LXC 3.0.2 has been released

Introduction

The LXC team is pleased to announce the release of LXC 3.0.2!

As a stable bugfix release, no major changes have been done, instead focusing on bugfixes and minor usability improvements.

Highlights

  • Adapt to changes in Linux 4.18 which allows to create but not to open devices nodes in user namespaces
  • Allocate network namespace id on container startup
  • Build a static liblxc
    This is helpful to efficiently retrieve network interfaces and their addresses via Netlink.
  • Hardened thread-safety across the whole codebase
  • Added efficient strlcpy() and strlcat() implementations to all instances of strncpy() and strncat() to make string handling more secure
  • The lxc-* tools (e.g. lxc-attach, lxc-start) share symbols with the liblxc shared library
    This significantly reduced the size of the codebase.
  • Tree-wide coding style fixes

CVE-2018-6556

This release fixes CVE-2018-6556 via commit CVE 2018-6556: verify netns fd in lxc-user-nic: lxc-user-nic when asked to delete a network interface will unconditionally open a user provided path.

This code path may be used by an unprivileged user to check for the existence of a path which they wouldn’t otherwise be able to reach. It may also be used to trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys).

Affected releases are LXC: 2.0 versions above and including 2.0.9; 3.0 versions above and including 3.0.0, prior to 3.0.2.

Bugfixes (LXC)

  • fixed a range of bugs found by Coverity
  • lxc-usernsexec: cleanup and bugfixes
  • log: add CMD_SYSINFO()
  • log: add CMD_SYSERROR()
  • state: s/sleep()/nanosleep()/
  • lxclock: improve file locking
  • lxccontainer: improve file locking
  • lxccontainer: fix F_OFD_GETLK checks
  • netlink: add __netlink_{send,recv,transaction}
  • netns: allocate network namespace id
  • MAINTAINERS: add Wolfgang Bumiller
  • CVE 2018-6556: verify netns fd in lxc-user-nic
  • pam_cgfs: cleanups
  • log: add default log priority
  • tree-wide: pass unsigned long to prctl()
  • macro: add new macro header
  • conf: mount devpts without “max” on EINVAL
  • tree-wide: handle EINTR in read() and write()
  • tree-wide: replace pipe() with pipe2()
  • confile: split mount options into flags and data
  • conf: improve rootfs setup
  • autotools: default to -Wvla -std=gnu11
  • tree-wide: remove VLAs
  • tree-wide: replace strtok_r() with lxc_iterate_parts()
  • utils: add lxc_iterate_parts()
  • apparmor: allow start-container to change to lxc-**
  • apparmor: update current profiles
  • apparmor: Allow /usr/lib* paths for mount and pivot_root
  • conf: the atime flags are locked in userns
  • conf: handle partially functional device nodes
  • conf: create /dev directory
  • autotools: build both a shared and static liblxc
  • namespace: add api to convert namespaces to standard identifiers
  • tree-wide: set MSG_NOSIGNAL
  • tree-wide: use mknod() to create dummy files
  • cgfsng: respect lxc.cgroup.use
  • cgroups: remove is_crucial_cgroup_subsystem()
  • tree-wide: remove unneeded log prefixes
  • tests: cleanup all tests
  • terminal: set FD_CLOEXEC on pty file descriptors
  • conf: simplify lxc_setup_dev_console()
  • tools: rework tools
  • autodev: adapt to changes in Linux 4.18
  • log: change DEBUG, INFO, TRACE, NOTICE macro using strerror to SYS* macro
  • log: add lxc_log_strerror_r macro
  • network: unpriv lxc will run lxc.net.[i].script.up now
  • conf: only use newuidmap and newgidmap when necessary
  • autotools: support tls in cross-compile

Bugfixes (LXC templates)

  • fedora: support Fedora 28
  • templates: opensuse: Add support for openSUSE Leap 15
  • templates: opensuse: Drop support for EOL distributions
  • templates: lxc-opensuse.in: Ensure cache is fully populated
  • templates: lxc-opensuse.in: Fix openSUSE Leap 15 cache url

Bugfixes (python3 binding)

  • Fix typo in README.md

Support and upgrade

LXC 3.0.2 is supported until June 2023 and is our current LTS release, users are encouraged to update to the latest bugfix releases as they’re made available.

Downloads

1 Like

Thank you for good news!
When deb packages will be available for Ubuntu 18.0.4?

I’m preparing the deb for Ubuntu 18.10 now, once that’s done and all tests pass on it, I’ll prepare the one for Ubuntu 18.04. As that one needs to go through the stable update process, it can take a couple of weeks for it to be reviewed, then allow enough testing time in bionic-proposed.

1 Like

Ok, thanks.

I cannot find LXD 3.0.2 in Ubuntu 18.04.1, nor in bionic-proposed.
I think it has not been updated yet into 18.04.1.

Just landed, installed here without problems.

1 Like

I see there is a reference on this at Weekly status #67