[lxc-users] red hat/centos guest support

Tamas Papp tompos at martos.bme.hu
Thu Jun 12 14:53:50 UTC 2014


On 06/12/2014 04:50 PM, Stéphane Graber wrote:
> On Thu, Jun 12, 2014 at 04:35:08PM +0200, Tamas Papp wrote:
>> On 06/12/2014 04:17 PM, Fajar A. Nugraha wrote:
>>> Different distros have different needs. For example, an ubuntu
>>> container works just fine running with restricted apparmor
>>> container profile, while fedora (or any other distro which uses
>>> systemd) won't work.
>> I was referring to the format of the config file.
>>
>> For example
>> Ubuntu:
>>
>> # Template used to create this container:
>> /usr/share/lxc/templates/lxc-ubuntu
>> # Parameters passed to the template: -r precise
>> # For additional config options, please look at lxc.conf(5)
>>
>> # Common configuration
>> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>>
>> # Container specific configuration
>> lxc.rootfs = /tank/lxc/mine/rootfs
>> lxc.mount = /tank/lxc/mine/fstab
>> lxc.utsname = mine
>> lxc.arch = amd64
>>
>> # Network configuration
>> lxc.network.type = veth
>> lxc.network.hwaddr = 00:16:3e:76:1f:5a
>> lxc.network.flags = up
>> lxc.network.link = br-eth0
>>
>> lxc.start.auto = 1
>>
>>
>> Oracle:
>>
>> # Template used to create this container:
>> /usr/share/lxc/templates/lxc-oracle
>> # Parameters passed to the template:
>> lxc.network.type = veth
>> lxc.network.flags = up
>> lxc.network.link = br-eth0
>> lxc.rootfs = /tank/lxc/example-oracle/rootfs
>> # Container configuration for Oracle Linux 6.4
>> lxc.arch = x86_64
>> lxc.utsname = example-oracle
>> lxc.devttydir = lxc
>> lxc.tty = 4
>> lxc.pts = 1024
>> lxc.mount = /tank/lxc/example-oracle/fstab
>> lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
>> # Uncomment these if you don't run anything that needs the capability, and
>> # would like the container to run with less privilege.
>> #
>> # Dropping sys_admin disables container root from doing a lot of things
>> # that could be bad like re-mounting lxc fstab entries rw for example,
>> # but also disables some useful things like being able to nfs mount, and
>> # things that are already namespaced with ns_capable() kernel checks, like
>> # hostname(1).
>> # lxc.cap.drop = sys_admin
>> # lxc.cap.drop = net_raw          # breaks dhcp/ping
>> # lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
>> # lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
>> # lxc.cap.drop = setuid           # breaks sshd,nfs statd
>> # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
>> # lxc.cap.drop = audit_write
>> #
>> lxc.cap.drop = mac_admin mac_override setfcap setpcap
>> lxc.cap.drop = sys_module sys_nice sys_pacct
>> lxc.cap.drop = sys_rawio sys_time
>> lxc.cap.drop = sys_resource
>>
>> # Networking
>> lxc.network.name = eth0
>> lxc.network.mtu = 1500
>> lxc.network.hwaddr = fe:5f:22:6a:23:f5
>> # Control Group devices: all denied except those whitelisted
>> lxc.cgroup.devices.deny = a
>> lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
>> lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
>> lxc.cgroup.devices.allow = c 1:7 rwm    # /dev/full
>> lxc.cgroup.devices.allow = c 5:0 rwm    # /dev/tty
>> lxc.cgroup.devices.allow = c 1:8 rwm    # /dev/random
>> lxc.cgroup.devices.allow = c 1:9 rwm    # /dev/urandom
>> lxc.cgroup.devices.allow = c 136:* rwm    # /dev/tty[1-4] ptys and lxc console
>> lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx pty master
>>
>>
>>
>> I see no reason why there is a difference in how they look.
>> It could matter when a human tries to parse it.
> That Oracle config looks a bit old to me, all the templates which are
> supported by the download template had to be ported over to the new-style
> config (something like the one you got for the Ubuntu container above).
> I suspect that if you were to create a fresh Oracle container you may
> find yourself with a config much closer to that of the Ubuntu container
> (probably identical with the only difference being the name of the
> distro in the include line).

That's correct, it's quite old.
I should have checked how it looks recently :)


Thanks,
tamas
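Added example, not part of the post above and not LXC project code: the practical difference between the two config styles in this thread is that the new-style file hides the capability drops and the device whitelist behind an `lxc.include` line, so a human comparing two containers only sees the policy after the include is expanded. The script below flattens a config by following `lxc.include` (with cycle and missing-file detection), then summarises `lxc.cap.drop` and `lxc.cgroup.devices.*` so an include-based config and an inline one can be compared on equal footing. All file paths and contents are constructed samples held in an in-memory dict so it runs offline; the `ubuntu.common.conf` stand-in is invented for the example and is not the real file. Stripping trailing `# ...` comments from values is an assumption that matches the config quoted in the thread, not a statement about LXC's own parser.

```python
"""Flatten an LXC container config and report its effective security policy.

Added example, not code from the lxc-users thread or from the LXC project.
It expands ``lxc.include`` lines and then summarises ``lxc.cap.drop`` and
``lxc.cgroup.devices.*`` entries, so an include-based ("new style") config
and an inline ("old style") config can be compared on the same footing.
"""

# Constructed sample files keyed by path (an in-memory stand-in for the host FS).
SAMPLE_FS = {
    "/tank/lxc/mine/config": """\
# Template used to create this container: lxc-ubuntu
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.rootfs = /tank/lxc/mine/rootfs
lxc.utsname = mine
lxc.network.type = veth
lxc.network.link = br-eth0
""",
    # Stand-in for the distro include file (constructed; NOT the real contents).
    "/usr/share/lxc/config/ubuntu.common.conf": """\
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
""",
    # Old-style inline config, modelled on the Oracle one quoted in the thread.
    "/tank/lxc/example-oracle/config": """\
lxc.rootfs = /tank/lxc/example-oracle/rootfs
lxc.utsname = example-oracle
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
lxc.cap.drop = sys_resource
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
lxc.cgroup.devices.allow = c 136:* rwm  # ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx pty master
""",
}


def flatten_config(path, fs, _seen=None):
    """Return the (key, value) pairs of ``path`` with every lxc.include expanded in place.

    Whole-line comments and trailing ``# ...`` comments are dropped (the trailing
    form is an assumption matching the sample files above). A missing include or
    an include cycle raises instead of silently producing a weaker policy than
    the administrator expects.
    """
    _seen = _seen or set()
    if path in _seen:
        raise ValueError(f"include cycle at {path}")
    if path not in fs:
        raise FileNotFoundError(path)
    _seen = _seen | {path}
    entries = []
    for raw in fs[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.split("#", 1)[0].strip()
        if key == "lxc.include":
            entries.extend(flatten_config(value, fs, _seen))
        else:
            entries.append((key, value))
    return entries


def effective_policy(entries):
    """Summarise the security-relevant keys of a flattened config.

    lxc.cap.drop lines accumulate, so all of them are unioned; device allow
    rules are kept in order because cgroup device entries apply sequentially.
    """
    caps = set()
    allow = []
    default_deny = False
    for key, value in entries:
        if key == "lxc.cap.drop":
            caps.update(value.split())
        elif key == "lxc.cgroup.devices.deny" and value == "a":
            default_deny = True
        elif key == "lxc.cgroup.devices.allow":
            allow.append(value)
    return {"cap_drop": caps, "device_allow": allow, "default_deny": default_deny}


def diff_policies(a, b):
    """Report what one container's policy restricts or permits that the other does not."""
    return {
        "caps_only_in_a": sorted(a["cap_drop"] - b["cap_drop"]),
        "caps_only_in_b": sorted(b["cap_drop"] - a["cap_drop"]),
        "devices_only_in_a": sorted(set(a["device_allow"]) - set(b["device_allow"])),
        "devices_only_in_b": sorted(set(b["device_allow"]) - set(a["device_allow"])),
        "both_default_deny": a["default_deny"] and b["default_deny"],
    }


if __name__ == "__main__":
    new = effective_policy(flatten_config("/tank/lxc/mine/config", SAMPLE_FS))
    old = effective_policy(flatten_config("/tank/lxc/example-oracle/config", SAMPLE_FS))
    for name, pol in (("mine (include-based)", new), ("example-oracle (inline)", old)):
        print(f"{name}: drops {len(pol['cap_drop'])} caps, "
              f"{len(pol['device_allow'])} device rules, default deny={pol['default_deny']}")
    print(diff_policies(old, new))
```

Running it prints one summary line per container and then the diff, which is the view a reviewer actually wants when two containers were created from different template generations: which capabilities one config drops that the other keeps, and which device nodes one whitelists that the other does not. On a real host the dict would be replaced by reading the config path and any `lxc.include` targets from disk.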

