Accepting request 691258 from home:cyphar:lxc

- Make sqlite+dqlite both shared libs to avoid bloating RSS. In order to avoid issues with packaging new versions of libsqlite3 there are a bunch of DT_SONAME and DT_NEEDED hacks to ensure that rpm doesn't cause false-positive conflicts or other issues. This requires a new lxd-rpmlintrc to work on older SLE versions. OBS-URL: https://build.opensuse.org/request/show/691258 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/lxd?expand=0&rev=5
2019-04-03 13:40:10 +00:00 · 2019-04-03 13:40:10 +00:00 · d93a7dcf1e
commit d93a7dcf1e
parent a02b7f74de
4 changed files with 21 additions and 11 deletions
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+# The linking against full paths underneath /usr/lib64/lxd/ is intentional, as
+# our shared libraries are internal and aren't meant to be used outside LXD.
+# This error only appears in old SLE versions.
+addFilter ("^lxd.* E: invalid-filepath-dependency .* /usr/lib(32|64)?/lxd/")
--- a/lxd.changes
+++ b/lxd.changes
@ -4,7 +4,8 @@ Thu Mar 28 01:54:01 UTC 2019 - Aleksa Sarai <asarai@suse.com>
 - Make sqlite+dqlite both shared libs to avoid bloating RSS. In order to avoid
  issues with packaging new versions of libsqlite3 there are a bunch of
  DT_SONAME and DT_NEEDED hacks to ensure that rpm doesn't cause false-positive
-  conflicts or other issues.
+  conflicts or other issues. This requires a new lxd-rpmlintrc to work on older
+  SLE versions.

 -------------------------------------------------------------------
 Tue Mar 26 02:44:05 UTC 2019 - Aleksa Sarai <asarai@suse.com>
--- a/lxd.service
+++ b/lxd.service
@ -5,7 +5,7 @@ Requires=network-online.target lxcfs.service
 Documentation=man:lxd(1)

 [Service]
-ExecStart=/usr/bin/lxd --group lxd --logfile=/var/log/lxd/lxd.log
+ExecStart=/usr/bin/lxd --group=lxd --logfile=/var/log/lxd/lxd.log
 ExecStartPost=/usr/bin/lxd waitready --timeout=600
 TimeoutStartSec=600s
 TimeoutStopSec=30s
--- a/lxd.spec
+++ b/lxd.spec
@ -27,6 +27,7 @@ URL:            https://linuxcontainers.org/lxd
 Source:         https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz
 Source1:        https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz.asc
 Source2:        %{name}.keyring
+Source3:        %{name}-rpmlintrc
 # LXD upstream doesn't use systemd, they use snapd.
 Source100:      %{name}.service
 # Additional runtime configuration.
@ -176,8 +177,8 @@ done
 # [1]: https://github.com/NixOS/nixpkgs/issues/24844

 # Give our libraries unrecognisable DT_SONAME entries.
-patchelf --set-soname '_lxd-libsqlite3.so.0' "$PKGDIR/dist/sqlite/.libs/libsqlite3.so.0"
-patchelf --set-soname '_lxd-libdqlite.so.0' "$PKGDIR/dist/dqlite/.libs/libdqlite.so.0"
+patchelf --set-soname '._LXD_INTERNAL-libsqlite3.so.0' "$PKGDIR/dist/sqlite/.libs/libsqlite3.so.0"
+patchelf --set-soname '._LXD_INTERNAL-libdqlite.so.0' "$PKGDIR/dist/dqlite/.libs/libdqlite.so.0"

 # Switch to absolute DT_NEEDED for the lxd binary.
 patchelf --remove-rpath bin/lxd
@ -238,27 +239,31 @@ install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
 %fdupes %{buildroot}

 %pre
-# Set up a user with subuid mappings so we can
-getent group %{name} &>/dev/null || groupadd -r %{name}
+# Group which owns the lxd socket, which allows people to administer it.
+getent group %{name} &>/dev/null || groupadd -r %{name} ||:

 # /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
 # distros don't have it. LXD just parses it and doesn't need any special
 # shadow-utils helpers.
-touch /etc/sub{u,g}id
+touch /etc/sub{u,g}id ||:

 # Add sub[ug]ids for LXD's unprivileged containers -- in order to support
 # isolated containers we add quite a few subuids. Since LXD runs as root we add
-# them for the root user (not the lxd group).
+# them for the root user (not the lxd group). We only bother if there aren't
+# any mappings available already.
 #
 # We have no guarantee that the range we pick will be unique -- which ideally
 # we would want it to be. There isn't a nice way to do this without
 # reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So
-# we just pick the 40-80 million range, and hope for the best (most tutorials
+# we just pick the 400-900 million range, and hope for the best (most tutorials
 # use the 1-million range, so we avoid that pitfall).
+#
+# This default setting of 500 million is enough for ~8000 isolated containers,
+# which should be enough for most users.
 grep '^root:' /etc/subuid &>/dev/null || \
-	usermod -v 40000000-80000000 root
+	usermod -v 400000000-900000000 root ||:
 grep '^root:' /etc/subgid &>/dev/null || \
-	usermod -w 40000000-80000000 root
+	usermod -w 400000000-900000000 root ||:

 %service_add_pre %{name}.service