[lxc-devel] [PATCH] openwrt: add common configuration file

Stéphane Graber stgraber at ubuntu.com
Mon Nov 24 21:35:56 UTC 2014


On Thu, Oct 30, 2014 at 12:41:49PM +0000, Petar Koretic wrote:
> This adds OpenWrt common config file.
> 
> Signed-off-by: Petar Koretic <petar.koretic at sartura.hr>
> CC: Luka Perkov <luka.perkov at sartura.hr>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
> 
> OpenWrt templates are working using 'lxc-create -t download' command. We are
> running that over our server on http://virtualwrt.org/containers/. There is
> only support for x86, x86_64 and ar71xx as of now. We plan to add all other
> architectures supported by OpenWrt in the future. The build scripts used to
> generate images can be found here:
> 
> https://github.com/VirtualWrt/misc
> 
> Note that index files on virtualwrt.org/containers are not validated.
> 
> OpenWrt now supports containers but due to platform specifics there are some limitations:
> 
> * 'tar --anchored' doesn't come with busybox's tar version, lxc is patched in
> OpenWrt packages feed to ignore this functionality.

How did you work around this? The goal for the download template is to
work with busybox, so it'd be nice if this could be resolved upstream
too.

> * .xz extraction is very expensive on most OpenWrt supported devices, -0 level
> is used for rootfs compression to mitigate that to some extent.
> * Privileged containers are not supported at the moment since default user
> is root on this platform.
> 
> I'm looking forward to your comments and suggestions to get OpenWrt images
> hosted on official lxc servers.

So the first step to get images on the official lxc server would be to
add support for OpenWRT to github.com/lxc/lxc-ci so that build-image can
be used to build OpenWRT images. Then once we've got that, it should
just be a matter of adding that to jenkins.linuxcontainers.org and we'll
get daily builds.

> 
>  config/templates/Makefile.am            |  1 +
>  config/templates/openwrt.common.conf.in | 56 +++++++++++++++++++++++++++++++++
>  configure.ac                            |  1 +
>  3 files changed, 58 insertions(+)
>  create mode 100644 config/templates/openwrt.common.conf.in
> 
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 82ca8be..fdbf9d2 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -28,4 +28,5 @@ templatesconfig_DATA = \
>  	ubuntu.common.conf \
>  	ubuntu.lucid.conf \
>  	ubuntu.userns.conf \
> +	openwrt.common.conf \
>  	userns.conf
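
Review bot: the new `openwrt.common.conf \` entry is appended between `ubuntu.userns.conf \` and `userns.conf`, which breaks the sorted order the rest of the `templatesconfig_DATA` list keeps (ubuntu.common, ubuntu.lucid, ubuntu.userns, userns); move it before `ubuntu.common.conf \` so the list stays alphabetical and the next template has an obvious slot.
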
> diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
> new file mode 100644
> index 0000000..05918f0
> --- /dev/null
> +++ b/config/templates/openwrt.common.conf.in
> @@ -0,0 +1,56 @@
> +# Default mount entries
> +lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> +lxc.mount.entry = sysfs sys sysfs defaults 0 0
> +
> +# Default console settings
> +lxc.devttydir = lxc
> +lxc.tty = 4
> +lxc.pts = 1024
> +
> +# Default capabilities
> +lxc.cap.drop = mac_admin
> +lxc.cap.drop = mac_override
> +lxc.cap.drop = sys_admin
> +lxc.cap.drop = sys_module
> +lxc.cap.drop = sys_nice
> +lxc.cap.drop = sys_pacct
> +lxc.cap.drop = sys_ptrace
> +lxc.cap.drop = sys_rawio
> +lxc.cap.drop = sys_resource
> +lxc.cap.drop = sys_time
> +lxc.cap.drop = sys_tty_config
> +lxc.cap.drop = syslog
> +lxc.cap.drop = wake_alarm
> +
> +# Default cgroups - all denied except those whitelisted
> +lxc.cgroup.devices.deny = a
> +## /dev/null and zero
> +lxc.cgroup.devices.allow = c 1:3 rwm
> +lxc.cgroup.devices.allow = c 1:5 rwm
> +## consoles
> +lxc.cgroup.devices.allow = c 5:0 rwm
> +lxc.cgroup.devices.allow = c 5:1 rwm
> +## /dev/{,u}random
> +lxc.cgroup.devices.allow = c 1:8 rwm
> +lxc.cgroup.devices.allow = c 1:9 rwm
> +## /dev/pts/*
> +lxc.cgroup.devices.allow = c 5:2 rwm
> +lxc.cgroup.devices.allow = c 136:* rwm
> +## rtc
> +lxc.cgroup.devices.allow = c 254:0 rm
> +## fuse
> +lxc.cgroup.devices.allow = c 10:229 rwm
> +## tun
> +lxc.cgroup.devices.allow = c 10:200 rwm
> +## dev/tty0
> +lxc.cgroup.devices.allow = c 4:0 rwm
> +## dev/tty1
> +lxc.cgroup.devices.allow = c 4:1 rwm
> +
> +## To use loop devices, copy the following line to the container's
> +## configuration file (uncommented).
> +#lxc.cgroup.devices.allow = b 7:* rwm
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = /usr/share/lxc/config/common.seccomp
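
Review bot: `lxc.seccomp = /usr/share/lxc/config/common.seccomp` hardcodes the install prefix inside a file that configure processes (it is a `.in` file registered in `AC_CONFIG_FILES`), so a build with a non-default `--prefix` or `--datadir` ships a template whose seccomp profile is not at that path and the syscall filter the comment promises cannot be loaded; use the configure-substituted template config directory instead of the literal path. The comment above it also says the filter covers syscalls "not safe in privileged containers" while the cover letter says privileged containers are not supported on this platform, so state which mode the template targets. The `lxc.cgroup.devices.deny = a` default-deny followed by an explicit allow list is the right shape; the `c 4:0` and `c 4:1` entries expose the host's `tty0`/`tty1` virtual consoles to the container, which the other templates' console handling via `lxc.tty`/`lxc.devttydir` and the pts entries do not require, so add a comment on why OpenWrt needs them or drop them.
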
> diff --git a/configure.ac b/configure.ac
> index 5f9774b..1d9634e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -646,6 +646,7 @@ AC_CONFIG_FILES([
>  	config/templates/ubuntu.common.conf
>  	config/templates/ubuntu.lucid.conf
>  	config/templates/ubuntu.userns.conf
> +	config/templates/openwrt.common.conf
>  	config/templates/userns.conf
>  	config/yum/Makefile
>  	config/sysconfig/Makefile
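
Review bot: same ordering point as in Makefile.am: `config/templates/openwrt.common.conf` is inserted after `ubuntu.userns.conf` although the surrounding `AC_CONFIG_FILES` entries are alphabetical; place it before the `ubuntu.*` entries here and in Makefile.am so the two lists stay in step.
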
> -- 
> 2.1.2
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com