[lxc-devel] [PATCH] Updated lxc-opensuse for common configuration changes.

Michael H. Warfield mhw at WittsEnd.com
Wed Jun 18 21:00:09 UTC 2014


On Wed, 2014-06-18 at 16:48 -0400, Stéphane Graber wrote:
> On Wed, Jun 18, 2014 at 03:31:44PM -0400, Michael H. Warfield wrote:
> > Updated lxc-opensuse for common configuration changes.
> > 
> > Updated the lxc-opensuse template for the changes for the common
> > configuration used by the download template.  Changed the default
> > network mode in the container to dhcp.
> > 
> > Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>

> Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> When applying I'll bump the lxc-download compat level to 2 since
> existing LXC 1.0.x installs will be lacking the opensuse.*.conf files
> and so won't be able to create OpenSUSE containers.

Cool.

> I also really wish we could get rid of all that network stuff in the
> templates and just rely on distros shipping a reasonable default.conf
> using the template-based hwaddr setting...

I know.  Concur.  We can dream and we can wish.

Regards,
Mike

> > ---
> >  config/templates/Makefile.am             |   2 +
> >  config/templates/opensuse.common.conf.in |  47 ++++++++++++
> >  config/templates/opensuse.userns.conf.in |  20 ++++++
> >  configure.ac                             |   2 +
> >  templates/lxc-opensuse.in                | 119 ++++++++++++++++++-------------
> >  5 files changed, 141 insertions(+), 49 deletions(-)
> >  create mode 100644 config/templates/opensuse.common.conf.in
> >  create mode 100644 config/templates/opensuse.userns.conf.in
> > 
> > diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> > index 47969a9..d0b1c87 100644
> > --- a/config/templates/Makefile.am
> > +++ b/config/templates/Makefile.am
> > @@ -10,6 +10,8 @@ templatesconfig_DATA = \
> >  	gentoo.common.conf \
> >  	gentoo.moresecure.conf \
> >  	gentoo.userns.conf \
> > +	opensuse.common.conf \
> > +	opensuse.userns.conf \
> >  	oracle.common.conf \
> >  	oracle.userns.conf \
> >  	plamo.common.conf \
> > diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
> > new file mode 100644
> > index 0000000..1585fb8
> > --- /dev/null
> > +++ b/config/templates/opensuse.common.conf.in
> > @@ -0,0 +1,47 @@
> > +lxc.autodev = 1
> > +lxc.devttydir = lxc
> > +lxc.tty = 4
> > +lxc.pts = 1024
> > +
> > +# Mount entries
> > +# lxc.mount.auto = proc:mixed sys:ro
> > +
> > +# Ensure hostname is changed on clone
> > +lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> > +
> > +# Capabilities
> > +# Uncomment these if you don't run anything that needs the capability, and
> > +# would like the container to run with less privilege.
> > +#
> > +# Dropping sys_admin disables container root from doing a lot of things
> > +# that could be bad like re-mounting lxc fstab entries rw for example,
> > +# but also disables some useful things like being able to nfs mount, and
> > +# things that are already namespaced with ns_capable() kernel checks, like
> > +# hostname(1).
> > +# lxc.cap.drop = sys_admin
> > +# lxc.cap.drop = net_raw          # breaks dhcp/ping
> > +# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
> > +# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
> > +# lxc.cap.drop = setuid           # breaks sshd,nfs statd
> > +# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
> > +# lxc.cap.drop = audit_write
> > +# lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
> > +# lxc.cap.drop = setfcap
> > +#
> > +lxc.cap.drop = mac_admin mac_override
> > +lxc.cap.drop = sys_module sys_nice sys_pacct
> > +lxc.cap.drop = sys_rawio sys_time
> > +
> > +# Control Group devices: all denied except those whitelisted
> > +lxc.cgroup.devices.deny = a
> > +# Allow any mknod (but not reading/writing the node)
> > +lxc.cgroup.devices.allow = c *:* m
> > +lxc.cgroup.devices.allow = b *:* m
> > +lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> > +lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> > +lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> > +lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> > +lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> > +lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> > +lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
> > +lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
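Review bot: the `lxc.cap.drop` lines in this file no longer drop `mknod`, which the inline config being replaced did (the removed `lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time` line in the lxc-opensuse.in hunk below); combined with `c *:* m` / `b *:* m`, container root can now create any device node, even though it still cannot open nodes outside the whitelist. That matches the other *.common.conf files, but it is a loosening relative to the old template and deserves a sentence in the commit message. Also, `lxc.mount.auto = proc:mixed sys:ro` is shipped commented out; enabling it would give the container a /proc with /proc/sys and /proc/sysrq-trigger read-only and a read-only /sys, unless the fstab the template writes already covers that.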
> > diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in
> > new file mode 100644
> > index 0000000..f6de0e9
> > --- /dev/null
> > +++ b/config/templates/opensuse.userns.conf.in
> > @@ -0,0 +1,20 @@
> > +# Taken from the oracle.userns.conf.in
> > +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> > +lxc.cgroup.devices.deny =
> > +lxc.cgroup.devices.allow =
> > +
> > +# We can't move bind-mounts, so don't use /dev/lxc/
> > +lxc.devttydir =
> > +
> > +# Extra bind-mounts for userns
> > +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> > +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> > +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> > +lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> > +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> > +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> > +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> > +
> > +# Extra fstab entries as mountall can't mount those by itself
> > +lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> > +lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
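Review bot: the `/sys/firmware/efi/efivars` and `/proc/sys/fs/binfmt_misc` bind mounts on the last two lines are read-write (`bind,optional`); nothing a container does legitimately needs to write EFI variables or register host-wide binfmt handlers, so `bind,ro,optional` would be the safer default and relies on less than the kernel's init-userns CAP_SYS_ADMIN checks. Minor: the header comment says this was taken from oracle.userns.conf.in; if the content is identical, consider sharing one file rather than carrying a copy that can drift.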
> > diff --git a/configure.ac b/configure.ac
> > index ab6c481..be54043 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -590,6 +590,8 @@ AC_CONFIG_FILES([
> >  	config/templates/gentoo.common.conf
> >  	config/templates/gentoo.moresecure.conf
> >  	config/templates/gentoo.userns.conf
> > +	config/templates/opensuse.common.conf
> > +	config/templates/opensuse.userns.conf
> >  	config/templates/oracle.common.conf
> >  	config/templates/oracle.userns.conf
> >  	config/templates/plamo.common.conf
> > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> > index 3999df6..c4dce5d 100644
> > --- a/templates/lxc-opensuse.in
> > +++ b/templates/lxc-opensuse.in
> > @@ -1,7 +1,7 @@
> >  #!/bin/bash
> >  
> >  #
> > -# template script for generating suse container for LXC
> > +# template script for generating OpenSUSE container for LXC
> >  #
> >  
> >  #
> > @@ -10,6 +10,7 @@
> >  # Authors:
> >  # Daniel Lezcano <daniel.lezcano at free.fr>
> >  # Frederic Crozat <fcrozat at suse.com>
> > +# Michael H. Warfield <mhw at WittsEnd.com>
> >  
> >  # This library is free software; you can redistribute it and/or
> >  # modify it under the terms of the GNU Lesser General Public
> > @@ -45,10 +46,10 @@ configure_opensuse()
> >      rootfs=$1
> >      hostname=$2
> >  
> > -   # set network as static, but everything is done by LXC outside the container
> > +   # set first network adapter as dhcp.  This is the most common config.
> >     cat <<EOF > $rootfs/etc/sysconfig/network/ifcfg-eth0
> >  STARTMODE='auto'
> > -BOOTPROTO='none'
> > +BOOTPROTO='dhcp'
> >  EOF
> >  
> >     # create empty fstab
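Review bot: `$rootfs` in the `cat <<EOF > $rootfs/etc/sysconfig/network/ifcfg-eth0` redirect is unquoted, so a rootfs path containing whitespace breaks the redirect; pre-existing, but worth quoting as `"$rootfs/..."` while this line is being touched. The new comment should also say that dhcp is now unconditional, since the `sed -i 's/BOOTPROTO=.*/BOOTPROTO=dhcp/'` fallback is removed later in this patch.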
> > @@ -171,7 +172,7 @@ EOF
> >          mkdir -p $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686
> >          for i in "$cache/partial-$arch-packages/var/cache/zypp/packages/update/i586/*" ; do
> >              ln -s $i $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686/
> > -	done
> > +        done
> >      fi
> >  
> >      CLEAN_BUILD=1 BUILD_ARCH="$arch" BUILD_ROOT="$cache/partial-$arch" BUILD_DIST="$cache/partial-$arch-packages/opensuse.conf" PATH="$PATH:/usr/lib/build" /usr/lib/build/init_buildsystem  --clean --configdir /usr/lib/build/configs --cachedir $cache/partial-$arch-cache --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/noarch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/noarch || return 1
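Review bot: in the context lines, `for i in "$cache/partial-$arch-packages/var/cache/zypp/packages/update/i586/*"` quotes the glob, so it never expands; the loop runs once with a literal `*` and `ln -s` creates a symlink named `*` in the i686 directory instead of one link per package. This hunk only fixes indentation, so it is fine to leave, but please drop the quotes around the glob in a follow-up.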
> > @@ -228,8 +229,6 @@ install_opensuse()
> >              return 1
> >          fi
> >  
> > -        arch=$(uname -m)
> > -
> >          echo "Checking cache download in $cache/rootfs-$arch ... "
> >          if [ ! -e "$cache/rootfs-$arch" ]; then
> >              download_opensuse $cache $arch
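Review bot: removing the local `arch=$(uname -m)` makes install_opensuse rely on the global `arch` added at the bottom of the script; that global is assigned before getopt runs, so the ordering works, but every caller of download_opensuse and the cache paths now silently depend on that global having been set, which is worth a comment at the top of install_opensuse.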
> > @@ -252,66 +251,85 @@ install_opensuse()
> >      return $?
> >  }
> >  
> > +# Generate a random hardware (MAC) address composed of FE followed by
> > +# 5 random bytes...
> > +create_hwaddr()
> > +{
> > +    openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/'
> > +}
> > +
> >  copy_configuration()
> >  {
> >      path=$1
> >      rootfs=$2
> >      name=$3
> >  
> > -    if grep -q "^lxc.network.type" $path/config; then
> > -        TYPE=$(sed '/^#/d; /lxc.network.type/!d; s/.*=[ \t]*//' $path/config)
> > -        grep -q "^lxc.network.ipv4" $path/config
> > -        IPV4_NOT_CONFIGURED=$?
> > -
> > -        if ! grep -q "^lxc.network.*.gateway" $path/config; then
> > -            [ $IPV4_NOT_CONFIGURED -eq 0 ] && IPV4=$(sed '/^#/d; /lxc.network.ipv4/!d; /gateway/d; s/.*=[ \t]*//; s/\([[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\).*/\1/' $path/config)
> > -            if [ "$TYPE" = "veth" -o "$TYPE" = "macvlan" ]; then
> > -                if [ $IPV4_NOT_CONFIGURED -eq 0 -a "$IPV4" != "0.0.0.0" ]; then
> > -                    # set default route
> > -                    IP=$(/sbin/ip route | awk '/default/ { print $3 }')
> > -                    echo "lxc.network.ipv4.gateway = $IP " >> $path/config
> > -                else
> > -                    # set network as dhcp
> > -                    sed -i -e 's/BOOTPROTO=.*/BOOTPROTO=dhcp/' $rootfs/etc/sysconfig/network/ifcfg-eth0
> > -                fi
> > -            fi
> > +    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "
> > +lxc.rootfs = $rootfs_path
> > +" >> $path/config
> > +
> > +    # The following code is to create static MAC addresses for each
> > +    # interface in the container.  This code will work for multiple
> > +    # interfaces in the default config.  It will also strip any
> > +    # hwaddr stanzas out of the default config since we can not share
> > +    # MAC addresses between containers.
> > +    #
> > +    # This code is largely mimiced from the Fedora Template.
> > +    mv $path/config $path/config.def
> > +    while read LINE
> > +    do
> > +        # This should catch variable expansions from the default config...
> > +        if expr "${LINE}" : '.*\$' > /dev/null 2>&1
> > +        then
> > +                LINE=$(eval "echo \"${LINE}\"")
> >          fi
> > -        if [ "$TYPE" != "empty" ]; then
> > -            echo "#remove next line if host DNS configuration should not be available to container" >> $path/config
> > -            echo "lxc.mount.entry = /etc/resolv.conf etc/resolv.conf none bind,ro 0 0" >> $path/config
> > +
> > +        # There is a tab and a space in the regex bracket below!
> > +        # Seems that \s doesn't work in brackets.
> > +        KEY=$(expr "${LINE}" : '\s*\([^	 ]*\)\s*=')
> > +
> > +        if [[ "${KEY}" != "lxc.network.hwaddr" ]]
> > +        then
> > +            echo "${LINE}" >> $path/config
> > +
> > +            if [[ "${KEY}" == "lxc.network.link" ]]
> > +            then
> > +                echo "lxc.network.hwaddr = $(create_hwaddr)" >> $path/config
> > +            fi
> >          fi
> > -    else
> > -        echo 'lxc.network.type = empty' >> $path/config
> > +    done < $path/config.def
> > +
> > +    rm -f $path/config.def
> > +
> > +    if [ -e "@LXCTEMPLATECONFIG@/opensuse.common.conf" ]; then
> > +        echo "
> > +# Include common configuration
> > +lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
> > +" >> $path/config
> >      fi
> >  
> > -    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
> > +    # Append things which require expansion here...
> >      cat <<EOF >> $path/config
> > +lxc.arch = $arch
> >  lxc.utsname = $name
> > -lxc.autodev=1
> > -lxc.tty = 4
> > -lxc.pts = 1024
> > +
> >  lxc.mount = $path/fstab
> > -lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
> >  
> >  # When using LXC with apparmor, uncomment the next line to run unconfined:
> >  #lxc.aa_profile = unconfined
> >  
> > -lxc.cgroup.devices.deny = a
> > -# /dev/null and zero
> > -lxc.cgroup.devices.allow = c 1:3 rwm
> > -lxc.cgroup.devices.allow = c 1:5 rwm
> > -# consoles
> > -lxc.cgroup.devices.allow = c 5:1 rwm
> > -lxc.cgroup.devices.allow = c 5:0 rwm
> > -lxc.cgroup.devices.allow = c 4:0 rwm
> > -lxc.cgroup.devices.allow = c 4:1 rwm
> > -# /dev/{,u}random
> > -lxc.cgroup.devices.allow = c 1:9 rwm
> > -lxc.cgroup.devices.allow = c 1:8 rwm
> > -lxc.cgroup.devices.allow = c 136:* rwm
> > -lxc.cgroup.devices.allow = c 5:2 rwm
> > -# rtc
> > -lxc.cgroup.devices.allow = c 254:0 rm
> > +# example simple networking setup, uncomment to enable
> > +#lxc.network.type = $lxc_network_type
> > +#lxc.network.flags = up
> > +#lxc.network.link = $lxc_network_link
> > +#lxc.network.name = eth0
> > +# Additional example for veth network type
> > +#    static MAC address,
> > +#lxc.network.hwaddr = 00:16:3e:77:52:20
> > +#    persistent veth device name on host side
> > +#        Note: This may potentially collide with other containers of same name!
> > +#lxc.network.veth.pair = v-$name-e0
> > +
> >  EOF
> >  
> >      cat <<EOF > $path/fstab
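Review bot: `lxc.rootfs = $rootfs_path` uses a variable that is not the function's parameter: copy_configuration sets `rootfs=$2`, and the removed line used `$rootfs`. Unless `rootfs_path` is a global set by option parsing (not visible in this patch), this writes an empty `lxc.rootfs =` into the config; it should be `lxc.rootfs = $rootfs`. Two further points in the rewrite loop: `LINE=$(eval "echo \"${LINE}\"")` runs the shell on any default.conf line containing `$`, so a `$(...)` or backtick in that file is executed as root at container creation time; limiting expansion to the known variables, or at least using `read -r` with `IFS=` and `printf '%s\n'` instead of `echo`, would avoid mangling backslashes and leading whitespace as well. Finally, the old `lxc.mount.entry = /etc/resolv.conf ... bind,ro` line and the `lxc.network.type = empty` fallback are dropped without a replacement and without mention in the commit message; if that is intentional, say so. Typo in the comment: "mimiced" should be "mimicked".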
> > @@ -358,6 +376,9 @@ EOF
> >      return 0
> >  }
> >  
> > +# Make arch a global.  This may become configurable?
> > +arch=$(uname -m)
> > +
> >  options=$(getopt -o hp:n:c -l help,rootfs:,path:,name:,clean -- "$@")
> >  if [ $? -ne 0 ]; then
> >      usage $(basename $0)
> > -- 
> > 1.9.3
> > 
> > 
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
