[lxc-users] red hat/centos guest support

Michael H. Warfield mhw at WittsEnd.com
Thu Jun 12 14:52:25 UTC 2014


On Thu, 2014-06-12 at 16:35 +0200, Tamas Papp wrote:
> On 06/12/2014 04:17 PM, Fajar A. Nugraha wrote:
> > DIfferent distros have different needs. For example, an ubuntu 
> > container works just fine running with restricted apparmor container 
> > profile, while fedora (or any other distro which uses systemd) won't 
> > work. 

> I was referring to the format of the config file.

It's purely because different people have written different templates
and, largely, have carried forward configurations which they have used
or know to work.  Nobody has set a standard for the esthetic appearance
of a config file so we haven't worried about form and just worried about
function.

> For example
> Ubuntu:
> 
> # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
> # Parameters passed to the template: -r precise
> # For additional config options, please look at lxc.conf(5)
> 
> # Common configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> 
> # Container specific configuration
> lxc.rootfs = /tank/lxc/mine/rootfs
> lxc.mount = /tank/lxc/mine/fstab
> lxc.utsname = mine
> lxc.arch = amd64
> 
> # Network configuration
> lxc.network.type = veth
> lxc.network.hwaddr = 00:16:3e:76:1f:5a
> lxc.network.flags = up
> lxc.network.link = br-eth0
> 
> lxc.start.auto = 1
> 
> 
> Oracle:
> 
> # Template used to create this container: /usr/share/lxc/templates/lxc-oracle
> # Parameters passed to the template:
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br-eth0
> lxc.rootfs = /tank/lxc/example-oracle/rootfs
> # Container configuration for Oracle Linux 6.4
> lxc.arch = x86_64
> lxc.utsname = example-oracle
> lxc.devttydir = lxc
> lxc.tty = 4
> lxc.pts = 1024
> lxc.mount = /tank/lxc/example-oracle/fstab
> lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
> # Uncomment these if you don't run anything that needs the capability, and
> # would like the container to run with less privilege.
> #
> # Dropping sys_admin disables container root from doing a lot of things
> # that could be bad like re-mounting lxc fstab entries rw for example,
> # but also disables some useful things like being able to nfs mount, and
> # things that are already namespaced with ns_capable() kernel checks, like
> # hostname(1).
> # lxc.cap.drop = sys_admin
> # lxc.cap.drop = net_raw          # breaks dhcp/ping
> # lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
> # lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
> # lxc.cap.drop = setuid           # breaks sshd,nfs statd
> # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
> # lxc.cap.drop = audit_write
> #
> lxc.cap.drop = mac_admin mac_override setfcap setpcap
> lxc.cap.drop = sys_module sys_nice sys_pacct
> lxc.cap.drop = sys_rawio sys_time
> lxc.cap.drop = sys_resource
> 
> # Networking
> lxc.network.name = eth0
> lxc.network.mtu = 1500
> lxc.network.hwaddr = fe:5f:22:6a:23:f5
> # Control Group devices: all denied except those whitelisted
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
> lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
> lxc.cgroup.devices.allow = c 1:7 rwm    # /dev/full
> lxc.cgroup.devices.allow = c 5:0 rwm    # /dev/tty
> lxc.cgroup.devices.allow = c 1:8 rwm    # /dev/random
> lxc.cgroup.devices.allow = c 1:9 rwm    # /dev/urandom
> lxc.cgroup.devices.allow = c 136:* rwm    # /dev/tty[1-4] ptys and lxc console
> lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx pty master
> 
> 
> 
> I see no reason why there is a difference in how they look.
> It could matter when a human tries to parse it.
> 
> >> Also oracle, redhat, sl and centos templates should be very-very similar to
> >> each other.
> > ... and there's the fact that different people contribute/maintain
> > them, and it would take additional efforts (probably a big one) to
> > "merge" them to the same template while verifying that it still works.
> 
> However, that's correct: if that happened, they could be maintained more 
> easily together(*). E.g. if there is a change, all template scripts could 
> be updated at the same time.
> For example, RH7 is out; soon there will be OL7 and the others.
> 
> tamas
> 
> ps.: (*) IMO:)
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
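The two quoted configs differ in layout but carry the same kind of security-relevant keys (lxc.cap.drop, lxc.cgroup.devices.deny/allow). As an added example, not code from the thread or from the LXC project, here is a small parser that normalises the key = value format and audits what a config actually drops or allows; the sample configs are constructed and abridged from the quoted ones, and lxc.include lines are recorded but not followed, so defaults pulled in from ubuntu.common.conf are not seen.

```python
# Constructed samples, abridged from the two configs quoted above.
UBUNTU_CONF = """\
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.utsname = mine
"""
ORACLE_CONF = """\
lxc.utsname = example-oracle
# lxc.cap.drop = sys_admin
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time sys_resource
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.allow = c 136:* rwm  # ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx pty master
"""

def parse_lxc_conf(text):
    """{key: [values]} in file order; repeated keys accumulate (additive)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def dropped_caps(conf):
    """All dropped capabilities; one lxc.cap.drop line may list several."""
    return {c for v in conf.get("lxc.cap.drop", []) for c in v.split()}

def device_allowlist(conf):
    """(type, major, minor, access) for each lxc.cgroup.devices.allow."""
    return [tuple(v.replace(":", " ").split())
            for v in conf.get("lxc.cgroup.devices.allow", [])]

def audit(conf):
    """Findings to flag: no default device deny, no cap drops, sys_admin."""
    findings = []
    if "a" not in conf.get("lxc.cgroup.devices.deny", []):
        findings.append("no 'lxc.cgroup.devices.deny = a' default-deny")
    caps = dropped_caps(conf)
    if not caps:
        findings.append("no lxc.cap.drop here (may come via lxc.include)")
    elif "sys_admin" not in caps:
        findings.append("sys_admin retained")
    return findings
```

Running audit() over both samples shows why the quoted Oracle comment about sys_admin matters: that config drops ten capabilities but still leaves container root with sys_admin, while the Ubuntu file carries no device or capability restrictions of its own at all.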
