From 0e26eef81850827e688efe189f9d31012f079dd7 Mon Sep 17 00:00:00 2001
From: Leonid Plyushch
Date: Sat, 13 Jul 2019 21:11:25 +0300
Subject: [PATCH] lxc: enable libseccomp usage + add helper script for setting up cgroups
---
 root-packages/libseccomp/build.sh | 7 ++
 root-packages/lxc/build.sh | 15 +++-
 root-packages/lxc/lxc-setup-cgroups.sh | 18 +++++
 .../lxc/src-lxc-cgroups-cgfsng.c.patch | 68 +++++++++++++++++++
 .../lxc/src-lxc-pam-pam_cgfs.c.patch | 50 ++++++++++++++
 5 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 root-packages/libseccomp/build.sh
 create mode 100644 root-packages/lxc/lxc-setup-cgroups.sh
 create mode 100644 root-packages/lxc/src-lxc-cgroups-cgfsng.c.patch
 create mode 100644 root-packages/lxc/src-lxc-pam-pam_cgfs.c.patch
diff --git a/root-packages/libseccomp/build.sh b/root-packages/libseccomp/build.sh
new file mode 100644
index 000000000..a929666a2
--- /dev/null
+++ b/root-packages/libseccomp/build.sh
@@ -0,0 +1,7 @@
+TERMUX_PKG_HOMEPAGE=https://github.com/seccomp/libseccomp
+TERMUX_PKG_DESCRIPTION="Enhanced seccomp library"
+TERMUX_PKG_LICENSE="LGPL-2.1"
+TERMUX_PKG_MAINTAINER="Leonid Plyushch @xeffyr"
+TERMUX_PKG_VERSION=2.4.1
+TERMUX_PKG_SRCURL=https://github.com/seccomp/libseccomp/releases/download/v${TERMUX_PKG_VERSION}/libseccomp-${TERMUX_PKG_VERSION}.tar.gz
+TERMUX_PKG_SHA256=1ca3735249af66a1b2f762fe6e710fcc294ad7185f1cc961e5bd83f9988006e8
diff --git a/root-packages/lxc/build.sh b/root-packages/lxc/build.sh
index 5e195da9c..97523a3d7 100644
--- a/root-packages/lxc/build.sh
+++ b/root-packages/lxc/build.sh
@@ -3,15 +3,28 @@
 TERMUX_PKG_DESCRIPTION="Linux Containers"
 TERMUX_PKG_LICENSE="LGPL-2.1"
 TERMUX_PKG_MAINTAINER="Leonid Plyushch "
 TERMUX_PKG_VERSION=3.1.0
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_SRCURL=https://linuxcontainers.org/downloads/lxc-$TERMUX_PKG_VERSION.tar.gz
 TERMUX_PKG_SHA256=4d8772c25baeaea2c37a954902b88c05d1454c91c887cb6a0997258cfac3fdc5
-TERMUX_PKG_DEPENDS="dirmngr, gnupg, libcap, rsync, wget"
+TERMUX_PKG_DEPENDS="dirmngr, gnupg, libcap, libseccomp, rsync, wget"
 TERMUX_PKG_EXTRA_CONFIGURE_ARGS="
 --with-distro=termux
 --with-runtime-path=$TERMUX_PREFIX/var/run
+--disable-apparmor
+--disable-selinux
+--enable-seccomp
+--enable-capabilities
+--disable-examples
 "
 termux_step_pre_configure() {
 export LIBS="-llog"
 }
+
+termux_step_post_make_install() {
+ # Simple helper script for mounting cgroups.
+ install -Dm755 "$TERMUX_PKG_BUILDER_DIR"/lxc-setup-cgroups.sh \
+ "$TERMUX_PREFIX"/bin/lxc-setup-cgroups
+ sed -i "s|@TERMUX_PREFIX@|$TERMUX_PREFIX|" "$TERMUX_PREFIX"/bin/lxc-setup-cgroups
+}
diff --git a/root-packages/lxc/lxc-setup-cgroups.sh b/root-packages/lxc/lxc-setup-cgroups.sh
new file mode 100644
index 000000000..7ca36571d
--- /dev/null
+++ b/root-packages/lxc/lxc-setup-cgroups.sh
@@ -0,0 +1,18 @@
+#!@TERMUX_PREFIX@/bin/sh
+set -e
+
+export PATH=$PATH:/system/xbin:/system/bin
+
+if ! mountpoint -q /sys/fs/cgroup; then
+ mount -t tmpfs -o mode=755,nodev,noexec,nosuid tmpfs /sys/fs/cgroup
+fi
+
+for cg in blkio cpu cpuacct cpuset devices freezer memory; do
+ if [ ! -d "/sys/fs/cgroup/${cg}" ]; then
+ mkdir -p "/sys/fs/cgroup/${cg}"
+ fi
+
+ if ! mountpoint -q "/sys/fs/cgroup/${cg}"; then
+ mount -t cgroup -o "${cg}" cgroup "/sys/fs/cgroup/${cg}" || true
+ fi
+done
diff --git a/root-packages/lxc/src-lxc-cgroups-cgfsng.c.patch b/root-packages/lxc/src-lxc-cgroups-cgfsng.c.patch
new file mode 100644
index 000000000..593b78f08
--- /dev/null
+++ b/root-packages/lxc/src-lxc-cgroups-cgfsng.c.patch
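Review bot: `sed -i "s|@TERMUX_PREFIX@|$TERMUX_PREFIX|"` in termux_step_post_make_install substitutes only the first match on each line and nothing checks that the placeholder was actually replaced, so an `@TERMUX_PREFIX@` added later to the helper script beyond the shebang would ship unexpanded and the installed script would then point at a path that does not exist. Using the global flag, `sed -i "s|@TERMUX_PREFIX@|$TERMUX_PREFIX|g" "$TERMUX_PREFIX"/bin/lxc-setup-cgroups`, and failing the build if the marker survives, `if grep -q '@TERMUX_PREFIX@' "$TERMUX_PREFIX"/bin/lxc-setup-cgroups; then exit 1; fi`, makes the substitution verifiable. The comment `# Simple helper script for mounting cgroups.` would say more as `# Install the helper that mounts the cgroup hierarchies under /sys/fs/cgroup; it needs root and is presumably meant to be run before containers are started.`, since the reader of build.sh otherwise has to open the script to learn what it requires.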
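Review bot: `mount -t cgroup -o "${cg}" cgroup "/sys/fs/cgroup/${cg}" || true` inside the for loop hides every mount failure, so a controller the kernel does not provide, or one that Android has already mounted at another path, silently leaves an empty directory under /sys/fs/cgroup and any later lxc failure presumably surfaces far from its cause; `|| echo "lxc-setup-cgroups: could not mount ${cg} cgroup" >&2` keeps the best-effort semantics while leaving a trace for the operator. The `[ ! -d "/sys/fs/cgroup/${cg}" ]` guard around `mkdir -p` is redundant, since `-p` already tolerates an existing directory. Because the script only works as root and appends /system/xbin and /system/bin after the Termux PATH entries, a short header comment stating both facts (root required; the Termux `mount`/`mountpoint` are deliberately preferred over the Android ones) would document the intended environment, and it is worth noting there that if `mountpoint` is missing, `! mountpoint -q` evaluates true and the mount is simply attempted again, which `set -e` does not catch inside an `if` condition.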
@@ -0,0 +1,68 @@
+diff -uNr lxc-3.1.0/src/lxc/cgroups/cgfsng.c lxc-3.1.0.mod/src/lxc/cgroups/cgfsng.c
+--- lxc-3.1.0/src/lxc/cgroups/cgfsng.c 2018-12-14 01:13:51.000000000 +0200
++++ lxc-3.1.0.mod/src/lxc/cgroups/cgfsng.c 2019-07-13 20:47:37.511164109 +0300
+@@ -395,7 +395,7 @@
+ }
+ oldv = *lastslash;
+ *lastslash = '\0';
+- fpath = must_make_path(path, "cpuset.cpus", NULL);
++ fpath = must_make_path(path, "cpus", NULL);
+ posscpus = read_file(fpath);
+ if (!posscpus) {
+ SYSERROR("Failed to read file \"%s\"", fpath);
+@@ -412,7 +412,7 @@
+ DEBUG("The path \""__ISOL_CPUS"\" to read isolated cpus from does not exist");
+ cpulist = posscpus;
+ /* No isolated cpus but we weren't already initialized by
+- * someone. We should simply copy the parents cpuset.cpus
++ * someone. We should simply copy the parents cpus
+ * values.
+ */
+ if (!am_initialized) {
+@@ -434,7 +434,7 @@
+ TRACE("No isolated cpus detected");
+ cpulist = posscpus;
+ /* No isolated cpus but we weren't already initialized by
+- * someone. We should simply copy the parents cpuset.cpus
++ * someone. We should simply copy the parents cpus
+ * values.
+ */
+ if (!am_initialized) {
+@@ -491,7 +491,7 @@
+ copy_parent:
+ *lastslash = oldv;
+ free(fpath);
+- fpath = must_make_path(path, "cpuset.cpus", NULL);
++ fpath = must_make_path(path, "cpus", NULL);
+ ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false, 0666);
+ if (ret < 0) {
+ SYSERROR("Failed to write cpu list to \"%s\"", fpath);
+@@ -606,7 +606,7 @@
+ return false;
+ }
+
+- /* Make sure any isolated cpus are removed from cpuset.cpus. */
++ /* Make sure any isolated cpus are removed from cpus. */
+ if (!cg_legacy_filter_and_set_cpus(cgpath, v == '1')) {
+ SYSERROR("Failed to remove isolated cpus");
+ free(clonechildrenpath);
+@@ -623,8 +623,8 @@
+ }
+
+ /* copy parent's settings */
+- if (!copy_parent_file(cgpath, "cpuset.mems")) {
+- SYSERROR("Failed to copy \"cpuset.mems\" settings");
++ if (!copy_parent_file(cgpath, "mems")) {
++ SYSERROR("Failed to copy \"mems\" settings");
+ free(cgpath);
+ free(clonechildrenpath);
+ return false;
+@@ -742,7 +742,7 @@
+ * verify /sys/fs/cgroup/ in this field.
+ */
+ if (strncmp(p, "/sys/fs/cgroup/", 15) != 0) {
+- ERROR("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p);
++ WARN("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p);
+ return NULL;
+ }
+
diff --git a/root-packages/lxc/src-lxc-pam-pam_cgfs.c.patch b/root-packages/lxc/src-lxc-pam-pam_cgfs.c.patch
new file mode 100644
index 000000000..bed65353f
--- /dev/null
+++ b/root-packages/lxc/src-lxc-pam-pam_cgfs.c.patch
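Review bot: Replacing `cpuset.cpus`/`cpuset.mems` with bare `cpus`/`mems` in the must_make_path() and copy_parent_file() calls presumes the cpuset hierarchy is mounted with the `noprefix` option (as Android's own cpuset mount typically is), yet lxc-setup-cgroups.sh in this same commit mounts it with plain `mount -t cgroup -o cpuset`, which exposes the prefixed names, so the renamed paths exist only if lxc happens to land on the Android mount rather than the helper's; the identical substitutions in src-lxc-pam-pam_cgfs.c.patch have the same problem. Probing for `cpuset.cpus` and falling back to `cpus` (a small static helper that tries both names with access() before calling must_make_path) would work on either layout, or, if the Android mount is the intended one, adding `noprefix` to the helper's cpuset mount options and stating that assumption in a comment at the top of the patch file would at least make the two consistent. Downgrading ERROR to WARN for the 'Found hierarchy not under /sys/fs/cgroup' message keeps the `return NULL`, which is fine, but the reason for tolerating such hierarchies here should be recorded in a comment above the WARN rather than left implicit. The enclosing C functions of every inner hunk start and end outside the quoted context.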
@@ -0,0 +1,50 @@
+diff -uNr lxc-3.1.0/src/lxc/pam/pam_cgfs.c lxc-3.1.0.mod/src/lxc/pam/pam_cgfs.c
+--- lxc-3.1.0/src/lxc/pam/pam_cgfs.c 2018-12-14 01:13:51.000000000 +0200
++++ lxc-3.1.0.mod/src/lxc/pam/pam_cgfs.c 2019-07-13 20:47:50.341249255 +0300
+@@ -1749,7 +1749,7 @@
+ oldv = *lastslash;
+ *lastslash = '\0';
+
+- fpath = must_make_path(path, "cpuset.cpus", NULL);
++ fpath = must_make_path(path, "cpus", NULL);
+ posscpus = read_file(fpath);
+ if (!posscpus) {
+ pam_cgfs_debug("Could not read file: %s\n", fpath);
+@@ -1767,7 +1767,7 @@
+ cpulist = posscpus;
+
+ /* No isolated cpus but we weren't already initialized by
+- * someone. We should simply copy the parents cpuset.cpus
++ * someone. We should simply copy the parents cpus
+ * values.
+ */
+ if (!am_initialized) {
+@@ -1792,7 +1792,7 @@
+ cpulist = posscpus;
+
+ /* No isolated cpus but we weren't already initialized by
+- * someone. We should simply copy the parents cpuset.cpus
++ * someone. We should simply copy the parents cpus
+ * values.
+ */
+ if (!am_initialized) {
+@@ -1851,7 +1851,7 @@
+
+ free(fpath);
+
+- fpath = must_make_path(path, "cpuset.cpus", NULL);
++ fpath = must_make_path(path, "cpus", NULL);
+ ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false, 0660);
+ if (ret < 0) {
+ pam_cgfs_debug("Could not write cpu list to: %s\n", fpath);
+@@ -2020,8 +2020,8 @@
+ }
+
+ /* copy parent's settings */
+- if (!cg_copy_parent_file(cgpath, "cpuset.mems")) {
+- pam_cgfs_debug("%s", "Failed to copy \"cpuset.mems\" settings\n");
++ if (!cg_copy_parent_file(cgpath, "mems")) {
++ pam_cgfs_debug("%s", "Failed to copy \"mems\" settings\n");
+ free(cgpath);
+ free(clonechildrenpath);
+ return false;