[lxc-devel] [PATCH] Reduce duplication in new style configs
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Jun 24 20:27:20 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> This is a rather massive cleanup of config/templates/*
>
> As new templates were added, I've noticed that we pretty much all share
> the tty/pts configs, some capabilities being dropped and most of the
> cgroup configuration. All the userns configs were also almost identical.
>
> As a result, this change introduces two new files:
> - common.conf.in
> - userns.conf.in
>
> Each is included by the relevant <template>.<type>.conf.in templates;
> this means that the individual per-template configs are now overlays on
> top of the default config.
>
> Once we see a specific key becoming popular, we ought to check whether
> it should also be applied to the other templates and if more than 50% of
> the templates have it set to the same value, that value ought to be
> moved to the master config file and then overridden for the templates
> that do not use it.
>
> This change, while pretty big and scary, shouldn't be very visible from a
> user point of view; the actual changes can be summarized as:
> - Extend clonehostname to work with Debian based distros and use it for
> all containers.
> - lxc.pivotdir is now set to lxc_putold for all templates, this means
> that instead of using /mnt in the container, lxc will create and use
> /lxc_putold instead. The reason for this is to avoid failures when the
> user bind-mounts something else on top of /mnt.
> - Some minor cgroup limit changes, the main one I remember is
> /dev/console now being writable by all of the redhat based containers.
> The rest of the set should be identical with additions in the per-distro
> ones.
> - Drop binfmtmisc and efivars bind-mounts for non-mountall based
> unprivileged containers as I assumed they got those from copy/paste
> from Ubuntu and not because they actually need those entries. (If I'm
> wrong, we probably should move those to userns.conf then).
>
> Additional investigation and changes to reduce the config delta between
> distros would be appreciated. In practice, I only expect lxc.cap.drop
> and lxc.mount.entry to really vary between distros (depending on the
> init system), the rest should be mostly common.
>
> Diff from the RFC:
> - Add archlinux to the mix
> - Drop /etc/hostname from the clone hook
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/templates/Makefile.am | 4 ++-
> config/templates/archlinux.common.conf.in | 32 +++++++----------------
> config/templates/archlinux.userns.conf.in | 22 ++--------------
> config/templates/centos.common.conf.in | 30 +++------------------
> config/templates/centos.userns.conf.in | 22 ++--------------
> config/templates/common.conf.in | 35 +++++++++++++++++++++++++
> config/templates/debian.common.conf.in | 36 +++++--------------------
> config/templates/debian.userns.conf.in | 14 ++--------
> config/templates/fedora.common.conf.in | 34 +++---------------------
> config/templates/fedora.userns.conf.in | 22 ++--------------
> config/templates/gentoo.common.conf.in | 42 ++++++------------------------
> config/templates/gentoo.moresecure.conf.in | 33 +++--------------------
> config/templates/gentoo.userns.conf.in | 21 ++-------------
> config/templates/opensuse.common.conf.in | 32 ++++-------------------
> config/templates/opensuse.userns.conf.in | 22 ++--------------
> config/templates/oracle.common.conf.in | 28 +++-----------------
> config/templates/oracle.userns.conf.in | 21 ++-------------
> config/templates/plamo.common.conf.in | 26 +++++-------------
> config/templates/plamo.userns.conf.in | 14 ++--------
> config/templates/ubuntu.common.conf.in | 32 +++--------------------
> config/templates/ubuntu.userns.conf.in | 17 ++----------
> config/templates/userns.conf.in | 15 +++++++++++
> configure.ac | 2 ++
> hooks/clonehostname | 3 ++-
> 24 files changed, 128 insertions(+), 431 deletions(-)
> create mode 100644 config/templates/common.conf.in
> create mode 100644 config/templates/userns.conf.in
>
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 3db2269..61b4b45 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -7,6 +7,7 @@ templatesconfig_DATA = \
> archlinux.userns.conf \
> centos.common.conf \
> centos.userns.conf \
> + common.conf \
> debian.common.conf \
> debian.userns.conf \
> fedora.common.conf \
> @@ -25,5 +26,6 @@ templatesconfig_DATA = \
> ubuntu-cloud.userns.conf \
> ubuntu.common.conf \
> ubuntu.lucid.conf \
> + ubuntu.priv.seccomp \
> ubuntu.userns.conf \
> - ubuntu.priv.seccomp
> + userns.conf
> diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
> index 2c49299..7c950e7 100644
> --- a/config/templates/archlinux.common.conf.in
> +++ b/config/templates/archlinux.common.conf.in
> @@ -1,11 +1,16 @@
> -# Based on fedora.common.conf.in
> -# Console settings
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> -lxc.autodev = 1
> +# Allow for 6 tty devices by default
> lxc.tty = 6
> -lxc.pts = 1024
> +
> +# Turn on autodev for systemd
> +lxc.autodev = 1
> +
> +# Disable kmsg
> lxc.kmsg = 0
>
> +# Set the halt/stop signals
> lxc.haltsignal=SIGRTMIN+4
> lxc.stopsignal=SIGRTMIN+14
>
> @@ -30,21 +35,4 @@ lxc.mount.auto = proc:mixed sys:ro
> # lxc.cap.drop = audit_write
> # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
> #
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = setfcap
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-6] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
> +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
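Review bot: the devices whitelist removed here had no `c 5:1` entry, so archlinux now inherits rwm access to /dev/console from common.conf; the commit message attributes that change only to the redhat based containers and should list archlinux as well. Minor style point: the `#` separator line above `lxc.cap.drop` is kept as context in this hunk, while the centos, fedora, opensuse and oracle hunks remove theirs with `-#`; pick one form for all the templates.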
> diff --git a/config/templates/archlinux.userns.conf.in b/config/templates/archlinux.userns.conf.in
> index 28b03fa..707bb30 100644
> --- a/config/templates/archlinux.userns.conf.in
> +++ b/config/templates/archlinux.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Based on fedora.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
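Review bot: besides the binfmt_misc bind-mount that the commit message says is intentionally dropped for non-mountall distros, this hunk also removes `lxc.devttydir =` and the cleared `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` lines, and the same three lines disappear from every other userns overlay in the patch. Check that userns.conf.in carries all three: as the removed comments explain, an unprivileged container cannot use /dev/lxc/ bind-mounts or the devices cgroup without CAP_SYS_ADMIN in the initial user namespace, so inheriting `lxc.devttydir = lxc` and `lxc.cgroup.devices.deny = a` from common.conf would break container start rather than merely drop a mount.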
> diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
> index c0e6816..4ce2fda 100644
> --- a/config/templates/centos.common.conf.in
> +++ b/config/templates/centos.common.conf.in
> @@ -1,16 +1,9 @@
> -# Taken from the oracle.common.conf.in
> -# Console settings
> -
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> # Mount entries
> lxc.mount.auto = proc:mixed sys:ro
>
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> -
> # Capabilities
> # Uncomment these if you don't run anything that needs the capability, and
> # would like the container to run with less privilege.
> @@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> # lxc.cap.drop = setuid # breaks sshd,nfs statd
> # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
> # lxc.cap.drop = audit_write
> -#
> -lxc.cap.drop = mac_admin mac_override setfcap setpcap
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
> +lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
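Review bot: `lxc.cap.drop` accumulates across lines and across the include, so the effective set is unchanged (mac_admin, mac_override, sys_module and sys_time now come from common.conf, the other five from this line), but a reader of this file alone will take the new line as the complete list. A one-line comment above it saying it adds to the drops in common.conf would avoid that; the same applies to the archlinux, fedora, opensuse and oracle hunks.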
> diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
> index f6de0e9..707bb30 100644
> --- a/config/templates/centos.userns.conf.in
> +++ b/config/templates/centos.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Taken from the oracle.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
> new file mode 100644
> index 0000000..1616b4f
> --- /dev/null
> +++ b/config/templates/common.conf.in
> @@ -0,0 +1,35 @@
> +# Default configuration shared by all containers
> +
> +# Setup the LXC devices in /dev/lxc/
> +lxc.devttydir = lxc
> +
> +# Allow for 1024 pseudo terminals
> +lxc.pts = 1024
> +
> +# Setup 4 tty devices
> +lxc.tty = 4
> +
> +# Drop some harmful capabilities
> +lxc.cap.drop = mac_admin mac_override sys_time sys_module
> +
> +# Set the pivot directory
> +lxc.pivotdir = lxc_putold
> +
> +# Ensure hostname is changed on clone
> +lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +
> +# CGroup whitelist
> +lxc.cgroup.devices.deny = a
> +## Allow any mknod (but not reading/writing the node)
> +lxc.cgroup.devices.allow = c *:* m
> +lxc.cgroup.devices.allow = b *:* m
> +## Allow specific devices
> +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> +lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
> +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
> +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> +lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
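Review bot: the inline comments after the access field (`c 1:3 rwm # /dev/null`) are carried into the cgroup value as-is; they were already used in the fedora and oracle files, but they appear to work only because three access letters are consumed before the trailing text is reached, and the debian and gentoo hunks in this same patch instead put the comment on its own line above the entry (`## rtc`, then `c 254:0 rm`). Since this file is now the base for every template, use the own-line form here for consistency and for any future entry with fewer than three access letters. Also worth a comment in the file: `c 5:1 rwm` (/dev/console) and `c 1:7 rwm` (/dev/full) become allowed for templates that did not list them before, and `lxc.cgroup.devices.deny = a` must stay ahead of the allow lines because settings apply in order and the per-template overlays append after the include.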
> diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
> index 09e5c40..e1d421f 100644
> --- a/config/templates/debian.common.conf.in
> +++ b/config/templates/debian.common.conf.in
> @@ -1,18 +1,14 @@
> -# Default pivot location
> -lxc.pivotdir = lxc_putold
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
> +
> +# Doesn't support consoles in /dev/lxc/
> +lxc.devttydir =
>
> # Default mount entries
> lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> lxc.mount.entry = sysfs sys sysfs defaults 0 0
> lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
>
> -# Default console settings
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Default capabilities
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> -
> # When using LXC with apparmor, the container will be confined by default.
> # If you wish for it to instead run unconfined, copy the following line
> # (uncommented) to the container's configuration file.
> @@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
> # To support container nesting on an Ubuntu host while retaining most of
> # apparmor's added security, use the following two lines instead.
> #lxc.aa_profile = lxc-container-default-with-nesting
> -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> +#lxc.mount.auto = cgroup:mixed
>
> # If you wish to allow mounting block filesystems, then use the following
> # line instead, and make sure to grant access to the block device and/or loop
> # devices below in lxc.cgroup.devices.allow.
> #lxc.aa_profile = lxc-container-default-with-mounting
>
> -# Default cgroup limits
> -lxc.cgroup.devices.deny = a
> -## Allow any mknod (but not using the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -## /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -## consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -## /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -## /dev/pts/*
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> +# Extra cgroup device access
> ## rtc
> lxc.cgroup.devices.allow = c 254:0 rm
> ## fuse
> lxc.cgroup.devices.allow = c 10:229 rwm
> ## tun
> lxc.cgroup.devices.allow = c 10:200 rwm
> -## full
> -lxc.cgroup.devices.allow = c 1:7 rwm
> ## hpet
> lxc.cgroup.devices.allow = c 10:228 rwm
> ## kvm
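Review bot: the switch from `#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups` to `#lxc.mount.auto = cgroup:mixed` in the nesting advice is unrelated to the deduplication and is not listed in the commit message; either mention it there or move it to its own patch so the behaviour recommended to users for nesting is reviewed on its own. The rest of the hunk is fine: the remaining `lxc.cgroup.devices.allow` lines sit after the include, so common.conf's `lxc.cgroup.devices.deny = a` still precedes them.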
> diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
> index 3e9600d..707bb30 100644
> --- a/config/templates/debian.userns.conf.in
> +++ b/config/templates/debian.userns.conf.in
> @@ -1,12 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
> index 31b23a4..acebe3c 100644
> --- a/config/templates/fedora.common.conf.in
> +++ b/config/templates/fedora.common.conf.in
> @@ -1,15 +1,5 @@
> -# Taken from the oracle.common.conf.in
> -# Console settings
> -
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Mount entries
> -# lxc.mount.auto = proc:mixed sys:ro
> -
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> # Capabilities
> # Uncomment these if you don't run anything that needs the capability, and
> @@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
> # lxc.cap.drop = audit_write
> # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
> -#
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = setfcap
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
> +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
> diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
> index f6de0e9..707bb30 100644
> --- a/config/templates/fedora.userns.conf.in
> +++ b/config/templates/fedora.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Taken from the oracle.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
> index 5a8b231..7b96672 100644
> --- a/config/templates/gentoo.common.conf.in
> +++ b/config/templates/gentoo.common.conf.in
> @@ -1,54 +1,28 @@
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
> +
> # Gentoo common default configuration
> # This is the most feature-full container configuration
> # But security is not the goal.
> # Looking for more security, see gentoo.moresecure.conf
>
> -# sysfs
> +# Default mount entries
> lxc.mount.entry=sys sys sysfs defaults 0 0
>
> -# console access
> -lxc.pts = 1024
> -
> -# this part is based on 'linux capabilities', see: man 7 capabilities
> -# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
> -
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> +# Doesn't support consoles in /dev/lxc/
> +lxc.devttydir =
>
> -# deny access to all devices by default, explicitly grant some permissions
> -#
> -# format is [c|b] [major|*]:[minor|*] [r][w][m]
> -# ^ ^ ^
> -# char/block -' \`- device number \`-- read, write, mknod
> -#
> -# first deny all...
> -lxc.cgroup.devices.deny = a
> -## Allow any mknod (but not using the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -## /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -## consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -## /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -## /dev/pts/*
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> +# Extra cgroup device access
> ## rtc
> lxc.cgroup.devices.allow = c 254:0 rm
> ## fuse
> lxc.cgroup.devices.allow = c 10:229 rwm
> ## tun
> lxc.cgroup.devices.allow = c 10:200 rwm
> -## full
> -lxc.cgroup.devices.allow = c 1:7 rwm
> ## hpet
> lxc.cgroup.devices.allow = c 10:228 rwm
> ## kvm
> lxc.cgroup.devices.allow = c 10:232 rwm
> ## To use loop devices, copy the following line to the container's
> ## configuration file (uncommented).
> -#lxc.cgroup.devices.allow = b 7:* rwm
> \ No newline at end of file
> +#lxc.cgroup.devices.allow = b 7:* rwm
> diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
> index da68562..238303d 100644
> --- a/config/templates/gentoo.moresecure.conf.in
> +++ b/config/templates/gentoo.moresecure.conf.in
> @@ -1,3 +1,6 @@
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
> +
> # Gentoo security oriented default configuration
> # This is a more security oriented container configuration
> # "More" because this is far from fully secure
> @@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
> lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
> lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
>
> -# console access
> -lxc.pts = 1024
> -
> # this part is based on 'linux capabilities', see: man 7 capabilities
> # eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
> #
> @@ -31,29 +31,4 @@ lxc.pts = 1024
> # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
> # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
>
> -lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
> -
> -# deny access to all devices by default, explicitly grant some permissions
> -#
> -# format is [c|b] [major|*]:[minor|*] [r][w][m]
> -# ^ ^ ^
> -# char/block -' \`- device number \`-- read, write, mknod
> -#
> -# first deny all...
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rw
> -lxc.cgroup.devices.allow = c 1:5 rw
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:9 rw
> -lxc.cgroup.devices.allow = c 1:8 r
> -# /dev/pts/*
> -lxc.cgroup.devices.allow = c 136:* rw
> -lxc.cgroup.devices.allow = c 5:2 rw
> -# /dev/tty{0,1}
> -lxc.cgroup.devices.allow = c 4:1 rwm
> -lxc.cgroup.devices.allow = c 4:0 rwm
> -# /dev/tty
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -# /dev/console
> -lxc.cgroup.devices.allow = c 5:1 rwm
> \ No newline at end of file
> +lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
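Review bot: this hunk loosens the profile rather than just deduplicating it. The removed list granted no wildcard mknod (no `c *:* m` / `b *:* m`), only `rw` on null, zero, urandom and the ptys, only `r` on /dev/random, and no /dev/full at all; after the change the file has no devices lines, so it inherits common.conf's `rwm` on every listed node plus wildcard mknod, and it also loses the `c 4:0` / `c 4:1` (tty0, tty1) entries it used to allow. "Some minor cgroup limit changes" in the commit message does not cover that for a file whose stated purpose is to be more secure. Suggest keeping an overlay here: `lxc.cgroup.devices.deny = a` followed by the old allow lines, since a later `deny = a` clears the exceptions added by common.conf and settings apply in order, so the narrower list wins.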
> diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in
> index 5643744..707bb30 100644
> --- a/config/templates/gentoo.userns.conf.in
> +++ b/config/templates/gentoo.userns.conf.in
> @@ -1,19 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
> index 1585fb8..4026975 100644
> --- a/config/templates/opensuse.common.conf.in
> +++ b/config/templates/opensuse.common.conf.in
> @@ -1,13 +1,8 @@
> -lxc.autodev = 1
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Mount entries
> -# lxc.mount.auto = proc:mixed sys:ro
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +# Enable autodev
> +lxc.autodev = 1
>
> # Capabilities
> # Uncomment these if you don't run anything that needs the capability, and
> @@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> # lxc.cap.drop = audit_write
> # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
> # lxc.cap.drop = setfcap
> -#
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
> +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in
> index f6de0e9..707bb30 100644
> --- a/config/templates/opensuse.userns.conf.in
> +++ b/config/templates/opensuse.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Taken from the oracle.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
> index ddcdc88..ec5ae94 100644
> --- a/config/templates/oracle.common.conf.in
> +++ b/config/templates/oracle.common.conf.in
> @@ -1,14 +1,9 @@
> -# Console settings
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> # Mount entries
> lxc.mount.auto = proc:mixed sys:ro
>
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> -
> # Capabilities
> # Uncomment these if you don't run anything that needs the capability, and
> # would like the container to run with less privilege.
> @@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> # lxc.cap.drop = setuid # breaks sshd,nfs statd
> # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
> # lxc.cap.drop = audit_write
> -#
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
> +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
> index 5643744..707bb30 100644
> --- a/config/templates/oracle.userns.conf.in
> +++ b/config/templates/oracle.userns.conf.in
> @@ -1,19 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
> index 50783c3..483a556 100644
> --- a/config/templates/plamo.common.conf.in
> +++ b/config/templates/plamo.common.conf.in
> @@ -1,26 +1,14 @@
> -# Default console settings
> -lxc.tty = 4
> -lxc.pts = 1024
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> # Default mount
> lxc.mount.auto = proc sys cgroup
>
> -# Default capabilities
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> +# Doesn't support consoles in /dev/lxc/
> +lxc.devttydir =
>
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -# consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> -# rtc
> +# Extra cgroup device access
> +## rtc
> lxc.cgroup.devices.allow = c 254:0 rm
> -# fuse
> +## fuse
> lxc.cgroup.devices.allow = c 10:229 rwm
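Review bot: the device cgroup policy for plamo is no longer visible in this file and may have become looser. The removed list began with `lxc.cgroup.devices.deny = a` and allowed only specific nodes (1:3, 1:5, 5:0, 5:1, 1:8, 1:9, 5:2, 136:*); the old ubuntu.common list removed further down additionally allowed `c *:* m` and `b *:* m` (mknod of any node). If common.conf carries the ubuntu-style list, plamo gains the blanket mknod allowance it never had; if it carries the plamo-style list, Ubuntu loses it. Whichever was chosen should be stated in the commit message, and the `lxc.mount.auto = proc sys cgroup` kept here is fine only as long as common.conf does not also set `lxc.mount.auto`, since the two values would otherwise both apply.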
> diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in
> index 3e9600d..707bb30 100644
> --- a/config/templates/plamo.userns.conf.in
> +++ b/config/templates/plamo.userns.conf.in
> @@ -1,12 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index a61ed79..ee008e2 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -1,5 +1,5 @@
> -# Default pivot location
> -lxc.pivotdir = lxc_putold
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>
> # Default mount entries
> lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> @@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
> lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
> lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
>
> -# Default console settings
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Default capabilities
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> -
> # When using LXC with apparmor, the container will be confined by default.
> # If you wish for it to instead run unconfined, copy the following line
> # (uncommented) to the container's configuration file.
> @@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
> # devices below in lxc.cgroup.devices.allow.
> #lxc.aa_profile = lxc-container-default-with-mounting
>
> -# Default cgroup limits
> -lxc.cgroup.devices.deny = a
> -## Allow any mknod (but not using the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -## /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -## consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -## /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -## /dev/pts/*
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> +# Extra cgroup device access
> ## rtc
> lxc.cgroup.devices.allow = c 254:0 rm
> ## fuse
> lxc.cgroup.devices.allow = c 10:229 rwm
> ## tun
> lxc.cgroup.devices.allow = c 10:200 rwm
> -## full
> -lxc.cgroup.devices.allow = c 1:7 rwm
> ## hpet
> lxc.cgroup.devices.allow = c 10:228 rwm
> ## kvm
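Review bot: the AppArmor comment kept at the top of this hunk ("devices below in lxc.cgroup.devices.allow") now points at an incomplete list: the `lxc.cgroup.devices.deny = a` line and the base allowances (including `c *:* m` / `b *:* m`) have moved to common.conf, and only the extras remain here. Please reword it to point at the included common.conf as well. Separately, the `## full` entry `c 1:7 rwm` is removed without a replacement in this file; since userns.conf bind-mounts /dev/full, confirm common.conf allows 1:7, otherwise the node exists but cannot be opened in privileged containers.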
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index c744b1d..e25270c 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -1,18 +1,5 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
>
> # Extra fstab entries as mountall can't mount those by itself
> lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
> new file mode 100644
> index 0000000..5dc19c7
> --- /dev/null
> +++ b/config/templates/userns.conf.in
> @@ -0,0 +1,15 @@
> +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> +lxc.cgroup.devices.deny =
> +lxc.cgroup.devices.allow =
> +
> +# We can't move bind-mounts, so don't use /dev/lxc/
> +lxc.devttydir =
> +
> +# Extra bind-mounts for userns
> +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> +lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
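Review bot: the empty assignments `lxc.cgroup.devices.deny =` and `lxc.cgroup.devices.allow =` only do their job if this file is parsed after the common config that populated those lists, and nothing in the file says so. The header comment explains why the lists must be empty (no CAP_SYS_ADMIN in the init user namespace) but not that an empty value clears entries accumulated so far; please extend it to "clears the lists set by common.conf; this file must be included after it", since every <template>.userns.conf now relies on that ordering. Same for `lxc.devttydir =`, which overrides the value common.conf sets.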
> diff --git a/configure.ac b/configure.ac
> index 1a27e1f..baeb4a2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -598,6 +598,7 @@ AC_CONFIG_FILES([
> config/templates/archlinux.userns.conf
> config/templates/centos.common.conf
> config/templates/centos.userns.conf
> + config/templates/common.conf
> config/templates/debian.common.conf
> config/templates/debian.userns.conf
> config/templates/fedora.common.conf
> @@ -617,6 +618,7 @@ AC_CONFIG_FILES([
> config/templates/ubuntu.common.conf
> config/templates/ubuntu.lucid.conf
> config/templates/ubuntu.userns.conf
> + config/templates/userns.conf
> config/yum/Makefile
>
> doc/Makefile
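Review bot: adding config/templates/common.conf and config/templates/userns.conf to AC_CONFIG_FILES makes configure generate them, but nothing in this patch shows them being added to the install list in config/templates/Makefile.am. The new `lxc.include = @LXCTEMPLATECONFIG@/common.conf` and `@LXCTEMPLATECONFIG@/userns.conf` lines resolve against the installed template config directory, so if that Makefile.am change is missing every template config fails at include time after `make install`; please either include that hunk or note that it is already in place.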
> diff --git a/hooks/clonehostname b/hooks/clonehostname
> index 8865c2d..ed2765c 100755
> --- a/hooks/clonehostname
> +++ b/hooks/clonehostname
> @@ -20,7 +20,8 @@
> # Note that /etc/hostname is updated by lxc itself
> for file in \
> $LXC_ROOTFS_PATH/etc/sysconfig/network \
> - $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ;
> + $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
> + $LXC_ROOTFS_PATH/etc/hosts ;
> do
> if [ -f $file ]; then
> sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file
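Review bot: extending the loop to `$LXC_ROOTFS_PATH/etc/hosts` makes the existing substitution `s|$LXC_SRC_NAME|$LXC_NAME|` riskier than it was for the sysconfig files. It is an unanchored substring match without the `g` flag, so a source name like `web` also rewrites `webmail` or `web2` entries in /etc/hosts, while a line that lists the old name twice is only half-updated. Anchoring on whitespace (e.g. `s|\\b$LXC_SRC_NAME\\b|$LXC_NAME|g`, or matching `[[:space:]]$LXC_SRC_NAME\\([[:space:]]\\|$\\)`) would limit it to whole hostnames. Also, `$file` is unquoted in both `[ -f $file ]` and the `sed -i` call, and a container name containing `|` or other sed metacharacters breaks the expression; quote the variable and escape the names before use.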
> --
> 1.9.1
>