[lxc-devel] [PATCH] Reduce duplication in new style configs

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 24 20:27:20 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> This is a rather massive cleanup of config/templates/*
> 
> As new templates were added, I've noticed that we pretty much all share
> the tty/pts configs, some capabilities being dropped and most of the
> cgroup configuration. All the userns configs were also almost identical.
> 
> As a result, this change introduces two new files:
>  - common.conf.in
>  - userns.conf.in
> 
> Each is included by the relevant <template>.<type>.conf.in templates,
> this means that the individual per-template configs are now overlays on
> top of the default config.
> 
> Once we see a specific key becoming popular, we ought to check whether
> it should also be applied to the other templates and if more than 50% of
> the templates have it set to the same value, that value ought to be
> moved to the master config file and then overridden for the templates
> that do not use it.
> 
> This change, while pretty big and scary, shouldn't be very visible from a
> user point of view, the actual changes can be summarized as:
>  - Extend clonehostname to work with Debian based distros and use it for
>    all containers.
>  - lxc.pivotdir is now set to lxc_putold for all templates, this means
>    that instead of using /mnt in the container, lxc will create and use
>    /lxc_putold instead. The reason for this is to avoid failures when the
>    user bind-mounts something else on top of /mnt.
>  - Some minor cgroup limit changes, the main one I remember is
>    /dev/console now being writable by all of the redhat based containers.
>    The rest of the set should be identical with additions in the per-distro
>    ones.
>  - Drop binfmtmisc and efivars bind-mounts for non-mountall based
>    unprivileged containers as I assumed they got those from copy/paste
>    from Ubuntu and not because they actually need those entries. (If I'm
>    wrong, we probably should move those to userns.conf then).
> 
> Additional investigation and changes to reduce the config delta between
> distros would be appreciated. In practice, I only expect lxc.cap.drop
> and lxc.mount.entry to really vary between distros (depending on the
> init system), the rest should be mostly common.
> 
> Diff from the RFC:
>  - Add archlinux to the mix
>  - Drop /etc/hostname from the clone hook
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  config/templates/Makefile.am               |  4 ++-
>  config/templates/archlinux.common.conf.in  | 32 +++++++----------------
>  config/templates/archlinux.userns.conf.in  | 22 ++--------------
>  config/templates/centos.common.conf.in     | 30 +++------------------
>  config/templates/centos.userns.conf.in     | 22 ++--------------
>  config/templates/common.conf.in            | 35 +++++++++++++++++++++++++
>  config/templates/debian.common.conf.in     | 36 +++++--------------------
>  config/templates/debian.userns.conf.in     | 14 ++--------
>  config/templates/fedora.common.conf.in     | 34 +++---------------------
>  config/templates/fedora.userns.conf.in     | 22 ++--------------
>  config/templates/gentoo.common.conf.in     | 42 ++++++------------------------
>  config/templates/gentoo.moresecure.conf.in | 33 +++--------------------
>  config/templates/gentoo.userns.conf.in     | 21 ++-------------
>  config/templates/opensuse.common.conf.in   | 32 ++++-------------------
>  config/templates/opensuse.userns.conf.in   | 22 ++--------------
>  config/templates/oracle.common.conf.in     | 28 +++-----------------
>  config/templates/oracle.userns.conf.in     | 21 ++-------------
>  config/templates/plamo.common.conf.in      | 26 +++++-------------
>  config/templates/plamo.userns.conf.in      | 14 ++--------
>  config/templates/ubuntu.common.conf.in     | 32 +++--------------------
>  config/templates/ubuntu.userns.conf.in     | 17 ++----------
>  config/templates/userns.conf.in            | 15 +++++++++++
>  configure.ac                               |  2 ++
>  hooks/clonehostname                        |  3 ++-
>  24 files changed, 128 insertions(+), 431 deletions(-)
>  create mode 100644 config/templates/common.conf.in
>  create mode 100644 config/templates/userns.conf.in
> 
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 3db2269..61b4b45 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -7,6 +7,7 @@ templatesconfig_DATA = \
>  	archlinux.userns.conf \
>  	centos.common.conf \
>  	centos.userns.conf \
> +	common.conf \
>  	debian.common.conf \
>  	debian.userns.conf \
>  	fedora.common.conf \
> @@ -25,5 +26,6 @@ templatesconfig_DATA = \
>  	ubuntu-cloud.userns.conf \
>  	ubuntu.common.conf \
>  	ubuntu.lucid.conf \
> +	ubuntu.priv.seccomp \
>  	ubuntu.userns.conf \
> -	ubuntu.priv.seccomp
> +	userns.conf
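Review bot: adding common.conf and userns.conf to templatesconfig_DATA only installs them; the generated files also need the matching config/templates/common.conf and config/templates/userns.conf entries in configure.ac so the .in files get substituted. The diffstat shows a two-line configure.ac change that is not in this excerpt, so please confirm it covers both new files. The move of ubuntu.priv.seccomp up two lines restores alphabetical order but is unrelated churn; a one-liner in the commit message would save the next reader a diff.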
> diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
> index 2c49299..7c950e7 100644
> --- a/config/templates/archlinux.common.conf.in
> +++ b/config/templates/archlinux.common.conf.in
> @@ -1,11 +1,16 @@
> -# Based on fedora.common.conf.in
> -# Console settings
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
> -lxc.autodev = 1
> +# Allow for 6 tty devices by default
>  lxc.tty = 6
> -lxc.pts = 1024
> +
> +# Turn on autodev for systemd
> +lxc.autodev = 1
> +
> +# Disable kmsg
>  lxc.kmsg = 0
>  
> +# Set the halt/stop signals
>  lxc.haltsignal=SIGRTMIN+4
>  lxc.stopsignal=SIGRTMIN+14
>  
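Review bot: the lxc.tty = 6 override of common.conf's lxc.tty = 4 works only because lxc.include is the first directive in the file, since scalar keys are last-write-wins. Since every per-template file now depends on that ordering, put a short comment on the include line (for example "keys below override common.conf") rather than only "This derives from the global common config", so nobody later moves a key above the include and silently loses it.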
> @@ -30,21 +35,4 @@ lxc.mount.auto = proc:mixed sys:ro
>  # lxc.cap.drop = audit_write
>  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
>  #
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = setfcap
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-6] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
> +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
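Review bot: the cgroup whitelist is not carried over unchanged here: the removed archlinux list had no c 5:1 entry, while common.conf grants "c 5:1 rwm" (/dev/console), so archlinux containers gain console write access with this patch. The commit message only mentions that for the redhat based templates; please list archlinux (and the other templates whose old list stopped at /dev/tty[1-N]) too. The lxc.cap.drop split itself is fine, as the key accumulates across the included common.conf and this line, so the net set (mac_admin mac_override sys_time sys_module plus setfcap sys_nice sys_pacct sys_rawio) is unchanged.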
> diff --git a/config/templates/archlinux.userns.conf.in b/config/templates/archlinux.userns.conf.in
> index 28b03fa..707bb30 100644
> --- a/config/templates/archlinux.userns.conf.in
> +++ b/config/templates/archlinux.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Based on fedora.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
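Review bot: the deleted lines did three things that only work if they are applied after common.conf: clear lxc.cgroup.devices.deny and lxc.cgroup.devices.allow (needed because CAP_SYS_ADMIN in the init user namespace is required to write the devices cgroup), and clear lxc.devttydir. The new userns.conf.in hunk is not in this excerpt, so please confirm it carries those three clearing lines and document that a container config must include the userns file after the common one, otherwise common.conf's "lxc.cgroup.devices.deny = a" and "lxc.devttydir = lxc" win. The active binfmt_misc bind mount (and the commented efivars one) disappear here as the commit message says.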
> diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
> index c0e6816..4ce2fda 100644
> --- a/config/templates/centos.common.conf.in
> +++ b/config/templates/centos.common.conf.in
> @@ -1,16 +1,9 @@
> -# Taken from the oracle.common.conf.in
> -# Console settings
> -
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Mount entries
>  lxc.mount.auto = proc:mixed sys:ro
>  
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> -
>  # Capabilities
>  # Uncomment these if you don't run anything that needs the capability, and
>  # would like the container to run with less privilege.
> @@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
>  # lxc.cap.drop = setuid           # breaks sshd,nfs statd
>  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>  # lxc.cap.drop = audit_write
> -#
> -lxc.cap.drop = mac_admin mac_override setfcap setpcap
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
> +lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
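Review bot: the removed "#" separator leaves the commented-out cap.drop examples running straight into the one active line; keep the blank "#" above the active line so a reader does not mistake "lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio" for part of the commented list. The effective capability set is unchanged because lxc.cap.drop accumulates with the four names in common.conf, but as with the other redhat based templates the device whitelist now gains "c 5:1 rwm" (/dev/console) from common.conf, which the commit message already flags.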
> diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
> index f6de0e9..707bb30 100644
> --- a/config/templates/centos.userns.conf.in
> +++ b/config/templates/centos.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Taken from the oracle.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
> new file mode 100644
> index 0000000..1616b4f
> --- /dev/null
> +++ b/config/templates/common.conf.in
> @@ -0,0 +1,35 @@
> +# Default configuration shared by all containers
> +
> +# Setup the LXC devices in /dev/lxc/
> +lxc.devttydir = lxc
> +
> +# Allow for 1024 pseudo terminals
> +lxc.pts = 1024
> +
> +# Setup 4 tty devices
> +lxc.tty = 4
> +
> +# Drop some harmful capabilities
> +lxc.cap.drop = mac_admin mac_override sys_time sys_module
> +
> +# Set the pivot directory
> +lxc.pivotdir = lxc_putold
> +
> +# Ensure hostname is changed on clone
> +lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +
> +# CGroup whitelist
> +lxc.cgroup.devices.deny = a
> +## Allow any mknod (but not reading/writing the node)
> +lxc.cgroup.devices.allow = c *:* m
> +lxc.cgroup.devices.allow = b *:* m
> +## Allow specific devices
> +lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> +lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> +lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> +lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> +lxc.cgroup.devices.allow = c 5:1 rwm	# /dev/console
> +lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
> +lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> +lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> +lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
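Review bot: "c 5:1 rwm" (/dev/console) becomes part of the default whitelist for every template, including the ones whose removed lists did not grant it (archlinux, centos, fedora, opensuse, oracle), and together with the "c *:* m" wildcard a privileged container's root can mknod and write the host console. If that is the intended default, say so in a comment above the entry; otherwise keep 5:1 in the debian, gentoo and plamo overlays that had it before. Two smaller points: "# Drop some harmful capabilities" could name why (module loading, clock, MAC policy), and the device-format explanation that the gentoo file deletes ("[c|b] [major|*]:[minor|*] [r][w][m]") belongs above "# CGroup whitelist" now that this is the one shared list.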
> diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
> index 09e5c40..e1d421f 100644
> --- a/config/templates/debian.common.conf.in
> +++ b/config/templates/debian.common.conf.in
> @@ -1,18 +1,14 @@
> -# Default pivot location
> -lxc.pivotdir = lxc_putold
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
> +
> +# Doesn't support consoles in /dev/lxc/
> +lxc.devttydir =
>  
>  # Default mount entries
>  lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
>  lxc.mount.entry = sysfs sys sysfs defaults 0 0
>  lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
>  
> -# Default console settings
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Default capabilities
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> -
>  # When using LXC with apparmor, the container will be confined by default.
>  # If you wish for it to instead run unconfined, copy the following line
>  # (uncommented) to the container's configuration file.
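Review bot: Debian now inherits "lxc.hook.clone = @LXCHOOKDIR@/clonehostname" from common.conf, whereas the old file set no clone hook; that is only safe with the "Extend clonehostname to work with Debian based distros" change, whose hooks/clonehostname hunk (3 lines in the diffstat) is not in this excerpt, so the two must land together. The "lxc.devttydir =" override is correct but position-dependent: it has to stay below the include line, which deserves a comment since the old file never had an include to worry about.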
> @@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  # To support container nesting on an Ubuntu host while retaining most of
>  # apparmor's added security, use the following two lines instead.
>  #lxc.aa_profile = lxc-container-default-with-nesting
> -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> +#lxc.mount.auto = cgroup:mixed
>  
>  # If you wish to allow mounting block filesystems, then use the following
>  # line instead, and make sure to grant access to the block device and/or loop
>  # devices below in lxc.cgroup.devices.allow.
>  #lxc.aa_profile = lxc-container-default-with-mounting
>  
> -# Default cgroup limits
> -lxc.cgroup.devices.deny = a
> -## Allow any mknod (but not using the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -## /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -## consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -## /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -## /dev/pts/*
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> +# Extra cgroup device access
>  ## rtc
>  lxc.cgroup.devices.allow = c 254:0 rm
>  ## fuse
>  lxc.cgroup.devices.allow = c 10:229 rwm
>  ## tun
>  lxc.cgroup.devices.allow = c 10:200 rwm
> -## full
> -lxc.cgroup.devices.allow = c 1:7 rwm
>  ## hpet
>  lxc.cgroup.devices.allow = c 10:228 rwm
>  ## kvm
> diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
> index 3e9600d..707bb30 100644
> --- a/config/templates/debian.userns.conf.in
> +++ b/config/templates/debian.userns.conf.in
> @@ -1,12 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
> index 31b23a4..acebe3c 100644
> --- a/config/templates/fedora.common.conf.in
> +++ b/config/templates/fedora.common.conf.in
> @@ -1,15 +1,5 @@
> -# Taken from the oracle.common.conf.in
> -# Console settings
> -
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Mount entries
> -# lxc.mount.auto = proc:mixed sys:ro
> -
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Capabilities
>  # Uncomment these if you don't run anything that needs the capability, and
> @@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
>  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>  # lxc.cap.drop = audit_write
>  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
> -#
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = setfcap
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
> +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
> diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
> index f6de0e9..707bb30 100644
> --- a/config/templates/fedora.userns.conf.in
> +++ b/config/templates/fedora.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Taken from the oracle.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
> index 5a8b231..7b96672 100644
> --- a/config/templates/gentoo.common.conf.in
> +++ b/config/templates/gentoo.common.conf.in
> @@ -1,54 +1,28 @@
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
> +
>  # Gentoo common default configuration
>  # This is the most feature-full container configuration
>  # But security is not the goal.
>  # Looking for more security, see gentoo.moresecure.conf
>  
> -# sysfs
> +# Default mount entries
>  lxc.mount.entry=sys sys sysfs defaults 0 0
>  
> -# console access
> -lxc.pts = 1024
> -
> -# this part is based on 'linux capabilities', see: man 7 capabilities
> -#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
> -
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> +# Doesn't support consoles in /dev/lxc/
> +lxc.devttydir =
>  
> -# deny access to all devices by default, explicitly grant some permissions
> -#
> -# format is [c|b] [major|*]:[minor|*] [r][w][m]
> -#            ^     ^                   ^
> -# char/block -'     \`- device number    \`-- read, write, mknod
> -#
> -# first deny all...
> -lxc.cgroup.devices.deny = a
> -## Allow any mknod (but not using the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -## /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -## consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -## /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -## /dev/pts/*
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> +# Extra cgroup device access
>  ## rtc
>  lxc.cgroup.devices.allow = c 254:0 rm
>  ## fuse
>  lxc.cgroup.devices.allow = c 10:229 rwm
>  ## tun
>  lxc.cgroup.devices.allow = c 10:200 rwm
> -## full
> -lxc.cgroup.devices.allow = c 1:7 rwm
>  ## hpet
>  lxc.cgroup.devices.allow = c 10:228 rwm
>  ## kvm
>  lxc.cgroup.devices.allow = c 10:232 rwm
>  ## To use loop devices, copy the following line to the container's
>  ## configuration file (uncommented).
> -#lxc.cgroup.devices.allow = b 7:* rwm
> \ No newline at end of file
> +#lxc.cgroup.devices.allow = b 7:* rwm
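Review bot: the include is inserted above the file's own header ("Gentoo common default configuration ... see gentoo.moresecure.conf"), unlike the other templates where it is the first directive but the description is preserved; move the header above the include so the file still opens with what it is. The deleted device-format comment ("format is [c|b] [major|*]:[minor|*] [r][w][m]" with the char/block, device number and read/write/mknod legend) was the only place that syntax was documented, so please relocate it to common.conf rather than drop it. The trailing-newline fix on "#lxc.cgroup.devices.allow = b 7:* rwm" is welcome.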
> diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
> index da68562..238303d 100644
> --- a/config/templates/gentoo.moresecure.conf.in
> +++ b/config/templates/gentoo.moresecure.conf.in
> @@ -1,3 +1,6 @@
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
> +
>  # Gentoo security oriented default configuration
>  # This is a more security oriented container configuration
>  # "More" because this is far from fully secure
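Review bot: gentoo.common.conf.in adds "lxc.devttydir =" after its include with the comment "Doesn't support consoles in /dev/lxc/", but no such override appears in the visible hunks of this file, which now inherits "lxc.devttydir = lxc" from common.conf just the same. Unless the rest of the file (not shown) already clears it, add the identical override here, or the moresecure variant will behave differently from the common one on exactly the point the comment says Gentoo cannot handle.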
> @@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
>  lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
>  lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
>  
> -# console access
> -lxc.pts = 1024
> -
>  # this part is based on 'linux capabilities', see: man 7 capabilities
>  #  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
>  #
> @@ -31,29 +31,4 @@ lxc.pts = 1024
>  # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
>  # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
>  
> -lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
> -
> -# deny access to all devices by default, explicitly grant some permissions
> -#
> -# format is [c|b] [major|*]:[minor|*] [r][w][m]
> -#            ^     ^                   ^
> -# char/block -'     \`- device number    \`-- read, write, mknod
> -#
> -# first deny all...
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rw
> -lxc.cgroup.devices.allow = c 1:5 rw
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:9 rw
> -lxc.cgroup.devices.allow = c 1:8 r
> -# /dev/pts/*
> -lxc.cgroup.devices.allow = c 136:* rw
> -lxc.cgroup.devices.allow = c 5:2 rw
> -# /dev/tty{0,1}
> -lxc.cgroup.devices.allow = c 4:1 rwm
> -lxc.cgroup.devices.allow = c 4:0 rwm
> -# /dev/tty
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -# /dev/console
> -lxc.cgroup.devices.allow = c 5:1 rwm
> \ No newline at end of file
> +lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
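Review bot: this hunk makes the "moresecure" profile looser, not identical, which contradicts "The rest of the set should be identical" in the commit message. The removed whitelist granted only "rw" (no mknod) on 1:3, 1:5, 1:9, 136:* and 5:2 and only "r" on /dev/random (1:8); via common.conf the container now gets "rwm" on all of those, plus "c *:* m", "b *:* m" and "c 1:7 rwm" (/dev/full) that this file never allowed. Going the other way, the explicit "c 4:0 rwm" and "c 4:1 rwm" entries (/dev/tty0, /dev/tty1) are deleted with no replacement in common.conf, a functional change for anyone relying on them. Suggest keeping the include for the capability and tty/pts defaults but adding, after it, an empty "lxc.cgroup.devices.allow =" to clear the inherited list followed by the old tighter entries, and recording the difference in the file header. Dropping mknod from the bounding set limits the damage of the extra "m" flags, but the profile comment promises a deliberately narrower device policy than gentoo.common, and after this hunk it no longer is one.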
> diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in
> index 5643744..707bb30 100644
> --- a/config/templates/gentoo.userns.conf.in
> +++ b/config/templates/gentoo.userns.conf.in
> @@ -1,19 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
> index 1585fb8..4026975 100644
> --- a/config/templates/opensuse.common.conf.in
> +++ b/config/templates/opensuse.common.conf.in
> @@ -1,13 +1,8 @@
> -lxc.autodev = 1
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Mount entries
> -# lxc.mount.auto = proc:mixed sys:ro
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> +# Enable autodev
> +lxc.autodev = 1
>  
>  # Capabilities
>  # Uncomment these if you don't run anything that needs the capability, and
> @@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
>  # lxc.cap.drop = audit_write
>  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
>  # lxc.cap.drop = setfcap
> -#
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
> +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in
> index f6de0e9..707bb30 100644
> --- a/config/templates/opensuse.userns.conf.in
> +++ b/config/templates/opensuse.userns.conf.in
> @@ -1,20 +1,2 @@
> -# Taken from the oracle.userns.conf.in
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
> index ddcdc88..ec5ae94 100644
> --- a/config/templates/oracle.common.conf.in
> +++ b/config/templates/oracle.common.conf.in
> @@ -1,14 +1,9 @@
> -# Console settings
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Mount entries
>  lxc.mount.auto = proc:mixed sys:ro
>  
> -# Ensure hostname is changed on clone
> -lxc.hook.clone = @LXCHOOKDIR@/clonehostname
> -
>  # Capabilities
>  # Uncomment these if you don't run anything that needs the capability, and
>  # would like the container to run with less privilege.
> @@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
>  # lxc.cap.drop = setuid           # breaks sshd,nfs statd
>  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>  # lxc.cap.drop = audit_write
> -#
> -lxc.cap.drop = mac_admin mac_override
> -lxc.cap.drop = sys_module sys_nice sys_pacct
> -lxc.cap.drop = sys_rawio sys_time
> -
> -# Control Group devices: all denied except those whitelisted
> -lxc.cgroup.devices.deny = a
> -# Allow any mknod (but not reading/writing the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
> -lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
> -lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
> -lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
> -lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
> -lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
> -lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
> -lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
> +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
> index 5643744..707bb30 100644
> --- a/config/templates/oracle.userns.conf.in
> +++ b/config/templates/oracle.userns.conf.in
> @@ -1,19 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Extra fstab entries as mountall can't mount those by itself
> -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
> index 50783c3..483a556 100644
> --- a/config/templates/plamo.common.conf.in
> +++ b/config/templates/plamo.common.conf.in
> @@ -1,26 +1,14 @@
> -# Default console settings
> -lxc.tty = 4
> -lxc.pts = 1024
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Default mount
>  lxc.mount.auto = proc sys cgroup
>  
> -# Default capabilities
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> +# Doesn't support consoles in /dev/lxc/
> +lxc.devttydir =
>  
> -lxc.cgroup.devices.deny = a
> -# /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -# consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -# /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> -# rtc
> +# Extra cgroup device access
> +## rtc
>  lxc.cgroup.devices.allow = c 254:0 rm
> -# fuse
> +## fuse
>  lxc.cgroup.devices.allow = c 10:229 rwm
> diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in
> index 3e9600d..707bb30 100644
> --- a/config/templates/plamo.userns.conf.in
> +++ b/config/templates/plamo.userns.conf.in
> @@ -1,12 +1,2 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index a61ed79..ee008e2 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -1,5 +1,5 @@
> -# Default pivot location
> -lxc.pivotdir = lxc_putold
> +# This derives from the global common config
> +lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Default mount entries
>  lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
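Review bot: `lxc.pivotdir = lxc_putold` is removed here and nothing in this hunk sets it again. The cover letter says it now comes from common.conf for every template; double-check that the include actually carries it, because if it does not, Ubuntu containers go back to pivoting under /mnt, which is exactly the failure this setting was added to avoid.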
> @@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
>  lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
>  lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
>  
> -# Default console settings
> -lxc.devttydir = lxc
> -lxc.tty = 4
> -lxc.pts = 1024
> -
> -# Default capabilities
> -lxc.cap.drop = sys_module mac_admin mac_override sys_time
> -
>  # When using LXC with apparmor, the container will be confined by default.
>  # If you wish for it to instead run unconfined, copy the following line
>  # (uncommented) to the container's configuration file.
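Review bot: this hunk removes `lxc.devttydir = lxc` along with `lxc.tty = 4` and `lxc.pts = 1024`; the console directory is the one setting here that differed between templates (the userns files reset it with an empty `lxc.devttydir =`), so if common.conf does not set `lxc.devttydir = lxc`, privileged Ubuntu containers change their console layout silently. Confirm the value is present in common.conf, or document the change in the commit message.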
> @@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  # devices below in lxc.cgroup.devices.allow.
>  #lxc.aa_profile = lxc-container-default-with-mounting
>  
> -# Default cgroup limits
> -lxc.cgroup.devices.deny = a
> -## Allow any mknod (but not using the node)
> -lxc.cgroup.devices.allow = c *:* m
> -lxc.cgroup.devices.allow = b *:* m
> -## /dev/null and zero
> -lxc.cgroup.devices.allow = c 1:3 rwm
> -lxc.cgroup.devices.allow = c 1:5 rwm
> -## consoles
> -lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 5:1 rwm
> -## /dev/{,u}random
> -lxc.cgroup.devices.allow = c 1:8 rwm
> -lxc.cgroup.devices.allow = c 1:9 rwm
> -## /dev/pts/*
> -lxc.cgroup.devices.allow = c 5:2 rwm
> -lxc.cgroup.devices.allow = c 136:* rwm
> +# Extra cgroup device access
>  ## rtc
>  lxc.cgroup.devices.allow = c 254:0 rm
>  ## fuse
>  lxc.cgroup.devices.allow = c 10:229 rwm
>  ## tun
>  lxc.cgroup.devices.allow = c 10:200 rwm
> -## full
> -lxc.cgroup.devices.allow = c 1:7 rwm
>  ## hpet
>  lxc.cgroup.devices.allow = c 10:228 rwm
>  ## kvm
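Review bot: the `## full` / `lxc.cgroup.devices.allow = c 1:7 rwm` rule is removed from this list while rtc, fuse, tun, hpet and kvm stay, so /dev/full for Ubuntu now depends on common.conf carrying 1:7 (the first hunk on this page shows it in a sibling template's removed list, so it presumably moved there, but that should be verified). The apparmor comment just above this list still says "devices below in lxc.cgroup.devices.allow", which no longer describes the default whitelist now headed "Extra cgroup device access"; reword it to point readers at common.conf for the base list.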
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index c744b1d..e25270c 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -1,18 +1,5 @@
> -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> -lxc.cgroup.devices.deny =
> -lxc.cgroup.devices.allow =
> -
> -# We can't move bind-mounts, so don't use /dev/lxc/
> -lxc.devttydir =
> -
> -# Extra bind-mounts for userns
> -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +# This derives from the global userns config
> +lxc.include = @LXCTEMPLATECONFIG@/userns.conf
>  
>  # Extra fstab entries as mountall can't mount those by itself
>  lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
> new file mode 100644
> index 0000000..5dc19c7
> --- /dev/null
> +++ b/config/templates/userns.conf.in
> @@ -0,0 +1,15 @@
> +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
> +lxc.cgroup.devices.deny =
> +lxc.cgroup.devices.allow =
> +
> +# We can't move bind-mounts, so don't use /dev/lxc/
> +lxc.devttydir =
> +
> +# Extra bind-mounts for userns
> +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
> +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
> +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
> +lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
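Review bot: this new file depends on ordering but does not say so: `lxc.cgroup.devices.deny =`, `lxc.cgroup.devices.allow =` and `lxc.devttydir =` are empty resets that only take effect if the file is read after common.conf and the per-template common config. Add a header comment stating that it is meant to be pulled in via `lxc.include` from a <template>.userns.conf after the common config, and what each empty assignment clears. The CAP_SYS_ADMIN comment explains why the device cgroup lists are emptied but not the consequence, namely that an unprivileged container gets no device cgroup filtering from LXC at all; stating that plainly helps anyone reading the file to understand the reduced protection.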
> diff --git a/configure.ac b/configure.ac
> index 1a27e1f..baeb4a2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -598,6 +598,7 @@ AC_CONFIG_FILES([
>  	config/templates/archlinux.userns.conf
>  	config/templates/centos.common.conf
>  	config/templates/centos.userns.conf
> +	config/templates/common.conf
>  	config/templates/debian.common.conf
>  	config/templates/debian.userns.conf
>  	config/templates/fedora.common.conf
> @@ -617,6 +618,7 @@ AC_CONFIG_FILES([
>  	config/templates/ubuntu.common.conf
>  	config/templates/ubuntu.lucid.conf
>  	config/templates/ubuntu.userns.conf
> +	config/templates/userns.conf
>  	config/yum/Makefile
>  
>  	doc/Makefile
> diff --git a/hooks/clonehostname b/hooks/clonehostname
> index 8865c2d..ed2765c 100755
> --- a/hooks/clonehostname
> +++ b/hooks/clonehostname
> @@ -20,7 +20,8 @@
>  # Note that /etc/hostname is updated by lxc itself
>  for file in \
>      $LXC_ROOTFS_PATH/etc/sysconfig/network \
> -    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ;
> +    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
> +    $LXC_ROOTFS_PATH/etc/hosts ;
>  do
>      if [ -f $file ]; then
>          sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file
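Review bot: `sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file` now runs against /etc/hosts as well, and it replaces the first unanchored regex match on each line, so a source name that is a substring of another entry (for instance a container named `host` would turn `localhost` into `localNEW`) or that contains regex metacharacters rewrites the wrong text, which matters more in /etc/hosts than in the ifcfg files. Matching whole words and all occurrences, e.g. `sed -i "s/\<$LXC_SRC_NAME\>/$LXC_NAME/g" "$file"` with GNU sed, avoids that, and `"$file"` should be quoted in both the `[ -f ... ]` test and the sed call.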
> -- 
> 1.9.1
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

