[lxc-devel] [RFC] [PATCH] Multiple fixes for the ArchLinux template

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jan 2 16:14:41 UTC 2014


Quoting Leonid Isaev (lisaev at umail.iu.edu):
> Multiple fixes for the ArchLinux template:
> 
> 1. Add some packages from base group to the pkg install list.
> 
> 2. Better comment and clean up the default container config, namely: (i) remove
> duplicate and conflicting entries, (ii) constrain list of accessible devices on
> the host.
> 
> 3. Do not copy the pacman keyring master key (pacman at localhost) from the host,
> as this opens host to attacks. Instead, generate a new private/public keypair.
> 
> 4. Be more verbose when reporting successful creation of a container. Also,
> print a BIG FAT warning about the empty root password.

Thanks, Leonid.  Some of the changes look great, but I'm a little
worried about some of these - Alexander, could you please confirm that
these won't break your containers?

Leonid, please make sure to add a Signed-off-by: line right above the
diffstat.

> ---
>  templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++-------
>  1 file changed, 28 insertions(+), 7 deletions(-)
> 
> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> index e3c01d5..7fc4ab3 100644
> --- a/templates/lxc-archlinux.in
> +++ b/templates/lxc-archlinux.in
> @@ -49,7 +49,7 @@ base_packages=(
>      "iputils"
>      "inetutils"
>      "dhcpcd"
> -    "dnsutils"
> +    "ldns"
>      "nano"
>      "grep"
>      "less"
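Review bot: the swap of "dnsutils" for "ldns" in this hunk is not covered by the commit message, which only speaks of adding packages from the base group; say in the message whether this is a replacement (the package that now provides the DNS lookup tool you want in the container) or a deliberate drop, so a maintainer reading the log can tell it was not an accidental edit.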
> @@ -58,6 +58,9 @@ base_packages=(
>      "tar"
>      "gzip"
>      "which"
> +    "diffutils"
> +    "file"
> +    "vi"
>  )
>  declare -a additional_packages
>  
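Review bot: with "vi" added here the list installs two editors ("nano" is already present a few lines up); if vi is wanted because it is part of the base group, say so in the commit message, otherwise one editor is enough for a minimal container.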
> @@ -113,6 +116,9 @@ ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
>  ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
>  # set default systemd target
>  ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> +# initialize pacman keyring
> +pacman-key --init
> +pacman-key --populate archlinux
>  EOF
>      return 0
>  }
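Review bot: neither pacman-key call is checked for failure, so if `pacman-key --init` fails or is interrupted, `pacman-key --populate archlinux` still runs against an uninitialised keyring and the template reports success anyway; chain them as `pacman-key --init && pacman-key --populate archlinux` or make the chroot script exit on error. Also note in the commit message that `--init` generates a GPG master key inside the rootfs, which needs /dev/random and /dev/urandom to exist there and can block waiting for entropy on a headless host, which is a change in behaviour from copying the host keyring.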
> @@ -136,19 +142,21 @@ lxc.network.flags=up
>  lxc.network.name=eth0
>  lxc.network.mtu=1500
>  #cgroups
> +# please refer to kernel documentation for details:
> +# https://www.kernel.org/doc/Documentation/devices.txt
> +# https://www.kernel.org/doc/Documentation/cgroups/devices.txt
>  lxc.cgroup.devices.deny = a
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> +# /dev/{null,zero,full,random,urandom}
>  lxc.cgroup.devices.allow = c 1:3 rwm
>  lxc.cgroup.devices.allow = c 1:5 rwm
>  lxc.cgroup.devices.allow = c 1:7 rwm
>  lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 4:1 rwm
> +# /dev/{tty,console,ptmx}
>  lxc.cgroup.devices.allow = c 5:0 rwm
>  lxc.cgroup.devices.allow = c 5:1 rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
> +# /dev/pts/*
>  lxc.cgroup.devices.allow = c 136:* rwm
>  EOF
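Review bot: the security-relevant change in this hunk is the removal of `c *:* m` and `b *:* m`, which until now let the container mknod any character or block device number; the commit message should state this explicitly rather than "constrain list of accessible devices". The other removal, `c 4:1 rwm` (host tty1), is the one that could affect an existing container, so say whether anything in the container still opens /dev/tty1 or whether lxc's pty-backed ttys make it unnecessary. The new comments match the numbers (1:3 null, 1:5 zero, 1:7 full, 1:8 random, 1:9 urandom, 5:0 tty, 5:1 console, 5:2 ptmx, 136 pts) and dropping the duplicate `c 1:9 rwm` line is correct.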
>  
> @@ -166,7 +174,7 @@ EOF
>  
>  # install packages within container chroot
>  function install_arch {
> -    if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
> +    if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
>          echo "Failed to install container packages"
>          return 1
>      fi
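Review bot: `-G` is what item 3 of the commit message needs (pacstrap no longer copies the host keyring), but it also ties the template to an arch-install-scripts release whose pacstrap accepts that option; on an older host pacstrap will reject the unknown option and the only message the user sees is the generic "Failed to install container packages". Either document the minimum arch-install-scripts version in the commit message or probe for `-G` before calling pacstrap and fall back with a clear error.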
> @@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then
>      exit 1
>  fi
>  
> -echo "container config is ${config_path}/config"
> +cat << EOF
> +
> +ArchLinux container ${name} is successfully created! The configuration is
> +stored in ${config_path}/config. Please refer to https://wiki.archlinux.org for 
> +information about configuring ArchLinux.
> +
> +************************************************************
> +* THIS CONTAINER IS VULNERABLE.                            *
> +* There is *NO* default root password.                     *
> +* It is highly recommended that you set it on first login. *
> +************************************************************
> +EOF
> +
> +exit 0
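Review bot: the "Please refer to https://wiki.archlinux.org for " line carries trailing whitespace that patch-checking tools will flag. On the warning itself: telling the user to set the root password "on first login" leaves the empty password in place until then; it would be more useful to print the concrete command (for example `chroot "${rootfs_path}" passwd` before first start, or `lxc-attach` afterwards), or to have the template lock the account with `passwd -l root` in the chroot and say that instead, since an unset root password on a container with a network interface is the actual risk the banner is warning about.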
> -- 
> 1.8.5.2
> 
> 
> -- 
> Leonid Isaev
> GnuPG key: 0x164B5A6D
> Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D



> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
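The device-cgroup hunk above is the kind of change worth checking mechanically before and after a template edit. The following is an added example, not code from the lxc-archlinux template or from the patch: a portable shell audit of the `lxc.cgroup.devices.allow` lines in an LXC config that flags whole-class wildcard grants (a `*` major, like the `c *:* m` and `b *:* m` lines the patch removes), duplicate entries and malformed permission strings, and names the well-known device numbers from Documentation/devices.txt. The function names are this example's own, and the two sample configs are constructed from the hunk's before and after lines.

```shell
#!/bin/sh
# Added example (not from the lxc-archlinux template or the patch above):
# a static audit of the lxc.cgroup.devices.allow lines in an LXC config.
# It flags whole-class wildcard grants (major "*", as in the "c *:* m" and
# "b *:* m" lines the patch removes), duplicate entries and malformed
# permission strings, and names the well-known device numbers from
# Documentation/devices.txt. All function names and the sample configs are
# this example's own.

# Translate "type major:minor" into the conventional /dev name for the
# numbers the template uses; anything else is echoed back unchanged.
device_name() {
    case "$1 $2" in
        "c 1:3")   echo null ;;
        "c 1:5")   echo zero ;;
        "c 1:7")   echo full ;;
        "c 1:8")   echo random ;;
        "c 1:9")   echo urandom ;;
        "c 4:"*)   echo "tty${2#4:}" ;;   # virtual consoles: minor = tty number
        "c 5:0")   echo tty ;;
        "c 5:1")   echo console ;;
        "c 5:2")   echo ptmx ;;
        "c 136:*") echo 'pts/*' ;;
        *)         echo "$1 $2" ;;
    esac
}

# Print "type major:minor perms" for every lxc.cgroup.devices.allow line.
allow_entries() {
    awk '/^[ \t]*lxc\.cgroup\.devices\.allow[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")          # drop "lxc.cgroup.devices.allow ="
            split($0, f, /[ \t]+/)
            print f[1], f[2], f[3]
        }' "$1"
}

# One finding per line: allow-all, wildcard, duplicate or bad-perms.
audit_device_allows() {
    seen=" "
    allow_entries "$1" | while read -r type dev perms; do
        [ -n "$type" ] || continue
        entry="$type $dev $perms"
        if [ "$type" = a ]; then
            printf 'allow-all: "%s" grants every device\n' "$entry"
            continue
        fi
        case "$dev" in
            '*:'*) printf 'wildcard: "%s" grants %s on every %s device (with m the container may mknod any node)\n' \
                       "$entry" "$perms" "$type" ;;
        esac
        case "$seen" in
            *" $type $dev "*) printf 'duplicate: "%s" repeats %s\n' \
                                  "$entry" "$(device_name "$type" "$dev")" ;;
        esac
        seen="$seen$type $dev "
        case "$perms" in
            ''|*[!rwm]*) printf 'bad-perms: "%s" (expected some of r, w, m)\n' "$entry" ;;
        esac
    done
}

# Number of findings; 0 means the whitelist is explicit and duplicate-free.
count_device_findings() {
    audit_device_allows "$1" | awk 'END { print NR }'
}

# Constructed sample: the template's device section before the patch.
sample_old_config() {
    cat <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
EOF
}

# Constructed sample: the section as the patch leaves it, derived from the
# old one by dropping the wildcard lines, the tty1 line and the duplicate.
sample_new_config() {
    sample_old_config | grep -v -e '\*:\*' -e ' 4:1 ' | awk '!seen[$0]++'
}

# Demo: write both samples to a scratch directory and audit them.
tmp=$(mktemp -d) || exit 1
sample_old_config > "$tmp/old.conf"
sample_new_config > "$tmp/new.conf"
for cfg in old new; do
    echo "== $cfg config: $(count_device_findings "$tmp/$cfg.conf") finding(s)"
    audit_device_allows "$tmp/$cfg.conf"
done
rm -rf "$tmp"
```

Run it against a real `${config_path}/config` by calling `audit_device_allows` on that path; the old section reports the two wildcard grants and the duplicated 1:9 line, the patched one reports nothing. The audit is deliberately static: it only tells you what the config asks for, so after starting the container compare it with what the kernel actually applied in the container's `devices.list` under the devices cgroup.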


