[lxc-devel] [PATCH] Various fixes for Fedora/CentOS/OpenSUSE templates and systemd.

Stéphane Graber stgraber at ubuntu.com
Fri Sep 19 21:15:49 UTC 2014


On Sun, Sep 14, 2014 at 08:57:58PM -0400, Michael H. Warfield wrote:
> Various fixes for Fedora/CentOS/OpenSUSE templates and systemd.
> 
> This patch integrates several fixes for several template issues
> and open bugzilla bugs at the Fedora project.
> 
> The lxc-centos template now supports CentOS 7 and correct configuration
> of systemd in CentOS.
> 
> The CentOS and Fedora template have been fixed for a rootfs bug that
> was a skew between the parsed parameter (rootfs) and the working variable
> (rootfs_path) by normalizing to "rootfs", congruent with several other
> templates.  This should fix the backing store problem.
> 
> The user password generation logic has been refactored out of the
> Fedora and CentOS templates into a new template/functions file.  This
> is the beginning of a security fix that has been reported as a bug in
> Fedora and Debian.  The functions support random password generation
> and/or disabled password on accounts.  Templates need to convert over
> and avoid static passwords like "root:root" or "ubuntu:ubuntu" in order
> to avoid this security issue.  Function supports multiple user setup.
> 
> The template/functions file includes a function for static MAC address
> generation (not yet used) and may contain other common functions we
> standardize on.

Can we stop including MAc address generation everywhere now that we have
the MAC address templating stuff done in C? :)

> Added "fedora" user to lxc-fedora template.
> 
> Added "centos" user to lxc-centos template.
> 
> Dropping "setfcap" has been moved to a comment for Fedora, CentOS,
> and SUSE due to it's interference with yum update in containers
> (yum fails to update several packages including httpd).
> 
> Added "sudo" to the package list for CentOS and Fedora.
> 
> Set the apparmor profile for CentOS, Fedora, and SUSE containers to
> "unconfined", until someone comes up with something better, in order
> to have containers run out of the box on apparmor hosts.  Commented
> code in the individual templates has been moved to explicit settings
> in the common config files.

From a security point of view, I much prefer things to fail badly than
be able to wreak havoc on my system, so I'd prefer we don't do that.

Instead, let's land the rest of your systemd fixes and then I can spend
a few minutes figure out exactly what's failing when running on current
Ubuntu and come up with a proper profile for it which still prevents
most of the usual issues (proc, sys, ...).

> Addressed systemd-journald runaway CPU issue by setting lxc.kmsg = 0
> in affected template (including Mandriva) and establishing a run time
> default to autoswitch lxc.kmsg depending on the state of lxc.autodev
> (systemd case).  lxc.kmsg will be set to 0 in the case of lxc.autodev = 1
> and set to 1 in the case of lxc.autodev = 0, unless overridden in
> the config file.

I think if our long term goal is to switch to autodev by default (and I
believe that was the long term plan), then making that kind of
assumption seems wrong to me.

What I think we should do instead is introduce a
systemd.common.conf file setting the usual things for systemd systems
(autodev and kmsg as a start) and then have the various templates
include that config when building a container which uses systemd.

> 
> Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>

Nack for now. I however don't see a problem acking this if you resubmit without
the MAC address generation function, without the aa_profile part and
without the autodev == kmsg=0 part.

Thanks!

> ---
>  config/templates/centos.common.conf.in   |   8 +-
>  config/templates/fedora.common.conf.in   |   8 +-
>  config/templates/opensuse.common.conf.in |   7 +-
>  configure.ac                             |   1 +
>  src/lxc/conf.c                           |  23 +-
>  templates/Makefile.am                    |   1 +
>  templates/functions.in                   | 208 +++++++++++++++++
>  templates/lxc-centos.in                  | 387 ++++++++++++++++---------------
>  templates/lxc-fedora.in                  | 318 ++++++++++---------------
>  templates/lxc-openmandriva.in            |   1 +
>  templates/lxc-opensuse.in                |  50 +++-
>  11 files changed, 612 insertions(+), 400 deletions(-)
>  create mode 100644 templates/functions.in
> 
> diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
> index 4ce2fda..7f39ddf 100644
> --- a/config/templates/centos.common.conf.in
> +++ b/config/templates/centos.common.conf.in
> @@ -20,4 +20,10 @@ lxc.mount.auto = proc:mixed sys:ro
>  # lxc.cap.drop = setuid           # breaks sshd,nfs statd
>  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>  # lxc.cap.drop = audit_write
> -lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
> +# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
> +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> +
> +# This lets LXC CentOS containers run on hosts with apparmor.
> +# It does nothing on hosts which do not have apparmor enabled.
> +lxc.aa_profile = unconfined
> +
> diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
> index acebe3c..7794945 100644
> --- a/config/templates/fedora.common.conf.in
> +++ b/config/templates/fedora.common.conf.in
> @@ -18,4 +18,10 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>  # lxc.cap.drop = audit_write
>  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
> -lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
> +# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
> +lxc.cap.drop = sys_nice sys_pacct sys_rawio
> +
> +# This lets LXC Fedora containers run on hosts with apparmor.
> +# It does nothing on hosts which do not have apparmor enabled.
> +lxc.aa_profile = unconfined
> +
> diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
> index 4026975..813d296 100644
> --- a/config/templates/opensuse.common.conf.in
> +++ b/config/templates/opensuse.common.conf.in
> @@ -21,5 +21,10 @@ lxc.autodev = 1
>  # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>  # lxc.cap.drop = audit_write
>  # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
> -# lxc.cap.drop = setfcap
> +# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
>  lxc.cap.drop = sys_nice sys_pacct sys_rawio
> +
> +# This lets LXC SUSE containers run on hosts with apparmor.
> +# It does nothing on hosts which do not have apparmor enabled.
> +lxc.aa_profile = unconfined
> +
> diff --git a/configure.ac b/configure.ac
> index 5d5f974..c1a575b 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -731,6 +731,7 @@ AC_CONFIG_FILES([
>  	hooks/Makefile
>  
>  	templates/Makefile
> +	templates/functions
>  	templates/lxc-alpine
>  	templates/lxc-altlinux
>  	templates/lxc-archlinux
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 5e61c35..7e1e564 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -2862,7 +2862,8 @@ struct lxc_conf *lxc_conf_init(void)
>  		free(new);
>  		return NULL;
>  	}
> -	new->kmsg = 1;
> +	/* Unless this is overriden, decide this based on autodev */
> +	new->kmsg = -1;
>  	lxc_list_init(&new->cgroup);
>  	lxc_list_init(&new->network);
>  	lxc_list_init(&new->mount_list);
> @@ -4159,6 +4160,26 @@ int lxc_setup(struct lxc_handler *handler)
>  			ERROR("failed to mount /dev in the container");
>  			return -1;
>  		}
> +		if (lxc_conf->kmsg < 0) {
> +			/*
> +			 * Autodev is generally used for systemd.  If systemd
> +			 * is running then journald is likely to be running.  If
> +			 * journald is running we should NOT symlink /dev/kmsg!
> +			 * If we do set the symlink, a logging loop is created
> +			 * and journald eats CPU time for lunch!
> +			 */
> +			lxc_conf->kmsg = 0;
> +
> +			/*
> +			 * Note: This can be overridden by those who know what
> +			 *	they are doing and why by explicitly setting
> +			 *	lxc.autodev in the container config and setting
> +			 *	lxc.kmsg to what ever they like.  Then it's a
> +			 *	self-inflicted injury.
> +			 */
> +		}
> +	} else if (lxc_conf->kmsg < 0) {
> +			lxc_conf->kmsg = 1;
>  	}
>  
>  	/* do automatic mounts (mainly /proc and /sys), but exclude
> diff --git a/templates/Makefile.am b/templates/Makefile.am
> index ac870a1..4f05069 100644
> --- a/templates/Makefile.am
> +++ b/templates/Makefile.am
> @@ -1,6 +1,7 @@
>  templatesdir=@LXCTEMPLATEDIR@
>  
>  templates_SCRIPTS = \
> +	functions \
>  	lxc-alpine \
>  	lxc-altlinux \
>  	lxc-archlinux \
> diff --git a/templates/functions.in b/templates/functions.in
> new file mode 100644
> index 0000000..ee80120
> --- /dev/null
> +++ b/templates/functions.in
> @@ -0,0 +1,208 @@
> +#!/bin/sh -
> +
> +# templates/functions
> +
> +# Misc functions for template support.
> +
> +# Authors:
> +# Michael H. Warfield <mhw at WittsEnd.com>
> +
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +# Lesser General Public License for more details.
> +
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +
> +###
> +# User creation and password support.
> +###
> +
> +# Some combinations of the tuning knobs below do not exactly make sense.
> +# but that's ok.
> +#
> +# If the "root_password" is non-blank, use it, else set a default.
> +# This can be passed to the script as an environment variable and is
> +# set by a shell conditional assignment.  Looks weird but it is what it is.
> +#
> +# If the root password contains a ding ($) then try to expand it.
> +# That will pick up things like ${name} and ${RANDOM}.
> +# If the root password contians more than 3 consecutive X's, pass it as
> +# a template to mktemp and take the result.
> +#
> +# If root_display_password = yes, display the temporary root password at exit.
> +# If root_store_password = yes, store it in the configuration directory
> +# If root_prompt_password = yes, invoke "passwd" to force the user to change
> +# the root password after the container is created.
> +# If root_expire_password = yes, you will be prompted to change the root
> +# password at the first login.
> +#
> +# These are conditional assignments...  The can be overridden from the
> +# preexisting environment variables in the calling template or from
> +# the user environment...
> +#
> +# Default user...
> +: ${LXC_DEFAULT_USER='root'}
> +# Make sure this is in single quotes to defer expansion to later!
> +# :{root_password='Root-${name}-${RANDOM}'}
> +: ${LXC_PASSWORD='Root-${name}-XXXXXX'}
> +
> +# Now, it doesn't make much sense to display, store, and force change
> +# together.  But, we gotta test, right???
> +: ${LXC_DISPLAY_PASSWORD='no'}
> +: ${LXC_STORE_PASSWORD='yes'}
> +
> +# Expire root password? Default to yes, but can be overridden from
> +# the environment variable
> +: ${LXC_EXPIRE_PASSWORD='yes'}
> +
> +
> +# Then above environment variables are for convention and for
> +# convenience of use by the calling template.  They may be
> +# overriden by the environment, calling line parameters, or the
> +# whim of the template writer.  They can be ignored entirely.
> +# The values used in setting up a user are the values passed in
> +# calling lxc_setup_user().
> +
> +# lxc_setup_user username password/hash display store expire
> +#
> +#   Set the user password, creating the user if necessary...
> +#
> +
> +lxc_setup_user() {
> +    local CONTAINER_NAME="${1}"
> +    local ROOTFS="${2}"
> +    local CONFIG_PATH="${3}"
> +    local USER="${4}"
> +    local PASSWD="${5}"
> +    local DISPLAY="${6}"
> +    local STORE="${7}"
> +    local EXPIRE="${8}"
> +
> +    # The required groups in this list should alraedy be created.
> +    # Groups that don't exist will not be created and will be ignored.
> +    # Might be worth making that a tunable parameter as well.  Maybe...
> +    local groups="sudo admin wheel"
> +
> +    # See if the user exists.  For root, this should not be a question.
> +    # for non-root defaults (like ubuntu) we may need to create the user.
> +    PWENT=$(chroot ${ROOTFS} getent passwd ${USER})
> +
> +    if [ "$?" != 0 ]
> +    then
> +        chroot ${ROOTFS} useradd ${USER}
> +        for group in $groups; do
> +            # We do this individually so that, if a group doesn't exist,
> +            # all the groups that do exist have the user added.
> +            chroot ${ROOTFS} usermod -a -G ${group} ${USER} >/dev/null 2>&1 || true
> +        done
> +    fi
> +
> +    if [ ${PASSWD} = "PROMPT" ]
> +    then
> +        echo "Invoking the passwd command in the container to set the ${USER} password.
> +
> +        chroot ${ROOTFS} passwd ${USER}
> +"
> +        chroot ${ROOTFS} passwd ${USER}
> +    elif [ $(expr "${PASSWD}" : '$$') != 0 -o \
> +           $(expr "${PASSWD}" : '*$') != 0 -o \
> +           $(expr "${PASSWD}" : '!!$') != 0 ]
> +    then
> +        # Matches one of 3 common "disabled" conventions so treat them
> +        # as if they were "hashed" passwords to be copied literally
> +        # by chpasswd.  Result is an account with no valid password.
> +        if [ ${DISPLAY} = "yes" ]
> +        then
> +            echo "Disabling ${USER} password"
> +        fi
> +        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd -e
> +    elif [ $(expr "${PASSWD}" : '$[0-9][0-9]*$.') != 0 ]
> +    then
> +        # Matches on a $[0-9]$ hash indicator for a real password hash.
> +        if [ ${DISPLAY} = "yes" ]
> +        then
> +            echo "Setting ${USER} password hash to ${PASSWORD}"
> +        fi
> +        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd -e
> +    else
> +        # Anything else, assume a clear text password template...
> +
> +        # Let's do something better for the initial user password.
> +        # It's not perfect but it will defeat common scanning brute force
> +        # attacks in the case where ssh is exposed.  It may also be set to
> +        # expired, forcing the user to change it at first login.
> +        if [ "${PASSWD}" = "" ]
> +        then
> +            PASSWD=${USER}-${CONTAINER_NAME}-${RANDOM}
> +        fi
> +
> +        # If it's got a ding in it, try and expand it!
> +        # In theory, this could also access and external program.
> +        if [ $(expr "${PASSWD}" : '.*$.') != 0 ]
> +        then
> +            PASSWD=$(eval echo "${PASSWD}")
> +        fi
> +
> +        # If it has more than 3 consequtive X's in it, feed it
> +        # through mktemp as a template.
> +        if [ $(expr "${PASSWD}" : '.*XXXX') != 0 ]
> +        then
> +            PASSWD=$(mktemp -u ${PASSWD})
> +        fi
> +        if [ ${STORE} = "yes" ]
> +        then
> +            touch ${config_path}/tmp_pass
> +            chmod 600 ${config_path}/tmp_pass
> +            # Append the user and password to the file.
> +            # We might be ultimately adding more than one.
> +            echo ${USER}:${PASSWD} >> ${config_path}/tmp_pass
> +
> +            echo "The temporary password for ${USER} is stored in:
> +
> +        '${config_path}/tmp_pass'
> +"
> +        fi
> +
> +        if [ ${DISPLAY} = "yes" ]
> +        then
> +            echo "Setting ${USER} password to '$PASSWORD'"
> +        fi
> +        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd
> +    fi
> +
> +    if [ ${EXPIRE} = "yes" ]
> +    then
> +        # Also set this password as expired to force the user to change it!
> +        chroot ${ROOTFS} passwd -e ${USER}
> +        echo "
> +The password for ${USER} is set up as "expired" and will require it to be changed
> +at first login, which you should do as soon as possible.  If you lose the
> +${USER} password or wish to change it without starting the container, you
> +can change it from the host by running the following command (which will
> +also reset the expired flag):
> +
> +    chroot ${ROOTFS} passwd
> +"
> +    fi
> +}
> +
> +
> +###
> +# HW Mac address generation support.
> +###
> +
> +# Generate a random hardware (MAC) address composed of FE followed by
> +# 5 random bytes...
> +lxc_create_hwaddr()
> +{
> +    openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/'
> +}
> +
> diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> index 1586a90..3f9ef4d 100644
> --- a/templates/lxc-centos.in
> +++ b/templates/lxc-centos.in
> @@ -1,7 +1,7 @@
>  #!/bin/bash
>  
>  #
> -# template script for generating centos container for LXC
> +# template script for generating a CentOS container for LXC
>  
>  #
>  # lxc: linux Container library
> @@ -28,44 +28,13 @@
>  
>  #Configurations
>  default_path=@LXCPATH@
> +template_path=@LXCTEMPLATEDIR@
>  
> -# Some combinations of the tuning knobs below do not exactly make sense.
> -# but that's ok.
> -#
> -# If the "root_password" is non-blank, use it, else set a default.
> -# This can be passed to the script as an environment variable and is
> -# set by a shell conditional assignment.  Looks weird but it is what it is.
> -#
> -# If the root password contains a ding ($) then try to expand it.
> -# That will pick up things like ${name} and ${RANDOM}.
> -# If the root password contians more than 3 consecutive X's, pass it as
> -# a template to mktemp and take the result.
> -#
> -# If root_display_password = yes, display the temporary root password at exit.
> -# If root_store_password = yes, store it in the configuration directory
> -# If root_prompt_password = yes, invoke "passwd" to force the user to change
> -# the root password after the container is created.
> -# If root_expire_password = yes, you will be prompted to change the root
> -# password at the first login.
> -#
> -# These are conditional assignments...  The can be overridden from the
> -# preexisting environment variables...
> -#
> -# Make sure this is in single quotes to defer expansion to later!
> -# :{root_password='Root-${name}-${RANDOM}'}
> -: ${root_password='Root-${name}-XXXXXX'}
> -
> -# Now, it doesn't make much sense to display, store, and force change
> -# together.  But, we gotta test, right???
> -: ${root_display_password='no'}
> -: ${root_store_password='yes'}
> -# Prompting for something interactive has potential for mayhem
> -# with users running under the API...  Don't default to "yes"
> -: ${root_prompt_password='no'}
> -
> -# Expire root password? Default to yes, but can be overridden from
> -# the environment variable
> -: ${root_expire_password='yes'}
> +# Load up some common functions
> +if [ -f ${template_path}/functions ]
> +then
> +    . ${template_path}/functions
> +fi
>  
>  # These are only going into comments in the resulting config...
>  lxc_network_type=veth
> @@ -161,31 +130,31 @@ configure_centos()
>  {
>  
>      # disable selinux in centos
> -    mkdir -p $rootfs_path/selinux
> -    echo 0 > $rootfs_path/selinux/enforce
> +    mkdir -p ${rootfs}/selinux
> +    echo 0 > ${rootfs}/selinux/enforce
>  
>      # Also kill it in the /etc/selinux/config file if it's there...
> -    if [ -f $rootfs_path/etc/selinux/config ]
> +    if [ -f ${rootfs}/etc/selinux/config ]
>      then
> -        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
> +        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' ${rootfs}/etc/selinux/config
>      fi
>  
>      # Nice catch from Dwight Engen in the Oracle template.
>      # Wantonly plagerized here with much appreciation.
> -    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
> -        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
> -        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
> +    if [ -f ${rootfs}/usr/sbin/selinuxenabled ]; then
> +        mv ${rootfs}/usr/sbin/selinuxenabled ${rootfs}/usr/sbin/selinuxenabled.lxcorig
> +        ln -s /bin/false ${rootfs}/usr/sbin/selinuxenabled
>      fi
>  
>      # This is a known problem and documented in RedHat bugzilla as relating
>      # to a problem with auditing enabled.  This prevents an error in
>      # the container "Cannot make/remove an entry for the specified session"
> -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/login
> +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/sshd
>  
> -    if [ -f ${rootfs_path}/etc/pam.d/crond ]
> +    if [ -f ${rootfs}/etc/pam.d/crond ]
>      then
> -        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> +        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/crond
>      fi
>  
>      # In addition to disabling pam_loginuid in the above config files
> @@ -193,27 +162,27 @@ configure_centos()
>      # we missed or any that get installed after the container is built.
>      #
>      # Catch either or both 32 and 64 bit archs.
> -    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> +    if [ -f ${rootfs}/lib/security/pam_loginuid.so ]
>      then
> -        ( cd ${rootfs_path}/lib/security/
> +        ( cd ${rootfs}/lib/security/
>          mv pam_loginuid.so pam_loginuid.so.disabled
>          ln -s pam_permit.so pam_loginuid.so
>          )
>      fi
>  
> -    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> +    if [ -f ${rootfs}/lib64/security/pam_loginuid.so ]
>      then
> -        ( cd ${rootfs_path}/lib64/security/
> +        ( cd ${rootfs}/lib64/security/
>          mv pam_loginuid.so pam_loginuid.so.disabled
>          ln -s pam_permit.so pam_loginuid.so
>          )
>      fi
>  
>      # Set default localtime to the host localtime if not set...
> -    if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ]
> +    if [ -e /etc/localtime -a ! -e ${rootfs}/etc/localtime ]
>      then
>          # if /etc/localtime is a symlink, this should preserve it.
> -        cp -a /etc/localtime ${rootfs_path}/etc/localtime
> +        cp -a /etc/localtime ${rootfs}/etc/localtime
>      fi
>  
>      # Deal with some dain bramage in the /etc/init.d/halt script.
> @@ -226,26 +195,26 @@ configure_centos()
>      # So we just eliminate the whole bottom half of that script in making
>      # ourselves a copy.  That way a major update to the init scripts won't
>      # trash what we've set up.
> -    if [ -f ${rootfs_path}/etc/init.d/halt ]
> +    if [ -f ${rootfs}/etc/init.d/halt ]
>      then
>          sed -e '/hwclock/,$d' \
> -            < ${rootfs_path}/etc/init.d/halt \
> -            > ${rootfs_path}/etc/init.d/lxc-halt
> +            < ${rootfs}/etc/init.d/halt \
> +            > ${rootfs}/etc/init.d/lxc-halt
>  
> -        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
> -        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt
> +        echo '$command -f' >> ${rootfs}/etc/init.d/lxc-halt
> +        chmod 755 ${rootfs}/etc/init.d/lxc-halt
>  
>          # Link them into the rc directories...
>          (
> -             cd ${rootfs_path}/etc/rc.d/rc0.d
> +             cd ${rootfs}/etc/rc.d/rc0.d
>               ln -s ../init.d/lxc-halt S00lxc-halt
> -             cd ${rootfs_path}/etc/rc.d/rc6.d
> +             cd ${rootfs}/etc/rc.d/rc6.d
>               ln -s ../init.d/lxc-halt S00lxc-reboot
>          )
>      fi
>  
>      # configure the network using the dhcp
> -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> +    cat <<EOF > ${rootfs}/etc/sysconfig/network-scripts/ifcfg-eth0
>  DEVICE=eth0
>  BOOTPROTO=dhcp
>  ONBOOT=yes
> @@ -257,25 +226,30 @@ DHCP_HOSTNAME=$name
>  EOF
>  
>      # set the hostname
> -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
> +    cat <<EOF > ${rootfs}/etc/sysconfig/network
>  NETWORKING=yes
>  HOSTNAME=${UTSNAME}
>  EOF
>  
> +    # set hostname on systemd systems
> +    if [ $release -gt 6 ]; then
> +        echo "${utsname}" > ${rootfs}/etc/hostname
> +    fi
> +
>      # set minimal hosts
> -    cat <<EOF > $rootfs_path/etc/hosts
> +    cat <<EOF > ${rootfs}/etc/hosts
>  127.0.0.1 localhost $name
>  EOF
>  
>      # set minimal fstab
> -    cat <<EOF > $rootfs_path/etc/fstab
> +    cat <<EOF > ${rootfs}/etc/fstab
>  /dev/root               /                       rootfs   defaults        0 0
>  none                    /dev/shm                tmpfs    nosuid,nodev    0 0
>  EOF
>  
>      # create lxc compatibility init script
>      if [ "$release" = "6" ]; then
> -        cat <<EOF > $rootfs_path/etc/init/lxc-sysinit.conf
> +        cat <<EOF > ${rootfs}/etc/init/lxc-sysinit.conf
>  start on startup
>  env container
>  
> @@ -291,23 +265,23 @@ pre-start script
>  end script
>  EOF
>      elif [ "$release" = "5" ]; then
> -        cat <<EOF > $rootfs_path/etc/rc.d/lxc.sysinit
> +        cat <<EOF > ${rootfs}/etc/rc.d/lxc.sysinit
>  #! /bin/bash
>  rm -f /etc/mtab /var/run/*.{pid,lock} /var/lock/subsys/*
>  rm -rf {/,/var}/tmp/*
>  echo "/dev/root               /                       rootfs   defaults        0 0" > /etc/mtab
>  exit 0
>  EOF
> -        chmod 755 $rootfs_path/etc/rc.d/lxc.sysinit
> -        sed -i 's|si::sysinit:/etc/rc.d/rc.sysinit|si::bootwait:/etc/rc.d/lxc.sysinit|'  $rootfs_path/etc/inittab
> +        chmod 755 ${rootfs}/etc/rc.d/lxc.sysinit
> +        sed -i 's|si::sysinit:/etc/rc.d/rc.sysinit|si::bootwait:/etc/rc.d/lxc.sysinit|'  ${rootfs}/etc/inittab
>          # prevent mingetty from calling vhangup(2) since it fails with userns.
>          # Same issue as oracle template: prevent mingetty from calling vhangup(2)
>          # commit 2e83f7201c5d402478b9849f0a85c62d5b9f1589.
> -        sed -i 's|^1:|co:2345:respawn:/sbin/mingetty --nohangup console\n1:|' $rootfs_path/etc/inittab
> -        sed -i 's|^\([56]:\)|#\1|' $rootfs_path/etc/inittab
> +        sed -i 's|^1:|co:2345:respawn:/sbin/mingetty --nohangup console\n1:|' ${rootfs}/etc/inittab
> +        sed -i 's|^\([56]:\)|#\1|' ${rootfs}/etc/inittab
>      fi
>  
> -    dev_path="${rootfs_path}/dev"
> +    dev_path="${rootfs}/dev"
>      rm -rf $dev_path
>      mkdir -p $dev_path
>      mknod -m 666 ${dev_path}/null c 1 3
> @@ -334,59 +308,39 @@ EOF
>      # since lxc.devttydir is specified in the config.
>  
>      # allow root login on console, tty[1-4], and pts/0 for libvirt
> -    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
> -    echo "lxc/console"  >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
> -    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
> -    echo "pts/0"        >>${rootfs_path}/etc/securetty
> +    echo "# LXC (Linux Containers)" >>${rootfs}/etc/securetty
> +    echo "lxc/console"  >>${rootfs}/etc/securetty
> +    echo "lxc/tty1"     >>${rootfs}/etc/securetty
> +    echo "lxc/tty2"     >>${rootfs}/etc/securetty
> +    echo "lxc/tty3"     >>${rootfs}/etc/securetty
> +    echo "lxc/tty4"     >>${rootfs}/etc/securetty
> +    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs}/etc/securetty
> +    echo "pts/0"        >>${rootfs}/etc/securetty
>  
>      # prevent mingetty from calling vhangup(2) since it fails with userns.
>      # Same issue as oracle template: prevent mingetty from calling vhangup(2)
>      # commit 2e83f7201c5d402478b9849f0a85c62d5b9f1589.
> -    sed -i 's|mingetty|mingetty --nohangup|' $container_rootfs/etc/init/tty.conf
> -
> -    if [ ${root_display_password} = "yes" ]
> -    then
> -        echo "Setting root password to '$root_password'"
> -    fi
> -    if [ ${root_store_password} = "yes" ]
> +    if [ -f ${rootfs}/etc/init/tty.conf ]
>      then
> -        touch ${config_path}/tmp_root_pass
> -        chmod 600 ${config_path}/tmp_root_pass
> -        echo ${root_password} > ${config_path}/tmp_root_pass
> -        echo "Storing root password in '${config_path}/tmp_root_pass'"
> +        sed -i 's|mingetty|mingetty --nohangup|' ${rootfs}/etc/init/tty.conf
>      fi
>  
> -    echo "root:$root_password" | chroot $rootfs_path chpasswd
> -
> -    if [ ${root_expire_password} = "yes" ]
> -    then
> -        # Also set this password as expired to force the user to change it!
> -        chroot $rootfs_path passwd -e root
> -    fi
> -
> -    # This will need to be enhanced for CentOS 7 when systemd
> -    # comes into play...   /\/\|=mhw=|\/\/
> -
>      return 0
>  }
>  
>  configure_centos_init()
>  {
> -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
> -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
> +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.sysinit
> +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.d/rc.sysinit
>      if [ "$release" = "6" ]; then
> -        chroot ${rootfs_path} chkconfig udev-post off
> +        chroot ${rootfs} chkconfig udev-post off
>      fi
> -    chroot ${rootfs_path} chkconfig network on
> +    chroot ${rootfs} chkconfig network on
>  
> -    if [ -d ${rootfs_path}/etc/init ]
> +    if [ -d ${rootfs}/etc/init ]
>      then
>         # This is to make upstart honor SIGPWR
> -        cat <<EOF >${rootfs_path}/etc/init/power-status-changed.conf
> +        cat <<EOF >${rootfs}/etc/init/power-status-changed.conf
>  #  power-status-changed - shutdown on SIGPWR
>  #
>  start on power-status-changed
> @@ -396,6 +350,35 @@ EOF
>      fi
>  }
>  
> +configure_centos_systemd()
> +{
> +    rm -f ${rootfs}/etc/systemd/system/default.target
> +    touch ${rootfs}/etc/fstab
> +    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
> +    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> +    # Make systemd honor SIGPWR
> +    chroot ${rootfs} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
> +    #dependency on a device unit fails it specially that we disabled udev
> +    # sed -i 's/After=dev-%i.device/After=/' ${rootfs}/lib/systemd/system/getty\@.service
> +    #
> +    # Actually, the After=dev-%i.device line does not appear in the
> +    # Fedora 17 or Fedora 18 systemd getty\@.service file.  It may be left
> +    # over from an earlier version and it's not doing any harm.  We do need
> +    # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
> +    # started on the ttys in the container.  Lets do it in an override copy of
> +    # the service so it can still pass rpm verifies and not be automatically
> +    # updated by a new systemd version.  --  mhw  /\/\|=mhw=|\/\/
> +
> +    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
> +        -e 's/After=dev-%i.device/After=/' \
> +        < ${rootfs}/lib/systemd/system/getty\@.service \
> +        > ${rootfs}/etc/systemd/system/getty\@.service
> +    # Setup getty service on the 4 ttys we are going to allow in the
> +    # default config.  Number should match lxc.tty
> +    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
> +        for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty at tty${i}.service; done )
> +}
> +
>  download_centos()
>  {
>  
> @@ -410,19 +393,19 @@ download_centos()
>      # download a mini centos into a cache
>      echo "Downloading centos minimal ..."
>      YUM="yum --installroot $INSTALL_ROOT -y --nogpgcheck"
> -    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils"
> +    PKG_LIST="yum initscripts passwd rsyslog vim-minimal sudo openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils"
>  
>      # use temporary repository definition
>      REPO_FILE=$INSTALL_ROOT/etc/yum.repos.d/lxc-centos-temp.repo
>      mkdir -p $(dirname $REPO_FILE)
>      if [ -n "$repo" ]; then
> -	cat <<EOF > $REPO_FILE
> +        cat <<EOF > $REPO_FILE
>  [base]
>  name=local repository
>  baseurl="$repo"
>  EOF
>  else
> -	cat <<EOF > $REPO_FILE
> +        cat <<EOF > $REPO_FILE
>  [base]
>  name=CentOS-$release - Base
>  mirrorlist=http://mirrorlist.centos.org/?release=$release&arch=$basearch&repo=os
> @@ -434,20 +417,23 @@ EOF
>      fi
>  
>      # create minimal device nodes, needed for "yum install" and "yum update" process
> -    mkdir -p $INSTALL_ROOT/dev
> -    force_mknod 666 $INSTALL_ROOT/dev/null c 1 3
> -    force_mknod 666 $INSTALL_ROOT/dev/urandom c 1 9
> +    mkdir -p $INSTALL_ROOT/dev $INSTALL_ROOT/proc
> +
> +    # CentOS7 needs these, even if they are overkill for 5&6.
> +    mount -o bind /dev ${INSTALL_ROOT}/dev
> +    mount -t proc proc ${INSTALL_ROOT}/proc
> +    # Always make sure /etc/resolv.conf is up to date in the target!
> +    cp /etc/resolv.conf ${INSTALL_ROOT}/etc/
>  
>      $YUM install $PKG_LIST
>  
>      if [ $? -ne 0 ]; then
>          echo "Failed to download the rootfs, aborting."
> +        umount ${INSTALL_ROOT}/proc
> +        umount ${INSTALL_ROOT}/dev
>          return 1
>      fi
>  
> -    # use same nameservers as hosts, needed for "yum update later"
> -    cp /etc/resolv.conf $INSTALL_ROOT/etc/
> -
>      # check whether rpmdb is under $HOME
>      if [ ! -e $INSTALL_ROOT/var/lib/rpm/Packages -a -e $INSTALL_ROOT/$HOME/.rpmdb/Packages ]; then
>          echo "Fixing rpmdb location ..."
> @@ -469,17 +455,26 @@ EOF
>          mv $INSTALL_ROOT/etc/yum.repos.d/*.repo $INSTALL_ROOT/etc/yum.repos.disabled/
>          mv $REPO_FILE.tmp $REPO_FILE
>          mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/etc
> -        cp /etc/resolv.conf $INSTALL_ROOT/$INSTALL_ROOT/etc/
>          mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/dev
> -        mknod -m 666 $INSTALL_ROOT/$INSTALL_ROOT/dev/null c 1 3
> -        mknod -m 666 $INSTALL_ROOT/$INSTALL_ROOT/dev/urandom c 1 9
> +        mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/proc
> +        # CentOS7 needs these, even if they are overkill for 5&6.
> +        mount -o bind /dev ${INSTALL_ROOT}/${INSTALL_ROOT}/dev
> +        mount -t proc proc ${INSTALL_ROOT}/${INSTALL_ROOT}/proc
> +        # Always make sure /etc/resolv.conf is up to date in the target!
> +        cp /etc/resolv.conf $INSTALL_ROOT/$INSTALL_ROOT/etc/
>          mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/var/cache/yum
>          cp -al $INSTALL_ROOT/var/cache/yum/* $INSTALL_ROOT/$INSTALL_ROOT/var/cache/yum/
>          chroot $INSTALL_ROOT $YUM install $PKG_LIST
>          if [ $? -ne 0 ]; then
>              echo "Failed to download the rootfs, aborting."
> +            umount ${INSTALL_ROOT}/${INSTALL_ROOT}/proc
> +            umount ${INSTALL_ROOT}/${INSTALL_ROOT}/dev
> +            umount ${INSTALL_ROOT}/proc
> +            umount ${INSTALL_ROOT}/dev
>              return 1
>          fi
> +        umount ${INSTALL_ROOT}/proc
> +        umount ${INSTALL_ROOT}/dev
>          mv $INSTALL_ROOT/$INSTALL_ROOT $INSTALL_ROOT.tmp
>          rm -rf $INSTALL_ROOT
>          mv $INSTALL_ROOT.tmp $INSTALL_ROOT
> @@ -488,6 +483,9 @@ EOF
>      rm -f $REPO_FILE
>      rm -rf $INSTALL_ROOT/var/cache/yum/*
>  
> +    umount ${INSTALL_ROOT}/proc
> +    umount ${INSTALL_ROOT}/dev
> +
>      mv "$INSTALL_ROOT" "$cache/rootfs"
>      echo "Download complete."
>  
> @@ -498,11 +496,11 @@ copy_centos()
>  {
>  
>      # make a local copy of the mini centos
> -    echo -n "Copying rootfs to $rootfs_path ..."
> -    #cp -a $cache/rootfs-$arch $rootfs_path || return 1
> +    echo -n "Copying rootfs to ${rootfs} ..."
> +    #cp -a $cache/rootfs-$arch ${rootfs} || return 1
>      # i prefer rsync (no reason really)
> -    mkdir -p $rootfs_path
> -    rsync -a $cache/rootfs/ $rootfs_path/
> +    mkdir -p ${rootfs}
> +    rsync -a $cache/rootfs/ ${rootfs}/
>      echo
>      return 0
>  }
> @@ -510,11 +508,24 @@ copy_centos()
>  update_centos()
>  {
>      YUM="chroot $cache/rootfs yum -y --nogpgcheck"
> +
> +    # CentOS7 needs these, even if they are overkill for 5&6.
> +    mount -o bind /dev ${cache}/rootfs/dev
> +    mount -t proc proc ${cache}/rootfs/proc
> +    # Always make sure /etc/resolv.conf is up to date in the target!
> +    cp /etc/resolv.conf ${cache}/rootfs/etc/
> +
>      $YUM update
>      if [ $? -ne 0 ]; then
> +        umount ${cache}/rootfs/dev
> +        umount ${cache}/rootfs/proc
>          return 1
>      fi
>      $YUM clean packages
> +
> +    echo
> +    umount ${cache}/rootfs/dev
> +    umount ${cache}/rootfs/proc
>  }
>  
>  install_centos()
> @@ -544,7 +555,7 @@ install_centos()
>          fi
>      fi
>  
> -    echo "Copy $cache/rootfs to $rootfs_path ... "
> +    echo "Copy $cache/rootfs to ${rootfs} ... "
>      copy_centos
>      if [ $? -ne 0 ]; then
>          echo "Failed to copy rootfs"
> @@ -568,7 +579,7 @@ copy_configuration()
>      mkdir -p $config_path
>  
>      grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
> -lxc.rootfs = $rootfs_path
> +lxc.rootfs = ${rootfs}
>  " >> $config_path/config
>  
>      # The following code is to create static MAC addresses for each
> @@ -612,11 +623,19 @@ lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
>  lxc.arch = $arch
>  lxc.utsname = $utsname
>  
> -lxc.autodev = $auto_dev
> +EOF
>  
> -# When using LXC with apparmor, uncomment the next line to run unconfined:
> -#lxc.aa_profile = unconfined
> +    if [ "${auto_dev}" != "0" ]
> +    then
> +        # Keep systemd and journald happy...
> +        echo "\
> +lxc.autodev = 1
> +lxc.kmsg = 0
> +" >> $config_path/config
> +    fi
>  
> +    # Throw on some commments...
> +    cat <<EOF >> $config_path/config
>  # example simple networking setup, uncomment to enable
>  #lxc.network.type = $lxc_network_type
>  #lxc.network.flags = up
> @@ -699,7 +718,7 @@ do
>          -n|--name)      name=$2; shift 2;;
>          -c|--clean)     clean=$2; shift 2;;
>          -R|--release)   release=$2; shift 2;;
> -	--repo)		repo="$2"; shift 2;;
> +        --repo)         repo="$2"; shift 2;;
>          -a|--arch)      newarch=$2; shift 2;;
>          --fqdn)         utsname=$2; shift 2;;
>          --)             shift 1; break ;;
> @@ -757,28 +776,6 @@ fi
>  
>  cache_base=@LOCALSTATEDIR@/cache/lxc/centos/$basearch
>  
> -# Let's do something better for the initial root password.
> -# It's not perfect but it will defeat common scanning brute force
> -# attacks in the case where ssh is exposed.  It will also be set to
> -# expired, forcing the user to change it at first login.
> -if [ "${root_password}" = "" ]
> -then
> -    root_password=Root-${name}-${RANDOM}
> -else
> -    # If it's got a ding in it, try and expand it!
> -    if [ $(expr "${root_password}" : '.*$.') != 0 ]
> -    then
> -        root_password=$(eval echo "${root_password}")
> -    fi
> -
> -    # If it has more than 3 consequtive X's in it, feed it
> -    # through mktemp as a template.
> -    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
> -    then
> -        root_password=$(mktemp -u ${root_password})
> -    fi
> -fi
> -
>  if [ -z "${utsname}" ]; then
>      utsname=${name}
>  fi
> @@ -844,14 +841,15 @@ if [ "$(id -u)" != "0" ]; then
>  fi
>  
>  
> -if [ -z "$rootfs_path" ]; then
> -    rootfs_path=$path/rootfs
> +if [ -z "${rootfs}" ]; then
> +    rootfs=$path/rootfs
>      # check for 'lxc.rootfs' passed in through default config by lxc-create
>      if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
> -        rootfs_path=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
> +        rootfs=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
>              -e 's/^lxc.rootfs\s*=\s*//' -e q $path/config)
>      fi
>  fi
> +
>  config_path=$path
>  cache=$cache_base/$release
>  
> @@ -885,51 +883,54 @@ if [ $? -ne 0 ]; then
>      exit 1
>  fi
>  
> -configure_centos_init
> +# If the systemd configuration directory exists - set it up for what we need.
> +if [ -d ${rootfs}/etc/systemd/system ]
> +then
> +    configure_centos_systemd
> +fi
> +
> +# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
> +# above and may actually coexist on some upgraded systems.  Let's just make
> +# sure that, if it exists, we update this file, even if it's not used...
> +if [ -f ${rootfs}/etc/rc.sysinit ]
> +then
> +    configure_centos_init
> +fi
>  
>  if [ ! -z $clean ]; then
>      clean || exit 1
>      exit 0
>  fi
> +
>  echo "
>  Container rootfs and config have been created.
>  Edit the config file to check/enable networking setup.
>  "
>  
> -if [ ${root_display_password} = "yes" ]
> -then
> -    echo "The temporary password for root is: '$root_password'
> +# Set up the superuser user.
> +# Several of the LXC_ variables are environment variables set up
> +# in the "functions" file but can be overriden byt the calling environment
> +# or by the template or ignored in calling this function.
> +lxc_setup_user \
> +    "${name}" \
> +    "${rootfs}" \
> +    "${config_path}" \
> +    "${LXC_DEFAULT_USER}" \
> +    "${LXC_PASSWORD}" \
> +    "${LXC_DISPLAY_PASSWORD}" \
> +    "${LXC_STORE_PASSWORD}" \
> +    "${LXC_EXPIRE_PASSWORD}"
> +
> +# Add a "centos" user using the same template and config.
> +# This is congruent with several other templates...
> +lxc_setup_user \
> +    "${name}" \
> +    "${rootfs}" \
> +    "${config_path}" \
> +    "centos" \
> +    "${LXC_PASSWORD}" \
> +    "${LXC_DISPLAY_PASSWORD}" \
> +    "${LXC_STORE_PASSWORD}" \
> +    "${LXC_EXPIRE_PASSWORD}"
>  
> -You may want to note that password down before starting the container.
> -"
> -fi
> -
> -if [ ${root_store_password} = "yes" ]
> -then
> -    echo "The temporary root password is stored in:
> -
> -        '${config_path}/tmp_root_pass'
> -"
> -fi
> -
> -if [ ${root_prompt_password} = "yes" ]
> -then
> -    echo "Invoking the passwd command in the container to set the root password.
> -
> -        chroot ${rootfs_path} passwd
> -"
> -    chroot ${rootfs_path} passwd
> -else
> -    if [ ${root_expire_password} = "yes" ]
> -    then
> -        echo "
> -The root password is set up as "expired" and will require it to be changed
> -at first login, which you should do as soon as possible.  If you lose the
> -root password or wish to change it without starting the container, you
> -can change it from the host by running the following command (which will
> -also reset the expired flag):
> -
> -        chroot ${rootfs_path} passwd
> -"
> -    fi
> -fi
> +exit 0
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index a56e7ec..bfc2fc7 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -28,44 +28,13 @@
>  
>  #Configurations
>  default_path=@LXCPATH@
> +template_path=@LXCTEMPLATEDIR@
>  
> -# Some combinations of the tuning knobs below do not exactly make sense.
> -# but that's ok.
> -#
> -# If the "root_password" is non-blank, use it, else set a default.
> -# This can be passed to the script as an environment variable and is
> -# set by a shell conditional assignment.  Looks weird but it is what it is.
> -#
> -# If the root password contains a ding ($) then try to expand it.
> -# That will pick up things like ${name} and ${RANDOM}.
> -# If the root password contians more than 3 consecutive X's, pass it as
> -# a template to mktemp and take the result.
> -#
> -# If root_display_password = yes, display the temporary root password at exit.
> -# If root_store_password = yes, store it in the configuration directory
> -# If root_prompt_password = yes, invoke "passwd" to force the user to change
> -# the root password after the container is created.
> -# If root_expire_password = yes, you will be prompted to change the root
> -# password at the first login.
> -#
> -# These are conditional assignments...  The can be overridden from the
> -# preexisting environment variables...
> -#
> -# Make sure this is in single quotes to defer expansion to later!
> -# :{root_password='Root-${name}-${RANDOM}'}
> -: ${root_password='Root-${name}-XXXXXX'}
> -
> -# Now, it doesn't make much sense to display, store, and force change
> -# together.  But, we gotta test, right???
> -: ${root_display_password='no'}
> -: ${root_store_password='yes'}
> -# Prompting for something interactive has potential for mayhem
> -# with users running under the API...  Don't default to "yes"
> -: ${root_prompt_password='no'}
> -
> -# Expire root password? Default to yes, but can be overridden from
> -# the environment variable
> -: ${root_expire_password='yes'}
> +# Load up some common functions
> +if [ -f ${template_path}/functions ]
> +then
> +    . ${template_path}/functions
> +fi
>  
>  # These are only going into comments in the resulting config...
>  lxc_network_type=veth
> @@ -134,31 +103,31 @@ configure_fedora()
>  {
>  
>      # disable selinux in fedora
> -    mkdir -p $rootfs_path/selinux
> -    echo 0 > $rootfs_path/selinux/enforce
> +    mkdir -p ${rootfs}/selinux
> +    echo 0 > ${rootfs}/selinux/enforce
>  
>      # Also kill it in the /etc/selinux/config file if it's there...
> -    if [[ -f $rootfs_path/etc/selinux/config ]]
> +    if [[ -f ${rootfs}/etc/selinux/config ]]
>      then
> -        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
> +        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' ${rootfs}/etc/selinux/config
>      fi
>  
>      # Nice catch from Dwight Engen in the Oracle template.
>      # Wantonly plagerized here with much appreciation.
> -    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
> -        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
> -        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
> +    if [ -f ${rootfs}/usr/sbin/selinuxenabled ]; then
> +        mv ${rootfs}/usr/sbin/selinuxenabled ${rootfs}/usr/sbin/selinuxenabled.lxcorig
> +        ln -s /bin/false ${rootfs}/usr/sbin/selinuxenabled
>      fi
>  
>      # This is a known problem and documented in RedHat bugzilla as relating
>      # to a problem with auditing enabled.  This prevents an error in
>      # the container "Cannot make/remove an entry for the specified session"
> -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> -    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/login
> +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/sshd
>  
> -    if [ -f ${rootfs_path}/etc/pam.d/crond ]
> +    if [ -f ${rootfs}/etc/pam.d/crond ]
>      then
> -        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> +        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/crond
>      fi
>  
>      # In addition to disabling pam_loginuid in the above config files
> @@ -166,27 +135,27 @@ configure_fedora()
>      # we missed or any that get installed after the container is built.
>      #
>      # Catch either or both 32 and 64 bit archs.
> -    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> +    if [ -f ${rootfs}/lib/security/pam_loginuid.so ]
>      then
> -        ( cd ${rootfs_path}/lib/security/
> +        ( cd ${rootfs}/lib/security/
>          mv pam_loginuid.so pam_loginuid.so.disabled
>          ln -s pam_permit.so pam_loginuid.so
>          )
>      fi
>  
> -    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> +    if [ -f ${rootfs}/lib64/security/pam_loginuid.so ]
>      then
> -        ( cd ${rootfs_path}/lib64/security/
> +        ( cd ${rootfs}/lib64/security/
>          mv pam_loginuid.so pam_loginuid.so.disabled
>          ln -s pam_permit.so pam_loginuid.so
>          )
>      fi
>  
>      # Set default localtime to the host localtime if not set...
> -    if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ]
> +    if [ -e /etc/localtime -a ! -e ${rootfs}/etc/localtime ]
>      then
>          # if /etc/localtime is a symlink, this should preserve it.
> -        cp -a /etc/localtime ${rootfs_path}/etc/localtime
> +        cp -a /etc/localtime ${rootfs}/etc/localtime
>      fi
>  
>      # Deal with some dain bramage in the /etc/init.d/halt script.
> @@ -202,26 +171,26 @@ configure_fedora()
>      #
>      # This is mostly for legacy distros since any modern systemd Fedora
>      # release will not have this script so we won't try to intercept it.
> -    if [ -f ${rootfs_path}/etc/init.d/halt ]
> +    if [ -f ${rootfs}/etc/init.d/halt ]
>      then
>          sed -e '/hwclock/,$d' \
> -            < ${rootfs_path}/etc/init.d/halt \
> -            > ${rootfs_path}/etc/init.d/lxc-halt
> +            < ${rootfs}/etc/init.d/halt \
> +            > ${rootfs}/etc/init.d/lxc-halt
>  
> -        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
> -        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt
> +        echo '$command -f' >> ${rootfs}/etc/init.d/lxc-halt
> +        chmod 755 ${rootfs}/etc/init.d/lxc-halt
>  
>          # Link them into the rc directories...
>          (
> -             cd ${rootfs_path}/etc/rc.d/rc0.d
> +             cd ${rootfs}/etc/rc.d/rc0.d
>               ln -s ../init.d/lxc-halt S00lxc-halt
> -             cd ${rootfs_path}/etc/rc.d/rc6.d
> +             cd ${rootfs}/etc/rc.d/rc6.d
>               ln -s ../init.d/lxc-halt S00lxc-reboot
>          )
>      fi
>  
>      # configure the network using the dhcp
> -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> +    cat <<EOF > ${rootfs}/etc/sysconfig/network-scripts/ifcfg-eth0
>  DEVICE=eth0
>  BOOTPROTO=dhcp
>  ONBOOT=yes
> @@ -232,18 +201,18 @@ MTU=${MTU}
>  EOF
>  
>      # set the hostname
> -    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
> +    cat <<EOF > ${rootfs}/etc/sysconfig/network
>  NETWORKING=yes
>  HOSTNAME=${utsname}
>  EOF
>  
>      # set hostname on systemd Fedora systems
>      if [ $release -gt 14 ]; then
> -        echo "${utsname}" > ${rootfs_path}/etc/hostname
> +        echo "${utsname}" > ${rootfs}/etc/hostname
>      fi
>  
>      # set minimal hosts
> -    cat <<EOF > $rootfs_path/etc/hosts
> +    cat <<EOF > ${rootfs}/etc/hosts
>  127.0.0.1 localhost.localdomain localhost $utsname
>  ::1                 localhost6.localdomain6 localhost6
>  EOF
> @@ -251,7 +220,7 @@ EOF
>      # These mknod's really don't make any sense with modern releases of
>      # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
>      # here for legacy reasons and older releases with upstart and sysv init.
> -    dev_path="${rootfs_path}/dev"
> +    dev_path="${rootfs}/dev"
>      rm -rf $dev_path
>      mkdir -p $dev_path
>      mknod -m 666 ${dev_path}/null c 1 3
> @@ -278,83 +247,63 @@ EOF
>      # since lxc.devttydir is specified in the config.
>  
>      # allow root login on console, tty[1-4], and pts/0 for libvirt
> -    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
> -    echo "lxc/console"  >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
> -    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
> -    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
> -    echo "pts/0"        >>${rootfs_path}/etc/securetty
> -
> -    if [ ${root_display_password} = "yes" ]
> -    then
> -        echo "Setting root password to '$root_password'"
> -    fi
> -    if [ ${root_store_password} = "yes" ]
> -    then
> -        touch ${config_path}/tmp_root_pass
> -        chmod 600 ${config_path}/tmp_root_pass
> -        echo ${root_password} > ${config_path}/tmp_root_pass
> -        echo "Storing root password in '${config_path}/tmp_root_pass'"
> -    fi
> -
> -    echo "root:$root_password" | chroot $rootfs_path chpasswd
> -
> -    if [ ${root_expire_password} = "yes" ]
> -    then
> -        # Also set this password as expired to force the user to change it!
> -        chroot $rootfs_path passwd -e root
> -    fi
> +    echo "# LXC (Linux Containers)" >>${rootfs}/etc/securetty
> +    echo "lxc/console"  >>${rootfs}/etc/securetty
> +    echo "lxc/tty1"     >>${rootfs}/etc/securetty
> +    echo "lxc/tty2"     >>${rootfs}/etc/securetty
> +    echo "lxc/tty3"     >>${rootfs}/etc/securetty
> +    echo "lxc/tty4"     >>${rootfs}/etc/securetty
> +    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs}/etc/securetty
> +    echo "pts/0"        >>${rootfs}/etc/securetty
>  
>      # specifying this in the initial packages doesn't always work.
>      # Even though it should have...
>      echo "installing fedora-release package"
> -    mount -o bind /dev ${rootfs_path}/dev
> -    mount -t proc proc ${rootfs_path}/proc
> +    mount -o bind /dev ${rootfs}/dev
> +    mount -t proc proc ${rootfs}/proc
>      # Always make sure /etc/resolv.conf is up to date in the target!
> -    cp /etc/resolv.conf ${rootfs_path}/etc/
> +    cp /etc/resolv.conf ${rootfs}/etc/
>      # Rebuild the rpm database based on the target rpm version...
> -    rm -f ${rootfs_path}/var/lib/rpm/__db*
> -    chroot ${rootfs_path} rpm --rebuilddb
> -    chroot ${rootfs_path} yum -y install fedora-release
> +    rm -f ${rootfs}/var/lib/rpm/__db*
> +    chroot ${rootfs} rpm --rebuilddb
> +    chroot ${rootfs} yum -y install fedora-release
>  
> -    if [[ ! -e ${rootfs_path}/sbin/NetworkManager ]]
> +    if [[ ! -e ${rootfs}/sbin/NetworkManager ]]
>      then
>          # NetworkManager has not been installed.  Use the
>          # legacy chkconfig command to enable the network startup
>          # scripts in the container.
> -        chroot ${rootfs_path} chkconfig network on
> +        chroot ${rootfs} chkconfig network on
>      fi
>  
> -    umount ${rootfs_path}/proc
> -    umount ${rootfs_path}/dev
> +    umount ${rootfs}/proc
> +    umount ${rootfs}/dev
>  
>      # silence some needless startup errors
> -    touch ${rootfs_path}/etc/fstab
> +    touch ${rootfs}/etc/fstab
>  
>      # give us a console on /dev/console
>      sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
> -        ${rootfs_path}/etc/sysconfig/init
> +        ${rootfs}/etc/sysconfig/init
>  
>      return 0
>  }
>  
>  configure_fedora_init()
>  {
> -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
> -    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
> +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.sysinit
> +    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.d/rc.sysinit
>      # don't mount devpts, for pete's sake
> -    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
> -    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
> -    chroot ${rootfs_path} chkconfig udev-post off
> -    chroot ${rootfs_path} chkconfig network on
> +    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs}/etc/rc.sysinit
> +    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs}/etc/rc.d/rc.sysinit
> +    chroot ${rootfs} chkconfig udev-post off
> +    chroot ${rootfs} chkconfig network on
>  
> -    if [ -d ${rootfs_path}/etc/init ]
> +    if [ -d ${rootfs}/etc/init ]
>      then
>         # This is to make upstart honor SIGPWR.  Should do no harm
>         # on systemd systems and some systems may have both.
> -        cat <<EOF >${rootfs_path}/etc/init/power-status-changed.conf
> +        cat <<EOF >${rootfs}/etc/init/power-status-changed.conf
>  #  power-status-changed - shutdown on SIGPWR
>  #
>  start on power-status-changed
> @@ -366,14 +315,14 @@ EOF
>  
>  configure_fedora_systemd()
>  {
> -    rm -f ${rootfs_path}/etc/systemd/system/default.target
> -    touch ${rootfs_path}/etc/fstab
> -    chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
> -    chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> +    rm -f ${rootfs}/etc/systemd/system/default.target
> +    touch ${rootfs}/etc/fstab
> +    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
> +    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
>      # Make systemd honor SIGPWR
> -    chroot ${rootfs_path} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
> +    chroot ${rootfs} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
>      #dependency on a device unit fails it specially that we disabled udev
> -    # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
> +    # sed -i 's/After=dev-%i.device/After=/' ${rootfs}/lib/systemd/system/getty\@.service
>      #
>      # Actually, the After=dev-%i.device line does not appear in the
>      # Fedora 17 or Fedora 18 systemd getty\@.service file.  It may be left
> @@ -385,11 +334,11 @@ configure_fedora_systemd()
>  
>      sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
>          -e 's/After=dev-%i.device/After=/' \
> -        < ${rootfs_path}/lib/systemd/system/getty\@.service \
> -        > ${rootfs_path}/etc/systemd/system/getty\@.service
> +        < ${rootfs}/lib/systemd/system/getty\@.service \
> +        > ${rootfs}/etc/systemd/system/getty\@.service
>      # Setup getty service on the 4 ttys we are going to allow in the
>      # default config.  Number should match lxc.tty
> -    ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
> +    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
>          for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty at tty${i}.service; done )
>  }
>  
> @@ -970,11 +919,11 @@ copy_fedora()
>  {
>  
>      # make a local copy of the minifedora
> -    echo -n "Copying rootfs to $rootfs_path ..."
> -    #cp -a $cache/rootfs-$basearch $rootfs_path || return 1
> +    echo -n "Copying rootfs to ${rootfs} ..."
> +    #cp -a $cache/rootfs-$basearch ${rootfs} || return 1
>      # i prefer rsync (no reason really)
> -    mkdir -p $rootfs_path
> -    rsync -Ha $cache/rootfs/ $rootfs_path/
> +    mkdir -p ${rootfs}
> +    rsync -Ha $cache/rootfs/ ${rootfs}/
>      echo
>      return 0
>  }
> @@ -1017,7 +966,7 @@ install_fedora()
>              fi
>          fi
>  
> -        echo "Copy $cache/rootfs to $rootfs_path ... "
> +        echo "Copy $cache/rootfs to ${rootfs} ... "
>          copy_fedora
>          if [ $? -ne 0 ]; then
>              echo "Failed to copy rootfs"
> @@ -1042,7 +991,7 @@ copy_configuration()
>      mkdir -p $config_path
>  
>      grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
> -lxc.rootfs = $rootfs_path
> +lxc.rootfs = ${rootfs}
>  " >> $config_path/config
>  
>      # The following code is to create static MAC addresses for each
> @@ -1088,11 +1037,19 @@ lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
>  lxc.arch = $arch
>  lxc.utsname = $utsname
>  
> -lxc.autodev = $auto_dev
> +EOF
>  
> -# When using LXC with apparmor, uncomment the next line to run unconfined:
> -#lxc.aa_profile = unconfined
> +    if [ "${auto_dev}" != "0" ]
> +    then
> +        # Keep systemd and journald happy...
> +        echo "\
> +lxc.autodev = 1
> +lxc.kmsg = 0
> +" >> $config_path/config
> +    fi
>  
> +    # Throw on some commments...
> +    cat <<EOF >> $config_path/config
>  # example simple networking setup, uncomment to enable
>  #lxc.network.type = $lxc_network_type
>  #lxc.network.flags = up
> @@ -1232,28 +1189,6 @@ fi
>  
>  cache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$basearch
>  
> -# Let's do something better for the initial root password.
> -# It's not perfect but it will defeat common scanning brute force
> -# attacks in the case where ssh is exposed.  It will also be set to
> -# expired, forcing the user to change it at first login.
> -if [ "${root_password}" = "" ]
> -then
> -    root_password=Root-${name}-${RANDOM}
> -else
> -    # If it's got a ding in it, try and expand it!
> -    if [ $(expr "${root_password}" : '.*$.') != 0 ]
> -    then
> -        root_password=$(eval echo "${root_password}")
> -    fi
> -
> -    # If it has more than 3 consequtive X's in it, feed it
> -    # through mktemp as a template.
> -    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
> -    then
> -        root_password=$(mktemp -u ${root_password})
> -    fi
> -fi
> -
>  if [ -z "${utsname}" ]; then
>      utsname=${name}
>  fi
> @@ -1317,11 +1252,11 @@ if [ "$(id -u)" != "0" ]; then
>  fi
>  
>  
> -if [ -z "$rootfs_path" ]; then
> -    rootfs_path=$path/rootfs
> +if [ -z "${rootfs}" ]; then
> +    rootfs=$path/rootfs
>      # check for 'lxc.rootfs' passed in through default config by lxc-create
>      if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
> -        rootfs_path=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
> +        rootfs=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
>              -e 's/^lxc.rootfs\s*=\s*//' -e q $path/config)
>      fi
>  fi
> @@ -1359,7 +1294,7 @@ if [ $? -ne 0 ]; then
>  fi
>  
>  # If the systemd configuration directory exists - set it up for what we need.
> -if [ -d ${rootfs_path}/etc/systemd/system ]
> +if [ -d ${rootfs}/etc/systemd/system ]
>  then
>      configure_fedora_systemd
>  fi
> @@ -1367,7 +1302,7 @@ fi
>  # This configuration (rc.sysinit) is not inconsistent with the systemd stuff
>  # above and may actually coexist on some upgraded systems.  Let's just make
>  # sure that, if it exists, we update this file, even if it's not used...
> -if [ -f ${rootfs_path}/etc/rc.sysinit ]
> +if [ -f ${rootfs}/etc/rc.sysinit ]
>  then
>      configure_fedora_init
>  fi
> @@ -1376,6 +1311,7 @@ if [ ! -z $clean ]; then
>      clean || exit 1
>      exit 0
>  fi
> +
>  echo "
>  Container rootfs and config have been created.
>  Edit the config file to check/enable networking setup.
> @@ -1398,40 +1334,30 @@ and may be removed.
>  "
>  fi
>  
> -if [ ${root_display_password} = "yes" ]
> -then
> -    echo "The temporary password for root is: '$root_password'
> -
> -You may want to note that password down before starting the container.
> -"
> -fi
> -
> -if [ ${root_store_password} = "yes" ]
> -then
> -    echo "The temporary root password is stored in:
> -
> -        '${config_path}/tmp_root_pass'
> -"
> -fi
> -
> -if [ ${root_prompt_password} = "yes" ]
> -then
> -    echo "Invoking the passwd command in the container to set the root password.
> -
> -        chroot ${rootfs_path} passwd
> -"
> -    chroot ${rootfs_path} passwd
> -else
> -    if [ ${root_expire_password} = "yes" ]
> -    then
> -        echo "
> -The root password is set up as "expired" and will require it to be changed
> -at first login, which you should do as soon as possible.  If you lose the
> -root password or wish to change it without starting the container, you
> -can change it from the host by running the following command (which will
> -also reset the expired flag):
> -
> -        chroot ${rootfs_path} passwd
> -"
> -    fi
> -fi
> +# Set up the superuser user.
> +# Several of the LXC_ variables are environment variables set up
> +# in the "functions" file but can be overriden byt the calling environment
> +# or by the template or ignored in calling this function.
> +lxc_setup_user \
> +    "${name}" \
> +    "${rootfs}" \
> +    "${config_path}" \
> +    "${LXC_DEFAULT_USER}" \
> +    "${LXC_PASSWORD}" \
> +    "${LXC_DISPLAY_PASSWORD}" \
> +    "${LXC_STORE_PASSWORD}" \
> +    "${LXC_EXPIRE_PASSWORD}"
> +
> +# Add a "fedora" user using the same template and config.
> +# This is congruent with several other templates...
> +lxc_setup_user \
> +    "${name}" \
> +    "${rootfs}" \
> +    "${config_path}" \
> +    "fedora" \
> +    "${LXC_PASSWORD}" \
> +    "${LXC_DISPLAY_PASSWORD}" \
> +    "${LXC_STORE_PASSWORD}" \
> +    "${LXC_EXPIRE_PASSWORD}"
> +
> +exit 0
> diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
> index 4fdaece..fb47957 100644
> --- a/templates/lxc-openmandriva.in
> +++ b/templates/lxc-openmandriva.in
> @@ -230,6 +230,7 @@ copy_configuration()
>      cat <<EOF >> $config_path/config
>  lxc.utsname = $name
>  lxc.autodev = 1
> +lxc.kmsg = 0
>  lxc.tty = 4
>  lxc.pts = 1024
>  lxc.mount = $config_path/fstab
> diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> index c4dce5d..cc43aa0 100644
> --- a/templates/lxc-opensuse.in
> +++ b/templates/lxc-opensuse.in
> @@ -26,6 +26,16 @@
>  # License along with this library; if not, write to the Free Software
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
> +#Configurations
> +default_path=@LXCPATH@
> +template_path=@LXCTEMPLATEDIR@
> +
> +# Load up some common functions
> +if [ -f ${template_path}/functions ]
> +then
> +    . ${template_path}/functions
> +fi
> +
>  # Detect use under userns (unsupported)
>  for arg in "$@"; do
>      [ "$arg" = "--" ] && break
> @@ -108,9 +118,6 @@ EOF
>  
>      touch $rootfs/etc/sysconfig/kernel
>  
> -    echo "Please change root-password !"
> -    echo "root:root" | chpasswd -R $rootfs
> -
>      return 0
>  }
>  
> @@ -265,7 +272,7 @@ copy_configuration()
>      name=$3
>  
>      grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "
> -lxc.rootfs = $rootfs_path
> +lxc.rootfs = ${rootfs}
>  " >> $path/config
>  
>      # The following code is to create static MAC addresses for each
> @@ -313,10 +320,11 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
>  lxc.arch = $arch
>  lxc.utsname = $name
>  
> -lxc.mount = $path/fstab
> +# Keep systemd and journald happy...
> +lxc.autodev = 1
> +lxc.kmsg = 0
>  
> -# When using LXC with apparmor, uncomment the next line to run unconfined:
> -#lxc.aa_profile = unconfined
> +lxc.mount = $path/fstab
>  
>  # example simple networking setup, uncomment to enable
>  #lxc.network.type = $lxc_network_type
> @@ -452,3 +460,31 @@ if [ ! -z $clean ]; then
>      clean || exit 1
>      exit 0
>  fi
> +
> +# Set up the superuser user.
> +# Several of the LXC_ variables are environment variables set up
> +# in the "functions" file but can be overriden byt the calling environment
> +# or by the template or ignored in calling this function.
> +lxc_setup_user \
> +    "${name}" \
> +    "${rootfs}" \
> +    "${config_path}" \
> +    "${LXC_DEFAULT_USER}" \
> +    "${LXC_PASSWORD}" \
> +    "${LXC_DISPLAY_PASSWORD}" \
> +    "${LXC_STORE_PASSWORD}" \
> +    "${LXC_EXPIRE_PASSWORD}"
> +
> +# Add a "suse" user using the same template and config.
> +# This is congruent with several other templates...
> +lxc_setup_user \
> +    "${name}" \
> +    "${rootfs}" \
> +    "${config_path}" \
> +    "suse" \
> +    "${LXC_PASSWORD}" \
> +    "${LXC_DISPLAY_PASSWORD}" \
> +    "${LXC_STORE_PASSWORD}" \
> +    "${LXC_EXPIRE_PASSWORD}"
> +
> +exit 0
> -- 
> 1.9.3
> 
> 
> 
> Regards,
> Mike
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 



> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140919/2188f718/attachment-0001.sig>


More information about the lxc-devel mailing list