[lxc-devel] [PATCH] Update Fedora and CentOS templates for common conf includes.
Stéphane Graber
stgraber at ubuntu.com
Wed Jan 22 01:25:01 UTC 2014
On Tue, Jan 21, 2014 at 11:56:56AM -0500, Michael H. Warfield wrote:
> Update Fedora and CentOS templates for common conf includes.
>
> This updates the Fedora and CentOS templates to utilize a common
> included config. This is largely based on the changes in the Oracle
> template with some exceptions.
>
> Dropping of setpcap (present in the Oracle template) is commented out in
> the Fedora template. It seems to cause problems, such as large login
> delays with Fedora 20 containers (but not Fedora 19 - strange).
>
> The Fedora template is further modified to disable systemd-journald.service
> as it is unnecessary in a container and causes serious problems when
> running in a Fedora 20 container.
>
> The Fedora template is also updated to default to Fedora 20 when running
> on a non-Fedora host.
>
> Regards,
> Mike
>
> Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
I'll setup builds for CentOS 6.5 on amd64 and i386 and for Fedora 19 and
20 also on amd64 and i386.
I believe Fedora 20 also supports armhf but that one may need a bit more
work to get going (do you know if your template works with armhf?).
> ---
> config/templates/Makefile.am | 4 ++
> config/templates/centos.common.conf.in | 47 ++++++++++++++++++++++
> config/templates/centos.userns.conf.in | 19 +++++++++
> config/templates/fedora.common.conf.in | 49 +++++++++++++++++++++++
> config/templates/fedora.userns.conf.in | 19 +++++++++
> configure.ac | 4 ++
> templates/lxc-centos.in | 48 +++++++++++-----------
> templates/lxc-fedora.in | 73 +++++++++++++++++-----------------
> 8 files changed, 203 insertions(+), 60 deletions(-)
> create mode 100644 config/templates/centos.common.conf.in
> create mode 100644 config/templates/centos.userns.conf.in
> create mode 100644 config/templates/fedora.common.conf.in
> create mode 100644 config/templates/fedora.userns.conf.in
>
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index c7f5812..bcea3c3 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -1,8 +1,12 @@
> templatesconfigdir=@LXCTEMPLATECONFIG@
>
> templatesconfig_DATA = \
> + centos.common.conf \
> + centos.userns.conf \
> debian.common.conf \
> debian.userns.conf \
> + fedora.common.conf \
> + fedora.userns.conf \
> oracle.common.conf \
> oracle.userns.conf \
> plamo.common.conf \
> diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
> new file mode 100644
> index 0000000..c0e6816
> --- /dev/null
> +++ b/config/templates/centos.common.conf.in
> @@ -0,0 +1,47 @@
> +# Taken from the oracle.common.conf.in
> +# Console settings
> +
> +lxc.devttydir = lxc
> +lxc.tty = 4
> +lxc.pts = 1024
> +
> +# Mount entries
> +lxc.mount.auto = proc:mixed sys:ro
> +
> +# Ensure hostname is changed on clone
> +lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +
> +# Capabilities
> +# Uncomment these if you don't run anything that needs the capability, and
> +# would like the container to run with less privilege.
> +#
> +# Dropping sys_admin disables container root from doing a lot of things
> +# that could be bad like re-mounting lxc fstab entries rw for example,
> +# but also disables some useful things like being able to nfs mount, and
> +# things that are already namespaced with ns_capable() kernel checks, like
> +# hostname(1).
> +# lxc.cap.drop = sys_admin
> +# lxc.cap.drop = net_raw # breaks dhcp/ping
> +# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
> +# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
> +# lxc.cap.drop = setuid # breaks sshd,nfs statd
> +# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
> +# lxc.cap.drop = audit_write
> +#
> +lxc.cap.drop = mac_admin mac_override setfcap setpcap
> +lxc.cap.drop = sys_module sys_nice sys_pacct
> +lxc.cap.drop = sys_rawio sys_time
> +
> +# Control Group devices: all denied except those whitelisted
> +lxc.cgroup.devices.deny = a
> +# Allow any mknod (but not reading/writing the node)
> +lxc.cgroup.devices.allow = c *:* m
> +lxc.cgroup.devices.allow = b *:* m
> +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> +lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
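Review bot: The device whitelist here is narrower than the inline config it replaces in lxc-centos.in — the old template allowed `c 5:1 rwm` (/dev/console) and `c 254:0 rwm` (rtc), neither of which appears in L109–L116 — and `lxc.cap.drop` at L100–L102 adds setfcap, setpcap, sys_nice, sys_pacct and sys_rawio on top of the previous four. Both are tightenings a security reviewer welcomes, but they change what an upgraded CentOS container can do (hwclock, for one) and the cover letter only mentions the Oracle-derived include, so note it in the file: `# Stricter than the old inline template config: /dev/console (5:1) and rtc (254:0) are intentionally not whitelisted`. The `c *:* m` / `b *:* m` entries are fine as written, since the cgroup still denies read/write on anything not listed below them.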
> diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
> new file mode 100644
> index 0000000..341db0b
> --- /dev/null
> +++ b/config/templates/centos.userns.conf.in
> @@ -0,0 +1,19 @@
> +# Taken from the oracle.userns.conf.in
> +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> +lxc.cgroup.devices.deny =
> +lxc.cgroup.devices.allow =
> +
> +# We can't move bind-mounts, so don't use /dev/lxc/
> +# lxc.devttydir =
> +
> +# Extra bind-mounts for userns
> +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> +
> +# Extra fstab entries as mountall can't mount those by itself
> +lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> +lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
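Review bot: `# lxc.devttydir =` at L129 is commented out, which contradicts the comment directly above it and differs from the Fedora counterpart in this same patch, where the line is active; with the override commented out, the `lxc.devttydir = lxc` inherited from centos.common.conf stays in effect for userns containers, so lxc will presumably still try to bind-mount ptys under /dev/lxc/, which the comment says cannot be done. If leaving it disabled is deliberate for CentOS, say why inline (`# kept enabled on CentOS because …`); otherwise uncomment it to `lxc.devttydir =`. Also worth stating next to L125–L126 that clearing the device cgroup means an unprivileged container's root relies solely on the user namespace for device access control.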
> diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
> new file mode 100644
> index 0000000..31b23a4
> --- /dev/null
> +++ b/config/templates/fedora.common.conf.in
> @@ -0,0 +1,49 @@
> +# Taken from the oracle.common.conf.in
> +# Console settings
> +
> +lxc.devttydir = lxc
> +lxc.tty = 4
> +lxc.pts = 1024
> +
> +# Mount entries
> +# lxc.mount.auto = proc:mixed sys:ro
> +
> +# Ensure hostname is changed on clone
> +lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +
> +# Capabilities
> +# Uncomment these if you don't run anything that needs the capability, and
> +# would like the container to run with less privilege.
> +#
> +# Dropping sys_admin disables container root from doing a lot of things
> +# that could be bad like re-mounting lxc fstab entries rw for example,
> +# but also disables some useful things like being able to nfs mount, and
> +# things that are already namespaced with ns_capable() kernel checks, like
> +# hostname(1).
> +# lxc.cap.drop = sys_admin
> +# lxc.cap.drop = net_raw # breaks dhcp/ping
> +# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
> +# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
> +# lxc.cap.drop = setuid # breaks sshd,nfs statd
> +# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
> +# lxc.cap.drop = audit_write
> +# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
> +#
> +lxc.cap.drop = mac_admin mac_override
> +lxc.cap.drop = setfcap
> +lxc.cap.drop = sys_module sys_nice sys_pacct
> +lxc.cap.drop = sys_rawio sys_time
> +
> +# Control Group devices: all denied except those whitelisted
> +lxc.cgroup.devices.deny = a
> +# Allow any mknod (but not reading/writing the node)
> +lxc.cgroup.devices.allow = c *:* m
> +lxc.cgroup.devices.allow = b *:* m
> +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> +lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
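Review bot: `# lxc.mount.auto = proc:mixed sys:ro` at L156 is commented out, while the template hunk below removes both `lxc.mount = $config_path/fstab` and the fstab that mounted proc with nodev,noexec,nosuid and sysfs; as a result nothing on the lxc side mounts /proc or /sys for a Fedora container, and whatever the container's own init mounts will be fully writable, including /proc/sys and /proc/sysrq-trigger, with sys_admin still in the bounding set. That is a privilege regression relative to the old inline config and is not mentioned in the cover letter. If Fedora 20 systemd genuinely fails with `proc:mixed sys:ro`, keep the line commented but record the reason (`# disabled: systemd in F20 fails to boot with sys:ro — TODO re-enable once confirmed`); otherwise enable it as in centos.common.conf.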
> diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
> new file mode 100644
> index 0000000..c33e38d
> --- /dev/null
> +++ b/config/templates/fedora.userns.conf.in
> @@ -0,0 +1,19 @@
> +# Taken from the oracle.userns.conf.in
> +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> +lxc.cgroup.devices.deny =
> +lxc.cgroup.devices.allow =
> +
> +# We can't move bind-mounts, so don't use /dev/lxc/
> +lxc.devttydir =
> +
> +# Extra bind-mounts for userns
> +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> +
> +# Extra fstab entries as mountall can't mount those by itself
> +lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> +lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> diff --git a/configure.ac b/configure.ac
> index 4179dcf..e2b7e79 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -554,8 +554,12 @@ AC_CONFIG_FILES([
> config/init/upstart/Makefile
> config/etc/Makefile
> config/templates/Makefile
> + config/templates/centos.common.conf
> + config/templates/centos.userns.conf
> config/templates/debian.common.conf
> config/templates/debian.userns.conf
> + config/templates/fedora.common.conf
> + config/templates/fedora.userns.conf
> config/templates/oracle.common.conf
> config/templates/oracle.userns.conf
> config/templates/plamo.common.conf
> diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> index bf89427..82dc651 100644
> --- a/templates/lxc-centos.in
> +++ b/templates/lxc-centos.in
> @@ -315,6 +315,22 @@ EOF
> mknod -m 600 ${dev_path}/initctl p
> mknod -m 666 ${dev_path}/ptmx c 5 2
>
> + # setup console and tty[1-4] for login. note that /dev/console and
> + # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
> + # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
> + # lxc will maintain these links and bind mount ptys over /dev/lxc/*
> + # since lxc.devttydir is specified in the config.
> +
> + # allow root login on console, tty[1-4], and pts/0 for libvirt
> + echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
> + echo "lxc/console" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty1" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty2" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty3" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty4" >>${rootfs_path}/etc/securetty
> + echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
> + echo "pts/0" >>${rootfs_path}/etc/securetty
> +
> if [ ${root_display_password} = "yes" ]
> then
> echo "Setting root password to '$root_password'"
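Review bot: The eight `echo … >>${rootfs_path}/etc/securetty` lines at L254–L261 are not idempotent — re-running this step against an existing rootfs appends a second copy of every entry — and `${rootfs_path}` is unquoted in each redirect. A single quoted here-doc guarded by a presence check fixes both and is easier to audit; the enclosing function starts outside the hunk, so this is a drop-in for just these lines.
```shell
    # allow root login on console, tty[1-4], and pts/0 for libvirt
    securetty="${rootfs_path}/etc/securetty"
    if ! grep -q '^lxc/console$' "$securetty" 2>/dev/null; then
        cat >>"$securetty" <<'EOF'
# LXC (Linux Containers)
lxc/console
lxc/tty1
lxc/tty2
lxc/tty3
lxc/tty4
# For libvirt/Virtual Machine Monitor
pts/0
EOF
    fi
```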
> @@ -544,12 +560,16 @@ lxc.rootfs = $rootfs_path
>
> rm -f $config_path/config.def
>
> + if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then
> + echo "
> +# Include common configuration
> +lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
> +" >> $config_path/config
> + fi
> +
> + # Append things which require expansion here...
> cat <<EOF >> $config_path/config
> lxc.utsname = $utsname
> -lxc.tty = 4
> -lxc.pts = 1024
> -lxc.mount = $config_path/fstab
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
>
> lxc.autodev = $auto_dev
>
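Review bot: The `lxc.include` at L273 is emitted only when centos.common.conf exists at create time, and the inline `lxc.cap.drop`, device-cgroup and fstab settings it replaces are deleted in this patch, so if `@LXCTEMPLATECONFIG@/centos.common.conf` is missing or unreadable the container is silently created with no capability drops, an unrestricted device cgroup and no proc/sys mount policy. A missing include should be fatal rather than skipped: add an `else` branch along the lines of `echo "$0: @LXCTEMPLATECONFIG@/centos.common.conf not found; refusing to create an unconfined container" >&2; return 1` (the enclosing function starts outside the hunk, so `return` vs `exit` depends on its context). Quoting `"$config_path/config"` in the redirect at L274 would also be consistent with the quoted test at L270.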
> @@ -568,26 +588,6 @@ lxc.autodev = $auto_dev
> # Note: This may potentially collide with other containers of same name!
> #lxc.network.veth.pair = v-$name-e0
>
> -#cgroups
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -# consoles
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -# rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> -EOF
> -
> - cat <<EOF > $config_path/fstab
> -proc proc proc nodev,noexec,nosuid 0 0
> -sysfs sys sysfs defaults 0 0
> EOF
>
> if [ $? -ne 0 ]; then
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index a96701f..12c810d 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -259,6 +259,22 @@ EOF
> mknod -m 600 ${dev_path}/initctl p
> mknod -m 666 ${dev_path}/ptmx c 5 2
>
> + # setup console and tty[1-4] for login. note that /dev/console and
> + # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
> + # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
> + # lxc will maintain these links and bind mount ptys over /dev/lxc/*
> + # since lxc.devttydir is specified in the config.
> +
> + # allow root login on console, tty[1-4], and pts/0 for libvirt
> + echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
> + echo "lxc/console" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty1" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty2" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty3" >>${rootfs_path}/etc/securetty
> + echo "lxc/tty4" >>${rootfs_path}/etc/securetty
> + echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
> + echo "pts/0" >>${rootfs_path}/etc/securetty
> +
> if [ ${root_display_password} = "yes" ]
> then
> echo "Setting root password to '$root_password'"
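Review bot: The comment at L328 describes `pts/0` as the libvirt console, but securetty matches by device name, so `pts/0` is whichever pseudo-terminal is allocated first inside the container — any login(1) session that happens to land on the first pty is root-capable, not just the libvirt one. If that breadth is acceptable, make the comment honest: `# pts/0: first pty allocated in the container (used by libvirt's console); any other first-allocated pty is covered too`. Note this only affects PAM stacks that include pam_securetty (login, lxc-console), presumably not sshd. As in the CentOS hunk, the unconditional `>>` appends duplicate entries on a re-run and `${rootfs_path}` should be quoted.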
> @@ -324,6 +340,7 @@ configure_fedora_systemd()
> rm -f ${rootfs_path}/etc/systemd/system/default.target
> touch ${rootfs_path}/etc/fstab
> chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
> + chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service
> chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> #dependency on a device unit fails it specially that we disabled udev
> # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
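Review bot: Masking systemd-journald.service at L345 leaves a Fedora container with no journal at all, which removes the main log source for incident response and troubleshooting inside the container, yet the only justification ("serious problems") lives in the cover letter. Put the reason in the file, e.g. `# journald is masked: it misbehaves in F20 containers (see commit message); container logs are lost unless rsyslog is installed`. If systemd-journald.socket and the -dev-log socket units remain enabled — I cannot tell from here — they will presumably try to activate the masked service, so consider masking them the same way. The bare `ln -s` also fails if the target path already exists; on a fresh rootfs that is probably fine, but `ln -sf` would match the udev line's intent.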
> @@ -379,7 +396,7 @@ configure_fedora_systemd()
> # and then used to build other arbitrary vesions of Fedora of a
> # given architecture. Not that this only has to run once for
> # Fedora on a given architecture since rpm and yum can build other
> -# versions. We'll arbitrarily pick Fedora 19 to build this. This
> +# versions. We'll arbitrarily pick Fedora 20 to build this. This
> # will need to change as time goes on.
>
> # Programmers Note... A future fall back may be to download the netinst
> @@ -530,10 +547,10 @@ Have a beer or a cup of coffee. This will take a bit (~300MB).
> "
> sleep 3 # let him read it...
>
> - # Right now, we are using Fedora 19 for the inial bootstrap.
> + # Right now, we are using Fedora 20 for the inial bootstrap.
> # We could make this the "current" Fedora rev (F > 15).
>
> - rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS .
> + rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/LiveOS .
>
> if [[ 0 == $? ]]
> then
> @@ -610,8 +627,8 @@ This will take a couple of minutes. Patience..."
> # of this LiveOS image we're camped out on. This is the beginning
> # of the butt ugly hack. Look close or you may missing it...
>
> - rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
> - mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* .
> + rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
> + mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/y/yum-[0-9]* .
>
> # And here it is...
> # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
> @@ -643,7 +660,7 @@ This will take a couple of minutes. Patience..."
> echo "Stage 1 creation complete. Building stage 2 Installation Bootstrap"
>
> mount -o bind ../bootstrap run/install
> - rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* .
> + rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/f/fedora-release-20* .
>
> # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
> chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
> @@ -934,7 +951,7 @@ install_fedora()
> {
> mkdir -p @LOCALSTATEDIR@/lock/subsys/
> (
> - flock -x 200
> + flock -x 9
> if [ $? -ne 0 ]; then
> echo "Cache repository is busy."
> return 1
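Review bot: The change from fd 200 to fd 9 at L396 (and the matching `9>` redirects elsewhere in this patch) is unexplained; the reason is presumably that POSIX sh and dash only guarantee single-digit fds in redirections, whereas bash accepts 200, so a reader will wonder whether it is a fix or a typo. Add `# fd 9: POSIX sh only guarantees single-digit redirection fds` above the subshell. Separately, `flock -x 9` has no timeout, so the "Cache repository is busy" path only fires if flock itself errors — a stale lock holder hangs creation indefinitely; `flock -x -w 600 9` would turn that into the busy message. install_fedora continues past the hunk.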
> @@ -965,7 +982,7 @@ install_fedora()
> fi
>
> return 0
> - ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
> + ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
>
> return $?
> }
> @@ -1017,12 +1034,16 @@ lxc.rootfs = $rootfs_path
>
> rm -f $config_path/config.def
>
> + if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]; then
> + echo "
> +# Include common configuration
> +lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
> +" >> $config_path/config
> + fi
> +
> + # Append things which require expansion here...
> cat <<EOF >> $config_path/config
> lxc.utsname = $utsname
> -lxc.tty = 4
> -lxc.pts = 1024
> -lxc.mount = $config_path/fstab
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
>
> lxc.autodev = $auto_dev
>
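Review bot: Because the inline `lxc.cap.drop`, cgroup and fstab lines are removed below, the presence test at L413 is now load-bearing: when `@LXCTEMPLATECONFIG@/fedora.common.conf` is absent the container is written with no include and therefore no capability drops and no device cgroup, and nothing tells the user. Make that case an error instead of a silent fallthrough — an `else` with `echo "fedora.common.conf not found under @LXCTEMPLATECONFIG@; aborting" >&2; return 1` (the enclosing function starts outside the hunk, so check whether `return` or `exit` is appropriate). The absolute include path baked into every container config also means relocating the template-config directory breaks existing containers, which is worth a one-line comment.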
> @@ -1041,26 +1062,6 @@ lxc.autodev = $auto_dev
> # Note: This may potentially collide with other containers of same name!
> #lxc.network.veth.pair = v-$name-e0
>
> -#cgroups
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -# consoles
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -# rtc
> -lxc.cgroup.devices.allow = c 254:0 rm
> -EOF
> -
> - cat <<EOF > $config_path/fstab
> -proc proc proc nodev,noexec,nosuid 0 0
> -sysfs sys sysfs defaults 0 0
> EOF
>
> if [ $? -ne 0 ]; then
> @@ -1080,7 +1081,7 @@ clean()
>
> # lock, so we won't purge while someone is creating a repository
> (
> - flock -x 200
> + flock -x 9
> if [ $? != 0 ]; then
> echo "Cache repository is busy."
> exit 1
> @@ -1089,7 +1090,7 @@ clean()
> echo -n "Purging the download cache for Fedora-$release..."
> rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
> exit 0
> - ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
> + ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
> }
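Review bot: `rm --preserve-root --one-file-system -rf $cache` at L468 is unchanged context, but it is the destructive step guarded by the lock this hunk modifies: `$cache` is unquoted and not protected against being empty, so a word-split or unset value leads to surprising `rm -rf` behaviour. `rm --preserve-root --one-file-system -rf -- "${cache:?cache path unset}"` aborts on an empty value and stops option parsing. clean() begins outside the hunk.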
>
> usage()
> @@ -1206,8 +1207,8 @@ if [ -z "$release" ]; then
> if [ "$is_fedora" -a "$fedora_host_ver" ]; then
> release=$fedora_host_ver
> else
> - echo "This is not a fedora host and release missing, defaulting to 19. use -R|--release to specify release"
> - release=19
> + echo "This is not a fedora host and release missing, defaulting to 20 use -R|--release to specify release"
> + release=20
> fi
> fi
>
> --
> 1.8.3.1
>
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com