[lxc-devel] [PATCH] Use consistent /proc, /sys and /sys/fs/cgroup (v2)

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jan 29 10:27:13 UTC 2015


Quoting Stéphane Graber (stgraber at ubuntu.com):
>  - Implements mixed mode for /sys where it's mounted read-only but with
>    /sys/devices/virtual/net/ writable.
> 
>  - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
>    templates.
> 
>  - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
> 
>  - Get rid of the fstab file by default, using lxc.mount.entry instead.
> 
>  - Set sys:mixed as the default for "sys". sys:mixed is slightly more
>    permissive than sys:ro so this shouldn't be a problem.
> 
> The read-only bind mount of /sys on top of itself is there so that
> mountall and other init systems don't attempt to remount /sys
> read-write.
> 
> v2 changes:
>  - Fix the mount list, don't specify a source for the remount.
>  - Update the documentation.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  config/templates/archlinux.common.conf.in  |  3 ---
>  config/templates/centos.common.conf.in     |  3 ---
>  config/templates/common.conf.in            |  3 +++
>  config/templates/debian.common.conf.in     |  5 +----
>  config/templates/gentoo.common.conf.in     |  3 ---
>  config/templates/gentoo.moresecure.conf.in |  2 --
>  config/templates/openwrt.common.conf.in    |  4 ----
>  config/templates/oracle.common.conf.in     |  3 ---
>  config/templates/plamo.common.conf.in      |  1 -
>  config/templates/ubuntu.common.conf.in     |  5 +----
>  doc/lxc.container.conf.sgml.in             |  9 ++++++++-
>  src/lxc/conf.c                             | 25 ++++++++++++++++---------
>  src/lxc/conf.h                             |  1 +
>  src/lxc/confile.c                          |  3 ++-
>  templates/lxc-alpine.in                    |  3 +--
>  templates/lxc-altlinux.in                  |  6 +-----
>  templates/lxc-busybox.in                   | 22 ++++++----------------
>  templates/lxc-cirros.in                    |  4 +---
>  templates/lxc-debian.in                    |  5 -----
>  templates/lxc-openmandriva.in              |  7 +------
>  templates/lxc-opensuse.in                  |  8 +-------
>  templates/lxc-plamo.in                     |  5 +----
>  templates/lxc-sshd.in                      |  4 ++--
>  templates/lxc-ubuntu-cloud.in              |  4 ----
>  templates/lxc-ubuntu.in                    |  6 +-----
>  25 files changed, 47 insertions(+), 97 deletions(-)
> 
> diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
> index 693f2f4..f869491 100644
> --- a/config/templates/archlinux.common.conf.in
> +++ b/config/templates/archlinux.common.conf.in
> @@ -8,9 +8,6 @@ lxc.tty = 6
>  lxc.haltsignal=SIGRTMIN+4
>  lxc.stopsignal=SIGRTMIN+14
>  
> -# Mount entries
> -lxc.mount.auto = proc:mixed sys:ro
> -
>  # Uncomment to disable creating tty devices subdirectory in /dev
>  # lxc.devttydir =
>  
> diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
> index 4ce2fda..ee2e9e1 100644
> --- a/config/templates/centos.common.conf.in
> +++ b/config/templates/centos.common.conf.in
> @@ -1,9 +1,6 @@
>  # This derives from the global common config
>  lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
> -# Mount entries
> -lxc.mount.auto = proc:mixed sys:ro
> -
>  # Capabilities
>  # Uncomment these if you don't run anything that needs the capability, and
>  # would like the container to run with less privilege.
> diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
> index f22ef0c..26b3229 100644
> --- a/config/templates/common.conf.in
> +++ b/config/templates/common.conf.in
> @@ -43,6 +43,9 @@ lxc.cgroup.devices.allow = c 1:9 rwm
>  ### /dev/pts/*
>  lxc.cgroup.devices.allow = c 136:* rwm
>  
> +# Setup the default mounts
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
> +
>  # Blacklist some syscalls which are not safe in privileged
>  # containers
>  lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
> diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
> index e1d421f..493feee 100644
> --- a/config/templates/debian.common.conf.in
> +++ b/config/templates/debian.common.conf.in
> @@ -5,8 +5,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  lxc.devttydir =
>  
>  # Default mount entries
> -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> -lxc.mount.entry = sysfs sys sysfs defaults 0 0
>  lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
>  
>  # When using LXC with apparmor, the container will be confined by default.
> @@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
>  #lxc.aa_profile = unconfined
>  
>  # To support container nesting on an Ubuntu host while retaining most of
> -# apparmor's added security, use the following two lines instead.
> +# apparmor's added security, use the following line instead.
>  #lxc.aa_profile = lxc-container-default-with-nesting
> -#lxc.mount.auto = cgroup:mixed
>  
>  # If you wish to allow mounting block filesystems, then use the following
>  # line instead, and make sure to grant access to the block device and/or loop
> diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
> index 7b96672..01c8f48 100644
> --- a/config/templates/gentoo.common.conf.in
> +++ b/config/templates/gentoo.common.conf.in
> @@ -6,9 +6,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  # But security is not the goal.
>  # Looking for more security, see gentoo.moresecure.conf
>  
> -# Default mount entries
> -lxc.mount.entry=sys sys sysfs defaults 0 0
> -
>  # Doesn't support consoles in /dev/lxc/
>  lxc.devttydir =
>  
> diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
> index 238303d..270e9df 100644
> --- a/config/templates/gentoo.moresecure.conf.in
> +++ b/config/templates/gentoo.moresecure.conf.in
> @@ -8,8 +8,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  # Container user ? see gentoo.common.conf
>  
>  # do not mount sysfs, see http://blog.bofh.it/debian/id_413
> -# lxc.mount.entry=sys sys sysfs rw 0 0
> -lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0
>  lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
>  lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
>  lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
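Review bot: Deleting the `proc proc proc ro,nodev,noexec,nosuid` entry changes what this "moresecure" profile actually enforces: it now inherits `proc:mixed` from the common.conf it includes, which (per the conf.c table in this patch) leaves everything in /proc except /proc/sys and /proc/sysrq-trigger writable, and the `# do not mount sysfs` comment kept just above is stale because the inherited `sys:mixed` does mount sysfs. The `config_mount_auto` table shown later in the patch lists no read-only proc mode, though that table may continue outside its hunk. I would either keep the proc entry and state how the inherited `lxc.mount.auto` is meant to interact with it, or replace the comment with `# proc and sysfs now come from lxc.mount.auto in common.conf (proc:mixed sys:mixed); this profile no longer keeps /proc read-only`.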
> diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
> index 05918f0..6609333 100644
> --- a/config/templates/openwrt.common.conf.in
> +++ b/config/templates/openwrt.common.conf.in
> @@ -1,7 +1,3 @@
> -# Default mount entries
> -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> -lxc.mount.entry = sysfs sys sysfs defaults 0 0
> -
>  # Default console settings
>  lxc.devttydir = lxc
>  lxc.tty = 4
> diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
> index 10522b2..8a72ad0 100644
> --- a/config/templates/oracle.common.conf.in
> +++ b/config/templates/oracle.common.conf.in
> @@ -1,9 +1,6 @@
>  # This derives from the global common config
>  lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
> -# Mount entries
> -lxc.mount.auto = cgroup:mixed proc:mixed sys:ro
> -
>  # Capabilities
>  # Uncomment these if you don't run anything that needs the capability, and
>  # would like the container to run with less privilege.
> diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
> index 9b0d02b..e7809e1 100644
> --- a/config/templates/plamo.common.conf.in
> +++ b/config/templates/plamo.common.conf.in
> @@ -2,7 +2,6 @@
>  lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Default mount
> -lxc.mount.auto = proc sys cgroup
>  lxc.mount.entry = none dev/shm tmpfs nosuid,nodev,noexec,mode=1777 0 0
>  
>  # Doesn't support consoles in /dev/lxc/
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index 19a6a67..d1ce8e9 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -2,8 +2,6 @@
>  lxc.include = @LXCTEMPLATECONFIG@/common.conf
>  
>  # Default mount entries
> -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> -lxc.mount.entry = sysfs sys sysfs defaults 0 0
>  lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
>  lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
>  lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
> @@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
>  #lxc.aa_profile = unconfined
>  
>  # To support container nesting on an Ubuntu host while retaining most of
> -# apparmor's added security, use the following two lines instead.
> +# apparmor's added security, use the following line instead.
>  #lxc.aa_profile = lxc-container-default-with-nesting
> -#lxc.mount.auto = cgroup:mixed
>  
>  # Uncomment the following line to autodetect squid-deb-proxy configuration on the
>  # host and forward it to the guest at start time.
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index a86b1e5..50c6a2a 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -774,7 +774,14 @@ proc proc proc nodev,noexec,nosuid 0 0
>                </listitem>
>                <listitem>
>                  <para>
> -                  <option>sys:ro</option> (or <option>sys</option>):
> +                  <option>sys:mixed</option> (or <option>sys</option>):
> +                  mount <filename>/sys</filename> as read-only but with
> +                  /sys/devices/virtual/net writable.
> +                </para>
> +              </listitem>
> +              <listitem>
> +                <para>
> +                  <option>sys:ro</option>:
>                    mount <filename>/sys</filename> as read-only
>                    for security / container isolation purposes.
>                  </para>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index e7def3e..d2cfbe8 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -750,15 +750,21 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
>  		 * MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for kernels as low as
>  		 * 2.6.32...
>  		 */
> -		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                  "%r/proc",               "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
> -		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",           "%r/proc/sys",           NULL,    MS_BIND,                      NULL },
> -		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                    "%r/proc/sys",           NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
> -		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL,    MS_BIND,                      NULL },
> -		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                    "%r/proc/sysrq-trigger", NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
> -		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                  "%r/proc",               "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
> -		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                 "%r/sys",                "sysfs", 0,                            NULL },
> -		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                 "%r/sys",                "sysfs", MS_RDONLY,                    NULL },
> -		{ 0,                  0,                   NULL,                    NULL,                    NULL,    0,                            NULL }
> +		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                              "%r/proc",                      "proc",     MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
> +		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                       "%r/proc/sys",                  NULL,       MS_BIND,                        NULL },
> +		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                                "%r/proc/sys",                  NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
> +		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                             "%r/proc/sysrq-trigger",        NULL,       MS_BIND,                        NULL },
> +		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                                "%r/proc/sysrq-trigger",        NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
> +		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                              "%r/proc",                      "proc",     MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                             "%r/sys",                       "sysfs",    0,                              NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                             "%r/sys",                       "sysfs",    MS_RDONLY,                      NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                             "%r/sys",                       "sysfs",    MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                            "%r/sys",                       NULL,       MS_BIND,                        NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                                "%r/sys",                       NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                             "%r/sys/devices/virtual/net",   "sysfs",    0,                              NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net",    "%r/sys/devices/virtual/net",   NULL,       MS_BIND,                        NULL },
> +		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                                "%r/sys/devices/virtual/net",   NULL,       MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC,   NULL },
> +		{ 0,                  0,                   NULL,                                                NULL,                           NULL,       0,                              NULL }
>  	};
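Review bot: The read-only remount of `%r/sys` on the third new LXC_AUTO_SYS_MIXED row passes only `MS_REMOUNT|MS_BIND|MS_RDONLY`, which as I read mount(2) replaces the per-mount flags and so drops the `MS_NODEV|MS_NOEXEC|MS_NOSUID` the first row set; the last row for the net subtree passes them explicitly, so the two remounts are inconsistent. I would write `{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL },`. The source `"%r/sys/devices/virtual/net/devices/virtual/net"` also needs a comment, since it only makes sense knowing the previous row mounted a full sysfs at `%r/sys/devices/virtual/net`: `/* the sysfs just mounted at %r/sys/devices/virtual/net is a full tree; bind its own devices/virtual/net over it so only that subtree is exposed rw */`. lxc_mount_auto_mounts starts and ends outside the hunk.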
>  
>  	for (i = 0; default_mounts[i].match_mask; i++) {
> @@ -793,6 +799,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
>  			saved_errno = errno;
>  			if (r < 0)
>  				SYSERROR("error mounting %s on %s flags %lu", source, destination, mflags);
> +
>  			free(source);
>  			free(destination);
>  			if (r < 0) {
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 8ec3e8e..afa5517 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -236,6 +236,7 @@ enum {
>  
>  	LXC_AUTO_SYS_RW               = 0x004,   /* /sys */
>  	LXC_AUTO_SYS_RO               = 0x008,   /* /sys read-only */
> +	LXC_AUTO_SYS_MIXED            = 0x00C,   /* /sys read-only and /sys/class/net read-write */
>  	LXC_AUTO_SYS_MASK             = 0x00C,
>  
>  	LXC_AUTO_CGROUP_RO            = 0x010,   /* /sys/fs/cgroup (partial mount, read-only) */
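Review bot: The comment on `LXC_AUTO_SYS_MIXED` says `/sys/class/net read-write`, but the mount table added to conf.c in this patch makes `/sys/devices/virtual/net` writable; it should read `/* /sys read-only and /sys/devices/virtual/net read-write */`. Since the value 0x00C is visibly equal to `LXC_AUTO_SYS_MASK` (both the RW and RO bits set), a short note that this is deliberate would save the next reader from assuming a typo.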
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index ccdf26c..8544ac9 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -1416,8 +1416,9 @@ static int config_mount_auto(const char *key, const char *value,
>  		{ "proc",               LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_MIXED         },
>  		{ "proc:mixed",         LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_MIXED         },
>  		{ "proc:rw",            LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_RW            },
> -		{ "sys",                LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RO             },
> +		{ "sys",                LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_MIXED          },
>  		{ "sys:ro",             LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RO             },
> +		{ "sys:mixed",          LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_MIXED          },
>  		{ "sys:rw",             LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RW             },
>  		{ "cgroup",             LXC_AUTO_CGROUP_MASK,    LXC_AUTO_CGROUP_NOSPEC      },
>  		{ "cgroup:mixed",       LXC_AUTO_CGROUP_MASK,    LXC_AUTO_CGROUP_MIXED       },
> diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> index 187a032..886a838 100644
> --- a/templates/lxc-alpine.in
> +++ b/templates/lxc-alpine.in
> @@ -249,9 +249,8 @@ lxc.cgroup.devices.allow = c 5:2 rwm
>  lxc.cgroup.devices.allow = c 254:0 rm
>  
>  # mounts point
> -lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
> +lxc.mount.auto=cgroup:mixed proc:mixed sys:mixed
>  lxc.mount.entry=run run tmpfs nodev,noexec,nosuid,relatime,size=1m,mode=0755 0 0
> -lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0
>  lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0
>  
>  EOF
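Review bot: The removed `lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0` is not a /proc, /sys or cgroup mount and is not covered by the description, and the same applies to the `tmpfs run tmpfs mode=0755,nodev,nosuid 0 0` line dropped from the lxc-opensuse.in fstab later in this patch. If devpts is presumably handled by `lxc.pts` and the opensuse `run` tmpfs is intentionally gone, the commit message should say so; otherwise carry them over into the respective config heredocs as `lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0` and `lxc.mount.entry = tmpfs run tmpfs mode=0755,nodev,nosuid 0 0`. The heredoc this hunk edits starts outside the hunk.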
> diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
> index ac4527b..8b4168c 100644
> --- a/templates/lxc-altlinux.in
> +++ b/templates/lxc-altlinux.in
> @@ -266,7 +266,6 @@ copy_configuration()
>  lxc.utsname = $name
>  lxc.tty = 4
>  lxc.pts = 1024
> -lxc.mount = $config_path/fstab
>  lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
> @@ -317,11 +316,8 @@ lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
>  lxc.cgroup.devices.allow = c 10:135 rwm
> -EOF
>  
> -    cat <<EOF > $config_path/fstab
> -proc            proc         proc    nodev,noexec,nosuid 0 0
> -sysfs           sys          sysfs   defaults  0 0
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
>  EOF
>  
>      if [ $? -ne 0 ]; then
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 3cfa958..72531d6 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -74,7 +74,7 @@ $rootfs/usr/lib64"
>      # minimal devices needed for busybox
>      if [ $in_userns -eq 1 ]; then
>          for dev in tty console tty0 tty1 ram0 null urandom; do
> -            echo "/dev/$dev dev/$dev    none bind,optional,create=file 0 0" >> $path/fstab
> +            echo "lxc.mount.entry = /dev/$dev dev/$dev    none bind,optional,create=file 0 0" >> $path/config
>          done
>      else
>          mknod -m 666 tty c 5 0       || res=1
> @@ -110,14 +110,6 @@ EOF
>      # executable
>      chmod 744 $rootfs/etc/init.d/rcS || return 1
>  
> -    # mount points
> -    cat <<EOF >> $rootfs/etc/fstab
> -shm   /dev/shm   tmpfs   defaults     0      0
> -EOF
> -
> -    # writable and readable for other
> -    chmod 644 $rootfs/etc/fstab || return 1
> -
>      # launch rcS first then make a console available
>      # and propose a shell on the tty, the last one is
>      # not needed
> @@ -285,6 +277,9 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
>  #lxc.aa_profile = unconfined
> +
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
> +lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
>  EOF
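Review bot: `lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0` uses an absolute target, while every other entry this template writes is rootfs-relative (`dev/$dev` in the first hunk, `sys/kernel/security` in the next); the line was lifted from the container's /etc/fstab, where the absolute form was right, but as an lxc.mount.entry the relative form keeps the file consistent and avoids depending on how absolute targets are resolved. It also carries none of the `nodev,nosuid,noexec` that the alpine template in this same patch puts on its shm mount. I would write `lxc.mount.entry = shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0`. The heredoc starts outside the hunk.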
>  
>      libdirs="\
> @@ -299,11 +294,6 @@ EOF
>          fi
>      done
>      echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
> -    echo "lxc.mount.auto = proc:mixed sys" >>$path/config
> -
> -    if [ -f "$path/fstab" ]; then
> -        echo "lxc.mount = $path/fstab" >>$path/config
> -    fi
>  }
>  
>  remap_userns()
> @@ -311,12 +301,12 @@ remap_userns()
>      path=$1
>  
>      if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
> -        chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
> +        chown $LXC_MAPPED_UID $path/config >/dev/null 2>&1
>          chown -R root $path/rootfs >/dev/null 2>&1
>      fi
>  
>      if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
> -        chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
> +        chgrp $LXC_MAPPED_GID $path/config >/dev/null 2>&1
>          chgrp -R root $path/rootfs >/dev/null 2>&1
>      fi
>  }
> diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
> index c8a8b36..349cdbf 100644
> --- a/templates/lxc-cirros.in
> +++ b/templates/lxc-cirros.in
> @@ -118,7 +118,6 @@ cat >> "$path/config" <<EOF
>  # Template used to create this container: cirros
>  
>  lxc.rootfs = $rootfs
> -#lxc.mount = $path/fstab
>  lxc.pivotdir = lxc_putold
>  
>  lxc.tty = 4
> @@ -132,7 +131,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  #lxc.aa_profile = unconfined
>  # To support container nesting on an Ubuntu host, uncomment next two lines:
>  #lxc.aa_profile = lxc-container-default-with-nesting
> -#lxc.mount.auto = cgroup
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
>  
>  lxc.cgroup.devices.deny = a
>  # Allow any mknod (but not using the node)
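Review bot: The comment `# To support container nesting on an Ubuntu host, uncomment next two lines:` is now stale, because the second of those lines (`lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed`) is always active after this hunk; the debian and ubuntu common configs in this same patch already reword theirs. Change it to `# To support container nesting on an Ubuntu host, uncomment the next line:`.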
> @@ -165,7 +164,6 @@ EOF
>  
>      if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then
>          echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.userns.conf" >> $path/config
> -        echo "lxc.mount.auto = cgroup:mixed proc:mixed sys:ro" >> $path/config
>      fi
>  
>  }
> diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> index 05eee06..938f0db 100644
> --- a/templates/lxc-debian.in
> +++ b/templates/lxc-debian.in
> @@ -202,7 +202,6 @@ configure_debian_systemd()
>  
>      # This function has been copied and adapted from lxc-fedora
>      rm -f ${rootfs}/etc/systemd/system/default.target
> -    touch ${rootfs}/etc/fstab
>      chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
>      chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service
>      chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
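Review bot: The `touch ${rootfs}/etc/fstab` removed here creates the container's own /etc/fstab, not the per-container fstab that the rest of this patch replaces with lxc.mount.entry, so dropping it is a separate behaviour change for a rootfs that ships without that file (the comment says the function was adapted from lxc-fedora, which presumably added the touch for systemd's sake). Either keep the line or explain in the description why the container no longer needs an /etc/fstab. configure_debian_systemd starts outside the hunk.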
> @@ -325,9 +324,6 @@ copy_configuration()
>      arch=$4
>  
>      # Generate the configuration file
> -    ## Create the fstab (empty by default)
> -    touch $path/fstab
> -
>      # if there is exactly one veth network entry, make sure it has an
>      # associated hwaddr.
>      nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
> @@ -351,7 +347,6 @@ copy_configuration()
>      grep -q "^lxc.rootfs" $path/config 2> /dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
>  
>      cat <<EOF >> $path/config
> -lxc.mount = $path/fstab
>  lxc.utsname = $hostname
>  lxc.arch = $arch
>  EOF
> diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
> index 46c829d..6123c5e 100644
> --- a/templates/lxc-openmandriva.in
> +++ b/templates/lxc-openmandriva.in
> @@ -231,8 +231,8 @@ copy_configuration()
>  lxc.utsname = $name
>  lxc.tty = 4
>  lxc.pts = 1024
> -lxc.mount = $config_path/fstab
>  lxc.cap.drop = sys_module mac_admin mac_override sys_time
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
>  #lxc.aa_profile = unconfined
> @@ -284,11 +284,6 @@ lxc.cgroup.devices.allow = c 5:2 rwm
>  lxc.cgroup.devices.allow = c 10:135 rwm
>  EOF
>  
> -    cat <<EOF > $config_path/fstab
> -proc            $rootfs_path/proc         proc    nodev,noexec,nosuid 0 0
> -sysfs           $rootfs_path/sys          sysfs defaults  0 0
> -EOF
> -
>      if [ $? -ne 0 ]; then
>          echo "Failed to add configuration"
>          return 1
> diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> index bb015c8..4ff1dcf 100644
> --- a/templates/lxc-opensuse.in
> +++ b/templates/lxc-opensuse.in
> @@ -321,7 +321,7 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
>  lxc.arch = $arch
>  lxc.utsname = $name
>  
> -lxc.mount = $path/fstab
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
>  #lxc.aa_profile = unconfined
> @@ -340,12 +340,6 @@ lxc.mount = $path/fstab
>  
>  EOF
>  
> -    cat <<EOF > $path/fstab
> -proc            proc         proc	nodev,noexec,nosuid 0 0
> -sysfs           sys          sysfs	defaults  0 0
> -tmpfs           run          tmpfs	mode=0755,nodev,nosuid 0 0
> -EOF
> -
>      if [ $? -ne 0 ]; then
>          echo "Failed to add configuration"
>          return 1
> diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
> index 5061056..c588ddb 100644
> --- a/templates/lxc-plamo.in
> +++ b/templates/lxc-plamo.in
> @@ -247,7 +247,6 @@ copy_configuration() {
>    ret=0
>    cat <<- EOF >> $path/config || let ret++
>  	lxc.utsname = $name
> -	lxc.mount = $path/fstab
>  	lxc.arch = $arch
>  	EOF
>    if [ -f "@LXCTEMPLATECONFIG@/plamo.common.conf" ] ; then
> @@ -256,8 +255,6 @@ copy_configuration() {
>  	lxc.include = @LXCTEMPLATECONFIG@/plamo.common.conf
>  	EOF
>    fi
> -  # create the fstab (empty by default)
> -  touch $path/fstab || let ret++
>    if [ $ret -ne 0 ] ; then
>      echo "Failed to add configuration."
>      return 1
> @@ -274,7 +271,7 @@ do_bindhome() {
>    # bind-mount the user's path into the container's /home
>    h=`getent passwd $bindhome | cut -d: -f6`
>    mkdir -p $rootfs/$h
> -  echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
> +  echo "lxc.mount.entry = $h $rootfs/$h none bind 0 0" >> $path/config
>    # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
>    if ! pwd=`getent passwd $bindhome` ; then
>      echo "Warning: failed to copy password entry for $bindhome."
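Review bot: The new entry `lxc.mount.entry = $h $rootfs/$h none bind 0 0` targets the absolute rootfs path, whereas the equivalent change to do_bindhome in lxc-ubuntu.in later in this patch strips the leading slashes and writes a rootfs-relative target; baking `$rootfs` into the config presumably breaks the bind when the container is cloned or its rootfs moved. Match the ubuntu template by stripping the leading slash, e.g. `echo "lxc.mount.entry = $h ${h#/} none bind 0 0" >> $path/config`. do_bindhome starts outside the hunk.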
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index aa45c1d..d34b3b4 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -141,9 +141,9 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
>  lxc.mount.entry = /sbin sbin none ro,bind 0 0
>  lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
>  lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
> -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> -lxc.mount.entry = sysfs sys sysfs ro 0 0
>  lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
> +
> +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
>  EOF
>  
>      # Oracle Linux and Fedora need the following two bind mounted
> diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> index c4eb5ca..81abf2a 100644
> --- a/templates/lxc-ubuntu-cloud.in
> +++ b/templates/lxc-ubuntu-cloud.in
> @@ -66,9 +66,6 @@ copy_configuration()
>      fi
>  
>      # Generate the configuration file
> -    ## Create the fstab (empty by default)
> -    touch $path/fstab
> -
>      ## Relocate all the network config entries
>      sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
>  
> @@ -94,7 +91,6 @@ copy_configuration()
>      [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
>      grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
>      cat <<EOF >> $path/config
> -lxc.mount = $path/fstab
>  lxc.utsname = $name
>  lxc.arch = $arch
>  EOF
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index bbe7f7d..073724b 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -483,9 +483,6 @@ copy_configuration()
>      fi
>  
>      # Generate the configuration file
> -    ## Create the fstab (empty by default)
> -    touch $path/fstab
> -
>      ## Relocate all the network config entries
>      sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
>  
> @@ -508,7 +505,6 @@ copy_configuration()
>      [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
>      grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
>      cat <<EOF >> $path/config
> -lxc.mount = $path/fstab
>  lxc.utsname = $name
>  lxc.arch = $arch
>  EOF
> @@ -659,7 +655,7 @@ do_bindhome()
>      while [ ${h2:0:1} = "/" ]; do
>          h2=${h2#/}
>      done
> -    echo "$h $h2 none bind 0 0" >> $path/fstab
> +    echo "lxc.mount.entry = $h $h2 none bind 0 0" >> $path/config
>  
>      # Make sure the group exists in container
>      grp=`echo $pwd | cut -d: -f 4`  # group number for $user
> -- 
> 1.9.1
> 

