SRU of LXC 2.0.11

Bug #1816642 reported by Stéphane Graber on 2019-02-19
Affects                              Importance  Assigned to
golang-gopkg-lxc-go-lxc.v2 (Ubuntu)  Undecided   Unassigned
  Trusty                             Undecided   Stéphane Graber
  Xenial                             Undecided   Stéphane Graber
lxc (Ubuntu)                         Undecided   Unassigned
  Trusty                             Medium      Stéphane Graber
  Xenial                             Medium      Stéphane Graber

Bug Description

LXC upstream has released a new bugfix release for the LXC 2.0 LTS branch.
This is version 2.0.10. Ubuntu never received 2.0.9 as an SRU, so the changelog for both of them can be found below:

LXC 2.0.11:
 - autotools: handle getgrgid_r on bionic
 - autotools: add memory_utils.h to Makefile.am
 - change version to 2.0.11 in configure.ac

LXC 2.0.10:
 - tools: allow lxc-attach to undefined containers
 - utils: move memfd_create() definition
 - utils: add lxc_cloexec()
 - utils: add lxc_make_tmpfile()
 - utils: add lxc_getpagesize()
 - utils: add lxc_safe_long_long()
 - utils: parse_byte_size_string()
 - utils: add lxc_find_next_power2()
 - namespace: use lxc_getpagesize()
 - lxc-debian: allow creating `testing` and `unstable`
 - Call lxc_config_define_load from lxc_execute again
 - Fix typo in lxc-net script
 - Add missing lxc_container_put
 - lxc-debian: don't write C.* locales to /etc/locale.gen
 - attach: correctly handle namespace inheritance
 - cgfsng: fix cgroup2 detection
 - cgroups: enable container without CAP_SYS_ADMIN
 - lxc-start: remove unnecessary checks
 - start: close non-needed file descriptors
 - handler: make name argument const
 - start: close data socket in parent
 - monitor: do not log useless warnings
 - network: reap child in all cases
 - conf: reap child in all cases
 - storage: switch to ext4 as default filesystem
 - tools: fix help output of lxc-create
 - attach: handle namespace inheritance
 - cgroups/cgfsng: keep mountpoint intact
 - cgroups/cgfsng: cgfsns_chown() -> cgfsng_chown()
 - cgroups/cgfsng: support MS_READONLY with cgroup ns
 - log: check for i/o error with vsnprintf()
 - cgroupfs/cgfsng: tweak logging
 - cgroups/cgfsng: remove is_lxcfs()
 - cgroups/cgfsng: fix get_controllers() for cgroup2
 - cgroupfs/cgfsng: improve cgroup2 handling
 - config: remove SIGRTMIN+14 as lxc.signal.stop
 - commands: non-functional changes
 - console: non-functional changes
 - console: non-functional changes
 - lxc-test-unpriv: fix the overlayfs mount error
 - attach: allow attach with empty conf
 - tools/lxc_attach: removed api logging
 - console: fix console info message
 - Add missing dependency libunistring
 - cgroups/cgfsng: adapt to new cgroup2 delegation
 - console: report detach message on demand
 - lxccontainer: enable daemonized app containers
 - console: use correct escape sequence check
 - console: prepare for generic signal handler
 - console: exit mainloop on SIGTERM
 - commands: non-functional changes
 - lxccontainer: non-functional changes
 - commands: fix state socket implementation
 - lxc_init: set the control terminal in the child session
 - lxc-test-unpriv: check user existence before removing it
 - Fixed typo on lxc.spec.in
 - conf: move CAP_SYS_* definitions to utils.h
 - start.c: always switch uid and gid
 - Use AX_PTHREAD config script to detect pthread api
 - utils.h: Avoid duplicated sethostname implementation
 - tools/lxc_cgroup: remove internal logging
 - tools/lxc_autostart: remove internal logging
 - tools/lxc_clone: remove internal logging
 - tools/lxc_console: remove internal logging
 - tools/lxc_create: remove internal logging
 - tools/lxc_destroy: remove internal logging
 - tools/lxc_device: remove internal logging
 - tools/lxc_execute: removed internal logging
 - tools/lxc_freeze: remove internal logging
 - tools/lxc_info: removed internal logging
 - criu: detect veth name
 - lxccontainer: various container creation fixes
 - storage: remove unused declaration
 - tools/lxc_ls: remove internal logging
 - tools/lxc_copy: remove internal logging
 - tools/lxc_monitor: removed internal logging
 - tools/lxc_snapshot: removed internal logging
 - tools/lxc_start: removed internal logging
 - tools/lxc_stop: removed internal logging
 - tools/lxc_top: removed internal logging
 - tools/lxc_unfreeze: removed internal logging
 - tools/lxc_unshare: removed internal logging
 - tools/lxc_usernsexec: removed internal logging
 - tools/lxc_wait: removed internal logging
 - confile: fix memory leak
 - utils: declare sethostname() static inline
 - lxc_unshare: Add uid_mapping when creating userns
 - Update gentoo.moresecure.conf.
 - Add new dependency to Slackware template
 - Add bash completion to list backing store types for lxc-create -B - Backing Store types are hard-coded (Not sure how to get programmatically) - Closes #1236
 - Fix SETCOLOR_FAILURE evaluation
 - Insert missing "echo" after "is_enabled"
 - conf: prevent null pointer dereference
 - criu: initialize status
 - confile: remove dead assignment
 - criu: silence static analysis
 - attach: do not fail on non-existing namespaces
 - test: reenable Coverity integration
 - lxc_execute: properly figure out number of needed arguments
 - arguments: move to tools/ subdirectory
 - start: set loglevel correctly
 - commands: don't traverse whole list
 - commands: don't lock atomic operations
 - commands: don't lock the whole command
 - start: don't lock setting the state
 - commands: allow waiting for all states
 - test: add state server tests
 - commands: tweak locking
 - lxccontainer: restore non-blocking shutdown
 - commands: tell mainloop to reap client fd on error
 - commands: return -ECONNRESET to caller
 - execute: pass logfile to lxc-init
 - lxccontainer: handle execute containers correctly
 - lxc_init: move up to src/lxc
 - init: rework dumb init
 - lxc_init: add custom argument parser
 - tests: expand tests for shortlived init processes
 - coverity: #1425734
 - coverity: #1425735
 - coverity: #1425739
 - coverity: #1425929
 - coverity: #1425923
 - coverity: #1425922
 - coverity: #1425921
 - coverity: #1425895
 - coverity: #1425890
 - coverity: #1425889
 - coverity: #1425888
 - lxc: Distinguish pthread_mutex_unlock error messages
 - travis: Fix build failure
 - coverity: #1425893
 - coverity: #1425886
 - coverity: #1428855
 - coverity: #1425884
 - coverity: #1425883
 - coverity: #1425879
 - tools: block using lxc-execute without config file
 - conf: avoid spawning unnecessary subshells
 - coverity: #1425874 + cleanup
 - lxccontainer: only attach netns on netdev detach
 - lxccontainer: cleanup {attach,detach}_interface()
 - coverity: #1425870
 - coverity: #1425869
 - coverity: #1425867
 - coverity: #1425866
 - coverity: #1425863
 - coverity: #1425862
 - coverity: #1425860
 - coverity: #1425859
 - coverity: #1425858
 - coverity: #1425857
 - start: do not unconditionally dup std{in,out,err}
 - tools: exit success when lxc-execute is daemonized
 - start: fix cgroup namespace preservation
 - init: don't kill(-1) if we aren't in a pid ns
 - SHARE_NS options should be before OPT_USAGE
 - commands: fix race when open()/close() cmd socket
 - namespace: add lxc_raw_clone()
 - utils: use lxc_raw_clone() in run_command()
 - lxc_init: fix cgroup parsing
 - tests: s/lxc.init.cmd/lxc.init_cmd/g
 - commands_utils: add missing mutex
 - [monitor] wrong statement of break
 - cgfsng: Add new macro to print errors
 - attach: simplify significantly
 - attach: use lxc_raw_clone()
 - attach: handle /proc with hidepid={1,2} property
 - tests: expand lxc_raw_clone() tests
 - namespace: add lxc_raw_getpid()
 - tree-wide: s/getpid()/lxc_raw_getpid()/g
 - namespace: comment lxc_{raw_}clone()
 - namespace: add lxc_raw_clone_cb()
 - start: use lxc_raw_clone_cb() where possible
 - start: log closing cmd socket and STOPPED state
 - start: make us dumpable
 - start: simplify cgroup namespace preservation
 - start: fix death signal
 - start: handle setting death signal smarter
 - mainloop: add mainloop macros
 - mainloop: capture output of short-lived init procs
 - lxc_config: Add -h and --help flags handler
 - start: properly cleanup mainloop
 - console: do not allow non-pty devices on open()
 - mainloop: use epoll_create1(EPOLL_CLOEXEC)
 - conf: adapt idmap helpers
 - conf: adapt userns_exec_1()
 - conf{ile}: detect ns{g,u}id mapping for root
 - cgfsng: use init {g,u}id
 - conf: detect if devpts can be mounted with gid=5
 - gentoo: Add support for .xz tarballs
 - configure.ac: fix the check for static libcap
 - conf: write "deny" to /proc/[pid]/setgroups
 - conf: non-functional changes
 - conf: rework userns_exec_1()
 - cgfsng: only establish mapping once
 - Fix broken indentation
 - Include -devel suffix in version string
 - Add return check for 'lxc_cmd_get_name'
 - fix up lxc-usernsexec's exit status
 - add some idmap parsing error messages
 - confile: improve log messages
 - console: move pty creation to separate function
 - start: non-functional changes
 - console: add some pty helpers
 - attach: cleanup attach_child_main()
 - console: adapt lxc_console_mainloop_add()
 - console: add lxc_pty_map_ids()
 - attach: minor tweaks
 - tools: honor --console and --console-log
 - start: non-functional changes
 - console: set SFD_CLOEXEC on signal fd
 - lxc-alpine: allow retaining sys_ptrace per container
 - utils: do not rely on unitialized variable
 - test: log error on failure
 - utils: check suffix length
 - lxccontainer: restore blocking wait()
 - freezer: non-functional changes
 - commands: add LXC_CMD_SERVE_STATE_CLIENTS
 - start: don't log stop/continue for non-init processes
 - fix lxc_error_set_and_log to match the docs
 - lxc.init: correctly exit with the app's error code
 - remember the exit code from the init process
 - start: don't return false when the container's init exits nonzero
 - lxc-execute: actually exit with the status of the spawned task
 - set exit status to 1 in the unknown si_code case
 - console: cleanup
 - test: fix console tests
 - attach_options: reduce delta
 - attach: reduce delta
 - cgroups: reduce delta
 - bla
 - Revert commit "bla" with bad commit message
 - cgfsng: reduce delta
 - tools: fix android
 - Create console when the rootfs is NULL
 - unlink lxc-init
 - coverity: #1427668
 - coverity: #1427639
 - coverity: #1427638
 - coverity: #1427191
 - coverity: #1427190
 - coverity: #1426734
 - coverity: #1426694
 - start: fix mainloop cleanup goto statements
 - Modify .gitignore
 - Fix comments and add check in lxc_poll.
 - lsm: non-functional changes
 - lsm: add lsm_process_label_fd_get()
 - lsm: add lsm_process_label_set_at()
 - apparmor: do not call aa_change_profile()
 - autotools: do not link against libapparmor
 - network.c: Remove ip_forward_set and callers
 - [cgfsng] show wrong errno
 - better check for lock dir
 - better unprivileged detection
 - debian: Use iproute2 instead of iproute
 - tools: make "-n" optional
 - lsm: do not #ifdefine
 - debian: We must use iproute on wheezy
 - lxc-init: use SIGKILL after alarm timeout
 - monitor: send SIGTERM to the container when SIGHUP is received
 - lxc.init: ignore SIGHUP
 - cgroups: get controllers on the unified hierarchy
 - cgroups: cgfsng_create: handle unified hierarchy
 - cgroups: cgfsng_attach: handle unified hierarchy
 - cgroups: cgfsng_get: handle unified hierarchy
 - cgroups: cgfsng_set: handle unified hierarchy
 - cgroups: handle limits on the unified hierarchy
 - cgroups: more consistent naming
 - attach: set the container's environment variables
 - attach: non-functional changes
 - cgfsng: do MS_REMOUNT
 - cgfsng: non-functional changes
 - templates: CentOS fixes
 - cgroups: add check for lxc.cgroup.use
 - selinux: simplify check for default label
 - lsm: fix missing @ in function documentation
 - cgfsng: add required remount flags
 - define am_guest_unpriv
 - Restore most cases of am_guest_unpriv
 - coverity: #1429139
 - coverity: #1426734
 - coverity: #1425971
 - fix userns helper error handling
 - console: they are really not necessary
 - Modify .gitignore
 - Fix lxc-console hang
 - conf: support mount propagation
 - lxclock: remove pthread_atfork_handlers
 - cgfsng: simplifications and fixes
 - CONTRIBUTING: update
 - CODING_STYLE: add CODING_STYLE.md
 - cgroups: use correct mask for chmod()
 - CODING_STYLE: add section for str{n}cmp()
 - tests: remove lxc-test-ubuntu
 - utils: fix lxc_p{close,open}()
 - start: don't call close on invalid file descriptor
 - console: ensure that fd is marked EBADF
 - README: add coverity
 - confile: add "force" to cgroup:{mixed,ro,rw}
 - cgfsng: order includes
 - cgfsng: fully document struct hierarchy
 - cgfsng: fully document struct cgfsng_handler_data
 - cgfsng: fully document remaining variables
 - cgfsng: free_string_list()
 - cgfsng: cg_legacy_must_prefix_named()
 - cgfsng: move cg_legacy_must_prefix_named()
 - cgfsng: add me to authors
 - cgfsng: append_null_to_list()
 - cgfsng: string_in_list()
 - cgfsng: must_append_controller()
 - cgfsng: get_hierarchy()
 - cgfsng: lxc_cpumask()
 - cgfsng: lxc_cpumask_to_cpulist()
 - cgfsng: get_max_cpus()
 - cgfsng: cg_legacy_filter_and_set_cpus()
 - cgfsng: copy_parent_file()
 - cgfsng: cg_legacy_handle_cpuset_hierarchy()
 - cgfsng: controller_lists_intersect()
 - cgfsng: controller_list_is_dup()
 - cgfsng: controller_found()
 - cgfsng: all_controllers_found()
 - cgfsng: cg_hybrid_get_controllers()
 - cgfsng: cg_hybrid_get_mountpoint()
 - cgfsng: copy_to_eol()
 - cgfsng: controller_in_clist()
 - cgfsng: cg_hybrid_get_current_cgroup()
 - cgfsng: must_append_string()
 - cgfsng: trim()
 - cgfsng: lxc_cgfsng_print_hierarchies()
 - cgfsng: lxc_cgfsng_print_basecg_debuginfo()
 - cgfsng: cg_hybrid_init()
 - cgfsng: cg_is_pure_unified()
 - cgfsng: cg_unified_get_current_cgroup()
 - cgfsng: cgfsng_init()
 - cgfsng: recursive_destroy()
 - cgfsng: cg_unified_create_cgroup()
 - cgfsng: create_path_for_hierarchy()
 - cgfsng: remove_path_for_hierarchy()
 - cgfsng: cgfsng_create()
 - cgfsng: cgfsng_enter()
 - cgfsng: cgfsng_chown()
 - cgfsng: mount_cgroup_full()
 - cgfsng: cgfsng_mount()
 - cgfsng: recursive_count_nrtasks()
 - cgfsng: recursive_count_nrtasks()
 - cgfsng: cgfsng_escape()
 - cgfsng: build_full_cgpath_from_monitorpath()
 - cgfsng: __cg_unified_attach()
 - cgfsng: cgfsng_attach()
 - cgfsng: cgfsng_get()
 - cgfsng: cgfsng_set()
 - cgfsng: convert_devpath()
 - cgfsng: cg_legacy_set_data()
 - cgfsng: __cg_legacy_setup_limits()
 - lxccontainer: use wait_for_pid()
 - start: remove duplicate lxc_monitor_send_state()
 - tree-wide: remove locking around openpty()
 - {commands,start}: remove element from list first
 - start: use correct prefix for includes
 - start: print_top_failing_dir()
 - start: close_ns()
 - start: preserve_ns()
 - start: lxc_check_inherited()
 - start: signal_handler()
 - start: lxc_poll()
 - start: lxc_init_handler()
 - start: lxc_init()
 - start: lxc_abort()
 - start: start()
 - start: post_start()
 - start: lxc_destroy_container_on_signal()
 - start: do_destroy_container()
 - cgfsng: enable "force" for "cgroup-full"
 - confile: backport parts of network parsing
 - utils: add LXC_PROC_PID_FD_LEN
 - CVE 2018-6556: verify netns fd in lxc-user-nic
 - utils: include linux/types.h
 - cgfsng: fix off-by-one error
 - lxccontainer: do_lxcapi_start()
 - lxccontainer: do_lxcapi_create()
 - lxccontainer: do_lxcapi_get_interfaces()
 - lxccontainer: do_lxcapi_get_ips()
 - lxccontainer: do_lxcapi_clone()
 - lxccontainer: do_add_remove_node()
 - lxccontainer: do_lxcapi_detach_interface()
 - lxclock: {un}lock_mutex()
 - utils: lxc_popen()
 - utils: run_command()
 - network: lxc_create_network_unpriv_exec()
 - network: lxc_delete_network_unpriv_exec()
 - lxccontainer: config_file_exists()
 - lxccontainer: ongoing_create()
 - lxccontainer: create_partial()
 - lxccontainer: create_partial()
 - lxccontainer: lxc_container_free()
 - lxccontainer: lxc_container_{get,put}()
 - lxccontainer: do_lxcapi_is_defined()
 - lxccontainer: do_lxcapi_state()
 - lxccontainer: is_stopped()
 - lxccontainer: do_lxcapi_is_running()
 - lxccontainer: do_lxcapi_freeze()
 - lxccontainer: do_lxcapi_unfreeze()
 - lxccontainer: do_lxcapi_console_getfd()
 - lxccontainer: lxcapi_console()
 - lxccontainer: load_config_locked()
 - lxccontainer: do_lxcapi_load_config()
 - lxccontainer: do_lxcapi_want_daemonize()
 - lxccontainer: do_lxcapi_want_close_all_fds()
 - lxccontainer: do_lxcapi_wait()
 - lxccontainer: am_single_threaded()
 - lxccontainer: push_arg()
 - lxccontainer: split_init_cmd()
 - lxccontainer: free_init_cmd()
 - lxccontainer: lxcapi_start()
 - lxccontainer: lxcapi_startl()
 - lxccontainer: do_create_container_dir()
 - lxccontainer: create_container_dir()
 - criu: criu_version_ok()
 - criu: do_restore()
 - criu: du_dump()
 - cgfsng: fix get_hierarchy() for unified hierarchy
 - fix download template for /tmp as tmpfs or noexec
 - CODING_STYLE: add section about _exit()
 - commands: remove mutex from state client list
 - lxc-snapshot: fix segfault
 - lxc_init: don't mount filesystems
 - cgfsng: non-functional changes
 - mainloop: add LXC_MAINLOOP_ERROR
 - config: start with a full capability set
 - CODING_STYLE: remove duplicate _exit() entry
 - CODING_STYLE: clang-format
 - CODING_STYLE: arrays of structs
 - CODING_STYLE: add languages to highlight
 - Add a workaround for a build issue with old versions of libcap
 - usernsexec: init log fd
 - cgroups: don't escape if we're not real root
 - Revert "cgroups: don't escape if we're not real root"
 - conf: fix clang warning when building w/o libcap
 - fix handler use-after-free
 - Rename ifup/down and remove usless parameter passing
 - conf: simplify lxc_fill_autodev()
 - start: always make us dumpable
 - lxclock: use thread-safe *_OFD_* fcntl() locks
 - locktests: fix test suite
 - fix signal sending in lxc.init
 - lxc init: remove dead code
 - lxc init: coding style
 - utils: define __NR_setns if missing on old glibcs
 - conf: ret-try devpts mount without gid=5 on error
 - do_lxcapi_create: set umask
 - Fix the memory leak in cgfsng_attach
 - Fix memory leak in list_active_containers
 - coverity: #1435208
 - coverity: #1435207
 - coverity: #1435205
 - coverity: #1435198
 - lxccontainer: use thread-safe *_OFD_* locks
 - lxccontainer: non-functional changes
 - lxccontainer: do_lxcapi_is_running()
 - lxccontainer: do_lxcapi_freeze()
 - lxccontainer: do_lxcapi_unfreeze()
 - lxccontainer: non-functional changes
 - lxccontainer: non-functional changes
 - lxccontainer: non-functional changes
 - coverity: #1435263
 - fix logic for execute log file
 - execute: use static buffer
 - execute: do not check inherited fds again
 - lxc-unshare: add missing declaration
 - execute: account for -o path option count
 - genl: remove
 - coverity: #1425744
 - utils: account for terminating \0 byte
 - network: silence gcc-8
 - network: adhere to IFNAMSIZ limit
 - autodev: adapt to changes in Linux 4.18
 - strlcpy: add strlcpy() implementation
 - tree-wide: s/strncpy()/strlcpy()/g
 - CODING_STYLE: add section about using strlcpy()
 - tools: s/strncpy()/strlcpy()/g
 - Revert "tools: s/strncpy()/strlcpy()/g"
 - coverity: #1435604
 - coverity: #1435603
 - coverity: #1425836
 - coverity: #1248106
 - coverity: #1425844
 - config: allow read-write /sys in user namespace
 - capabilities: raise ambient capabilities
 - coverity: #1425802
 - lxc-init: skip signals that can't be caught
 - tree-wide: s/sigprocmask/pthread_sigmask()/g
 - utils: fix task_blocking_signal()
 - lxccontainer: fix fd leaks when sending signals
 - confile: order architectures
 - tools: fix lxc-create with global config value
 - tools: fix lxc-create with global config value II
 - coverity: #1435805
 - coverity: #1435803
 - utils: fix task_blocking_signal()
 - network: fix socket handle leak
 - conf: va_end was not called.
 - confile: improve strprint()
 - start: fix waitpid() blocking issue
 - start: log unknown info.si_code
 - tree-wide: handle EINTR in some read()/write()
 - conf: copy mountinfo for remount_all_slave()
 - support tls in cross-compile
 - Fix typo
 - coverity: #1425777
 - coverity: #1425779
 - coverity: #1425794
 - coverity: #1425795
 - coverity: #1425841
 - coverity: #1425849
 - coverity: #1425836
 - conf: only use newuidmap and newgidmap when necessary
 - arguments: improve some operations
 - coverity: #1425781
 - tools: restore lxc-create log behavior
 - fix getpwnam() thread safe issue
 - attach: fix double free
 - coverity: #1436916
 - fix getpwuid() thread safe issue
 - fix getgrgid() thread safe issue
 - coverity: #1437017
 - coverity: #1425778
 - coverity: #1425760
 - coverity: #1425766
 - coverity: #1425767
 - coverity: #1425768
 - storage: Resource leak
 - include: add getgrgid_r()
 - coverity: #1425770
 - coverity: #1425771
 - coverity: #1425789
 - coverity: #1425792
 - coverity: #1425793
 - coverity: #1425799
 - coverity: #1425810
 - coverity: #1425813
 - coverity: #1425818
 - coverity: #1425819
 - coverity: #1425824
 - coverity: #1425825
 - coverity: #1425837
 - coverity: #1425840
 - coverity: #1425846
 - coverity: #1425789
 - coverity: #1425855
 - coverity: #1437027
 - secure coding: strcpy => strlcpy
 - secure coding: network: strcpy => strlcpy
 - btrfs: fix btrfs_snapshot()
 - include: add strlcat() implementation
 - btrfs: fix get_btrfs_subvol_path()
 - secure coding: #2 strcpy => strlcpy
 - fix fd handle leak
 - fix pointer c is dereferenced after checking null
 - commands: simplify lxc_cmd()
 - monitor: change exit() => _exit() system call in child process
 - move some comments in lxc.spec.in
 - log: add lxc_log_strerror_r macro
 - log: account for Android's Bionic's strerror_r()
 - CODING_STYLE: add section about using strlcat()
 - coverity: #1425816
 - start: don't unconditionally open("/dev/null")
 - log: thread-safety backports
 - attach: simplify lxc_attach_getpwshell()
 - coverity: #1437936
 - coverity: #1437935
 - lxclock: change error log using strerror to SYSERROR
 - conf: the atime flags are locked in userns
 - coverity: #1438067
 - change log macro of error case from lxc_ambient_caps_up/down
 - nl: avoid NULL pointer dereference
 - conf: s/pipe()/pipe2()/g
 - conf: always close pipe in run_userns_fn()
 - criu: s/pipe()/pipe2()/
 - lxccontainer: cleanup do_lxcapi_get_interfaces()
 - lxccontainer: s/pipe()/pipe2()/g
 - cmd: s/pipe()/pipe2()/g
 - cmd: s/write()/lxc_write_nointr()/g
 - cmd: s/read()/lxc_read_nointr()/g
 - criu: s/read()/lxc_read_nointr()/g
 - criu: s/write()/lxc_write_nointr()/g
 - lxccontainer: s/write()/lxc_write_nointr()/g
 - lxccontainer: s/read()/lxc_read_nointr()/g
 - network: s/read()/lxc_read_nointr()/g
 - network: s/write()/lxc_write_nointr()/g
 - sync: s/read()/lxc_read_nointr()/g
 - sync: s/write()/lxc_write_nointr()/g
 - log: handle EINTR in read()
 - caps: handle EINTR in read()
 - coverity: #438136
 - READEM: update Serge's mail address
 - MAINTAINERS: add Wolfgang Bumiller
 - CONTRIBUTING: Update reference to kernel coding style
 - CONTRIBUTING: Link to latest online kernel docs
 - CONTRIBUTING: Direct readers to CODING_STYLE.md
 - CODING_STYLE: Mention kernel style in introduction
 - CONTRIBUTING: Add 'be' to fix grammar
 - CODING_STLYE: Simplify explanation for use of 'extern'
 - CODING_STLYE: Remove sections implied by 'kernel style'
 - CODING_STYLE: Fix non-uniform heading level
 - CODING_STYLE: Update section header format
 - autotools: add --{disable,enable}-thread-safety
 - attach: don't shutdown ipc socket in child
 - attach: report standard shell exit codes
 - storage: src cannot be truncated
 - commands: backport robust infrastructure
 - Fixing compile error when compiling for android
 - Fixing hooks functionality Android where 'sh' is placed under /system/bin
 - caps: check uid and euid
 - CVE-2019-5736 (runC): rexec callers as memfd
 - rexec: don't include non-existing header
 - utils: add missing sealing flags
 - include: add fexecve() for Android's Bionic
 - fexecve: remove unnecessary #ifdef
 - fexecve: use correct name
 - rexec: handle legacy kernels
 - cve-2019-5736: add test for rexec
 - change version to 2.0.10 in configure.ac

LXC 2.0.9:
 - utils: fix num parsing functions
 - tests: lxc_safe_{u}int() add corner-case tests
 - lxc-attach: allow for situations without /dev/tty
 - start: don't call lxc_map_ids() without id map
 - conf: fix build without libcap
 - monitor: delete unneccessory include file
 - seccomp: s/n-new-privs/no-new-privs/g
 - seccomp: update comment for function `parse_config`
 - seccomp: print action name in log
 - conf{,ile}: allow to clear all config items
 - start: pin rootfs when privileged
 - cgfsng: log when we defer to cgfsng
 - Add cronie to the pkg list
 - utils: fix ppc64le builds
 - utils: fix lxc_mount_proc_if_needed()
 - Fix the bug of 'ts->stdoutfd' did not fill with parameters 'stdoutfd'
 - DO NOT add the handles of adjust winsize when the 'stdin' is not a tty
 - conf: non-functional changes
 - doc: Add console behavior to Japanese lxc.container.conf(5)
 - repo: add new README
 - README: reword id mapping restrictions when unpriv
 - confile: add config_value_empty()
 - confile: config_string_item()
 - confile: config_network()
 - confile: config_network_type()
 - confile: config_network_hwaddr()
 - confile: config_network_ipv4()
 - confile: config_network_ipv4_gateway()
 - confile: config_network_ipv6()
 - confile: config_network_ipv6_gateway()
 - confile: config_hook()
 - confile: config_group()
 - confile: config_environment()
 - confile: config_loglevel()
 - confile: config_cgroup()
 - confile: config_idmap()
 - confile: config_fstab()
 - confile: config_mount_auto()
 - confile: config_mount()
 - confile: config_cap_keep()
 - confile: config_cap_drop()
 - confile: config_init_uid()
 - confile: config_init_gid()
 - confile: config_personality()
 - confile: config_start()
 - confile: config_monitor()
 - confile: config_tty()
 - confile: config_ttydir()
 - confile: config_lsm_aa_incomplete()
 - confile: config_autodev()
 - confile: sig_num()
 - confile: config_haltsignal()
 - confile: config_haltsignal()
 - confile: config_rebootsignal()
 - confile: config_stopsignal()
 - confile: config_includefile()
 - confile: config_rootfs_backend()
 - confile: config_utsname()
 - confile: config_ephemeral()
 - conf: clear lxc.include
 - conf: non-functional changes
 - conf: improve write_id_mapping()
 - utils: add run_command
 - conf: rework lxc_map_ids()
 - conf: allow writing uid mappings with euid != 0
 - conf: use run_command for lxc-usernsexec
 - network: don't delete net devs we didn't create
 - confile: do not write out trailing spaces
 - confile: config_init_uid()
 - confile: config_init_gid()
 - confile: config_pts()
 - confile: config_start()
 - confile: config_monitor()
 - confile: config_tty()
 - confile: config_kmsg()
 - confile: config_lsm_aa_incomplete()
 - confile: config_loglevel()
 - confile: config_autodev()
 - confile: config_haltsignal()
 - confile: config_rebootsignal()
 - confile: config_stopsignal()
 - confile: config_fstab()
 - confile: config_includefile()
 - confile: config_utsname()
 - confile: config_ephemeral()
 - utils: add lxc_safe_ulong()
 - confile: properly parse lxc.idmap entries
 - lxc-ls: return all containers by default, new filter - list only defined containers.
 - conf: move clearing config items into one place
 - confile: add lxc_get_idmaps()
 - confile: allow to retrieve lxc.haltsignal
 - confile: allow to retrieve lxc.rebootsignal
 - confile: allow to retrieve lxc.stopsignal
 - confile: allow to get lxc.autodev
 - confile: allow to get lxc.kmsg
 - confile: extend call back system
 - confile: add prototype for getter
 - confile: prefix setters with "set_"
 - confile: add getter for lxc.arch
 - confile: add getter for lxc.pts
 - confile: add getter for lxc.tty
 - confile: add getter for lxc.devttydir
 - confile: add getter for lxc.kmsg
 - confile: add getter for lxc.aa_profile
 - confile: add getter for lxc.aa_allow_incomplete
 - confile: add getter for lxc.se_context
 - confile: add getter for lxc.cgroup{.*}
 - confile: add getter for lxc.id_map
 - confile: add getter for lxc.loglevel
 - confile: add getter for lxc.logfile
 - confile: add getter for lxc.mount
 - confile: add getter for lxc.mount.auto
 - confile: add getter for lxc.mount.entry
 - confile: add getter for lxc.rootfs
 - confile: add getter for lxc.rootfs.mount
 - confile: add getter for lxc.rootfs.options
 - confile: add getter for lxc.rootfs.backend
 - confile: add dummy getter for lxc.pivotdir
 - confile: add getter for lxc.utsname
 - confile: add getters for lxc.hook{.*}
 - confile: add getter for lxc.network
 - confile: add getters for lxc.network{.*}
 - confile: add getter for lxc.cap.drop
 - confile: add getter for lxc.cap.keep
 - confile: add getter for lxc.console
 - confile: add getter for lxc.console.logfile
 - confile: add getter for lxc.seccomp
 - confile: add getter for lxc.autodev
 - confile: add getter for lxc.haltsignal
 - confile: add getter for lxc.rebootsignal
 - confile: add getter for lxc.stopsignal
 - confile: add getters for lxc.start.*
 - confile: add getter for lxc.monitor.unshare
 - confile: add getter for lxc.group
 - confile: add getter for lxc.environment
 - confile: add getter for lxc.init_cmd
 - confile: add getter for lxc.init_uid
 - confile: add getter for lxc.init_gid
 - confile: add getter for lxc.ephemeral
 - lxccontainer: switch api to new callback system
 - confile: adapt layout of getter callback
 - commands: switch api to new callback system
 - confile: dump lxc_get_config_item()
 - test: add item clear and config file tests
 - confile: final cleanups
 - confile: implement config item clear callback
 - confile: add clearer for lxc.personality
 - confile: add clearer for lxc.pts
 - confile: add clearer for lxc.tty
 - confile: add clearer for lxc.devttydir
 - confile: add clearer for lxc.kmsg
 - confile: add clearer for lxc.aa_profile
 - confile: add clearer for lxc.lsm_aa_allow_incomplete
 - confile: add clearer for lxc.se_context
 - confile: add clearer for lxc.cgroup
 - confile: add clearer for lxc.id_map
 - confile: add clearer for lxc.loglevel
 - confile: add clearer for lxc.logfile
 - confile: add clearer for lxc.mount.entry
 - confile: add clearer for lxc.mount.auto
 - confile: add clearer for lxc.mount
 - confile: add clearer for lxc.rootfs
 - confile: add clearer for lxc.rootfs.mount
 - confile: add clearer for lxc.rootfs.options
 - confile: add clearer for lxc.rootfs.backend
 - confile: add dummy clearer for lxc.pivotdir
 - confile: add clearer for lxc.utsname
 - confile: add clearer for lxc.hook{.*}
 - confile: add clearer for lxc.network.*
 - confile: add clearer for lxc.network
 - confile: add clearer for lxc.cap.drop
 - confile: add clearer for lxc.cap.keep
 - confile: add clearer for lxc.console
 - confile: add clearer for lxc.console.logfile
 - confile: add clearer for lxc.seccomp
 - confile: add clearer for lxc.autodev
 - confile: add clearer for lxc.haltsignal
 - confile: add clearer for lxc.rebootsignal
 - confile: add clearer for lxc.stopsignal
 - confile: add clearer for lxc.start.*
 - confile: add clearer for lxc.monitor.unshare
 - confile: add clearer for lxc.group
 - confile: add clearer for lxc.environment
 - confile: add clearer for lxc.init_cmd
 - confile: add clearer for lxc.init_uid
 - confile: add clearer for lxc.init_gid
 - confile: add clearer for lxc.ephemeral
 - confile: add clearer for lxc.include
 - confile: add clearer for lxc.include
 - lxccontainer: switch api to new clearer callbacks
 - Use lxc-stop to stop systemd service
 - confile: performance tweaks
 - tests: comp retval to exp val whenever we can
 - adding warning for mtu ignoring
 - conf: use minimal {g,u}id map
 - confile: add dummy getter for lxc.include
 - tests: enforce all methods for config items
 - add probe status checking
 - confile_utils: add new file
 - tests: add unit tests for idmap parser
 - conf: non-functional changes
 - conf: rework userns_exec_1()
 - start: log sending and receiving of tty fds
 - conf: non-functional changes
 - conf: avoid double-frees in userns_exec_1()
 - tree-wide: log function called in userns_exec_1()
 - af_unix: abstract lxc_abstract_unix_{send,recv}_fd
 - conf: remove dead mount code
 - bdev: "detect" loop file
 - doc: tweak lxc.container.conf a little
 - bdev: non-functional changes
 - bdev: record output from mkfs.*
 - conf: improve tty shifting function
 - conf: improve lxc_map_ids()
 - conf: fix bionic builds
 - lxc-opensuse: add Tumbleweed as supported release
 - seccomp: export the seccomp filter after load it into kernel successful
 - Switch to a new lxc_log_init function
 - lxc-alpine: Add support for ppc64le
 - start: add lxc_init_handler()
 - lxccontainer: only spawn monitord on demand
 - commands: add TRACE()ers
 - commands: add lxc_cmd_state_server()
 - {start,lxccontainer}: add lxc_free_handler()
 - lxccontainer: cleanup + bugfixes
 - conf: fix wrong path on overlayfs
 - tests: don't fail when no processes for user exist
 - tree-wide: priority -> level
 - network: mv config_value_empty() to confile_utils
 - network: add data arg to set callback
 - network: add network counter
 - network: implement lxc_get_netdev_by_idx()
 - network: perform network validation at creation time
 - network: add lxc_log_configured_netdevs()
 - network: add arg to config clear method
 - utils: fix the way to detect blocking signal
 - utils: use 1LU otherwise we overflow
 - doc: Tweak Japanese lxc.container.conf(5)
 - Fix memory leak of 'lxc_tty_state'
 - confile: do not check for empty value twice
 - Revert "Add a prefix to the lxc.pc"
 - fix memory and resource leak
 - Use strerror(errno) instead of %m
 - update .gitignore
 - templates/debian: add aarch64 → arm64 mapping
 - use altarch mirror for CentOS on arches other than i386 and x86_64
 - API doc: update note for get_config_item
 - remove the `__func__` macro
 - lxc-monitord: exit when got a quit command
 - start: send state to legacy lxc-monitord state server even if no state clients registered
 - remove the unused macro
 - lxclock: return the right error when open lock file failed
 - lxclock: non-functional changes
 - README: add CII Best Practices badge to README
 - README: update
 - lxc-execute: print error message when failed
 - lxc-init: add comment for exclude 32 and 33 signals
 - lxc-init: non-functional changes
 - lxc-init: adjust include statements
 - lxc-init: move initialization of act to outside of the loop
 - caps.h: move ifndef/define to the top
 - use same ifndef/define format for all headers
 - Allow containers to start in AppArmor namespaces
 - af_unix: remove unlink operation
 - state: remove lxc_rmstate declaration
 - lxc_abstract_unix_connect: remove the workaround-code
 - utils: close parent end in child process after fork
 - utils: lxc_make_abstract_socket_name()
 - start: generalize lxc_check_inherited()
 - start: use separate socket on daemonized start
 - lxccontainer: make sure memory is free()ed
 - lxccontainer: non-functional changes
 - test: shortlived daemonized containers
 - lxc static init: report exec*() failure
 - commands: rename to lxc_cmd_add_state_client()
 - commands: make state server interface flexible
 - commands: mv lxc_make_abstract_socket_name()
 - commands: add missing translation
 - commands: abstract cmd socket handling + logging
 - commands: handle EINTR
 - commands: delete meaningless comments
 - commonds: fix typo
 - utils: use access instead of stat
 - start: dup std{in,out,err} to pty slave
 - utils: set_stdfds()
 - cgfsng: only output debug info when we set cgroup data
 - confile: clear ipv{4,6} gateway
 - confile: clear network flags
 - confile: clear macvlan mode
 - confile: clear vlan id
 - doc: Untabify Japanese lxc.container.conf(5)
 - cgroups: workaround gcc-7 bug
 - confile: free netdev->downscript
 - testcase: define a network before checks
 - storage: add storage_utils.{c.h}
 - storage: add lxc_storage_get_path()
 - storage: prefix all dir paths
 - storage: prefix all btrfs paths
 - storage: prefix all lvm paths
 - storage: prefix all nbd paths
 - storage: prefix all rbd paths
 - storage: prefix all zfs paths
 - storage: handle prefixed rootfs paths
 - fix some cppcheck warnings
 - tests: remove the temp container directory
 - Sanitize lxc-download script with shellcheck
 - Fix syntax error in lxc-download
 - Fix issue #1702, do remount with the MS_REMOUNT flag when mounts with MS_RDONLY
 - Add test script to test the ro option of lxc.rootfs.options
 - Using 'add-required_remount_flags' function to add required flags
 - start: lxc_setup() after unshare(CLONE_NEWCGROUP)
 - utils: move helpers from cgfsng.c to utils.{c,h}
 - cgroups: handle hybrid cgroup layouts
 - lvm: check whether lxc.bdev.lvm.vg is set
 - cgroups: use tight scoping
 - lvm: fix check
 - Use "rsync -SHaAX" to copy the cached rootfs into place
 - storage: default to orig type on identical paths
 - lxccontainer: use snprintf()
 - btrfs: simplify + bugfix
 - lvm: non-functional changes
 - overlay: simplify and adapt to "overlay"
 - tools: remove empty snap directory
 - btrfs: non-functional changes
 - btrfs: export btrfs_snapshot_wrapper()
 - btrfs: enable unprivileged snapshots
 - btrfs: non-functional changes
 - btrfs: only chown_mapped_root() if not btrfs
 - btrfs: simplify
 - btrfs: simplify
 - storage: add create_{clone,snapshot}()
 - btrfs: switch to btrfs_create_{clone,snapshot}()
 - storage: add arg to create_snapshot()
 - storage: rework lvm backend
 - dir: non-functional changes
 - dir: improvements
 - bdev: non-functional changes
 - rsync: add new rsync functions
 - storage: switch to new rsync functions
 - btrfs: switch to new rsync helpers
 - loop: rework loop storage driver
 - rbd: rbd non-functional changes
 - rbd: rework rbd storage driver
 - Revert "rbd: rework rbd storage driver"
 - Revert "rbd: rbd non-functional changes"
 - Revert "loop: rework loop storage driver"
 - Revert "btrfs: switch to new rsync helpers"
 - Revert "storage: switch to new rsync functions"
 - Revert "rsync: add new rsync functions"
 - Revert "bdev: non-functional changes"
 - Revert "dir: improvements"
 - Revert "dir: non-functional changes"
 - Revert "storage: rework lvm backend"
 - Revert "storage: add arg to create_snapshot()"
 - Revert "btrfs: switch to btrfs_create_{clone,snapshot}()"
 - Revert "storage: add create_{clone,snapshot}()"
 - Revert "btrfs: simplify"
 - Revert "btrfs: simplify"
 - Revert "btrfs: only chown_mapped_root() if not btrfs"
 - Revert "btrfs: non-functional changes"
 - Revert "btrfs: enable unprivileged snapshots"
 - Revert "btrfs: export btrfs_snapshot_wrapper()"
 - Revert "btrfs: non-functional changes"
 - Revert "tools: remove empty snap directory"
 - Revert "overlay: simplify and adapt to "overlay""
 - Revert "lvm: non-functional changes"
 - Revert "btrfs: simplify + bugfix"
 - Revert "storage: handle prefixed rootfs paths"
 - Revert "storage: prefix all zfs paths"
 - Revert "storage: prefix all rbd paths"
 - Revert "storage: prefix all nbd paths"
 - Revert "lvm: fix check"
 - Revert "lvm: check whether lxc.bdev.lvm.vg is set"
 - Revert "storage: prefix all lvm paths"
 - Revert "storage: prefix all btrfs paths"
 - Revert "storage: add lxc_storage_get_path()"
 - Revert "storage: prefix all dir paths"
 - storage: handle overlay for stable 2.0
 - storage: rename files "bdev" -> "storage"
 - tree-wide: struct bdev -> struct lxc_storage
 - utils: rework lxc_deslashify()
 - templates/opensuse: tumbleweed has no update repo
 - templates/opensuse: fix tumbleweed software selection
 - templates/opensuse: getty.target.wants does not always exists
 - templates/opensuse: support leap 42.3
 - conf: mount_file_entries()
 - conf: setup_mount()
 - conf: make_anonymous_mount_file()
 - conf: setup_mount_entries()
 - conf: mount_entry_on_absolute_rootfs()
 - conf: mount_entry_on_systemfs()
 - conf: mount_entry_on_generic()
 - android: include custom mntent
 - conf: mount_entry_create_dir_file()
 - conf: cull_mntent_opt()
 - conf: mount_entry()
 - conf: lxchook_names
 - conf: mount_autodev()
 - utils: add has_fs_type() + is_fs_type()
 - utils: switch to has_fs_type()
 - conf: lxc_fill_autodev()
 - conf: NOTICE() on mounts on container's /dev
 - userns.conf: remove obsolete bind-mounts
 - travis: fix builds
 - start: ensure cgroups are cleaned up
 - debian: Add buster as a valid release
 - debian: jessie and stretch keyring support
 - lxccontainer: remove 5s timeout
 - android: fix includes
 - Fix mem leak with realpath
 - Revert "debian: jessie and stretch keyring support"
 - confile: non-functional changes
 - confile: lxc_listconfigs -> lxc_list_config_items
 - Add CONFIG_NETFILTER_XT_MATCH_COMMENT to lxc-checkconfig
 - tools: use "which"
 - tools: add additional cgroup checks
 - conf: non-functional fixup
 - cgroups: non-functional changes
 - Use deb.debian.org as the default Debian mirror
 - network: log cleanup thread pid for openswitch
 - conf: non-functional changes
 - conf: log lxc-user-nic output
 - rtnl: non-functional changes
 - af_unix: non-functional changes
 - arguments: non-functional changes
 - templates/ubuntu: conditionally move upstart ssh job, as it is now optional.
 - openvswitch: delete ports intelligently
 - conf: refactor network deletion
 - conf: do not check union on wrong net type
 - attach: non-functional changes
 - conf: non-functional changes
 - conf: do not deref null pointer
 - cgfsng: non-functional changes
 - lxc-user-nic: non-functional changes
 - lxc-user-nic: fix memleak
 - lxc-user-nic: add new {create,delete} subcommands
 - tests: adapt lxc-user-nic tests to new syntax
 - conf: adapt to lxc-user-nic usage
 - lxc-user-nic: rework renaming net devices
 - network: send ifindex for unpriv networks
 - network: log ifindex
 - network: delete ovs for unprivileged networks
 - lxc-user-nic: non-functional changes
 - lxc-user-nic: check db before trying to delete
 - conf: increase lxc-user-nic buffer
 - network: non-functional changes
 - lxc-user-nic: remove delta between master + stable
 - lxc-user-nic: test privilege over netns on delete
 - network: log veth_attr.pair and veth_attr.veth1
 - network: add ifindex field for host veth device
 - network: document all fields in struct lxc_netdev
 - network: log ifindex for host side veth device
 - network: rework network creation
 - network: retrieve the host's veth device ifindex
 - start: non-functional changes
 - lxc-user-nic: free memory and check for error
 - lxc-user-nic: initialize vars to silence gcc-7
 - network: use static memory for net device names
 - network: non-functional changes
 - start: non-functional changes
 - network: retrieve correct names and ifindices
 - network: stop recording saved physical net devices
 - network: use correct network device name
 - templates/ubuntu: support netplan in newer releases by default
 - Check that there is netplan binary, rather than just just a config directory.
 - network: remove netpipe
 - lxc-user-nic: fix adding database entries
 - lxc-user-nic: keep lines from other {users,links}
 - utils: add lxc_nic_exists()
 - lxc-user-nic: bugfixes
 - handler: root -> am_root
 - network: user send()/recv()
 - network: fix grammar
 - network: remove allocation from lxc_mkifname()
 - lxc-user-nic: simplify
 - conf: send ttys in batches of 2
 - start: switch from SOCK_DGRAM to SOCK_STREAM
 - conf: do not free static memory
 - conf: don't send ttys when none are configured
 - start: don't let data_sock users close the fd
 - criu: add cmp_version()
 - start: document all handler fields
 - conf: record idmap that gets written
 - console: non-functional change
 - conf: non-functional changes
 - conf: do not log uninitialized memory
 - conf: fix userns_exec_1()
 - console: clean tty state + return 0 on peer exit
 - conf: fix tty creation
 - network: add missing checks for empty links
 - conf: add userns_exec_full()
 - lxccontainer: use userns_exec_full()
 - start: userns_exec_full()
 - console: remove dead assignments
 - monitor: remove dead assignment
 - start: remove dead variable
 - criu: use correct check initialization check
 - utils: do not write to 0 sized buffer
 - confile: parse_idmaps() remove dead assignments
 - lxc-unshare: do not pass NULL pointer
 - lxc_usernsexec: remove dead assignments
 - tests: remove dead assignments
 - tests: avoid NULL pointer dereference
 - utils: lxc_popen() remove dead assignments
 - lxc-user-nic: remove double initialization
 - start: switch ids at last possible instance
 - plamo: Delete unnecessary process during container shutdown
 - fix regex-typo in lxc-monitor.sgml.in
 - start: move env setup before container setup
 - start: set environment variables correctly
 - start: pass LXC_LOG_LEVEL to hooks
 - utils: duplicate stderr as well in lxc_popen()
 - utils: fix lxc_popen()/lxc_pclose()
 - Change file check to also check file size (`-f` => `-s`)
 - tests: Support systemd hybrid cgroups
 - doc: fix regex-typo in Japanese and Korean lxc-monitor(1)
 - storage: use userns_exec_full()
 - network: remove dead assignments
 - confile: preserve newlines
 - execute: enable console & standard /dev symlinks
 - storage: avoid segfault
 - doc: document missing env variables
 - cgfsng: fail when limits fail to apply
 - start: don't close inherited namespace fds
 - network: use single helper to delete networks
 - network: non-functional changes
 - network: clear ifindeces
 - drop useless apparmor denies
 - Don't force getty@ configuration
 - init: become session leader
 - arguments: print "-devel" when LXC_DEVEL is true
 - log: prevent stack smashing
 - conf: error out on too many mappings
 - confile: use correct check on char array
 - Change locale "en-US.UTF-8" to "en_US.UTF-8"
 - Fix a format string build failure on x32.
 - change version to 2.0.9 in configure.ac

As this is our previous LTS branch, all updates from this point on will be critical bug fixes or security updates only; we will not be performing additional bugfix cherry-picks in this series.

Upstream CI has been run on both releases and 2.0.9 has been shipping in a number of other Linux distributions in the past; we are not expecting this to cause any user-visible changes and to only lead to bugfixes and easier maintenance for us.

Changed in lxc (Ubuntu):
status: New → Fix Released
Changed in lxc (Ubuntu Trusty):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Xenial):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Trusty):
importance: Undecided → Medium
Changed in lxc (Ubuntu Xenial):
importance: Undecided → Medium
Changed in lxc (Ubuntu Trusty):
status: New → Triaged
Changed in lxc (Ubuntu Xenial):
status: New → In Progress
Stéphane Graber (stgraber) wrote :

We'll have to make that 2.0.11 as unfortunately the 2.0.10 release tarball is bad, waiting for the new release to unblock this bug.

summary: - SRU of LXC 2.0.10
+ SRU of LXC 2.0.11
description: updated
Stéphane Graber (stgraber) wrote :

The upstream announcement is now available here:
  https://discuss.linuxcontainers.org/t/lxc-2-0-11-has-been-released/4238

Stéphane Graber (stgraber) wrote :

Uploaded to the SRU queue for Ubuntu 16.04 LTS.

Hello Stéphane, or anyone else affected,

Accepted lxc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.11-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in lxc (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Stéphane, or anyone else affected,

Accepted lxc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.11-0ubuntu1~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Stéphane Graber (stgraber) wrote :

Adding go-lxc to this as the fixes in 2.0.11 ended up showing bugs in go-lxc's test logic, so we'll have to cherry-pick a couple of fixes from upstream to have it be happy and give us a meaningful test result.

Changed in golang-gopkg-lxc-go-lxc.v2 (Ubuntu):
status: New → Fix Released
Changed in golang-gopkg-lxc-go-lxc.v2 (Ubuntu Trusty):
status: New → Triaged
Changed in golang-gopkg-lxc-go-lxc.v2 (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Stéphane Graber (stgraber)
Changed in golang-gopkg-lxc-go-lxc.v2 (Ubuntu Trusty):
assignee: nobody → Stéphane Graber (stgraber)
Stéphane Graber (stgraber) wrote :

For go-lxc, the goal is to get a clean autopkgtest result on all arches; manual testing of the package did show that we should be getting that now.

Brian Murray (brian-murray) wrote :

Hello Stéphane, or anyone else affected,

Accepted lxc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.11-0ubuntu1~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

Hello Stéphane, or anyone else affected,

Accepted golang-gopkg-lxc-go-lxc.v2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/golang-gopkg-lxc-go-lxc.v2/0.0~git20161126.1.82a07a6-0ubuntu1~ubuntu16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in golang-gopkg-lxc-go-lxc.v2 (Ubuntu Xenial):
status: In Progress → Fix Committed
Stéphane Graber (stgraber) wrote :

Did manual testing on LXC 2.0.11 both using it directly and through LXD with pre-existing and new containers.

Also tested LXD on top of the updated go-lxc.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package golang-gopkg-lxc-go-lxc.v2 - 0.0~git20161126.1.82a07a6-0ubuntu1~ubuntu16.04.2

---------------
golang-gopkg-lxc-go-lxc.v2 (0.0~git20161126.1.82a07a6-0ubuntu1~ubuntu16.04.2) xenial; urgency=medium

  * Cherry-pick fixes from recent go-lxc (LP: #1816642):
    - Actually start the container in shutdown test
    - Make sure the container has a config when calling Execute()

 -- Stéphane Graber <email address hidden> Tue, 09 Apr 2019 14:14:00 -0400

Changed in golang-gopkg-lxc-go-lxc.v2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 2.0.11-0ubuntu1~16.04.3

---------------
lxc (2.0.11-0ubuntu1~16.04.3) xenial; urgency=medium

  * Cherry-pick upstream bugfix (fixes regression on attach with uid/gid):
    - attach: improve id switching
    - utils: make id switching functions return bool

lxc (2.0.11-0ubuntu1~16.04.2) xenial; urgency=medium

  * Use clean LDFLAGS when building the static init.lxc, otherwise we
    end up with broken binaries on some architectures.

lxc (2.0.11-0ubuntu1~16.04.1) xenial; urgency=medium

  * New upstream bugfix release (2.0.11) (LP: #1816642)
    - Security fix for CVE-2018-6556 (affecting 2.0.9+)
    - Mitigation for CVE-2019-5736

    - Full changelog available at:
      https://discuss.linuxcontainers.org/t/lxc-2-0-11-has-been-released/4238

 -- Stéphane Graber <email address hidden> Tue, 09 Apr 2019 13:58:10 -0400

Changed in lxc (Ubuntu Xenial):
status: Fix Committed → Fix Released