[lxc-devel] [PATCH] Various fixes for Fedora/CentOS/OpenSUSE templates and systemd.

Stéphane Graber stgraber at ubuntu.com
Wed Oct 1 15:34:14 UTC 2014


On Wed, Oct 01, 2014 at 08:15:04AM -0400, Michael H. Warfield wrote:
> Responding to my own hasty post from last night...
> 
> On Tue, 2014-09-30 at 17:13 -0400, Michael H. Warfield wrote:
> > Sorry, I was completely out of touch from the net for several days and
> > then I totally missed this when I got back...  I should have responded
> > to this days ago...  Sigh...
> > 
> > On Fri, 2014-09-19 at 17:15 -0400, Stéphane Graber wrote:
> > > On Sun, Sep 14, 2014 at 08:57:58PM -0400, Michael H. Warfield wrote:
> > > > Various fixes for Fedora/CentOS/OpenSUSE templates and systemd.
> > > > 
> > > > This patch integrates several fixes for several template issues
> > > > and open bugzilla bugs at the Fedora project.
> > > > 
> > > > The lxc-centos template now supports CentOS 7 and correct configuration
> > > > of systemd in CentOS.
> > > > 
> > > > The CentOS and Fedora template have been fixed for a rootfs bug that
> > > > was a skew between the parsed parameter (rootfs) and the working variable
> > > > (rootfs_path) by normalizing to "rootfs", congruent with several other
> > > > templates.  This should fix the backing store problem.
> > > > 
> > > > The user password generation logic has been refactored out of the
> > > > Fedora and CentOS templates into a new template/functions file.  This
> > > > is the beginning of a security fix that has been reported as a bug in
> > > > Fedora and Debian.  The functions support random password generation
> > > > and/or disabled password on accounts.  Templates need to convert over
> > > > and avoid static passwords like "root:root" or "ubuntu:ubuntu" in order
> > > > to avoid this security issue.  Function supports multiple user setup.
> > > > 
> > > > The template/functions file includes a function for static MAC address
> > > > generation (not yet used) and may contain other common functions we
> > > > standardize on.
> > 
> > > Can we stop including MAc address generation everywhere now that we have
> > > the MAC address templating stuff done in C? :)
> 
> > Does no harm and I'm still running into the perpetual "recreate new Mac"
> > addresses on my Ubuntu containers (which screws up IPv6 royally).
> > Probably because I have an old default and older containers but I don't
> > particularly mind double fixing something like this...  The function is
> > there in a common location but it's not currently called by anything and
> > I've left the current generating logic in the templates themselves
> > alone, so there was no change there at all.  Pull that little function
> > if you like but it won't make any difference to any live code, since
> > it's not currently called.
> 
> > > > Added "fedora" user to lxc-fedora template.
> > > > 
> > > > Added "centos" user to lxc-centos template.
> > > > 
> > > > Dropping "setfcap" has been moved to a comment for Fedora, CentOS,
> > > > and SUSE due to it's interference with yum update in containers
> > > > (yum fails to update several packages including httpd).
> > > > 
> > > > Added "sudo" to the package list for CentOS and Fedora.
> > > > 
> > > > Set the apparmor profile for CentOS, Fedora, and SUSE containers to
> > > > "unconfined", until someone comes up with something better, in order
> > > > to have containers run out of the box on apparmor hosts.  Commented
> > > > code in the individual templates has been moved to explicit settings
> > > > in the common config files.
> > 
> > > From a security point of view, I much prefer things to fail badly than
> > > be able to wreak havoc on my system, so I'd prefer we don't do that.
> > 
> > This came up months ago and there was all sorts of discussions over on
> > the -user list of profiles and options and I even pinged you and Serge
> > in private E-Mail asking if a consensus was agreed on.  All I got were
> > crickets and, in the mean time, we still have failing containers.  We
> > got nowhere then.  Where are we now?  It's been months.  In the absence
> > of any more constructive solutions or feedback, I went with this.  I
> > don't use apparmour so I can't test or resolve the problem and I have no
> > better solution.  Failing badly is an understatement and we have had
> > complaints and we have no better solution to the complaints.
> > 
> > > Instead, let's land the rest of your systemd fixes and then I can spend
> > > a few minutes figure out exactly what's failing when running on current
> > > Ubuntu and come up with a proper profile for it which still prevents
> > > most of the usual issues (proc, sys, ...).
> 
> Ah, ok, you're going to look into is, I see.  That's good.

Yeah, we'll also need that to run Ubuntu+systemd itself inside LXC, what
we need to figure out is what bits are safe to allow in the apparmor
profile and what bits are just plain wrong and need to be fixed in
systemd.

> 
> > 
> > Ok, but we need something in the next cuts of both 1.1 and 1.0.  The
> > gods-be-damned systemd-journald is causing bugzilla bug reports (one
> > report was complaining of CPU heating problems from that nonsense) and
> > the password problem is the subject of bugzilla security reports in both
> > Fedora and Debian that I can't even begin to address till we move
> > forward on this (CentOS and Fedora are fine...  I'll fix the others if I
> > have to just to clear the security flags).  I've cleared a few bugzilla
> > reports over at the Fedora but I would really like to clear these things
> > that are flagged as security issues.
> > 
> > > > Addressed systemd-journald runaway CPU issue by setting lxc.kmsg = 0
> > > > in affected template (including Mandriva) and establishing a run time
> > > > default to autoswitch lxc.kmsg depending on the state of lxc.autodev
> > > > (systemd case).  lxc.kmsg will be set to 0 in the case of lxc.autodev = 1
> > > > and set to 1 in the case of lxc.autodev = 0, unless overridden in
> > > > the config file.
> > 
> > > I think if our long term goal is to switch to autodev by default (and I
> > > believe that was the long term plan), then making that kind of
> > > assumption seems wrong to me.
> 
> > None the less...  This is causing serious and confusing active problems
> > and I'm not sure what the advantage is, since it can be clearly
> > overridden in the configuration file or in the templates.  I'm trying to
> > cover a legacy case that is clearly broken, much like the autodetection
> > of systemd and autodev was.
> 
> > > What I think we should do instead is introduce a
> > > systemd.common.conf file setting the usual things for systemd systems
> > > (autodev and kmsg as a start) and then have the various templates
> > > include that config when building a container which uses systemd.
> 
> > That's fine and I would support that moving forward but we have bug
> > reports now and legacy containers, to say nothing of upgrading
> > containers that change from non-systemd to systemd.  How do you address
> > the upgrade issue from a non-systemd to a systemd container in run-time
> > when it crushes the load average of the host and nobody understands why
> > journald has gone rogue?
> 
> Would this be better if this paralleled autodev an we only disabled kmsg
> by default if and when systemd was detected as the init system?  The
> situation is very analogous to the autodev situation.  If a user were to
> switch from say upstart to systemd and autodev is not specified in the
> config, we default that to enabled when we detect systemd as the init
> system at run time.  We could also default kmsg to 0 in the case of
> systemd being the run time init system manager to prevent journald from
> going into it's console message loop and burning CPU.  Would that work
> better for you?  Since you can switch init systems from within the
> container and may not have access to the container config file that's in
> the host, something should be done to cover the run time case, like we
> do with autodev.  That's what I was attempting to do...

I'm not very much fond of having to do per-init system config changes
but yeah, that sounds like a reasonable way to go.

If we start getting more and more of those cases we may want to make
things slightly more configurable by just having LXC include some
default configuration files based on that detection.

> 
> This bug is now closed, after I explained to the originator what the
> problem was, but it points out the problem we're seeing from having kmsg
> being a symlink to console and having journald run crazy in the
> container...
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1141456
> 
> -- 
> 
> > (1) Starting a basic LXC container, which is not configured to do anything at all, *immediately* (and without delay) raises the temperature *substantially* of one of the cores.
> > 
> > (2) Starting a second LXC container (also not configured to do anything), does the same as (1), but on a different core (i.e. the one that that LXC uses).
> -- 
> 
> > > > 
> > > > Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
> > 
> > > Nack for now. I however don't see a problem acking this if you resubmit without
> > > the MAC address generation function, without the aa_profile part and
> > > without the autodev == kmsg=0 part.
> > 
> > I can easily drop the mac address generation from the function file.
> > Are you also asking me to remove it from the existing code, adding to
> > the patch changes?  I didn't even touch those regions of code for the
> > Fedora, or CentOS templates.
> > 
> > The aa_profile needs a solution and I've asked before and gotten
> > nowhere.  What is your solution to the existing problem.  You don't want
> > this but the other is broken and I'm not getting any traction on solving
> > the problem.  When someone complains, the best solution we have to offer
> > is to recommend uncommenting the existing line, that's been in there
> > forever, to enable the "unconfined" profile.  This is just doing what we
> > have (and are going to) recommend to the users until we come up with
> > something better.  Still waiting...
> > 
> > The kmsg=0 really needs to be there.  What's the downside?  What problem
> > does it cause when we invoke autodev and do not explicitly set kmsg?  If
> > we're all moving to systemd, it's going to have to be the default
> > anyways.  It's required for systemd.  Journald goes ape shit on the CPU
> > if that symlink is there.  What problems is it causing if we have
> > autodev enabled for sysvinit or upstart?  Which would be better to
> > recommend that users change their configurations?  In my mind, eating up
> > CPU, running the load average to 30+ and making the processor chips warm
> > up the datacenter and fire up the CPU fans is a bad thing.  Blame it on
> > Lennart and the systemd crowd with their arbitrary design decisions if
> > you like but we're stuck with it.
> > 
> > > Thanks!
> > 
> > Regards,
> > Mike
> > 
> > > > ---
> > > >  config/templates/centos.common.conf.in   |   8 +-
> > > >  config/templates/fedora.common.conf.in   |   8 +-
> > > >  config/templates/opensuse.common.conf.in |   7 +-
> > > >  configure.ac                             |   1 +
> > > >  src/lxc/conf.c                           |  23 +-
> > > >  templates/Makefile.am                    |   1 +
> > > >  templates/functions.in                   | 208 +++++++++++++++++
> > > >  templates/lxc-centos.in                  | 387 ++++++++++++++++---------------
> > > >  templates/lxc-fedora.in                  | 318 ++++++++++---------------
> > > >  templates/lxc-openmandriva.in            |   1 +
> > > >  templates/lxc-opensuse.in                |  50 +++-
> > > >  11 files changed, 612 insertions(+), 400 deletions(-)
> > > >  create mode 100644 templates/functions.in
> > > > 
> > > > diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
> > > > index 4ce2fda..7f39ddf 100644
> > > > --- a/config/templates/centos.common.conf.in
> > > > +++ b/config/templates/centos.common.conf.in
> > > > @@ -20,4 +20,10 @@ lxc.mount.auto = proc:mixed sys:ro
> > > >  # lxc.cap.drop = setuid           # breaks sshd,nfs statd
> > > >  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
> > > >  # lxc.cap.drop = audit_write
> > > > -lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
> > > > +# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
> > > > +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> > > > +
> > > > +# This lets LXC CentOS containers run on hosts with apparmor.
> > > > +# It does nothing on hosts which do not have apparmor enabled.
> > > > +lxc.aa_profile = unconfined
> > > > +
> > > > diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
> > > > index acebe3c..7794945 100644
> > > > --- a/config/templates/fedora.common.conf.in
> > > > +++ b/config/templates/fedora.common.conf.in
> > > > @@ -18,4 +18,10 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
> > > >  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
> > > >  # lxc.cap.drop = audit_write
> > > >  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
> > > > -lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
> > > > +# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
> > > > +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> > > > +
> > > > +# This lets LXC Fedora containers run on hosts with apparmor.
> > > > +# It does nothing on hosts which do not have apparmor enabled.
> > > > +lxc.aa_profile = unconfined
> > > > +
> > > > diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
> > > > index 4026975..813d296 100644
> > > > --- a/config/templates/opensuse.common.conf.in
> > > > +++ b/config/templates/opensuse.common.conf.in
> > > > @@ -21,5 +21,10 @@ lxc.autodev = 1
> > > >  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
> > > >  # lxc.cap.drop = audit_write
> > > >  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
> > > > -# lxc.cap.drop = setfcap
> > > > +# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
> > > >  lxc.cap.drop = sys_nice sys_pacct sys_rawio
> > > > +
> > > > +# This lets LXC SUSE containers run on hosts with apparmor.
> > > > +# It does nothing on hosts which do not have apparmor enabled.
> > > > +lxc.aa_profile = unconfined
> > > > +
> > > > diff --git a/configure.ac b/configure.ac
> > > > index 5d5f974..c1a575b 100644
> > > > --- a/configure.ac
> > > > +++ b/configure.ac
> > > > @@ -731,6 +731,7 @@ AC_CONFIG_FILES([
> > > >  	hooks/Makefile
> > > >  
> > > >  	templates/Makefile
> > > > +	templates/functions
> > > >  	templates/lxc-alpine
> > > >  	templates/lxc-altlinux
> > > >  	templates/lxc-archlinux
> > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > > > index 5e61c35..7e1e564 100644
> > > > --- a/src/lxc/conf.c
> > > > +++ b/src/lxc/conf.c
> > > > @@ -2862,7 +2862,8 @@ struct lxc_conf *lxc_conf_init(void)
> > > >  		free(new);
> > > >  		return NULL;
> > > >  	}
> > > > -	new->kmsg = 1;
> > > > +	/* Unless this is overriden, decide this based on autodev */
> > > > +	new->kmsg = -1;
> > > >  	lxc_list_init(&new->cgroup);
> > > >  	lxc_list_init(&new->network);
> > > >  	lxc_list_init(&new->mount_list);
> > > > @@ -4159,6 +4160,26 @@ int lxc_setup(struct lxc_handler *handler)
> > > >  			ERROR("failed to mount /dev in the container");
> > > >  			return -1;
> > > >  		}
> > > > +		if (lxc_conf->kmsg < 0) {
> > > > +			/*
> > > > +			 * Autodev is generally used for systemd.  If systemd
> > > > +			 * is running then journald is likely to be running.  If
> > > > +			 * journald is running we should NOT symlink /dev/kmsg!
> > > > +			 * If we do set the symlink, a logging loop is created
> > > > +			 * and journald eats CPU time for lunch!
> > > > +			 */
> > > > +			lxc_conf->kmsg = 0;
> > > > +
> > > > +			/*
> > > > +			 * Note: This can be overridden by those who know what
> > > > +			 *	they are doing and why by explicitly setting
> > > > +			 *	lxc.autodev in the container config and setting
> > > > +			 *	lxc.kmsg to what ever they like.  Then it's a
> > > > +			 *	self-inflicted injury.
> > > > +			 */
> > > > +		}
> > > > +	} else if (lxc_conf->kmsg < 0) {
> > > > +			lxc_conf->kmsg = 1;
> > > >  	}
> > > >  
> > > >  	/* do automatic mounts (mainly /proc and /sys), but exclude
> > > > diff --git a/templates/Makefile.am b/templates/Makefile.am
> > > > index ac870a1..4f05069 100644
> > > > --- a/templates/Makefile.am
> > > > +++ b/templates/Makefile.am
> > > > @@ -1,6 +1,7 @@
> > > >  templatesdir=@LXCTEMPLATEDIR@
> > > >  
> > > >  templates_SCRIPTS = \
> > > > +	functions \
> > > >  	lxc-alpine \
> > > >  	lxc-altlinux \
> > > >  	lxc-archlinux \
> > > > diff --git a/templates/functions.in b/templates/functions.in
> > > > new file mode 100644
> > > > index 0000000..ee80120
> > > > --- /dev/null
> > > > +++ b/templates/functions.in
> > > > @@ -0,0 +1,208 @@
> > > > +#!/bin/sh -
> > > > +
> > > > +# templates/functions
> > > > +
> > > > +# Misc functions for template support.
> > > > +
> > > > +# Authors:
> > > > +# Michael H. Warfield <mhw at WittsEnd.com>
> > > > +
> > > > +# This library is free software; you can redistribute it and/or
> > > > +# modify it under the terms of the GNU Lesser General Public
> > > > +# License as published by the Free Software Foundation; either
> > > > +# version 2.1 of the License, or (at your option) any later version.
> > > > +
> > > > +# This library is distributed in the hope that it will be useful,
> > > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> > > > +# Lesser General Public License for more details.
> > > > +
> > > > +# You should have received a copy of the GNU Lesser General Public
> > > > +# License along with this library; if not, write to the Free Software
> > > > +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> > > > +
> > > > +###
> > > > +# User creation and password support.
> > > > +###
> > > > +
> > > > +# Some combinations of the tuning knobs below do not exactly make sense.
> > > > +# but that's ok.
> > > > +#
> > > > +# If the "root_password" is non-blank, use it, else set a default.
> > > > +# This can be passed to the script as an environment variable and is
> > > > +# set by a shell conditional assignment.  Looks weird but it is what it is.
> > > > +#
> > > > +# If the root password contains a ding ($) then try to expand it.
> > > > +# That will pick up things like ${name} and ${RANDOM}.
> > > > +# If the root password contians more than 3 consecutive X's, pass it as
> > > > +# a template to mktemp and take the result.
> > > > +#
> > > > +# If root_display_password = yes, display the temporary root password at exit.
> > > > +# If root_store_password = yes, store it in the configuration directory
> > > > +# If root_prompt_password = yes, invoke "passwd" to force the user to change
> > > > +# the root password after the container is created.
> > > > +# If root_expire_password = yes, you will be prompted to change the root
> > > > +# password at the first login.
> > > > +#
> > > > +# These are conditional assignments...  The can be overridden from the
> > > > +# preexisting environment variables in the calling template or from
> > > > +# the user environment...
> > > > +#
> > > > +# Default user...
> > > > +: ${LXC_DEFAULT_USER='root'}
> > > > +# Make sure this is in single quotes to defer expansion to later!
> > > > +# :{root_password='Root-${name}-${RANDOM}'}
> > > > +: ${LXC_PASSWORD='Root-${name}-XXXXXX'}
> > > > +
> > > > +# Now, it doesn't make much sense to display, store, and force change
> > > > +# together.  But, we gotta test, right???
> > > > +: ${LXC_DISPLAY_PASSWORD='no'}
> > > > +: ${LXC_STORE_PASSWORD='yes'}
> > > > +
> > > > +# Expire root password? Default to yes, but can be overridden from
> > > > +# the environment variable
> > > > +: ${LXC_EXPIRE_PASSWORD='yes'}
> > > > +
> > > > +
> > > > +# Then above environment variables are for convention and for
> > > > +# convenience of use by the calling template.  They may be
> > > > +# overriden by the environment, calling line parameters, or the
> > > > +# whim of the template writer.  They can be ignored entirely.
> > > > +# The values used in setting up a user are the values passed in
> > > > +# calling lxc_setup_user().
> > > > +
> > > > +# lxc_setup_user username password/hash display store expire
> > > > +#
> > > > +#   Set the user password, creating the user if necessary...
> > > > +#
> > > > +
> > > > +lxc_setup_user() {
> > > > +    local CONTAINER_NAME="${1}"
> > > > +    local ROOTFS="${2}"
> > > > +    local CONFIG_PATH="${3}"
> > > > +    local USER="${4}"
> > > > +    local PASSWD="${5}"
> > > > +    local DISPLAY="${6}"
> > > > +    local STORE="${7}"
> > > > +    local EXPIRE="${8}"
> > > > +
> > > > +    # The required groups in this list should alraedy be created.
> > > > +    # Groups that don't exist will not be created and will be ignored.
> > > > +    # Might be worth making that a tunable parameter as well.  Maybe...
> > > > +    local groups="sudo admin wheel"
> > > > +
> > > > +    # See if the user exists.  For root, this should not be a question.
> > > > +    # for non-root defaults (like ubuntu) we may need to create the user.
> > > > +    PWENT=$(chroot ${ROOTFS} getent passwd ${USER})
> > > > +
> > > > +    if [ "$?" != 0 ]
> > > > +    then
> > > > +        chroot ${ROOTFS} useradd ${USER}
> > > > +        for group in $groups; do
> > > > +            # We do this individually so that, if a group doesn't exist,
> > > > +            # all the groups that do exist have the user added.
> > > > +            chroot ${ROOTFS} usermod -a -G ${group} ${USER} >/dev/null 2>&1 || true
> > > > +        done
> > > > +    fi
> > > > +
> > > > +    if [ ${PASSWD} = "PROMPT" ]
> > > > +    then
> > > > +        echo "Invoking the passwd command in the container to set the ${USER} password.
> > > > +
> > > > +        chroot ${ROOTFS} passwd ${USER}
> > > > +"
> > > > +        chroot ${ROOTFS} passwd ${USER}
> > > > +    elif [ $(expr "${PASSWD}" : '$$') != 0 -o \
> > > > +           $(expr "${PASSWD}" : '*$') != 0 -o \
> > > > +           $(expr "${PASSWD}" : '!!$') != 0 ]
> > > > +    then
> > > > +        # Matches one of 3 common "disabled" conventions so treat them
> > > > +        # as if they were "hashed" passwords to be copied literally
> > > > +        # by chpasswd.  Result is an account with no valid password.
> > > > +        if [ ${DISPLAY} = "yes" ]
> > > > +        then
> > > > +            echo "Disabling ${USER} password"
> > > > +        fi
> > > > +        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd -e
> > > > +    elif [ $(expr "${PASSWD}" : '$[0-9][0-9]*$.') != 0 ]
> > > > +    then
> > > > +        # Matches on a $[0-9]$ hash indicator for a real password hash.
> > > > +        if [ ${DISPLAY} = "yes" ]
> > > > +        then
> > > > +            echo "Setting ${USER} password hash to ${PASSWORD}"
> > > > +        fi
> > > > +        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd -e
> > > > +    else
> > > > +        # Anything else, assume a clear text password template...
> > > > +
> > > > +        # Let's do something better for the initial user password.
> > > > +        # It's not perfect but it will defeat common scanning brute force
> > > > +        # attacks in the case where ssh is exposed.  It may also be set to
> > > > +        # expired, forcing the user to change it at first login.
> > > > +        if [ "${PASSWD}" = "" ]
> > > > +        then
> > > > +            PASSWD=${USER}-${CONTAINER_NAME}-${RANDOM}
> > > > +        fi
> > > > +
> > > > +        # If it's got a ding in it, try and expand it!
> > > > +        # In theory, this could also access and external program.
> > > > +        if [ $(expr "${PASSWD}" : '.*$.') != 0 ]
> > > > +        then
> > > > +            PASSWD=$(eval echo "${PASSWD}")
> > > > +        fi
> > > > +
> > > > +        # If it has more than 3 consequtive X's in it, feed it
> > > > +        # through mktemp as a template.
> > > > +        if [ $(expr "${PASSWD}" : '.*XXXX') != 0 ]
> > > > +        then
> > > > +            PASSWD=$(mktemp -u ${PASSWD})
> > > > +        fi
> > > > +        if [ ${STORE} = "yes" ]
> > > > +        then
> > > > +            touch ${config_path}/tmp_pass
> > > > +            chmod 600 ${config_path}/tmp_pass
> > > > +            # Append the user and password to the file.
> > > > +            # We might be ultimately adding more than one.
> > > > +            echo ${USER}:${PASSWD} >> ${config_path}/tmp_pass
> > > > +
> > > > +            echo "The temporary password for ${USER} is stored in:
> > > > +
> > > > +        '${config_path}/tmp_pass'
> > > > +"
> > > > +        fi
> > > > +
> > > > +        if [ ${DISPLAY} = "yes" ]
> > > > +        then
> > > > +            echo "Setting ${USER} password to '$PASSWORD'"
> > > > +        fi
> > > > +        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd
> > > > +    fi
> > > > +
> > > > +    if [ ${EXPIRE} = "yes" ]
> > > > +    then
> > > > +        # Also set this password as expired to force the user to change it!
> > > > +        chroot ${ROOTFS} passwd -e ${USER}
> > > > +        echo "
> > > > +The password for ${USER} is set up as "expired" and will require it to be changed
> > > > +at first login, which you should do as soon as possible.  If you lose the
> > > > +${USER} password or wish to change it without starting the container, you
> > > > +can change it from the host by running the following command (which will
> > > > +also reset the expired flag):
> > > > +
> > > > +    chroot ${ROOTFS} passwd
> > > > +"
> > > > +    fi
> > > > +}
> > > > +
> > > > +
> > > > +###
> > > > +# HW Mac address generation support.
> > > > +###
> > > > +
> > > > +# Generate a random hardware (MAC) address composed of FE followed by
> > > > +# 5 random bytes...
> > > > +lxc_create_hwaddr()
> > > > +{
> > > > +    openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/'
> > > > +}
> > > > +
> > > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> > > > index 1586a90..3f9ef4d 100644
> > > > --- a/templates/lxc-centos.in
> > > > +++ b/templates/lxc-centos.in
> > > > @@ -1,7 +1,7 @@
> > > >  #!/bin/bash
> > > >  
> > > >  #
> > > > -# template script for generating centos container for LXC
> > > > +# template script for generating a CentOS container for LXC
> > > >  
> > > >  #
> > > >  # lxc: linux Container library
> > > > @@ -28,44 +28,13 @@
> > > >  
> > > >  #Configurations
> > > >  default_path=@LXCPATH@
> > > > +template_path=@LXCTEMPLATEDIR@
> > > >  
> > > > -# Some combinations of the tuning knobs below do not exactly make sense.
> > > > -# but that's ok.
> > > > -#
> > > > -# If the "root_password" is non-blank, use it, else set a default.
> > > > -# This can be passed to the script as an environment variable and is
> > > > -# set by a shell conditional assignment.  Looks weird but it is what it is.
> > > > -#
> > > > -# If the root password contains a ding ($) then try to expand it.
> > > > -# That will pick up things like ${name} and ${RANDOM}.
> > > > -# If the root password contians more than 3 consecutive X's, pass it as
> > > > -# a template to mktemp and take the result.
> > > > -#
> > > > -# If root_display_password = yes, display the temporary root password at exit.
> > > > -# If root_store_password = yes, store it in the configuration directory
> > > > -# If root_prompt_password = yes, invoke "passwd" to force the user to change
> > > > -# the root password after the container is created.
> > > > -# If root_expire_password = yes, you will be prompted to change the root
> > > > -# password at the first login.
> > > > -#
> > > > -# These are conditional assignments...  The can be overridden from the
> > > > -# preexisting environment variables...
> > > > -#
> > > > -# Make sure this is in single quotes to defer expansion to later!
> > > > -# :{root_password='Root-${name}-${RANDOM}'}
> > > > -: ${root_password='Root-${name}-XXXXXX'}
> > > > -
> > > > -# Now, it doesn't make much sense to display, store, and force change
> > > > -# together.  But, we gotta test, right???
> > > > -: ${root_display_password='no'}
> > > > -: ${root_store_password='yes'}
> > > > -# Prompting for something interactive has potential for mayhem
> > > > -# with users running under the API...  Don't default to "yes"
> > > > -: ${root_prompt_password='no'}
> > > > -
> > > > -# Expire root password? Default to yes, but can be overridden from
> > > > -# the environment variable
> > > > -: ${root_expire_password='yes'}
> > > > +# Load up some common functions
> > > > +if [ -f ${template_path}/functions ]
> > > > +then
> > > > +    . ${template_path}/functions
> > > > +fi
> > > >  
> > > >  # These are only going into comments in the resulting config...
> > > >  lxc_network_type=veth
> > > > @@ -161,31 +130,31 @@ configure_centos()
> > > >  {
> > > >  
> > > >      # disable selinux in centos
> > > > -    mkdir -p $rootfs_path/selinux
> > > > -    echo 0 > $rootfs_path/selinux/enforce
> > > > +    mkdir -p ${rootfs}/selinux
> > > > +    echo 0 > ${rootfs}/selinux/enforce
> > > >  
> > > >      # Also kill it in the /etc/selinux/config file if it's there...
> > > > -    if [ -f $rootfs_path/etc/selinux/config ]
> > > > +    if [ -f ${rootfs}/etc/selinux/config ]
> > > >      then
> > > > -        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
> > > > +        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' ${rootfs}/etc/selinux/config
> > > >      fi
> > > >  
> > > >      # Nice catch from Dwight Engen in the Oracle template.
> > > >      # Wantonly plagerized here with much appreciation.
> > > > -    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
> > > > -        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
> > > > -        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
> > > > +    if [ -f ${rootfs}/usr/sbin/selinuxenabled ]; then
> > > > +        mv ${rootfs}/usr/sbin/selinuxenabled ${rootfs}/usr/sbin/selinuxenabled.lxcorig
> > > > +        ln -s /bin/false ${rootfs}/usr/sbin/selinuxenabled
> > > >      fi
> > > >  
> > > >      # This is a known problem and documented in RedHat bugzilla as relating
> > > >      # to a problem with auditing enabled.  This prevents an error in
> > > >      # the container "Cannot make/remove an entry for the specified session"
> > > > -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> > > > -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> > > > +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/login
> > > > +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/sshd
> > > >  
> > > > -    if [ -f ${rootfs_path}/etc/pam.d/crond ]
> > > > +    if [ -f ${rootfs}/etc/pam.d/crond ]
> > > >      then
> > > > -        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> > > > +        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/crond
> > > >      fi
> > > >  
> > > >      # In addition to disabling pam_loginuid in the above config files
> > > > @@ -193,27 +162,27 @@ configure_centos()
> > > >      # we missed or any that get installed after the container is built.
> > > >      #
> > > >      # Catch either or both 32 and 64 bit archs.
> > > > -    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> > > > +    if [ -f ${rootfs}/lib/security/pam_loginuid.so ]
> > > >      then
> > > > -        ( cd ${rootfs_path}/lib/security/
> > > > +        ( cd ${rootfs}/lib/security/
> > > >          mv pam_loginuid.so pam_loginuid.so.disabled
> > > >          ln -s pam_permit.so pam_loginuid.so
> > > >          )
> > > >      fi
> > > >  
> > > > -    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> > > > +    if [ -f ${rootfs}/lib64/security/pam_loginuid.so ]
> > > >      then
> > > > -        ( cd ${rootfs_path}/lib64/security/
> > > > +        ( cd ${rootfs}/lib64/security/
> > > >          mv pam_loginuid.so pam_loginuid.so.disabled
> > > >          ln -s pam_permit.so pam_loginuid.so
> > > >          )
> > > >      fi
> > > >  
> > > >      # Set default localtime to the host localtime if not set...
> > > > -    if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ]
> > > > +    if [ -e /etc/localtime -a ! -e ${rootfs}/etc/localtime ]
> > > >      then
> > > >          # if /etc/localtime is a symlink, this should preserve it.
> > > > -        cp -a /etc/localtime ${rootfs_path}/etc/localtime
> > > > +        cp -a /etc/localtime ${rootfs}/etc/localtime
> > > >      fi
> > > >  
> > > >      # Deal with some dain bramage in the /etc/init.d/halt script.
> > > > @@ -226,26 +195,26 @@ configure_centos()
> > > >      # So we just eliminate the whole bottom half of that script in making
> > > >      # ourselves a copy.  That way a major update to the init scripts won't
> > > >      # trash what we've set up.
> > > > -    if [ -f ${rootfs_path}/etc/init.d/halt ]
> > > > +    if [ -f ${rootfs}/etc/init.d/halt ]
> > > >      then
> > > >          sed -e '/hwclock/,$d' \
> > > > -            < ${rootfs_path}/etc/init.d/halt \
> > > > -            > ${rootfs_path}/etc/init.d/lxc-halt
> > > > +            < ${rootfs}/etc/init.d/halt \
> > > > +            > ${rootfs}/etc/init.d/lxc-halt
> > > >  
> > > > -        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
> > > > -        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt
> > > > +        echo '$command -f' >> ${rootfs}/etc/init.d/lxc-halt
> > > > +        chmod 755 ${rootfs}/etc/init.d/lxc-halt
> > > >  
> > > >          # Link them into the rc directories...
> > > >          (
> > > > -             cd ${rootfs_path}/etc/rc.d/rc0.d
> > > > +             cd ${rootfs}/etc/rc.d/rc0.d
> > > >               ln -s ../init.d/lxc-halt S00lxc-halt
> > > > -             cd ${rootfs_path}/etc/rc.d/rc6.d
> > > > +             cd ${rootfs}/etc/rc.d/rc6.d
> > > >               ln -s ../init.d/lxc-halt S00lxc-reboot
> > > >          )
> > > >      fi
> > > >  
> > > >      # configure the network using the dhcp
> > > > -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> > > > +    cat <<EOF > ${rootfs}/etc/sysconfig/network-scripts/ifcfg-eth0
> > > >  DEVICE=eth0
> > > >  BOOTPROTO=dhcp
> > > >  ONBOOT=yes
> > > > @@ -257,25 +226,30 @@ DHCP_HOSTNAME=$name
> > > >  EOF
> > > >  
> > > >      # set the hostname
> > > > -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
> > > > +    cat <<EOF > ${rootfs}/etc/sysconfig/network
> > > >  NETWORKING=yes
> > > >  HOSTNAME=${UTSNAME}
> > > >  EOF
> > > >  
> > > > +    # set hostname on systemd systems
> > > > +    if [ $release -gt 6 ]; then
> > > > +        echo "${utsname}" > ${rootfs}/etc/hostname
> > > > +    fi
> > > > +
> > > >      # set minimal hosts
> > > > -    cat <<EOF > $rootfs_path/etc/hosts
> > > > +    cat <<EOF > ${rootfs}/etc/hosts
> > > >  127.0.0.1 localhost $name
> > > >  EOF
> > > >  
> > > >      # set minimal fstab
> > > > -    cat <<EOF > $rootfs_path/etc/fstab
> > > > +    cat <<EOF > ${rootfs}/etc/fstab
> > > >  /dev/root               /                       rootfs   defaults        0 0
> > > >  none                    /dev/shm                tmpfs    nosuid,nodev    0 0
> > > >  EOF
> > > >  
> > > >      # create lxc compatibility init script
> > > >      if [ "$release" = "6" ]; then
> > > > -        cat <<EOF > $rootfs_path/etc/init/lxc-sysinit.conf
> > > > +        cat <<EOF > ${rootfs}/etc/init/lxc-sysinit.conf
> > > >  start on startup
> > > >  env container
> > > >  
> > > > @@ -291,23 +265,23 @@ pre-start script
> > > >  end script
> > > >  EOF
> > > >      elif [ "$release" = "5" ]; then
> > > > -        cat <<EOF > $rootfs_path/etc/rc.d/lxc.sysinit
> > > > +        cat <<EOF > ${rootfs}/etc/rc.d/lxc.sysinit
> > > >  #! /bin/bash
> > > >  rm -f /etc/mtab /var/run/*.{pid,lock} /var/lock/subsys/*
> > > >  rm -rf {/,/var}/tmp/*
> > > >  echo "/dev/root               /                       rootfs   defaults        0 0" > /etc/mtab
> > > >  exit 0
> > > >  EOF
> > > > -        chmod 755 $rootfs_path/etc/rc.d/lxc.sysinit
> > > > -        sed -i 's|si::sysinit:/etc/rc.d/rc.sysinit|si::bootwait:/etc/rc.d/lxc.sysinit|'  $rootfs_path/etc/inittab
> > > > +        chmod 755 ${rootfs}/etc/rc.d/lxc.sysinit
> > > > +        sed -i 's|si::sysinit:/etc/rc.d/rc.sysinit|si::bootwait:/etc/rc.d/lxc.sysinit|'  ${rootfs}/etc/inittab
> > > >          # prevent mingetty from calling vhangup(2) since it fails with userns.
> > > >          # Same issue as oracle template: prevent mingetty from calling vhangup(2)
> > > >          # commit 2e83f7201c5d402478b9849f0a85c62d5b9f1589.
> > > > -        sed -i 's|^1:|co:2345:respawn:/sbin/mingetty --nohangup console\n1:|' $rootfs_path/etc/inittab
> > > > -        sed -i 's|^\([56]:\)|#\1|' $rootfs_path/etc/inittab
> > > > +        sed -i 's|^1:|co:2345:respawn:/sbin/mingetty --nohangup console\n1:|' ${rootfs}/etc/inittab
> > > > +        sed -i 's|^\([56]:\)|#\1|' ${rootfs}/etc/inittab
> > > >      fi
> > > >  
> > > > -    dev_path="${rootfs_path}/dev"
> > > > +    dev_path="${rootfs}/dev"
> > > >      rm -rf $dev_path
> > > >      mkdir -p $dev_path
> > > >      mknod -m 666 ${dev_path}/null c 1 3
> > > > @@ -334,59 +308,39 @@ EOF
> > > >      # since lxc.devttydir is specified in the config.
> > > >  
> > > >      # allow root login on console, tty[1-4], and pts/0 for libvirt
> > > > -    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/console"  >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
> > > > -    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
> > > > -    echo "pts/0"        >>${rootfs_path}/etc/securetty
> > > > +    echo "# LXC (Linux Containers)" >>${rootfs}/etc/securetty
> > > > +    echo "lxc/console"  >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty1"     >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty2"     >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty3"     >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty4"     >>${rootfs}/etc/securetty
> > > > +    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs}/etc/securetty
> > > > +    echo "pts/0"        >>${rootfs}/etc/securetty
> > > >  
> > > >      # prevent mingetty from calling vhangup(2) since it fails with userns.
> > > >      # Same issue as oracle template: prevent mingetty from calling vhangup(2)
> > > >      # commit 2e83f7201c5d402478b9849f0a85c62d5b9f1589.
> > > > -    sed -i 's|mingetty|mingetty --nohangup|' $container_rootfs/etc/init/tty.conf
> > > > -
> > > > -    if [ ${root_display_password} = "yes" ]
> > > > -    then
> > > > -        echo "Setting root password to '$root_password'"
> > > > -    fi
> > > > -    if [ ${root_store_password} = "yes" ]
> > > > +    if [ -f ${rootfs}/etc/init/tty.conf ]
> > > >      then
> > > > -        touch ${config_path}/tmp_root_pass
> > > > -        chmod 600 ${config_path}/tmp_root_pass
> > > > -        echo ${root_password} > ${config_path}/tmp_root_pass
> > > > -        echo "Storing root password in '${config_path}/tmp_root_pass'"
> > > > +        sed -i 's|mingetty|mingetty --nohangup|' ${rootfs}/etc/init/tty.conf
> > > >      fi
> > > >  
> > > > -    echo "root:$root_password" | chroot $rootfs_path chpasswd
> > > > -
> > > > -    if [ ${root_expire_password} = "yes" ]
> > > > -    then
> > > > -        # Also set this password as expired to force the user to change it!
> > > > -        chroot $rootfs_path passwd -e root
> > > > -    fi
> > > > -
> > > > -    # This will need to be enhanced for CentOS 7 when systemd
> > > > -    # comes into play...   /\/\|=mhw=|\/\/
> > > > -
> > > >      return 0
> > > >  }
> > > >  
> > > >  configure_centos_init()
> > > >  {
> > > > -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
> > > > -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
> > > > +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.sysinit
> > > > +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.d/rc.sysinit
> > > >      if [ "$release" = "6" ]; then
> > > > -        chroot ${rootfs_path} chkconfig udev-post off
> > > > +        chroot ${rootfs} chkconfig udev-post off
> > > >      fi
> > > > -    chroot ${rootfs_path} chkconfig network on
> > > > +    chroot ${rootfs} chkconfig network on
> > > >  
> > > > -    if [ -d ${rootfs_path}/etc/init ]
> > > > +    if [ -d ${rootfs}/etc/init ]
> > > >      then
> > > >         # This is to make upstart honor SIGPWR
> > > > -        cat <<EOF >${rootfs_path}/etc/init/power-status-changed.conf
> > > > +        cat <<EOF >${rootfs}/etc/init/power-status-changed.conf
> > > >  #  power-status-changed - shutdown on SIGPWR
> > > >  #
> > > >  start on power-status-changed
> > > > @@ -396,6 +350,35 @@ EOF
> > > >      fi
> > > >  }
> > > >  
> > > > +configure_centos_systemd()
> > > > +{
> > > > +    rm -f ${rootfs}/etc/systemd/system/default.target
> > > > +    touch ${rootfs}/etc/fstab
> > > > +    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
> > > > +    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> > > > +    # Make systemd honor SIGPWR
> > > > +    chroot ${rootfs} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
> > > > +    #dependency on a device unit fails it specially that we disabled udev
> > > > +    # sed -i 's/After=dev-%i.device/After=/' ${rootfs}/lib/systemd/system/getty\@.service
> > > > +    #
> > > > +    # Actually, the After=dev-%i.device line does not appear in the
> > > > +    # Fedora 17 or Fedora 18 systemd getty\@.service file.  It may be left
> > > > +    # over from an earlier version and it's not doing any harm.  We do need
> > > > +    # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
> > > > +    # started on the ttys in the container.  Lets do it in an override copy of
> > > > +    # the service so it can still pass rpm verifies and not be automatically
> > > > +    # updated by a new systemd version.  --  mhw  /\/\|=mhw=|\/\/
> > > > +
> > > > +    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
> > > > +        -e 's/After=dev-%i.device/After=/' \
> > > > +        < ${rootfs}/lib/systemd/system/getty\@.service \
> > > > +        > ${rootfs}/etc/systemd/system/getty\@.service
> > > > +    # Setup getty service on the 4 ttys we are going to allow in the
> > > > +    # default config.  Number should match lxc.tty
> > > > +    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
> > > > +        for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty at tty${i}.service; done )
> > > > +}
> > > > +
> > > >  download_centos()
> > > >  {
> > > >  
> > > > @@ -410,19 +393,19 @@ download_centos()
> > > >      # download a mini centos into a cache
> > > >      echo "Downloading centos minimal ..."
> > > >      YUM="yum --installroot $INSTALL_ROOT -y --nogpgcheck"
> > > > -    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils"
> > > > +    PKG_LIST="yum initscripts passwd rsyslog vim-minimal sudo openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils"
> > > >  
> > > >      # use temporary repository definition
> > > >      REPO_FILE=$INSTALL_ROOT/etc/yum.repos.d/lxc-centos-temp.repo
> > > >      mkdir -p $(dirname $REPO_FILE)
> > > >      if [ -n "$repo" ]; then
> > > > -	cat <<EOF > $REPO_FILE
> > > > +        cat <<EOF > $REPO_FILE
> > > >  [base]
> > > >  name=local repository
> > > >  baseurl="$repo"
> > > >  EOF
> > > >  else
> > > > -	cat <<EOF > $REPO_FILE
> > > > +        cat <<EOF > $REPO_FILE
> > > >  [base]
> > > >  name=CentOS-$release - Base
> > > >  mirrorlist=http://mirrorlist.centos.org/?release=$release&arch=$basearch&repo=os
> > > > @@ -434,20 +417,23 @@ EOF
> > > >      fi
> > > >  
> > > >      # create minimal device nodes, needed for "yum install" and "yum update" process
> > > > -    mkdir -p $INSTALL_ROOT/dev
> > > > -    force_mknod 666 $INSTALL_ROOT/dev/null c 1 3
> > > > -    force_mknod 666 $INSTALL_ROOT/dev/urandom c 1 9
> > > > +    mkdir -p $INSTALL_ROOT/dev $INSTALL_ROOT/proc
> > > > +
> > > > +    # CentOS7 needs these, even if they are overkill for 5&6.
> > > > +    mount -o bind /dev ${INSTALL_ROOT}/dev
> > > > +    mount -t proc proc ${INSTALL_ROOT}/proc
> > > > +    # Always make sure /etc/resolv.conf is up to date in the target!
> > > > +    cp /etc/resolv.conf ${INSTALL_ROOT}/etc/
> > > >  
> > > >      $YUM install $PKG_LIST
> > > >  
> > > >      if [ $? -ne 0 ]; then
> > > >          echo "Failed to download the rootfs, aborting."
> > > > +        umount ${INSTALL_ROOT}/proc
> > > > +        umount ${INSTALL_ROOT}/dev
> > > >          return 1
> > > >      fi
> > > >  
> > > > -    # use same nameservers as hosts, needed for "yum update later"
> > > > -    cp /etc/resolv.conf $INSTALL_ROOT/etc/
> > > > -
> > > >      # check whether rpmdb is under $HOME
> > > >      if [ ! -e $INSTALL_ROOT/var/lib/rpm/Packages -a -e $INSTALL_ROOT/$HOME/.rpmdb/Packages ]; then
> > > >          echo "Fixing rpmdb location ..."
> > > > @@ -469,17 +455,26 @@ EOF
> > > >          mv $INSTALL_ROOT/etc/yum.repos.d/*.repo $INSTALL_ROOT/etc/yum.repos.disabled/
> > > >          mv $REPO_FILE.tmp $REPO_FILE
> > > >          mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/etc
> > > > -        cp /etc/resolv.conf $INSTALL_ROOT/$INSTALL_ROOT/etc/
> > > >          mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/dev
> > > > -        mknod -m 666 $INSTALL_ROOT/$INSTALL_ROOT/dev/null c 1 3
> > > > -        mknod -m 666 $INSTALL_ROOT/$INSTALL_ROOT/dev/urandom c 1 9
> > > > +        mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/proc
> > > > +        # CentOS7 needs these, even if they are overkill for 5&6.
> > > > +        mount -o bind /dev ${INSTALL_ROOT}/${INSTALL_ROOT}/dev
> > > > +        mount -t proc proc ${INSTALL_ROOT}/${INSTALL_ROOT}/proc
> > > > +        # Always make sure /etc/resolv.conf is up to date in the target!
> > > > +        cp /etc/resolv.conf $INSTALL_ROOT/$INSTALL_ROOT/etc/
> > > >          mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/var/cache/yum
> > > >          cp -al $INSTALL_ROOT/var/cache/yum/* $INSTALL_ROOT/$INSTALL_ROOT/var/cache/yum/
> > > >          chroot $INSTALL_ROOT $YUM install $PKG_LIST
> > > >          if [ $? -ne 0 ]; then
> > > >              echo "Failed to download the rootfs, aborting."
> > > > +            umount ${INSTALL_ROOT}/${INSTALL_ROOT}/proc
> > > > +            umount ${INSTALL_ROOT}/${INSTALL_ROOT}/dev
> > > > +            umount ${INSTALL_ROOT}/proc
> > > > +            umount ${INSTALL_ROOT}/dev
> > > >              return 1
> > > >          fi
> > > > +        umount ${INSTALL_ROOT}/proc
> > > > +        umount ${INSTALL_ROOT}/dev
> > > >          mv $INSTALL_ROOT/$INSTALL_ROOT $INSTALL_ROOT.tmp
> > > >          rm -rf $INSTALL_ROOT
> > > >          mv $INSTALL_ROOT.tmp $INSTALL_ROOT
> > > > @@ -488,6 +483,9 @@ EOF
> > > >      rm -f $REPO_FILE
> > > >      rm -rf $INSTALL_ROOT/var/cache/yum/*
> > > >  
> > > > +    umount ${INSTALL_ROOT}/proc
> > > > +    umount ${INSTALL_ROOT}/dev
> > > > +
> > > >      mv "$INSTALL_ROOT" "$cache/rootfs"
> > > >      echo "Download complete."
> > > >  
> > > > @@ -498,11 +496,11 @@ copy_centos()
> > > >  {
> > > >  
> > > >      # make a local copy of the mini centos
> > > > -    echo -n "Copying rootfs to $rootfs_path ..."
> > > > -    #cp -a $cache/rootfs-$arch $rootfs_path || return 1
> > > > +    echo -n "Copying rootfs to ${rootfs} ..."
> > > > +    #cp -a $cache/rootfs-$arch ${rootfs} || return 1
> > > >      # i prefer rsync (no reason really)
> > > > -    mkdir -p $rootfs_path
> > > > -    rsync -a $cache/rootfs/ $rootfs_path/
> > > > +    mkdir -p ${rootfs}
> > > > +    rsync -a $cache/rootfs/ ${rootfs}/
> > > >      echo
> > > >      return 0
> > > >  }
> > > > @@ -510,11 +508,24 @@ copy_centos()
> > > >  update_centos()
> > > >  {
> > > >      YUM="chroot $cache/rootfs yum -y --nogpgcheck"
> > > > +
> > > > +    # CentOS7 needs these, even if they are overkill for 5&6.
> > > > +    mount -o bind /dev ${cache}/rootfs/dev
> > > > +    mount -t proc proc ${cache}/rootfs/proc
> > > > +    # Always make sure /etc/resolv.conf is up to date in the target!
> > > > +    cp /etc/resolv.conf ${cache}/rootfs/etc/
> > > > +
> > > >      $YUM update
> > > >      if [ $? -ne 0 ]; then
> > > > +        umount ${cache}/rootfs/dev
> > > > +        umount ${cache}/rootfs/proc
> > > >          return 1
> > > >      fi
> > > >      $YUM clean packages
> > > > +
> > > > +    echo
> > > > +    umount ${cache}/rootfs/dev
> > > > +    umount ${cache}/rootfs/proc
> > > >  }
> > > >  
> > > >  install_centos()
> > > > @@ -544,7 +555,7 @@ install_centos()
> > > >          fi
> > > >      fi
> > > >  
> > > > -    echo "Copy $cache/rootfs to $rootfs_path ... "
> > > > +    echo "Copy $cache/rootfs to ${rootfs} ... "
> > > >      copy_centos
> > > >      if [ $? -ne 0 ]; then
> > > >          echo "Failed to copy rootfs"
> > > > @@ -568,7 +579,7 @@ copy_configuration()
> > > >      mkdir -p $config_path
> > > >  
> > > >      grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
> > > > -lxc.rootfs = $rootfs_path
> > > > +lxc.rootfs = ${rootfs}
> > > >  " >> $config_path/config
> > > >  
> > > >      # The following code is to create static MAC addresses for each
> > > > @@ -612,11 +623,19 @@ lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
> > > >  lxc.arch = $arch
> > > >  lxc.utsname = $utsname
> > > >  
> > > > -lxc.autodev = $auto_dev
> > > > +EOF
> > > >  
> > > > -# When using LXC with apparmor, uncomment the next line to run unconfined:
> > > > -#lxc.aa_profile = unconfined
> > > > +    if [ "${auto_dev}" != "0" ]
> > > > +    then
> > > > +        # Keep systemd and journald happy...
> > > > +        echo "\
> > > > +lxc.autodev = 1
> > > > +lxc.kmsg = 0
> > > > +" >> $config_path/config
> > > > +    fi
> > > >  
> > > > +    # Throw on some commments...
> > > > +    cat <<EOF >> $config_path/config
> > > >  # example simple networking setup, uncomment to enable
> > > >  #lxc.network.type = $lxc_network_type
> > > >  #lxc.network.flags = up
> > > > @@ -699,7 +718,7 @@ do
> > > >          -n|--name)      name=$2; shift 2;;
> > > >          -c|--clean)     clean=$2; shift 2;;
> > > >          -R|--release)   release=$2; shift 2;;
> > > > -	--repo)		repo="$2"; shift 2;;
> > > > +        --repo)         repo="$2"; shift 2;;
> > > >          -a|--arch)      newarch=$2; shift 2;;
> > > >          --fqdn)         utsname=$2; shift 2;;
> > > >          --)             shift 1; break ;;
> > > > @@ -757,28 +776,6 @@ fi
> > > >  
> > > >  cache_base=@LOCALSTATEDIR@/cache/lxc/centos/$basearch
> > > >  
> > > > -# Let's do something better for the initial root password.
> > > > -# It's not perfect but it will defeat common scanning brute force
> > > > -# attacks in the case where ssh is exposed.  It will also be set to
> > > > -# expired, forcing the user to change it at first login.
> > > > -if [ "${root_password}" = "" ]
> > > > -then
> > > > -    root_password=Root-${name}-${RANDOM}
> > > > -else
> > > > -    # If it's got a ding in it, try and expand it!
> > > > -    if [ $(expr "${root_password}" : '.*$.') != 0 ]
> > > > -    then
> > > > -        root_password=$(eval echo "${root_password}")
> > > > -    fi
> > > > -
> > > > -    # If it has more than 3 consequtive X's in it, feed it
> > > > -    # through mktemp as a template.
> > > > -    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
> > > > -    then
> > > > -        root_password=$(mktemp -u ${root_password})
> > > > -    fi
> > > > -fi
> > > > -
> > > >  if [ -z "${utsname}" ]; then
> > > >      utsname=${name}
> > > >  fi
> > > > @@ -844,14 +841,15 @@ if [ "$(id -u)" != "0" ]; then
> > > >  fi
> > > >  
> > > >  
> > > > -if [ -z "$rootfs_path" ]; then
> > > > -    rootfs_path=$path/rootfs
> > > > +if [ -z "${rootfs}" ]; then
> > > > +    rootfs=$path/rootfs
> > > >      # check for 'lxc.rootfs' passed in through default config by lxc-create
> > > >      if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
> > > > -        rootfs_path=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
> > > > +        rootfs=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
> > > >              -e 's/^lxc.rootfs\s*=\s*//' -e q $path/config)
> > > >      fi
> > > >  fi
> > > > +
> > > >  config_path=$path
> > > >  cache=$cache_base/$release
> > > >  
> > > > @@ -885,51 +883,54 @@ if [ $? -ne 0 ]; then
> > > >      exit 1
> > > >  fi
> > > >  
> > > > -configure_centos_init
> > > > +# If the systemd configuration directory exists - set it up for what we need.
> > > > +if [ -d ${rootfs}/etc/systemd/system ]
> > > > +then
> > > > +    configure_centos_systemd
> > > > +fi
> > > > +
> > > > +# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
> > > > +# above and may actually coexist on some upgraded systems.  Let's just make
> > > > +# sure that, if it exists, we update this file, even if it's not used...
> > > > +if [ -f ${rootfs}/etc/rc.sysinit ]
> > > > +then
> > > > +    configure_centos_init
> > > > +fi
> > > >  
> > > >  if [ ! -z $clean ]; then
> > > >      clean || exit 1
> > > >      exit 0
> > > >  fi
> > > > +
> > > >  echo "
> > > >  Container rootfs and config have been created.
> > > >  Edit the config file to check/enable networking setup.
> > > >  "
> > > >  
> > > > -if [ ${root_display_password} = "yes" ]
> > > > -then
> > > > -    echo "The temporary password for root is: '$root_password'
> > > > +# Set up the superuser user.
> > > > +# Several of the LXC_ variables are environment variables set up
> > > > +# in the "functions" file but can be overriden byt the calling environment
> > > > +# or by the template or ignored in calling this function.
> > > > +lxc_setup_user \
> > > > +    "${name}" \
> > > > +    "${rootfs}" \
> > > > +    "${config_path}" \
> > > > +    "${LXC_DEFAULT_USER}" \
> > > > +    "${LXC_PASSWORD}" \
> > > > +    "${LXC_DISPLAY_PASSWORD}" \
> > > > +    "${LXC_STORE_PASSWORD}" \
> > > > +    "${LXC_EXPIRE_PASSWORD}"
> > > > +
> > > > +# Add a "centos" user using the same template and config.
> > > > +# This is congruent with several other templates...
> > > > +lxc_setup_user \
> > > > +    "${name}" \
> > > > +    "${rootfs}" \
> > > > +    "${config_path}" \
> > > > +    "centos" \
> > > > +    "${LXC_PASSWORD}" \
> > > > +    "${LXC_DISPLAY_PASSWORD}" \
> > > > +    "${LXC_STORE_PASSWORD}" \
> > > > +    "${LXC_EXPIRE_PASSWORD}"
> > > >  
> > > > -You may want to note that password down before starting the container.
> > > > -"
> > > > -fi
> > > > -
> > > > -if [ ${root_store_password} = "yes" ]
> > > > -then
> > > > -    echo "The temporary root password is stored in:
> > > > -
> > > > -        '${config_path}/tmp_root_pass'
> > > > -"
> > > > -fi
> > > > -
> > > > -if [ ${root_prompt_password} = "yes" ]
> > > > -then
> > > > -    echo "Invoking the passwd command in the container to set the root password.
> > > > -
> > > > -        chroot ${rootfs_path} passwd
> > > > -"
> > > > -    chroot ${rootfs_path} passwd
> > > > -else
> > > > -    if [ ${root_expire_password} = "yes" ]
> > > > -    then
> > > > -        echo "
> > > > -The root password is set up as "expired" and will require it to be changed
> > > > -at first login, which you should do as soon as possible.  If you lose the
> > > > -root password or wish to change it without starting the container, you
> > > > -can change it from the host by running the following command (which will
> > > > -also reset the expired flag):
> > > > -
> > > > -        chroot ${rootfs_path} passwd
> > > > -"
> > > > -    fi
> > > > -fi
> > > > +exit 0
> > > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> > > > index a56e7ec..bfc2fc7 100644
> > > > --- a/templates/lxc-fedora.in
> > > > +++ b/templates/lxc-fedora.in
> > > > @@ -28,44 +28,13 @@
> > > >  
> > > >  #Configurations
> > > >  default_path=@LXCPATH@
> > > > +template_path=@LXCTEMPLATEDIR@
> > > >  
> > > > -# Some combinations of the tuning knobs below do not exactly make sense.
> > > > -# but that's ok.
> > > > -#
> > > > -# If the "root_password" is non-blank, use it, else set a default.
> > > > -# This can be passed to the script as an environment variable and is
> > > > -# set by a shell conditional assignment.  Looks weird but it is what it is.
> > > > -#
> > > > -# If the root password contains a ding ($) then try to expand it.
> > > > -# That will pick up things like ${name} and ${RANDOM}.
> > > > -# If the root password contians more than 3 consecutive X's, pass it as
> > > > -# a template to mktemp and take the result.
> > > > -#
> > > > -# If root_display_password = yes, display the temporary root password at exit.
> > > > -# If root_store_password = yes, store it in the configuration directory
> > > > -# If root_prompt_password = yes, invoke "passwd" to force the user to change
> > > > -# the root password after the container is created.
> > > > -# If root_expire_password = yes, you will be prompted to change the root
> > > > -# password at the first login.
> > > > -#
> > > > -# These are conditional assignments...  The can be overridden from the
> > > > -# preexisting environment variables...
> > > > -#
> > > > -# Make sure this is in single quotes to defer expansion to later!
> > > > -# :{root_password='Root-${name}-${RANDOM}'}
> > > > -: ${root_password='Root-${name}-XXXXXX'}
> > > > -
> > > > -# Now, it doesn't make much sense to display, store, and force change
> > > > -# together.  But, we gotta test, right???
> > > > -: ${root_display_password='no'}
> > > > -: ${root_store_password='yes'}
> > > > -# Prompting for something interactive has potential for mayhem
> > > > -# with users running under the API...  Don't default to "yes"
> > > > -: ${root_prompt_password='no'}
> > > > -
> > > > -# Expire root password? Default to yes, but can be overridden from
> > > > -# the environment variable
> > > > -: ${root_expire_password='yes'}
> > > > +# Load up some common functions
> > > > +if [ -f ${template_path}/functions ]
> > > > +then
> > > > +    . ${template_path}/functions
> > > > +fi
> > > >  
> > > >  # These are only going into comments in the resulting config...
> > > >  lxc_network_type=veth
> > > > @@ -134,31 +103,31 @@ configure_fedora()
> > > >  {
> > > >  
> > > >      # disable selinux in fedora
> > > > -    mkdir -p $rootfs_path/selinux
> > > > -    echo 0 > $rootfs_path/selinux/enforce
> > > > +    mkdir -p ${rootfs}/selinux
> > > > +    echo 0 > ${rootfs}/selinux/enforce
> > > >  
> > > >      # Also kill it in the /etc/selinux/config file if it's there...
> > > > -    if [[ -f $rootfs_path/etc/selinux/config ]]
> > > > +    if [[ -f ${rootfs}/etc/selinux/config ]]
> > > >      then
> > > > -        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
> > > > +        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' ${rootfs}/etc/selinux/config
> > > >      fi
> > > >  
> > > >      # Nice catch from Dwight Engen in the Oracle template.
> > > >      # Wantonly plagerized here with much appreciation.
> > > > -    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
> > > > -        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
> > > > -        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
> > > > +    if [ -f ${rootfs}/usr/sbin/selinuxenabled ]; then
> > > > +        mv ${rootfs}/usr/sbin/selinuxenabled ${rootfs}/usr/sbin/selinuxenabled.lxcorig
> > > > +        ln -s /bin/false ${rootfs}/usr/sbin/selinuxenabled
> > > >      fi
> > > >  
> > > >      # This is a known problem and documented in RedHat bugzilla as relating
> > > >      # to a problem with auditing enabled.  This prevents an error in
> > > >      # the container "Cannot make/remove an entry for the specified session"
> > > > -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> > > > -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> > > > +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/login
> > > > +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/sshd
> > > >  
> > > > -    if [ -f ${rootfs_path}/etc/pam.d/crond ]
> > > > +    if [ -f ${rootfs}/etc/pam.d/crond ]
> > > >      then
> > > > -        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> > > > +        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/crond
> > > >      fi
> > > >  
> > > >      # In addition to disabling pam_loginuid in the above config files
> > > > @@ -166,27 +135,27 @@ configure_fedora()
> > > >      # we missed or any that get installed after the container is built.
> > > >      #
> > > >      # Catch either or both 32 and 64 bit archs.
> > > > -    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> > > > +    if [ -f ${rootfs}/lib/security/pam_loginuid.so ]
> > > >      then
> > > > -        ( cd ${rootfs_path}/lib/security/
> > > > +        ( cd ${rootfs}/lib/security/
> > > >          mv pam_loginuid.so pam_loginuid.so.disabled
> > > >          ln -s pam_permit.so pam_loginuid.so
> > > >          )
> > > >      fi
> > > >  
> > > > -    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> > > > +    if [ -f ${rootfs}/lib64/security/pam_loginuid.so ]
> > > >      then
> > > > -        ( cd ${rootfs_path}/lib64/security/
> > > > +        ( cd ${rootfs}/lib64/security/
> > > >          mv pam_loginuid.so pam_loginuid.so.disabled
> > > >          ln -s pam_permit.so pam_loginuid.so
> > > >          )
> > > >      fi
> > > >  
> > > >      # Set default localtime to the host localtime if not set...
> > > > -    if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ]
> > > > +    if [ -e /etc/localtime -a ! -e ${rootfs}/etc/localtime ]
> > > >      then
> > > >          # if /etc/localtime is a symlink, this should preserve it.
> > > > -        cp -a /etc/localtime ${rootfs_path}/etc/localtime
> > > > +        cp -a /etc/localtime ${rootfs}/etc/localtime
> > > >      fi
> > > >  
> > > >      # Deal with some dain bramage in the /etc/init.d/halt script.
> > > > @@ -202,26 +171,26 @@ configure_fedora()
> > > >      #
> > > >      # This is mostly for legacy distros since any modern systemd Fedora
> > > >      # release will not have this script so we won't try to intercept it.
> > > > -    if [ -f ${rootfs_path}/etc/init.d/halt ]
> > > > +    if [ -f ${rootfs}/etc/init.d/halt ]
> > > >      then
> > > >          sed -e '/hwclock/,$d' \
> > > > -            < ${rootfs_path}/etc/init.d/halt \
> > > > -            > ${rootfs_path}/etc/init.d/lxc-halt
> > > > +            < ${rootfs}/etc/init.d/halt \
> > > > +            > ${rootfs}/etc/init.d/lxc-halt
> > > >  
> > > > -        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
> > > > -        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt
> > > > +        echo '$command -f' >> ${rootfs}/etc/init.d/lxc-halt
> > > > +        chmod 755 ${rootfs}/etc/init.d/lxc-halt
> > > >  
> > > >          # Link them into the rc directories...
> > > >          (
> > > > -             cd ${rootfs_path}/etc/rc.d/rc0.d
> > > > +             cd ${rootfs}/etc/rc.d/rc0.d
> > > >               ln -s ../init.d/lxc-halt S00lxc-halt
> > > > -             cd ${rootfs_path}/etc/rc.d/rc6.d
> > > > +             cd ${rootfs}/etc/rc.d/rc6.d
> > > >               ln -s ../init.d/lxc-halt S00lxc-reboot
> > > >          )
> > > >      fi
> > > >  
> > > >      # configure the network using the dhcp
> > > > -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> > > > +    cat <<EOF > ${rootfs}/etc/sysconfig/network-scripts/ifcfg-eth0
> > > >  DEVICE=eth0
> > > >  BOOTPROTO=dhcp
> > > >  ONBOOT=yes
> > > > @@ -232,18 +201,18 @@ MTU=${MTU}
> > > >  EOF
> > > >  
> > > >      # set the hostname
> > > > -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
> > > > +    cat <<EOF > ${rootfs}/etc/sysconfig/network
> > > >  NETWORKING=yes
> > > >  HOSTNAME=${utsname}
> > > >  EOF
> > > >  
> > > >      # set hostname on systemd Fedora systems
> > > >      if [ $release -gt 14 ]; then
> > > > -        echo "${utsname}" > ${rootfs_path}/etc/hostname
> > > > +        echo "${utsname}" > ${rootfs}/etc/hostname
> > > >      fi
> > > >  
> > > >      # set minimal hosts
> > > > -    cat <<EOF > $rootfs_path/etc/hosts
> > > > +    cat <<EOF > ${rootfs}/etc/hosts
> > > >  127.0.0.1 localhost.localdomain localhost $utsname
> > > >  ::1                 localhost6.localdomain6 localhost6
> > > >  EOF
> > > > @@ -251,7 +220,7 @@ EOF
> > > >      # These mknod's really don't make any sense with modern releases of
> > > >      # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
> > > >      # here for legacy reasons and older releases with upstart and sysv init.
> > > > -    dev_path="${rootfs_path}/dev"
> > > > +    dev_path="${rootfs}/dev"
> > > >      rm -rf $dev_path
> > > >      mkdir -p $dev_path
> > > >      mknod -m 666 ${dev_path}/null c 1 3
> > > > @@ -278,83 +247,63 @@ EOF
> > > >      # since lxc.devttydir is specified in the config.
> > > >  
> > > >      # allow root login on console, tty[1-4], and pts/0 for libvirt
> > > > -    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/console"  >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
> > > > -    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
> > > > -    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
> > > > -    echo "pts/0"        >>${rootfs_path}/etc/securetty
> > > > -
> > > > -    if [ ${root_display_password} = "yes" ]
> > > > -    then
> > > > -        echo "Setting root password to '$root_password'"
> > > > -    fi
> > > > -    if [ ${root_store_password} = "yes" ]
> > > > -    then
> > > > -        touch ${config_path}/tmp_root_pass
> > > > -        chmod 600 ${config_path}/tmp_root_pass
> > > > -        echo ${root_password} > ${config_path}/tmp_root_pass
> > > > -        echo "Storing root password in '${config_path}/tmp_root_pass'"
> > > > -    fi
> > > > -
> > > > -    echo "root:$root_password" | chroot $rootfs_path chpasswd
> > > > -
> > > > -    if [ ${root_expire_password} = "yes" ]
> > > > -    then
> > > > -        # Also set this password as expired to force the user to change it!
> > > > -        chroot $rootfs_path passwd -e root
> > > > -    fi
> > > > +    echo "# LXC (Linux Containers)" >>${rootfs}/etc/securetty
> > > > +    echo "lxc/console"  >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty1"     >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty2"     >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty3"     >>${rootfs}/etc/securetty
> > > > +    echo "lxc/tty4"     >>${rootfs}/etc/securetty
> > > > +    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs}/etc/securetty
> > > > +    echo "pts/0"        >>${rootfs}/etc/securetty
> > > >  
> > > >      # specifying this in the initial packages doesn't always work.
> > > >      # Even though it should have...
> > > >      echo "installing fedora-release package"
> > > > -    mount -o bind /dev ${rootfs_path}/dev
> > > > -    mount -t proc proc ${rootfs_path}/proc
> > > > +    mount -o bind /dev ${rootfs}/dev
> > > > +    mount -t proc proc ${rootfs}/proc
> > > >      # Always make sure /etc/resolv.conf is up to date in the target!
> > > > -    cp /etc/resolv.conf ${rootfs_path}/etc/
> > > > +    cp /etc/resolv.conf ${rootfs}/etc/
> > > >      # Rebuild the rpm database based on the target rpm version...
> > > > -    rm -f ${rootfs_path}/var/lib/rpm/__db*
> > > > -    chroot ${rootfs_path} rpm --rebuilddb
> > > > -    chroot ${rootfs_path} yum -y install fedora-release
> > > > +    rm -f ${rootfs}/var/lib/rpm/__db*
> > > > +    chroot ${rootfs} rpm --rebuilddb
> > > > +    chroot ${rootfs} yum -y install fedora-release
> > > >  
> > > > -    if [[ ! -e ${rootfs_path}/sbin/NetworkManager ]]
> > > > +    if [[ ! -e ${rootfs}/sbin/NetworkManager ]]
> > > >      then
> > > >          # NetworkManager has not been installed.  Use the
> > > >          # legacy chkconfig command to enable the network startup
> > > >          # scripts in the container.
> > > > -        chroot ${rootfs_path} chkconfig network on
> > > > +        chroot ${rootfs} chkconfig network on
> > > >      fi
> > > >  
> > > > -    umount ${rootfs_path}/proc
> > > > -    umount ${rootfs_path}/dev
> > > > +    umount ${rootfs}/proc
> > > > +    umount ${rootfs}/dev
> > > >  
> > > >      # silence some needless startup errors
> > > > -    touch ${rootfs_path}/etc/fstab
> > > > +    touch ${rootfs}/etc/fstab
> > > >  
> > > >      # give us a console on /dev/console
> > > >      sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
> > > > -        ${rootfs_path}/etc/sysconfig/init
> > > > +        ${rootfs}/etc/sysconfig/init
> > > >  
> > > >      return 0
> > > >  }
> > > >  
> > > >  configure_fedora_init()
> > > >  {
> > > > -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
> > > > -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
> > > > +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.sysinit
> > > > +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.d/rc.sysinit
> > > >      # don't mount devpts, for pete's sake
> > > > -    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
> > > > -    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
> > > > -    chroot ${rootfs_path} chkconfig udev-post off
> > > > -    chroot ${rootfs_path} chkconfig network on
> > > > +    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs}/etc/rc.sysinit
> > > > +    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs}/etc/rc.d/rc.sysinit
> > > > +    chroot ${rootfs} chkconfig udev-post off
> > > > +    chroot ${rootfs} chkconfig network on
> > > >  
> > > > -    if [ -d ${rootfs_path}/etc/init ]
> > > > +    if [ -d ${rootfs}/etc/init ]
> > > >      then
> > > >         # This is to make upstart honor SIGPWR.  Should do no harm
> > > >         # on systemd systems and some systems may have both.
> > > > -        cat <<EOF >${rootfs_path}/etc/init/power-status-changed.conf
> > > > +        cat <<EOF >${rootfs}/etc/init/power-status-changed.conf
> > > >  #  power-status-changed - shutdown on SIGPWR
> > > >  #
> > > >  start on power-status-changed
> > > > @@ -366,14 +315,14 @@ EOF
> > > >  
> > > >  configure_fedora_systemd()
> > > >  {
> > > > -    rm -f ${rootfs_path}/etc/systemd/system/default.target
> > > > -    touch ${rootfs_path}/etc/fstab
> > > > -    chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
> > > > -    chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> > > > +    rm -f ${rootfs}/etc/systemd/system/default.target
> > > > +    touch ${rootfs}/etc/fstab
> > > > +    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
> > > > +    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> > > >      # Make systemd honor SIGPWR
> > > > -    chroot ${rootfs_path} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
> > > > +    chroot ${rootfs} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
> > > >      #dependency on a device unit fails it specially that we disabled udev
> > > > -    # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
> > > > +    # sed -i 's/After=dev-%i.device/After=/' ${rootfs}/lib/systemd/system/getty\@.service
> > > >      #
> > > >      # Actually, the After=dev-%i.device line does not appear in the
> > > >      # Fedora 17 or Fedora 18 systemd getty\@.service file.  It may be left
> > > > @@ -385,11 +334,11 @@ configure_fedora_systemd()
> > > >  
> > > >      sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
> > > >          -e 's/After=dev-%i.device/After=/' \
> > > > -        < ${rootfs_path}/lib/systemd/system/getty\@.service \
> > > > -        > ${rootfs_path}/etc/systemd/system/getty\@.service
> > > > +        < ${rootfs}/lib/systemd/system/getty\@.service \
> > > > +        > ${rootfs}/etc/systemd/system/getty\@.service
> > > >      # Setup getty service on the 4 ttys we are going to allow in the
> > > >      # default config.  Number should match lxc.tty
> > > > -    ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
> > > > +    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
> > > >          for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty at tty${i}.service; done )
> > > >  }
> > > >  
> > > > @@ -970,11 +919,11 @@ copy_fedora()
> > > >  {
> > > >  
> > > >      # make a local copy of the minifedora
> > > > -    echo -n "Copying rootfs to $rootfs_path ..."
> > > > -    #cp -a $cache/rootfs-$basearch $rootfs_path || return 1
> > > > +    echo -n "Copying rootfs to ${rootfs} ..."
> > > > +    #cp -a $cache/rootfs-$basearch ${rootfs} || return 1
> > > >      # i prefer rsync (no reason really)
> > > > -    mkdir -p $rootfs_path
> > > > -    rsync -Ha $cache/rootfs/ $rootfs_path/
> > > > +    mkdir -p ${rootfs}
> > > > +    rsync -Ha $cache/rootfs/ ${rootfs}/
> > > >      echo
> > > >      return 0
> > > >  }
> > > > @@ -1017,7 +966,7 @@ install_fedora()
> > > >              fi
> > > >          fi
> > > >  
> > > > -        echo "Copy $cache/rootfs to $rootfs_path ... "
> > > > +        echo "Copy $cache/rootfs to ${rootfs} ... "
> > > >          copy_fedora
> > > >          if [ $? -ne 0 ]; then
> > > >              echo "Failed to copy rootfs"
> > > > @@ -1042,7 +991,7 @@ copy_configuration()
> > > >      mkdir -p $config_path
> > > >  
> > > >      grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
> > > > -lxc.rootfs = $rootfs_path
> > > > +lxc.rootfs = ${rootfs}
> > > >  " >> $config_path/config
> > > >  
> > > >      # The following code is to create static MAC addresses for each
> > > > @@ -1088,11 +1037,19 @@ lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
> > > >  lxc.arch = $arch
> > > >  lxc.utsname = $utsname
> > > >  
> > > > -lxc.autodev = $auto_dev
> > > > +EOF
> > > >  
> > > > -# When using LXC with apparmor, uncomment the next line to run unconfined:
> > > > -#lxc.aa_profile = unconfined
> > > > +    if [ "${auto_dev}" != "0" ]
> > > > +    then
> > > > +        # Keep systemd and journald happy...
> > > > +        echo "\
> > > > +lxc.autodev = 1
> > > > +lxc.kmsg = 0
> > > > +" >> $config_path/config
> > > > +    fi
> > > >  
> > > > +    # Throw on some commments...
> > > > +    cat <<EOF >> $config_path/config
> > > >  # example simple networking setup, uncomment to enable
> > > >  #lxc.network.type = $lxc_network_type
> > > >  #lxc.network.flags = up
> > > > @@ -1232,28 +1189,6 @@ fi
> > > >  
> > > >  cache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$basearch
> > > >  
> > > > -# Let's do something better for the initial root password.
> > > > -# It's not perfect but it will defeat common scanning brute force
> > > > -# attacks in the case where ssh is exposed.  It will also be set to
> > > > -# expired, forcing the user to change it at first login.
> > > > -if [ "${root_password}" = "" ]
> > > > -then
> > > > -    root_password=Root-${name}-${RANDOM}
> > > > -else
> > > > -    # If it's got a ding in it, try and expand it!
> > > > -    if [ $(expr "${root_password}" : '.*$.') != 0 ]
> > > > -    then
> > > > -        root_password=$(eval echo "${root_password}")
> > > > -    fi
> > > > -
> > > > -    # If it has more than 3 consequtive X's in it, feed it
> > > > -    # through mktemp as a template.
> > > > -    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
> > > > -    then
> > > > -        root_password=$(mktemp -u ${root_password})
> > > > -    fi
> > > > -fi
> > > > -
> > > >  if [ -z "${utsname}" ]; then
> > > >      utsname=${name}
> > > >  fi
> > > > @@ -1317,11 +1252,11 @@ if [ "$(id -u)" != "0" ]; then
> > > >  fi
> > > >  
> > > >  
> > > > -if [ -z "$rootfs_path" ]; then
> > > > -    rootfs_path=$path/rootfs
> > > > +if [ -z "${rootfs}" ]; then
> > > > +    rootfs=$path/rootfs
> > > >      # check for 'lxc.rootfs' passed in through default config by lxc-create
> > > >      if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
> > > > -        rootfs_path=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
> > > > +        rootfs=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
> > > >              -e 's/^lxc.rootfs\s*=\s*//' -e q $path/config)
> > > >      fi
> > > >  fi
> > > > @@ -1359,7 +1294,7 @@ if [ $? -ne 0 ]; then
> > > >  fi
> > > >  
> > > >  # If the systemd configuration directory exists - set it up for what we need.
> > > > -if [ -d ${rootfs_path}/etc/systemd/system ]
> > > > +if [ -d ${rootfs}/etc/systemd/system ]
> > > >  then
> > > >      configure_fedora_systemd
> > > >  fi
> > > > @@ -1367,7 +1302,7 @@ fi
> > > >  # This configuration (rc.sysinit) is not inconsistent with the systemd stuff
> > > >  # above and may actually coexist on some upgraded systems.  Let's just make
> > > >  # sure that, if it exists, we update this file, even if it's not used...
> > > > -if [ -f ${rootfs_path}/etc/rc.sysinit ]
> > > > +if [ -f ${rootfs}/etc/rc.sysinit ]
> > > >  then
> > > >      configure_fedora_init
> > > >  fi
> > > > @@ -1376,6 +1311,7 @@ if [ ! -z $clean ]; then
> > > >      clean || exit 1
> > > >      exit 0
> > > >  fi
> > > > +
> > > >  echo "
> > > >  Container rootfs and config have been created.
> > > >  Edit the config file to check/enable networking setup.
> > > > @@ -1398,40 +1334,30 @@ and may be removed.
> > > >  "
> > > >  fi
> > > >  
> > > > -if [ ${root_display_password} = "yes" ]
> > > > -then
> > > > -    echo "The temporary password for root is: '$root_password'
> > > > -
> > > > -You may want to note that password down before starting the container.
> > > > -"
> > > > -fi
> > > > -
> > > > -if [ ${root_store_password} = "yes" ]
> > > > -then
> > > > -    echo "The temporary root password is stored in:
> > > > -
> > > > -        '${config_path}/tmp_root_pass'
> > > > -"
> > > > -fi
> > > > -
> > > > -if [ ${root_prompt_password} = "yes" ]
> > > > -then
> > > > -    echo "Invoking the passwd command in the container to set the root password.
> > > > -
> > > > -        chroot ${rootfs_path} passwd
> > > > -"
> > > > -    chroot ${rootfs_path} passwd
> > > > -else
> > > > -    if [ ${root_expire_password} = "yes" ]
> > > > -    then
> > > > -        echo "
> > > > -The root password is set up as "expired" and will require it to be changed
> > > > -at first login, which you should do as soon as possible.  If you lose the
> > > > -root password or wish to change it without starting the container, you
> > > > -can change it from the host by running the following command (which will
> > > > -also reset the expired flag):
> > > > -
> > > > -        chroot ${rootfs_path} passwd
> > > > -"
> > > > -    fi
> > > > -fi
> > > > +# Set up the superuser user.
> > > > +# Several of the LXC_ variables are environment variables set up
> > > > +# in the "functions" file but can be overriden byt the calling environment
> > > > +# or by the template or ignored in calling this function.
> > > > +lxc_setup_user \
> > > > +    "${name}" \
> > > > +    "${rootfs}" \
> > > > +    "${config_path}" \
> > > > +    "${LXC_DEFAULT_USER}" \
> > > > +    "${LXC_PASSWORD}" \
> > > > +    "${LXC_DISPLAY_PASSWORD}" \
> > > > +    "${LXC_STORE_PASSWORD}" \
> > > > +    "${LXC_EXPIRE_PASSWORD}"
> > > > +
> > > > +# Add a "fedora" user using the same template and config.
> > > > +# This is congruent with several other templates...
> > > > +lxc_setup_user \
> > > > +    "${name}" \
> > > > +    "${rootfs}" \
> > > > +    "${config_path}" \
> > > > +    "fedora" \
> > > > +    "${LXC_PASSWORD}" \
> > > > +    "${LXC_DISPLAY_PASSWORD}" \
> > > > +    "${LXC_STORE_PASSWORD}" \
> > > > +    "${LXC_EXPIRE_PASSWORD}"
> > > > +
> > > > +exit 0
> > > > diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
> > > > index 4fdaece..fb47957 100644
> > > > --- a/templates/lxc-openmandriva.in
> > > > +++ b/templates/lxc-openmandriva.in
> > > > @@ -230,6 +230,7 @@ copy_configuration()
> > > >      cat <<EOF >> $config_path/config
> > > >  lxc.utsname = $name
> > > >  lxc.autodev = 1
> > > > +lxc.kmsg = 0
> > > >  lxc.tty = 4
> > > >  lxc.pts = 1024
> > > >  lxc.mount = $config_path/fstab
> > > > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> > > > index c4dce5d..cc43aa0 100644
> > > > --- a/templates/lxc-opensuse.in
> > > > +++ b/templates/lxc-opensuse.in
> > > > @@ -26,6 +26,16 @@
> > > >  # License along with this library; if not, write to the Free Software
> > > >  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> > > >  
> > > > +#Configurations
> > > > +default_path=@LXCPATH@
> > > > +template_path=@LXCTEMPLATEDIR@
> > > > +
> > > > +# Load up some common functions
> > > > +if [ -f ${template_path}/functions ]
> > > > +then
> > > > +    . ${template_path}/functions
> > > > +fi
> > > > +
> > > >  # Detect use under userns (unsupported)
> > > >  for arg in "$@"; do
> > > >      [ "$arg" = "--" ] && break
> > > > @@ -108,9 +118,6 @@ EOF
> > > >  
> > > >      touch $rootfs/etc/sysconfig/kernel
> > > >  
> > > > -    echo "Please change root-password !"
> > > > -    echo "root:root" | chpasswd -R $rootfs
> > > > -
> > > >      return 0
> > > >  }
> > > >  
> > > > @@ -265,7 +272,7 @@ copy_configuration()
> > > >      name=$3
> > > >  
> > > >      grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "
> > > > -lxc.rootfs = $rootfs_path
> > > > +lxc.rootfs = ${rootfs}
> > > >  " >> $path/config
> > > >  
> > > >      # The following code is to create static MAC addresses for each
> > > > @@ -313,10 +320,11 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
> > > >  lxc.arch = $arch
> > > >  lxc.utsname = $name
> > > >  
> > > > -lxc.mount = $path/fstab
> > > > +# Keep systemd and journald happy...
> > > > +lxc.autodev = 1
> > > > +lxc.kmsg = 0
> > > >  
> > > > -# When using LXC with apparmor, uncomment the next line to run unconfined:
> > > > -#lxc.aa_profile = unconfined
> > > > +lxc.mount = $path/fstab
> > > >  
> > > >  # example simple networking setup, uncomment to enable
> > > >  #lxc.network.type = $lxc_network_type
> > > > @@ -452,3 +460,31 @@ if [ ! -z $clean ]; then
> > > >      clean || exit 1
> > > >      exit 0
> > > >  fi
> > > > +
> > > > +# Set up the superuser user.
> > > > +# Several of the LXC_ variables are environment variables set up
> > > > +# in the "functions" file but can be overriden byt the calling environment
> > > > +# or by the template or ignored in calling this function.
> > > > +lxc_setup_user \
> > > > +    "${name}" \
> > > > +    "${rootfs}" \
> > > > +    "${config_path}" \
> > > > +    "${LXC_DEFAULT_USER}" \
> > > > +    "${LXC_PASSWORD}" \
> > > > +    "${LXC_DISPLAY_PASSWORD}" \
> > > > +    "${LXC_STORE_PASSWORD}" \
> > > > +    "${LXC_EXPIRE_PASSWORD}"
> > > > +
> > > > +# Add a "suse" user using the same template and config.
> > > > +# This is congruent with several other templates...
> > > > +lxc_setup_user \
> > > > +    "${name}" \
> > > > +    "${rootfs}" \
> > > > +    "${config_path}" \
> > > > +    "suse" \
> > > > +    "${LXC_PASSWORD}" \
> > > > +    "${LXC_DISPLAY_PASSWORD}" \
> > > > +    "${LXC_STORE_PASSWORD}" \
> > > > +    "${LXC_EXPIRE_PASSWORD}"
> > > > +
> > > > +exit 0
> > > > -- 
> > > > 1.9.3
> > > > 
> > > > 
> > > > 
> > > > Regards,
> > > > Mike
> > > > -- 
> > > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > > 
> > > 
> > > 
> > > 
> > > > _______________________________________________
> > > > lxc-devel mailing list
> > > > lxc-devel at lists.linuxcontainers.org
> > > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> > > 
> > > 
> > > _______________________________________________
> > > lxc-devel mailing list
> > > lxc-devel at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> > 
> 
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 



> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20141001/62fd867e/attachment-0001.sig>


More information about the lxc-devel mailing list