LXC 4.0.5 LTS has been released

News
,
1

Introduction

The LXC team is pleased to announce the release of LXC 4.0.5!

This is the fifth bugfix release for LXC 4.0 which is supported until June 2025.

Bugfixes

Some of the highlights for this release are:

  • Support allocating PTS devices from within the container
  • Harden more path/mount handling logics
  • Rework LSM logic to limit initializer use

The full list of commits is available below:

Detailed changelog
  • terminal: safely allocate pts devices from inside the container
  • macro: define TIOCGPTPEER if missing
  • conf: use openat() instead of open_tree()
  • seccomp: don’t close the mainloop, simply remove the handler
  • seccomp: add seccomp_notify_fd_active api extension
  • seccomp: send notify fd as part of the message
  • api-extension: add missing seccomp_proxy_send_notify_fd extension
  • Revert “templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys”
  • lxc-download: Fix retry loop
  • syscalls: add openat2()
  • utils: add safe_mount_beneath() based on openat2()
  • conf: switch mount_autodev() to new safe_mount_beneath() helper
  • cgfsng: use safe_mount_beneath()
  • utils: introduce safe_mount_beneath_at()
  • conf: stash file descriptor to root mountpoint in struct lxc_rootfs
  • conf: make use of stashed container mountpoint fd in mount_autodev()
  • file_utils: add exists_dir_at()
  • conf: harden lxc_fill_autodev() via save_mount_beneath_at()
  • conf: move /dev setup to be file descriptor based
  • terminal: harden terminal allocation
  • lsm: rework lsm handling
  • lsm: use atomic in ase we’re used multi-threaded
  • lsm: remove the need for atomic operations
  • Updated documentation to reflect lack of support for pure cgroupv2
  • cgfsng: fix cgroup attach cgroup creation
  • remove deprecated options in lxc.service fixes #3527
  • Check only rootfs as filesystem type
  • cgroups: fix armhf builds
  • remove useless parameters
  • avoid a NULL pointer dereference in lxc-attach
  • terminal: introduce lxc_terminal_signal_sigmask_safe_blocked()
  • attach: use lxc_terminal_signal_sigmask_safe_blocked()
  • commands: don’t fail if unfreeze fails
  • lxc-usernsexec: setgroups() similar to other places shouldn’t fail on EPERM
  • Remove obsolete setting regarding the Standard Output
  • seccomp: Check if syscall is supported on compat architecture.
  • seccomp: log invalid seccomp notify ids
  • seccomp: improve default notification sending
  • seccomp: fix compilation on powerpc
  • sync: switch to new error helpers
  • sync: log synchronization states
  • start: improve devpts fd sending
  • conf: always send response to parent waiting for devptfs_fd
  • conf: account for early return when sending devpts fd

Support and upgrade

The LXC 4.0 branch is supported until June 2025.
Only bugfixes and securitiy issues get included into the stable bugfix releases, so it’s always safe and recommended to keep up and run the latest bugfix release.

Downloads

1 Like