[lxc-devel] [PATCH] debian: Switch to config includes
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jan 15 20:39:03 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/templates/Makefile.am | 2 ++
> config/templates/debian.common.conf.in | 62 ++++++++++++++++++++++++++++++++++
> config/templates/debian.userns.conf.in | 9 +++++
> configure.ac | 2 ++
> templates/lxc-debian.in | 60 +++++++++++++++-----------------
> 5 files changed, 102 insertions(+), 33 deletions(-)
> create mode 100644 config/templates/debian.common.conf.in
> create mode 100644 config/templates/debian.userns.conf.in
>
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 4c71375..c7f5812 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -1,6 +1,8 @@
> templatesconfigdir=@LXCTEMPLATECONFIG@
>
> templatesconfig_DATA = \
> + debian.common.conf \
> + debian.userns.conf \
> oracle.common.conf \
> oracle.userns.conf \
> plamo.common.conf \
> diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
> new file mode 100644
> index 0000000..09e5c40
> --- /dev/null
> +++ b/config/templates/debian.common.conf.in
> @@ -0,0 +1,62 @@
> +# Default pivot location
> +lxc.pivotdir = lxc_putold
> +
> +# Default mount entries
> +lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> +lxc.mount.entry = sysfs sys sysfs defaults 0 0
> +lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
> +
> +# Default console settings
> +lxc.tty = 4
> +lxc.pts = 1024
> +
> +# Default capabilities
> +lxc.cap.drop = sys_module mac_admin mac_override sys_time
> +
> +# When using LXC with apparmor, the container will be confined by default.
> +# If you wish for it to instead run unconfined, copy the following line
> +# (uncommented) to the container's configuration file.
> +#lxc.aa_profile = unconfined
> +
> +# To support container nesting on an Ubuntu host while retaining most of
> +# apparmor's added security, use the following two lines instead.
> +#lxc.aa_profile = lxc-container-default-with-nesting
> +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> +
> +# If you wish to allow mounting block filesystems, then use the following
> +# line instead, and make sure to grant access to the block device and/or loop
> +# devices below in lxc.cgroup.devices.allow.
> +#lxc.aa_profile = lxc-container-default-with-mounting
> +
> +# Default cgroup limits
> +lxc.cgroup.devices.deny = a
> +## Allow any mknod (but not using the node)
> +lxc.cgroup.devices.allow = c *:* m
> +lxc.cgroup.devices.allow = b *:* m
> +## /dev/null and zero
> +lxc.cgroup.devices.allow = c 1:3 rwm
> +lxc.cgroup.devices.allow = c 1:5 rwm
> +## consoles
> +lxc.cgroup.devices.allow = c 5:0 rwm
> +lxc.cgroup.devices.allow = c 5:1 rwm
> +## /dev/{,u}random
> +lxc.cgroup.devices.allow = c 1:8 rwm
> +lxc.cgroup.devices.allow = c 1:9 rwm
> +## /dev/pts/*
> +lxc.cgroup.devices.allow = c 5:2 rwm
> +lxc.cgroup.devices.allow = c 136:* rwm
> +## rtc
> +lxc.cgroup.devices.allow = c 254:0 rm
> +## fuse
> +lxc.cgroup.devices.allow = c 10:229 rwm
> +## tun
> +lxc.cgroup.devices.allow = c 10:200 rwm
> +## full
> +lxc.cgroup.devices.allow = c 1:7 rwm
> +## hpet
> +lxc.cgroup.devices.allow = c 10:228 rwm
> +## kvm
> +lxc.cgroup.devices.allow = c 10:232 rwm
> +## To use loop devices, copy the following line to the container's
> +## configuration file (uncommented).
> +#lxc.cgroup.devices.allow = b 7:* rwm
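Review bot: The device whitelist here is wider than the one lxc-debian previously wrote inline into each container config: `c 10:232` (kvm), `c 10:200` (tun), `c 10:229` (fuse), `c 10:228` (hpet) and `c 1:7` (full) are new grants, while `c 4:0` and `c 4:1` from the old "consoles" group are no longer allowed. Nothing in the commit message says this change in confinement is intended rather than a side effect of what appears to mirror another template's common file. If it is deliberate, a short header comment would help later readers, e.g. `# Device rules below are shared with the other templates; kvm, tun and fuse are allowed by default - remove the line in a container's own config to tighten it`. Existing containers keep their own copy of the old inline config, so only newly created containers pick this up.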
> diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
> new file mode 100644
> index 0000000..330a2f0
> --- /dev/null
> +++ b/config/templates/debian.userns.conf.in
> @@ -0,0 +1,9 @@
> +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> +lxc.cgroup.devices.deny =
> +lxc.cgroup.devices.allow =
> +
> +# Extra bind-mounts for userns
> +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
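Review bot: The two empty assignments on the first lines rely on the reader knowing that an empty value presumably resets a list key; the comment says why the reset is needed, not what it does. Suggest `# Empty values clear the device rules inherited from debian.common.conf: applying cgroup.devices needs CAP_SYS_ADMIN in the initial user namespace, which an unprivileged container does not have`. The bind-mount list also covers only console, null, tty and urandom, while the common file whitelists zero and random as well; if that omission is intentional, a one-line note saying so would keep it from being "fixed" later.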
> diff --git a/configure.ac b/configure.ac
> index c34dee1..2d55cd6 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -532,6 +532,8 @@ AC_CONFIG_FILES([
> config/Makefile
> config/etc/Makefile
> config/templates/Makefile
> + config/templates/debian.common.conf
> + config/templates/debian.userns.conf
> config/templates/oracle.common.conf
> config/templates/oracle.userns.conf
> config/templates/plamo.common.conf
> diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> index f399c0b..5d41396 100644
> --- a/templates/lxc-debian.in
> +++ b/templates/lxc-debian.in
> @@ -21,6 +21,8 @@
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> MIRROR=${MIRROR:-http://cdn.debian.net/debian}
> +LOCALSTATEDIR="@LOCALSTATEDIR@"
> +LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
>
> configure_debian()
> {
> @@ -202,11 +204,11 @@ copy_debian()
>
> install_debian()
> {
> - cache="@LOCALSTATEDIR@/cache/lxc/debian"
> + cache="$LOCALSTATEDIR/cache/lxc/debian"
> rootfs=$1
> release=$2
> arch=$3
> - mkdir -p @LOCALSTATEDIR@/lock/subsys/
> + mkdir -p $LOCALSTATEDIR/lock/subsys/
> (
> flock -x 9
> if [ $? -ne 0 ]; then
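Review bot: `mkdir -p $LOCALSTATEDIR/lock/subsys/` now relies on an unquoted runtime expansion where the old line was a build-time substitution, so a configured localstatedir containing whitespace or glob characters is split before mkdir sees it; `mkdir -p "$LOCALSTATEDIR/lock/subsys/"` keeps the old behaviour. The same substitution is made for the lock redirect at the end of this function and for the redirect at the end of clean(); quoting those targets too (`9>"$LOCALSTATEDIR/lock/subsys/lxc-debian"`) keeps them consistent with the already quoted `cache=` lines. install_debian continues outside this hunk.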
> @@ -231,7 +233,7 @@ install_debian()
>
> return 0
>
> - ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
> + ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
>
> return $?
> }
> @@ -243,6 +245,10 @@ copy_configuration()
> hostname=$3
> arch=$4
>
> + # Generate the configuration file
> + ## Create the fstab (empty by default)
> + touch $path/fstab
> +
> # if there is exactly one veth network entry, make sure it has an
> # associated hwaddr.
> nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
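Review bot: The status of `touch $path/fstab` is discarded, while the heredoc write further down in this function is followed by a `$?` check; if the touch fails the config still gets a `lxc.mount = $path/fstab` line pointing at a file that does not exist. `touch $path/fstab || return 1` would match the function's existing error style. copy_configuration starts before this hunk.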
> @@ -250,37 +256,25 @@ copy_configuration()
> grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
> fi
>
> + ## Add all the includes
> + echo "" >> $path/config
> + echo "# Common configuration" >> $path/config
> + if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then
> + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> $path/config
> + fi
> + if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then
> + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" >> $path/config
> + fi
> +
> + ## Add the container-specific config
> + echo "" >> $path/config
> + echo "# Container specific configuration" >> $path/config
> grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
> +
> cat <<EOF >> $path/config
> -lxc.tty = 4
> -lxc.pts = 1024
> -lxc.arch = $arch
> +lxc.mount = $path/fstab
> lxc.utsname = $hostname
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> -
> -# When using LXC with apparmor, uncomment the next line to run unconfined:
> -#lxc.aa_profile = unconfined
> -
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -# consoles
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 4:0 rwm
> -lxc.cgroup.devices.allow = c 4:1 rwm
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -# rtc
> -lxc.cgroup.devices.allow = c 254:0 rm
> -
> -# mounts point
> -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> -lxc.mount.entry = sysfs sys sysfs defaults 0 0
> +lxc.arch = $arch
> EOF
>
> if [ $? -ne 0 ]; then
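Review bot: Guarding the include with `if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]` means a missing or misinstalled common file silently produces a container with no cap.drop, no device-cgroup deny rule and no proc/sysfs mount entries, all of which the removed heredoc lines used to write unconditionally. The per-release include can reasonably stay optional, but the common one should be an error: `[ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ] || { echo "Missing ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >&2; return 1; }` followed by the unconditional `echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> $path/config`, assuming the caller checks copy_configuration's return status as the `$?` test after the heredoc suggests. copy_configuration starts before and ends after this hunk.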
> @@ -293,7 +287,7 @@ EOF
>
> clean()
> {
> - cache="@LOCALSTATEDIR@/cache/lxc/debian"
> + cache="$LOCALSTATEDIR/cache/lxc/debian"
>
> if [ ! -e $cache ]; then
> exit 0
> @@ -311,7 +305,7 @@ clean()
> rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
> exit 0
>
> - ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
> + ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
> }
>
> usage()
> --
> 1.8.5.2
>