[lxc-devel] [PATCH] Reduce duplication in new style configs

Stéphane Graber stgraber at ubuntu.com
Tue Jun 24 20:13:26 UTC 2014


This is a rather massive cleanup of config/templates/*

As new templates were added, I've noticed that they pretty much all share
the tty/pts configs, some capabilities being dropped and most of the
cgroup configuration. All the userns configs were also almost identical.

As a result, this change introduces two new files:
 - common.conf.in
 - userns.conf.in

Each is included by the relevant <template>.<type>.conf.in templates;
this means that the individual per-template configs are now overlays on
top of the default config.

Once we see a specific key becoming popular, we ought to check whether
it should also be applied to the other templates and if more than 50% of
the templates have it set to the same value, that value ought to be
moved to the master config file and then overridden for the templates
that do not use it.

This change, while pretty big and scary, shouldn't be very visible from a
user point of view; the actual changes can be summarized as:
 - Extend clonehostname to work with Debian based distros and use it for
   all containers.
 - lxc.pivotdir is now set to lxc_putold for all templates, this means
   that instead of using /mnt in the container, lxc will create and use
   /lxc_putold instead. The reason for this is to avoid failures when the
   user bind-mounts something else on top of /mnt.
 - Some minor cgroup limit changes, the main one I remember is
   /dev/console now being writable by all of the redhat based containers.
   The rest of the set should be identical with additions in the per-distro
   ones.
 - Drop binfmtmisc and efivars bind-mounts for non-mountall based
   unprivileged containers as I assumed they got those from copy/paste
   from Ubuntu and not because they actually need those entries. (If I'm
   wrong, we probably should move those to userns.conf then).

Additional investigation and changes to reduce the config delta between
distros would be appreciated. In practice, I only expect lxc.cap.drop
and lxc.mount.entry to really vary between distros (depending on the
init system); the rest should be mostly common.

Diff from the RFC:
 - Add archlinux to the mix
 - Drop /etc/hostname from the clone hook

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 config/templates/Makefile.am               |  4 ++-
 config/templates/archlinux.common.conf.in  | 32 +++++++----------------
 config/templates/archlinux.userns.conf.in  | 22 ++--------------
 config/templates/centos.common.conf.in     | 30 +++------------------
 config/templates/centos.userns.conf.in     | 22 ++--------------
 config/templates/common.conf.in            | 35 +++++++++++++++++++++++++
 config/templates/debian.common.conf.in     | 36 +++++--------------------
 config/templates/debian.userns.conf.in     | 14 ++--------
 config/templates/fedora.common.conf.in     | 34 +++---------------------
 config/templates/fedora.userns.conf.in     | 22 ++--------------
 config/templates/gentoo.common.conf.in     | 42 ++++++------------------------
 config/templates/gentoo.moresecure.conf.in | 33 +++--------------------
 config/templates/gentoo.userns.conf.in     | 21 ++-------------
 config/templates/opensuse.common.conf.in   | 32 ++++-------------------
 config/templates/opensuse.userns.conf.in   | 22 ++--------------
 config/templates/oracle.common.conf.in     | 28 +++-----------------
 config/templates/oracle.userns.conf.in     | 21 ++-------------
 config/templates/plamo.common.conf.in      | 26 +++++-------------
 config/templates/plamo.userns.conf.in      | 14 ++--------
 config/templates/ubuntu.common.conf.in     | 32 +++--------------------
 config/templates/ubuntu.userns.conf.in     | 17 ++----------
 config/templates/userns.conf.in            | 15 +++++++++++
 configure.ac                               |  2 ++
 hooks/clonehostname                        |  3 ++-
 24 files changed, 128 insertions(+), 431 deletions(-)
 create mode 100644 config/templates/common.conf.in
 create mode 100644 config/templates/userns.conf.in

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 3db2269..61b4b45 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -7,6 +7,7 @@ templatesconfig_DATA = \
 	archlinux.userns.conf \
 	centos.common.conf \
 	centos.userns.conf \
+	common.conf \
 	debian.common.conf \
 	debian.userns.conf \
 	fedora.common.conf \
@@ -25,5 +26,6 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
+	ubuntu.priv.seccomp \
 	ubuntu.userns.conf \
-	ubuntu.priv.seccomp
+	userns.conf
diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
index 2c49299..7c950e7 100644
--- a/config/templates/archlinux.common.conf.in
+++ b/config/templates/archlinux.common.conf.in
@@ -1,11 +1,16 @@
-# Based on fedora.common.conf.in
-# Console settings
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
-lxc.autodev = 1
+# Allow for 6 tty devices by default
 lxc.tty = 6
-lxc.pts = 1024
+
+# Turn on autodev for systemd
+lxc.autodev = 1
+
+# Disable kmsg
 lxc.kmsg = 0
 
+# Set the halt/stop signals
 lxc.haltsignal=SIGRTMIN+4
 lxc.stopsignal=SIGRTMIN+14
 
@@ -30,21 +35,4 @@ lxc.mount.auto = proc:mixed sys:ro
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
 #
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-6] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
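Review bot: the single `lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio` line only preserves the old set because `lxc.cap.drop` accumulates across the include: `mac_admin mac_override sys_time sys_module` now come from common.conf, and the union matches the four lines removed above. A short comment saying that the inherited drops are added to, not replaced, would spare the next reader from diffing this file against common.conf. Note also that archlinux picks up `c 5:1 rwm` (/dev/console) from the shared whitelist, which its old list did not grant; the commit message only lists that change for the Red Hat based templates.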
diff --git a/config/templates/archlinux.userns.conf.in b/config/templates/archlinux.userns.conf.in
index 28b03fa..707bb30 100644
--- a/config/templates/archlinux.userns.conf.in
+++ b/config/templates/archlinux.userns.conf.in
@@ -1,20 +1,2 @@
-# Based on fedora.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
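Review bot: the old file cleared `lxc.cgroup.devices.deny` / `lxc.cgroup.devices.allow` and reset `lxc.devttydir` to empty before adding its bind-mounts; those resets only take effect if the new userns.conf (not shown in this patch) carries them and if the template includes the `.userns.conf` after the `.common.conf`, because common.conf now sets `lxc.devttydir = lxc` and a full device whitelist that an unprivileged container cannot apply. A comment in userns.conf stating that ordering requirement would make the overlay scheme harder to get wrong.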
diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
index c0e6816..4ce2fda 100644
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
@@ -1,16 +1,9 @@
-# Taken from the oracle.common.conf.in
-# Console settings
-
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
 
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override setfcap setpcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
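Review bot: the capability set is preserved (common.conf's `mac_admin mac_override sys_time sys_module` plus the remaining `setfcap setpcap sys_nice sys_pacct sys_rawio` equal the four lines removed), but the device whitelist is not: this template had no `c 5:1` entry before and now inherits `c 5:1 rwm` (/dev/console) from common.conf. That is the /dev/console change the commit message flags for Red Hat based containers; if it is wanted only there, a per-template `lxc.cgroup.devices.allow = c 5:1 rwm` would be more explicit than widening the shared default for every template.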
diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
index f6de0e9..707bb30 100644
--- a/config/templates/centos.userns.conf.in
+++ b/config/templates/centos.userns.conf.in
@@ -1,20 +1,2 @@
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
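Review bot: the two bind-mounts removed here, `/sys/firmware/efi/efivars` and `/proc/sys/fs/binfmt_misc`, were both marked `optional`, so keeping them costs nothing on hosts that lack those filesystems. Given that the commit message itself is unsure whether non-Ubuntu guests need them, carrying them in userns.conf as optional entries (and letting a template override them if it must) looks safer than dropping them from centos, fedora, opensuse, oracle and gentoo at once and waiting for a bug report.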
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
new file mode 100644
index 0000000..1616b4f
--- /dev/null
+++ b/config/templates/common.conf.in
@@ -0,0 +1,35 @@
+# Default configuration shared by all containers
+
+# Setup the LXC devices in /dev/lxc/
+lxc.devttydir = lxc
+
+# Allow for 1024 pseudo terminals
+lxc.pts = 1024
+
+# Setup 4 tty devices
+lxc.tty = 4
+
+# Drop some harmful capabilities
+lxc.cap.drop = mac_admin mac_override sys_time sys_module
+
+# Set the pivot directory
+lxc.pivotdir = lxc_putold
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 5:1 rwm	# /dev/console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
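Review bot: this file is now the base that every template overlays, so it should say which keys accumulate and which get replaced: `lxc.cap.drop` and `lxc.cgroup.devices.allow` are lists that later lines add to, whereas `lxc.tty`, `lxc.devttydir` and `lxc.pivotdir` are overwritten by the last assignment (the templates below rely on both behaviours, e.g. archlinux sets `lxc.tty = 6` and debian sets `lxc.devttydir =`). Two smaller points: `c 5:1 rwm` (/dev/console) is new for several templates that did not grant it before, and the trailing `# /dev/null` style comments on value lines, carried over from the fedora/oracle files, only work because the devices cgroup parser stops after three access characters; an entry such as `c 254:0 rm` with a trailing comment would be rejected. Putting device comments on their own lines, as the debian file does, avoids that trap.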
diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index 09e5c40..e1d421f 100644
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -1,18 +1,14 @@
-# Default pivot location
-lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
-
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+#lxc.mount.auto = cgroup:mixed
 
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
 #lxc.aa_profile = lxc-container-default-with-mounting
 
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
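Review bot: replacing `#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups` with `#lxc.mount.auto = cgroup:mixed` in the nesting hint is a change of advice unrelated to the deduplication and is not mentioned in the commit message; if the mountcgroups hook is considered superseded, say so in the message and make the same swap in the other templates that carry this apparmor comment block (ubuntu.common.conf.in has the same section), otherwise the two files will give different nesting instructions. The device removals here are consistent with common.conf: `1:7` (/dev/full) and the null/zero/console/random/pts entries all reappear there with the same `rwm` access.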
diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
index 3e9600d..707bb30 100644
--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
@@ -1,12 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
index 31b23a4..acebe3c 100644
--- a/config/templates/fedora.common.conf.in
+++ b/config/templates/fedora.common.conf.in
@@ -1,15 +1,5 @@
-# Taken from the oracle.common.conf.in
-# Console settings
-
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
-
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
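Review bot: the commented-out `# lxc.mount.auto = proc:mixed sys:ro` hint disappears here (and in opensuse.common.conf.in) while centos and oracle keep the same line active; if Fedora cannot use `proc:mixed sys:ro`, a one-line comment saying why would save the next person from trying it, and if it can, enabling it would shrink the per-template delta the commit message asks for.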
@@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
index f6de0e9..707bb30 100644
--- a/config/templates/fedora.userns.conf.in
+++ b/config/templates/fedora.userns.conf.in
@@ -1,20 +1,2 @@
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index 5a8b231..7b96672 100644
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -1,54 +1,28 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
 # Gentoo common default configuration
 # This is the most feature-full container configuration
 # But security is not the goal.
 # Looking for more security, see gentoo.moresecure.conf
 
-# sysfs
+# Default mount entries
 lxc.mount.entry=sys sys sysfs defaults 0 0
 
-# console access
-lxc.pts = 1024
-
-# this part is based on 'linux capabilities', see: man 7 capabilities
-#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
-
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
+#lxc.cgroup.devices.allow = b 7:* rwm
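Review bot: the removed comment block explaining the devices syntax (`format is [c|b] [major|*]:[minor|*] [r][w][m]`) was the only place in these templates that documented it; rather than losing it, move it into common.conf.in next to the shared whitelist. Behaviour also changes a little beyond what the commit message lists: the old gentoo file never set `lxc.tty`, `lxc.devttydir` or `lxc.pivotdir`, so it now gets `lxc.tty = 4` and `lxc_putold` from common.conf and resets `lxc.devttydir` to empty; the last two are covered by the message, the new tty count is not.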
diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
index da68562..238303d 100644
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -1,3 +1,6 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
 # Gentoo security oriented default configuration
 # This is a more security oriented container configuration
 # "More" because this is far from fully secure
@@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
 
-# console access
-lxc.pts = 1024
-
 # this part is based on 'linux capabilities', see: man 7 capabilities
 #  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
 #
@@ -31,29 +31,4 @@ lxc.pts = 1024
 # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
 # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
 
-lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
-
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rw
-lxc.cgroup.devices.allow = c 1:5 rw
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rw
-lxc.cgroup.devices.allow = c 1:8 r
-# /dev/pts/*
-lxc.cgroup.devices.allow = c 136:* rw
-lxc.cgroup.devices.allow = c 5:2 rw
-# /dev/tty{0,1}
-lxc.cgroup.devices.allow = c 4:1 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-# /dev/tty
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/console
-lxc.cgroup.devices.allow = c 5:1 rwm
\ No newline at end of file
+lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
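Review bot: this hunk makes the "more secure" profile less restrictive than before, which contradicts the file's stated purpose and the commit message's "identical with additions". The removed whitelist granted no mknod at all, `/dev/random` read-only (`c 1:8 r`), no `/dev/full`, and `rw` rather than `rwm` on null/zero/urandom/pts; common.conf now supplies `c *:* m`, `b *:* m`, `c 1:7 rwm` and `rwm` everywhere (the dropped `mknod` capability blunts the mknod grant, but the cgroup was meant as a second layer). It also loses access the old file granted: `c 4:0 rwm` and `c 4:1 rwm` (/dev/tty0, /dev/tty1) are not in common.conf. Because entries are applied in order, the old policy can be restored after the include with `lxc.cgroup.devices.allow =` (an empty value clears the inherited list, as the old userns files relied on), then `lxc.cgroup.devices.deny = a` and the original explicit entries; at a minimum the two tty lines need adding back.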
diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in
index 5643744..707bb30 100644
--- a/config/templates/gentoo.userns.conf.in
+++ b/config/templates/gentoo.userns.conf.in
@@ -1,19 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
index 1585fb8..4026975 100644
--- a/config/templates/opensuse.common.conf.in
+++ b/config/templates/opensuse.common.conf.in
@@ -1,13 +1,8 @@
-lxc.autodev = 1
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# Enable autodev
+lxc.autodev = 1
 
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
@@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
 # lxc.cap.drop = setfcap
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in
index f6de0e9..707bb30 100644
--- a/config/templates/opensuse.userns.conf.in
+++ b/config/templates/opensuse.userns.conf.in
@@ -1,20 +1,2 @@
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
index ddcdc88..ec5ae94 100644
--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
@@ -1,14 +1,9 @@
-# Console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
 
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
index 5643744..707bb30 100644
--- a/config/templates/oracle.userns.conf.in
+++ b/config/templates/oracle.userns.conf.in
@@ -1,19 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
index 50783c3..483a556 100644
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -1,26 +1,14 @@
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount
 lxc.mount.auto = proc sys cgroup
 
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-# rtc
+# Extra cgroup device access
+## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-# fuse
+## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
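Review bot: plamo's old whitelist had no `c *:* m` / `b *:* m` mknod entries and no `c 1:7` (/dev/full); both now arrive via common.conf, so this template gains the ability to mknod arbitrary device nodes (subject to the `mknod` capability, which plamo does not drop) where it previously could not. That fits the "additions" clause of the commit message, but it is a loosening rather than a neutral move and deserves a line there; if plamo wants its old tighter policy, it can clear and redefine the list after the include with `lxc.cgroup.devices.allow =` followed by `lxc.cgroup.devices.deny = a` and the entries it had.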
diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in
index 3e9600d..707bb30 100644
--- a/config/templates/plamo.userns.conf.in
+++ b/config/templates/plamo.userns.conf.in
@@ -1,12 +1,2 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index a61ed79..ee008e2 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -1,5 +1,5 @@
-# Default pivot location
-lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
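Review bot: `lxc.pivotdir = lxc_putold` is removed here with no replacement in this file, so the value now has to come from common.conf. The `lxc.include` is placed as the first statement, which is the right position: single-valued keys are last-one-wins, so anything this template wants to override must come after the include. A short comment saying the include must stay first would stop a later edit from moving it below a per-template override.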
@@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
 
-# Default console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
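Review bot: the removed `lxc.devttydir = lxc` has no replacement anywhere in the ubuntu hunks, so Ubuntu containers keep their `/dev/lxc/` consoles only if common.conf sets `lxc.devttydir = lxc`. The `lxc.devttydir =` override added to plamo.common.conf.in suggests that is the case, but it is worth confirming against common.conf.in, since losing the setting here would not produce any error, only consoles created directly under `/dev/`.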
@@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # devices below in lxc.cgroup.devices.allow.
 #lxc.aa_profile = lxc-container-default-with-mounting
 
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
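Review bot: with `lxc.cgroup.devices.deny = a` gone from this file, the remaining allow lines (rtc, fuse, tun, hpet, kvm) are correct only because the deny arrives first via the `lxc.include` at the top; device cgroup rules are applied in order, so that include must never move below these lines. Separately, the dropped `## Allow any mknod` pair (`c *:* m`, `b *:* m`) and the `## full` entry (`c 1:7 rwm`) have no replacement in this file; confirm common.conf carries all three, otherwise Ubuntu containers lose the ability to mknod and to open /dev/full, which package post-install scripts rely on.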
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index c744b1d..e25270c 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -1,18 +1,5 @@
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
 
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
new file mode 100644
index 0000000..5dc19c7
--- /dev/null
+++ b/config/templates/userns.conf.in
@@ -0,0 +1,15 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
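Review bot: the empty `lxc.cgroup.devices.deny =` and `lxc.cgroup.devices.allow =` assignments clear the lists built up by earlier lines, so this file only has its intended effect when it is processed after common.conf and after any per-template allow entries. The `lxc.include` of this file sits at the top of each `<template>.userns.conf.in`, so the real ordering is decided by the order in which each template script includes the common and userns configs. A comment at the top of this file stating that it must be included after common.conf would document that dependency for anyone adding a new template.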
diff --git a/configure.ac b/configure.ac
index 1a27e1f..baeb4a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -598,6 +598,7 @@ AC_CONFIG_FILES([
 	config/templates/archlinux.userns.conf
 	config/templates/centos.common.conf
 	config/templates/centos.userns.conf
+	config/templates/common.conf
 	config/templates/debian.common.conf
 	config/templates/debian.userns.conf
 	config/templates/fedora.common.conf
@@ -617,6 +618,7 @@ AC_CONFIG_FILES([
 	config/templates/ubuntu.common.conf
 	config/templates/ubuntu.lucid.conf
 	config/templates/ubuntu.userns.conf
+	config/templates/userns.conf
 	config/yum/Makefile
 
 	doc/Makefile
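Review bot: these two `AC_CONFIG_FILES` entries only generate `common.conf` and `userns.conf` from their `.in` templates; the per-template configs reference them at `@LXCTEMPLATECONFIG@/common.conf` and `@LXCTEMPLATECONFIG@/userns.conf`, so both files also need to be in the install list for that directory (the config/templates Makefile.am is not part of these hunks). Without that, every `lxc.include` added in this patch points at a file that exists in the build tree but not on the installed system.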
diff --git a/hooks/clonehostname b/hooks/clonehostname
index 8865c2d..ed2765c 100755
--- a/hooks/clonehostname
+++ b/hooks/clonehostname
@@ -20,7 +20,8 @@
 # Note that /etc/hostname is updated by lxc itself
 for file in \
     $LXC_ROOTFS_PATH/etc/sysconfig/network \
-    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ;
+    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
+    $LXC_ROOTFS_PATH/etc/hosts ;
 do
     if [ -f $file ]; then
         sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file
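Review bot: adding `/etc/hosts` to this loop extends an unanchored, first-match-only substitution to a file where the old name can legitimately appear as a substring of other hostnames and more than once per line. `s|$LXC_SRC_NAME|$LXC_NAME|` rewrites only the first occurrence on each line, so an alias list such as `127.0.1.1 web web.example` is only half-updated, and cloning a container named `web` also rewrites an unrelated `web-db` entry. Consider adding the `g` flag, anchoring on whitespace or line boundaries (for example `s|\(^\|[[:space:]]\)$LXC_SRC_NAME\([[:space:]]\|$\)|\1$LXC_NAME\2|g`), and quoting `"$file"` in both the test and the sed call.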
-- 
1.9.1


