[lxc-devel] [RFC] [PATCH] Multiple fixes for the ArchLinux template
Leonid Isaev
lisaev at umail.iu.edu
Sun Dec 29 21:53:12 UTC 2013
Multiple fixes for the ArchLinux template:
1. Add some packages from base group to the pkg install list.
2. Better comment and clean up the default container config, namely: (i) remove
duplicate and conflicting entries, (ii) constrain list of accessible devices on
the host.
3. Do not copy the pacman keyring master key (pacman at localhost) from the host,
as this opens host to attacks. Instead, generate a new private/public keypair.
4. Be more verbose when reporting successful creation of a container. Also,
print a BIG FAT warning about the empty root password.
---
templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index e3c01d5..7fc4ab3 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -49,7 +49,7 @@ base_packages=(
"iputils"
"inetutils"
"dhcpcd"
- "dnsutils"
+ "ldns"
"nano"
"grep"
"less"
@@ -58,6 +58,9 @@ base_packages=(
"tar"
"gzip"
"which"
+ "diffutils"
+ "file"
+ "vi"
)
declare -a additional_packages
@@ -113,6 +116,9 @@ ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
# set default systemd target
ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# initialize pacman keyring
+pacman-key --init
+pacman-key --populate archlinux
EOF
return 0
}
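Review bot: The exit status of the two added `pacman-key` calls is not checked, so a failed keyring initialisation leaves the container with no trusted keys while the function still reaches `return 0`; `pacman-key --init` is known to stall or fail when the chroot has little entropy, so this is not a theoretical path. If the here-document is fed to a shell inside the new rootfs, as the surrounding `ln -s` lines suggest, make the failures abort it: `pacman-key --init || exit 1` and `pacman-key --populate archlinux || exit 1`. The enclosing function starts outside the hunk, so whether the consuming shell already runs with `set -e` cannot be seen here.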
@@ -136,19 +142,21 @@ lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500
#cgroups
+# please refer to kernel documentation for details:
+# https://www.kernel.org/doc/Documentation/devices.txt
+# https://www.kernel.org/doc/Documentation/cgroups/devices.txt
lxc.cgroup.devices.deny = a
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
+# /dev/{null,zero,full,random,urandom}
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{tty,console,ptmx}
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
+# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
EOF
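Review bot: With the wildcard `c *:* m` / `b *:* m` entries gone and `lxc.cgroup.devices.deny = a` as the base rule, every device not listed — including /dev/tty1 (`c 4:1`), which the old config allowed — can no longer be created or opened inside the container, and the generated config does not say so. A one-line comment after the kernel documentation links would save users a debugging round: `# everything not listed below is denied (including mknod); add further devices explicitly`. The here-document and its enclosing function start outside the hunk.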
@@ -166,7 +174,7 @@ EOF
# install packages within container chroot
function install_arch {
- if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
+ if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
echo "Failed to install container packages"
return 1
fi
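Review bot: The changed `pacstrap` line still expands `${base_packages[@]}` unquoted, so the package list is subject to word splitting and globbing; quote it as `if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" "${base_packages[@]}"; then`. While touching the failure branch, the diagnostic `echo "Failed to install container packages"` goes to stdout rather than stderr, `echo "Failed to install container packages" >&2`. install_arch continues past the end of the hunk.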
@@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then
exit 1
fi
-echo "container config is ${config_path}/config"
+cat << EOF
+
+ArchLinux container ${name} is successfully created! The configuration is
+stored in ${config_path}/config. Please refer to https://wiki.archlinux.org for
+information about configuring ArchLinux.
+
+************************************************************
+* THIS CONTAINER IS VULNERABLE. *
+* There is *NO* default root password. *
+* It is highly recommended that you set it on first login. *
+************************************************************
+EOF
+
+exit 0
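Review bot: The banner goes to stdout through `cat << EOF`, so a caller that captures or redirects the template's output never sees the empty-root-password warning; send at least the warning box to stderr, e.g. `cat << EOF >&2`. A warning also leaves the exposure in place: the template could lock the account in the chroot step (`passwd -l root`, next to the added `pacman-key` lines) and tell the user in the banner to set a password via lxc-attach before first use. Whether anything between this hunk and the chroot script already handles the root password is not visible here.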
--
1.8.5.2
--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D