app-containers/lxc: new package

It's from Gentoo commit 91137d52c4f6307b512c6f447236bc75e8f8b3ec.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

sdk_container/src/third_party/portage-stable/app-containers/lxc/Manifest

@@ -0,0 +1,6 @@
+DIST lxc-5.0.3.tar.gz 975269 BLAKE2B 533d97fe4d986acbf5d562bb2c295a63df2a9a8bfc27aeff5056e4235f667102500debc586c5698482ec048c1b222a0fdc234db6fd6648c4b649f87a85de18f8 SHA512 0553be317431ab7ec0c450c0f85724a53de1f251c39c9716168e17cda6a8daec70b8221228c4be64027df28a327e0f1fd508e6bb48348ab540bbfeaf2b9ac974
+DIST lxc-5.0.3.tar.gz.asc 833 BLAKE2B c35278ed17cad76d2ea94b3985e0110731efea751fb5f1c2d1c9db71486e4844285f372a94c8611dcfe91fdb16459694843b9e0a8273cfc68a56f549c7162cfb SHA512 a5ce5769d49abdf35d94de8273fd3e9c2a8ba4fafea71cf33ee6bce1d83531c8b550d972f7080409a4cc5a92e9d04ece50ed108f92c6aec4868d150e58d7d11a
+DIST lxc-6.0.3.tar.gz 964210 BLAKE2B 8d5dec7f088111a2ca82aadd6cd90eb30a3a1b61900aa47123caba2ff95d10e68cfcd6a94ec6b3e36657777578c8b113c95aad9112b48b9dc964e4ed73783b48 SHA512 4ed41155b74afa135ae8e01f55a8cbbc7284a80e9789aaa2e69264d6b90a6527baf51f9c68dd3364aa83e7939d070f5c7dad924c751927783e883adce539fbdf
+DIST lxc-6.0.3.tar.gz.asc 833 BLAKE2B 3a23eacfdd248a95c9fa41a6edcb55abb07abc81314fa227649663ac264a9e5fdcf81cb38b79f1bd51b9172a70a0aee5bf65ecfdaf438c944c25f11c882ab562 SHA512 5de32e772bd2864e3b688a90fd9f08d98829d61ba3e1cc76a9b403fc005256149f55ad034e186c3329f3abe52a8815f60c5027b16de46be0bc81b14d0134babd
+DIST lxc-6.0.4.tar.gz 964064 BLAKE2B f8911993ce333300e68fe3d817cceb49d6c18f83e5fec1ab2da8ba6f0820808883cf73ce1f7dea2725c6279d87e6fcc0a3feeaeadad76112a47ef69265dbef50 SHA512 8ccdd9cf37b8b75e1e58021bc9bd7841faf3a2790d07f0214b6c8bde7a23e579345f576079a541dba5e71361bf5672af9d482a9e82323068ca0f7291f6063aaf
+DIST lxc-6.0.4.tar.gz.asc 833 BLAKE2B 4600373e9534515fe3ec0c41ebe5b17ee8c4e7ab125e3a211ed300f0fdd79a04a9c183b903e1b6600d7b7ce4d9f2e66451326c473beb02b4a83a7200764e56e7 SHA512 2efe6e06b33a34fdf7ba1393b5e07aa1a18f189b2e43673b4f9bbdc7cf0fcb9ad47b99ebbd08e910e139047d54b1104f098cbbef586796767b9dd1a4a99ca748

sdk_container/src/third_party/portage-stable/app-containers/lxc/files/lxc-6.0.4-start-Re-introduce-first-SET_DUMPABLE-call.patch

@@ -0,0 +1,34 @@
+From 2663712e8fa8f37e0bb873185e2d4526dc644764 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
+Date: Sat, 5 Apr 2025 01:11:18 -0400
+Subject: [PATCH] start: Re-introduce first SET_DUMPABLE call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without it, we're running into issues with complex hooks like nvidia.
+
+Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
+---
+ src/lxc/start.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index f28bceaba..ee4bf4003 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -1125,6 +1125,11 @@ static int do_start(void *data)
+ 		if (!lxc_switch_uid_gid(nsuid, nsgid))
+ 			goto out_warn_father;
+ 
++		ret = prctl(PR_SET_DUMPABLE, prctl_arg(1), prctl_arg(0),
++			    prctl_arg(0), prctl_arg(0));
++		if (ret < 0)
++			goto out_warn_father;
++
+ 		/* set{g,u}id() clears deathsignal */
+ 		ret = lxc_set_death_signal(SIGKILL, handler->monitor_pid, status_fd);
+ 		if (ret < 0) {
+-- 
+2.48.1
+

sdk_container/src/third_party/portage-stable/app-containers/lxc/files/lxc-monitord.service.5.0.0

@@ -0,0 +1,11 @@
+[Unit]
+Description=LXC Container Monitoring Daemon
+After=syslog.service network.target
+Documentation=man:lxc
+
+[Service]
+Type=simple
+ExecStart=/usr/libexec/lxc/lxc-monitord --daemon
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/portage-stable/app-containers/lxc/files/lxc-net.service.5.0.0

@@ -0,0 +1,15 @@
+[Unit]
+Description=LXC network bridge setup
+After=network-online.target
+Before=lxc.service
+Documentation=man:lxc
+ConditionVirtualization=!lxc
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/lxc/lxc-net start
+ExecStop=/usr/libexec/lxc/lxc-net stop
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/portage-stable/app-containers/lxc/files/lxc.initd.9

@@ -0,0 +1,132 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+CONTAINER=${SVCNAME#*.}
+
+LXC_PATH=`lxc-config lxc.lxcpath`
+
+lxc_get_configfile() {
+	if [ -f "${LXC_PATH}/${CONTAINER}.conf" ]; then
+		echo "${LXC_PATH}/${CONTAINER}.conf"
+	elif [ -f "${LXC_PATH}/${CONTAINER}/config" ]; then
+		echo "${LXC_PATH}/${CONTAINER}/config"
+	else
+		eerror "Unable to find a suitable configuration file."
+		eerror "If you set up the container in a non-standard"
+		eerror "location, please set the CONFIGFILE variable."
+		return 1
+	fi
+}
+
+[ $CONTAINER != $SVCNAME ] && CONFIGFILE=${CONFIGFILE:-$(lxc_get_configfile)}
+
+lxc_get_var() {
+	awk 'BEGIN { FS="[ \t]*=[ \t]*" } $1 == "'$1'" { print $2; exit }' ${CONFIGFILE}
+}
+
+lxc_get_net_link_type() {
+		# gentoo bugfix 909640, drop commented lines before awk
+		grep -v '^#' ${CONFIGFILE} | awk 'BEGIN { FS="[ \t]*=[ \t]*"; _link=""; _type="" }
+		$1 == "lxc.network.type" {_type=$2;}
+		$1 == "lxc.network.link" {_link=$2;}
+		match($1, /lxc\.net\.[[:digit:]]+\.type/) {_type=$2;}
+		match($1, /lxc\.net\.[[:digit:]]+\.link/) {_link=$2;}
+		{if(_link != "" && _type != ""){
+			printf("%s:%s\n", _link, _type );
+			_link=""; _type="";
+		}; }'
+}
+
+checkconfig() {
+	if [ ${CONTAINER} = ${SVCNAME} ]; then
+		eerror "You have to create an init script for each container:"
+		eerror " ln -s lxc /etc/init.d/lxc.container"
+		return 1
+	fi
+
+	# no need to output anything, the function takes care of that.
+	[ -z "${CONFIGFILE}" ] && return 1
+
+	utsname=$(lxc_get_var lxc.uts.name)
+	if [ -z "$utsname" ] ; then
+		utsname=$(lxc_get_var lxc.utsname)
+	fi
+
+	if [ "${CONTAINER}" != "${utsname}" ]; then
+	    eerror "You should use the same name for the service and the"
+	    eerror "container. Right now the container is called ${utsname}"
+	    return 1
+	fi
+}
+
+depend() {
+	# be quiet, since we have to run depend() also for the
+	# non-muxed init script, unfortunately.
+	checkconfig 2>/dev/null || return 0
+
+	config ${CONFIGFILE}
+	need localmount
+	use lxcfs
+
+	local _x _if
+	for _x in $(lxc_get_net_link_type); do
+		_if=${_x%:*}
+		case "${_x##*:}" in
+			# when the network type is set to phys, we can make use of a
+			# network service (for instance to set it up before we disable
+			# the net_admin capability), but we might also  not set it up
+			# at all on the host and leave the net_admin capable service
+			# to take care of it.
+			phys)	use net.${_if} ;;
+			*)	need net.${_if} ;;
+		esac
+	done
+}
+
+start() {
+	checkconfig || return 1
+	rm -f /var/log/lxc/${CONTAINER}.log
+
+	rootpath=$(lxc_get_var lxc.rootfs)
+
+	# Check the format of our init and the chroot's init, to see
+	# if we have to use linux32 or linux64; always use setarch
+	# when required, as that makes it easier to deal with
+	# x32-based containers.
+	case $(scanelf -BF '%a#f' ${rootpath}/sbin/init) in
+		EM_X86_64)	setarch=linux64;;
+		EM_386)		setarch=linux32;;
+	esac
+
+	ebegin "Starting LXC container ${CONTAINER}"
+	env -i ${setarch} $(which lxc-start) -n ${CONTAINER} -f ${CONFIGFILE} -d -o /var/log/lxc/${CONTAINER}.log
+	sleep 1
+
+	# lxc-start -d will _always_ report a correct startup, even if it
+	# failed, so rather than trust that, check that the cgroup exists.
+	# fix for LXC 3.1	
+
+	STATE="$(lxc-info -s -H ${CONTAINER})"
+	[ "$STATE" = "RUNNING" ]
+	
+	eend $?
+}
+
+stop() {
+	checkconfig || return 1
+
+	STATE="$(lxc-info -s -H ${CONTAINER})"
+	
+	if ! [ "$STATE" = "RUNNING" ]; then
+	    ewarn "${CONTAINER} doesn't seem to be started."
+	    return 0
+	fi
+
+	# 30s should be enough to shut everything down
+	# lxc-stop will return back anyway as soon as successful shutdown
+	# after 30s, lxc-stop sends SIGKILL (dirty shotdown)
+	ebegin "Stopping LXC container ${CONTAINER}"
+	lxc-stop -t 30 -n ${CONTAINER}
+	eend $?
+}

sdk_container/src/third_party/portage-stable/app-containers/lxc/files/lxc.service-5.0.0

@@ -0,0 +1,19 @@
+[Unit]
+Description=LXC Container Initialization and Autoboot Code
+After=network.target lxc-net.service remote-fs.target
+Wants=lxc-net.service
+Documentation=man:lxc-autostart man:lxc
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/libexec/lxc/lxc-apparmor-load
+ExecStart=/usr/libexec//lxc/lxc-containers start
+ExecStop=/usr/libexec/lxc/lxc-containers stop
+ExecReload=/usr/libexec/lxc/lxc-apparmor-load
+# Environment=BOOTUP=serial
+# Environment=CONSOLETYPE=serial
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/portage-stable/app-containers/lxc/files/lxc_at.service.5.0.0

@@ -0,0 +1,19 @@
+[Unit]
+Description=LXC Container: %i
+# This pulls in apparmor, dev-setup, lxc-net
+After=lxc.service
+Wants=lxc.service
+Documentation=man:lxc-start man:lxc
+
+[Service]
+Type=simple
+KillMode=mixed
+TimeoutStopSec=120s
+ExecStart=/usr/bin/lxc-start -F -n %i
+ExecStop=/usr/bin/lxc-stop -n %i
+# Environment=BOOTUP=serial
+# Environment=CONSOLETYPE=serial
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/portage-stable/app-containers/lxc/lxc-5.0.3.ebuild

@@ -0,0 +1,169 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 linux-info meson optfeature systemd toolchain-funcs verify-sig
+
+DESCRIPTION="A userspace interface for the Linux kernel containment features"
+HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
+	verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
+
+LICENSE="GPL-2 LGPL-2.1 LGPL-3"
+SLOT="0/1.502" # SONAME liblxc.so.1 + ${PV//./} _if_ breaking ABI change while bumping.
+KEYWORDS="amd64 ~arm ~arm64 ~ppc64 ~riscv x86"
+IUSE="apparmor +caps examples io-uring lto man pam seccomp selinux ssl systemd test +tools"
+
+RDEPEND="acct-group/lxc
+	acct-user/lxc
+	apparmor? ( sys-libs/libapparmor )
+	caps? ( sys-libs/libcap[static-libs] )
+	io-uring? ( >=sys-libs/liburing-2:= )
+	pam? ( sys-libs/pam )
+	seccomp? ( sys-libs/libseccomp )
+	selinux? ( sys-libs/libselinux )
+	ssl? ( dev-libs/openssl:0= )
+	systemd? ( sys-apps/systemd:= )
+	tools? ( sys-libs/libcap[static-libs] )"
+DEPEND="${RDEPEND}
+	sys-kernel/linux-headers"
+BDEPEND="virtual/pkgconfig
+	man? ( app-text/docbook2X )
+	verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
+
+RESTRICT="!test? ( test )"
+
+CONFIG_CHECK="~!NETPRIO_CGROUP
+	~CGROUPS
+	~CGROUP_CPUACCT
+	~CGROUP_DEVICE
+	~CGROUP_FREEZER
+
+	~CGROUP_SCHED
+	~CPUSETS
+	~IPC_NS
+	~MACVLAN
+
+	~MEMCG
+	~NAMESPACES
+	~NET_NS
+	~PID_NS
+
+	~POSIX_MQUEUE
+	~USER_NS
+	~UTS_NS
+	~VETH"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
+ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
+
+DOCS=( AUTHORS CONTRIBUTING MAINTAINERS README.md doc/FAQ.txt )
+
+pkg_setup() {
+	linux-info_pkg_setup
+}
+
+src_configure() {
+	local emesonargs=(
+		--localstatedir "${EPREFIX}/var"
+
+		-Dcoverity-build=false
+		-Doss-fuzz=false
+
+		-Dcommands=true
+		-Dmemfd-rexec=true
+		-Dthread-safety=true
+
+		$(meson_use apparmor)
+		$(meson_use caps capabilities)
+		$(meson_use examples)
+		$(meson_use io-uring io-uring-event-loop)
+		$(meson_use lto b_lto)
+		$(meson_use man)
+		$(meson_use pam pam-cgroup)
+		$(meson_use seccomp)
+		$(meson_use selinux)
+		$(meson_use ssl openssl)
+		$(meson_use test tests)
+		$(meson_use tools)
+
+		-Ddata-path=/var/lib/lxc
+		-Ddoc-path=/usr/share/doc/${PF}
+		-Dlog-path=/var/log/lxc
+		-Drootfs-mount-path=/var/lib/lxc/rootfs
+		-Druntime-path=/run
+	)
+
+	if use systemd; then
+		local emesonargs+=( -Dinit-script="systemd" )
+		local emesonargs+=( -Dsd-bus=enabled )
+	else
+		local emesonargs+=( -Dinit-script="sysvinit" )
+		local emesonargs+=( -Dsd-bus=disabled )
+	fi
+
+	use tools && local emesonargs+=( -Dcapabilities=true )
+
+	if $(tc-ld-is-gold) || $(tc-ld-is-lld); then
+		local emesonargs+=( -Db_lto_mode=thin )
+	else
+		local emesonargs+=( -Db_lto_mode=default )
+	fi
+
+	meson_src_configure
+}
+
+src_install() {
+	meson_src_install
+
+	# The main bash-completion file will collide with lxd, need to relocate and update symlinks.
+	mkdir -p "${ED}"/$(get_bashcompdir) || die "Failed to create bashcompdir."
+
+	if use tools; then
+		bashcomp_alias lxc-start lxc-{attach,autostart,cgroup,checkpoint,config,console,copy,create,destroy,device,execute,freeze,info,ls,monitor,snapshot,stop,top,unfreeze,unshare,usernsexec,wait}
+	else
+		bashcomp_alias lxc-start lxc-usernsexec
+	fi
+
+	keepdir /var/lib/cache/lxc /var/lib/lib/lxc
+
+	find "${ED}" -name '*.la' -delete -o -name '*.a' -delete || die
+
+	# Replace upstream sysvinit/systemd files.
+	if use systemd; then
+		rm -r "${D}$(systemd_get_systemunitdir)" || die "Failed to remove systemd lib dir"
+	else
+		rm "${ED}"/etc/init.d/lxc-{containers,net} || die "Failed to remove sysvinit scripts"
+	fi
+
+	newinitd "${FILESDIR}/${PN}.initd.9" ${PN}
+	systemd_newunit "${FILESDIR}"/lxc-monitord.service.5.0.0 lxc-monitord.service
+	systemd_newunit "${FILESDIR}"/lxc-net.service.5.0.0 lxc-net.service
+	systemd_newunit "${FILESDIR}"/lxc.service-5.0.0 lxc.service
+	systemd_newunit "${FILESDIR}"/lxc_at.service.5.0.0 "lxc@.service"
+
+	if ! use apparmor; then
+		sed -i '/lxc-apparmor-load/d' "${D}$(systemd_get_systemunitdir)/lxc.service" ||
+			die "Failed to remove apparmor references from lxc.service systemd unit."
+	fi
+}
+
+pkg_postinst() {
+	elog "Please refer to "
+	elog "https://wiki.gentoo.org/wiki/LXC for introduction and usage guide."
+	elog
+	elog "Run 'lxc-checkconfig' to see optional kernel features."
+	elog
+
+	optfeature "automatic template scripts" app-containers/lxc-templates
+	optfeature "Debian-based distribution container image support" dev-util/debootstrap
+	optfeature "snapshot & restore functionality" sys-process/criu
+}

sdk_container/src/third_party/portage-stable/app-containers/lxc/lxc-6.0.3.ebuild

@@ -0,0 +1,168 @@
+# Copyright 2022-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 linux-info meson optfeature systemd verify-sig
+
+DESCRIPTION="A userspace interface for the Linux kernel containment features"
+HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
+	verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
+
+LICENSE="GPL-2 LGPL-2.1 LGPL-3"
+SLOT="0/1.8" # SONAME liblxc.so.1 + ${PV//./} _if_ breaking ABI change while bumping.
+KEYWORDS="amd64 ~arm ~arm64 ~ppc64 ~riscv x86"
+IUSE="apparmor +caps examples io-uring man pam seccomp selinux ssl systemd test +tools"
+
+RDEPEND="acct-group/lxc
+	acct-user/lxc
+	apparmor? ( sys-libs/libapparmor )
+	caps? ( sys-libs/libcap )
+	io-uring? ( >=sys-libs/liburing-2:= )
+	pam? ( sys-libs/pam )
+	seccomp? ( sys-libs/libseccomp )
+	selinux? ( sys-libs/libselinux )
+	ssl? ( dev-libs/openssl:0= )
+	systemd? (
+		sys-apps/dbus
+		sys-apps/systemd:=
+	)
+	tools? ( sys-libs/libcap )"
+DEPEND="${RDEPEND}
+	caps? ( sys-libs/libcap[static-libs] )
+	tools? ( sys-libs/libcap[static-libs] )
+	sys-kernel/linux-headers"
+BDEPEND="virtual/pkgconfig
+	man? ( app-text/docbook2X )
+	verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
+
+RESTRICT="!test? ( test )"
+
+CONFIG_CHECK="~!NETPRIO_CGROUP
+	~CGROUPS
+	~CGROUP_CPUACCT
+	~CGROUP_DEVICE
+	~CGROUP_FREEZER
+
+	~CGROUP_SCHED
+	~CPUSETS
+	~IPC_NS
+	~MACVLAN
+
+	~MEMCG
+	~NAMESPACES
+	~NET_NS
+	~PID_NS
+
+	~POSIX_MQUEUE
+	~USER_NS
+	~UTS_NS
+	~VETH"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
+ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
+
+DOCS=( AUTHORS CONTRIBUTING MAINTAINERS README.md doc/FAQ.txt )
+
+pkg_setup() {
+	linux-info_pkg_setup
+}
+
+src_configure() {
+
+	# -Dtools-multicall=false: will create a single binary called 'lxc' that conflicts with LXD.
+	local emesonargs=(
+		--localstatedir "${EPREFIX}/var"
+
+		-Dcoverity-build=false
+		-Dinstall-state-dirs=false
+		-Doss-fuzz=false
+		-Dspecfile=false
+		-Dtools-multicall=false
+
+		-Dcommands=true
+		-Dinstall-init-files=true
+		-Dmemfd-rexec=true
+		-Dthread-safety=true
+
+		$(meson_use apparmor)
+		$(meson_use caps capabilities)
+		$(meson_use examples)
+		$(meson_use io-uring io-uring-event-loop)
+		$(meson_use man)
+		$(meson_use pam pam-cgroup)
+		$(meson_use seccomp)
+		$(meson_use selinux)
+		$(meson_use ssl openssl)
+		$(meson_use test tests)
+		$(meson_use tools)
+
+		$(usex systemd -Ddbus=true -Ddbus=false)
+		$(usex systemd -Dinit-script="systemd" -Dinit-script="sysvinit")
+
+		-Ddata-path=/var/lib/lxc
+		-Ddoc-path=/usr/share/doc/${PF}
+		-Dlog-path=/var/log/lxc
+		-Drootfs-mount-path=/var/lib/lxc/rootfs
+		-Druntime-path=/run
+	)
+
+	use tools && local emesonargs+=( -Dcapabilities=true )
+
+	meson_src_configure
+}
+
+src_install() {
+	meson_src_install
+
+	# The main bash-completion file will collide with lxd, need to relocate and update symlinks.
+	local lxcbashcompdir="${D}/$(get_bashcompdir)"
+	mkdir -p "${lxcbashcompdir}" || die "Failed to create bashcompdir."
+	mv "${lxcbashcompdir}"/_lxc "${lxcbashcompdir}"/lxc-start || die "Failed to move _lxc bash completion file."
+
+	# Build system will install all bash completion files regardless of our 'tools' use flag.
+	# Though installing them all will add bash completions for commands that don't exist, it's
+	# cleaner than dealing with individual files based on the use flag status.
+	bashcomp_alias lxc-start lxc-{attach,autostart,cgroup,checkpoint,config,console,copy,create,destroy,device,execute,freeze,info,ls,monitor,snapshot,stop,top,unfreeze,unshare,update-config,usernsexec,wait}
+
+	find "${ED}" -name '*.la' -delete -o -name '*.a' -delete || die
+
+	# Replace upstream sysvinit/systemd files.
+	if use systemd ; then
+		rm -r "${D}$(systemd_get_systemunitdir)" || die "Failed to remove systemd lib dir"
+	else
+		rm "${ED}"/etc/init.d/lxc-{containers,net} || die "Failed to remove sysvinit scripts"
+	fi
+
+	newinitd "${FILESDIR}/${PN}.initd.9" ${PN}
+	systemd_newunit "${FILESDIR}"/lxc-monitord.service.5.0.0 lxc-monitord.service
+	systemd_newunit "${FILESDIR}"/lxc-net.service.5.0.0 lxc-net.service
+	systemd_newunit "${FILESDIR}"/lxc.service-5.0.0 lxc.service
+	systemd_newunit "${FILESDIR}"/lxc_at.service.5.0.0 "lxc@.service"
+
+	if ! use apparmor; then
+		sed -i '/lxc-apparmor-load/d' "${D}$(systemd_get_systemunitdir)/lxc.service" ||
+			die "Failed to remove apparmor references from lxc.service systemd unit."
+	fi
+}
+
+pkg_postinst() {
+	elog "Please refer to "
+	elog "https://wiki.gentoo.org/wiki/LXC for introduction and usage guide."
+	elog
+	elog "Run 'lxc-checkconfig' to see optional kernel features."
+	elog
+
+	optfeature "creating your own LXC containers" app-containers/distrobuilder
+	optfeature "automatic template scripts" app-containers/lxc-templates
+	optfeature "Debian-based distribution container image support" dev-util/debootstrap
+	optfeature "snapshot & restore functionality" sys-process/criu
+}

sdk_container/src/third_party/portage-stable/app-containers/lxc/lxc-6.0.4-r1.ebuild

@@ -0,0 +1,172 @@
+# Copyright 2022-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 linux-info meson optfeature systemd verify-sig
+
+DESCRIPTION="A userspace interface for the Linux kernel containment features"
+HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
+	verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
+
+LICENSE="GPL-2 LGPL-2.1 LGPL-3"
+SLOT="0/1.8" # SONAME liblxc.so.1 + ${PV//./} _if_ breaking ABI change while bumping.
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor +caps examples io-uring man pam seccomp selinux ssl systemd test +tools"
+
+RDEPEND="acct-group/lxc
+	acct-user/lxc
+	apparmor? ( sys-libs/libapparmor )
+	caps? ( sys-libs/libcap )
+	io-uring? ( >=sys-libs/liburing-2:= )
+	pam? ( sys-libs/pam )
+	seccomp? ( sys-libs/libseccomp )
+	selinux? ( sys-libs/libselinux )
+	ssl? ( dev-libs/openssl:0= )
+	systemd? (
+		sys-apps/dbus
+		sys-apps/systemd:=
+	)
+	tools? ( sys-libs/libcap )"
+DEPEND="${RDEPEND}
+	caps? ( sys-libs/libcap[static-libs] )
+	tools? ( sys-libs/libcap[static-libs] )
+	sys-kernel/linux-headers"
+BDEPEND="virtual/pkgconfig
+	man? ( app-text/docbook2X )
+	verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
+
+RESTRICT="!test? ( test )"
+
+CONFIG_CHECK="~!NETPRIO_CGROUP
+	~CGROUPS
+	~CGROUP_CPUACCT
+	~CGROUP_DEVICE
+	~CGROUP_FREEZER
+
+	~CGROUP_SCHED
+	~CPUSETS
+	~IPC_NS
+	~MACVLAN
+
+	~MEMCG
+	~NAMESPACES
+	~NET_NS
+	~PID_NS
+
+	~POSIX_MQUEUE
+	~USER_NS
+	~UTS_NS
+	~VETH"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
+ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
+
+DOCS=( AUTHORS CONTRIBUTING MAINTAINERS README.md doc/FAQ.txt )
+
+PATCHES=(
+	"${FILESDIR}"/${P}-start-Re-introduce-first-SET_DUMPABLE-call.patch
+)
+
+pkg_setup() {
+	linux-info_pkg_setup
+}
+
+src_configure() {
+
+	# -Dtools-multicall=false: will create a single binary called 'lxc' that conflicts with LXD.
+	local emesonargs=(
+		--localstatedir "${EPREFIX}/var"
+
+		-Dcoverity-build=false
+		-Dinstall-state-dirs=false
+		-Doss-fuzz=false
+		-Dspecfile=false
+		-Dtools-multicall=false
+
+		-Dcommands=true
+		-Dinstall-init-files=true
+		-Dmemfd-rexec=true
+		-Dthread-safety=true
+
+		$(meson_use apparmor)
+		$(meson_use caps capabilities)
+		$(meson_use examples)
+		$(meson_use io-uring io-uring-event-loop)
+		$(meson_use man)
+		$(meson_use pam pam-cgroup)
+		$(meson_use seccomp)
+		$(meson_use selinux)
+		$(meson_use ssl openssl)
+		$(meson_use test tests)
+		$(meson_use tools)
+
+		$(usex systemd -Ddbus=true -Ddbus=false)
+		$(usex systemd -Dinit-script="systemd" -Dinit-script="sysvinit")
+
+		-Ddata-path=/var/lib/lxc
+		-Ddoc-path=/usr/share/doc/${PF}
+		-Dlog-path=/var/log/lxc
+		-Drootfs-mount-path=/var/lib/lxc/rootfs
+		-Druntime-path=/run
+	)
+
+	use tools && local emesonargs+=( -Dcapabilities=true )
+
+	meson_src_configure
+}
+
+src_install() {
+	meson_src_install
+
+	# The main bash-completion file will collide with lxd, need to relocate and update symlinks.
+	local lxcbashcompdir="${D}/$(get_bashcompdir)"
+	mkdir -p "${lxcbashcompdir}" || die "Failed to create bashcompdir."
+	mv "${lxcbashcompdir}"/_lxc "${lxcbashcompdir}"/lxc-start || die "Failed to move _lxc bash completion file."
+
+	# Build system will install all bash completion files regardless of our 'tools' use flag.
+	# Though installing them all will add bash completions for commands that don't exist, it's
+	# cleaner than dealing with individual files based on the use flag status.
+	bashcomp_alias lxc-start lxc-{attach,autostart,cgroup,checkpoint,config,console,copy,create,destroy,device,execute,freeze,info,ls,monitor,snapshot,stop,top,unfreeze,unshare,update-config,usernsexec,wait}
+
+	find "${ED}" -name '*.la' -delete -o -name '*.a' -delete || die
+
+	# Replace upstream sysvinit/systemd files.
+	if use systemd ; then
+		rm -r "${D}$(systemd_get_systemunitdir)" || die "Failed to remove systemd lib dir"
+	else
+		rm "${ED}"/etc/init.d/lxc-{containers,net} || die "Failed to remove sysvinit scripts"
+	fi
+
+	newinitd "${FILESDIR}/${PN}.initd.9" ${PN}
+	systemd_newunit "${FILESDIR}"/lxc-monitord.service.5.0.0 lxc-monitord.service
+	systemd_newunit "${FILESDIR}"/lxc-net.service.5.0.0 lxc-net.service
+	systemd_newunit "${FILESDIR}"/lxc.service-5.0.0 lxc.service
+	systemd_newunit "${FILESDIR}"/lxc_at.service.5.0.0 "lxc@.service"
+
+	if ! use apparmor; then
+		sed -i '/lxc-apparmor-load/d' "${D}$(systemd_get_systemunitdir)/lxc.service" ||
+			die "Failed to remove apparmor references from lxc.service systemd unit."
+	fi
+}
+
+pkg_postinst() {
+	elog "Please refer to "
+	elog "https://wiki.gentoo.org/wiki/LXC for introduction and usage guide."
+	elog
+	elog "Run 'lxc-checkconfig' to see optional kernel features."
+	elog
+
+	optfeature "creating your own LXC containers" app-containers/distrobuilder
+	optfeature "automatic template scripts" app-containers/lxc-templates
+	optfeature "Debian-based distribution container image support" dev-util/debootstrap
+	optfeature "snapshot & restore functionality" sys-process/criu
+}

sdk_container/src/third_party/portage-stable/app-containers/lxc/metadata.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person">
+    <email>juippis@gentoo.org</email>
+    <name>Joonas Niilola</name>
+  </maintainer>
+  <maintainer type="project">
+    <email>virtualization@gentoo.org</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+  <use>
+    <flag name="tools">Build and install additional command line tools</flag>
+  </use>
+  <upstream>
+    <remote-id type="github">lxc/lxc</remote-id>
+    <remote-id type="cpe">cpe:/a:linuxcontainers:lxc</remote-id>
+  </upstream>
+</pkgmetadata>