From: John Audia
Date: Sun, 21 Jun 2026 10:18:22 +0000 (-0400)
Subject: lxc: update to 7.0.0
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=e5b32b606d7581114ce294de0a0c0daf58fc331b;p=openwrt-packages.git

lxc: update to 7.0.0

Swtich to upstream recommended 7.0 LTS branch[1] which includes a fix for CVE-2026-39402.
Full changelog: https://github.com/lxc/lxc/releases/tag/v7.0.0

- Removed patches/021-remove-legacy-cgroup-support.patch due upstream deprecated CGroupV1 support.
- Modified files/lxc-auto.init to remove the boot() function which mounted legacy cgroup1 stuff as well. This PR will superceed https://github.com/openwrt/packages/pull/27757 as a result.
- Added a version check script for the CI.
- Fix another CI failure with -Dmemfd-rexec=false

Note this release adds the ability to introduce landlock-sandboxing the monitor process but that would depend on CONFIG_SECURITY_LANDLOCK in the kernel. This can be added in a future PR if there is interest.

1. https://discuss.linuxcontainers.org/t/lxc-7-0-lts-has-been-released/26612#p-90585-support-and-upgrade-8

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia
---

diff --git a/utils/lxc/Makefile b/utils/lxc/Makefile
index 592d1a184..cd31125f9 100644
--- a/utils/lxc/Makefile
+++ b/utils/lxc/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=lxc
-PKG_VERSION:=6.0.6
+PKG_VERSION:=7.0.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://linuxcontainers.org/downloads/lxc/
-PKG_HASH:=b0ba4537258d2b848fd07dedb1044dab132de3fb3f1976d240da40a7dee1b8cf
+PKG_HASH:=ba0c860626efbac6683f351dd718edb062065e919716d787b89e3d547c5d9493
 PKG_MAINTAINER:=Alexandru Ardelean
 PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause GPL-2.0
@@ -36,6 +36,7 @@ MESON_ARGS += \
 -Dseccomp=$(if $(CONFIG_LXC_SECCOMP),true,false) \
 -Dexamples=false \
 -Db_pie=true \
+ -Dmemfd-rexec=false \
 -Druntime-path=/var/run
 LXC_APPLETS_BIN += \
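Review bot: The `-Dmemfd-rexec=false` added in the second Makefile hunk turns off upstream's memfd re-exec of liblxc unconditionally for every target, and the only justification given is that it fixes a CI failure; if I recall correctly that re-exec is upstream's hardening against a container overwriting the host's lxc binary through /proc/self/exe (the CVE-2019-5736 class of escape), so this trades a mitigation for a green CI run without saying so anywhere in the tree. At minimum the option deserves a comment stating what is lost and why, e.g. `# memfd re-exec (host binary overwrite hardening) disabled only because it fails in CI - revisit` on the line above it. Better, make it a build knob mirroring the seccomp switch two lines up, e.g. `-Dmemfd-rexec=$(if $(CONFIG_LXC_MEMFD_REXEC),true,false) \`, so the default can stay hardened where memfd_create works and only the CI environment opts out. The MESON_ARGS block continues outside the hunk, so I cannot see whether another line already addresses this.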
diff --git a/utils/lxc/files/lxc-auto.init b/utils/lxc/files/lxc-auto.init
index bda36bd22..584a30b2a 100755
--- a/utils/lxc/files/lxc-auto.init
+++ b/utils/lxc/files/lxc-auto.init
@@ -88,12 +88,3 @@ stop() {
 fi
 }
-#Export systemd cgroups
-boot() {
- if [ ! -d /sys/fs/cgroup/systemd ]; then
- mkdir -p /sys/fs/cgroup/systemd
- mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,none,name=systemd cgroup /sys/fs/cgroup/systemd
- fi
-
- start
-}
diff --git a/utils/lxc/patches/021-remove-legacy-cgroup-support.patch b/utils/lxc/patches/021-remove-legacy-cgroup-support.patch
deleted file mode 100644
index 081b45faf..000000000
--- a/utils/lxc/patches/021-remove-legacy-cgroup-support.patch
+++ /dev/null
@@ -1,38 +0,0 @@
---- a/config/templates/common.conf.in
-+++ b/config/templates/common.conf.in
-@@ -15,35 +15,6 @@ lxc.cap.drop = mac_admin mac_override sy
- # Ensure hostname is changed on clone
- lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
--# Default legacy cgroup configuration
--#
--# CGroup allowlist
--lxc.cgroup.devices.deny = a
--## Allow any mknod (but not reading/writing the node)
--lxc.cgroup.devices.allow = c *:* m
--lxc.cgroup.devices.allow = b *:* m
--## Allow specific devices
--### /dev/null
--lxc.cgroup.devices.allow = c 1:3 rwm
--### /dev/zero
--lxc.cgroup.devices.allow = c 1:5 rwm
--### /dev/full
--lxc.cgroup.devices.allow = c 1:7 rwm
--### /dev/tty
--lxc.cgroup.devices.allow = c 5:0 rwm
--### /dev/console
--lxc.cgroup.devices.allow = c 5:1 rwm
--### /dev/ptmx
--lxc.cgroup.devices.allow = c 5:2 rwm
--### /dev/random
--lxc.cgroup.devices.allow = c 1:8 rwm
--### /dev/urandom
--lxc.cgroup.devices.allow = c 1:9 rwm
--### /dev/pts/*
--lxc.cgroup.devices.allow = c 136:* rwm
--### fuse
--lxc.cgroup.devices.allow = c 10:229 rwm
--
- # Default unified cgroup configuration
- #
- # CGroup allowlist
diff --git a/utils/lxc/patches/030-start-re-introduce-first-SET_DUMPABLE-call.patch b/utils/lxc/patches/030-start-re-introduce-first-SET_DUMPABLE-call.patch
index bbd47a87a..5a8e421f1 100644
--- a/utils/lxc/patches/030-start-re-introduce-first-SET_DUMPABLE-call.patch
+++ b/utils/lxc/patches/030-start-re-introduce-first-SET_DUMPABLE-call.patch
@@ -15,7 +15,7 @@ Signed-off-by: Stéphane Graber
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
-@@ -1127,6 +1127,11 @@ static int do_start(void *data)
+@@ -1319,6 +1319,11 @@ static int do_start(void *data)
  if (ret < 0)
  goto out_warn_father;
diff --git a/utils/lxc/test-version.sh b/utils/lxc/test-version.sh
new file mode 100755
index 000000000..0bc97259e
--- /dev/null
+++ b/utils/lxc/test-version.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# shellcheck shell=busybox
+#
+# Generic version-check override.
+#
+# The CI test framework (test_entrypoint.sh) runs this once per sub-package
+# with PKG_NAME / PKG_VERSION exported. Returning 0 means "version OK / not
+# applicable"; a non-zero exit fails the package.
+#
+# Most lxc-* tool binaries print only the bare version number (e.g. "7.0.0")
+# on --version via the shared tools/arguments.c parser, which we match below.
+# The exceptions, which expose no usable version string, are skipped:
+# lxc-config - custom arg parser, no --version (prints config items)
+# lxc-usernsexec - plain getopt ("m:hsu:g:"), no --version flag
+# lxc-checkconfig - shell script, prints no machine-readable version
+# lxc-monitord - libexec helper, no --version flag
+# lxc-user-nic - libexec helper, no --version flag
+#
+# Meta/library/script packages that ship no versioned executable are also
+# skipped; their functionality is covered by the build itself.
+
+case "$PKG_NAME" in
+lxc|\
+lxc-common|\
+lxc-hooks|\
+lxc-templates|\
+lxc-configs|\
+lxc-init|\
+lxc-auto|\
+lxc-unprivileged|\
+liblxc|\
+lxc-checkconfig|\
+lxc-config|\
+lxc-usernsexec|\
+lxc-monitord|\
+lxc-user-nic)
+ # No machine-readable version output; skip generic version check.
+ exit 0
+ ;;
+
+lxc-attach|\
+lxc-autostart|\
+lxc-cgroup|\
+lxc-copy|\
+lxc-console|\
+lxc-create|\
+lxc-destroy|\
+lxc-device|\
+lxc-execute|\
+lxc-freeze|\
+lxc-info|\
+lxc-monitor|\
+lxc-snapshot|\
+lxc-start|\
+lxc-stop|\
+lxc-unfreeze|\
+lxc-unshare|\
+lxc-wait|\
+lxc-top|\
+lxc-ls)
+ # These binaries print just the version number to stdout on --version.
+ "$PKG_NAME" --version | grep -F "$PKG_VERSION"
+ ;;
+
+*)
+ echo "test-version.sh: unhandled sub-package '$PKG_NAME'" >&2
+ exit 1
+ ;;
+esac
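Review bot: The version check in the lxc-* branch, `"$PKG_NAME" --version | grep -F "$PKG_VERSION"`, is a substring match, so a binary reporting `7.0.0-rc1`, `17.0.0` or a stale `7.0.0.1` would still pass the 7.0.0 check; the header comment itself says these tools print only the bare version, so anchor it to the whole line with `"$PKG_NAME" --version | grep -Fx "$PKG_VERSION"`. That branch also depends on the script's exit status being grep's because it is the last command before `esac`, which is right in busybox sh but fragile, so I would add `# exit status is grep's: non-zero if the expected version is not printed` above it so nobody later appends an `exit 0`. The fail-closed `*)` default is the right choice for a CI gate, and its comment should say that a sub-package newly added to the Makefile is meant to fail here until it is classified, so the next maintainer does not "fix" it by returning 0.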