Accepting request 976038 from Virtualization:containers

- Update to LXD 5.1. The full upstream changelog is available from: https://discuss.linuxcontainers.org/t/lxd-5-1-has-been-released/13956 boo#1199216 + Sysinfo system call interception + lxc cluster role sub-command * lxc storage volume info shows volume total size + Configurable host network interface naming pattern * Overrideable evacuation mode * Setting profiles during an image copy - Backport upstream patch to fix build on x32 systems. + 0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch - Make CRIU a Recommends so that we can still use LXD on 32-bit openSUSE. OBS-URL: https://build.opensuse.org/request/show/976038 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/lxd?expand=0&rev=42
2022-05-10 13:12:42 +00:00 · 2022-05-10 13:12:42 +00:00 · f8c3ee49cf
commit f8c3ee49cf
parent 9fdbeea162 ee035bec7c
7 changed files with 248 additions and 27 deletions
--- a/0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch
+++ b/0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch
@ -0,0 +1,174 @@
+From fd6845ddda3f80cdd24a8f94c42acce6bff0c41f Mon Sep 17 00:00:00 2001
+From: Thomas Parrott <thomas.parrott@canonical.com>
+Date: Fri, 29 Apr 2022 11:12:48 +0100
+Subject: [PATCH] lxd/secommp: Fix sysinfo syscall interception on 32 bit
+ platforms
+
+Fixes #10347
+
+Backport: <https://github.com/lxc/lxd/pull/10348>
+Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
+---
+ lxd/seccomp/seccomp.go    | 22 ++++++++++++++--------
+ lxd/seccomp/sysinfo.go    | 13 +++++++++++++
+ lxd/seccomp/sysinfo_32.go | 19 +++++++++++++++++++
+ lxd/seccomp/sysinfo_64.go | 19 +++++++++++++++++++
+ 4 files changed, 65 insertions(+), 8 deletions(-)
+ create mode 100644 lxd/seccomp/sysinfo.go
+ create mode 100644 lxd/seccomp/sysinfo_32.go
+ create mode 100644 lxd/seccomp/sysinfo_64.go
+
+diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
+index 03fee3c71a09..203d408a8286 100644
+--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
+@@ -1709,6 +1709,7 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 
+ 	defer l.Debug("Handling sysinfo syscall")
+ 
+	// Pre-fill sysinfo struct with metrics from host system.
+ 	info := unix.Sysinfo_t{}
+ 	err := unix.Sysinfo(&info)
+ 	if err != nil {
+@@ -1718,6 +1719,8 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 		return 0
+ 	}
+ 
+	instMetrics := Sysinfo{} // Architecture independent place to hold instance metrics.
+
+ 	cg, err := cgroup.NewFileReadWriter(int(siov.msg.init_pid), liblxc.HasApiExtension("cgroup2"))
+ 	if err != nil {
+ 		l.Warn("Failed loading cgroup", logger.Ctx{"err": err, "pid": siov.msg.init_pid})
+@@ -1735,7 +1738,7 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 		return 0
+ 	}
+ 
+-	info.Uptime = int64(time.Now().Sub(f.ModTime()).Seconds())
+	instMetrics.Uptime = int64(time.Now().Sub(f.ModTime()).Seconds())
+ 
+ 	// Get instance process count.
+ 	pids, err := cg.GetTotalProcesses()
+@@ -1746,7 +1749,7 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 		return 0
+ 	}
+ 
+-	info.Procs = uint16(pids)
+	instMetrics.Procs = uint16(pids)
+ 
+ 	// Get instance memory stats.
+ 	memStats, err := cg.GetMemoryStats()
+@@ -1760,9 +1763,9 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 	for k, v := range memStats {
+ 		switch k {
+ 		case "shmem":
+-			info.Sharedram = v
+			instMetrics.Sharedram = v
+ 		case "cache":
+-			info.Bufferram = v
+			instMetrics.Bufferram = v
+ 		}
+ 	}
+ 
+@@ -1784,8 +1787,8 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 		return 0
+ 	}
+ 
+-	info.Totalram = uint64(memoryLimit)
+-	info.Freeram = info.Totalram - uint64(memoryUsage) - info.Bufferram
+	instMetrics.Totalram = uint64(memoryLimit)
+	instMetrics.Freeram = instMetrics.Totalram - uint64(memoryUsage) - instMetrics.Bufferram
+ 
+ 	// Get instance swap info.
+ 	if s.s.OS.CGInfo.Supports(cgroup.MemorySwapUsage, cg) {
+@@ -1805,14 +1808,17 @@ func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int {
+ 			return 0
+ 		}
+ 
+-		info.Totalswap = uint64(swapLimit)
+-		info.Freeswap = info.Totalswap - uint64(swapUsage)
+		instMetrics.Totalswap = uint64(swapLimit)
+		instMetrics.Freeswap = instMetrics.Totalswap - uint64(swapUsage)
+ 	}
+ 
+ 	// Get writable pointer to buffer of sysinfo syscall result.
+ 	const sz = int(unsafe.Sizeof(info))
+ 	var b []byte = (*(*[sz]byte)(unsafe.Pointer(&info)))[:]
+ 
+	// Write instance metrics to native sysinfo struct.
+	instMetrics.ToNative(&info)
+
+ 	// Write sysinfo response into buffer.
+ 	_, err = unix.Pwrite(siov.memFd, b, int64(siov.req.data.args[0]))
+ 	if err != nil {
+diff --git a/lxd/seccomp/sysinfo.go b/lxd/seccomp/sysinfo.go
+new file mode 100644
+index 000000000000..b255894af26e
+--- /dev/null
+++ b/lxd/seccomp/sysinfo.go
+@@ -0,0 +1,13 @@
+package seccomp
+
+// Sysinfo architecture independent sysinfo struct.
+type Sysinfo struct {
+	Uptime    int64
+	Totalram  uint64
+	Freeram   uint64
+	Sharedram uint64
+	Bufferram uint64
+	Totalswap uint64
+	Freeswap  uint64
+	Procs     uint16
+}
+diff --git a/lxd/seccomp/sysinfo_32.go b/lxd/seccomp/sysinfo_32.go
+new file mode 100644
+index 000000000000..e52808300dd0
+--- /dev/null
+++ b/lxd/seccomp/sysinfo_32.go
+@@ -0,0 +1,19 @@
+//go:build 386 || arm || ppc || s390 || mips || mipsle
+
+package seccomp
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// ToNative fills fields from s into native fields.
+func (s *Sysinfo) ToNative(n *unix.Sysinfo_t) {
+	n.Bufferram = uint32(s.Bufferram)
+	n.Freeram = uint32(s.Freeram)
+	n.Freeswap = uint32(s.Freeswap)
+	n.Procs = s.Procs
+	n.Sharedram = uint32(s.Sharedram)
+	n.Totalram = uint32(s.Totalram)
+	n.Totalswap = uint32(s.Totalswap)
+	n.Uptime = int32(s.Uptime)
+}
+diff --git a/lxd/seccomp/sysinfo_64.go b/lxd/seccomp/sysinfo_64.go
+new file mode 100644
+index 000000000000..84383b1c5a86
+--- /dev/null
+++ b/lxd/seccomp/sysinfo_64.go
+@@ -0,0 +1,19 @@
+//go:build amd64 || ppc64 || ppc64le || arm64 || s390x || mips64 || mips64le || riscv64
+
+package seccomp
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// ToNative fills fields from s into native fields.
+func (s *Sysinfo) ToNative(n *unix.Sysinfo_t) {
+	n.Bufferram = s.Bufferram
+	n.Freeram = s.Freeram
+	n.Freeswap = s.Freeswap
+	n.Procs = s.Procs
+	n.Sharedram = s.Sharedram
+	n.Totalram = s.Totalram
+	n.Totalswap = s.Totalswap
+	n.Uptime = s.Uptime
+}
+-- 
+2.35.1
+
--- a/lxd-4.21.tar.gz
+++ b/lxd-4.21.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7a6745b50a5914d6f7812ee1def103373b38ea4759593302a0eded2787a652ac
-size 15786720
--- a/lxd-4.21.tar.gz.asc
+++ b/lxd-4.21.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEYC9WdmPlk7y9FPM4xjiXTWR5LWcFAmGy10wACgkQxjiXTWR5
-LWd17A//fdMawoe2Pnih8G1sHkstk6+Ey4nL7LmAn90bX8Kx9BrjCf9NpZ5HJsK6
-l9MSUYih1Hdgh7lT8TFW8yBV7Ao/dVBr0lqmlp/3RVDgNgJTB5n20bz9Nj/E24nA
-yj46gHV7FQJsAvGXav5o1R08FYGRqOvK9w5z4dQbRJbuuDLf0NIdLcEMEsHBJSUK
-NdI3ARPP5pngMFM5PSNc2zvdwAsOBkXFNH1xJR6wJl3vhOg0UjZ50No0GqrJgnZb
-mLRKFrbcmfToIOvtoa9j7KpdvSnW4xD+MbjAKvk3jfdG8szI6NCpO+8oyv3SBzcP
-h0ZBnokVO3P0NeADZN3mtrWYfIE5wht/3C6dq5Hf6OoRPRzfSGj8TzBJD8nESlgr
-Po4A3Quc6BhtRNNimf5q/3TT8X33++wChUnK3sOh7RItMEnbYEJbYTD0cBgJ1KPB
-JTwWoTs6jO41RMLIjRFwlyzyY72P6JzNBd3lXgTcnyE8l6DALm0z4zKiTcOh1m3b
-18VNyKOcCEz+M562gl+ZvjBjDqwe2fBpEsxaUt/38n4BKQM2Hv+s+VTnVX+1apV2
-A0HdlCDNBeDMjN9YXnTZ7o47CVp1F34VkjDZH9XysvOIHsdXYMP1IrCxABktdTPL
-OicEwiiN143VKCicLCyBTj0ZoibKsu/q5PtxjWqoTWu4OM6M4xU=
-=5FDX
-----END PGP SIGNATURE-----
--- a/lxd-5.1.tar.gz
+++ b/lxd-5.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:319f4e93506e2144edaa280b0185fb37c4374cf7d7468a5e5c8c1b678189250a
+size 18017579
--- a/lxd-5.1.tar.gz.asc
+++ b/lxd-5.1.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEYC9WdmPlk7y9FPM4xjiXTWR5LWcFAmJq60YACgkQxjiXTWR5
+LWcnZA/9E3XxPxLaFVnfT16kOYIFCZX50eyumUefcS+T5qhu19yX1MdvOC3ESLIn
+bSQjK/AVjL9UgNpQQTaMYkn1FWq1ZH6jdwzB6y4hBMcP7iE3BqihCoehZk0K+oC4
+sybqSimUqt491/HNSVdDChGTHhr2BVZRTLmAo46EdBueb4WYGyTzEiiSUM0cmMF5
+Af5/MjpuYfmVxr7DfbXeBibJzhpg6x5PzyYzRvC0hMAg2qrMYZMAWhJXXFFE3VCt
+QszrMriGbOcSqfSL0VqSjGgUJW7B0StVBQq16TkdhO+oBMUvfjTCm1e11uoWNN4p
+8PS6vA9yeNIjd2+UuubsG+gGssHhgKpMSDPt0bFZNMW7y6m7OwNk0W+CUgA1bxnK
+QPn3QFfi+QkmEUCLZjVLu/pQDH46fD1RUk1G0zYHdlnVJpUCM+sH4YbKwYDax/lS
+ZaL26ihG25sZw3fESermEAUSRS8q68HDWzDad0+YE4hnQscqFo8toNxNv/+8QHx/
+b6fQM6gaEIu43u/JqAJCURtIkW0aiSRI/vcZfGnPoFA77wbzCeA0DxGJURlFsP6Q
+hbVlmunKDzDKukO5w1zKJBOjiAj/aBElRR/iRvVmwCwwAPiBXhvpn6eamGTgJNsa
+UR2a5xew76JL1yQ4ug9yi0aObXh3gULd9XuY8E1Uu5Rk16vag9U=
+=rsCN
+-----END PGP SIGNATURE-----
--- a/lxd.changes
+++ b/lxd.changes
@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu May  5 04:27:43 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to LXD 5.1. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-5-1-has-been-released/13956
+  boo#1199216
+
+  + Sysinfo system call interception
+  + lxc cluster role sub-command
+  * lxc storage volume info shows volume total size
+  + Configurable host network interface naming pattern
+  * Overrideable evacuation mode
+  * Setting profiles during an image copy
+- Backport upstream patch to fix build on x32 systems.
+  + 0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch
+- Make CRIU a Recommends so that we can still use LXD on 32-bit openSUSE.
+
+-------------------------------------------------------------------
+Thu May  5 03:31:24 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to LXD 4.24. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-24-has-been-released/13550
+  boo#1199215
+
+  This is the last release before LXD 5.0 (which does not support the Leap 15.3
+  kernel -- LXD 5.0 requires kernel 5.4 or newer). Thus this will be the last
+  LXD release for Leap 15.3.
+
+  + lxc file mount and new files API
+  + Cluster event hub role
+  * Reworked lxc storage volume info
+  + AppArmor profiles for image extractors
+  + Grafana dashboard
+  + Degraded startup (missing disk)
+  + restricted.containers.interception project option
+  + core.metrics_authentication server option
+  + Network interface name and MTU in virtual machines
+  + I/O uring support for VM storage
+  + ipv4.neighbor_probe and ipv6.neighbor_probe NIC options
+
 -------------------------------------------------------------------
 Mon Dec 13 02:46:02 UTC 2021 - Aleksa Sarai <asarai@suse.com>

--- a/lxd.spec
+++ b/lxd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package lxd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -34,7 +34,7 @@
 %endif

 Name:           lxd
-Version:        4.21
+Version:        5.1
 Release:        0
 Summary:        Container hypervisor based on LXC
 License:        Apache-2.0
@ -51,6 +51,8 @@ Source101:      %{name}-config.yml
 # Additional runtime configuration.
 Source200:      %{name}.sysctl
 Source201:      %{name}.dnsmasq
+# OPENSUSE-UPSTREAM-FIX: Backport of <https://github.com/lxc/lxd/pull/10348>.
+Patch1:         0001-lxd-secommp-Fix-sysinfo-syscall-interception-on-32-b.patch
 BuildRequires:  fdupes
 BuildRequires:  golang-packaging
 BuildRequires:  libacl-devel
@ -61,19 +63,19 @@ BuildRequires:  pkg-config
 BuildRequires:  rsync
 BuildRequires:  sqlite3-devel >= 3.25
 BuildRequires:  pkgconfig(libudev)
-BuildRequires:  pkgconfig(lxc) >= 3.0.0
+BuildRequires:  pkgconfig(lxc) >= 4.0.0
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
-# for 'golang(API) >= 1.14' here, so just require 1.14 exactly. bsc#1172608
-BuildRequires:  golang(API) = 1.15
+# for 'golang(API) >= 1.18' here, so just require 1.18 exactly. bsc#1172608
+BuildRequires:  golang(API) = 1.18
 # Needed to build dqlite and raft.
 BuildRequires:  autoconf
 BuildRequires:  libtool
 BuildRequires:  pkgconfig(libuv) >= 1.8.0
+Requires:       kernel-base >= 5.4
 # Bits required for images and other things at runtime.
 Requires:       acl
 Requires:       ebtables
 BuildRequires:  dnsmasq
-Requires:       criu >= 2.0
 Requires:       dnsmasq
 Requires:       lxcfs
 Requires:       lxcfs-hooks-lxc
@ -93,10 +95,10 @@ Requires:       qemu-ui-spice-core
 Requires:       qemu-ui-spice-app
 %endif
 %ifarch %ix86 x86_64
-Requires:       qemu-x86
+Requires:       qemu-x86 >= 6.0
 %endif
 %ifarch aarch64 %arm
-Requires:       qemu-arm
+Requires:       qemu-arm >= 6.0
 %endif
 %endif
 # Storage backends -- we don't recommend ZFS since it's not *technically* a
@ -104,6 +106,9 @@ Requires:       qemu-arm
 Recommends:     lvm2
 Recommends:     btrfsprogs
 Recommends:     thin-provisioning-tools
+# CRIU is used for certain operations but is not necessary (and is no longer
+# shipped on 32-bit openSUSE).
+Recommends:     criu >= 2.0
 Suggests:       zfs

 %description
@ -122,6 +127,8 @@ Bash command line completion support for %{name}.

 %prep
 %setup -q
+# https://github.com/lxc/lxd/pull/10348
+%patch1 -p1

 %build
 # Make sure any leftover go build caches are gone.