[lxc-devel] [RFC] [PATCH] Multiple fixes for the ArchLinux template

Leonid Isaev lisaev at umail.iu.edu
Sun Dec 29 21:53:12 UTC 2013


Multiple fixes for the ArchLinux template:

1. Add some packages from base group to the pkg install list.

2. Better comment and clean up the default container config, namely: (i) remove
duplicate and conflicting entries, (ii) constrain list of accessible devices on
the host.

3. Do not copy the pacman keyring master key (pacman at localhost) from the host,
as this opens host to attacks. Instead, generate a new private/public keypair.

4. Be more verbose when reporting successful creation of a container. Also,
print a BIG FAT warning about the empty root password.
---
 templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index e3c01d5..7fc4ab3 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -49,7 +49,7 @@ base_packages=(
     "iputils"
     "inetutils"
     "dhcpcd"
-    "dnsutils"
+    "ldns"
     "nano"
     "grep"
     "less"
@@ -58,6 +58,9 @@ base_packages=(
     "tar"
     "gzip"
     "which"
+    "diffutils"
+    "file"
+    "vi"
 )
 declare -a additional_packages
 
@@ -113,6 +116,9 @@ ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
 ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
 # set default systemd target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# initialize pacman keyring
+pacman-key --init
+pacman-key --populate archlinux
 EOF
     return 0
 }
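Review bot: The two added `pacman-key` calls are the only step in this heredoc whose failure has consequences for package verification, yet nothing checks their status — the function still reaches `return 0` on the next lines whether or not the keyring was initialised. `pacman-key --init` also generates a GnuPG keypair, which in a fresh rootfs can stall waiting for entropy, so a silent failure or hang here is plausible. I would make the heredoc script fail loudly, e.g. `pacman-key --init || exit 1` and `pacman-key --populate archlinux || exit 1` (or a `set -e` at the top of the heredoc), and have the caller propagate that status instead of unconditionally returning 0. `--populate archlinux` presumably relies on the archlinux-keyring package being present in the rootfs — worth a comment stating that assumption. The heredoc's start and the command it is fed to are outside this hunk.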
@@ -136,19 +142,21 @@ lxc.network.flags=up
 lxc.network.name=eth0
 lxc.network.mtu=1500
 #cgroups
+# please refer to kernel documentation for details:
+# https://www.kernel.org/doc/Documentation/devices.txt
+# https://www.kernel.org/doc/Documentation/cgroups/devices.txt
 lxc.cgroup.devices.deny = a
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
+# /dev/{null,zero,full,random,urandom}
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
 lxc.cgroup.devices.allow = c 1:7 rwm
 lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{tty,console,ptmx}
 lxc.cgroup.devices.allow = c 5:0 rwm
 lxc.cgroup.devices.allow = c 5:1 rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
+# /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
 EOF
 
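Review bot: The removal of the `c *:* m` / `b *:* m` lines together with `lxc.cgroup.devices.deny = a` means the container can no longer create device nodes for anything not explicitly listed below, and the new comments do not say so; a reader adding a workload that needs another device will only discover this from mknod failures. I would extend the comment block, e.g. `# everything else is denied; add further allow lines (major:minor from devices.txt) for any other device the container needs`. The device-to-number annotations themselves match the kernel numbering for the listed majors/minors as far as the visible lines show. The config heredoc starts outside this hunk.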
@@ -166,7 +174,7 @@ EOF
 
 # install packages within container chroot
 function install_arch {
-    if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
+    if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
         echo "Failed to install container packages"
         return 1
     fi
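Review bot: The rewritten pacstrap line keeps `${base_packages[@]}` unquoted, so every package name is subject to word-splitting and globbing; since the array is being touched in this same patch, quote it here: `if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" "${base_packages[@]}"; then`. The failure message on the following line goes to stdout; `echo "Failed to install container packages" >&2` keeps it out of any captured output. A short comment on what `-G` buys over the old flags would help future readers, e.g. `# -G: do not copy the host pacman keyring into the container`. install_arch's body continues past the end of this hunk.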
@@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then
     exit 1
 fi
 
-echo "container config is ${config_path}/config"
+cat << EOF
+
+ArchLinux container ${name} is successfully created! The configuration is
+stored in ${config_path}/config. Please refer to https://wiki.archlinux.org for 
+information about configuring ArchLinux.
+
+************************************************************
+* THIS CONTAINER IS VULNERABLE.                            *
+* There is *NO* default root password.                     *
+* It is highly recommended that you set it on first login. *
+************************************************************
+EOF
+
+exit 0
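Review bot: The banner only warns about the empty root password; the template leaves the account in that state, so every container created this way starts with passwordless root until the user acts. If the template has a chroot step into `${rootfs_path}` (outside this hunk), consider forcing a password change on first login with `passwd -e root` run inside the rootfs, and mention in the banner that this was done. Separately, the line ending in `https://wiki.archlinux.org for ` carries a trailing space that will show up in the printed message. The heredoc uses an unquoted `EOF`, which is correct here because `${name}` and `${config_path}` must expand.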
-- 
1.8.5.2


-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D