Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- config/templates/Makefile.am | 2 ++ config/templates/debian.common.conf.in | 62 ++++++++++++++++++++++++++++++++++ config/templates/debian.userns.conf.in | 9 +++++ configure.ac | 2 ++ templates/lxc-debian.in | 60 +++++++++++++++----------------- 5 files changed, 102 insertions(+), 33 deletions(-) create mode 100644 config/templates/debian.common.conf.in create mode 100644 config/templates/debian.userns.conf.in
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 4c71375..c7f5812 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,6 +1,8 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 templatesconfig_DATA = \
+ debian.common.conf \
+ debian.userns.conf \
 oracle.common.conf \
 oracle.userns.conf \
 plamo.common.conf \
diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
new file mode 100644
index 0000000..09e5c40
--- /dev/null
+++ b/config/templates/debian.common.conf.in
@@ -0,0 +1,62 @@
+# Default pivot location
+lxc.pivotdir = lxc_putold
+
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+
+# Default console settings
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.aa_profile = lxc-container-default-with-mounting
+
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
new file mode 100644
index 0000000..330a2f0
--- /dev/null
+++ b/config/templates/debian.userns.conf.in
@@ -0,0 +1,9 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
diff --git a/configure.ac b/configure.ac
index c34dee1..2d55cd6 100644
--- a/configure.ac
+++ b/configure.ac
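Review bot: The device allow-list in this new file is noticeably wider than the inline one it replaces in templates/lxc-debian.in: it adds `c *:* m`/`b *:* m` (mknod of any node), fuse (10:229), tun (10:200), full (1:7), hpet (10:228) and kvm (10:232), while dropping the `c 4:0` and `c 4:1` rules the old heredoc granted. Exposing `/dev/kvm` to every Debian container's root by default widens the attack surface to the hypervisor interface, so I'd leave that rule commented out like the loop-device rule below it, or record in the "Default cgroup limits" header why it is on. A sentence noting that 4:0/4:1 are intentionally no longer allowed would also help anyone whose containers depended on those ttys. The apparmor block says "on an Ubuntu host" although the file is Debian-specific; "on a host with the LXC apparmor profiles installed" reads more accurately.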
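Review bot: The empty assignments `lxc.cgroup.devices.deny =` and `lxc.cgroup.devices.allow =` reset, as I read them, whatever debian.common.conf set, so the resulting container has no device-cgroup confinement at all, and the header comment does not say so nor that this only works when the file is included after debian.common.conf. I'd expand the first comment to something like `# Unprivileged containers cannot program the devices cgroup (needs CAP_SYS_ADMIN in the initial user namespace), so clear the lists set by debian.common.conf; device access is then bounded only by the uid/gid mapping. Include this file after debian.common.conf.` A one-line comment above the bind mounts explaining why `create=file` is needed (the rootfs may lack these nodes) would round it off. This is a documentation-only suggestion.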
@@ -532,6 +532,8 @@ AC_CONFIG_FILES([
 config/Makefile
 config/etc/Makefile
 config/templates/Makefile
+ config/templates/debian.common.conf
+ config/templates/debian.userns.conf
 config/templates/oracle.common.conf
 config/templates/oracle.userns.conf
 config/templates/plamo.common.conf
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index f399c0b..5d41396 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,6 +21,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 MIRROR=${MIRROR:-http://cdn.debian.net/debian}
+LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 configure_debian()
 {
@@ -202,11 +204,11 @@ copy_debian()
 install_debian()
 {
- cache="@LOCALSTATEDIR@/cache/lxc/debian"
+ cache="$LOCALSTATEDIR/cache/lxc/debian"
 rootfs=$1
 release=$2
 arch=$3
- mkdir -p @LOCALSTATEDIR@/lock/subsys/
+ mkdir -p $LOCALSTATEDIR/lock/subsys/
 (
 flock -x 9
 if [ $? -ne 0 ]; then
@@ -231,7 +233,7 @@ install_debian()
 return 0
- ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+ ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
 return $?
 }
@@ -243,6 +245,10 @@ copy_configuration()
 hostname=$3
 arch=$4
+ # Generate the configuration file
+ ## Create the fstab (empty by default)
+ touch $path/fstab
+
 # if there is exactly one veth network entry, make sure it has an
 # associated hwaddr.
 nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
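Review bot: `mkdir -p $LOCALSTATEDIR/lock/subsys/` and the `9>$LOCALSTATEDIR/lock/subsys/lxc-debian` redirections in this hunk and in the -231 and -311 hunks leave the expansion unquoted, while the `cache=` assignment two lines above now quotes the same variable. The build-time `@LOCALSTATEDIR@` was equally unquoted, so this is not a regression, but since every one of these lines is being rewritten anyway it is the moment to make them consistent: `mkdir -p "$LOCALSTATEDIR/lock/subsys/"` and `) 9>"$LOCALSTATEDIR/lock/subsys/lxc-debian"`. The same goes for `touch $path/fstab` added in the -243 hunk, which is the first line of the new config generation and would word-split on a container path containing spaces. install_debian starts before this hunk and continues past it.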
@@ -250,37 +256,25 @@ copy_configuration()
 grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
 fi
+ ## Add all the includes
+ echo "" >> $path/config
+ echo "# Common configuration" >> $path/config
+ if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then
+ echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> $path/config
+ fi
+ if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then
+ echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" >> $path/config
+ fi
+
+ ## Add the container-specific config
+ echo "" >> $path/config
+ echo "# Container specific configuration" >> $path/config
 grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
+
 cat <<EOF >> $path/config
-lxc.tty = 4
-lxc.pts = 1024
-lxc.arch = $arch
+lxc.mount = $path/fstab
 lxc.utsname = $hostname
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
-
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-
-# mounts point
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.arch = $arch
 EOF
 if [ $? -ne 0 ]; then
@@ -293,7 +287,7 @@ EOF
 clean()
 {
- cache="@LOCALSTATEDIR@/cache/lxc/debian"
+ cache="$LOCALSTATEDIR/cache/lxc/debian"
 if [ ! -e $cache ]; then
 exit 0
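Review bot: Both `lxc.include` lines are only written `if [ -e ... ]`, so when `${LXC_TEMPLATE_CONFIG}/debian.common.conf` is absent (an install prefix mismatch or a packaging split, for instance) the container is silently created without the `lxc.cap.drop`, `lxc.cgroup.devices.deny = a`, proc/sysfs mount entries and tty/pts settings that this hunk removes from the inline heredoc, a far weaker configuration than before, with no message to the user. The release-specific include can reasonably stay optional, but the common one should be required: `[ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ] || { echo "${LXC_TEMPLATE_CONFIG}/debian.common.conf not found" 1>&2; return 1; }`. Separately, nothing in the template ever includes the new debian.userns.conf; if it is meant to be added by hand for unprivileged containers, a comment next to `## Add all the includes` saying so would avoid the impression it was forgotten. copy_configuration begins before this hunk and its error handling after `EOF` continues past it.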
@@ -311,7 +305,7 @@ clean()
 rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
 exit 0
- ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+ ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
 }
 usage()
-- 1.8.5.2 _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel