Debian Patches
Status for lxc/1:6.0.4-4+deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch | [nesting] Extend mount permissions in apparmor to allow systemd services' restrictions to work. These options allow systemd security features to work. In particular cases, it helps with systemd-logind and programs like this. It's only added in the nesting profile as it could pose security risks on privileged containers. mount options=(rw,rbind) -> /run/systemd/mount-rootfs/, mount options=(rw,rbind) -> /run/systemd/mount-rootfs/**, mount options=(rw,rbind) -> /run/systemd/unit-root/, mount options=(rw,rbind) -> /run/systemd/unit-root/**, mount options=(rw,rshared) -> /, mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/ | Pierre-Elliott Bécue <peb@debian.org> | no | | | 2022-08-01 |
| 0002-lxc.service-Starts-after-remote-fs.target.patch | [lxc.service] Starts after remote-fs.target | Pierre-Elliott Bécue <peb@debian.org> | no | | | 2019-08-05 |
| 0003-apparmor-4x-userns.patch | update apparmor profile for userns permission and new abi (diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in index 87982fd..eb6b8ee 100644) | Mathias Gibbens <gibmat@debian.org> | yes | | | |
| 0004-cherry-pick-complex-hooks-fix.patch | start: Re-introduce first SET_DUMPABLE call. Without it, we're running into issues with complex hooks like nvidia. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-04-05 |
| 0005-cherry-pick-loong64.patch | Add loong64 to list of recognized architectures. Debian refers to the loong architecture as "loong64". | Mathias Gibbens <gibmat@debian.org> | no | | | 2025-05-21 |
| 0101-cherry-pick-fix-misleading-errors.patch | lxc/lxccontainer: stop printing misleading errors in enter_net_ns(). In enter_net_ns() we try to enter the network namespace first, before entering a user namespace, to support the inherited netns case properly. It is expected to get EPERM for an unprivileged container with a non-shared network namespace on the first try. Let's take this into account and stop misleading users with these error messages. | Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> | no | | | 2025-07-28 |
| 0102-cherry-pick-apparmor-generation.patch | config/apparmor/abstractions: Fix meson build generation of container-base. Previously, abstractions/container-base was a hand-generated concatenation of two different files, abstractions/container-base.in and container-rules. This was confusing, since the meson configuration didn't actually create abstractions/container-base from abstractions/container-base.in. Now, the previously manual step of creating abstractions/container-base is part of the meson configure step. | Mathias Gibbens <gibmat@debian.org> | no | | | 2025-10-26 |
| 0103-cherry-pick-fix-dbus-reboots.patch | cgfsng: fix reboots when using dbus. When using dbus on a systemd system, we ask systemd to create a "scope" for us to run in. We send a dbus message, and wait for the reply saying it is created. When we reboot, we were re-sending the request to create the scope. However, the scope still exists, because our single lxc-monitor (originally lxc-start) thread is still under the 'lxc.pivot' sub-directory of the scope. But, on reboot, our lxc_conf already has our scope recorded! So, just check whether that is set, and skip scope creation if so. With this patch, I can reboot ad nauseam with no apparent problems. We could probably move this check to the top of the function, but for now this fixes the bug. | Serge Hallyn <serge@hallyn.com> | no | | | 2025-12-23 |
| 0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch | Add lxc-net as dependency in sysvinit script. Otherwise containers don't start during boot, but come up fine later. | Frost <frost@brightfur.net> | no | | | 2025-12-07 |
| 0105-cherry-pick-fix-heavy-io-pts.patch | [PATCH 1/2] lxc/{terminal, file_utils}: ensure complete data writes in ptx/peer io handlers. Previously, lxc_write_nointr could return without writing all data when write() returned EAGAIN/EWOULDBLOCK due to buffer-full conditions. This change: implements a loop to continue writing until all data is sent; handles EINTR, EAGAIN, and EWOULDBLOCK errors appropriately; uses poll() to wait for the fd to become ready when blocked; maintains backward compatibility while fixing partial write issues. [ alex ] introduce a separate helper lxc_write_all and use it only in ptx/peer io handlers; clean up the code a bit. | DreamConnected <1487442471@qq.com> | no | | | 2025-10-26 |
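The failure mode behind patch 0105 (a write helper that returns a short count as soon as a non-blocking fd reports EAGAIN/EWOULDBLOCK, so the tail of a terminal buffer is silently lost under heavy I/O) is easy to reproduce and fix in a standalone program. The following is an added example written for this page; it is not lxc's lxc_write_all or lxc_write_nointr. The helper name write_all, the demo_roundtrip fork-based harness, and the 1 MiB constructed payload pushed through a 64 KiB pipe are assumptions made here to exercise the EAGAIN path.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not lxc's own): write every byte of buf, retrying
 * on EINTR and, when a non-blocking fd reports EAGAIN/EWOULDBLOCK, waiting
 * with poll() for POLLOUT instead of returning a short count.
 * Returns count on success, -1 with errno set on failure. */
ssize_t write_all(int fd, const void *buf, size_t count)
{
    const char *p = buf;
    size_t left = count;

    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n > 0) {               /* partial or full write: advance */
            p += n;
            left -= (size_t)n;
            continue;
        }
        if (n == 0) {              /* write(2) should not return 0 here */
            errno = EIO;
            return -1;
        }
        if (errno == EINTR)        /* interrupted by a signal: just retry */
            continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            /* kernel buffer full: block until the peer drains some of it */
            struct pollfd pfd = { .fd = fd, .events = POLLOUT };
            int r;
            do {
                r = poll(&pfd, 1, -1);
            } while (r < 0 && errno == EINTR);
            if (r < 0)
                return -1;
            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
                errno = EPIPE;     /* reader went away: give up */
                return -1;
            }
            continue;
        }
        return -1;                 /* any other error is fatal */
    }
    return (ssize_t)count;
}

/* Demo harness (constructed for this page): a forked child drains a pipe
 * whose capacity is far below `total`; the parent pushes a patterned
 * payload through the non-blocking write end with write_all().
 * Returns 0 if the child received every byte intact, non-zero otherwise. */
int demo_roundtrip(size_t total)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                /* child: read until EOF, verify pattern */
        close(fds[1]);
        char buf[4096];
        size_t got = 0;
        int ok = 1;
        ssize_t n;
        while ((n = read(fds[0], buf, sizeof buf)) > 0) {
            for (ssize_t i = 0; i < n; i++)
                if (buf[i] != (char)((got + (size_t)i) & 0xff))
                    ok = 0;
            got += (size_t)n;
        }
        _exit(ok && got == total ? 0 : 1);
    }

    close(fds[0]);
    int flags = fcntl(fds[1], F_GETFL);
    fcntl(fds[1], F_SETFL, flags | O_NONBLOCK);   /* force EAGAIN when full */

    char *data = malloc(total);
    if (!data) {
        close(fds[1]);
        return -1;
    }
    for (size_t i = 0; i < total; i++)
        data[i] = (char)(i & 0xff);

    ssize_t w = write_all(fds[1], data, total);
    free(data);
    close(fds[1]);                 /* EOF for the child */

    int status = 0;
    waitpid(pid, &status, 0);
    if (w != (ssize_t)total)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo_roundtrip(1 << 20);   /* 1 MiB through a ~64 KiB pipe */
    printf("roundtrip %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

A plain write() on the non-blocking end would return a short count after the first ~64 KiB and then EAGAIN, which is exactly the situation the patch description reports for the ptx/peer handlers; the poll() loop makes the caller block only for as long as the kernel buffer is full, and the POLLERR/POLLHUP check keeps a disappeared reader from turning into an infinite wait.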
All known versions for source package 'lxc'
- 1:6.0.6-1 (sid, forky)
- 1:6.0.4-4+deb13u2 (trixie)
- 1:5.0.2-1+deb12u3 (bookworm)
