9673 + boo#1179972 + + + Mediated GPU devices for Virtual Machines + + IOMMU groups for PCI devices + + QEMU version in server environment information + * Improved lifecycle events + + "user." 
keys allowed on all objects + + usb_address and pci_address properties in USB/network resources + + ipv4.dhcp and ipv6.dhcp on OVN networks + + ovn.ingress_mode on physical networks + + ipv4.routes.anycast and ipv6.routes.anycast on physical networks + + limits.instances project option + + zstd compression for images and backups + +------------------------------------------------------------------- +Fri Nov 13 06:15:10 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.8. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-8-has-been-released/9458 + boo#1178759 + + + vTPM support + + VirtioFS support for virtual machines + + Full CGroup2 support + + rebase mode for zfs.clone_copy + + --reuse option in lxc snapshot and lxc storage volume snapshot + * restarted lifecycle event + * Improved logging of user requests + +------------------------------------------------------------------- +Sat Oct 17 09:03:58 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.7. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-7-has-been-released/9213 + boo#1177825 + + + Backup (export/import) of custom storage volumes + + Import of instances with alternative name + + Virtual machine memory shrinking (and re-grow) + + USB device passthrough for virtual machines + + Configurable rsync compression in migration + + Restrict available uplinks for project networks + + Add new physical managed network type + + Support for external routed addresses/subnets on OVN + +------------------------------------------------------------------- +Sat Sep 19 04:50:10 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.6. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-6-has-been-released/8981 + boo#1176737 + + + Networks in projects + + AppArmor profiles for qemu + - Removal of custom sqlite fork. 
+ +------------------------------------------------------------------- +Sat Aug 29 02:59:26 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.5. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-5-has-been-released/8824 + boo#1175910 + + + Initial support for OVN virtual networks + + Initial bpf syscall interception + * Support for native terminal device allocation + * VGA console now working on Windows + * Improved handling of remote storage pools + * forkdns and forkproxy now running under AppArmor confinement + + lxc move now let’s you select a cluster target too + +------------------------------------------------------------------- +Sat Aug 1 07:14:32 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.4. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-4-has-been-released/8574 + boo#1174789 + + + VGA console for virtual machines + + Clustering failure domains + + /dev/lxd API in virtual machines + + Graceful daemon shutdown + + macvlan and sriov managed network types + + Disk usage limits in projects + + AppAmor confinement for dnsmasq + + GPU mediated devices in resources API + + --console option in lxc launch + +------------------------------------------------------------------- +Thu Jul 2 02:12:53 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.3. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-3-has-been-released/8303 + boo#1173608 + + + Block custom storage volumes + + VM: Initial work for graphical console + * VM: Rework of PCIe layout + + VM: GPU passthrough + * Direct console attach on lxc start and lxc restart + * Isolated CPUs reporting in resources API + +------------------------------------------------------------------- +Fri Jun 5 23:58:50 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.2. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-2-has-been-released/8071 + bsc#1172605 + + + VLAN filtering on bridges + * Expanded network state information + + Support for custom search domains + + New IPv4 and IPv6 columns in network lists + * mips & riscv64 support for containers and s390x support for VMs + * Using pidfds for all container subprocesses + * LVM volumes only active when needed + + DB query tracing support + * Better cluster life-cycle handling + * Cleaned up database functions + +------------------------------------------------------------------- +Sat May 9 03:45:46 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.1. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-1-has-been-released/7737 + + + Push and relay support for images + + Routing table support for routed NIC devices + + L2 mode for ipvlan NIC devices + * Tweaks to the resources API + * Addition of OS data in the server information + + New lxd cluster remove-raft-node command + * Improved table sorting in the command line tool + +------------------------------------------------------------------- +Fri Apr 24 06:58:55 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.0.1. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-0-1-lts-has-been-released/7515 + boo#1170404 + + * Tweaked and improved the resources API + * Added lxd cluster remove-raft-node disaster recovery function + * Implemented ceph rbd/fs disk devices can now be attached to virtual machines + * Fixed some data migration issues for users of < 3.0 upgrading to 4.0 directly + * Fixed file descriptor leakage in exec + +------------------------------------------------------------------- +Wed Apr 1 14:23:25 UTC 2020 - Aleksa Sarai + +- Update to LXD 4.0.0. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-4-0-lts-has-been-released/7231 + boo#1168338 + + Breaking Changes: + * Removal of --container-only, replaced by --instance-only + + + VM: Support for backup (import/export) + + PCI and USB devices in the resource API + + Support for multiple ipvlan NIC devices + + Support for host addresses on routed NIC + + Support for editing cluster roles + + Disk usage for custom volumes + + Disk usage for snapshots + + Support for passwordless PKI mode + +------------------------------------------------------------------- +Sat Mar 21 04:55:09 UTC 2020 - Aleksa Sarai + +- Update to LXD 3.23. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-23-has-been-released/7140 + boo#1167304 + + Custom storage volumes in projects + + Schedule snapshots for custom storage volumes + + Expiry for custom storage volumes + + Limits for projects + + Restrictions for projects + + Improved backup/export logic + + VM: Support for migration + + VM: Support for publishing + +------------------------------------------------------------------- +Sat Mar 7 14:49:16 UTC 2020 - Aleksa Sarai + +- Update to LXD 3.22. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-22-has-been-released/7027 + boo#1165976 + + Resource limits for projects + + nftables backend for firewalling + + Container: Hugepages in unprivileged containers + + VM: Support for 9p disk devices + + VM: File templating support + +------------------------------------------------------------------- +Fri Feb 14 07:27:24 UTC 2020 - Aleksa Sarai + +- Update to LXD 3.21. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-21-has-been-released/6802 + boo#1163651 + + New way to attach to LXD managed networks + + Clustering: Configurable number of active and standby database members + * Ceph ported to new storage driver infrastructure + * VM: CPU pinning and topology + * VM: Network and storage optimizations + * VM: Agent-less reporting of IPv6 addresses +- Remove upstreamed patch. boo#1156336 + - boo1156336-0001-vfs-vfs__delete-fix-double-unlock-of-root-mutex.patch + +------------------------------------------------------------------- +Mon Feb 3 15:03:49 UTC 2020 - Dominique Leuenberger + +- BuildRequire pkgconfig(libudev) instead of libudev-devel: Allow + OBS to shortcut through the -mini flavors. + +------------------------------------------------------------------- +Sat Feb 1 23:37:24 UTC 2020 - Aleksa Sarai + +- Fix bash-completion by installing it to the correct path. boo#1162426 + +------------------------------------------------------------------- +Fri Jan 31 10:16:27 UTC 2020 - Aleksa Sarai + +- Backport https://github.com/canonical/dqlite/pull/207 to fix boo#1156336. + + boo1156336-0001-vfs-vfs__delete-fix-double-unlock-of-root-mutex.patch + +------------------------------------------------------------------- +Fri Jan 31 00:33:47 UTC 2020 - Aleksa Sarai + +- Update to LXD 3.20. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-20-has-been-released/6673 + boo#1162299 + + Server side support of API collections + + New unix-hotplug device type + + Support for standby cluster members +- Update packaging to use GOPATH="_dist" rather than trying to move everything + to vendor/. This is the recommended approach by upstream (and makes our + specfile marginally less horrific). + +------------------------------------------------------------------- +Fri Jan 17 05:17:53 UTC 2020 - Aleksa Sarai + +- Update to LXD 3.19. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-19-has-been-released/6529 + boo#1161615 + + Virtual machine support + + Reworked storage layer + + Routed networking mode + + Custom mount options for disk devices + + Interception of the mount system call + + Multi-architecture clustering + + ... +- Rework package handling to fake Go module builds. + +------------------------------------------------------------------- +Wed Dec 11 23:55:40 UTC 2019 - Aleksa Sarai + +- Support older SLE systems which don't have "usermod -w -v". + +------------------------------------------------------------------- +Thu Oct 3 01:53:53 UTC 2019 - Aleksa Sarai + +- Update to LXD 3.18. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-18-has-been-released/5869 + boo#1152846 + + New /1.0/instances endpoint + + Support for storing VM images + + Extended disk resources information + + Modification of image expiry date + + Clustering roles + + IPv4 configuration when in Fan mode + +------------------------------------------------------------------- +Wed Sep 25 11:03:42 UTC 2019 - Aleksa Sarai + +- Clean up a few remaining specfile bits left over from the 3.17 update. + +------------------------------------------------------------------- +Tue Sep 24 12:31:21 UTC 2019 - Aleksa Sarai + +- Completely drop all stripping -- it appears to cause all sorts of problems + with unresolved symbol errors. +- Update to LXD 3.17. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-17-has-been-released/5679 + boo#1151874 + + Storage pool backed image tarballs and backups + + Container configuration as YAML on lxc init and lxc launch + * Ported to final Dqlite 1.0 + * Database rework + * Container devices rework + * Storage rework + +------------------------------------------------------------------- +Mon Jul 15 06:40:30 UTC 2019 - Aleksa Sarai + +- Update to LXD 3.15. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-15-has-been-released/5218 + + Switch to dqlite 1.0. + * Reworked DHCP lease handling + * Reworked cluster heartbeat handling + * Better syscall interception framework + * More reliable unix socket proxying + + Hardware VLAN and MAC filtering on SR-IOV + + New storage-size option for lxd-p2c + + IPv4 and IPv6 filtering (spoof protection) + * Reworked resources API (host hardware) + + Control over uid, gid and cwd during command execution + + Quota support for custom storage volumes on dir backend + * Lots of bug fixes... + +------------------------------------------------------------------- +Wed Jun 19 07:21:29 UTC 2019 - Aleksa Sarai + +- Update to LXD 3.14. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-14-has-been-released/5045 + boo#1138770 + + Cluster: Re-worked DNS forwarding + + Script to factory reset LXD + + Improvements to syscall interception + * Lots of bug fixes... + +------------------------------------------------------------------- +Wed Jun 19 03:16:40 UTC 2019 - Aleksa Sarai + +- Update build to use go_nostrip, in order to attempt to fix the broken + binaries on Leap 15.1. boo#1138769 + +------------------------------------------------------------------- +Sun Jun 9 08:21:19 UTC 2019 - Aleksa Sarai + +- Explicitly require lxcfs-hooks-lxc. LXD supports lxcfs but it requires tha + the LXC configuration files be present. + +------------------------------------------------------------------- +Sun Jun 2 17:22:35 UTC 2019 - Jan Engelhardt + +- Trim filler wording from description. +- Remove --with-pic which often has no point with --disable-static. +- Avoid bash-specific sh code. + +------------------------------------------------------------------- +Thu May 9 20:28:55 UTC 2019 - Aleksa Sarai + +- Update to LXD 3.13. 
The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-13-has-been-released/4738 + boo#1138031 + + Cluster: Improved heartbeat interval + + Cluster Internal container copy + + Initial syscall interception support + + Role Based Access Control + + IPVLAN support + + Quota support on dir storage backend + + Routes on container NIC devices + + Configurable NAT source address + + LXC features exported in API + * Lots of bug fixes... + +------------------------------------------------------------------- +Mon Apr 8 13:18:50 UTC 2019 - Jan Engelhardt + +- %pre bash features: replace by POSIX equivalents. +- %build bash features: add %_buildshell definition for it. +- Do not ignore errors from groupadd. + +------------------------------------------------------------------- +Fri Apr 5 19:13:48 UTC 2019 - Aleksa Sarai + +- Update to LXD 3.12. The full upstream changelog is available from: + https://discuss.linuxcontainers.org/t/lxd-3-12-has-been-released/4483 + + Cluster: Aggregated DHCP leases + + Cluster: Events now show location + + Cluster: Operations now show location + + Cluster: Support for --target in more commands + + Shiftfs support + + Kernel features now exported over API + + Improved CPU reporting + + GPU reporting + + Snapshot expiry now visible in lxc info + * Lots of bug fixes... + +------------------------------------------------------------------- +Thu Mar 28 01:54:01 UTC 2019 - Aleksa Sarai + +- Make sqlite+dqlite both shared libs to avoid bloating RSS. In order to avoid + issues with packaging new versions of libsqlite3 there are a bunch of + DT_SONAME and DT_NEEDED hacks to ensure that rpm doesn't cause false-positive + conflicts or other issues. This requires a new lxd-rpmlintrc to work on older + SLE versions. + +------------------------------------------------------------------- +Tue Mar 26 02:44:05 UTC 2019 - Aleksa Sarai + +- Initial packaging of LXD 3.11. 
diff --git a/lxd.dnsmasq b/lxd.dnsmasq
new file mode 100644
index 0000000..e4461bc
--- /dev/null
+++ b/lxd.dnsmasq
@@ -0,0 +1,8 @@
+# WARNING: DO NOT MODIFY THIS FILE.
+# Changes to this file will be lost when the lxd package is updated or removed.
+# Instead, add changes to /etc/dnsmasq.d/.
+
+# Tell any system-wide dnsmasq instance to make sure to bind to interfaces
+# instead of listening on 0.0.0.0.
+bind-interfaces
+except-interface=lxdbr0
diff --git a/lxd.keyring b/lxd.keyring
new file mode 100644
index 0000000..237e449
--- /dev/null
+++ b/lxd.keyring
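Review bot: The `except-interface=lxdbr0` line covers only the default bridge name, and the header comment does not say so; if other LXD-managed bridges exist on the host, a system-wide dnsmasq would still bind to them and collide with the instance LXD runs there. Since the file tells admins to put changes in /etc/dnsmasq.d/, the header should spell out what change is expected: `# Only the default bridge is excluded; add an except-interface line in /etc/dnsmasq.d/ for any other LXD-managed bridge.`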
@@ -0,0 +1,65 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFyiNooBEADCs1KhgS+tDQbEqERIL7RSB3hVrDECAAys35O7QEfnMXTaUnB1 +CVjb0gom4c+dDOLXhe4i05HWDfoc3+JJMNsSfyN2e/kocI00u9zKiDN45kZpXpC5 +3J6dUYCFDhvR/j9iAhITYJA4KgFDmEc0axocxGCkJhvdX307tInpgnuOfg8qf0Wq +wXfrCDikZhBNP4cgW12Lzc5CFhBXK6uyOOe61R4ErMZb4DGsO3RNYVS9er1QsXgV +LskKVwzbRV0oZ8rmfgOBoeuDl5KIjVrJI2xP8Sw0mQzypdZO6UjmEUA+zq2xpPoM +17DeDYdJ6LGCB04+g8utofZnFcl1VSw1dXMlLjZ71X35scEi14zE3N7Q8vOkAND9 +xmiHdCy3n2bnEdOE/ZQbh9o1ttHFE8Bkf8XDc2+sKr+unWnGhnTzemNl1EsUw1P3 +9nDV8Uv1tjcC2Vx6tGyDi/GbATdwC7yYJoMWuyP1K7RAXSlqWKZLswqILkbuyJII +ge2nQPCcJ36uf1Fph9lfXmlzrHLsvn21jNQnbUPIFmi2jFkG+ISA7LA+Df7xrYIe +Rmo/pUdnGcWdpFEd1tg84bKzi1Ue48tmRfxgf6FmchwqelSXb9uQBrjzWK1SQfwR +rpodLREyJmwSky6J+ldigUXXmnBzQ/JNFGc6po1y5BHHBRuwMhefd57LwwARAQAB +tC1UaG9tYXMgUGFycm90dCA8dGhvbWFzLnBhcnJvdHRAY2Fub25pY2FsLmNvbT6J +Ak4EEwEKADgWIQTtHKHnpvgOIuXLLahKzhBmFXVGFAUCZJVGjwIbAwULCQgHAgYV +CgkICwIEFgIDAQIeAQIXgAAKCRBKzhBmFXVGFCo3EACmUM07J7jf5HfQO9fEd8IV +3d2ff3uA5DtFulZHNLAJ/jCopeHeX7f8V0iYwpyjzcupdQJZ64my99+3z8sdAqPD +bsDedIr0Kb3gjRunGRLSla/u9hxVXbdwmqgzfcOWo1fR3crbVCSjyGhci9K5EqK4 +iquQhVmEjNMFs2i2L+OrO2NHS3mSeEDv8BhMA73OZNoIP6L0kvL1ye1sd7MbXYTh +EapnHURT4j24CTMDrCg6pVAjZDo5YIdixk7B2kM0KZANubQz278nIFdpQ07pNikk +OGMZOiuP7dYgt6dDNIRXY2oBwTefGTIRG7dW2Tlb+Pm2+0r7A28KGR8+oz+Gll7C +rfkvDx2AJqdsS166ssu81PQusdgMCSUR6+LblvlXVIMiRD9W4woZa1rpGnDrRBVT +spwb6WcNGmSXbSe2HLuPOAg6qHlchlv2ZW2S68jMgh2EGN4TIWapSkJCw0BLdNvm +Dz1vwNf6HQ8KZh2VQiRQhTNgvvmkRyVQSBfvdDvfDca1GIi4+tgd0jbr6Gy1+l1h +bv0NgJUjIRo3DLVs7dHCfr9D8CzcjCPxXpauvd6AYJ63cXkXfE6IH/+fk0M3Y+pI +6G58gNii2TG60xaQJ0+rePF1pHNIf1cEKRNjPaSTaEZBvew6r55U1N8gZwzExtsB +isJYiWMpL9BeAhJxdQBAHLQdVGhvbWFzIFBhcnJvdHQgPHRvbXBAdG9tcC51az6J +Ak4EEwEKADgWIQTtHKHnpvgOIuXLLahKzhBmFXVGFAUCXKI2igIbAwULCQgHAgYV +CgkICwIEFgIDAQIeAQIXgAAKCRBKzhBmFXVGFFCrEADBekf1mFk/RzD2eagfqIHC +LoVlJVVOUVyD/8kyYLLJFJDDp9EKJkCqM67aBYKcnM8nnuUQybJcdeC9tbXH7UfI +dFH6nO/PYOECVFHJy0UP27+x0SpG3EA4mDiEyFTnRRJIEDaH4ANMXQxKekcwqpBl 
+SH1TtpS3ckKiCZ016+epxj1kWuRRTy37xYrv08RvLQAVPCF7dWhOmn6AYnrNZZAt +MnZktrijHjU/ZjF7EXT+dSI1PnqHsW8AHu9dWgyXQI+e2jYPmSFPx5MFgY3GXjrC +KUhPbZ9Ctjpk3ooFrK4EcJIhpNMmB6tycSmquXRUpa+xZXIZ6gFAKYrv577oqmZe +++jneHwYzXfRIDol0rhgPbyS1FqNXGpVtNgmRS8N4yyphSSuPZPvq1lvbOFNzcqn +Zlc5QPJUW/SyrNQOM0jp5a5wLKbUo4L05nODuUG2Rqy9Qr664iv+P88IGS8QKnbX +LgRZahPTQ6cRpNmdOvY0aTaciBeBi1EyW0vywmKZEjZLdBmpzwXJUa+yLzjCOLNa +IliriIjBoMloUOT3kLGKRZ6OFBXAv4wds8U+Ac2qQnpO3P1sT3peC7oNprnhJ0Jq +WPsRtDVfgCutgtmvYn5a/NSLhFr2UmKOnLJj6VV2HMBdYTh2w/+hotbnSjLXalmi +xmkMSm7sGRBFL1natOuaybkCDQRcojaKARAAp04MWhQS/hR7OVSyu3Y2APzgketB +261q/oPFIPYUv8oaXlR3JWXvR5+NsOkwCRemgGJI73dbjLACPc2meVHngvL4PoAd +w8IPmODBpMZCK+b1sxzfo+chzihoJF8PMFVH5G+xBPwpO/nAaJjx6VJNL0pBCr0m +4sMJ9Lxr+mK4vEdGwTqbfil+/Bsk2voCwhCgXjmyNSvQuLbIhoLvbIE8Za/BAsDU +HRllnFXCFU0l/KU4IS4mczHq3Fp9ycSNYG0Q3K8wmCu/QSnilwhDV35JPMl6Vexe +ZYQ96B1cSxi1dRKA4Ckf0ISbfoECxp/jFEJelIfYSCWHeSnCMzMjbkjy+t9R79KT +xo7lRTAs3CD9+hfBSzZHBmsOS2ykC1Fa1CODIfZOwvOBX3fZyMjjlQpJfPut148R +Q5nR+4dc4t8xKMDkpImX3uODIjr2PpEvTN4ytNCZhyaNdFuMnuEGZcJkA8BfNTrS +7o2tY45zoC0S6kAMiLN/V5Td7ewi5NjGm0DGZ5QJMDLefZHitApmduPoYsGrtAmo +uueehBcaa23BRF8qzqt1hAJ+lOdkbi65X2m6ZVoUcut/qStdH46XvA5KcPVyx1xU +quZPt7H25wzp6bAZKs0XCafkfJp2ZhhpFx7CPZLLHJkszqpxrFyh/dTbgNWAv6EI +vuEGPT2p347TEX0AEQEAAYkCNgQYAQoAIBYhBO0coeem+A4i5cstqErOEGYVdUYU +BQJcojaKAhsMAAoJEErOEGYVdUYUEkIQAMB223yj+SDWn0ufG0X/8lGC7cnbfqFE +09P3BcjXLFp2qznbZ3p4utKOXVBoh17xO1MXCfakGRJkn20M/M69xuKJGB3nSRsK +daJX6JPXqlLb74s+7csC+NgnyIfISvfZ5gB8u9KjnPHFC6+COG5KdlZjY6XtbsHV +qhhCxBcKKG4c4IY3w8H/zj1Y4KZPyTWtWu9j1y+IAdSIXmJgIU+w3W1X15L5dbIH +u7Qit/h4zxA1TNYP6Lyocm+7++C2HGTEmWbbFIU0WRdcyPLAEfX2YgfOUuXCp8jY +dWyYknQ7E77KlmhQgK66MwXQPKFnvwdU4cplNsKY5l0qAT1EGPypZfvlIU1pUW+G +T7qy/6B8X8hb4ynqjL/mRsqxumV23Xhv/2S7XFXXjrebk38w1kU0kWS2s3Nqbwq1 +5szF2KWgKKO7n+KSuAjOt3p4ztZ6V041WmCL9TIjSacQRAeunIsLupx0EPnedLkO +jc8ZYFY731OF3q1DBWbKnRzPXVazMMNIYUxQ1DMaOAqFTuxEYj02lRHqIoJBCq/L +cHgyVCYmdETM7A/Wkh+iRXH6txPA64loHwEvmxrSiBhmd3T19KwBWAk/AtCnjEgL 
+wW0aPgVEE7KBMLpyfGHQevQVwW1YsrxncQvT7vgT+h+P9mAgOcEOPdnsGT6T1ljS
+lw4DIrt30T1S
+=JHs9
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/lxd.service b/lxd.service
new file mode 100644
index 0000000..ef99bf3
--- /dev/null
+++ b/lxd.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=LXD Container Hypervisor
+After=network-online.target lxcfs.service
+Requires=network-online.target lxcfs.service
+Documentation=man:lxd(1)
+
+[Service]
+Environment=LXD_OVMF_PATH=/usr/share/lxd/ovmf
+ExecStart=/usr/bin/lxd --group=lxd --logfile=/var/log/lxd/lxd.log
+ExecStartPost=/usr/bin/lxd waitready --timeout=600
+ExecStop=/usr/bin/lxd shutdown --timeout=600
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# No need to add a task limit.
+TasksMax=infinity
+
+# Set delegate yes so that systemd does not mess with LXD cgroups.
+Delegate=yes
+
+# Kill only the LXD process, not all processes in the cgroup.
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/lxd.spec b/lxd.spec
new file mode 100644
index 0000000..a3f652e
--- /dev/null
+++ b/lxd.spec
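Review bot: `TimeoutStopSec=30s` is shorter than the 600 s that `ExecStop=/usr/bin/lxd shutdown --timeout=600` is allowed to wait, so systemd will kill the stop command after 30 s while the daemon may still be shutting instances down cleanly; the two values should agree, e.g. `TimeoutStopSec=600s`, or the shutdown timeout should be lowered to fit. The same pairing on the start side is only just consistent: `TimeoutStartSec=600s` covers both ExecStart and the `waitready --timeout=600` ExecStartPost, so a slow start can hit the unit timeout a moment before waitready gives up. Separately, `LimitCORE=infinity` means a daemon crash writes an unbounded core file; if that is deliberate (presumably for debugging), a comment next to the accounting rationale saying so would stop a reviewer from flagging it.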
@@ -0,0 +1,446 @@
+#
+# spec file for package lxd
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# nodebuginfo
+
+
+%go_nostrip
+
+%define _buildshell /bin/bash
+%define import_path github.com/canonical/lxd
+
+%define lxd_datadir %{_datadir}/lxd
+%define lxd_ovmfdir %{lxd_datadir}/ovmf
+
+# We need OVMF in order to support VMs with LXD. At the moment this means we
+# can only support it on x86_64.
+%ifarch x86_64
+%define arch_vm_support 1
+%else
+%define arch_vm_support 0
+%endif
+
+Name: lxd
+Version: 5.21.1
+Release: 0
+Summary: Container hypervisor based on LXC
+License: AGPL-3.0-only AND Apache-2.0
+Group: System/Management
+URL: https://ubuntu.com/lxd
+Source: https://github.com/canonical/lxd/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1: https://github.com/canonical/lxd/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz.asc
+Source2: %{name}.keyring
+Source3: %{name}-rpmlintrc
+Source4: %{name}.sysusers
+# LXD upstream doesn't use systemd, they use snapd.
+Source100: %{name}.service
+# LXD upstream doesn't have a sample config file.
+Source101: %{name}-config.yml
+# Additional runtime configuration.
+Source200: %{name}.sysctl
+Source201: %{name}.dnsmasq
+BuildRequires: fdupes
+BuildRequires: go >= 1.22
+BuildRequires: golang-packaging
+BuildRequires: libacl-devel
+BuildRequires: libcap-devel
+BuildRequires: liblz4-devel
+BuildRequires: patchelf
+BuildRequires: pkgconfig
+BuildRequires: rsync
+BuildRequires: sqlite3-devel >= 3.25
+BuildRequires: sysuser-tools
+BuildRequires: pkgconfig(libudev)
+BuildRequires: pkgconfig(lxc) >= 4.0.0
+# Needed to build dqlite and raft.
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires: pkgconfig(libuv) >= 1.8.0
+Requires: kernel-base >= 5.4
+# Bits required for images and other things at runtime.
+Requires: acl
+Requires: attr
+Requires: ebtables
+BuildRequires: dnsmasq
+Requires: dnsmasq
+Requires: lxcfs
+Requires: lxcfs-hooks-lxc
+Requires: rsync
+Requires: squashfs
+Requires: tar
+Requires: xz
+%if 0%{arch_vm_support} != 0
+# Needed for VM support.
+Requires: qemu-ovmf-x86_64
+BuildRequires: qemu-ovmf-x86_64
+# QEMU spice became a separate package for QEMU 5.2, which is not in Leap 15.2.
+# But it exists in Tumbleweed so only require this in Tumbleweed.
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} == 150300
+Requires: qemu-ui-spice-core
+%else
+Requires: qemu-ui-spice-app
+%endif
+%ifarch %ix86 x86_64
+Requires: qemu-x86 >= 6.0
+%endif
+%ifarch aarch64 %arm
+Requires: qemu-arm >= 6.0
+%endif
+%endif
+# Storage backends -- we don't recommend ZFS since it's not *technically* a
+# blessed configuration.
+Recommends: lvm2
+Recommends: btrfsprogs
+Recommends: thin-provisioning-tools
+# CRIU is used for certain operations but is not necessary (and is no longer
+# shipped on 32-bit openSUSE).
+Recommends: criu >= 2.0
+Suggests: zfs
+%sysusers_requires
+
+%description
+LXD is a system container manager. It offers a user experience
+similar to virtual machines but uses Linux containers (LXC) instead.
+
+%package bash-completion
+Summary: Bash Completion for %{name}
+Group: System/Management
+Requires: %{name} = %{version}
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+Bash command line completion support for %{name}.
+
+%prep
+%setup -q
+
+%build
+%sysusers_generate_pre %{SOURCE4} %{name} %{name}.conf
+# Make sure any leftover go build caches are gone.
+go clean -cache
+
+# Set up temporary installation paths.
+export INSTALL_ROOT="$PWD/.install"
+export INSTALL_INCLUDEDIR="$INSTALL_ROOT/%{_includedir}"
+export INSTALL_LIBDIR="$INSTALL_ROOT/%{_libdir}/%{name}"
+
+# We first need to build all of the LXD-specific dependencies. To avoid binary
+# bloat, we build them as dylibs -- but we then later need to mess around with
+# the ELF headers to stop the openSUSE packaging scripts from freaking out.
+export CFLAGS="%{optflags} -fPIC -DPIC"
+
+# We have a temporary-install directory which contains all of the dylib deps.
+export PKG_CONFIG_SYSROOT_DIR="$INSTALL_ROOT"
+export PKG_CONFIG_PATH="$INSTALL_LIBDIR/pkgconfig"
+# For some reason, Leap need us to specify this explicitly now.
+export CPPFLAGS="-I$INSTALL_INCLUDEDIR"
+
+# raft
+pushd "vendor/raft"
+autoreconf -fiv
+%configure \
+ --libdir="%{_libdir}/%{name}" \
+ --disable-static
+make %{?_smp_mflags}
+make DESTDIR="$INSTALL_ROOT" install
+popd
+
+# dqlite
+pushd "vendor/dqlite"
+(
+autoreconf -fiv
+%configure \
+ --libdir="%{_libdir}/%{name}" \
+ --disable-static
+make clean
+make %{?_smp_mflags}
+make DESTDIR="$INSTALL_ROOT" install
+)
+popd
+
+# Find all of the main packages using go-list.
+readarray -t mainpkgs \
+ <<<"$(go list -f '{{.Name}}:{{.ImportPath}}' %{import_path}/... | \
+ awk -F: '$1 == "main" { print $2 }' | \
+ grep -Ev '^github.com/canonical/lxd/(test|shared)')"
+
+# Needed because lxd and deps use funky #cgo LDFLAGS that Go blocks by default.
+export CGO_LDFLAGS_ALLOW="(-Wl,-wrap,pthread_create)|(-Wl,-z,now)"
+
+# And now we can finally build LXD and all of the related binaries.
+mkdir bin
+for mainpkg in "${mainpkgs[@]}"
+do
+ # Make sure all binaries *except* "lxc" have an lxd- prefix.
+ binary="$(basename "$mainpkg")"
+ if ( echo "$binary" | grep -Eqv '^lx[cd].*$' )
+ then
+ binary="lxd-$binary"
+ fi
+ case "$binary" in
+ lxd-agent)
+ build_static=1
+ build_tags="agent,netgo"
+ ;;
+ lxd-p2c)
+ build_static=1
+ build_tags="netgo"
+ ;;
+ *)
+ build_static=
+ build_tags="libsqlite3"
+ ;;
+ esac
+ (
+ # We need to link against our particular dylib deps.
+ export \
+ CGO_CFLAGS="-I $INSTALL_INCLUDEDIR" \
+ CGO_LDFLAGS="-L $INSTALL_LIBDIR" ||:
+
+ if [ -n "$build_static" ]
+ then
+ CGO_ENABLED=0 go build -ldflags "-extldflags -static" \
+ -tags "$build_tags" -o "bin/$binary" "$mainpkg"
+ else
+ go build -buildmode=pie \
+ -tags "$build_tags" -o "bin/$binary" "$mainpkg"
+ fi
+ )
+done
+
+# This part is quite ugly, so I apologise upfront.
+#
+# We want to have our vendor/* libraries be dylibs so that we don't bloat our
+# lxd binary. Unfortunately, we are presented with a few challenges:
+#
+# * Doing this naively (put it in {_libdir}) results in sqlite3 package
+# conflicts -- and we aren't going to maintain sqlite3 for all of openSUSE
+# here.
+#
+# * Putting everything in a hidden {_libdir}/{name} with RUNPATH configured
+# accordingly works a little better, but still results in lxd ending up with
+# {Provides,Requires}: libsqlite3.so.0. This results in more esoteric
+# conflicts but is still an issue (we'd need to add Prefer: libsqlite3-0
+# everywhere).
+#
+# So, the only reasonable choice left is to use absolute paths as DT_NEEDED
+# entries -- which bypasses the need for RUNPATH and allows us to set garbage
+# sonames for our vendor/* libraries. Absolute paths for DT_NEEDED is
+# *slightly* undefined behaviour, but glibc has had this behaviour for a very
+# long time -- and others have considered using it in a similar manner[1].
+#
+# What F U N.
+#
+# [1]: https://github.com/NixOS/nixpkgs/issues/24844
+
+(
+ # A simple check that lxd isn't broken. We can't do this after patchelf
+ # because we'd need to chroot(2) into {buildroot} which isn't permitted due
+ # to user namespaces being blocked inside rpmbuild. boo#1138769
+ export LD_LIBRARY_PATH="$INSTALL_LIBDIR"
+ ./bin/lxd help
+)
+
+for lib in "$INSTALL_LIBDIR"/lib*.so
+do
+ # Strip off last two version digits.
+ name="$(basename "$(readlink "$lib")" | sed -E 's/\.[0-9]+\.[0-9]+$//')"
+ # Give our libraries unrecognisable DT_SONAME entries.
+ patchelf --set-soname "._LXD_INTERNAL-$name" "$lib"
+ # Make sure they're executable.
+ chmod +x "$lib"
+done
+
+# Switch to absolute DT_NEEDED for all dylibs we have as well as the main LXD
+# binary. We do this for all dylibs to make sure we don't end up with weird
+# chain-loading problems.
+for target in bin/* "$INSTALL_LIBDIR"/lib*.so
+do
+ case "$(basename "$target")" in
+ lxd-agent|lxd-p2c)
+ # Cannot patch static binaries, and the patching isn't necessary
+ # for them anyway.
+ continue
+ ;;
+ *)
+ ;;
+ esac
+
+ # Drop RPATH in case it got included during builds.
+ patchelf --remove-rpath "$target"
+ # And now replace all the possible DT_NEEDEDs to absolute paths.
+ for lib in "$INSTALL_LIBDIR"/lib*.so
+ do
+ # Strip off last two version digits.
+ name="$(basename "$(readlink "$lib")" | sed -E 's/\.[0-9]+\.[0-9]+$//')"
+ patchelf --replace-needed {,%{_libdir}/%{name}/}"$name" "$target"
+ done
+done
+
+# Generate man pages.
+mkdir man
+./bin/lxc manpage man/
+
+# Final sanity-check during build.
+pushd bin/
+for bin in *
+do
+ # Ensure that all our binaries are dynamic (except for lxd-p2c and
+ # lxd-agent, which must be static). boo#1138769
+ case "$(basename $bin)" in
+ lxd-agent|lxd-p2c)
+ file "$bin" | grep 'statically linked'
+ ;;
+ *)
+ file "$bin" | grep 'dynamically linked'
+ # Check what they are linked against.
+ ldd "$bin"
+ ;;
+ esac
+done
+popd
+
+%install
+export INSTALL_LIBDIR="$PWD/.install/%{_libdir}/%{name}"
+
+install -d -m 0755 %{buildroot}%{_libdir}/%{name}
+# We can't use install because *.so.$n are symlinks.
+cp -avt %{buildroot}%{_libdir}/%{name}/ "$INSTALL_LIBDIR"/lib*.so.*
+
+# Install all the binaries.
+pushd bin/
+for bin in *
+do
+ install -D -m 0755 "$bin" "%{buildroot}%{_bindir}/$bin"
+done
+popd
+
+# System-wide client configuration.
+install -D -m0644 %{S:101} %{buildroot}/etc/lxd/config.yml
+install -d -m0755 %{buildroot}/etc/lxd/servercerts
+
+# Install man pages.
+pushd man/
+for man in *
+do
+ section="${man##*.}"
+ install -D -m 0644 "$man" "%{buildroot}%{_mandir}/man$section/$man"
+done
+popd
+
+# bash-completion.
+install -D -m 0644 scripts/bash/lxd-client %{buildroot}%{_datadir}/bash-completion/completions/lxc
+
+# sysv-init and systemd setup.
+install -D -m 0644 %{S:100} %{buildroot}%{_unitdir}/%{name}.service
+mkdir -p %{buildroot}%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+
+# Run-time configuration.
+install -D -m 0644 %{S:200} %{buildroot}%{_sysctldir}/60-lxd.conf
+install -D -m 0644 %{S:201} %{buildroot}%{_sysconfdir}/dnsmasq.d/60-lxd.conf
+
+# Run-time directories.
+install -d -m 0711 %{buildroot}%{_localstatedir}/lib/%{name}
+install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
+
+# sysusers.d
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+%if 0%{arch_vm_support} != 0
+# In order for VM support in LXD to function, you need to have OVMF configured
+# in the way it expects. In particular, LXD depends on specific filenames for
+# the firmware files so we create fake ones with symlinks.
+mkdir -p %{buildroot}%{lxd_ovmfdir}
+ln -s %{_datarootdir}/qemu/ovmf-x86_64-code.bin %{buildroot}%{lxd_ovmfdir}/OVMF_CODE.fd
+ln -s %{_datarootdir}/qemu/ovmf-x86_64-vars.bin %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.fd
+ln -s OVMF_VARS.fd %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.ms.fd
+%endif
+
+%fdupes %{buildroot}
+
+%pre -f %{name}.pre
+
+# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
+# distros don't have it. LXD just parses it and doesn't need any special
+# shadow-utils helpers.
+touch /etc/subuid /etc/subgid ||:
+
+# Add sub[ug]ids for LXD's unprivileged containers -- in order to support
+# isolated containers we add quite a few subuids. Since LXD runs as root we add
+# them for the root user (not the lxd group). We only bother if there aren't
+# any mappings available already.
+#
+# We have no guarantee that the range we pick will be unique -- which ideally
+# we would want it to be. There isn't a nice way to do this without
+# reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So
+# we just pick the 400-900 million range, and hope for the best (most tutorials
+# use the 1-million range, so we avoid that pitfall).
+#
+# This default setting of 500 million is enough for ~8000 isolated containers,
+# which should be enough for most users.
+grep -q '^root:' /etc/subuid || \
+ usermod -v 400000000-900000000 root &>/dev/null || \
+ echo "root:400000000:500000001" >>/etc/subuid ||:
+grep -q '^root:' /etc/subgid || \
+ usermod -w 400000000-900000000 root &>/dev/null || \
+ echo "root:400000000:500000001" >>/etc/subgid ||:
+
+%service_add_pre %{name}.service
+
+%post
+%sysctl_apply 60-lxd.conf
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%sysctl_apply 60-lxd.conf
+%service_del_postun %{name}.service
+
+%files
+%defattr(-,root,root)
+%doc AUTHORS README.md doc/
+%license COPYING
+%{_bindir}/lx{c,d}*
+%{_mandir}/man*/*
+%{_libdir}/%{name}
+
+%dir /etc/lxd
+%config(noreplace) /etc/lxd/config.yml
+%dir /etc/lxd/servercerts
+
+%if 0%{arch_vm_support} != 0
+%{lxd_datadir}
+%endif
+
+%{_sbindir}/rc%{name}
+%{_unitdir}/%{name}.service
+%{_sysusersdir}/%{name}.conf
+
+%dir %{_localstatedir}/lib/%{name}
+%dir %{_localstatedir}/log/%{name}
+
+%{_sysctldir}/60-lxd.conf
+%config(noreplace) %{_sysconfdir}/dnsmasq.d/60-lxd.conf
+
+%files bash-completion
+%defattr(-,root,root)
+%{_datadir}/bash-completion/
+
+%changelog
diff --git a/lxd.sysctl b/lxd.sysctl
new file mode 100644
index 0000000..0bf91f6
--- /dev/null
+++ b/lxd.sysctl
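Review bot: The `%pre` scriptlet uses the bash-only redirection `&>/dev/null` on both `usermod` lines, while `%define _buildshell /bin/bash` earlier in the file only governs the build sections; install scriptlets run under /bin/sh, and a strictly POSIX sh would parse `usermod ... root &` as a background job, so the `grep || usermod` pair would be backgrounded and the `echo` fallback could never run. On openSUSE /bin/sh is bash so this works in practice, but the changelog in this same package (L24) records replacing bash features in `%pre` with POSIX equivalents, and the portable spelling costs nothing: `usermod -v 400000000-900000000 root >/dev/null 2>&1 || \` and `usermod -w 400000000-900000000 root >/dev/null 2>&1 || \`. A comment on the preceding `touch /etc/subuid /etc/subgid ||:` noting that it only creates the files when missing (it is otherwise harmless) would also save the next reader a moment.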
@@ -0,0 +1,26 @@
+# WARNING: DO NOT MODIFY THIS FILE.
+# Changes to this file will be lost when the lxd package is updated or removed.
+# Instead, add changes to /etc/sysctl.d/.
+
+# These defaults come from doc/production-setup.md, but have been slightly
+# modified to be less extreme. The recommended value is included as a comment
+# below each changed value.
+
+# inotify limits.
+fs.inotify.max_queued_events = 131072 # 1048576
+fs.inotify.max_user_instances = 131072 # 1048576
+fs.inotify.max_user_watches = 131072 # 1048576
+
+# Number of memory mappings a process can have (lxd can have quite a lot).
+#vm.max_map_count = 262144
+
+# Deny container access to kmsg, but this also blocks non-root host users so
+# it's disabled by default. This isn't a bad hardening measure in general.
+#kernel.dmesg_restrict = 1
+
+# ARP table size (one per container)
+net.ipv4.neigh.default.gc_thresh3 = 2048 # 8192
+net.ipv6.neigh.default.gc_thresh3 = 2048 # 8192
+
+# Number of kernel keyrings for unprivileged users (one per container).
+kernel.keys.maxkeys = 2048
diff --git a/lxd.sysusers b/lxd.sysusers
new file mode 100644
index 0000000..51bfa52
--- /dev/null
+++ b/lxd.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+g lxd - - - -
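Review bot: The trailing `# 1048576` / `# 8192` comments on the five value lines are, as far as I can tell, not stripped by sysctl loaders (systemd-sysctl takes everything after `=` as the value), so the string `131072 # 1048576` is what gets written to /proc/sys and the write is rejected or only partially applied depending on the kernel handler; the spec's `%sysctl_apply 60-lxd.conf` in `%post` would surface this at install time. The header already promises the recommended value "as a comment below each changed value", so the fix is to move them onto their own lines, e.g. `# recommended: 1048576` above `fs.inotify.max_queued_events = 131072`, and likewise for the other four. The keyring comment also describes the limit loosely; `kernel.keys.maxkeys` caps keys per non-root user rather than keyrings, so `# Maximum number of keys a non-root user may own (containers consume these).` would be more accurate.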