[lxc-devel] [PATCH] Update Fedora and CentOS templates for common conf includes.

Michael H. Warfield mhw at WittsEnd.com
Tue Jan 21 16:56:56 UTC 2014


Update Fedora and CentOS templates for common conf includes.

This updates the Fedora and CentOS templates to utilize a common
included config.  This is largely based on the changes in the Oracle
template with some exceptions.

Dropping of setpcap (present in the Oracle template) is commented out in
the Fedora template.  It seems to cause problems, such as large login
delays with Fedora 20 containers (but not Fedora 19 - strange).

The Fedora template is further modified to disable systemd-journald.service
as it is unnecessary in a container and causes serious problems when
running in a Fedora 20 container.

The Fedora template is also updated to default to Fedora 20 when running
on a non-Fedora host.

Regards,
Mike

Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
---
 config/templates/Makefile.am           |  4 ++
 config/templates/centos.common.conf.in | 47 ++++++++++++++++++++++
 config/templates/centos.userns.conf.in | 19 +++++++++
 config/templates/fedora.common.conf.in | 49 +++++++++++++++++++++++
 config/templates/fedora.userns.conf.in | 19 +++++++++
 configure.ac                           |  4 ++
 templates/lxc-centos.in                | 48 +++++++++++-----------
 templates/lxc-fedora.in                | 73 +++++++++++++++++-----------------
 8 files changed, 203 insertions(+), 60 deletions(-)
 create mode 100644 config/templates/centos.common.conf.in
 create mode 100644 config/templates/centos.userns.conf.in
 create mode 100644 config/templates/fedora.common.conf.in
 create mode 100644 config/templates/fedora.userns.conf.in

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index c7f5812..bcea3c3 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,8 +1,12 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 
 templatesconfig_DATA = \
+	centos.common.conf \
+	centos.userns.conf \
 	debian.common.conf \
 	debian.userns.conf \
+	fedora.common.conf \
+	fedora.userns.conf \
 	oracle.common.conf \
 	oracle.userns.conf \
 	plamo.common.conf \
diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
new file mode 100644
index 0000000..c0e6816
--- /dev/null
+++ b/config/templates/centos.common.conf.in
@@ -0,0 +1,47 @@
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw          # breaks dhcp/ping
+# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid           # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+#
+lxc.cap.drop = mac_admin mac_override setfcap setpcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
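Review bot: The `sys:ro` / `proc:mixed` mounts and the device whitelist in this file are advisory for a container root that keeps CAP_SYS_ADMIN, and the file deliberately keeps it (the sys_admin comment block says dropping it breaks nfs mount and hostname(1) and that retaining it allows "re-mounting lxc fstab entries rw"). Nothing in the patch ties the template to an AppArmor or SELinux profile that denies the remount, so the comment should name the actual boundary: `# NOTE: sys_admin is retained, so sys:ro / proc:mixed only hold if the host LSM profile blocks remounts`. Also, `c 5:1 rwm` (/dev/console), which the inline CentOS config being replaced allowed, is absent here; that is consistent with `lxc.devttydir = lxc` making the console a bind-mounted pty (136:*), but a one-line comment would save the next reader from assuming it was dropped by mistake, since the commit message does not mention it.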
diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
new file mode 100644
index 0000000..341db0b
--- /dev/null
+++ b/config/templates/centos.userns.conf.in
@@ -0,0 +1,19 @@
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+# lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
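Review bot: `# lxc.devttydir =` is left commented out here, while the comment directly above says the setting is needed because bind-mounts cannot be moved into /dev/lxc/, and the Fedora userns conf in this same patch does activate it. As written, a CentOS user-namespace container still inherits `lxc.devttydir = lxc` from centos.common.conf, which contradicts the stated intent. Either activate the line (`lxc.devttydir =`) or replace the comment with the actual reason it stays disabled for CentOS.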
diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
new file mode 100644
index 0000000..31b23a4
--- /dev/null
+++ b/config/templates/fedora.common.conf.in
@@ -0,0 +1,49 @@
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+# lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw          # breaks dhcp/ping
+# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid           # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = setfcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
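Review bot: `# lxc.mount.auto = proc:mixed sys:ro` is commented out, yet the same patch deletes the template's fstab (`proc ... nodev,noexec,nosuid` and `sysfs`) from lxc-fedora.in, so the generated Fedora config no longer asks lxc to mount /proc or /sys at all, and whatever the container's init mounts itself will be fully read-write (/proc/sys, /proc/sysrq-trigger, /sys) for a container root that still holds CAP_SYS_ADMIN. The CentOS common conf in this patch keeps the line active and the commit message does not explain the difference, so it reads as accidental. If Fedora 20's systemd misbehaves with an lxc-mounted /proc, record that next to the line, e.g. `# disabled: <F20 failure>; init mounts proc/sys itself, read-write`; otherwise re-enable it.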
diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
new file mode 100644
index 0000000..c33e38d
--- /dev/null
+++ b/config/templates/fedora.userns.conf.in
@@ -0,0 +1,19 @@
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/configure.ac b/configure.ac
index 4179dcf..e2b7e79 100644
--- a/configure.ac
+++ b/configure.ac
@@ -554,8 +554,12 @@ AC_CONFIG_FILES([
 	config/init/upstart/Makefile
 	config/etc/Makefile
 	config/templates/Makefile
+	config/templates/centos.common.conf
+	config/templates/centos.userns.conf
 	config/templates/debian.common.conf
 	config/templates/debian.userns.conf
+	config/templates/fedora.common.conf
+	config/templates/fedora.userns.conf
 	config/templates/oracle.common.conf
 	config/templates/oracle.userns.conf
 	config/templates/plamo.common.conf
diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index bf89427..82dc651 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -315,6 +315,22 @@ EOF
     mknod -m 600 ${dev_path}/initctl p
     mknod -m 666 ${dev_path}/ptmx c 5 2
 
+    # setup console and tty[1-4] for login. note that /dev/console and
+    # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
+    # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
+    # lxc will maintain these links and bind mount ptys over /dev/lxc/*
+    # since lxc.devttydir is specified in the config.
+
+    # allow root login on console, tty[1-4], and pts/0 for libvirt
+    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
+    echo "lxc/console"  >>${rootfs_path}/etc/securetty
+    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
+    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
+    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
+    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
+    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
+    echo "pts/0"        >>${rootfs_path}/etc/securetty
+
     if [ ${root_display_password} = "yes" ]
     then
         echo "Setting root password to '$root_password'"
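Review bot: The securetty entries are appended with `>>` unconditionally, so running the template again against an existing or cached rootfs keeps adding duplicate lines, and `${rootfs_path}` is unquoted in every redirection, which breaks on a path containing spaces. Guard the block with `grep -q '^lxc/console$' "${rootfs_path}/etc/securetty" 2>/dev/null ||` before the appends and quote the path. The `pts/0` entry also deserves a more precise comment than "For libvirt": it permits root password login on whichever process happens to hold the first pty, not only the libvirt console, so the comment should state that this widening is intentional. The enclosing function begins before this hunk and continues past it.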
@@ -544,12 +560,16 @@ lxc.rootfs = $rootfs_path
 
     rm -f $config_path/config.def
 
+    if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then
+        echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
+" >> $config_path/config
+    fi
+
+    # Append things which require expansion here...
     cat <<EOF >> $config_path/config
 lxc.utsname = $utsname
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount = $config_path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 lxc.autodev = $auto_dev
 
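Review bot: The `if [ -e .../centos.common.conf ]` guard fails open: when the common conf is missing (stale install, mismatched `@LXCTEMPLATECONFIG@`), the include is silently skipped while this same hunk removes the inline `lxc.cap.drop`, `lxc.mount`, `lxc.tty` and `lxc.pts` lines, so the container is created with no capability drops, no device cgroup policy and no proc/sys mounts, and nothing tells the user. Fail closed instead: add `else echo "Missing @LXCTEMPLATECONFIG@/centos.common.conf; refusing to write an unconfined config" >&2; return 1` before the `fi`, and quote `"$config_path/config"` in the redirection. The enclosing function starts and ends outside this hunk.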
@@ -568,26 +588,6 @@ lxc.autodev = $auto_dev
 #        Note: This may potentially collide with other containers of same name!
 #lxc.network.veth.pair = v-$name-e0
 
-#cgroups
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
-EOF
-
-    cat <<EOF > $config_path/fstab
-proc            proc         proc    nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs defaults  0 0
 EOF
 
     if [ $? -ne 0 ]; then
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index a96701f..12c810d 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -259,6 +259,22 @@ EOF
     mknod -m 600 ${dev_path}/initctl p
     mknod -m 666 ${dev_path}/ptmx c 5 2
 
+    # setup console and tty[1-4] for login. note that /dev/console and
+    # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
+    # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
+    # lxc will maintain these links and bind mount ptys over /dev/lxc/*
+    # since lxc.devttydir is specified in the config.
+
+    # allow root login on console, tty[1-4], and pts/0 for libvirt
+    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
+    echo "lxc/console"  >>${rootfs_path}/etc/securetty
+    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
+    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
+    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
+    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
+    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
+    echo "pts/0"        >>${rootfs_path}/etc/securetty
+
     if [ ${root_display_password} = "yes" ]
     then
         echo "Setting root password to '$root_password'"
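Review bot: This securetty block is a verbatim copy of the one added to lxc-centos.in and carries the same problems: the unconditional `>>` appends duplicate entries when the template is re-run on an existing rootfs, `${rootfs_path}` is unquoted, and `pts/0` allows root login on the first pty regardless of who owns it, which is broader than the "libvirt" comment suggests. Prefixing the appends with `grep -q '^lxc/console$' "${rootfs_path}/etc/securetty" 2>/dev/null ||` and quoting the path fixes the first two; a comment stating that the `pts/0` widening is deliberate addresses the third. The enclosing function begins before this hunk.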
@@ -324,6 +340,7 @@ configure_fedora_systemd()
     rm -f ${rootfs_path}/etc/systemd/system/default.target
     touch ${rootfs_path}/etc/fstab
     chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
+    chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service
     chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
     #dependency on a device unit fails it specially that we disabled udev
     # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
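Review bot: Masking `systemd-journald.service` with a /dev/null symlink removes the only log collector a stock Fedora 20 system has; unless rsyslog is installed in the container, sshd/PAM/sudo messages and the audit trail an incident responder relies on are discarded, and `journalctl` inside the container stops working. The commit message says journald "causes serious problems" without saying which, so the reason and the consequence belong next to the line: `# journald masked: <describe the F20 failure>; the container keeps no local logs unless rsyslog is installed`. Also, `ln -s` without `-f` fails if the link already exists, and the surrounding lines do not check the result, so re-running against an existing rootfs prints an error and continues. configure_fedora_systemd() continues outside this hunk.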
@@ -379,7 +396,7 @@ configure_fedora_systemd()
 #       and then used to build other arbitrary vesions of Fedora of a
 #       given architecture.  Not that this only has to run once for
 #       Fedora on a given architecture since rpm and yum can build other
-#       versions.  We'll arbitrarily pick Fedora 19 to build this.  This
+#       versions.  We'll arbitrarily pick Fedora 20 to build this.  This
 #       will need to change as time goes on.
 
 # Programmers Note...  A future fall back may be to download the netinst
@@ -530,10 +547,10 @@ Have a beer or a cup of coffee.  This will take a bit (~300MB).
 "
         sleep 3 # let him read it...
 
-        # Right now, we are using Fedora 19 for the inial bootstrap.
+        # Right now, we are using Fedora 20 for the inial bootstrap.
         # We could make this the "current" Fedora rev (F > 15).
 
-        rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS .
+        rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/LiveOS .
 
         if [[ 0 == $? ]]
         then
@@ -610,8 +627,8 @@ This will take a couple of minutes.  Patience..."
     # of this LiveOS image we're camped out on.  This is the beginning
     # of the butt ugly hack.  Look close or you may missing it...
 
-    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
-        mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* .
+    rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
+        mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/y/yum-[0-9]* .
 
     # And here it is...
     # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
@@ -643,7 +660,7 @@ This will take a couple of minutes.  Patience..."
     echo "Stage 1 creation complete.  Building stage 2 Installation Bootstrap"
 
     mount -o bind ../bootstrap run/install
-    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* .
+    rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/f/fedora-release-20* .
 
     # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
     chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
@@ -934,7 +951,7 @@ install_fedora()
 {
     mkdir -p @LOCALSTATEDIR@/lock/subsys/
     (
-        flock -x 200
+        flock -x 9
         if [ $? -ne 0 ]; then
             echo "Cache repository is busy."
             return 1
@@ -965,7 +982,7 @@ install_fedora()
         fi
 
         return 0
-    ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
+    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
 
     return $?
 }
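Review bot: The lock descriptor change from 200 to 9, here and in the matching `flock -x 9` hunk above, is made without a comment, so the next reader cannot tell whether it is required (POSIX sh only guarantees single-digit redirections, which would matter if the template is run under `sh`) or cosmetic. Add `# fd 9: single-digit so the redirection is valid in POSIX sh, not only bash` beside the `9>` redirection if that is the motivation. The script's shebang is outside the hunk, so which shell the template targets cannot be confirmed from here.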
@@ -1017,12 +1034,16 @@ lxc.rootfs = $rootfs_path
 
     rm -f $config_path/config.def
 
+    if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]; then
+        echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
+" >> $config_path/config
+    fi
+
+    # Append things which require expansion here...
     cat <<EOF >> $config_path/config
 lxc.utsname = $utsname
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount = $config_path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 lxc.autodev = $auto_dev
 
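Review bot: As in the CentOS change, the include is optional (`if [ -e .../fedora.common.conf ]`) while the inline `lxc.cap.drop`, `lxc.mount`, `lxc.tty` and `lxc.pts` settings are deleted in the same hunk, so a missing common conf silently produces a container with no capability drops, no device cgroup policy and no proc/sys mounts. Fail closed: `else echo "Missing @LXCTEMPLATECONFIG@/fedora.common.conf; refusing to write an unconfined config" >&2; return 1` before the `fi`. For Fedora this matters more, because fedora.common.conf itself leaves `lxc.mount.auto` commented out, so both the present-file and absent-file cases end with no lxc-managed proc/sys mounts. The enclosing function starts and ends outside this hunk.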
@@ -1041,26 +1062,6 @@ lxc.autodev = $auto_dev
 #        Note: This may potentially collide with other containers of same name!
 #lxc.network.veth.pair = v-$name-e0
 
-#cgroups
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-EOF
-
-    cat <<EOF > $config_path/fstab
-proc            proc         proc    nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs defaults  0 0
 EOF
 
     if [ $? -ne 0 ]; then
@@ -1080,7 +1081,7 @@ clean()
 
     # lock, so we won't purge while someone is creating a repository
     (
-        flock -x 200
+        flock -x 9
         if [ $? != 0 ]; then
             echo "Cache repository is busy."
             exit 1
@@ -1089,7 +1090,7 @@ clean()
         echo -n "Purging the download cache for Fedora-$release..."
         rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
         exit 0
-    ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
+    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
 }
 
 usage()
@@ -1206,8 +1207,8 @@ if [ -z "$release" ]; then
     if [ "$is_fedora" -a "$fedora_host_ver" ]; then
         release=$fedora_host_ver
     else
-        echo "This is not a fedora host and release missing, defaulting to 19. use -R|--release to specify release"
-        release=19
+        echo "This is not a fedora host and release missing, defaulting to 20 use -R|--release to specify release"
+        release=20
     fi
 fi
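Review bot: The rewritten notice lost its sentence break: `defaulting to 20 use -R|--release` should read `defaulting to 20. Use -R|--release to specify release`, as the Fedora 19 wording had. Since this is a diagnostic rather than program output, `>&2` on the `echo` would also keep it out of anything that captures the template's stdout. The enclosing `if` begins before this hunk.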
 
-- 
1.8.3.1


-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
