[lxc-users] red hat/centos guest support

Stéphane Graber stgraber at ubuntu.com
Thu Jun 12 14:50:17 UTC 2014


On Thu, Jun 12, 2014 at 04:35:08PM +0200, Tamas Papp wrote:
> 
> On 06/12/2014 04:17 PM, Fajar A. Nugraha wrote:
> >DIfferent distros have different needs. For example, an ubuntu
> >container works just fine running with restricted apparmor
> >container profile, while fedora (or any other distro which uses
> >systemd) won't work.
> 
> I was referring to the format of the config file.
> 
> For example
> Ubuntu:
> 
> # Template used to create this container:
> /usr/share/lxc/templates/lxc-ubuntu
> # Parameters passed to the template: -r precise
> # For additional config options, please look at lxc.conf(5)
> 
> # Common configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> 
> # Container specific configuration
> lxc.rootfs = /tank/lxc/mine/rootfs
> lxc.mount = /tank/lxc/mine/fstab
> lxc.utsname = mine
> lxc.arch = amd64
> 
> # Network configuration
> lxc.network.type = veth
> lxc.network.hwaddr = 00:16:3e:76:1f:5a
> lxc.network.flags = up
> lxc.network.link = br-eth0
> 
> lxc.start.auto = 1
> 
> 
> Oracle:
> 
> # Template used to create this container:
> /usr/share/lxc/templates/lxc-oracle
> # Parameters passed to the template:
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br-eth0
> lxc.rootfs = /tank/lxc/example-oracle/rootfs
> # Container configuration for Oracle Linux 6.4
> lxc.arch = x86_64
> lxc.utsname = example-oracle
> lxc.devttydir = lxc
> lxc.tty = 4
> lxc.pts = 1024
> lxc.mount = /tank/lxc/example-oracle/fstab
> lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
> # Uncomment these if you don't run anything that needs the capability, and
> # would like the container to run with less privilege.
> #
> # Dropping sys_admin disables container root from doing a lot of things
> # that could be bad like re-mounting lxc fstab entries rw for example,
> # but also disables some useful things like being able to nfs mount, and
> # things that are already namespaced with ns_capable() kernel checks, like
> # hostname(1).
> # lxc.cap.drop = sys_admin
> # lxc.cap.drop = net_raw          # breaks dhcp/ping
> # lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
> # lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
> # lxc.cap.drop = setuid           # breaks sshd,nfs statd
> # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
> # lxc.cap.drop = audit_write
> #
> lxc.cap.drop = mac_admin mac_override setfcap setpcap
> lxc.cap.drop = sys_module sys_nice sys_pacct
> lxc.cap.drop = sys_rawio sys_time
> lxc.cap.drop = sys_resource
> 
> # Networking
> lxc.network.name = eth0
> lxc.network.mtu = 1500
> lxc.network.hwaddr = fe:5f:22:6a:23:f5
> # Control Group devices: all denied except those whitelisted
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
> lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
> lxc.cgroup.devices.allow = c 1:7 rwm    # /dev/full
> lxc.cgroup.devices.allow = c 5:0 rwm    # /dev/tty
> lxc.cgroup.devices.allow = c 1:8 rwm    # /dev/random
> lxc.cgroup.devices.allow = c 1:9 rwm    # /dev/urandom
> lxc.cgroup.devices.allow = c 136:* rwm    # /dev/tty[1-4] ptys and lxc console
> lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx pty master
> 
> 
> 
> I see no reason why there is a difference in how they look.
> It could matter when a human tries to parse it.

That Oracle config looks a bit old to me; all the templates which are
supported by the download template had to be ported over to the new style
config (something like the one you got for the Ubuntu container above).
I suspect that if you were to create a fresh Oracle container you may
find yourself with a config much closer to that of the Ubuntu container
(probably identical, with the only difference being the name of the
distro in the include line).

> 
> >>Also oracle, redhat, sl and centos templates should be very-very similar to
> >>each other.
> >... and there's the fact that different people contribute/maintain
> >them, and it would take additional efforts (probably a big one) to
> >"merge" them to the same template while verifying that it still works.
> 
> However, that's correct: if that happened, they could be maintained
> more easily together(*). E.g. if there is a change, all template
> scripts could be updated at the same time.
> For example, RH7 is out; soon there will be OL7 and the others.
> 
> tamas
> 
> ps.: (*) IMO:)
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
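The thread turns on whether the two config layouts (an `lxc.include` of a common file versus everything spelled out inline) actually amount to the same restrictions. The script below is an added example, not part of the mailing list post or of LXC itself: it parses LXC 1.x-style `key = value` configs, expands `lxc.include`, and summarises the settings that matter for containment (dropped capabilities, the device-cgroup whitelist, and which keys one config has that the other lacks). The `FILES` dictionary is a constructed stand-in for files on disk; the `ubuntu.common.conf` excerpt in it is made up for the example and does not reproduce the real file. One caveat it checks for: in the cgroup v1 device controller, writing `a` to `devices.deny` removes every entry already whitelisted, so an `lxc.cgroup.devices.deny = a` line placed after `allow` lines silently wipes them.

```python
"""Parse LXC 1.x-style configs and summarise their security-relevant settings."""
from typing import Dict, List, Tuple

# Constructed in-memory stand-in for files on disk (not real distro files).
FILES: Dict[str, str] = {
    "/tank/lxc/mine/config": """\
# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.rootfs = /tank/lxc/mine/rootfs
lxc.utsname = mine
lxc.network.type = veth
lxc.network.link = br-eth0
""",
    # Made-up excerpt; the real ubuntu.common.conf is longer and differs.
    "/usr/share/lxc/config/ubuntu.common.conf": """\
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm   # /dev/null
lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx
""",
    # Inline-style config; note the deny-all line placed AFTER an allow line.
    "/tank/lxc/example-oracle/config": """\
lxc.rootfs = /tank/lxc/example-oracle/rootfs
lxc.utsname = example-oracle
# lxc.cap.drop = sys_admin
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.deny = a
""",
}

Entry = Tuple[str, str]


def parse_config(path: str, files: Dict[str, str], _depth: int = 0) -> List[Entry]:
    """Return (key, value) pairs in file order, expanding lxc.include in place."""
    if _depth > 8:
        raise ValueError("lxc.include nesting too deep at %s" % path)
    entries: List[Entry] = []
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        if "=" not in line:
            raise ValueError("malformed line in %s: %r" % (path, raw))
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.include":
            entries.extend(parse_config(value, files, _depth + 1))
        else:
            entries.append((key, value))
    return entries


def summarize(entries: List[Entry]) -> dict:
    """Collect dropped capabilities and the *effective* device whitelist.

    Rules are replayed in order because 'devices.deny = a' clears any
    allow rules that came before it (cgroup v1 device controller semantics).
    """
    caps_dropped = set()
    device_allow: List[str] = []
    deny_all = False
    warnings: List[str] = []
    for key, value in entries:
        if key == "lxc.cap.drop":
            caps_dropped.update(value.split())
        elif key == "lxc.cgroup.devices.deny" and value == "a":
            if device_allow:
                warnings.append("deny-all after %d allow rule(s); they are wiped"
                                % len(device_allow))
            device_allow = []
            deny_all = True
        elif key == "lxc.cgroup.devices.allow":
            device_allow.append(value)
    if not deny_all:
        warnings.append("no 'lxc.cgroup.devices.deny = a': device access unrestricted")
    return {"caps_dropped": caps_dropped, "device_allow": device_allow,
            "deny_all": deny_all, "warnings": warnings}


def compare_keys(first: List[Entry], second: List[Entry]) -> dict:
    """Report which config keys appear in only one of the two expanded configs."""
    keys_first = {key for key, _ in first}
    keys_second = {key for key, _ in second}
    return {"only_in_first": sorted(keys_first - keys_second),
            "only_in_second": sorted(keys_second - keys_first)}


if __name__ == "__main__":
    mine = parse_config("/tank/lxc/mine/config", FILES)
    oracle = parse_config("/tank/lxc/example-oracle/config", FILES)
    for name, entries in (("mine", mine), ("example-oracle", oracle)):
        print(name, summarize(entries))
    print(compare_keys(mine, oracle))
```

Running it shows that the include-style config ends up with a two-entry device whitelist behind a deny-all, while the inline config, because of its ordering, ends with an empty whitelist and a warning. The same replay approach extends to any other order-sensitive LXC key.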