From d93a7dcf1ecef13816d158d4604e039d1f7a29030b6efaf96d11161beebe1569 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Wed, 3 Apr 2019 13:40:10 +0000
Subject: [PATCH] Accepting request 691258 from home:cyphar:lxc
- Make sqlite+dqlite both shared libs to avoid bloating RSS. In order to avoid issues with packaging new versions of libsqlite3 there are a bunch of DT_SONAME and DT_NEEDED hacks to ensure that rpm doesn't cause false-positive conflicts or other issues. This requires a new lxd-rpmlintrc to work on older SLE versions.
OBS-URL: https://build.opensuse.org/request/show/691258
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/lxd?expand=0&rev=5
---
 lxd-rpmlintrc | 4 ++++
 lxd.changes | 3 ++-
 lxd.service | 2 +-
 lxd.spec | 23 ++++++++++++++---------
 4 files changed, 21 insertions(+), 11 deletions(-)
 create mode 100644 lxd-rpmlintrc
diff --git a/lxd-rpmlintrc b/lxd-rpmlintrc
new file mode 100644
index 0000000..0e5cd9b
--- /dev/null
+++ b/lxd-rpmlintrc
@@ -0,0 +1,4 @@
+# The linking against full paths underneath /usr/lib64/lxd/ is intentional, as
+# our shared libraries are internal and aren't meant to be used outside LXD.
+# This error only appears in old SLE versions.
+addFilter ("^lxd.* E: invalid-filepath-dependency .* /usr/lib(32|64)?/lxd/")
diff --git a/lxd.changes b/lxd.changes
index 80d5aab..a67fa37 100644
--- a/lxd.changes
+++ b/lxd.changes
@@ -4,7 +4,8 @@ Thu Mar 28 01:54:01 UTC 2019 - Aleksa Sarai
 - Make sqlite+dqlite both shared libs to avoid bloating RSS. In order to avoid issues with packaging new versions of libsqlite3 there are a bunch of DT_SONAME and DT_NEEDED hacks to ensure that rpm doesn't cause false-positive
- conflicts or other issues.
+ conflicts or other issues. This requires a new lxd-rpmlintrc to work on older
+ SLE versions.
 -------------------------------------------------------------------
 Tue Mar 26 02:44:05 UTC 2019 - Aleksa Sarai
diff --git a/lxd.service b/lxd.service
index e4b0166..f9da089 100644
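Review bot: The comment on the first added line of lxd-rpmlintrc names only `/usr/lib64/lxd/`, while the filter on the last line accepts `/usr/lib(32|64)?/lxd/`, so the two will drift apart the first time someone reads one without the other; `# The linking against full paths underneath /usr/lib{,32,64}/lxd/ is intentional, as` keeps them in step. The filter is anchored to the `invalid-filepath-dependency` check alone, which is the right scope: any other rpmlint error on the package still surfaces.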
--- a/lxd.service
+++ b/lxd.service
@@ -5,7 +5,7 @@ Requires=network-online.target lxcfs.service
 Documentation=man:lxd(1)
 [Service]
-ExecStart=/usr/bin/lxd --group lxd --logfile=/var/log/lxd/lxd.log
+ExecStart=/usr/bin/lxd --group=lxd --logfile=/var/log/lxd/lxd.log
 ExecStartPost=/usr/bin/lxd waitready --timeout=600
 TimeoutStartSec=600s
 TimeoutStopSec=30s
diff --git a/lxd.spec b/lxd.spec
index daf2dba..a703777 100644
--- a/lxd.spec
+++ b/lxd.spec
@@ -27,6 +27,7 @@ URL: https://linuxcontainers.org/lxd
 Source: https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz
 Source1: https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz.asc
 Source2: %{name}.keyring
+Source3: %{name}-rpmlintrc
 # LXD upstream doesn't use systemd, they use snapd.
 Source100: %{name}.service
 # Additional runtime configuration.
@@ -176,8 +177,8 @@ done
 # [1]: https://github.com/NixOS/nixpkgs/issues/24844
 # Give our libraries unrecognisable DT_SONAME entries.
-patchelf --set-soname '_lxd-libsqlite3.so.0' "$PKGDIR/dist/sqlite/.libs/libsqlite3.so.0"
-patchelf --set-soname '_lxd-libdqlite.so.0' "$PKGDIR/dist/dqlite/.libs/libdqlite.so.0"
+patchelf --set-soname '._LXD_INTERNAL-libsqlite3.so.0' "$PKGDIR/dist/sqlite/.libs/libsqlite3.so.0"
+patchelf --set-soname '._LXD_INTERNAL-libdqlite.so.0' "$PKGDIR/dist/dqlite/.libs/libdqlite.so.0"
 # Switch to absolute DT_NEEDED for the lxd binary.
 patchelf --remove-rpath bin/lxd
@@ -238,27 +239,31 @@ install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
 %fdupes %{buildroot}
 %pre
-# Set up a user with subuid mappings so we can
-getent group %{name} &>/dev/null || groupadd -r %{name}
+# Group which owns the lxd socket, which allows people to administer it.
+getent group %{name} &>/dev/null || groupadd -r %{name} ||:
 # /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
 # distros don't have it. LXD just parses it and doesn't need any special
 # shadow-utils helpers.
-touch /etc/sub{u,g}id
+touch /etc/sub{u,g}id ||:
 # Add sub[ug]ids for LXD's unprivileged containers -- in order to support
 # isolated containers we add quite a few subuids. Since LXD runs as root we add
-# them for the root user (not the lxd group).
+# them for the root user (not the lxd group). We only bother if there aren't
+# any mappings available already.
 #
 # We have no guarantee that the range we pick will be unique -- which ideally
 # we would want it to be. There isn't a nice way to do this without
 # reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So
-# we just pick the 40-80 million range, and hope for the best (most tutorials
+# we just pick the 400-900 million range, and hope for the best (most tutorials
 # use the 1-million range, so we avoid that pitfall).
+#
+# This default setting of 500 million is enough for ~8000 isolated containers,
+# which should be enough for most users.
 grep '^root:' /etc/subuid &>/dev/null || \
- usermod -v 40000000-80000000 root
+ usermod -v 400000000-900000000 root ||:
 grep '^root:' /etc/subgid &>/dev/null || \
- usermod -w 40000000-80000000 root
+ usermod -w 400000000-900000000 root ||:
 %service_add_pre %{name}.service
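Review bot: The `||:` appended to the two `usermod -v`/`usermod -w` lines swallows exactly the failure the comment above them anticipates: on a shadow-utils without sub[ug]id support the call fails, root is left with no mapping, and unprivileged containers will presumably fail to start later with nothing in the scriptlet output to explain why. Keeping the scriptlet non-fatal while leaving a trace costs one line, e.g. `usermod -v 400000000-900000000 root || echo "warning: could not add a subuid range for root" >&2` (and the same for `-w`). `groupadd -r %{name} ||:` has the same shape; if the group cannot be created, the `--group=lxd` service unit would presumably only report it at start-up. The new comment on the group line would also be a good place to say that membership grants full control of the daemon, which upstream's security documentation treats as equivalent to root on the host, so the group is never added to default memberships.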