[lxc-devel] [PATCH] [RFC] Reduce duplication in new style configs

Stéphane Graber stgraber at ubuntu.com
Fri Jun 20 21:30:33 UTC 2014


This is a rather massive cleanup of config/templates/*

As new templates were added, I've noticed that they pretty much all share
the tty/pts configs, some capabilities being dropped and most of the
cgroup configuration. All the userns configs were also almost identical.

As a result, this change introduces two new files:
 - common.conf.in
 - userns.conf.in

Each is included by the relevant <template>.<type>.conf.in templates;
this means that the individual per-template configs are now overlays on
top of the default config.

Once we see a specific key becoming popular, we ought to check whether
it should also be applied to the other templates and if more than 50% of
the templates have it set to the same value, that value ought to be
moved to the master config file and then overridden for the templates
that do not use it.

This change, while pretty big and scary, shouldn't be very visible from a
user point of view; the actual changes can be summarized as:
 - Extend clonehostname to work with Debian based distros and use it for
   all containers.
 - lxc.pivotdir is now set to lxc_putold for all templates, this means
   that instead of using /mnt in the container, lxc will create and use
   /lxc_putold instead. The reason for this is to avoid failures when the
   user bind-mounts something else on top of /mnt.
 - Some minor cgroup limit changes, the main one I remember is
   /dev/console now being writable by all of the redhat based containers.
   The rest of the set should be identical with additions in the per-distro
   ones.
 - Drop binfmtmisc and efivars bind-mounts for non-mountall based
   unprivileged containers as I assumed they got those from copy/paste
   from Ubuntu and not because they actually need those entries. (If I'm
   wrong, we probably should move those to userns.conf then).

Additional investigation and changes to reduce the config delta between
distros would be appreciated. In practice, I only expect lxc.cap.drop
and lxc.mount.entry to really vary between distros (depending on the
init system); the rest should be mostly common.

I'm marking this as RFC because I haven't done any testing on this yet
and I've got to work on something else right now. I'd appreciate the
input from the affected template maintainers!

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 config/templates/Makefile.am               |  4 ++-
 config/templates/centos.common.conf.in     | 30 +++------------------
 config/templates/centos.userns.conf.in     | 22 ++--------------
 config/templates/common.conf.in            | 35 +++++++++++++++++++++++++
 config/templates/debian.common.conf.in     | 36 +++++--------------------
 config/templates/debian.userns.conf.in     | 14 ++--------
 config/templates/fedora.common.conf.in     | 34 +++---------------------
 config/templates/fedora.userns.conf.in     | 22 ++--------------
 config/templates/gentoo.common.conf.in     | 42 ++++++------------------------
 config/templates/gentoo.moresecure.conf.in | 33 +++--------------------
 config/templates/gentoo.userns.conf.in     | 21 ++-------------
 config/templates/opensuse.common.conf.in   | 32 ++++-------------------
 config/templates/opensuse.userns.conf.in   | 22 ++--------------
 config/templates/oracle.common.conf.in     | 28 +++-----------------
 config/templates/oracle.userns.conf.in     | 21 ++-------------
 config/templates/plamo.common.conf.in      | 26 +++++-------------
 config/templates/plamo.userns.conf.in      | 14 ++--------
 config/templates/ubuntu.common.conf.in     | 32 +++--------------------
 config/templates/ubuntu.userns.conf.in     | 17 ++----------
 config/templates/userns.conf.in            | 15 +++++++++++
 configure.ac                               |  2 ++
 hooks/clonehostname                        |  4 ++-
 22 files changed, 117 insertions(+), 389 deletions(-)
 create mode 100644 config/templates/common.conf.in
 create mode 100644 config/templates/userns.conf.in

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index d0b1c87..d48384f 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -3,6 +3,7 @@ templatesconfigdir=@LXCTEMPLATECONFIG@
 templatesconfig_DATA = \
 	centos.common.conf \
 	centos.userns.conf \
+	common.conf \
 	debian.common.conf \
 	debian.userns.conf \
 	fedora.common.conf \
@@ -21,4 +22,5 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.userns.conf
+	ubuntu.userns.conf \
+	userns.conf
diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
index c0e6816..4ce2fda 100644
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
@@ -1,16 +1,9 @@
-# Taken from the oracle.common.conf.in
-# Console settings
-
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
 
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override setfcap setpcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
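Review bot: the effective drop set survives only because lxc.cap.drop accumulates across the lxc.include: common.conf contributes mac_admin mac_override sys_time sys_module and this line adds setfcap setpcap sys_nice sys_pacct sys_rawio, which together equal the nine capabilities removed above. A one-line comment stating that this list is additive to common.conf would stop a later editor from "restoring" the common ones here or assuming this line replaces them. The same check applies to the fedora, opensuse and oracle overlays below.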
diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
index f6de0e9..707bb30 100644
--- a/config/templates/centos.userns.conf.in
+++ b/config/templates/centos.userns.conf.in
@@ -1,20 +1,2 @@
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
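Review bot: this hunk drops the efivars and binfmt_misc bind-mounts, which userns.conf does not carry, so CentOS unprivileged containers lose them on the assumption the commit message flags as untested. Keeping the two lxc.mount.entry lines in this overlay, as ubuntu.userns.conf.in still does, until the CentOS maintainer confirms they are unneeded would make this file a pure refactor; the same applies to the fedora, gentoo, opensuse and oracle userns files below.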
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
new file mode 100644
index 0000000..1616b4f
--- /dev/null
+++ b/config/templates/common.conf.in
@@ -0,0 +1,35 @@
+# Default configuration shared by all containers
+
+# Setup the LXC devices in /dev/lxc/
+lxc.devttydir = lxc
+
+# Allow for 1024 pseudo terminals
+lxc.pts = 1024
+
+# Setup 4 tty devices
+lxc.tty = 4
+
+# Drop some harmful capabilities
+lxc.cap.drop = mac_admin mac_override sys_time sys_module
+
+# Set the pivot directory
+lxc.pivotdir = lxc_putold
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 5:1 rwm	# /dev/console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
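Review bot: `lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console` is now granted to every template, whereas the centos, fedora, opensuse and oracle whitelists removed elsewhere in this patch never listed 5:1. The commit message mentions it, but it is a policy widening for those four and deserves a comment in this file (or an explicit entry in the four overlays instead) so the decision is visible where the rule lives rather than only in the history. Minor: "Setup" in the two comments should be "Set up".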
diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index 09e5c40..e1d421f 100644
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -1,18 +1,14 @@
-# Default pivot location
-lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
-
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+#lxc.mount.auto = cgroup:mixed
 
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
 #lxc.aa_profile = lxc-container-default-with-mounting
 
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
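Review bot: replacing `#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups` with `#lxc.mount.auto = cgroup:mixed` changes the documented nesting advice and is unrelated to the de-duplication; it is also absent from the commit message's summary of user-visible changes. Either list it there or move it to a separate commit so the refactor stays mechanically verifiable.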
diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
index 3e9600d..707bb30 100644
--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
@@ -1,12 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
index 31b23a4..acebe3c 100644
--- a/config/templates/fedora.common.conf.in
+++ b/config/templates/fedora.common.conf.in
@@ -1,15 +1,5 @@
-# Taken from the oracle.common.conf.in
-# Console settings
-
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
-
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
@@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
index f6de0e9..707bb30 100644
--- a/config/templates/fedora.userns.conf.in
+++ b/config/templates/fedora.userns.conf.in
@@ -1,20 +1,2 @@
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index 5a8b231..7b96672 100644
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -1,54 +1,28 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
 # Gentoo common default configuration
 # This is the most feature-full container configuration
 # But security is not the goal.
 # Looking for more security, see gentoo.moresecure.conf
 
-# sysfs
+# Default mount entries
 lxc.mount.entry=sys sys sysfs defaults 0 0
 
-# console access
-lxc.pts = 1024
-
-# this part is based on 'linux capabilities', see: man 7 capabilities
-#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
-
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
+#lxc.cgroup.devices.allow = b 7:* rwm
diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
index da68562..238303d 100644
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -1,3 +1,6 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
 # Gentoo security oriented default configuration
 # This is a more security oriented container configuration
 # "More" because this is far from fully secure
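Review bot: gentoo.common.conf.in gains `lxc.devttydir =` with the note that Gentoo doesn't support consoles in /dev/lxc/, but this file only adds the include, so the moresecure variant now inherits `lxc.devttydir = lxc` from common.conf. If the limitation is a property of the distro rather than of the profile, the same override belongs here.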
@@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
 
-# console access
-lxc.pts = 1024
-
 # this part is based on 'linux capabilities', see: man 7 capabilities
 #  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
 #
@@ -31,29 +31,4 @@ lxc.pts = 1024
 # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
 # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
 
-lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
-
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rw
-lxc.cgroup.devices.allow = c 1:5 rw
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rw
-lxc.cgroup.devices.allow = c 1:8 r
-# /dev/pts/*
-lxc.cgroup.devices.allow = c 136:* rw
-lxc.cgroup.devices.allow = c 5:2 rw
-# /dev/tty{0,1}
-lxc.cgroup.devices.allow = c 4:1 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-# /dev/tty
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/console
-lxc.cgroup.devices.allow = c 5:1 rwm
\ No newline at end of file
+lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
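Review bot: the device policy of the "more secure" profile is widened rather than preserved. The deleted list granted `c 1:3 rw` / `c 1:5 rw` without mknod and `c 1:8 r` (read-only /dev/random), and had no `c *:* m` / `b *:* m` wildcard mknod entries, while common.conf grants rwm on all of these plus wildcard mknod and /dev/full; conversely `c 4:0 rwm` and `c 4:1 rwm` (/dev/tty0, /dev/tty1) are no longer granted anywhere. Since this file exists to be stricter than gentoo.common, it should either keep its own block after the include (an empty `lxc.cgroup.devices.allow =`, as userns.conf uses, resets the inherited list before re-listing the narrower grants) or state the relaxation in the commit message.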
diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in
index 5643744..707bb30 100644
--- a/config/templates/gentoo.userns.conf.in
+++ b/config/templates/gentoo.userns.conf.in
@@ -1,19 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
index 1585fb8..4026975 100644
--- a/config/templates/opensuse.common.conf.in
+++ b/config/templates/opensuse.common.conf.in
@@ -1,13 +1,8 @@
-lxc.autodev = 1
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# Enable autodev
+lxc.autodev = 1
 
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
@@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
 # lxc.cap.drop = setfcap
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in
index f6de0e9..707bb30 100644
--- a/config/templates/opensuse.userns.conf.in
+++ b/config/templates/opensuse.userns.conf.in
@@ -1,20 +1,2 @@
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
index ddcdc88..ec5ae94 100644
--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
@@ -1,14 +1,9 @@
-# Console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
 
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
index 5643744..707bb30 100644
--- a/config/templates/oracle.userns.conf.in
+++ b/config/templates/oracle.userns.conf.in
@@ -1,19 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
index 50783c3..483a556 100644
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -1,26 +1,14 @@
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount
 lxc.mount.auto = proc sys cgroup
 
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-# rtc
+# Extra cgroup device access
+## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-# fuse
+## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
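Review bot: the plamo whitelist removed here had no `c *:* m` / `b *:* m` wildcard mknod entries and no `c 1:7` (/dev/full); all three now arrive via common.conf. If that is intended for Plamo it is worth a line in the commit message's summary of cgroup changes, otherwise the overlay needs to reset the inherited list before adding its own entries.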
diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in
index 3e9600d..707bb30 100644
--- a/config/templates/plamo.userns.conf.in
+++ b/config/templates/plamo.userns.conf.in
@@ -1,12 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 1ec323f..631b4bb 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -1,5 +1,5 @@
-# Default pivot location
-lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
@@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
 
-# Default console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # devices below in lxc.cgroup.devices.allow.
 #lxc.aa_profile = lxc-container-default-with-mounting
 
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index 5643744..0d73464 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -1,18 +1,5 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
 
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
new file mode 100644
index 0000000..5dc19c7
--- /dev/null
+++ b/config/templates/userns.conf.in
@@ -0,0 +1,15 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
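Review bot: the empty `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` lines only undo the whitelist if this file is processed after common.conf, i.e. a container config must include <distro>.common.conf before <distro>.userns.conf. A header comment stating that ordering requirement would prevent the silent failure where an unprivileged container inherits `lxc.cgroup.devices.deny = a` and the devices cgroup cannot be applied for lack of CAP_SYS_ADMIN in the init user namespace, as the first comment line already warns.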
diff --git a/configure.ac b/configure.ac
index 5ade4b5..fcc1402 100644
--- a/configure.ac
+++ b/configure.ac
@@ -583,6 +583,7 @@ AC_CONFIG_FILES([
 	config/templates/Makefile
 	config/templates/centos.common.conf
 	config/templates/centos.userns.conf
+	config/templates/common.conf
 	config/templates/debian.common.conf
 	config/templates/debian.userns.conf
 	config/templates/fedora.common.conf
@@ -602,6 +603,7 @@ AC_CONFIG_FILES([
 	config/templates/ubuntu.common.conf
 	config/templates/ubuntu.lucid.conf
 	config/templates/ubuntu.userns.conf
+	config/templates/userns.conf
 	config/yum/Makefile
 
 	doc/Makefile
diff --git a/hooks/clonehostname b/hooks/clonehostname
index 8865c2d..e5676af 100755
--- a/hooks/clonehostname
+++ b/hooks/clonehostname
@@ -20,7 +20,9 @@
 # Note that /etc/hostname is updated by lxc itself
 for file in \
     $LXC_ROOTFS_PATH/etc/sysconfig/network \
-    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ;
+    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
+    $LXC_ROOTFS_PATH/etc/hostname \
+    $LXC_ROOTFS_PATH/etc/hosts ;
 do
     if [ -f $file ]; then
         sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file
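Review bot: the context line `# Note that /etc/hostname is updated by lxc itself` now contradicts the hunk, which adds `$LXC_ROOTFS_PATH/etc/hostname` to the rewrite list; drop the comment or say why the hook rewrites it too. Separately, the unchanged `sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file` is an unanchored substring replacement without the `g` flag, which matters more now that /etc/hosts is in the list: a source name that is a prefix of another host entry is mangled, and a line naming the source twice is only partly renamed. Anchoring on word boundaries, adding `g`, and quoting `"$file"` would tighten this.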
-- 
1.9.1
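The overlay mechanism the commit message describes (a template config is an lxc.include of common.conf plus per-distro overrides) can be checked mechanically, which is what an untested RFC of this size needs. The Python resolver below is an added example, not part of the patch or of LXC's own code. It models the include/override semantics the patch relies on (a scalar key assigned again overrides the earlier value; list keys such as lxc.cap.drop and lxc.cgroup.devices.* accumulate across the include chain; an empty value clears the list, as userns.conf uses it) against constructed in-memory copies of common.conf, the old and new centos.common.conf and a trimmed userns.conf, then diffs the effective capability set and device whitelist before and after the refactor. Bare file names in place of @LXCTEMPLATECONFIG@, omitted comment blocks and stripping of trailing `# comment` text are simplifications of this example.

```python
"""Resolve an LXC config through its lxc.include chain and diff the result.
Constructed example, not LXC's parser: scalar keys override, list keys
accumulate across includes, and an empty value clears the list so far."""
from typing import Dict, List, Optional, Set, Union

Config = Dict[str, Union[str, List[str]]]
LIST_KEYS = {"lxc.cap.drop", "lxc.mount.entry",
             "lxc.cgroup.devices.allow", "lxc.cgroup.devices.deny"}

# Constructed in-memory files mirroring the patch; @LXCTEMPLATECONFIG@ is
# replaced by a bare file name and the explanatory comment blocks are omitted.
FILES: Dict[str, str] = {
    "common.conf": """\
lxc.devttydir = lxc
lxc.pts = 1024
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm   # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm   # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm   # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm   # /dev/tty
lxc.cgroup.devices.allow = c 5:1 rwm   # /dev/console
lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx
lxc.cgroup.devices.allow = c 1:8 rwm   # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm   # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
""",
    # centos.common.conf after the patch: an overlay on top of common.conf
    "centos.common.conf": """\
lxc.include = common.conf
lxc.mount.auto = proc:mixed sys:ro
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
""",
    # centos.common.conf before the patch: everything spelled out
    "centos.common.conf.old": """\
lxc.devttydir = lxc
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
""",
    # userns.conf, trimmed to the lines that exercise the clearing semantics
    "userns.conf": """\
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.devttydir =
""",
}


def resolve(name: str, files: Dict[str, str], cfg: Optional[Config] = None) -> Config:
    """Apply file `name` on top of `cfg`, expanding lxc.include in place."""
    cfg = {} if cfg is None else cfg
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "lxc.include":
            resolve(value, files, cfg)          # included file applies here
        elif key in LIST_KEYS:
            if value == "":
                cfg[key] = []                   # empty value clears the list
            else:
                cfg.setdefault(key, []).append(value)
        else:
            cfg[key] = value                    # scalar: last assignment wins
    return cfg


def cap_drop_set(cfg: Config) -> Set[str]:
    """lxc.cap.drop may be spread over several lines; flatten to one set."""
    return {c for line in cfg.get("lxc.cap.drop", []) for c in line.split()}


def device_delta(old: Config, new: Config) -> Set[str]:
    """Device whitelist entries that `new` grants and `old` did not."""
    return set(new.get("lxc.cgroup.devices.allow", [])) - set(old.get("lxc.cgroup.devices.allow", []))


if __name__ == "__main__":
    before = resolve("centos.common.conf.old", FILES)
    after = resolve("centos.common.conf", FILES)
    print("cap.drop preserved:", cap_drop_set(before) == cap_drop_set(after))
    print("devices newly allowed:", device_delta(before, after))   # {'c 5:1 rwm'}
    userns = resolve("userns.conf", FILES, resolve("centos.common.conf", FILES))
    print("unprivileged:", userns["lxc.cgroup.devices.allow"], repr(userns["lxc.devttydir"]))
```

Run against the real files, the same comparison (old single-file config versus include plus overlay) is the regression check to do once per template before merging; here it confirms the CentOS capability set is unchanged and that the only device-policy change is the /dev/console grant the commit message calls out, and that applying userns.conf after the common config empties the device whitelist and clears lxc.devttydir as intended.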