[lxc-devel] [RFC] [PATCH] Multiple fixes for the ArchLinux template

Leonid Isaev lisaev at umail.iu.edu
Thu Jan 2 16:30:58 UTC 2014


On Thu, 2 Jan 2014 10:14:41 -0600
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Leonid Isaev (lisaev at umail.iu.edu):
> > Multiple fixes for the ArchLinux template:
> > 
> > 1. Add some packages from base group to the pkg install list.
> > 
> > 2. Better comment and clean up the default container config, namely: (i)
> > remove duplicate and conflicting entries, (ii) constrain list of
> > accessible devices on the host.
> > 
> > 3. Do not copy the pacman keyring master key (pacman at localhost) from the
> > host, as this opens host to attacks. Instead, generate a new
> > private/public keypair.
> > 
> > 4. Be more verbose when reporting successfull creation of a container.
> > Also, print a BIG FAT warning about the empty root password.
> 
> Thanks, Leonid.  Some of the changes look great, but I'm a little
> worried about some of these - Alexander, could you please confirm that
> these won't break your containers?

FWIW, I didn't notice any breakage in my tests but perhaps I wasn't looking
for the right thing.

> 
> Leonid, please make sure to add Signed-off-by: line right above the
> diffstat.

Sorry, completely forgot that. I'll resend whenever the patch is reviewed...

Happy new year,
Leonid.

> 
> > ---
> >  templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++-------
> >  1 file changed, 28 insertions(+), 7 deletions(-)
> > 
> > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> > index e3c01d5..7fc4ab3 100644
> > --- a/templates/lxc-archlinux.in
> > +++ b/templates/lxc-archlinux.in
> > @@ -49,7 +49,7 @@ base_packages=(
> >      "iputils"
> >      "inetutils"
> >      "dhcpcd"
> > -    "dnsutils"
> > +    "ldns"
> >      "nano"
> >      "grep"
> >      "less"
> > @@ -58,6 +58,9 @@ base_packages=(
> >      "tar"
> >      "gzip"
> >      "which"
> > +    "diffutils"
> > +    "file"
> > +    "vi"
> >  )
> >  declare -a additional_packages
> >  
> > @@ -113,6 +116,9 @@ ln
> > -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket ln
> > -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount # set
> > default systemd target ln
> > -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> > +# initialize pacman keyring +pacman-key --init
> > +pacman-key --populate archlinux
> >  EOF
> >      return 0
> >  }
> > @@ -136,19 +142,21 @@ lxc.network.flags=up
> >  lxc.network.name=eth0
> >  lxc.network.mtu=1500
> >  #cgroups
> > +# please refer to kernel documentation for details:
> > +# https://www.kernel.org/doc/Documentation/devices.txt
> > +# https://www.kernel.org/doc/Documentation/cgroups/devices.txt
> >  lxc.cgroup.devices.deny = a
> > -lxc.cgroup.devices.allow = c *:* m
> > -lxc.cgroup.devices.allow = b *:* m
> > +# /dev/{null,zero,full,random,urandom}
> >  lxc.cgroup.devices.allow = c 1:3 rwm
> >  lxc.cgroup.devices.allow = c 1:5 rwm
> >  lxc.cgroup.devices.allow = c 1:7 rwm
> >  lxc.cgroup.devices.allow = c 1:8 rwm
> >  lxc.cgroup.devices.allow = c 1:9 rwm
> > -lxc.cgroup.devices.allow = c 1:9 rwm
> > -lxc.cgroup.devices.allow = c 4:1 rwm
> > +# /dev/{tty,console,ptmx}
> >  lxc.cgroup.devices.allow = c 5:0 rwm
> >  lxc.cgroup.devices.allow = c 5:1 rwm
> >  lxc.cgroup.devices.allow = c 5:2 rwm
> > +# /dev/pts/*
> >  lxc.cgroup.devices.allow = c 136:* rwm
> >  EOF
> >  
> > @@ -166,7 +174,7 @@ EOF
> >  
> >  # install packages within container chroot
> >  function install_arch {
> > -    if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}"
> > ${base_packages[@]}; then
> > +    if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}"
> > ${base_packages[@]}; then echo "Failed to install container packages"
> >          return 1
> >      fi
> > @@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then
> >      exit 1
> >  fi
> >  
> > -echo "container config is ${config_path}/config"
> > +cat << EOF
> > +
> > +ArchLinux container ${name} is successfully created! The configuration is
> > +stored in ${config_path}/config. Please refer to
> > https://wiki.archlinux.org for +information about configuring ArchLinux.
> > +
> > +************************************************************
> > +* THIS CONTAINER IS VULNERABLE.                            *
> > +* There is *NO* default root password.                     *
> > +* It is highly recommended that you set it on first login. *
> > +************************************************************
> > +EOF
> > +
> > +exit 0
> > -- 
> > 1.8.5.2
> > 
> > 
> > -- 
> > Leonid Isaev
> > GnuPG key: 0x164B5A6D
> > Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
> 
> 
> 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel



-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140102/7d56c74e/attachment-0001.pgp>


More information about the lxc-devel mailing list