[lxc-devel] [PATCH] openwrt: add common configuration file

Petar Koretic petar.koretic at sartura.hr
Thu Oct 30 12:41:49 UTC 2014


This adds the OpenWrt common config file.

Signed-off-by: Petar Koretic <petar.koretic at sartura.hr>
CC: Luka Perkov <luka.perkov at sartura.hr>
---

OpenWrt templates are working using 'lxc-create -t download' command. We are
running that over our server on http://virtualwrt.org/containers/. There is
only support for x86, x86_64 and ar71xx as of now. We plan to add all other
architectures supported by OpenWrt in the future. The build scripts used to
generate images can be found here:

https://github.com/VirtualWrt/misc

Note that index files on virtualwrt.org/containers are not validated.

OpenWrt now supports containers, but due to platform specifics there are some limitations:

* 'tar --anchored' doesn't come with busybox's tar version; lxc is patched in
the OpenWrt packages feed to ignore this functionality.
* .xz extraction is very expensive on most OpenWrt supported devices; the -0 level
is used for rootfs compression to mitigate that to some extent.
* Privileged containers are not supported at the moment since the default user
is root on this platform.

I'm looking forward to your comments and suggestions to get OpenWrt images
hosted on official lxc servers.

 config/templates/Makefile.am            |  1 +
 config/templates/openwrt.common.conf.in | 56 +++++++++++++++++++++++++++++++++
 configure.ac                            |  1 +
 3 files changed, 58 insertions(+)
 create mode 100644 config/templates/openwrt.common.conf.in

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 82ca8be..fdbf9d2 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -28,4 +28,5 @@ templatesconfig_DATA = \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
 	ubuntu.userns.conf \
+	openwrt.common.conf \
 	userns.conf
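Review bot: the new `openwrt.common.conf` entry is inserted between `ubuntu.userns.conf` and `userns.conf`, which breaks the alphabetical ordering the rest of this `templatesconfig_DATA` list follows; move it above the `ubuntu.*` entries so the list stays sorted and future additions are easy to place.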
diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
new file mode 100644
index 0000000..05918f0
--- /dev/null
+++ b/config/templates/openwrt.common.conf.in
@@ -0,0 +1,56 @@
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+
+# Default console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = mac_admin
+lxc.cap.drop = mac_override
+lxc.cap.drop = sys_admin
+lxc.cap.drop = sys_module
+lxc.cap.drop = sys_nice
+lxc.cap.drop = sys_pacct
+lxc.cap.drop = sys_ptrace
+lxc.cap.drop = sys_rawio
+lxc.cap.drop = sys_resource
+lxc.cap.drop = sys_time
+lxc.cap.drop = sys_tty_config
+lxc.cap.drop = syslog
+lxc.cap.drop = wake_alarm
+
+# Default cgroups - all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## dev/tty0
+lxc.cgroup.devices.allow = c 4:0 rwm
+## dev/tty1
+lxc.cgroup.devices.allow = c 4:1 rwm
+
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
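Review bot: the seccomp profile path at the end of the file is hardcoded as `/usr/share/lxc/config/common.seccomp`, yet this is an `.in` file that configure processes (it is added to `AC_CONFIG_FILES` in the third hunk), so the absolute path should come from the configure substitution the sibling templates use (`@LXCTEMPLATECONFIG@/common.seccomp`) rather than assuming the default install prefix; otherwise a non-default `--prefix` leaves the container with no seccomp filter at all. The comment above that line also says the syscalls are "not safe in privileged containers", while the cover letter states only root-run containers are currently possible on this platform, so a short note on whether the profile is expected to be effective in that setup would help reviewers. Minor style points: the `## dev/tty0` and `## dev/tty1` comments are missing the leading `/` that the other device comments (`/dev/null`, `/dev/pts/*`) use.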
diff --git a/configure.ac b/configure.ac
index 5f9774b..1d9634e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -646,6 +646,7 @@ AC_CONFIG_FILES([
 	config/templates/ubuntu.common.conf
 	config/templates/ubuntu.lucid.conf
 	config/templates/ubuntu.userns.conf
+	config/templates/openwrt.common.conf
 	config/templates/userns.conf
 	config/yum/Makefile
 	config/sysconfig/Makefile
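Review bot: as in the `Makefile.am` hunk, `config/templates/openwrt.common.conf` is placed after `ubuntu.userns.conf` instead of in alphabetical position before the `ubuntu.*` entries; keep both lists sorted the same way so the `.in` template and its generated file are easy to cross-check.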
-- 
2.1.2