Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 config/templates/Makefile.am           |  2 ++
 config/templates/debian.common.conf.in | 62 ++++++++++++++++++++++++++++++++++
 config/templates/debian.userns.conf.in |  9 +++++
 configure.ac                           |  2 ++
 templates/lxc-debian.in                | 60 +++++++++++++++-----------------
 5 files changed, 102 insertions(+), 33 deletions(-)
 create mode 100644 config/templates/debian.common.conf.in
 create mode 100644 config/templates/debian.userns.conf.in

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 4c71375..c7f5812 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,6 +1,8 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 
 templatesconfig_DATA = \
+       debian.common.conf \
+       debian.userns.conf \
        oracle.common.conf \
        oracle.userns.conf \
        plamo.common.conf \
diff --git a/config/templates/debian.common.conf.in 
b/config/templates/debian.common.conf.in
new file mode 100644
index 0000000..09e5c40
--- /dev/null
+++ b/config/templates/debian.common.conf.in
@@ -0,0 +1,62 @@
+# Default pivot location
+lxc.pivotdir = lxc_putold
+
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none 
bind,optional 0 0
+
+# Default console settings
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.aa_profile = lxc-container-default-with-mounting
+
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
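Review bot: The device whitelist here is not the one this commit removes from templates/lxc-debian.in: `c 4:0 rwm` and `c 4:1 rwm` (tty0/tty1) are gone, while mknod of any node (`c *:* m`, `b *:* m`), fuse (10:229), tun (10:200), full (1:7), hpet (10:228) and kvm (10:232) are newly allowed, so a container regenerated with this template gets a different device policy than before. If the widening is intentional it deserves a line in the commit message, and the `##` comments could mark which entries are new relative to the old inline list so reviewers of the policy can see the change at a glance. The `lxc.hook.mount` example hard-codes `/usr/share/lxc/hooks/mountcgroups` in a `.in` file whose siblings already take their paths from configure substitution; a substituted hook directory would keep it in step with the install prefix. The nesting comment also says "on an Ubuntu host" in a Debian template, which should probably just read "on the host".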
diff --git a/config/templates/debian.userns.conf.in 
b/config/templates/debian.userns.conf.in
new file mode 100644
index 0000000..330a2f0
--- /dev/null
+++ b/config/templates/debian.userns.conf.in
@@ -0,0 +1,9 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
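Review bot: The empty `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` lines only clear the device policy if this file is included after debian.common.conf, and nothing here states that ordering; included the other way round, the common file's `lxc.cgroup.devices.deny = a` would be reapplied and, as the first comment says, fail without CAP_SYS_ADMIN in the initial user namespace. Suggest extending the first comment to `# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices, so clear the lists inherited from debian.common.conf (this file must be included after it).` Note also that the lxc-debian.in hunks in this patch only add includes for debian.common.conf and debian.${release}.conf, so unless the template wires it in elsewhere this file is installed but never referenced.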
diff --git a/configure.ac b/configure.ac
index c34dee1..2d55cd6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -532,6 +532,8 @@ AC_CONFIG_FILES([
        config/Makefile
        config/etc/Makefile
        config/templates/Makefile
+       config/templates/debian.common.conf
+       config/templates/debian.userns.conf
        config/templates/oracle.common.conf
        config/templates/oracle.userns.conf
        config/templates/plamo.common.conf
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index f399c0b..5d41396 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,6 +21,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 MIRROR=${MIRROR:-http://cdn.debian.net/debian}
+LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 
 configure_debian()
 {
@@ -202,11 +204,11 @@ copy_debian()
 
 install_debian()
 {
-    cache="@LOCALSTATEDIR@/cache/lxc/debian"
+    cache="$LOCALSTATEDIR/cache/lxc/debian"
     rootfs=$1
     release=$2
     arch=$3
-    mkdir -p @LOCALSTATEDIR@/lock/subsys/
+    mkdir -p $LOCALSTATEDIR/lock/subsys/
     (
         flock -x 9
         if [ $? -ne 0 ]; then
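Review bot: `mkdir -p $LOCALSTATEDIR/lock/subsys/` on the new line leaves the expansion unquoted now that the path comes from a shell variable rather than a literal substitution; the same applies to the `9>$LOCALSTATEDIR/lock/subsys/lxc-debian` redirections in the next hunk and in clean(), while the new `cache="$LOCALSTATEDIR/cache/lxc/debian"` assignments are already quoted. A configured prefix containing whitespace would split the word, so quote them consistently: `mkdir -p "$LOCALSTATEDIR/lock/subsys/"` and `) 9>"$LOCALSTATEDIR/lock/subsys/lxc-debian"`. install_debian's body continues past this hunk.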
@@ -231,7 +233,7 @@ install_debian()
 
         return 0
 
-        ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+        ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
 
     return $?
 }
@@ -243,6 +245,10 @@ copy_configuration()
     hostname=$3
     arch=$4
 
+    # Generate the configuration file
+    ## Create the fstab (empty by default)
+    touch $path/fstab
+
     # if there is exactly one veth network entry, make sure it has an
     # associated hwaddr.
     nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
@@ -250,37 +256,25 @@ copy_configuration()
         grep -q "^lxc.network.hwaddr" $path/config || sed -i -e 
"/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 
00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
     fi
 
+    ## Add all the includes
+    echo "" >> $path/config
+    echo "# Common configuration" >> $path/config
+    if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> 
$path/config
+    fi
+    if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" >> 
$path/config
+    fi
+
+    ## Add the container-specific config
+    echo "" >> $path/config
+    echo "# Container specific configuration" >> $path/config
     grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = 
$rootfs" >> $path/config
+
     cat <<EOF >> $path/config
-lxc.tty = 4
-lxc.pts = 1024
-lxc.arch = $arch
+lxc.mount = $path/fstab
 lxc.utsname = $hostname
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
-
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-
-# mounts point
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults  0 0
+lxc.arch = $arch
 EOF
 
     if [ $? -ne 0 ]; then
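Review bot: If `${LXC_TEMPLATE_CONFIG}/debian.common.conf` is absent, the `if [ -e ... ]` guard silently skips the include, and the generated config then carries none of the `lxc.cap.drop`, `lxc.cgroup.devices.deny = a` or proc/sysfs `lxc.mount.entry` lines this hunk removes from the heredoc, so the container would be created unconfined with no error reported. The common file is now a hard requirement, so that case should fail instead of falling through: `else`, `echo "Missing ${LXC_TEMPLATE_CONFIG}/debian.common.conf" 1>&2`, `return 1`, leaving only the release-specific include optional. `$release` is not one of copy_configuration's positional parameters (the previous hunk shows hostname as `$3` and arch as `$4`), so the second include presumably depends on a global set during option parsing; if that can be empty the test quietly probes for `debian..conf`. copy_configuration begins before this hunk and ends after it.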
@@ -293,7 +287,7 @@ EOF
 
 clean()
 {
-    cache="@LOCALSTATEDIR@/cache/lxc/debian"
+    cache="$LOCALSTATEDIR/cache/lxc/debian"
 
     if [ ! -e $cache ]; then
         exit 0
@@ -311,7 +305,7 @@ clean()
         rm --preserve-root --one-file-system -rf $cache && echo "Done." || 
exit 1
         exit 0
 
-    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+    ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
 }
 
 usage()
-- 
1.8.5.2
