Signed-off-by: Dwight Engen <dwight.en...@oracle.com> --- config/templates/Makefile.am | 2 ++ config/templates/oracle.common.conf.in | 45 ++++++++++++++++++++++++++++++++++ config/templates/oracle.userns.conf.in | 17 +++++++++++++ configure.ac | 2 ++ templates/lxc-oracle.in | 42 ++++++------------------------- 5 files changed, 73 insertions(+), 35 deletions(-) create mode 100644 config/templates/oracle.common.conf.in create mode 100644 config/templates/oracle.userns.conf.in
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index dd0dfa4..4c71375 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,6 +1,8 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 templatesconfig_DATA = \
+ oracle.common.conf \
+ oracle.userns.conf \
 plamo.common.conf \
 plamo.userns.conf \
 ubuntu-cloud.common.conf \
diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
new file mode 100644
index 0000000..515c4c8
--- /dev/null
+++ b/config/templates/oracle.common.conf.in
@@ -0,0 +1,45 @@
+# Console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+#
+lxc.cap.drop = mac_admin mac_override setfcap setpcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
new file mode 100644
index 0000000..dec2ae8
--- /dev/null
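Review bot: The two wildcard rules `lxc.cgroup.devices.allow = c *:* m` and `lxc.cgroup.devices.allow = b *:* m` near the end of the hunk widen the device policy relative to the whitelist this file replaces in templates/lxc-oracle.in, which had no mknod allowance at all; the comment above them says what they do but not why they are needed. Because the `deny = a` line only gates access through the devices cgroup, an `m` allowance for every major:minor lets container root create arbitrary device nodes, and the only thing keeping them unusable is the short r/w list that follows. Record the reason so the widening can be re-evaluated later, e.g. `# Allow any mknod (but not reading/writing the node); needed by <tool/package — TODO fill in>, access is still gated by the rwm entries below`.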
+++ b/config/templates/oracle.userns.conf.in
@@ -0,0 +1,17 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/configure.ac b/configure.ac
index 44343dc..325dfd4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -532,6 +532,8 @@ AC_CONFIG_FILES([
 config/Makefile
 config/etc/Makefile
 config/templates/Makefile
+ config/templates/oracle.common.conf
+ config/templates/oracle.userns.conf
 config/templates/plamo.common.conf
 config/templates/plamo.userns.conf
 config/templates/ubuntu-cloud.common.conf
diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index 6ae60b0..ccc746a 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
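Review bot: The efivars entry near the end of the hunk binds /sys/firmware/efi/efivars into the container read-write, and the binfmt_misc entry below it has the same shape; the comment only says mountall cannot mount them itself. In a user-namespace container the host ownership of those files is presumably what stops the container from writing them, but that relies on the id mapping rather than on this config, and writes to efivars are widely reported to be hazardous for firmware state, so the entry should carry `ro` if the installed LXC honours it on bind entries: `lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,ro,optional 0 0`. If `ro` cannot be used, a comment next to the two lines stating that writes are expected to be blocked by the uid/gid mapping would at least record the assumption.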
@@ -370,40 +370,22 @@ EOF
 container_config_create() {
 echo "Create configuration file $cfg_dir/config"
+ mkdir -p $cfg_dir || die "unable to create config dir $cfg_dir"
+
+ echo "# Common configuration" >> $cfg_dir/config
+ if [ -e "@LXCTEMPLATECONFIG@/oracle.common.conf" ]; then
+ echo "lxc.include = @LXCTEMPLATECONFIG@/oracle.common.conf" >> $cfg_dir/config
+ fi
+
 # generate a hwaddr for the container with a high mac address
 # see http://sourceforge.net/tracker/?func=detail&aid=3411497&group_id=163076&atid=826303
 local hwaddr="fe:`dd if=/dev/urandom bs=8 count=1 2>/dev/null |od -t x8 | \
 head -1 |awk '{print $2}' | cut -c1-10 |\
 sed 's/\(..\)/\1:/g; s/.$//'`"
- mkdir -p $cfg_dir || die "unable to create config dir $cfg_dir"
 cat <<EOF >> $cfg_dir/config || die "unable to create $cfg_dir/config"
 # Container configuration for Oracle Linux $container_release_major.$container_release_minor
 lxc.arch = $arch
 lxc.utsname = $name
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount.auto = proc:mixed sys:ro
-lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
-# Uncomment these if you don't run anything that needs the capability, and
-# would like the container to run with less privilege.
-#
-# Dropping sys_admin disables container root from doing a lot of things
-# that could be bad like re-mounting lxc fstab entries rw for example,
-# but also disables some useful things like being able to nfs mount, and
-# things that are already namespaced with ns_capable() kernel checks, like
-# hostname(1).
-# lxc.cap.drop = sys_admin
-# lxc.cap.drop = net_raw # breaks dhcp/ping
-# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
-# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
-# lxc.cap.drop = setuid # breaks sshd,nfs statd
-# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
-# lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override setfcap setpcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
 EOF
 grep -q "^lxc.rootfs" $cfg_dir/config 2>/dev/null || echo "lxc.rootfs = $container_rootfs" >> $cfg_dir/config
@@ -426,16 +408,6 @@ EOF
 lxc.network.name = eth0
 lxc.network.mtu = 1500
 lxc.network.hwaddr = $hwaddr
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
 EOF
 }
-- 
1.8.3.1
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
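Review bot: The `if [ -e "@LXCTEMPLATECONFIG@/oracle.common.conf" ]` block at the top of the first lxc-oracle.in hunk silently skips the include when the common file is absent, yet everything that used to be written inline — devttydir/tty/pts, mount.auto, the clone hook, the lxc.cap.drop lines removed in this hunk and the cgroup device deny/allow lines removed in the following hunk — now exists only in that file, so a container created on a host missing it gets no capability drops and no device cgroup restriction without any warning. Fail loudly instead of falling through: `[ -e "@LXCTEMPLATECONFIG@/oracle.common.conf" ] || die "missing @LXCTEMPLATECONFIG@/oracle.common.conf"` followed by an unconditional `echo "lxc.include = @LXCTEMPLATECONFIG@/oracle.common.conf" >> "$cfg_dir/config"`. The two new `echo ... >> $cfg_dir/config` lines are also the only writes to the config without an `|| die`, unlike the `cat <<EOF` below them, and `$cfg_dir` is unquoted in every new line. container_config_create's body continues past the end of this hunk.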