4th of August 2020

The LXC team is pleased to announce the release of LXC 4.0.4!

This is the fourth bugfix release for LXC 4.0 which is supported until June 2025.

Some of the highlights for this release are:

Support for new Linux clone flags (clone into cgroup)

Support for new Linux VFS system calls

Internal symbols are now properly hidden from external consumers

The full list of commits is available below:

get the right path in get_cgroup command

lxc: support CLONE_INTO_CGROUP

start: initialize cgroup_fd

start: use __aligned_u64

attach: set no_new_privs flag after LSM label

templates/lxc-download.in: fix wrong if condition (use the result of the gpg command, not the result when executing the result of the gpg command)

templates/lxc-download.in: make shellcheck happy

templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys

cgroups: update terminology

cgroups: update terminology II

seccomp: support allowlist/denylist in profiles

cgroups: use empty {} to initialize struct

cgroup2_devices: fix access rule parsing

api-extensions: add seccomp_allow_deny_syntax extension

cgroups: fix bpf device program generation

cgroups: handle empty bpf log buffer

tree-wide: s/ptmx/ptx/g

tree-wide: s/pts/pty/g

openpty: fix faulty rename

openpty: improve implementation and handling of platforms without it

checkconfig: Show LXC version in output.

autotools: include COPYING file

Improve efficiency of lxc_ifname_alnum_case_sensitive

network: remove unused variable

compiler: add and use __hidden visibility

string_utils: make all helpers hidden

af_unix: hide unnecessary symbols

attach: hide unnecessary symbols

caps: hide unnecessary symbols

commands: hide unnecessary symbols

commands_utils: hide unnecessary symbols

conf: hide unnecessary symbols

Makefile.am: Fix typo

start: check correct flags when receiving network devices

lxc-ls: bugfixes

confile: hide unnecessary symbols

confile_utils: hide unnecessary symbols

criu: hide unnecessary symbols

error: hide unnecessary symbols

file_utils: hide unnecessary symbols

initutils: hide unnecessary symbols

log: hide unnecessary symbols

lxclock: hide unnecessary symbols

lxcseccomp: hide unnecessary symbols

mainloop: hide unnecessary symbols

monitor: hide unnecessary symbols

namespace: hide unnecessary symbols

network: hide unnecessary symbols

parse: hide unnecessary symbols

process_utils: hide unnecessary symbols

rexec: hide unnecessary symbols

ringbuf: hide unnecessary symbols

start: hide unnecessary symbols

state: hide unnecessary symbols

sync: hide unnecessary symbols

terminal: hide unnecessary symbols

utils: hide unnecessary symbols

uuid: hide unnecessary symbols

cgroups: hide unnecessary symbols

lsm: hide unnecessary symbols

arguments: hide unnecessary symbols

storage: hide unnecessary symbols

tree-wide: hide further unnecessary symbols

start: simplify gotos

apparmor: Allow ro remount of boot_id

syscalls: add fsopen()

syscalls: add fspick()

syscalls: add fsconfig()

syscalls: add fsmount()

mount_utils: add mount utils

mount_utils: add mount_filesystem() helper

attach: use new mount api

log: don't break logging by hiding symbols

Makefile: fix Makefile

selinux: remove security_context_t usage as it's deprecated

seccomp: remove seccomp fd from event loop after task exited

seccomp: add missing header

syscall: don't fail if __NR_signalfd is not defined

conf: ensure that the idmap pointer itself is freed

Support and upgrade

The LXC 4.0 branch is supported until June 2025. Only bugfixes and security issues get included into the stable bugfix releases, so it's always safe and recommended to keep up and run the latest bugfix release.

Main release tarball: lxc-4.0.4.tar.gz

GPG signature: lxc-4.0.4.tar.gz.asc

29th of June 2020

The LXC team is pleased to announce the release of LXC 4.0.3!

This is the third bugfix release for LXC 4.0 which is supported until June 2025.

Some of the highlights for this release are:

Improvement to cgroupv1/cgroupv2 handling

Various improvements and tests for lxc-usernsexec

The full list of commits is available below:

apparmor: Allow boot_id

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

cgroups: ignore cgroup2 limits on non-cgroup2 layouts

common.conf: add cgroup2 default device limits

cgroups: premount cgroups on cgroup2-only systems

conf: introduce userns_exec_mapped_root()

conf: support console setup on containers without rootfs

terminal: remove unneeded if condition

gcc: add -Warray-bounds, -Wrestrict, -Wreturn-local-addr, -Wstringop-overflow

compiler: support new access attributes

tree-wide: this is all rather TODO than FIXME

yum: remove unused module

tools/lxc-ls: shutup lgtm

tools/lxc-ls: shut up lgtm more

confile: fix order independence of network keys

lxccontainer: small cleanup to lxc_check_inherited() calls

start: remove unused lxc_zero_handler()

lxccontainer: use close_prot_errno_disarm() on state_socket_pair

start: fix container reboot

start: cleanup file descriptor inheritance

log: cleanup syslog handling

console: only create detached mount when a console is requested

syscall_numbers: handle ia64 syscall numbers correctly

syscall_numbers: add clone3()

process_utils: introduce new process_utils.{c,h}

process_utils: add clone3() support

mainloop: add lxc_mainloop_add_handler_events

cgfsng: deduplicate freeze code

cgfsng: use EPOLLPRI when polling cgroup.events

process_utils: make lxc use clone3() whenever possible

network: restore old behavior

network: fix {mac,ip,v}lan device creation

bionic: s/lxc_raw_execveat()/execveat()/g

network: use __instantiate_ns_common() in instantiate_ns_phys() too

lxc-usernsexec: dumb down from error to warning message

lxc-usernsexec: don't fail on setgroups()

travis: Restrict coverity to gcc on bionic on amd64

introduce lxc.cgroup.dir.{monitor,container,container.inner}

cgroups: remove unused variable

cgroup isolation: handle devices cgroup early

improve LXC_CMD_GET_CGROUP compatibility

cgroups: be less alarming when creating cgroups

commands: make limiting cgroup callbacks unreachable

api_extensions: add "pidfd"

Add test of lxc-usernsexec

lxc-test-usernsexec: If user is root, then create and use non-root user.

.gitignore: Ignores COPYING file created by make

macro: Adds UINT_TO_PTR and PTR_TO_USHORT helpers

network: Adds check for bridge link interface existence in instantiate_veth

network: Updates netlink_open handling in lxc_ipvlan_create

network: Removes unused ip_proxy_args

cgroups: initialize lxc.pivot cpuset

conf: remove faulty flags

conf: always use target_fd in userns_exec_mapped_root()

conf: add some more logging to userns_exec_mapped_root()

conf: kill old chown_mapped_root()

lxccontainer: remove pointless string duplication

containertests: fix null pointer dereference

tree-wide: use "ptmx" and "pts" as terminal terms

tree-wide: wipe references to questionable apis from our public logs

tree-wide: use "primary" in networking code

network: Rename primary to master

openpty: adapt variable naming

CODING_STYLE: adapt code example

doc: update terminology

test: update terminology

lxccontainer: fix non-blocking container stop

lxc-net: Set broadcast

commands: don't flood logs

Support and upgrade

The LXC 4.0 branch is supported until June 2025. Only bugfixes and security issues get included into the stable bugfix releases, so it's always safe and recommended to keep up and run the latest bugfix release.

Main release tarball: lxc-4.0.3.tar.gz

GPG signature: lxc-4.0.3.tar.gz.asc

16th of April 2020

The LXC team is pleased to announce the release of LXC 4.0.2!

This is the second bugfix release for LXC 4.0 which is supported until June 2025.

This release fixes a number of issues that were reported shortly following the original 4.0.0 and 4.0.1 releases. Some of the highlights include:

RISC-V 64bit support

Better group handling in lxc-user-nic

Seccomp syscall interception fix for newer kernels

CGroup v1 limits are now automatically skipped on v2 systems

Fix a variety of issues identified by the Coverity Scan service

The full list of commits is available below:

start: ensure all file descriptors are closed during exec

syscall_numbers: handle riscv

lxc_user_nic: simplify group retrieval

lxc_user_nic: continue when we failed to find a group

cgroups: whitespace fixes

seccomp: newer kernels require the buffer to be zeroed

network: Make it possible to set the mode of IPVLAN to L2

src/lxc/network: ipvlan comment and code style tweak

conf: tweak get_minimal_idmap()

conf: use macros all around in lxc_map_ids()

conf: move_ptr() in all cases in mapped_hostid_add()

lxc-update-config: Fix bad handling of lxc.logfile

tests/no-new-privs: Don't mess with /etc/lxc

cgroups: ignore legacy limits on pure cgroup2 systems

Fix lxc-oci template with loop backingstore

cgroup: fix wrong use of cgfd_con in cgroup_exit

travis: add back coverity

memory_utils: directly NULL ptr in free_disarm()

conf: fix tty cleanup

cgroups: do not pass NULL pointer

uuid: close fd

cgroups: fix cgroup2 devices

rexec: avoid double-close

cgroups: use correct NULL pointer check

conf: don't double free in get_minimal_idmap()

criu: make explicit that we're ignoring rmdir() return value

zfs: fix resource leak

commands: add additional check to lxc_cmd_sock_get_state()

network: log warning on network deconfiguration failures

log: restore non-local value

attach: move check for valid config earlier

rexec: free argv array on failure

conf: correctly cleanup memory in get_minimal_idmap()

log: set GNU_SOURCE as it might help coverity along

travis: coverity gets confused about the %m printf extension in glibc

cgroups: fix cgroup limit braino

configure: fix coverity builds

Support and upgrade

The LXC 4.0 branch is supported until June 2025. Only bugfixes and security issues get included into the stable bugfix releases, so it's always safe and recommended to keep up and run the latest bugfix release.

Main release tarball: lxc-4.0.2.tar.gz

GPG signature: lxc-4.0.2.tar.gz.asc

6th of April 2020

The LXC team is pleased to announce the release of LXC 4.0.1!

This is the first bugfix release for LXC 4.0 which is supported until June 2025.

This release fixes a number of issues that were reported shortly following the original 4.0.0 release. Some of the highlights include:

Tweak systemd ordering (start after remote-fs.target)

Fix various issues around attach and cgroups

Fix shutdown timeout not working on pidfd systems

Fix cgroup issue on 4.9 kernel

Fix write issues in /dev/stdout

The full list of commits is available below:

lxc_init: move main() down

lxc_init: add missing O_CLOEXEC

[lxc.service] Starts after remote-fs.target to allow containers relying on remote FS to work

tree-wide: harden mount option parsing

dir: use cleanup macro in dir_mount()

dir: improve dir backend

cgroups: fix attaching to the unified cgroup

conf: rework and fix leak in userns_exec_1()

commands: log actual errno when lxc_cmd_get_cgroup2_fd() fails

cgroups: move pointer dereference after check

cgroups: rework __cg_unified_attach()

attach: use close_prot_errno_disarm()

cgroups: remove unused variable

cgroups: fix unified cgroup attach

fixup i/o handler return values

Revert "cgroups: fix unified cgroup attach"

conf: introduce and use userns_exec_minimal()

conf: simplify userns_exec_minimal()

cgroups: use hidden directory for attaching cgroup

cgroups: please compilers

monitor process exited by signal SIGKILL, clean cgroup resource by third party

cgroups: move check for valid monitor process up

cgroups: better helper naming

tree-wide: s/recursive_destroy/lxc_rm_rf/g

verify cgroup controller name

cgroups: handle older kernels (e.g. v4.9)

start: log error when failing to create cgroup

cgroups: send two attach fds

cgroups: send two fds to attach to unified cgroup

start: remove unnecessary check for valid cgroup_ops

init: add ExecReload to lxc.service to only reload profiles

apparmor: generate ro,bind,remount rule list

autotools: don't install run-coccinelle.sh

systemd: Add Documentation key

fix non-root user cannot write /dev/stdout

cgroups: fix "uninitialized transient_len" warning

utils: rework fix_stdio_permissions()

utils: use setres{u,g}id() in lxc_switch_uid_gid()

cgroups: fix build warning on GCC 7

lxccontainer: poll takes millisecond not seconds

Revert "start: remove unnecessary check for valid cgroup_ops"

Support and upgrade

The LXC 4.0 branch is supported until June 2025. Only bugfixes and security issues get included into the stable bugfix releases, so it's always safe and recommended to keep up and run the latest bugfix release.

Main release tarball: lxc-4.0.1.tar.gz

GPG signature: lxc-4.0.1.tar.gz.asc

25th of March 2020

The LXC team is pleased to announce the release of LXC 4.0.0!

This is the result of two years of work since the LXC 3.0.0 release and is the third LTS release for the LXC project. This release will be supported until June 2025.

Major changes

cgroups: Full cgroup2 support

LXC 4.0 now fully supports the unified cgroup hierarchy. For this to work the whole cgroup driver had to be rewritten. A consequence of this work is that the cgroup layout for LXC containers had to be changed. Older versions of LXC used the layout:

/sys/fs/cgroup/<controller>/<container-name>/

For example, in the legacy cgroup hierarchy the cpuset hierarchy would place the container's init process into

/sys/fs/cgroup/cpuset/c1/

The supervising monitor process would stay in

/sys/fs/cgroup/cpuset/

LXC 4.0 uses the layout:

/sys/fs/cgroup/<controller>/lxc.payload.<container-name>/

For the cpuset controller in the legacy cgroup hierarchy for the container f2 the cgroup would be:

/sys/fs/cgroup/cpuset/lxc.payload.f2/

The monitor process now moves into a separate cgroup as well:

/sys/fs/cgroup/<controller>/lxc.monitor.<container-name>/

For our example this would be:

/sys/fs/cgroup/cpuset/lxc.monitor.f2/

The monitor's and the container's cgroup will be placed on the same level in the corresponding cgroup hierarchy. These changes apply to the legacy and the unified hierarchy alike and are not arbitrary. The new, unified cgroup hierarchy imposes specific restrictions where and how a process can be migrated in the cgroup hierarchy. The most important restriction is the leaf-node restriction. This means that only leaf nodes can contain live processes, i.e. if you have the following cgroup tree

/sys/fs/cgroup/a/f2-monitor/f2-container/

then only f2-container can contain live processes whereas non-leaf nodes a and f2-monitor do not. This has the consequence that the old cgroup layout LXC used where the monitor process would have lived in f2-monitor and the container's init process would have lived in f2-container is not possible anymore. The kernel disallows this layout. Instead, the monitor process and the container's init process need to be moved into two leaf-node cgroups on the same level in the cgroup hierarchy. This would mean for a container f2 the layout will be:

/sys/fs/cgroup/lxc.monitor.f2/

and

/sys/fs/cgroup/lxc.payload.f2/

The restrictions enforced by the unified cgroup hierarchy also mean that, in order to start fully unprivileged containers, cooperation is needed on distributions that use an init system which manages cgroups. This applies to all distributions that use systemd as their init system. When a container is started from the shell via lxc-start or other means, one either needs to be root, so that LXC can escape to the root cgroup, or the init system needs to be instructed to delegate an empty cgroup. In such scenarios it is wise to set the configuration key lxc.cgroup.relative to 1 to prevent LXC from escaping to the root cgroup.

cgroups: Freezer support in CGroup2

As part of the cgroup2 support work for LXC 4.0 we also added support for cgroup2's implementation of the freezer controller, which allows polling until the cgroup is frozen or unfrozen, making freezing and unfreezing containers way more reliable than before.

cgroups: eBPF device controller support in CGroup2

LXC 4.0 can now make proper use of the cgroup2 device controller. It will automatically create, load, and attach an eBPF program to the container's cgroup and supports dynamic addition and removal of rules. The configuration format is the same as for the legacy cgroup controller; only the lxc.cgroup2.devices. prefix needs to be used instead of the legacy lxc.cgroup.devices. prefix. LXC continues to support both black- and whitelists.
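As an added illustration (not LXC's own code), the rule grammar shared by lxc.cgroup.devices and lxc.cgroup2.devices, parsed and matched in C so that a malformed rule is rejected before anything is compiled into an eBPF program. The struct and function names are this example's, and it is deliberately stricter than the kernel's devices.allow parser in requiring an access field whenever a major:minor pair is given.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* One parsed lxc.cgroup2.devices.{allow,deny} value such as "c 1:3 rwm".
 * A major or minor of -1 stands for the wildcard "*". */
struct device_rule {
	char type;          /* 'a' = all, 'b' = block, 'c' = char */
	int major, minor;
	bool read, write, mknod;
	bool allow;         /* true for an allow rule, false for a deny rule */
};

/* Copy the next whitespace-separated token of *p into buf; *p advances past
 * it. Returns -1 if the token does not fit; an empty buf means end of line. */
static int next_token(const char **p, char *buf, size_t n)
{
	size_t i = 0;
	while (**p == ' ' || **p == '\t')
		(*p)++;
	while (**p && **p != ' ' && **p != '\t' && **p != '\n') {
		if (i + 1 >= n)
			return -1;
		buf[i++] = *(*p)++;
	}
	buf[i] = '\0';
	return 0;
}

/* "*" or an unsigned decimal number of at most 9 digits. */
static int parse_id(const char *s, size_t len, int *out)
{
	int v = 0;
	if (len == 1 && s[0] == '*') {
		*out = -1;
		return 0;
	}
	if (len == 0 || len > 9)
		return -1;
	for (size_t i = 0; i < len; i++) {
		if (!isdigit((unsigned char)s[i]))
			return -1;
		v = v * 10 + (s[i] - '0');
	}
	*out = v;
	return 0;
}

/* Parse "TYPE [MAJOR:MINOR ACCESS]", ACCESS being any combination of r, w
 * and m. Returns 0 and fills *out on success, -1 on malformed input (this
 * example's parser, not LXC's; a missing ACCESS is rejected here). */
int parse_device_rule(const char *line, bool allow, struct device_rule *out)
{
	char tok[32];
	struct device_rule r = { .major = -1, .minor = -1, .read = true,
				 .write = true, .mknod = true, .allow = allow };
	if (next_token(&line, tok, sizeof(tok)) < 0 || tok[0] == '\0' ||
	    tok[1] != '\0' || !strchr("abc", tok[0]))
		return -1;
	r.type = tok[0];
	if (next_token(&line, tok, sizeof(tok)) < 0)
		return -1;
	if (tok[0] != '\0') {
		const char *colon = strchr(tok, ':');
		if (!colon || parse_id(tok, (size_t)(colon - tok), &r.major) < 0 ||
		    parse_id(colon + 1, strlen(colon + 1), &r.minor) < 0)
			return -1;
		if (next_token(&line, tok, sizeof(tok)) < 0 || tok[0] == '\0')
			return -1;
		r.read = r.write = r.mknod = false;
		for (const char *a = tok; *a; a++) {
			if (*a == 'r')
				r.read = true;
			else if (*a == 'w')
				r.write = true;
			else if (*a == 'm')
				r.mknod = true;
			else
				return -1;
		}
	}
	/* Anything left over ("c 1:3 rwm extra") is an error. */
	if (next_token(&line, tok, sizeof(tok)) < 0 || tok[0] != '\0')
		return -1;
	*out = r;
	return 0;
}

/* Does r cover an access of kind 'r', 'w' or 'm' to device type major:minor? */
bool rule_matches(const struct device_rule *r, char type, int major, int minor, char access)
{
	if (r->type != 'a' && r->type != type)
		return false;
	if (r->major != -1 && r->major != major)
		return false;
	if (r->minor != -1 && r->minor != minor)
		return false;
	return (access == 'r' && r->read) || (access == 'w' && r->write) ||
	       (access == 'm' && r->mknod);
}
```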

AppArmor: Deny access to /proc/acpi/**

The default AppArmor profile now denies access to /proc/acpi/, improving safety.

config: Add lxc.autodev.tmpfs.size configuration key

LXC supports creating a usable minimal /dev directory for the container by setting lxc.autodev = 1 in the container's config file. To do this LXC sets up a tmpfs mount on /dev. This tmpfs mount could not be restricted in prior releases. Now it is possible to set a limit on the size of the tmpfs mount by setting lxc.autodev.tmpfs.size to the number of bytes that the tmpfs should be restricted to use.

config: Add lxc.selinux.context.keyring key

This allows specifying the SELinux context to be used for the keyring the container uses.

Setting this to 1 (default) will cause LXC to create a new session keyring.

file utils: Add fopen_cached() and fdopen_cached()

These helpers first read a whole file and then make it available as a stream to be read via regular file-based libc apis. This makes LXC's handling of various files more robust where the underlying file can change while it is read.
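Added example, not LXC's implementation: a minimal fopen_cached()/fdopen_cached() built on fmemopen(), with a self-check on a constructed temporary file showing why a memory-backed stream is immune to the file changing underneath it. The caller_freed_buffer argument and the demo function are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read fd until EOF into a heap buffer (st_size is ignored: procfs reports 0). */
static char *read_to_eof(int fd, size_t *len)
{
	size_t cap = 4096, n = 0;
	char *buf = malloc(cap);
	if (!buf)
		return NULL;
	for (;;) {
		if (n == cap) {
			char *tmp = realloc(buf, cap * 2);
			if (!tmp)
				break;
			buf = tmp;
			cap *= 2;
		}
		ssize_t r = read(fd, buf + n, cap - n);
		if (r < 0 && errno == EINTR)
			continue;
		if (r < 0)
			break;
		if (r == 0) {
			*len = n;
			return buf;
		}
		n += (size_t)r;
	}
	free(buf);
	return NULL;
}

/* Snapshot the file behind fd as a read-only memory stream. fmemopen() does
 * not own the buffer: free *caller_freed_buffer after fclose(). */
FILE *fdopen_cached(int fd, void **caller_freed_buffer)
{
	size_t len;
	char *buf = read_to_eof(fd, &len);
	if (!buf)
		return NULL;
	FILE *f = fmemopen(buf, len, "r"); /* len == 0 needs glibc >= 2.22 */
	if (!f) {
		free(buf);
		return NULL;
	}
	*caller_freed_buffer = buf;
	return f;
}

FILE *fopen_cached(const char *path, void **caller_freed_buffer)
{
	int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY);
	if (fd < 0)
		return NULL;
	FILE *f = fdopen_cached(fd, caller_freed_buffer);
	close(fd); /* the stream is memory-backed, the descriptor can go */
	return f;
}

/* Demonstration on a constructed temp file: the cached stream keeps returning
 * the content seen at open time even after the file is rewritten on disk.
 * Returns 1 when that holds, 0 otherwise. */
int cached_stream_ignores_rewrite(void)
{
	static const char v1[] = "lxc.cgroup.relative = 1\n";
	static const char v2[] = "lxc.cgroup.relative = 0\n";
	char path[] = "/tmp/fopen_cached_XXXXXX", line[64];
	void *buf = NULL;
	int ok = 0, fd = mkstemp(path);
	if (fd < 0)
		return 0;
	ssize_t w = write(fd, v1, sizeof(v1) - 1);
	close(fd);
	FILE *f = w == (ssize_t)(sizeof(v1) - 1) ? fopen_cached(path, &buf) : NULL;
	if (f) {
		/* Rewrite the file while the cached stream is open: a plain
		 * fopen() sees the new content, the cached stream the old. */
		fd = open(path, O_WRONLY | O_TRUNC);
		w = fd < 0 ? -1 : write(fd, v2, sizeof(v2) - 1);
		if (fd >= 0) close(fd);
		FILE *plain = w == (ssize_t)(sizeof(v2) - 1) ? fopen(path, "r") : NULL;
		int disk_new = plain && fgets(line, sizeof(line), plain) &&
			       strcmp(line, v2) == 0;
		if (plain)
			fclose(plain);
		if (disk_new && fgets(line, sizeof(line), f) && strcmp(line, v1) == 0)
			ok = 1;
		fclose(f);
		free(buf);
	}
	unlink(path);
	return ok;
}
```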

api: Add new init_pidfd() member

LXC 4.0 fully supports the new pidfd kernel API the LXC team has merged in the upstream Linux kernel. The pidfd of the container's init process can be requested via c->init_pidfd(c).

memory utils: Add new cleanup api

LXC 4.0 expands the usage of the compiler's cleanup attribute by introducing new internal apis to define and call cleanup macros for complex resource allocations. We have had extremely positive results decreasing bugs around file descriptor and memory leaks significantly by switching to this new way of cleaning up resources.

lxc-usernsexec: Make it easy to map own uid

The lxc-usernsexec binary now finds a default mapping as specified in /etc/subuid and /etc/subgid and writes it via newuidmap and newgidmap.

seccomp: Add s390 support

LXC 4.0's seccomp implementation now supports s390 as architecture.

syscalls: Improve manual syscall implementations

Whenever a given syscall is not supported or exposed by the system's C library, LXC defines syscall stubs for important syscalls or new features it deems extremely valuable. This used to be done by checking whether __NR_<syscall-name> was defined. But whether __NR_<syscall-name> is defined depends on the kernel headers installed on the system LXC was compiled on, which is a problem whenever LXC is compiled on a system running an older kernel but used or deployed on systems running a newer kernel. In such scenarios LXC could not make use of new kernel features even though it should. We now introduce definitions for __NR_<syscall-name> whenever the system does not define it already and it is an architecture we support (which is basically any architecture). This way we better handle kernel <-> header version mismatches and compilation <-> deployment kernel mismatches.
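Added example (not LXC's own syscall_numbers.h): the fallback-definition pattern described above applied to the new mount API calls, with wrappers that degrade to ENOSYS and a probe that tells a missing kernel feature apart from a missing header. The architecture list and the helper names are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback numbers for the new mount API (Linux 5.2). They come from the
 * shared syscall table and are identical on the architectures listed here;
 * architectures with an offset base (alpha, mips, ...) are left out on
 * purpose so the wrappers report ENOSYS instead of issuing a wrong number.
 * A number is only defined when the installed headers do not define it. */
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(__arm__) || defined(__riscv) || defined(__s390x__) ||      \
    defined(__powerpc__)
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fspick
#define __NR_fspick 433
#endif
#endif

#ifndef FSOPEN_CLOEXEC
#define FSOPEN_CLOEXEC 0x00000001
#endif

/* Thin wrappers: call the kernel when a number is known, otherwise fail with
 * ENOSYS so callers can fall back to the classic mount(2) path. */
static inline int lxc_fsopen(const char *fs_name, unsigned int flags)
{
#ifdef __NR_fsopen
	return (int)syscall(__NR_fsopen, fs_name, flags);
#else
	(void)fs_name;
	(void)flags;
	errno = ENOSYS;
	return -1;
#endif
}

static inline int lxc_fsconfig(int fd, unsigned int cmd, const char *key,
			       const void *value, int aux)
{
#ifdef __NR_fsconfig
	return (int)syscall(__NR_fsconfig, fd, cmd, key, value, aux);
#else
	(void)fd; (void)cmd; (void)key; (void)value; (void)aux;
	errno = ENOSYS;
	return -1;
#endif
}

static inline int lxc_fsmount(int fd, unsigned int flags, unsigned int attr_flags)
{
#ifdef __NR_fsmount
	return (int)syscall(__NR_fsmount, fd, flags, attr_flags);
#else
	(void)fd; (void)flags; (void)attr_flags;
	errno = ENOSYS;
	return -1;
#endif
}

/* The number this build resolved for fsopen(), -1 if none is known. */
int nr_fsopen(void)
{
#ifdef __NR_fsopen
	return __NR_fsopen;
#else
	return -1;
#endif
}

/* Runtime probe: 1 if the running kernel implements fsopen() (the call either
 * succeeds or fails for a reason other than ENOSYS), 0 if it does not. A build
 * on old headers still answers 1 on a new kernel thanks to the fallbacks. */
int kernel_has_fsopen(void)
{
	int fd = lxc_fsopen("tmpfs", FSOPEN_CLOEXEC);
	if (fd >= 0) {
		close(fd);
		return 1;
	}
	return errno != ENOSYS;
}

int main(void)
{
	printf("__NR_fsopen resolved to %d, kernel %s fsopen()\n", nr_fsopen(),
	       kernel_has_fsopen() ? "has" : "lacks");
	return 0;
}
```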

network: Improved network device creation and removal

We have reworked how network devices are created, tracked, moved between network namespaces, and removed, making low-level network management way more reliable.

network: Allow moving wireless devices

LXC allowed moving wireless network devices (nl80211) into containers. This was broken for a while. With 4.0 the ability to move wireless network devices is restored and improved.

Complete changelog

Here is a complete list of all changes in this release:

cgroups: fix attaching to the unified cgroup

dir: improve dir backend

dir: use cleanup macro in dir_mount()

tree-wide: harden mount option parsing

lxc_init: add missing O_CLOEXEC

lxc_init: move main() down

configure.ac: Reset devel flag post-release

make dist: add missing files

lxc-download: Pre-release bump of compat

conf: fix read-only bind mounts

utils: allow removal of immutable files

lxc-local: remove -l/--list from help

lvm: don't generate uuid for ext4 snapshots

lxc-update-config: handle lxc.rootfs.backend correctly

lxc_copy: only overmount overlay subdirectory with tmpfs

overlay: rewrite and simplify

lxc-user-nic: enable uid-marked veth devices for uids with 5 digits

network: introduce lxc_ifname_alnum_case_sensitive()

log: fix cmd logging

cgroups: simplify

ringbuf: fix cleanup operations

mainloop: cleanup

log: add missing variable and fix CMD_SYSINFO()

log: cleanup

log: add missing \

start: move reading seccomp profile after pre-start hook

lxc_user_nic: rework device creation

nl: improve how we surface errors

network: use cleanup macros

network: use cleanup attributes

network: cleanup galore

network: use is_empty_string() everywhere

network: fix ovs removal

log: use global variable to catch statements in loggers

cgroups: don't call statements from loggers

conf: flatten logic in mount_entry()

conf: don't accidentally double-mount

network: fix moving network devices with custom name

network: introduce and use is_empty_string()

Makefile: fix typo

lxc-unshare: add syscall_wrappers.h to build requirements

tree-wide: introduce and use syscall number header

raw_syscalls: define __NR_pidfd_send_signal if missing

tools: fix -g -u parameters for lxc-execute and lxc-attach

ISSUE_TEMPLATE: fix -l -o order

lxc_user_nic: don't depend on MAP_FIXED

busybox: Mark mqueue optional

Auto-create /dev/shm and /dev/mqueue

busybox: Fix bad lxc.mount.entry

doc: Fix grammar

Trigger the mounting of shm file system

tree-wide: s/lxc_fini()/lxc_end()/g

tree-wide: remove "name" argument from lxc_{fini,abort}()

{_}lxc_start: remove "name" argument

start: add missing TRACE() call

start: better goto target naming in __lxc_start()

start: rework cleanup code in __lxc_start()

start: simplify lxc_init()

conf: don't wrap strings

tree-wide: remove last -1 fd initialization with cleanup macros in favor of -EBADF

tree-wide: s/__do_close_prot_errno/__do_close/g

memory_utils: adapt to new infrastructure

tree-wide: port cgroup cleanup to call_cleaner(cgroup_exit)

caps: port to call_cleaner() based cleanup

memory_utils: add call_cleaner() helper

travis: enable all architectures

travis: remove libgnutls-dev

utils: cleanup

file_utils: cleanup macros and improvements

api-extensions: use correct headings

api-extensions: document "network_veth_router" api extension

api-extensions: reflow "seccomp_allow_nesting" api extension

api-extensions: reflow "seccomp_notify" api extension

api-extensions: reflow "cgroup2_devices" extensions

api-extensions: reflow "cgroup2" api extension

api-extensions: add "pidfd" api extension

lxccontainer: switch to pidfd polling when shutting down containers

lxccontainer: switch to pidfds whenever possible

start: add ability to detect whether kernel supports pidfds

lxccontainer: add init_pidfd() API extension

commands: LXC_CMD_GET_INIT_PIDFD

lxccontainer.h: document seccomp_notify_fd()

commands: use LXC_CMD_REAP_CLIENT_FD in lxc_cmd_get_cgroup2_fd_callback()

commands: add ability to audit fd connection and cleanup path

doc: Fix typo

doc: Add keyring options to Japanese lxc.containers.conf(5)

commands: simplify lxc_cmd_fd_cleanup()

commands_utils: fix command socket hashing

af_unix: fix return value

start: cleanup file descriptor closing

commands: make sure to always close the client fd

commands: improve state client cleanup

commands: switch to pid_t to send around pid

share_ns: improve error handling

share_ns: improve error handling

file_utils: handle libcs without fmemopen()

cgroups: cleanup

cgfsng: use __do_free_string_list all over

file_utils: include stdio.h for fmemopen()

tests/share_ns: always call pthread_exit()

memory_utils: remove unneeded inclusion of mntent.h

cgroups: fix memory leak and simplify code

tests/share_ns: bugfixes

conf: cleanup

commands_utils: cleanup

commands: cleanup

tree-wide: more cleanup macros

lxccontainer: increase cleanup macro usage

autotools: fix lxc-init build with clang-10

tree-wide: improve logging

tree-wide: make files cloexec whenever possible

attach: cleanup various helpers

attach: use logging helpers when handling no new privileges

attach: use cleanup macros and logging helpers when fetching seccomp

attach: use LXC_INVALID_{G,U}ID macros

attach: use cleanup macros in lxc_attach_getpwshell()

attach: fix fd leak

attach: cleanup

cgroup2_devices: fix logic error

commands: remove unused variables

commands_utils: fix socket leak when adding state client

commands_utils: indicate taking ownership of state_client_fd in lxc_add_state_client()

commands_utils: fix socket leak in when adding state client

af_unix: cleanup

network: Uses netlink for IP neighbour proxy management

utils: only move_fd() when fdopen() has been successful

api-extensions: document cgroup2_devices and cgroup2 api extensions

src/lxc/raw_syscalls.c: fix sparc assembly

cgroups: honor lxc.cgroup.pattern if set explicitly II

cgroups: honor lxc.cgroup.pattern if set explicitly

cgroups: remove unused method and cleanup cgroup_exit()

tree-wide: improve setgroups() dropping

lxclock: fix a small memory leak

container.conf: Document that order is important in config_jump_table

container.conf: Fix option ordering in config_jump_table

Currently lxc.selinux.context.keyring is placed after

container.conf: Fix off by 2 in option parsing

doc: Add doc for keyring options

container.conf: Add option to disable session keyring creation

container.conf: Add option to set keyring SELinux context

cgroups: fix default cgroup pattern

start: fix container killing logic

network: Restore fixed MTU functionality

test: increase timeout for api reboot tests

cgroup.c: fix memory leak at cgroup init failed

network: rework network device creation

network: fix network device removal

tests: log api reboot test failures

network: fix typo and formatting in comment

network: improve veth device creation

start: handle kernel header and kernel incompatibility

tests: timeout after 60 seconds

mainloop: add missing

Suppress useless udhcpc directory

start: remove procfs pidfd support

create_run_template(): Double "will mount" in a comment

cmd: fix shebang

travis: enable -fsanitize=undefined

fd: only add valid fd to mainloop

seccomp: support s390 seccomp

api_extensions: advertise cgroup2 support

cgroups/cgfsng: do not prematurely close file descriptors

cgroups/cgfsng: improve cgroup creation and removal

cgroups/cgfsng: rework cgroup removal

cgroups/cgfsng: rework legacy cpuset handling

cgroupfs/cgfsng: pass cgroup to cg_legacy_handle_cpuset_hierarchy() as const char *

cgroups: use explicit unsigned type for bitfield

cgroups: flatten hierarchy

file_utils: use O_NOCTTY | O_NOFOLLOW

cgroups/devices: enable devpath semantics for cgroup2 device controller

cgroups/cgfsng: replace lxc_write_file()

cgroups/cgfsng: cgfsng_devices_activate()

cgroups/cgfsng: rework cgfsng_nrtasks()

cgroups/cgfsng: rework cgfsng_mount()

cgroups/cgfsng: rework cgfsng_chown()

cgroups/cgfsng: rework cgfsng_attach()

cgroups/cgfsng: rework cgfsng_setup_limits()

cgroups/cgfsng: rework cgfsng_setup_limits_legacy()

cgroups/cgfsng: rework cgfsng_{get,set}()

cgroups/cgfsng: rework cgfsng_unfreeze()

cgroups/cgfsng: rework cgfsng_get_hierarchies()

cgroups/cgfsng: rework cgfsng_num_hierarchies()

cgroups/cgfsng: rework cgfsng_escape()

cgroups/cgfsng: rework cgfsng_payload_enter()

cgroups/cgfsng: rework cgfsng_payload_create()

tree-wide: s/__unused/__lxc_unused/g

cgroups/cgfsng: rework cgroup attach

cgroups/cgfsng: don't dereference NULL-pointer

cgroups/cgfsng: log chown_cgroup_wrapper()

cgroups/cgfsng: rework cgroup2 unprivileged delegation

cgroups/cgfsng: rework cgfsng_{monitor,payload}_delegate_controllers()

cgroups/cgfsng: rework cgfsng_monitor_enter()

cgroups/cgfsng: rework cgfsng_monitor_create()

cgroups/cgfsng: rework cgfsng_monitor_destroy()

cgroups/cgfsng: rework cgfsng_payload_destroy()

log: remove unused compiler attribute

start: replace compiler attributes

log: replace compiler attributes

attach: replace closing helpers

compiler: add __unused attribute

{log, macro}: remove unused logging functions

lxccontainer: replace logging functions

confile_utils: replace logging functions

cgroups: rework return values of some functions

cgroups/cgroup2_devices: replace logging functions

cgroups/cgroup: replace logging functions

cgroups/cgfsng: replace logging functions

confile: replace logging helpers

network: replace logging helpers

commands: replace logging helpers

attach: s/minus_one_set_errno(/ret_set_errno(-1, /g

af_unix: s/minus_one_set_errno(/ret_set_errno(-1, /g

macro: add ret_errno()

log: rearrange

cgroup2: rework controller delegation

"busy" field set to -1 instead of 0

"busy" field set to 1 instead of 0

Init "busy" field to -1 as 0 is valid fd

config: Fix parsing of mount options

cgroups/devices: correctly verify bpf device usability in cgfsng_devices_activate()

cgroups: improve container cgroup attaching

lxc: switch to SPDX

commands: use logging return helpers

cgfsng: rework cgroup2 attach

cgroups/devices: do not log error when bpf device feature is not available

freezer: cleanup

cgroups/freezer: fix and improve cgroup2 freezer implementation

cgroups: add DEFAULT_MOUNTPOINT #define

cgroups/devices: use dedicated enums

cgroups/devices: introduce ebpf device cgroup global rule types

cgroups/devices: handle NULL

configure: enable -Wunused-but-set-variable

cgroups/cgfsng: implement cgroup2 device controller live update

conf: record cgroup2 devices in parsed format

cgroups/cgfsng: "atomically" replace bpf device programs

macro: remove unused macros

api_extension: add cgroup2_devices api extension

cgroups: add cgroup2 device controller support

cgfsng: return attach fail if container stopped

conf: fix memory leak for set config rootfs options

fix wrong order of bridge/nic in error message

Typo in a comment

tests: use /dev/loop-control instead of /dev/network_latency

configure.ac: fix build on toolchain without SSP

Update cgroup.h

terminal: prevent returning invalid pointer

terminal: make lxc_terminal_signal_fini() static

lxc-usernsexec: support easily mapping own uid

tests: add tests making sure the exit code is appropriate.

terminal: return NULL on error in terminal_signal_init

terminal: prevent memory leak for lxc_terminal_state

apparmor: Prevent writes to /proc/acpi/**

syscall_wrappers: rename internal memfd_create to memfd_create_lxc

lxc/tools/lxc/destroy: Restores error message on container destroy

Update lxc.containers.conf(5) in Japanese

Bad sgml/man translation

Add more info about lxc.start.order in Japanese man

Add autodev.tmpfs.size to Japanese lxc.container.conf(5)

lxc-destroy: send successful output messages to log info instead of error.

doc: Add more info about 'lxc.start.order'

update obsolete functions

Add autodev.tmpfs.size config parameter

start: handle setting pdeath signal in new pidns

start: pidfds obviously start - like any fd - at 0

Fix lxc-update-config in network.address

allow users to configure the option --enable-feature or --with-package, if an option is given run shell commands action-if-given

Set minimum autoconf version to 2.69 and change obsolete function AC_HELP_STRING for AS_HELP_STRING

doc: Add the lxc.net.[i].veth.mode option in Japanese lxc.container.conf(5)

doc: Add Japanese pam_cgfs(8) man page

doc: add man page for pam_cgfs

Ensures OpenSSL compatibility with older versions of EVP API.

utils: Copying source filename to avoid missing info.

cgroups: unify cgfsng_{un}freeze()

cgroups: initialize cgroup root directory - encore

cgroups: check for empty cgroups on freeze/unfreeze

cgroups: initialize cgroup root directory

[aa-profile] Deny access to /proc/acpi/**

lxc-attach: make sure exit status of command is returned

cgfsng: mount pure unified cgroup layout correctly

lxc-create: check absolute path for param '--dir'

cgroups: support cgroup2 freezer

attach: don't close stdout of getent

utils: Fix wrong integer of a function parameter.

try to fix search user instead of search substring

lxccontainer: do_lxcapi_detach_interface to support detaching wlan devices

cgroups: initialize cpuset properly

network: restore ability to move nl80211 devices

pidfds: don't print a scary warning on ENOSYS

tree-wide: initialize all auto-cleanup variables

suppress false-negative error in templates and nvidia hook

Container's specific file/directory names

Use file/directory names from macro.h

tree-wide: fix wrong copy-paste for licenses

Support and upgrade

LXC 4.0.0 will be supported until June 2025, and our current LTS release, LXC 3.0, will now switch to a slower maintenance pace, only getting critical bugfixes and security updates.

We strongly recommend all LXC users to plan an upgrade to the 4.0 branch.

Main release tarball: lxc-4.0.0.tar.gz

GPG signature: lxc-4.0.0.tar.gz.asc

The LXC 4.0.0 release was brought to you by a total of 30 contributors.

24th of July 2019

The LXC team is pleased to announce the release of LXC 3.2.1!

Because of an issue in the 3.2.0 release process, we ended up having to roll a 3.2.1 release almost immediately, fixing an issue in the configure.ac file identifying the release as stable.

New features

seccomp: Support syscall forwarding to userspace

Newer kernels allow seccomp to forward intercepted syscalls to a dedicated file descriptor. These messages can be read, the syscall arguments inspected, and, if found secure, a sufficiently privileged userspace process can perform the action normally done by the kernel on behalf of the container. LXC introduces a new protocol to send such messages to, and receive responses from, another process. Users can specify a unix socket address via lxc.seccomp.notify.proxy in the format unix:<path>; LXC will forward the intercepted syscalls to that socket and wait for an appropriate response. Users can set a cookie via lxc.seccomp.notify.cookie that LXC will send back to the process that reads the forwarded syscalls. This will e.g. allow the listening process to identify which container sent a message. With this feature LXD e.g. supports device node creation via the mknod() and mknodat() system calls, which are usually forbidden in containers, for a well-defined set of secure devices.

Add lxc.seccomp.allow_nesting configuration key

This release adds the lxc.seccomp.allow_nesting api extension. If lxc.seccomp.allow_nesting is set to 1 then seccomp profiles will be stacked. This way nested containers can load their own seccomp policy on top of the policy that the outer container might have applied.
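As an added example (not from the release notes or the LXC project) of wiring the keys from the two sections above together: the container config points at a seccomp profile that marks mknod/mknodat for forwarding, names the proxy socket and a cookie, and allows nesting. The socket path, profile path and cookie value are assumptions, and the per-syscall `notify` action in the v2 profile format is an assumption too, since the notes only name the configuration keys:

```ini
# --- container config fragment (assumed paths and cookie value) ---
lxc.seccomp.profile = /var/lib/lxc/c1/seccomp.notify
# The proxy that receives intercepted syscalls acts with privilege, so it must
# inspect the forwarded arguments and refuse anything outside its own list of
# secure devices before acting on the container's behalf.
lxc.seccomp.notify.proxy = unix:/run/seccomp-proxy/c1.sock
# Echoed back with every forwarded syscall so the proxy can tell which
# container the request came from.
lxc.seccomp.notify.cookie = c1-2019-07-24
# Let a nested container stack its own filter on top of this one.
lxc.seccomp.allow_nesting = 1

# --- /var/lib/lxc/c1/seccomp.notify (assumed v2 profile; "notify" action assumed) ---
2
blacklist
mknod notify
mknodat notify
```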

Networking: Add IPVLAN support

LXC has gained support for IPVLAN. Here is an example of how to set up the network:

lxc.net.[i].type = ipvlan
lxc.net.[i].ipvlan.mode = [l3|l3s|l2] (defaults to l3)
lxc.net.[i].ipvlan.flags = [bridge|private|vepa] (defaults to bridge)
lxc.net.[i].link = eth0
lxc.net.[i].flags = up

Networking: Add layer 2 (ARP/NDP) proxy mode

LXC now supports layer 2 ARP/NDP proxy mode. This can be enabled by using:

lxc.net.[i].l2proxy = [0,1] (defaults to 0)

Networking: Add gateway device route mode

LXC now supports specifying lxc.net.[i].ipv4.gateway and/or lxc.net.[i].ipv6.gateway with a value of dev. This will cause LXC to set a device route as default gateway.

Networking: Add support for static routes

This release introduces two new configuration keys

lxc.net.[i].veth.ipv4.route
lxc.net.[i].veth.ipv6.route

which allow users to set static routes on veth-type interfaces.

Networking: Add router veth mode

LXC has gained a new router mode for veth networking. This "router" mode will configure the host machine as a router for the container by adding static routes for the container's IPs on the host pointing to the container's host-side veth interface. It will also add static IP proxy entries of either the host's link interface IP or a statically set IP on the host-side veth interface to provide the container a gateway to the host.

Here is an example of how to set up the network:

lxc.net.0.type = veth
lxc.net.0.veth.mode = router
lxc.net.0.link = eth0
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 192.168.1.x/32
lxc.net.0.ipv6.address = 2a02:xxx:xxx:1::x/128
lxc.net.0.ipv4.gateway = auto
lxc.net.0.ipv6.gateway = auto
lxc.net.0.link = host-eth0
lxc.net.0.l2proxy = 1

This provides an ipvlan-like networking mode that has the following properties:

Works on older kernels.

Uses the host's routing table (and netfilter rules) to route packets (potentially out of different interfaces or between containers), unlike ipvlan.

Prevents containers from altering their IP.

Prevents broadcast/multicast traffic to/from containers.

Provides same MAC externally for all containers.

No bridge interface to manage.

Supports layer 3 only mode for setups where BGP (or other routing protocols) are running on the host to distribute container's IPs in the local routing table to the wider network.

Containers can optionally have IPs accessible on local LAN at layer 2 using the existing l2proxy and link settings.

pidfd: Add initial support for the new pidfd api

Newer kernel versions allow interaction with processes through process file descriptors (pidfds). This eliminates various race conditions when e.g. sending signals or retrieving process information. This LXC version makes use of the pidfd_send_signal() syscall and the CLONE_PIDFD flag with the clone() syscall.

Hardening: Add more compiler based hardening

Over the last few releases we enabled options compilers provide to harden C codebases. This release enables:

-Wlogical-op -Wmissing-include-dirs -Wold-style-definition -Winit-self -Wfloat-equal -Wsuggest-attribute=noreturn -Werror=return-type -Werror=incompatible-pointer-types -Wformat=2 -Wimplicit-fallthrough=5 -Wshadow -Wendif-labels -Werror=overflow -fdiagnostics-show-option -fstack-protector-strong -Werror=shift-count-overflow -Werror=shift-overflow=2 -Wdate-time -Wnested-externs -fasynchronous-unwind-tables -pipe -fexceptions

Hardening: Remove all stack allocations

Stack-based memory allocations (e.g. through alloca()) can cause quite severe memory bugs. LXC has therefore removed all stack-based memory allocations and will not allow new code to add any.

Hardening: Add support for LGTM

LXC has gained support for the LGTM code analysis tool. We're happy that LXC's code is currently ranked as A+.

Hardening: Add support for coccinelle

LXC has gained support for the coccinelle code transformation tool. This allows us to change code automatically, eliminating the errors caused by manually replacing, e.g., deprecated functions such as alloca().

Hardening: Compiler based resource cleanup

The codebase will be slowly switched over to make use of cleanup attributes supported by compilers such as gcc and clang.

Hardening: Remove fgets() from the codebase

To improve security all uses of fgets() have been removed from the codebase. Use of this function in new code is strongly discouraged.

Hardening: Expand close-on-exec usage

All file descriptors that can be made close-on-exec are now close-on-exec.

Use /sys/kernel/cgroup/delegate file for cgroup v2

This file exports a list of the cgroups v2 files (one per line) that are delegatable (i.e., whose ownership should be changed to the user ID of the delegatee). LXC will use this to determine how to correctly delegate cgroups.
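Added example (written for this page, not LXC's own code) of the delegation step the paragraph describes: read the delegate list, then change the owner of the cgroup directory and of exactly the listed files, leaving controller knobs such as memory.max with their original owner. The list path parameter, the MAX_DELEGATE limit and the constructed fixture directory are this example's own; on a cgroup2 host the real list is /sys/kernel/cgroup/delegate.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define KERNEL_DELEGATE_FILE "/sys/kernel/cgroup/delegate"
#define MAX_DELEGATE 64	/* this example's own bound on list entries */

/* Read a delegate list (one cgroup file name per line, the format of
 * /sys/kernel/cgroup/delegate) into names[]. Returns the count or -errno. */
int read_delegate_list(const char *path, char *names[MAX_DELEGATE])
{
	char buf[4096], *tok, *save = NULL;
	int n = 0, saved;
	int fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	ssize_t len = read(fd, buf, sizeof(buf) - 1);	/* the kernel file is tiny */
	saved = errno;
	close(fd);
	if (len < 0)
		return -saved;
	buf[len] = '\0';
	for (tok = strtok_r(buf, "\n", &save); tok && n < MAX_DELEGATE; tok = strtok_r(NULL, "\n", &save)) {
		names[n] = strdup(tok);
		if (!names[n]) {
			while (n--)
				free(names[n]);
			return -ENOMEM;
		}
		n++;
	}
	return n;
}

void free_delegate_list(char **names, int n)
{
	for (int i = 0; i < n; i++)
		free(names[i]);
}

/* Delegate cgroup_dir to uid:gid: chown the directory and only the listed
 * files, so unlisted knobs (memory.max, cpu.max, ...) stay out of the
 * delegatee's reach. Names the running kernel's cgroup lacks are skipped.
 * Returns the number of entries whose ownership was changed, or -errno. */
int delegate_cgroup_dir(const char *delegate_list, const char *cgroup_dir,
			uid_t uid, gid_t gid)
{
	char *names[MAX_DELEGATE], path[4096];
	int n = read_delegate_list(delegate_list, names), ret;
	if (n < 0)
		return n;
	if (chown(cgroup_dir, uid, gid) < 0) {
		ret = -errno;
		goto out;
	}
	ret = 1;
	for (int i = 0; i < n; i++) {
		snprintf(path, sizeof(path), "%s/%s", cgroup_dir, names[i]);
		if (chown(path, uid, gid) == 0)
			ret++;
		else if (errno != ENOENT) {
			ret = -errno;
			break;
		}
	}
out:
	free_delegate_list(names, n);
	return ret;
}

/* Constructed stand-in for a cgroup directory plus a delegate list (this
 * example's own test data, not a real cgroup). cgroup.threads is listed but
 * not created, to exercise the ENOENT skip. Returns 0 or -errno. */
int make_constructed_fixture(char *dir_template, char *list_path, size_t list_len)
{
	static const char *files[] = { "cgroup.procs", "cgroup.subtree_control", "memory.max", "cpu.max" };
	static const char list[] = "cgroup.procs\ncgroup.threads\ncgroup.subtree_control\n";
	char path[4096];
	int fd;
	if (!mkdtemp(dir_template))
		return -errno;
	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		snprintf(path, sizeof(path), "%s/%s", dir_template, files[i]);
		fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
		if (fd < 0)
			return -errno;
		close(fd);
	}
	snprintf(list_path, list_len, "%s/.delegate", dir_template);
	fd = open(list_path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
	if (fd < 0 || write(fd, list, sizeof(list) - 1) != (ssize_t)(sizeof(list) - 1))
		return -EIO;
	close(fd);
	return 0;
}
```

Without privileges the fixture can only be chowned to the caller's own uid/gid, which is enough to exercise the selection logic; on a real host the same call would be made with the delegatee's ids.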

Handle layouts without cgroups

This lets LXC start containers on systems without writable cgroups.

Handle offline cpus in cpuset

In addition to removing isolated cpus from a container's cgroup, LXC will now also remove offline cpus from the container's cpuset.

Generate new boot id for each container

LXC will now generate a new random boot id for each container and mount it to /proc/sys/kernel/random/boot_id. This will allow systemd to recognize the boots of each container.

Unified network creation

LXC has a new unified way of creating networks for privileged and unprivileged containers, greatly simplifying the code.

This release comes with a fix for the privileged container breakout discovered earlier this year. As per our policy we don't consider privileged containers root safe and thus LXC has not received a CVE for this. However, we still provide a fix in this release. For more details see this blog post.

lxc-download: Pre-release bump of compat

seccomp: open memfd read-write

doc: Documents the lxc.net.[i].veth.mode option

network: Adds veth router mode static routes and proxy entries

network: Adds mode param (bridge, router) to veth network setting

lxc/log: Adds error_log_errno macro

doc: Add lxc.comp.notify.cookie to Japanese lxc.container.conf(5)

cgroup: check for non-empty conf

seccomp: coding style

af_unix: remove unused variable

seccomp: send caller pidfd along with proxied requests

seccomp: recvmsg with MSG_TRUNC

doc: document lxc.seccomp.notify.cookie

seccomp: defer reconnecting to the proxy

seccomp: keep retrying to reconnect to proxy

seccomp: send default response when there's no proxy

seccomp: retry connecting to the proxy once

seccomp: don't ignore syscalls when there's no proxy

seccomp: remove reconnect-loop

seccomp: use SOCK_SEQPACKET for the notify proxy

seccomp: assert that __reserved is 0 in notify responses

seccomp: update notify api

conf: add lxc.seccomp.notify.cookie

file_utils: add lxc_recvmsg_nointr_iov

af_unix: add lxc_unix_connect_type

af_unix: add lxc_abstract_unix_recv_fds_iov()

af_unix: add lxc_abstract_unix_send_fds_iov

pidfd_send_signal: fix return value

lxccontainer: properly cleanup on mount injection failure

start: call lxc_find_gateway_addresses early

network: simplify lxc_network_move_created_netdev_priv()

network: send names for all non-trivial network types

network: record created_name for instantiate_phys()

network: simplify instantiate_phys()

network: record created_name for instantiate_vlan()

network: simplify instantiate_vlan()

network: record created_name for instantiate_ipvlan()

network: simplify instantiate_ipvlan()

network: stash created_name in instantiate_macvlan()

network: simplify instantiate_macvlan()

network: s/loDev/loop_device/g

cgroups: handle cpuset initialization race

network: remove faulty restriction

fix memory leak in do_storage_create

cgroups: move variable into tighter scope

cgroups: correctly order variables

cgroups: simplify cgfsng_nrtasks()

cgroups: simplify cgfsng_setup_limits()

cgfsng: fix memory leak in lxc_cpumask_to_cpulist

lxccontainer: rework seccomp notify api function

cgfsng: write cpuset.mems of correct ancestor

parse.c: fix fd leak from memfd_create

lxc.pc.in: add libs.private for static linking

Fixed file descriptor leak for network namespace

network: fix lxc_netdev_rename_by_index()

Switch from gnutls to openssl for sha1

doc: add a note about shared ns + LSMs to Japanese doc

seccomp: do not set SECCOMP_FILTER_FLAG_NEW_LISTENER

Centralize hook names

seccomp: add ifdefine for SECCOMP_FILTER_FLAG_NEW_LISTENER

seccomp: s/SCMP_FLTATR_NEW_LISTENER/SECCOMP_FILTER_FLAG_NEW_LISTENER/g

seccomp: s/HAVE_DECL_SECCOMP_NOTIF_GET_FD/HAVE_DECL_SECCOMP_NOTIFY_FD/g

seccomp: s/seccomp_notif_free/seccomp_notify_free/g

seccomp: s/seccomp_notif_alloc/seccomp_notify_alloc/g

seccomp: s/seccomp_notif_id_valid/seccomp_notify_id_valid/g

seccomp: s/seccomp_notif_send_resp/seccomp_notify_respond/g

seccomp: s/seccomp_notif_receive/seccomp_notify_receive/g

seccomp: s/seccomp_notif_get_fd/seccomp_notify_fd/g

seccomp: s/SCMP_ACT_USER_NOTIF/SCMP_ACT_NOTIFY/g

cgroups: prevent segfault

start: fix handler memory leak at lxc_init failed

lxc_usernsexec: continuing after unshare fails leads to confusing and misleading error messages

getgrgid_r fails with ERANGE if buffer is too small. Retry with a larger buffer.

lxc_clone: add a comment about stack size

lxc_clone: bump stack size to 8MB

configure: remove additional comma

lxccontainer: cleanup attach functions

attach: do not reload container

network: Fixes bug that stopped down hook from running for phys netdevs

network: move phys netdevs back to monitor's net ns rather than pid 1's

lxc_clone: get rid of some indirection

doc: add a little note about shared ns + LSMs

lxc_clone: pass non-stack allocated stack to clone

configure: handle checks when cross-compiling

Use %m instead of strerror() when available

Config: check for %m availability

initutils: Fix memleak on realloc failure

zfs: Fix return value on zfs_snapshot error

lvm: Fix return value if lvm_create_clone fails

criu: Remove unnecessary return after _exit()

criu: Use -v4 instead of -vvvvvv

Option --busybox-path instead of --bbpath

New --bbpath option and unnecessary --rootfs checks

coding style: update

start: use CLONE_PIDFD

api: Adds the network_phys_macvlan_mtu extension

network: Restores phys device MTU on container shutdown

network: Adds mtu support for phys and macvlan types

raw_syscalls: simplify assembly

utils: improve switch_to_ns()

doc: Fix and improve Japanese translation

doc: Update Japanese lxc.container.conf(5)

network: Re-works veth gateway logic

network: Makes vlan network interfaces set mtu before upscript called

network: Adds custom mtu support for ipvlan interfaces

seccomp: document path calculation

compiler: add __returns_twice attribute

seccomp: send process memory fd

namespaces: allow a pathname to a nsfd for namespace to share

seccomp: ensure fields are set to 0

seccomp: remove alignment requirements

seccomp: notifier fixes

network: Makes some routing functions static

network: Fixes bug in macvlan mode selection

network: Fixes vlan hook script

network: Fixes a little typo in an error message

start: silence clang

Fix 'zfs get' command order

lxc-start: remove bad doc

netns_getifaddrs: adapt to kernel changes

configure: s/LDLAGS/LDFLAGS/

conf: do lxc.mount.entry mounts right after lxc.mount.fstab

raw_syscalls: lxc_raw_clone()

hooks/nvidia: handle spaces in NVIDIA_REQUIRE variables

storage: update zfs

storage: prevent uninitialized variable warning

cgroups: fix potential nullderef

attach: use tighter scope for fd variable

fix: #2927 api doc generation fails under out of source build.

Fix monitor pdeathsig handling

Fix user namespace pdeathsig handling

network: fix network device removal

doc: Add the description of apparmor profile generation to man pages

doc: Add lxc.rootfs.managed to lxc.container.conf(5)

doc: Add lxc.cgroup.relative to lxc.container.conf(5)

lvm: Updates lvcreate to wipe signatures if supported, fallbacks to old command if not.

lxccontainer: check do_lxcapi_init_pid() for failure

start: fix parent PID passed to lxc_set_death_signal

utils: fix handling of PID namespaces in lxc_set_death_signal

btrfs: ensure \0 byte at end

Fix lxc.cgroup2. on cgroup2-only systems

conf: avoid compiler warning

confile: make parse_limit_value() static

confile_utils: make update_hwaddr() static

confile_utils: lxc_config_net_is_hwaddr()

cgroups: remove unused variables

attach: remove unused variable

Fix android compilation

CODING_STYLE: update

conf: remove unused variable

gpg: use proxy, if http_proxy is set

conf: simplify idmaptool_on_path_and_privileged

lxc-attach: switch to attach_run_wait

travis: run coccinelle

Fix existing mount target check

cve-2019-5736: add test

rexec: try sendfile() fallback to fd_to_fd()

[V2] rexec: handle legacy kernels

rexec: use __do_close_prot_errno

memory_utils: introduce __do_close_prot_errno

macro: introduce steal_fd()

commands: move declaration into tighter scope

start: move variable into tighter scope

mount: Cleanup allow over-mounting

mount: Allow over-mounting

network: do not log false friends

conf: do not log devpts umount2() failure

rexec: remove envp parsing in favour of environ

apparmor: Improve testing on apparmor python script

apparmor: catch config file opening error

rexec: make rexecution opt-in for library callers

include: add fexecve() for Android's Bionic

parse: handle \r

cgfsng: fix cgroup creation

coccinelle: use standard exit identifiers

coccinelle: s/while({1,true})/for(;;)/

lxc-init: exit with error on wait failure

start: prevent signed-issues

cgfsng: remove unnecessary check

commands: remove unnecessary check

caps: check uid and euid

memory_utils: add memory_utils.h

fix rpm packaging for bash completion directory.

cgroups: use of /sys/kernel/cgroup/delegate file

doc: Add lxc.seccomp.allow_nesting to Japanese lxc.container.conf(5)

prlimit: remove deprecated and unneeded header

compiler: remove deprecated and unneeded header

conf: append 0 0 to nesting helpers mount entries

Use BUSYBOX_EXE variable in configure_busybox()

conf: check for successful mount entry parse

Installation of default.script for udhcpc

Avoid double lxc-freeze/unfreeze

Update freezer.c

Handle alternative loop device location on Android

Fixing hooks functionality Android where 'sh' is placed under /system/bin

Fix memory leak in cgroup_exit

conf.c: fix memory leak and mount error

start: __lxc_start return -1 when start fails

network: prefix veth interface name with uid info

start: handle missing CLONE_NEWCGROUP

Fixing compile error when compiling for android

Merge pull request #2774 from hn/master

fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' character in the randomly generated device name part because for modulo one does not need to subtract 1 from strlen().

cgfsng: do not free container_full_path on error

confile: add lxc.seccomp.allow_nesting

lxccontainer: fix container copy

conf: use SYSERROR on lxc_write_to_file errors

lxccontainer: fix mount api (mount_injection_file)

storage: do not destroy pre-existing rootfs

terminal: remove sigwinch command

Support and upgrade

LXC 3.2 isn't an LTS release and so will only be supported until such time as LXC 3.3 is released. We recommend that users who need a stronger support commitment stay on one of our LTS releases.

26th of June 2019

The LXC 1.0 LTS branch has reached its end of life.

Released on the 20th of February 2014, it received over 5 years of bugfixes and security updates from the LXC team as part of our commitment to Long Term Stable releases.

With it reaching the end of its supported life, we will no longer be accepting fixes to the stable-1.0 branch, nor run CI on this branch.

All remaining users should upgrade to a supported release as soon as possible.

Long term support releases

LXC upstream commits to 5 years support for its LTS branches. Such branches exist for LXC, LXCFS and LXD and see bugfixes and security fixes backported to them.

No new features get added to those branches, and only the latest LTS branch sees most bugfixes backported. Once a new LTS branch is released, the previous one will only get security and critical bugfixes.

Migration paths

LXC 1.0 users can upgrade to LXC 2.0 LTS without any expected disruption nor configuration changes required.

Upgrading to LXC 3.0 LTS is also possible and doesn't require an intermediate upgrade to 2.0, however as 3.0 has a number of updated configuration options, you will need to run lxc-update-config and may need to manually handle some changes yourself.

Currently supported releases

There are currently 3 supported releases of LXC:

LXC 2.0 LTS (supported until June 2021)

LXC 3.0 LTS (supported until June 2023)

LXC 3.1 (feature release, end of life when 3.2 is released)

21st of June 2019

The LXC team is pleased to announce the release of LXC 3.0.4!

As a stable bugfix release, no major changes have been done, instead focusing on bugfixes and minor usability improvements.

This release comes with a fix for the privileged container breakout discovered earlier this year. As per our policy we don't consider privileged containers root safe and thus LXC has not received a CVE for this. However, we still provide a fix in this release. For more details see this blog post.

Prefix veth interface names with caller's uid

To make it easier for users to inspect veth devices, LXC will now prefix the name of the host-side veth device with the uid of the caller.

Improve using LXC on Android devices

This makes LXC look for standard tools in locations such as /system/bin that are specific to Android. Additionally, it is now possible to correctly allocate loop devices on Android.

Backport all compiler hardening options which are standard on current master

This backports:

-fdiagnostics-color -Wimplicit-fallthrough=5 -Wcast-align -Wstrict-prototypes -fno-strict-aliasing -fstack-clash-protection -fstack-protector-strong --param=ssp-buffer-size=4 -g --mcet -fcf-protection -Werror=implicit-function-declaration -Wlogical-op -Wmissing-include-dirs -Wold-style-definition -Winit-self -Wfloat-equal -Wsuggest-attribute=noreturn -Werror=return-type -Werror=incompatible-pointer-types -Wformat=2 -Wshadow -Wendif-labels -Werror=overflow -fdiagnostics-show-option -Werror=shift-count-overflow -Werror=shift-overflow=2 -Wdate-time -Wnested-externs -fasynchronous-unwind-tables -pipe -fexceptions -z relro -z now

Remove all stack allocation (alloca())

As is already the case on master, all stack allocations via alloca() have been wiped from the codebase to increase security.

Added support for LGTM

This adds support for the LGTM code quality checker.

Add support for coccinelle code transformation tool

This allows us to automatically detect, remove, or add code to the LXC codebase to improve security and reliability.

Compiler based resource cleanup

The codebase will be slowly switched over to make use of cleanup attributes supported by compilers such as gcc and clang.
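Added example (not LXC's code) for this section and for the identical "Hardening: Compiler based resource cleanup" section of the 3.2.1 notes above: the cleanup-attribute pattern that the commit lists refer to as __do_free, __do_close_prot_errno and move_fd, together with a probe that confirms no descriptor leaks on any return path. The helper names follow the commits; their bodies, the sample file and the probe are this example's own.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Cleanup handlers run when the annotated variable leaves scope, on every
 * return path. Names follow the commit list; the bodies are this example's own. */
static inline void auto_free_fn(void *p) { free(*(void **)p); }
#define __do_free __attribute__((__cleanup__(auto_free_fn)))

/* close() can clobber errno, and the handler runs after "return -errno" was
 * evaluated but before the caller inspects errno, so preserve it. */
static inline void auto_close_prot_errno_fn(int *fd)
{
	int saved = errno;
	if (*fd >= 0)
		close(*fd);
	*fd = -EBADF;
	errno = saved;
}
#define __do_close_prot_errno __attribute__((__cleanup__(auto_close_prot_errno_fn)))

/* Transfer ownership: reset the variable so its handler becomes a no-op. */
#define move_fd(fd) ({ int fd_moved_ = (fd); (fd) = -EBADF; fd_moved_; })

/* Count '\n' bytes in path. No close()/free() appears anywhere: the success
 * path and each early error return release both resources via the handlers. */
int count_lines_autocleanup(const char *path)
{
	__do_close_prot_errno int fd = -EBADF;
	__do_free char *buf = NULL;
	ssize_t n;
	int count = 0;

	fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	buf = malloc(4096);
	if (!buf)
		return -ENOMEM;
	while ((n = read(fd, buf, 4096)) > 0)
		for (ssize_t i = 0; i < n; i++)
			count += (buf[i] == '\n');
	return n < 0 ? -errno : count;
}

/* Open path and hand the fd out only if it is a regular file. Rejections
 * leave through the handler (fd closed); success disarms it with move_fd(). */
int open_regular_file(const char *path)
{
	__do_close_prot_errno int fd = -EBADF;
	struct stat st;

	fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY);
	if (fd < 0)
		return -errno;
	if (fstat(fd, &st) < 0)
		return -errno;
	if (!S_ISREG(st.st_mode))
		return -EINVAL;
	return move_fd(fd);
}

/* POSIX guarantees open() returns the lowest free descriptor, so an unchanged
 * value across a call shows that the call leaked no fd. */
int lowest_free_fd(void)
{
	int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	close(fd);
	return fd;
}

/* Constructed sample input (this example's own test data), 3 lines. */
int write_sample_file(char *path_template)
{
	static const char sample[] =
		"lxc.net.0.type = veth\nlxc.net.0.flags = up\nlxc.seccomp.allow_nesting = 1\n";
	int fd = mkstemp(path_template);
	if (fd < 0)
		return -errno;
	ssize_t w = write(fd, sample, sizeof(sample) - 1);
	close(fd);
	return w == (ssize_t)(sizeof(sample) - 1) ? 0 : -EIO;
}

int main(void)
{
	char path[] = "/tmp/lxc_cleanup_XXXXXX";
	if (write_sample_file(path) < 0)
		return 1;
	int before = lowest_free_fd();
	int lines = count_lines_autocleanup(path);
	unlink(path);
	/* exit status 0 only if 3 lines were counted and no fd leaked */
	return (lines == 3 && lowest_free_fd() == before) ? 0 : 1;
}
```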

Remove fgets() from the codebase

To improve security all uses of fgets() have been removed from the codebase. Use of this function in new code is strongly discouraged.

Improve cgroup2 handling

With this release cgroup2 layouts will be better supported.

Setup lxc.mount.entry right after lxc.mount.fstab

This allows us to unify the mounting logic in LXC.

Expand namespace sharing options

When inheriting a namespace, a pathname to a namespace file descriptor can now be specified.

Expand close-on-exec usage

All file descriptors that can be made close-on-exec are now close-on-exec.

Support pidfd api

Newer kernel versions allow interaction with processes through process file descriptors (pidfds). This eliminates various race conditions when e.g. sending signals or retrieving process information. This LXC version makes use of the pidfd_send_signal() syscall and the CLONE_PIDFD flag with the clone() syscall.

Fix cgroup deletion by not prematurely freeing the path to delete

Fix lxc-usernsexec when falling back to the default id mapping

Fix building LXC when the stack-protector option is not supported by the compiler

Remove various unused functions from the codebase

Make sure that lxc-cgroup gives output in all relevant cases

Remove the handler for the SIGWINCH signal from the internal command handler since this is now handled via signalfd

Fix copying containers by stripping the storage type prefix from the target path

Ensure that veth device names can contain all ASCII alphabetical characters

Fix Android builds

Handle kernels that do not support CLONE_NEWCGROUP

Free memory used to record inherited namespaces

Remove various deprecated headers

Ensure lxc-init reports error in all failure paths

Make various functions static

Improve setting the parent death handling

Fix network device removal

Update zfs storage backend to new zfs tool syntax

Fix vlan device handling through upscripts

Dynamically allocate a stack for clone() and use standard 8MB stack size

Improve static linking

Ensure that the cgroup.mems value of the correct ancestor is initialized in the cpuset cgroup

Full commit list:

apparmor: allow various remount,bind options

Merge pull request #2758 from Blub/2018-12-17/stable-3.0/apparmor-bind-remount

cgfsng: do not free container_full_path on error

Merge pull request #2772 from brauner/2018-01-09/fix_cgroup_deletion_stable-3.0

caps: check uid and euid

Merge pull request #2830 from brauner/2019-02-08/capabilities_stable-3.0

CVE-2019-5736 (runC): rexec callers as memfd

include: add fexecve() for Android's Bionic

rexec: handle old kernels

lxc-usernsexec: fix default map functionality

fix install error when using --disable-commands option

Add template-options to help output

stringutils: include stdarg for va_list

configure.ac: fix build without stack-protector

storage: remove unused function

fix lxc-cgroup not giving output

tools: add newline to lxc-cgroup output

terminal: remove sigwinch command

Set c to NULL after freeing it

conf: use SYSERROR on lxc_write_to_file errors

Revert "Set c to NULL after freeing it"

lxccontainer: fix container copy

fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' character in the randomly generated device name part because for modulo one does not need to subtract 1 from strlen().

Fixing compile error when compiling for android

start: handle missing CLONE_NEWCGROUP

network: prefix veth interface name with uid info

Revert "conf: remove extra MS_BIND with sysfs:mixed"

conf.c: fix memory leak and mount error

Fix memory leak in cgroup_exit

Fixing hooks functionality Android where 'sh' is placed under /system/bin

Handle alternative loop device location on Android

Avoid risk of "too far memory read"

Installation of default.script for udhcpc

conf: check for successful mount entry parse

Use BUSYBOX_EXE variable in configure_busybox()

Create /var/run

/etc/resolv.conf grows indefinitely

compiler: remove deprecated and unneeded header

prlimit: remove deprecated and unneeded header

More accurate error msg for template file

fix rpm packaging for bash completion directory.

compiler: -Wlogical-op hardening

compiler: -Wmissing-include-dirs hardening

compiler: -Wold-style-definition hardening

compiler: -Winit-self hardening

compiler: -Wfloat-equal hardening

compiler: -Wsuggest-attribute=noreturn hardening

compiler: -Werror=return-type hardening

compiler: -Werror=incompatible-pointer-types

compiler: -Wformat=2 hardening

compiler: set -Wimplicit-fallthrough to 5

compiler: -Wshadow hardening

compiler: -Wendif-labels hardening

compiler: -Werror=overflow hardening

compiler: -fdiagnostics-show-option

compiler: fix -fstack-protector-strong

compiler: -Werror=shift-count-overflow hardening

compiler: -Werror=shift-overflow=2 hardening

compiler: -Wdate-time hardening

compiler: -Wnested-externs hardening

lxcmntent: remove stack allocations

cgroups: remove stack allocations

lxc_user_nic: remove stack allocations

commands: remove stack allocations

commands_utils: remove stack allocations

conf: remove stack allocations

confile: remove stack allocations

lxccontainer: remove stack allocations

monitor: remove stack allocations

namespace: remove stack allocations

network: remove stack allocations

pam_cgfs: remove stack allocations

start: remove stack allocations

storage: remove stack allocations

string_utils: remove stack allocations

terminal: remove stack allocations

loop: remove stack allocations

lvm: remove stack allocations

nbd: remove stack allocations

rbd: remove stack allocations

overlay: remove stack allocations

lxc-unshare: remove stack allocations

README: add LGTM

commands: remove unnecessary check

cgfsng: remove unnecessary check

start: prevent signed-issues

lxc-init: exit with error on wait failure

coccinelle: add coccinelle support

coccinelle: s/while({1,true})/for(;;)/

coccinelle: use standard exit identifiers

parse: handle \r

compiler: fix wrong licensing

ringbuf.h: fix wrong licensing

syscall_wrappers: fix wrong licensing

string_utils.h: fix wrong licensing

apparmor: catch config file opening error

apparmor: Improve testing on apparmor python script

conf: do not log devpts umount2() failure

network: do not log false friends

start: move variable into tighter scope

af_unix: use __do_free

attach: use __do_free

cgroup_utils: use __do_free

lxc-init: use cleanup macros

lxc-user-nic: use cleanup macros

lxc-usernsexec: use cleanup macros

commands: move declaration into tighter scope

commands: cleanup macros in lxc_cmd_console()

macro: introduce steal_fd()

commands: use __do_close_prot_errno

commands: cleanup macros lxc_cmd()

commands: cleanup macros lxc_cmd_add_state_client

commands: cleanup macros lxc_cmd_accept()

commands: cleanup macros lxc_cmd_init

commands: cleanup macros lxc_cmd_init()

tree-wide: s/steal_fd/move_fd/g

cve-2019-5736: add test

commands_utils: auto close lxc_cmd_sock_get_state

commands_utils: auto free lxc_add_state_client

conf: auto free run_buffer

conf: cleanup macros run_script_argv

conf: cleanup macros pin_rootfs

conf: cleanup macros lxc_mount_auto_mounts

conf: cleanup macros lxc_chroot

conf: cleanup macros parse_mntopts

conf: cleanup macros parse_propagationopts

conf: cleanup macros mount_entry_create_dir_file

conf: cleanup macros mount_entry_on_generic

conf: cleanup macros setup_sysctl_parameters

conf: cleanup macros setup_proc_filesystem

conf: cleanup macros idmaptool_on_path_[...]

conf: cleanup macros remount_all_slave

conf: cleanup macros lxc_execute_bind_init

conf: cleanup macros get_minimal_idmap

conf: cleanup macros get{g,u}name

conf: cleanup macros suggest_default_idmap

travis: run coccinelle

travis: run coccinelle

attach: cleanup macros lxc_proc_close_ns_fd

attach: cleanup macros in_same_namespace

attach: cleanup macros lxc_put_attach_clone_[...]

attach: cleanup macros lxc_attach_terminal_[...]

.travis: give coverity one more try

.travis: remove coverity

lxc-attach: switch to attach_run_wait

conf: simplify idmaptool_on_path_and_privileged

conf: cleanup macros remount_all_slave

conf: cleanup macros lxc_chroot

conf: cleanup macros lxc_pivot_root

conf: cleanup macros lxc_fill_autodev

conf: cleanup macros make_anonymous_mount_file

conf: cleanup macros setup_mount_entries

conf: cleanup macros write_id_mapping

conf: cleanup macros suggest_default_idmap

attach: use move_fd in lxc_proc_close_ns_fd

gpg: use proxy, if http_proxy is set

conf: remove fgets() from run_buffer()

conf: remove fgets() from lxc_chroot()

initutils: remove fgets() from lxc_global_con[...]

initutils: remove fgets() from setproctitle()

conf: remove unused variable

confile: shut up gcc

CODING_STYLE: update

Fix android compilation

commands_utils.c: fix wrong licensing

commands_utils.h: fix wrong licensing

file_utils.c: fix wrong licensing

string_utils.c: fix wrong licensing

attach: remove unused variable

attach: shut up gcc

lxccontainer: shut up gcc and remove unused variables.

network: shut up gcc.

monitor: shut up gcc.

start: shut up gcc.

storage: shut up gcc and remove unused variables.

cmd: shut up gcc.

confile_utils: lxc_config_net_is_hwaddr()

confile_utils: make update_hwaddr() static

confile: make parse_limit_value() static

conf: Fixes uninitialised variable.

Revert "conf: Fixes uninitialised variable."

conf: avoid compiler warning

Fix lxc.cgroup2. on cgroup2-only systems

hooks: drop namespace references before post-stop

btrfs: ensure \0 byte at end

compiler: -fasynchronous-unwind-tables hardening

compiler: -pipe

compiler: -fexceptions hardening

utils: fix handling of PID namespaces in lxc_set_death_signal

start: fix parent PID passed to lxc_set_death_signal

hardening: enable address sanitizer build

start: backport monitor_pid handling

cgfsng: fix cgroup2 handling

cgroups: fix potential nullderef

cgfsng: backport new cgroup handling logic

Merge pull request #2944 from brauner/lxc/stable-3.0

raw_syscalls: lxc_raw_clone()

hooks/nvidia: handle spaces in NVIDIA_REQUIRE variables

Travis: Adds -Wall and -Werror gcc flags to automatic build.

travis: Attempt to fix src/lxc/cmd/lxc_init.c:251: undefined reference to `pthread_sigmask

lvm: Updates lvcreate to wipe signatures if supported, falls back to old command if not.

network: fix network device removal

Fix user namespace pdeathsig handling

lxc-user-nic: small tweaks

doc: update lxc-user-nic manpage

lxc-user-nic: validate request

doc: update Japanese lxc-user-nic manpage

fix: #2927 api doc generation fails under out of source build.

storage: prevent unitialized variable warning

storage: update zfs

conf: do lxc.mount.entry mounts right after lxc.mount.fstab

netns_getifaddrs: adapt to kernel changes

lxc-start: remove bad doc

Fix 'zfs get' command order

commands: partially backport seccomp notify

af_unix: backport helper functions

start: silence clang

network: Fixes a little typo in an error message

network: Adds upscript handling for vlan network type

network: Fixes vlan hook script

tests: Updates .gitignore to ignore test build artefacts

network: Fixes bug in macvlan mode selection

seccomp: notifier fixes

namespaces: allow a pathname to a nsfd for namespace to share

tree-wide: make socket SOCK_CLOEXEC

compiler: add __returns_twice attribute

raw_syscalls: add initial support for pidfd_send_signal()

Devices created in rootfs instead of rootfs/dev

utils: improve switch_to_ns()

raw_syscalls: simplify assembly

clone: add infrastructure for CLONE_PIDFD

network: Adds mtu support for phys and macvlan types

namespace: support CLONE_PIDFD with lxc_clone()

network: Restores phys device MTU on container shutdown

start: use CLONE_PIDFD

Redirect error messages to stderr

coding style: update

New --bbpath option and unnecessary --rootfs checks

lxccontainer: do not display if missing privileges

Option --busybox-path instead of --bbpath

criu: Use -v4 instead of -vvvvvv

criu: Remove unnecessary return after _exit()

lvm: Fix return value if lvm_create_clone fails

zfs: Fix return value on zfs_snapshot error

initutils: Fix memleak on realloc failure

Config: check for %m availability

Use %m instead of strerror() when available

Error prone semicolon

configure: handle checks when cross-compiling

network: move phys netdevs back to monitor's net ns rather than pid 1's

network: Fixes bug that stopped down hook from running for phys netdevs

attach: do not reload container

lxccontainer: cleanup attach functions

lxccontainer: remove unused function

start: remove unused label

configure: remove additional comma

lxc_clone: pass non-stack allocated stack to clone

doc: add a little note about shared ns + LSMs

lxc_clone: get rid of some indirection

cgroups: handle offline cpus in v1 hierarchy

fix issue 2765

lxc_clone: bump stack size to 8MB

lxc_clone: add a comment about stack size

getgrgid_r fails with ERANGE if buffer is too small. Retry with a larger buffer.

lxc_usernsexec: continuing after unshare fails leads to confusing and misleading error messages

start: fix handler memory leak at lxc_init failed

cgroups: prevent segfault

Make /tmp accessible to any user

proposed fix for #2892 - fix lxcbasename in lxc/lxccontainer.c

start: generate new boot id on container start

Centralize hook names

doc: add a note about shared ns + LSMs to Japanese doc

Switch from gnutls to openssl for sha1

network: fix lxc_netdev_rename_by_index()

Fixed file descriptor leak for network namespace

lxc.pc.in: add libs.private for static linking

parse.c: fix fd leak from memfd_create

cgfsng: write cpuset.mems of correct ancestor

Add new dependency for wget for lxc-slackware template

plamo: Workaround for building plamo 32bit 6.x container on current 7.x

plamo: Support https as download scheme and default to https

No changes in this release, version bump only

Support and upgrade

LXC 3.0.4 is supported until June 2023 and is our current LTS release, users are encouraged to update to the latest bugfix releases as they're made available.

Main release tarball: lxc-3.0.4.tar.gz (GPG: lxc-3.0.4.tar.gz.asc)

LXC templates tarball: lxc-templates-3.0.4.tar.gz (GPG: lxc-templates-3.0.4.tar.gz.asc)

LXC python3 bindings tarball: python3-lxc-3.0.4.tar.gz (GPG: python3-lxc-3.0.4.tar.gz.asc)

12th of March 2019

This is the eleventh bugfix release for LXC 2.0.

Note that LXC 2.0.10 was released a few days before 2.0.11 but the release tarball was missing some files and wasn't buildable on Android, so we ended up releasing 2.0.11 to address that.

The changelog below is for everything which happened between 2.0.9 and 2.0.11.

Security fixes

lxc-user-nic, when asked to delete a network interface, would unconditionally open a user-provided path. This code path could be used by an unprivileged user to check for the existence of a path which they wouldn't otherwise be able to reach. It may also be used to trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys). For more details see here.
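The shape of check a privileged helper wants before touching a caller-supplied path, as an added example that is not LXC's code and not the lxc-user-nic fix itself: open with O_PATH so that naming /dev/ptmx, a procfs or a sysfs file has no side effect, confirm the inode is a namespace inode before taking a readable descriptor, confirm it is a network namespace, and answer every refusal with one uniform error. The function names, the self-check and the nsfs ioctl fallbacks are my own; it assumes Linux.

```c
/* Added example, not LXC's code: validating a caller-supplied netns path in a
 * privileged helper. Assumes Linux; nsfs ioctls are used when the headers have them. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#if defined(__has_include) && __has_include(<linux/nsfs.h>)
#include <linux/nsfs.h>
#endif

/* 1 if fd is a namespace inode, 0 if not, -1 if unknown. All namespace inodes
 * share the one nsfs instance, so compare st_dev with our own /proc/self/ns/net. */
int fd_is_nsfs(int fd)
{
    struct stat st, ref;
    int rfd = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (rfd < 0)
        return -1;
    int rc = (fstat(rfd, &ref) == 0 && fstat(fd, &st) == 0) ? st.st_dev == ref.st_dev : -1;
    close(rfd);
    return rc;
}

/* 1 if fd is specifically a network namespace. NS_GET_NSTYPE (Linux 4.11+)
 * answers exactly; without it, fall back to the weaker nsfs test above. */
int fd_is_netns(int fd)
{
#ifdef NS_GET_NSTYPE
    int type = ioctl(fd, NS_GET_NSTYPE);
    if (type >= 0)
        return type == CLONE_NEWNET;
#endif
    return fd_is_nsfs(fd);
}

/* 1 if the caller's uid owns the user namespace owning this netns, 0 if not,
 * -1 if kernel or headers lack the ioctls (a helper should then fail closed). */
int caller_owns_netns(int fd)
{
#if defined(NS_GET_USERNS) && defined(NS_GET_OWNER_UID)
    uid_t owner;
    int ufd = ioctl(fd, NS_GET_USERNS);
    if (ufd < 0)
        return -1;
    int rc = ioctl(ufd, NS_GET_OWNER_UID, &owner) == 0 ? owner == getuid() : -1;
    close(ufd);
    return rc;
#else
    (void)fd; return -1;
#endif
}

/* Open path as a netns reference. The first open is O_PATH, which never runs the
 * file's own open handler: naming /dev/ptmx or a procfs file here allocates and
 * triggers nothing. A readable fd is taken via /proc/self/fd only once the inode
 * is known to be nsfs, and every refusal reports the same errno. */
int open_netns_checked(const char *path)
{
    char proc_path[64];
    int pfd = open(path, O_PATH | O_CLOEXEC), fd = -1;
    if (pfd >= 0 && fd_is_nsfs(pfd) == 1) {
        snprintf(proc_path, sizeof(proc_path), "/proc/self/fd/%d", pfd);
        fd = open(proc_path, O_RDONLY | O_CLOEXEC);
    }
    if (pfd >= 0)
        close(pfd);
    if (fd >= 0 && fd_is_netns(fd) != 1) {
        close(fd);
        fd = -1;
    }
    if (fd < 0)
        errno = EPERM;
    return fd;
}

/* Self-check: 1 if our own netns is accepted while a plain file and /dev/null
 * are refused, 0 on a wrong answer, -1 when /proc is not available. */
int netns_check_selftest(void)
{
    if (access("/proc/self/ns/net", F_OK) != 0)
        return -1;
    int fd = open_netns_checked("/proc/self/ns/net");
    FILE *tmp = tmpfile();
    int ok = fd >= 0 && tmp && fd_is_netns(fileno(tmp)) == 0 && open_netns_checked("/dev/null") == -1;
    if (fd >= 0)
        close(fd);
    if (tmp)
        fclose(tmp);
    return ok;
}

int main(int argc, char **argv)
{
    int fd = open_netns_checked(argc > 1 ? argv[1] : "/proc/self/ns/net");
    if (fd < 0)
        return perror("refused"), 1;
    printf("accepted; owned by caller: %d\n", caller_owns_netns(fd));
    return close(fd);
}
```

A helper would pair open_netns_checked() with caller_owns_netns() and refuse unless the latter returns 1. The uniform EPERM matters on its own: a setuid helper that answers ENOENT for one path and EINVAL for another is itself the existence oracle described above.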

This release fixes CVE-2019-5736. It is a major security issue afflicting all container runtimes and is exploitable when attaching to privileged containers. More details on the bug and how it is fixed can be found here.
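The mitigation listed in the 2.0.11 changelog below ("CVE-2019-5736 (runC): rexec callers as memfd", together with the added sealing flags), as an added example that is not LXC's code: the helper copies its own binary into an anonymous memfd, seals it against writes and resizing, and fexecve()s from that, so a process inside the container that overwrites the on-disk binary no longer changes what runs. The function names and the SEALED_REXEC_DONE marker are mine; it assumes Linux 3.17 or newer.

```c
/* Added example, not LXC's code: copy a binary into a sealed memfd so a later fexecve()
 * runs from an immutable in-memory file, not a path the container can overwrite. Linux 3.17+. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MFD_CLOEXEC /* older glibc headers lack the memfd flags */
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#define REQUIRED_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

extern char **environ;

/* Copy src_fd from its current offset to EOF into a fresh memfd, then seal it.
 * Returns the sealed memfd or -1 with errno set. */
int sealed_memfd_from_fd(int src_fd)
{
    ssize_t n;
    int mfd = (int)syscall(SYS_memfd_create, "sealed-exe", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0)
        return -1;
    while ((n = sendfile(mfd, src_fd, NULL, 1 << 20)) > 0)
        ;
    /* WRITE forbids writes and writable mappings, SHRINK/GROW freeze the size,
     * SEAL forbids changing the seal set itself. */
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, REQUIRED_SEALS) < 0) {
        int saved = errno;
        close(mfd);
        errno = saved;
        return -1;
    }
    return mfd;
}

/* 1 if fd carries every seal we rely on, 0 if not, -1 on error. */
int memfd_fully_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals < 0 ? -1 : (seals & REQUIRED_SEALS) == REQUIRED_SEALS;
}

/* Re-execute ourselves from a sealed copy of /proc/self/exe; returns only on
 * failure. SEALED_REXEC_DONE is this example's own marker so the copy knows
 * it is already running from the memfd. */
int rexec_self_sealed(char *const argv[])
{
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;
    int mfd = sealed_memfd_from_fd(src);
    close(src);
    if (mfd < 0)
        return -1;
    setenv("SEALED_REXEC_DONE", "1", 1);
    fexecve(mfd, argv, environ);
    close(mfd);
    return -1;
}

/* Self-check on constructed data: the copy must match, carry all seals and
 * refuse writes with EPERM. 1 on success, 0 otherwise. */
int sealed_memfd_selftest(void)
{
    static const char payload[] = "constructed sample payload";
    char back[sizeof(payload)];
    FILE *src = tmpfile();
    if (!src || fwrite(payload, 1, sizeof(payload), src) != sizeof(payload))
        return 0;
    fflush(src);
    rewind(src);
    int mfd = sealed_memfd_from_fd(fileno(src));
    fclose(src);
    if (mfd < 0)
        return 0;
    int ok = memfd_fully_sealed(mfd) == 1
          && pread(mfd, back, sizeof(back), 0) == (ssize_t)sizeof(back)
          && memcmp(back, payload, sizeof(payload)) == 0
          && write(mfd, "x", 1) == -1 && errno == EPERM;
    close(mfd);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc > 0 && !getenv("SEALED_REXEC_DONE")) {
        rexec_self_sealed(argv); /* reached only if the re-exec failed */
        return 1;
    }
    printf("running from sealed memfd, self-check: %d\n", sealed_memfd_selftest());
    return 0;
}
```

memfd_fully_sealed() is the check worth keeping in a helper: a memfd created without MFD_ALLOW_SEALING starts with F_SEAL_SEAL already set, so F_ADD_SEALS fails with EPERM, and adding F_SEAL_WRITE fails with EBUSY while a shared writable mapping of the file exists, so verify the seal set before handing the descriptor to fexecve().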

Main bugfixes

Allow attaching to undefined containers

For example the following sequence is now expected to work:

lxc-start -n <container-name> -f /path/to/conf \
    -s 'lxc.id_map = u 0 100000 65536' \
    -s 'lxc.id_map = g 0 100000 65536' \
    -s 'lxc.rootfs = /path/to/rootfs' \
    -s 'lxc.init_cmd = /path/to/initcmd'

Correctly handle namespace inheritance in attach

lxc_attach will now correctly distinguish between a caller specifying specific namespaces to attach to and a caller not requesting specific namespaces. The latter is taken by lxc_attach to mean that all namespaces will be attached. This also needs to include all inherited namespaces.

Allow the creation of testing and unstable Debian containers

Being able to create testing containers, regardless of the name of the next stable release, is useful in several contexts, testing purposes included: one won't need to explicitly switch to bullseye once buster is released to be able to continue tracking testing. While we are at it, let's also enable unstable, which is exactly the same as sid, but there is no reason for not being able to use it.

Enable containers without CAP_SYS_ADMIN (cgroup handling)

In case cgroup namespaces are supported but we do not have CAP_SYS_ADMIN, we need to mount cgroups for the container. This patch enables both privileged and unprivileged containers without CAP_SYS_ADMIN.

Improved cgroup2 handling

Since cgroup2 is becoming more common, LXC 2.0.11 comes with a wide range of improvements in that area.

Support read-only mounts of cgroups

This is especially useful if the container lacks CAP_SYS_ADMIN and thus cannot remount.

Allow exiting from the console via SIGTERM

This allows cleanly exiting a console session without control sequences. Instead, SIGTERM can be sent to the affected process and it will cause LXC to cleanly terminate the console session.

Correctly calculate the number of arguments passed when running application containers

The number of arguments passed to exec was miscalculated under certain conditions. This release ensures that the correct number of arguments is calculated and passed to exec.

Remove all unneeded locking from the codebase

Older versions of LXC used mutexes in various places to ensure thread-safety. Careful redesign of these codepaths has enabled us to remove all mutexes from the codebase. This has led to simplifications and speedups for various operations such as container start and stop.

Fix cgroup namespace preservation

This eliminates a race and makes sure that the cached file descriptor refers to the container's cgroup namespace and not to the host's.

Allow applications to share the host's PID namespace

Prior versions of LXC did not allow sharing the host's PID namespace. Starting with this bugfix release it is possible to do this correctly.

Correctly handle very short-lived application containers

Prior versions had trouble correctly handling extremely short-lived application containers. For example, LXC could incorrectly report that a container was still running when it had already shut down, due to a TOCTOU race, and refuse to restart it. This caused unnecessary delay. Also, output of such short-lived containers written to stdout could get lost or truncated. This release fixes both issues.

Correctly handle containers where /proc has been mounted with hidepid=1 or hidepid=2

In prior versions, attaching to unprivileged containers as an unprivileged user with /proc mounted with hidepid=1 or hidepid=2 would fail since LXC could not retrieve the needed information from /proc. This is now fixed.

Allow force-mounting cgroups even when cgroup namespaces are supported

This lets users specify lxc.mount.auto = cgroup:mixed:force or lxc.mount.auto = cgroup:ro:force or lxc.mount.auto = cgroup:rw:force.

When cgroup namespaces are supported LXC will not mount cgroups for the container since it assumes that the init system will mount cgroups itself if it wants to. This assumption already broke when users wanted to run containers without CAP_SYS_ADMIN.

For example, systemd based containers wouldn't start since systemd needs to mount cgroups (named systemd hierarchy for legacy cgroups and the unified hierarchy for unified cgroups) to track processes. This problem was solved by detecting whether the container had CAP_SYS_ADMIN. If it didn't we performed the cgroup mounts for it.

However, there are more cases when we should be able to mount cgroups for the container when cgroup namespaces are supported:

init systems not mounting cgroups themselves: An init system that doesn't mount cgroups would not have cgroups available, especially when combined with custom LSM profiles that prevent cgroup {u}mount()ing inside containers.

application containers: Application containers will usually not mount cgroups themselves.

read-only cgroups: It is useful to be able to mount cgroups read-only, e.g. to prevent changing cgroup limits from inside the container while at the same time allowing the applications to perform introspection on their own cgroups. This again is mostly useful for application containers. System containers running systemd will usually not work correctly when cgroups are mounted read-only.

Everything else

2.0.11 includes almost a year and a half of bugfixes cherry-picked from current LXC, the entire list can be found below.

tools: allow lxc-attach to undefined containers

utils: move memfd_create() definition

utils: add lxc_cloexec()

utils: add lxc_make_tmpfile()

utils: add lxc_getpagesize()

utils: add lxc_safe_long_long()

utils: parse_byte_size_string()

utils: add lxc_find_next_power2()

namespace: use lxc_getpagesize()

lxc-debian: allow creating testing and unstable

and Call lxc_config_define_load from lxc_execute again

Fix typo in lxc-net script

Add missing lxc_container_put

lxc-debian: don't write C.* locales to /etc/locale.gen

attach: correctly handle namespace inheritance

cgfsng: fix cgroup2 detection

cgroups: enable container without CAP_SYS_ADMIN

lxc-start: remove unnecessary checks

start: close non-needed file descriptors

handler: make name argument const

start: close data socket in parent

monitor: do not log useless warnings

network: reap child in all cases

conf: reap child in all cases

storage: switch to ext4 as default filesystem

tools: fix help output of lxc-create

attach: handle namespace inheritance

cgroups/cgfsng: keep mountpoint intact

cgroups/cgfsng: cgfsns_chown() -> cgfsng_chown()

cgroups/cgfsng: support MS_READONLY with cgroup ns

log: check for i/o error with vsnprintf()

cgroupfs/cgfsng: tweak logging

cgroups/cgfsng: remove is_lxcfs()

cgroups/cgfsng: fix get_controllers() for cgroup2

cgroupfs/cgfsng: improve cgroup2 handling

config: remove SIGRTMIN+14 as lxc.signal.stop

commands: non-functional changes

console: non-functional changes

console: non-functional changes

lxc-test-unpriv: fix the overlayfs mount error

attach: allow attach with empty conf

tools/lxc_attach: removed api logging

console: fix console info message

Add missing dependency libunistring

cgroups/cgfsng: adapt to new cgroup2 delegation

console: report detach message on demand

lxccontainer: enable daemonized app containers

console: use correct escape sequence check

console: prepare for generic signal handler

console: exit mainloop on SIGTERM

commands: non-functional changes

lxccontainer: non-functional changes

commands: fix state socket implementation

lxc_init: set the control terminal in the child session

lxc-test-unpriv: check user existence before removing it

Fixed typo on lxc.spec.in

conf: move CAP_SYS_* definitions to utils.h

start.c: always switch uid and gid

Use AX_PTHREAD config script to detect pthread api

utils.h: Avoid duplicated sethostname implementation

tools/lxc_cgroup: remove internal logging

tools/lxc_autostart: remove internal logging

tools/lxc_clone: remove internal logging

tools/lxc_console: remove internal logging

tools/lxc_create: remove internal logging

tools/lxc_destroy: remove internal logging

tools/lxc_device: remove internal logging

tools/lxc_execute: removed internal logging

tools/lxc_freeze: remove internal logging

tools/lxc_info: removed internal logging

criu: detect veth name

lxccontainer: various container creation fixes

storage: remove unused declaration

tools/lxc_ls: remove internal logging

tools/lxc_copy: remove internal logging

tools/lxc_monitor: removed internal logging

tools/lxc_snapshot: removed internal logging

tools/lxc_start: removed internal logging

tools/lxc_stop: removed internal logging

tools/lxc_top: removed internal logging

tools/lxc_unfreeze: removed internal logging

tools/lxc_unshare: removed internal logging

tools/lxc_usernsexec: removed internal logging

tools/lxc_wait: removed internal logging

confile: fix memory leak

utils: declare sethostname() static inline

lxc_unshare: Add uid_mapping when creating userns

Update gentoo.moresecure.conf.

Add new dependency to Slackware template

Add bash completion to list backing store types for lxc-create -B - Backing Store types are hard-coded (Not sure how to get programmatically) - Closes #1236

Fix SETCOLOR_FAILURE evaluation

Insert missing "echo" after "is_enabled"

conf: prevent null pointer dereference

criu: initialize status

confile: remove dead assignment

criu: silence static analysis

attach: do not fail on non-existing namespaces

test: reenable Coverity integration

lxc_execute: properly figure out number of needed arguments

arguments: move to tools/ subdirectory

start: set loglevel correctly

commands: don't traverse whole list

commands: don't lock atomic operations

commands: don't lock the whole command

start: don't lock setting the state

commands: allow waiting for all states

test: add state server tests

commands: tweak locking

lxccontainer: restore non-blocking shutdown

commands: tell mainloop to reap client fd on error

commands: return -ECONNRESET to caller

execute: pass logfile to lxc-init

lxccontainer: handle execute containers correctly

lxc_init: move up to src/lxc

init: rework dumb init

lxc_init: add custom argument parser

tests: expand tests for shortlived init processes

coverity: #1425734

coverity: #1425735

coverity: #1425739

coverity: #1425929

coverity: #1425923

coverity: #1425922

coverity: #1425921

coverity: #1425895

coverity: #1425890

coverity: #1425889

coverity: #1425888

lxc: Distinguish pthread_mutex_unlock error messages

travis: Fix build failure

coverity: #1425893

coverity: #1425886

coverity: #1428855

coverity: #1425884

coverity: #1425883

coverity: #1425879

tools: block using lxc-execute without config file

conf: avoid spawning unnecessary subshells

coverity: #1425874 + cleanup

lxccontainer: only attach netns on netdev detach

lxccontainer: cleanup {attach,detach}_interface()

coverity: #1425870

coverity: #1425869

coverity: #1425867

coverity: #1425866

coverity: #1425863

coverity: #1425862

coverity: #1425860

coverity: #1425859

coverity: #1425858

coverity: #1425857

start: do not unconditionally dup std{in,out,err}

tools: exit success when lxc-execute is daemonized

start: fix cgroup namespace preservation

init: don't kill(-1) if we aren't in a pid ns

SHARE_NS options should be before OPT_USAGE

commands: fix race when open()/close() cmd socket

namespace: add lxc_raw_clone()

utils: use lxc_raw_clone() in run_command()

lxc_init: fix cgroup parsing

tests: s/lxc.init.cmd/lxc.init_cmd/g

commands_utils: add missing mutex

[monitor] wrong statement of break

cgfsng: Add new macro to print errors

attach: simplify significantly

attach: use lxc_raw_clone()

attach: handle /proc with hidepid={1,2} property

tests: expand lxc_raw_clone() tests

namespace: add lxc_raw_getpid()

tree-wide: s/getpid()/lxc_raw_getpid()/g

namespace: comment lxc_{raw_}clone()

namespace: add lxc_raw_clone_cb()

start: use lxc_raw_clone_cb() where possible

start: log closing cmd socket and STOPPED state

start: make us dumpable

start: simplify cgroup namespace preservation

start: fix death signal

start: handle setting death signal smarter

mainloop: add mainloop macros

mainloop: capture output of short-lived init procs

lxc_config: Add -h and --help flags handler

start: properly cleanup mainloop

console: do not allow non-pty devices on open()

mainloop: use epoll_create1(EPOLL_CLOEXEC)

conf: adapt idmap helpers

conf: adapt userns_exec_1()

conf{ile}: detect ns{g,u}id mapping for root

cgfsng: use init {g,u}id

conf: detect if devpts can be mounted with gid=5

gentoo: Add support for .xz tarballs

configure.ac: fix the check for static libcap

conf: write "deny" to /proc/[pid]/setgroups

conf: non-functional changes

conf: rework userns_exec_1()

cgfsng: only establish mapping once

Fix broken indentation

Include -devel suffix in version string

Add return check for 'lxc_cmd_get_name'

fix up lxc-usernsexec's exit status

add some idmap parsing error messages

confile: improve log messages

console: move pty creation to separate function

start: non-functional changes

console: add some pty helpers

attach: cleanup attach_child_main()

console: adapt lxc_console_mainloop_add()

console: add lxc_pty_map_ids()

attach: minor tweaks

tools: honor --console and --console-log

start: non-functional changes

console: set SFD_CLOEXEC on signal fd

lxc-alpine: allow retaining sys_ptrace per container

utils: do not rely on uninitialized variable

test: log error on failure

utils: check suffix length

lxccontainer: restore blocking wait()

freezer: non-functional changes

commands: add LXC_CMD_SERVE_STATE_CLIENTS

start: don't log stop/continue for non-init processes

fix lxc_error_set_and_log to match the docs

lxc.init: correctly exit with the app's error code

remember the exit code from the init process

start: don't return false when the container's init exits nonzero

lxc-execute: actually exit with the status of the spawned task

set exit status to 1 in the unknown si_code case

console: cleanup

test: fix console tests

attach_options: reduce delta

attach: reduce delta

cgroups: reduce delta

bla

Revert commit "bla" with bad commit message

cgfsng: reduce delta

tools: fix android

Create console when the rootfs is NULL

unlink lxc-init

coverity: #1427668

coverity: #1427639

coverity: #1427638

coverity: #1427191

coverity: #1427190

coverity: #1426734

coverity: #1426694

start: fix mainloop cleanup goto statements

Modify .gitignore

Fix comments and add check in lxc_poll.

lsm: non-functional changes

lsm: add lsm_process_label_fd_get()

lsm: add lsm_process_label_set_at()

apparmor: do not call aa_change_profile()

autotools: do not link against libapparmor

network.c: Remove ip_forward_set and callers

[cgfsng] show wrong errno

better check for lock dir

better unprivileged detection

debian: Use iproute2 instead of iproute

tools: make "-n" optional

lsm: do not #ifdefine

debian: We must use iproute on wheezy

lxc-init: use SIGKILL after alarm timeout

monitor: send SIGTERM to the container when SIGHUP is received

lxc.init: ignore SIGHUP

cgroups: get controllers on the unified hierarchy

cgroups: cgfsng_create: handle unified hierarchy

cgroups: cgfsng_attach: handle unified hierarchy

cgroups: cgfsng_get: handle unified hierarchy

cgroups: cgfsng_set: handle unified hierarchy

cgroups: handle limits on the unified hierarchy

cgroups: more consistent naming

attach: set the container's environment variables

attach: non-functional changes

cgfsng: do MS_REMOUNT

cgfsng: non-functional changes

templates: CentOS fixes

cgroups: add check for lxc.cgroup.use

selinux: simplify check for default label

lsm: fix missing @ in function documentation

cgfsng: add required remount flags

define am_guest_unpriv

Restore most cases of am_guest_unpriv

coverity: #1429139

coverity: #1426734

coverity: #1425971

fix userns helper error handling

console: they are really not necessary

Modify .gitignore

Fix lxc-console hang

conf: support mount propagation

lxclock: remove pthread_atfork_handlers

cgfsng: simplifications and fixes

CONTRIBUTING: update

CODING_STYLE: add CODING_STYLE.md

cgroups: use correct mask for chmod()

CODING_STYLE: add section for str{n}cmp()

tests: remove lxc-test-ubuntu

utils: fix lxc_p{close,open}()

start: don't call close on invalid file descriptor

console: ensure that fd is marked EBADF

README: add coverity

confile: add "force" to cgroup:{mixed,ro,rw}

cgfsng: order includes

cgfsng: fully document struct hierarchy

cgfsng: fully document struct cgfsng_handler_data

cgfsng: fully document remaining variables

cgfsng: free_string_list()

cgfsng: cg_legacy_must_prefix_named()

cgfsng: move cg_legacy_must_prefix_named()

cgfsng: add me to authors

cgfsng: append_null_to_list()

cgfsng: string_in_list()

cgfsng: must_append_controller()

cgfsng: get_hierarchy()

cgfsng: lxc_cpumask()

cgfsng: lxc_cpumask_to_cpulist()

cgfsng: get_max_cpus()

cgfsng: cg_legacy_filter_and_set_cpus()

cgfsng: copy_parent_file()

cgfsng: cg_legacy_handle_cpuset_hierarchy()

cgfsng: controller_lists_intersect()

cgfsng: controller_list_is_dup()

cgfsng: controller_found()

cgfsng: all_controllers_found()

cgfsng: cg_hybrid_get_controllers()

cgfsng: cg_hybrid_get_mountpoint()

cgfsng: copy_to_eol()

cgfsng: controller_in_clist()

cgfsng: cg_hybrid_get_current_cgroup()

cgfsng: must_append_string()

cgfsng: trim()

cgfsng: lxc_cgfsng_print_hierarchies()

cgfsng: lxc_cgfsng_print_basecg_debuginfo()

cgfsng: cg_hybrid_init()

cgfsng: cg_is_pure_unified()

cgfsng: cg_unified_get_current_cgroup()

cgfsng: cgfsng_init()

cgfsng: recursive_destroy()

cgfsng: cg_unified_create_cgroup()

cgfsng: create_path_for_hierarchy()

cgfsng: remove_path_for_hierarchy()

cgfsng: cgfsng_create()

cgfsng: cgfsng_enter()

cgfsng: cgfsng_chown()

cgfsng: mount_cgroup_full()

cgfsng: cgfsng_mount()

cgfsng: recursive_count_nrtasks()

cgfsng: recursive_count_nrtasks()

cgfsng: cgfsng_escape()

cgfsng: build_full_cgpath_from_monitorpath()

cgfsng: __cg_unified_attach()

cgfsng: cgfsng_attach()

cgfsng: cgfsng_get()

cgfsng: cgfsng_set()

cgfsng: convert_devpath()

cgfsng: cg_legacy_set_data()

cgfsng: __cg_legacy_setup_limits()

lxccontainer: use wait_for_pid()

start: remove duplicate lxc_monitor_send_state()

tree-wide: remove locking around openpty()

{commands,start}: remove element from list first

start: use correct prefix for includes

start: print_top_failing_dir()

start: close_ns()

start: preserve_ns()

start: lxc_check_inherited()

start: signal_handler()

start: lxc_poll()

start: lxc_init_handler()

start: lxc_init()

start: lxc_abort()

start: start()

start: post_start()

start: lxc_destroy_container_on_signal()

start: do_destroy_container()

cgfsng: enable "force" for "cgroup-full"

confile: backport parts of network parsing

utils: add LXC_PROC_PID_FD_LEN

CVE 2018-6556: verify netns fd in lxc-user-nic

utils: include linux/types.h

cgfsng: fix off-by-one error

lxccontainer: do_lxcapi_start()

lxccontainer: do_lxcapi_create()

lxccontainer: do_lxcapi_get_interfaces()

lxccontainer: do_lxcapi_get_ips()

lxccontainer: do_lxcapi_clone()

lxccontainer: do_add_remove_node()

lxccontainer: do_lxcapi_detach_interface()

lxclock: {un}lock_mutex()

utils: lxc_popen()

utils: run_command()

network: lxc_create_network_unpriv_exec()

network: lxc_delete_network_unpriv_exec()

lxccontainer: config_file_exists()

lxccontainer: ongoing_create()

lxccontainer: create_partial()

lxccontainer: create_partial()

lxccontainer: lxc_container_free()

lxccontainer: lxc_container_{get,put}()

lxccontainer: do_lxcapi_is_defined()

lxccontainer: do_lxcapi_state()

lxccontainer: is_stopped()

lxccontainer: do_lxcapi_is_running()

lxccontainer: do_lxcapi_freeze()

lxccontainer: do_lxcapi_unfreeze()

lxccontainer: do_lxcapi_console_getfd()

lxccontainer: lxcapi_console()

lxccontainer: load_config_locked()

lxccontainer: do_lxcapi_load_config()

lxccontainer: do_lxcapi_want_daemonize()

lxccontainer: do_lxcapi_want_close_all_fds()

lxccontainer: do_lxcapi_wait()

lxccontainer: am_single_threaded()

lxccontainer: push_arg()

lxccontainer: split_init_cmd()

lxccontainer: free_init_cmd()

lxccontainer: lxcapi_start()

lxccontainer: lxcapi_startl()

lxccontainer: do_create_container_dir()

lxccontainer: create_container_dir()

criu: criu_version_ok()

criu: do_restore()

criu: du_dump()

cgfsng: fix get_hierarchy() for unified hierarchy

fix download template for /tmp as tmpfs or noexec

CODING_STYLE: add section about _exit()

commands: remove mutex from state client list

lxc-snapshot: fix segfault

lxc_init: don't mount filesystems

cgfsng: non-functional changes

mainloop: add LXC_MAINLOOP_ERROR

config: start with a full capability set

CODING_STYLE: remove duplicate _exit() entry

CODING_STYLE: clang-format

CODING_STYLE: arrays of structs

CODING_STYLE: add languages to highlight

Add a workaround for a build issue with old versions of libcap

usernsexec: init log fd

cgroups: don't escape if we're not real root

Revert "cgroups: don't escape if we're not real root"

conf: fix clang warning when building w/o libcap

fix handler use-after-free

Rename ifup/down and remove useless parameter passing

conf: simplify lxc_fill_autodev()

start: always make us dumpable

lxclock: use thread-safe OFD fcntl() locks

locktests: fix test suite

fix signal sending in lxc.init

lxc init: remove dead code

lxc init: coding style

utils: define __NR_setns if missing on old glibcs

conf: re-try devpts mount without gid=5 on error

do_lxcapi_create: set umask

Fix the memory leak in cgfsng_attach

Fix memory leak in list_active_containers

coverity: #1435208

coverity: #1435207

coverity: #1435205

coverity: #1435198

lxccontainer: use thread-safe OFD locks

lxccontainer: non-functional changes

lxccontainer: do_lxcapi_is_running()

lxccontainer: do_lxcapi_freeze()

lxccontainer: do_lxcapi_unfreeze()

lxccontainer: non-functional changes

lxccontainer: non-functional changes

lxccontainer: non-functional changes

coverity: #1435263

fix logic for execute log file

execute: use static buffer

execute: do not check inherited fds again

lxc-unshare: add missing declaration

execute: account for -o path option count

genl: remove

coverity: #1425744

utils: account for terminating \0 byte

network: silence gcc-8

network: adhere to IFNAMSIZ limit

autodev: adapt to changes in Linux 4.18

strlcpy: add strlcpy() implementation

tree-wide: s/strncpy()/strlcpy()/g

CODING_STYLE: add section about using strlcpy()

tools: s/strncpy()/strlcpy()/g

Revert "tools: s/strncpy()/strlcpy()/g"

coverity: #1435604

coverity: #1435603

coverity: #1425836

coverity: #1248106

coverity: #1425844

config: allow read-write /sys in user namespace

capabilities: raise ambient capabilities

coverity: #1425802

lxc-init: skip signals that can't be caught

tree-wide: s/sigprocmask/pthread_sigmask()/g

utils: fix task_blocking_signal()

lxccontainer: fix fd leaks when sending signals

confile: order architectures

tools: fix lxc-create with global config value

tools: fix lxc-create with global config value II

coverity: #1435805

coverity: #1435803

utils: fix task_blocking_signal()

network: fix socket handle leak

conf: va_end was not called.

confile: improve strprint()

start: fix waitpid() blocking issue

start: log unknown info.si_code

tree-wide: handle EINTR in some read()/write()

conf: copy mountinfo for remount_all_slave()

support tls in cross-compile

Fix typo

coverity: #1425777

coverity: #1425779

coverity: #1425794

coverity: #1425795

coverity: #1425841

coverity: #1425849

coverity: #1425836

conf: only use newuidmap and newgidmap when necessary

arguments: improve some operations

coverity: #1425781

tools: restore lxc-create log behavior

fix getpwnam() thread safe issue

attach: fix double free

coverity: #1436916

fix getpwuid() thread safe issue

fix getgrgid() thread safe issue

coverity: #1437017

coverity: #1425778

coverity: #1425760

coverity: #1425766

coverity: #1425767

coverity: #1425768

storage: Resource leak

include: add getgrgid_r()

coverity: #1425770

coverity: #1425771

coverity: #1425789

coverity: #1425792

coverity: #1425793

coverity: #1425799

coverity: #1425810

coverity: #1425813

coverity: #1425818

coverity: #1425819

coverity: #1425824

coverity: #1425825

coverity: #1425837

coverity: #1425840

coverity: #1425846

coverity: #1425789

coverity: #1425855

coverity: #1437027

secure coding: strcpy => strlcpy

secure coding: network: strcpy => strlcpy

btrfs: fix btrfs_snapshot()

include: add strlcat() implementation

btrfs: fix get_btrfs_subvol_path()

secure coding: #2 strcpy => strlcpy

fix fd handle leak

fix pointer c is dereferenced after checking null

commands: simplify lxc_cmd()

monitor: change exit() => _exit() system call in child process

move some comments in lxc.spec.in

log: add lxc_log_strerror_r macro

log: account for Android's Bionic's strerror_r()

CODING_STYLE: add section about using strlcat()

coverity: #1425816

start: don't unconditionally open("/dev/null")

log: thread-safety backports

attach: simplify lxc_attach_getpwshell()

coverity: #1437936

coverity: #1437935

lxclock: change error log using strerror to SYSERROR

conf: the atime flags are locked in userns

coverity: #1438067

change log macro of error case from lxc_ambient_caps_up/down

nl: avoid NULL pointer dereference

conf: s/pipe()/pipe2()/g

conf: always close pipe in run_userns_fn()

criu: s/pipe()/pipe2()/

lxccontainer: cleanup do_lxcapi_get_interfaces()

lxccontainer: s/pipe()/pipe2()/g

cmd: s/pipe()/pipe2()/g

cmd: s/write()/lxc_write_nointr()/g

cmd: s/read()/lxc_read_nointr()/g

criu: s/read()/lxc_read_nointr()/g

criu: s/write()/lxc_write_nointr()/g

lxccontainer: s/write()/lxc_write_nointr()/g

lxccontainer: s/read()/lxc_read_nointr()/g

network: s/read()/lxc_read_nointr()/g

network: s/write()/lxc_write_nointr()/g

sync: s/read()/lxc_read_nointr()/g

sync: s/write()/lxc_write_nointr()/g

log: handle EINTR in read()

caps: handle EINTR in read()

coverity: #438136

README: update Serge's mail address

MAINTAINERS: add Wolfgang Bumiller

CONTRIBUTING: Update reference to kernel coding style

CONTRIBUTING: Link to latest online kernel docs

CONTRIBUTING: Direct readers to CODING_STYLE.md

CODING_STYLE: Mention kernel style in introduction

CONTRIBUTING: Add 'be' to fix grammar

CODING_STYLE: Simplify explanation for use of 'extern'

CODING_STYLE: Remove sections implied by 'kernel style'

CODING_STYLE: Fix non-uniform heading level

CODING_STYLE: Update section header format

autotools: add --{disable,enable}-thread-safety

attach: don't shutdown ipc socket in child

attach: report standard shell exit codes

storage: src cannot be truncated

commands: backport robust infrastructure

Fixing compile error when compiling for android

Fixing hooks functionality on Android where 'sh' is placed under /system/bin

caps: check uid and euid

CVE-2019-5736 (runC): rexec callers as memfd

rexec: don't include non-existing header

utils: add missing sealing flags

include: add fexecve() for Android's Bionic

fexecve: remove unnecessary #ifdef

fexecve: use correct name

rexec: handle legacy kernels

cve-2019-5736: add test for rexec

change version to 2.0.10 in configure.ac

autotools: handle getgrgid_r on bionic

autotools: add memory_utils.h to Makefile.am

change version to 2.0.11 in configure.ac
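The CVE-2019-5736 entries in the list above (rexec callers as memfd, add missing sealing flags, add fexecve() for Android's Bionic, handle legacy kernels) cover the LXC mitigation in which the host-side caller copies its own binary into an anonymous memory file, seals it and re-executes from that copy, so a compromised container no longer reaches the real on-disk binary through the caller's /proc/[pid]/exe. The block below is an added illustration of that mechanism written for this page; it is not LXC's code. The function names, the "sealed-self" memfd name and the 8 KiB copy buffer are this example's own choices.

```c
/* Added example, not LXC's code: copy an executable into a sealed memfd and
 * re-execute from it, the mechanism behind "rexec callers as memfd". */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older libc headers; the values are the kernel's own. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif
#define ALL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

extern char **environ;

/* Write all of buf to fd, retrying short writes and EINTR. Returns 0 or -errno. */
static int write_all(int fd, const char *buf, size_t len)
{
	while (len > 0) {
		ssize_t w = write(fd, buf, len);
		if (w < 0) {
			if (errno == EINTR)
				continue;
			return -errno;
		}
		buf += w;
		len -= (size_t)w;
	}
	return 0;
}

/* Copy the file at path into a fresh, fully sealed memfd.
 * Returns the memfd on success, -errno on failure (e.g. -ENOSYS on a
 * pre-3.17 kernel without memfd_create). */
int sealed_memfd_from_file(const char *path)
{
	char buf[8192];
	ssize_t n;
	int src, mfd, err = 0;

	src = open(path, O_RDONLY | O_CLOEXEC);
	if (src < 0)
		return -errno;
	/* Without MFD_ALLOW_SEALING the later F_ADD_SEALS would fail with EPERM. */
	mfd = (int)syscall(SYS_memfd_create, "sealed-self", MFD_CLOEXEC | MFD_ALLOW_SEALING);
	if (mfd < 0) {
		err = -errno;
		close(src);
		return err;
	}
	while ((n = read(src, buf, sizeof(buf))) != 0) {
		if (n < 0 && errno == EINTR)
			continue;
		err = n < 0 ? -errno : write_all(mfd, buf, (size_t)n);
		if (err)
			break;
	}
	close(src);
	/* No growing, shrinking or writing from now on; F_SEAL_SEAL freezes the seal set itself. */
	if (!err && fcntl(mfd, F_ADD_SEALS, ALL_SEALS) < 0)
		err = -errno;
	if (err) {
		close(mfd);
		return err;
	}
	return mfd;
}

/* Returns 1 when fd carries all four seals and refuses a write with EPERM, else 0
 * (also for fd < 0, so a -errno from above can be passed straight through). */
int memfd_is_immutable(int fd)
{
	int seals = fd < 0 ? -1 : fcntl(fd, F_GET_SEALS);
	if (seals < 0 || (seals & ALL_SEALS) != ALL_SEALS)
		return 0;
	return write(fd, "x", 1) == -1 && errno == EPERM;
}

/* Re-execute the running program from a sealed in-memory copy of itself; the
 * caller must mark the re-executed instance (argv or environment) to avoid
 * looping. Only returns on failure, with -errno. */
int reexec_from_sealed_copy(char **argv)
{
	int mfd = sealed_memfd_from_file("/proc/self/exe");
	if (mfd < 0)
		return mfd;
	fexecve(mfd, argv, environ);
	return -errno;
}
```

Once sealed, F_SEAL_WRITE makes every write() to the copy fail with EPERM and F_SEAL_SEAL prevents the seals from being lifted again; memfd_is_immutable() checks exactly that, and after fexecve() the new process's /proc/self/exe names the sealed memfd rather than the host binary. The "handle legacy kernels" commit reflects that memfd_create() and sealing only exist from Linux 3.17 onwards; this example simply reports -ENOSYS there.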

The release tarballs may be found on our download page and we expect most distributions will very soon ship a packaged version of LXC 2.0.11.

Should you be interested in individual changes or just looking at the detailed development history, our stable branch is on Github.

14th of December 2018

The LXC team is pleased to announce the release of LXC 3.1.0!

This is an intermediary feature release and not one of our major LTS releases or LTS bugfix releases. We plan on doing more of those in the future, but note that support on those releases will be limited as we mostly focus on LTS for production environments.

New features

enable various remount options with AppArmor

Read-write bind mounts need to be restricted for some paths in order to avoid MAC restriction bypasses, but read-only bind mounts shouldn't have that problem. Additionally, combinations of nosuid, nodev and noexec flags shouldn't be a problem either and are required with newer systemd versions, so let's allow those as long as they're combined with ro,remount,bind.

Make use of the new socket option, NETLINK_DUMP_STRICT_CHK, that userspace can set via setsockopt() to request strict checking of headers and attributes on dump requests.

To get dump features such as kernel-side filtering based on data in the header or attributes appended to the dump request, userspace must call setsockopt() with NETLINK_DUMP_STRICT_CHK and a non-zero value. This is necessary to make use of the IFA_TARGET_NETNSID property, which LXC uses to efficiently retrieve information from network namespaces.

allocate new keyring on startup

To isolate and protect the host's keyring, each LXC container will try to allocate a new keyring for itself on startup.
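The following added example (not LXC's own code) shows what allocating a fresh session keyring looks like at the system-call level: keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL) creates a new anonymous keyring and makes it the caller's session keyring, after which KEY_SPEC_SESSION_KEYRING resolves to the new ring instead of the one inherited from the host. The function names and outcome codes are this example's own, and it calls the raw syscall so that libkeyutils is not needed.

```c
/* Added example, not LXC's code: give the calling process a fresh session
 * keyring so the keys of the host session it inherited are no longer reachable. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>

/* Fallbacks for old headers; the values are the kernel ABI's. */
#ifndef KEYCTL_GET_KEYRING_ID
#define KEYCTL_GET_KEYRING_ID 0
#define KEYCTL_JOIN_SESSION_KEYRING 1
#define KEY_SPEC_SESSION_KEYRING -3
#endif

enum { KEYRING_ISOLATED = 1, KEYRING_UNAVAILABLE = 2 };

/* Raw keyctl(2); libkeyutils is deliberately not required. */
static long keyctl_raw(int cmd, long arg2, long arg3)
{
	return syscall(SYS_keyctl, cmd, arg2, arg3, 0L, 0L);
}

/* EPERM/ENOSYS/EACCES mean keyctl is blocked (e.g. by a seccomp filter), not misused. */
static int keyctl_refused(int err)
{
	return err == EPERM || err == ENOSYS || err == EACCES;
}

/* Id of the current session keyring, 0 if the process has none, -errno on error. */
long current_session_keyring(void)
{
	long id = keyctl_raw(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0);
	if (id < 0)
		return errno == ENOKEY ? 0 : -errno;
	return id;
}

/* Create and join a new anonymous session keyring. Returns its id (> 0) or -errno. */
long new_session_keyring(void)
{
	long id = keyctl_raw(KEYCTL_JOIN_SESSION_KEYRING, 0, 0);
	return id < 0 ? -errno : id;
}

/* Replace the inherited session keyring with a fresh one and verify the switch.
 * Returns KEYRING_ISOLATED on success, KEYRING_UNAVAILABLE when keyctl is
 * refused outright, or -errno for any other failure. */
int isolate_session_keyring(void)
{
	long before, after, now;

	before = current_session_keyring();
	if (before < 0)
		return keyctl_refused((int)-before) ? KEYRING_UNAVAILABLE : (int)before;
	after = new_session_keyring();
	if (after < 0)
		return keyctl_refused((int)-after) ? KEYRING_UNAVAILABLE : (int)after;
	/* KEY_SPEC_SESSION_KEYRING must now resolve to the new ring, which must differ from the old. */
	now = current_session_keyring();
	if (now != after || now == before)
		return -EIO;
	return KEYRING_ISOLATED;
}

int main(void)
{
	long before = current_session_keyring();
	int rc = isolate_session_keyring();

	if (rc == KEYRING_ISOLATED)
		printf("session keyring %ld replaced by %ld\n", before, current_session_keyring());
	else if (rc == KEYRING_UNAVAILABLE)
		puts("keyctl() is not available here; keyring isolation skipped");
	else
		fprintf(stderr, "keyring isolation failed: %s\n", strerror(-rc));
	return rc > 0 ? 0 : 1;
}
```

Depending on where it runs, keyctl(2) may be refused entirely (a seccomp policy that blocks the syscall is the usual reason); the example reports that as KEYRING_UNAVAILABLE rather than as an error so that a caller can decide for itself whether to continue without the isolation.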

full cgroup2 support

LXC has supported cgroup2 for a while now without adhering to its strict delegation model. Now, LXC is ready to fully support it.

implement efficient way to retrieve network devices and addresses from containers

Based on kernel work done by the LXD team it is now possible to query a network namespace without having to perform costly fork() and setns() syscalls. Instead, the network namespace is identified by a network namespace identifier. Building on that, a network-namespace-aware, safer and much improved version of getifaddrs(), named netns_getifaddrs(), is introduced and used by LXC. It is a strict superset of getifaddrs().
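The NETLINK_DUMP_STRICT_CHK paragraphs above and the netns_getifaddrs() description come down to one exchange with the kernel: enable strict checking on a NETLINK_ROUTE socket, then issue an RTM_GETADDR dump whose header is a well-formed struct ifaddrmsg and which may carry an IFA_TARGET_NETNSID attribute naming the namespace to query. The block below is an added example written for this page, not LXC's netns_getifaddrs(); the function names, the scratch buffer and the fallback defines are its own. Mainline kernel headers expose the option as NETLINK_GET_STRICT_CHK with the same option number, so the page's name is kept here behind a fallback definition.

```c
/* Added example, not LXC's code: an RTM_GETADDR dump issued with strict header
 * checking enabled, optionally targeted at another network namespace by id. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_addr.h>

/* The page's name for the option; mainline headers call it NETLINK_GET_STRICT_CHK (also 12). */
#ifndef NETLINK_DUMP_STRICT_CHK
#define NETLINK_DUMP_STRICT_CHK 12
#endif
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
#ifndef IFA_TARGET_NETNSID
#define IFA_TARGET_NETNSID 10
#endif

_Alignas(8) unsigned char scratch[64]; /* request buffer, also used by the checks below */

/* Encode an address dump request. netnsid < 0 means the caller's own netns;
 * otherwise an IFA_TARGET_NETNSID attribute is appended, which the kernel only
 * honours with strict checking on. Returns the message length or -ENOSPC. */
int build_getaddr_dump(void *buf, size_t buflen, uint8_t family, int32_t netnsid, uint32_t seq)
{
	struct nlmsghdr *nlh = buf;
	size_t need = NLMSG_SPACE(sizeof(struct ifaddrmsg)) + (netnsid >= 0 ? RTA_SPACE(sizeof(netnsid)) : 0);

	if (buflen < need)
		return -ENOSPC;
	/* Strict mode rejects a header shorter than struct ifaddrmsg and non-zero
	 * prefixlen/flags/scope fields, hence the exact size and the memset. */
	memset(buf, 0, need);
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
	nlh->nlmsg_type = RTM_GETADDR;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
	nlh->nlmsg_seq = seq;
	((struct ifaddrmsg *)NLMSG_DATA(nlh))->ifa_family = family;
	if (netnsid >= 0) {
		struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
		rta->rta_type = IFA_TARGET_NETNSID;
		rta->rta_len = RTA_LENGTH(sizeof(netnsid));
		memcpy(RTA_DATA(rta), &netnsid, sizeof(netnsid));
		nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);
	}
	return (int)nlh->nlmsg_len;
}

/* NETLINK_ROUTE socket with strict dump checking. Returns the fd or -errno
 * (ENOPROTOOPT on kernels before 4.20, which do not know the option). */
int nl_route_open_strict(void)
{
	int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE), on = 1, err;
	if (fd < 0)
		return -errno;
	if (setsockopt(fd, SOL_NETLINK, NETLINK_DUMP_STRICT_CHK, &on, sizeof(on)) < 0) {
		err = -errno;
		close(fd);
		return err;
	}
	return fd;
}

/* Count the RTM_NEWADDR records of one family in the netns given by netnsid (-1 for
 * our own). Returns the count or -errno; a request rejected by strict checking gives -EINVAL. */
int count_addresses(uint8_t family, int32_t netnsid)
{
	_Alignas(8) unsigned char reply[32768];
	struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
	int fd, len, rem, count = 0, err = 0;

	if ((fd = nl_route_open_strict()) < 0)
		return fd;
	len = build_getaddr_dump(scratch, sizeof(scratch), family, netnsid, 1);
	if (len < 0 || sendto(fd, scratch, (size_t)len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0)
		err = len < 0 ? len : -errno;
	while (!err) { /* multipart reply: read until NLMSG_DONE or an NLMSG_ERROR */
		ssize_t n = recv(fd, reply, sizeof(reply), 0);
		struct nlmsghdr *nlh = (struct nlmsghdr *)reply;
		if (n < 0) {
			err = errno == EINTR ? 0 : -errno;
			continue;
		}
		for (rem = (int)n; NLMSG_OK(nlh, rem); nlh = NLMSG_NEXT(nlh, rem)) {
			if (nlh->nlmsg_type == NLMSG_DONE)
				goto out;
			if (nlh->nlmsg_type == NLMSG_ERROR) {
				err = ((struct nlmsgerr *)NLMSG_DATA(nlh))->error; /* already negative */
				goto out;
			}
			count += nlh->nlmsg_type == RTM_NEWADDR;
		}
	}
out:
	close(fd);
	return err ? err : count;
}
```

count_addresses(AF_INET, -1) dumps the caller's own namespace; passing a netnsid the kernel has assigned to a peer namespace targets that namespace without any fork() or setns(). Under strict checking the kernel refuses a dump that still uses the legacy one-byte rtgenmsg header or leaves prefixlen, flags or scope set in the ifaddrmsg, answering with NLMSG_ERROR and -EINVAL; the zeroed, exact-size header built above is what keeps the request acceptable, and it is also what allows the IFA_TARGET_NETNSID attribute to be parsed at all.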

introduce lxc_has_api_extension() into the API

Going forward each new API addition will be given a unique name that can be passed to lxc_has_api_extension(). This is modeled after LXD's API extension checks. This allows API users to query the given LXC instanc