[lxc-devel] [PATCH] debian: Switch to config includes
Stéphane Graber
stgraber at ubuntu.com
Wed Jan 15 20:32:49 UTC 2014
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
config/templates/Makefile.am | 2 ++
config/templates/debian.common.conf.in | 62 ++++++++++++++++++++++++++++++++++
config/templates/debian.userns.conf.in | 9 +++++
configure.ac | 2 ++
templates/lxc-debian.in | 60 +++++++++++++++-----------------
5 files changed, 102 insertions(+), 33 deletions(-)
create mode 100644 config/templates/debian.common.conf.in
create mode 100644 config/templates/debian.userns.conf.in
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 4c71375..c7f5812 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,6 +1,8 @@
templatesconfigdir=@LXCTEMPLATECONFIG@
templatesconfig_DATA = \
+ debian.common.conf \
+ debian.userns.conf \
oracle.common.conf \
oracle.userns.conf \
plamo.common.conf \
diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
new file mode 100644
index 0000000..09e5c40
--- /dev/null
+++ b/config/templates/debian.common.conf.in
@@ -0,0 +1,62 @@
+# Default pivot location
+lxc.pivotdir = lxc_putold
+
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+
+# Default console settings
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.aa_profile = lxc-container-default-with-mounting
+
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
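Review bot: The default device allow-list in this new common config is wider than the inline list the template used to write into each container's config, and neither the file nor the commit message calls that out. Compared with the removed heredoc entries in `templates/lxc-debian.in`, it newly grants `c *:* m`/`b *:* m` (mknod), `c 10:229 rwm` (fuse), `c 10:200 rwm` (tun), `c 1:7 rwm` (full), `c 10:228 rwm` (hpet) and `c 10:232 rwm` (kvm), while the old `c 4:0`/`c 4:1` console entries are dropped. Since every Debian container that includes this file now inherits these by default, a short comment above `## fuse` would help administrators decide what to override in the per-container config, e.g. `## The entries below are granted to all containers including this file; to deny one, add a matching lxc.cgroup.devices.deny line to the container's own configuration.`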
diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
new file mode 100644
index 0000000..330a2f0
--- /dev/null
+++ b/config/templates/debian.userns.conf.in
@@ -0,0 +1,9 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
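Review bot: Nothing in this patch references `debian.userns.conf`: the new `lxc.include` lines in `templates/lxc-debian.in` only add `debian.common.conf` and `debian.${release}.conf`, so this file is installed but never included. If the intent is for users to add it to unprivileged containers by hand, a header comment stating that, and that the include presumably has to come after `debian.common.conf` so the empty `lxc.cgroup.devices.deny =`/`lxc.cgroup.devices.allow =` lines take effect over the common list, would save guesswork — e.g. `# Include this file after debian.common.conf in unprivileged (user namespace) containers.`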
diff --git a/configure.ac b/configure.ac
index c34dee1..2d55cd6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -532,6 +532,8 @@ AC_CONFIG_FILES([
config/Makefile
config/etc/Makefile
config/templates/Makefile
+ config/templates/debian.common.conf
+ config/templates/debian.userns.conf
config/templates/oracle.common.conf
config/templates/oracle.userns.conf
config/templates/plamo.common.conf
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index f399c0b..5d41396 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,6 +21,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
MIRROR=${MIRROR:-http://cdn.debian.net/debian}
+LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
configure_debian()
{
@@ -202,11 +204,11 @@ copy_debian()
install_debian()
{
- cache="@LOCALSTATEDIR@/cache/lxc/debian"
+ cache="$LOCALSTATEDIR/cache/lxc/debian"
rootfs=$1
release=$2
arch=$3
- mkdir -p @LOCALSTATEDIR@/lock/subsys/
+ mkdir -p $LOCALSTATEDIR/lock/subsys/
(
flock -x 9
if [ $? -ne 0 ]; then
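Review bot: The new `mkdir -p $LOCALSTATEDIR/lock/subsys/` leaves the substituted variable unquoted, while the `cache=` assignment two lines above quotes it; the same unquoted form appears in the `9>$LOCALSTATEDIR/lock/subsys/lxc-debian` redirections further down and in `clean()`. The value is a build-time autoconf substitution, so this is a consistency point rather than a bug, but `mkdir -p "$LOCALSTATEDIR/lock/subsys/"` and `9>"$LOCALSTATEDIR/lock/subsys/lxc-debian"` would match the quoted assignment and survive a prefix containing spaces.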
@@ -231,7 +233,7 @@ install_debian()
return 0
- ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+ ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
return $?
}
@@ -243,6 +245,10 @@ copy_configuration()
hostname=$3
arch=$4
+ # Generate the configuration file
+ ## Create the fstab (empty by default)
+ touch $path/fstab
+
# if there is exactly one veth network entry, make sure it has an
# associated hwaddr.
nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
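Review bot: The exit status of the added `touch $path/fstab` is not checked, whereas the heredoc write at the end of this function is followed by an `if [ $? -ne 0 ]` check; a failed touch would leave the generated `lxc.mount = $path/fstab` line pointing at a file that does not exist. Mirroring the existing pattern with `touch $path/fstab || return 1` (or whatever the function's failure path does — copy_configuration starts and ends outside this hunk) keeps the two writes consistent.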
@@ -250,37 +256,25 @@ copy_configuration()
grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
fi
+ ## Add all the includes
+ echo "" >> $path/config
+ echo "# Common configuration" >> $path/config
+ if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then
+ echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> $path/config
+ fi
+ if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then
+ echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" >> $path/config
+ fi
+
+ ## Add the container-specific config
+ echo "" >> $path/config
+ echo "# Container specific configuration" >> $path/config
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
+
cat <<EOF >> $path/config
-lxc.tty = 4
-lxc.pts = 1024
-lxc.arch = $arch
+lxc.mount = $path/fstab
lxc.utsname = $hostname
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
-
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-
-# mounts point
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.arch = $arch
EOF
if [ $? -ne 0 ]; then
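Review bot: The `if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]` guard silently skips the include when the file is missing, and because this hunk also removes `lxc.cap.drop`, `lxc.cgroup.devices.deny = a` and the proc/sysfs mount entries from the heredoc, a misinstalled or mispathed `LXC_TEMPLATE_CONFIG` now produces a container config with no capability drops and no device cgroup restrictions at all, with nothing in the output indicating it. The common include should be treated as required: keep the existence test for the release-specific file, which legitimately may not exist, but give the common one a failure branch, e.g. `else echo "Error: ${LXC_TEMPLATE_CONFIG}/debian.common.conf not found" >&2; return 1; fi`, or at minimum a warning on stderr. The include lines are written before the container-specific block, so the existing per-container `lxc.rootfs`, `lxc.mount` and `lxc.arch` lines still win on conflict, which looks like the intended ordering. copy_configuration starts before and ends after this hunk.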
@@ -293,7 +287,7 @@ EOF
clean()
{
- cache="@LOCALSTATEDIR@/cache/lxc/debian"
+ cache="$LOCALSTATEDIR/cache/lxc/debian"
if [ ! -e $cache ]; then
exit 0
@@ -311,7 +305,7 @@ clean()
rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
exit 0
- ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+ ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
}
usage()
--
1.8.5.2