Quoting Stéphane Graber (stgra...@ubuntu.com):
> This is a rather massive cleanup of config/templates/*
>
> As new templates were added, I've noticed that we pretty much all share
> the tty/pts configs, some capabilities being dropped and most of the
> cgroup configuration. All the userns configs were also almost identical.
>
> As a result, this change introduces two new files:
> - common.conf.in
> - userns.conf.in
>
> Each is included by the relevant <template>.<type>.conf.in templates,
> this means that the individual per-template configs are now overlays on
> top of the default config.
>
> Once we see a specific key becoming popular, we ought to check whether
> it should also be applied to the other templates and if more than 50% of
> the templates have it set to the same value, that value ought to be
> moved to the master config file and then overridden for the templates
> that do not use it.
>
> This change, while pretty big and scary, shouldn't be very visible from a
> user point of view, the actual changes can be summarized as:
> - Extend clonehostname to work with Debian based distros and use it for
> all containers.
> - lxc.pivotdir is now set to lxc_putold for all templates, this means
> that instead of using /mnt in the container, lxc will create and use
> /lxc_putold instead. The reason for this is to avoid failures when the
> user bind-mounts something else on top of /mnt.
> - Some minor cgroup limit changes, the main one I remember is
> /dev/console now being writable by all of the redhat based containers.
> The rest of the set should be identical with additions in the per-distro
> ones.
> - Drop binfmtmisc and efivars bind-mounts for non-mountall based
> unprivileged containers as I assumed they got those from copy/paste
> from Ubuntu and not because they actually need those entries. (If I'm
> wrong, we probably should move those to userns.conf then).
>
> Additional investigation and changes to reduce the config delta between
> distros would be appreciated. In practice, I only expect lxc.cap.drop
> and lxc.mount.entry to really vary between distros (depending on the
> init system), the rest should be mostly common.
>
> I'm marking this as RFC because I haven't done any testing on this yet
> and I've got to work on something else right now. I'd appreciate the
> input from the affected template maintainers!
>
> Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
Looks good from a high level. Would do the same with the seccomp policy.

> --- > config/templates/Makefile.am | 4 ++- > config/templates/centos.common.conf.in | 30 +++------------------ > config/templates/centos.userns.conf.in | 22 ++-------------- > config/templates/common.conf.in | 35 +++++++++++++++++++++++++ > config/templates/debian.common.conf.in | 36 +++++-------------------- > config/templates/debian.userns.conf.in | 14 ++-------- > config/templates/fedora.common.conf.in | 34 +++--------------------- > config/templates/fedora.userns.conf.in | 22 ++-------------- > config/templates/gentoo.common.conf.in | 42 > ++++++------------------------ > config/templates/gentoo.moresecure.conf.in | 33 +++-------------------- > config/templates/gentoo.userns.conf.in | 21 ++------------- > config/templates/opensuse.common.conf.in | 32 ++++------------------- > config/templates/opensuse.userns.conf.in | 22 ++-------------- > config/templates/oracle.common.conf.in | 28 +++----------------- > config/templates/oracle.userns.conf.in | 21 ++------------- > config/templates/plamo.common.conf.in | 26 +++++------------- > config/templates/plamo.userns.conf.in | 14 ++-------- > config/templates/ubuntu.common.conf.in | 32 +++-------------------- > config/templates/ubuntu.userns.conf.in | 17 ++---------- > config/templates/userns.conf.in | 15 +++++++++++ > configure.ac | 2 ++ > hooks/clonehostname | 4 ++- > 22 files changed, 117 insertions(+), 389 deletions(-) > create mode 100644 config/templates/common.conf.in > create mode 100644 config/templates/userns.conf.in > > diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am > index d0b1c87..d48384f 100644 > --- a/config/templates/Makefile.am > +++ b/config/templates/Makefile.am > @@ -3,6 +3,7 @@ templatesconfigdir=@LXCTEMPLATECONFIG@ > templatesconfig_DATA = \ > centos.common.conf \ > centos.userns.conf \ > + common.conf \ > debian.common.conf \ > debian.userns.conf \ > fedora.common.conf \ 
> @@ -21,4 +22,5 @@ templatesconfig_DATA = \ > ubuntu-cloud.userns.conf \ > ubuntu.common.conf \ > ubuntu.lucid.conf \ > - ubuntu.userns.conf > + ubuntu.userns.conf \ > + userns.conf > diff --git a/config/templates/centos.common.conf.in > b/config/templates/centos.common.conf.in > index c0e6816..4ce2fda 100644 > --- a/config/templates/centos.common.conf.in > +++ b/config/templates/centos.common.conf.in > @@ -1,16 +1,9 @@ > -# Taken from the oracle.common.conf.in > -# Console settings > - > -lxc.devttydir = lxc > -lxc.tty = 4 > -lxc.pts = 1024 > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > > # Mount entries > lxc.mount.auto = proc:mixed sys:ro > > -# Ensure hostname is changed on clone > -lxc.hook.clone = @LXCHOOKDIR@/clonehostname > - > # Capabilities > # Uncomment these if you don't run anything that needs the capability, and > # would like the container to run with less privilege. 
> @@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname > # lxc.cap.drop = setuid # breaks sshd,nfs statd > # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) > # lxc.cap.drop = audit_write > -# > -lxc.cap.drop = mac_admin mac_override setfcap setpcap > -lxc.cap.drop = sys_module sys_nice sys_pacct > -lxc.cap.drop = sys_rawio sys_time > - > -# Control Group devices: all denied except those whitelisted > -lxc.cgroup.devices.deny = a > -# Allow any mknod (but not reading/writing the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > console > -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master > +lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio > diff --git a/config/templates/centos.userns.conf.in > b/config/templates/centos.userns.conf.in > index f6de0e9..707bb30 100644 > --- a/config/templates/centos.userns.conf.in > +++ b/config/templates/centos.userns.conf.in 
> @@ -1,20 +1,2 @@ > -# Taken from the oracle.userns.conf.in > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# We can't move bind-mounts, so don't use /dev/lxc/ > -lxc.devttydir = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > - > -# Extra fstab entries as mountall can't mount those by itself > -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in > new file mode 100644 > index 0000000..1616b4f > --- /dev/null > +++ b/config/templates/common.conf.in 
> @@ -0,0 +1,35 @@ > +# Default configuration shared by all containers > + > +# Setup the LXC devices in /dev/lxc/ > +lxc.devttydir = lxc > + > +# Allow for 1024 pseudo terminals > +lxc.pts = 1024 > + > +# Setup 4 tty devices > +lxc.tty = 4 > + > +# Drop some harmful capabilities > +lxc.cap.drop = mac_admin mac_override sys_time sys_module > + > +# Set the pivot directory > +lxc.pivotdir = lxc_putold > + > +# Ensure hostname is changed on clone > +lxc.hook.clone = @LXCHOOKDIR@/clonehostname > + > +# CGroup whitelist > +lxc.cgroup.devices.deny = a > +## Allow any mknod (but not reading/writing the node) > +lxc.cgroup.devices.allow = c *:* m > +lxc.cgroup.devices.allow = b *:* m > +## Allow specific devices > +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > +lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console > +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx > +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > +lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/* > diff --git a/config/templates/debian.common.conf.in > b/config/templates/debian.common.conf.in > index 09e5c40..e1d421f 100644 > --- a/config/templates/debian.common.conf.in > +++ b/config/templates/debian.common.conf.in 
> @@ -1,18 +1,14 @@ > -# Default pivot location > -lxc.pivotdir = lxc_putold > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > + > +# Doesn't support consoles in /dev/lxc/ > +lxc.devttydir = > > # Default mount entries > lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 > lxc.mount.entry = sysfs sys sysfs defaults 0 0 > lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none > bind,optional 0 0 > > -# Default console settings > -lxc.tty = 4 > -lxc.pts = 1024 > - > -# Default capabilities > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > - > # When using LXC with apparmor, the container will be confined by default. > # If you wish for it to instead run unconfined, copy the following line > # (uncommented) to the container's configuration file. 
> @@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time > # To support container nesting on an Ubuntu host while retaining most of > # apparmor's added security, use the following two lines instead. > #lxc.aa_profile = lxc-container-default-with-nesting > -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups > +#lxc.mount.auto = cgroup:mixed > > # If you wish to allow mounting block filesystems, then use the following > # line instead, and make sure to grant access to the block device and/or loop > # devices below in lxc.cgroup.devices.allow. > #lxc.aa_profile = lxc-container-default-with-mounting > > -# Default cgroup limits > -lxc.cgroup.devices.deny = a > -## Allow any mknod (but not using the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -## /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -## consoles > -lxc.cgroup.devices.allow = c 5:0 rwm > -lxc.cgroup.devices.allow = c 5:1 rwm > -## /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 1:9 rwm > -## /dev/pts/* > -lxc.cgroup.devices.allow = c 5:2 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > +# Extra cgroup device access > ## rtc > lxc.cgroup.devices.allow = c 254:0 rm > ## fuse > lxc.cgroup.devices.allow = c 10:229 rwm > ## tun > lxc.cgroup.devices.allow = c 10:200 rwm > -## full > -lxc.cgroup.devices.allow = c 1:7 rwm > ## hpet > lxc.cgroup.devices.allow = c 10:228 rwm > ## kvm > diff --git a/config/templates/debian.userns.conf.in > b/config/templates/debian.userns.conf.in > index 3e9600d..707bb30 100644 > --- a/config/templates/debian.userns.conf.in > +++ b/config/templates/debian.userns.conf.in 
> @@ -1,12 +1,2 @@ > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > diff --git a/config/templates/fedora.common.conf.in > b/config/templates/fedora.common.conf.in > index 31b23a4..acebe3c 100644 > --- a/config/templates/fedora.common.conf.in > +++ b/config/templates/fedora.common.conf.in > @@ -1,15 +1,5 @@ > -# Taken from the oracle.common.conf.in > -# Console settings > - > -lxc.devttydir = lxc > -lxc.tty = 4 > -lxc.pts = 1024 > - > -# Mount entries > -# lxc.mount.auto = proc:mixed sys:ro > - > -# Ensure hostname is changed on clone > -lxc.hook.clone = @LXCHOOKDIR@/clonehostname > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > > # Capabilities > # Uncomment these if you don't run anything that needs the capability, and 
> @@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname > # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) > # lxc.cap.drop = audit_write > # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd > -# > -lxc.cap.drop = mac_admin mac_override > -lxc.cap.drop = setfcap > -lxc.cap.drop = sys_module sys_nice sys_pacct > -lxc.cap.drop = sys_rawio sys_time > - > -# Control Group devices: all denied except those whitelisted > -lxc.cgroup.devices.deny = a > -# Allow any mknod (but not reading/writing the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > console > -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master > +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio > diff --git a/config/templates/fedora.userns.conf.in > b/config/templates/fedora.userns.conf.in > index f6de0e9..707bb30 100644 > --- a/config/templates/fedora.userns.conf.in > +++ b/config/templates/fedora.userns.conf.in 
> @@ -1,20 +1,2 @@ > -# Taken from the oracle.userns.conf.in > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# We can't move bind-mounts, so don't use /dev/lxc/ > -lxc.devttydir = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > - > -# Extra fstab entries as mountall can't mount those by itself > -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > diff --git a/config/templates/gentoo.common.conf.in > b/config/templates/gentoo.common.conf.in > index 5a8b231..7b96672 100644 > --- a/config/templates/gentoo.common.conf.in > +++ b/config/templates/gentoo.common.conf.in 
> @@ -1,54 +1,28 @@ > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > + > # Gentoo common default configuration > # This is the most feature-full container configuration > # But security is not the goal. > # Looking for more security, see gentoo.moresecure.conf > > -# sysfs > +# Default mount entries > lxc.mount.entry=sys sys sysfs defaults 0 0 > > -# console access > -lxc.pts = 1024 > - > -# this part is based on 'linux capabilities', see: man 7 capabilities > -# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping) > - > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > +# Doesn't support consoles in /dev/lxc/ > +lxc.devttydir = > > -# deny access to all devices by default, explicitly grant some permissions > -# > -# format is [c|b] [major|*]:[minor|*] [r][w][m] > -# ^ ^ ^ > -# char/block -' \`- device number \`-- read, write, mknod > -# > -# first deny all... > -lxc.cgroup.devices.deny = a > -## Allow any mknod (but not using the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -## /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -## consoles > -lxc.cgroup.devices.allow = c 5:0 rwm > -lxc.cgroup.devices.allow = c 5:1 rwm > -## /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 1:9 rwm > -## /dev/pts/* > -lxc.cgroup.devices.allow = c 5:2 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > +# Extra cgroup device access > ## rtc > lxc.cgroup.devices.allow = c 254:0 rm > ## fuse > lxc.cgroup.devices.allow = c 10:229 rwm > ## tun > lxc.cgroup.devices.allow = c 10:200 rwm > -## full > -lxc.cgroup.devices.allow = c 1:7 rwm > ## hpet > lxc.cgroup.devices.allow = c 10:228 rwm > ## kvm > lxc.cgroup.devices.allow = c 10:232 rwm > ## To use loop devices, copy the following line to the container's > ## configuration file (uncommented). 
> -#lxc.cgroup.devices.allow = b 7:* rwm > \ No newline at end of file > +#lxc.cgroup.devices.allow = b 7:* rwm > diff --git a/config/templates/gentoo.moresecure.conf.in > b/config/templates/gentoo.moresecure.conf.in > index da68562..238303d 100644 > --- a/config/templates/gentoo.moresecure.conf.in > +++ b/config/templates/gentoo.moresecure.conf.in > @@ -1,3 +1,6 @@ > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > + > # Gentoo security oriented default configuration > # This is a more security oriented container configuration > # "More" because this is far from fully secure > @@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue > rw,nodev,noexec,nosuid 0 0 > lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 > lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0 > > -# console access > -lxc.pts = 1024 > - > # this part is based on 'linux capabilities', see: man 7 capabilities > # eg: you may also wish to drop 'cap_net_raw' (though it breaks ping) > # 
> @@ -31,29 +31,4 @@ lxc.pts = 1024 > # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot > # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill > lease net_admin net_bind_service net_broadcast net_raw setgid setuid > sys_chroot) > > -lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner > linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot > sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time > sys_tty_config syslog > - > -# deny access to all devices by default, explicitly grant some permissions > -# > -# format is [c|b] [major|*]:[minor|*] [r][w][m] > -# ^ ^ ^ > -# char/block -' \`- device number \`-- read, write, mknod > -# > -# first deny all... > -lxc.cgroup.devices.deny = a > -# /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rw > -lxc.cgroup.devices.allow = c 1:5 rw > -# /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:9 rw > -lxc.cgroup.devices.allow = c 1:8 r > -# /dev/pts/* > -lxc.cgroup.devices.allow = c 136:* rw > -lxc.cgroup.devices.allow = c 5:2 rw > -# /dev/tty{0,1} > -lxc.cgroup.devices.allow = c 4:1 rwm > -lxc.cgroup.devices.allow = c 4:0 rwm > -# /dev/tty > -lxc.cgroup.devices.allow = c 5:0 rwm > -# /dev/console > -lxc.cgroup.devices.allow = c 5:1 rwm > \ No newline at end of file > +lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner > linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace > sys_rawio sys_resource sys_tty_config syslog > diff --git a/config/templates/gentoo.userns.conf.in > b/config/templates/gentoo.userns.conf.in > index 5643744..707bb30 100644 > --- a/config/templates/gentoo.userns.conf.in > +++ b/config/templates/gentoo.userns.conf.in 
> @@ -1,19 +1,2 @@ > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# We can't move bind-mounts, so don't use /dev/lxc/ > -lxc.devttydir = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > - > -# Extra fstab entries as mountall can't mount those by itself > -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > diff --git a/config/templates/opensuse.common.conf.in > b/config/templates/opensuse.common.conf.in > index 1585fb8..4026975 100644 > --- a/config/templates/opensuse.common.conf.in > +++ b/config/templates/opensuse.common.conf.in > @@ -1,13 +1,8 @@ > -lxc.autodev = 1 > -lxc.devttydir = lxc > -lxc.tty = 4 > -lxc.pts = 1024 > - > -# Mount entries > -# lxc.mount.auto = proc:mixed sys:ro > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > > -# Ensure hostname is changed on clone > -lxc.hook.clone = @LXCHOOKDIR@/clonehostname > +# Enable autodev > +lxc.autodev = 1 > > # Capabilities > # Uncomment these if you don't run anything that needs the capability, and 
> @@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname > # lxc.cap.drop = audit_write > # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd > # lxc.cap.drop = setfcap > -# > -lxc.cap.drop = mac_admin mac_override > -lxc.cap.drop = sys_module sys_nice sys_pacct > -lxc.cap.drop = sys_rawio sys_time > - > -# Control Group devices: all denied except those whitelisted > -lxc.cgroup.devices.deny = a > -# Allow any mknod (but not reading/writing the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > console > -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master > +lxc.cap.drop = sys_nice sys_pacct sys_rawio > diff --git a/config/templates/opensuse.userns.conf.in > b/config/templates/opensuse.userns.conf.in > index f6de0e9..707bb30 100644 > --- a/config/templates/opensuse.userns.conf.in > +++ b/config/templates/opensuse.userns.conf.in 
> @@ -1,20 +1,2 @@ > -# Taken from the oracle.userns.conf.in > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# We can't move bind-mounts, so don't use /dev/lxc/ > -lxc.devttydir = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > - > -# Extra fstab entries as mountall can't mount those by itself > -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > diff --git a/config/templates/oracle.common.conf.in > b/config/templates/oracle.common.conf.in > index ddcdc88..ec5ae94 100644 > --- a/config/templates/oracle.common.conf.in > +++ b/config/templates/oracle.common.conf.in > @@ -1,14 +1,9 @@ > -# Console settings > -lxc.devttydir = lxc > -lxc.tty = 4 > -lxc.pts = 1024 > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > > # Mount entries > lxc.mount.auto = proc:mixed sys:ro > > -# Ensure hostname is changed on clone > -lxc.hook.clone = @LXCHOOKDIR@/clonehostname > - > # Capabilities > # Uncomment these if you don't run anything that needs the capability, and > # would like the container to run with less privilege. 
> @@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname > # lxc.cap.drop = setuid # breaks sshd,nfs statd > # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) > # lxc.cap.drop = audit_write > -# > -lxc.cap.drop = mac_admin mac_override > -lxc.cap.drop = sys_module sys_nice sys_pacct > -lxc.cap.drop = sys_rawio sys_time > - > -# Control Group devices: all denied except those whitelisted > -lxc.cgroup.devices.deny = a > -# Allow any mknod (but not reading/writing the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > console > -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master > +lxc.cap.drop = sys_nice sys_pacct sys_rawio > diff --git a/config/templates/oracle.userns.conf.in > b/config/templates/oracle.userns.conf.in > index 5643744..707bb30 100644 > --- a/config/templates/oracle.userns.conf.in > +++ b/config/templates/oracle.userns.conf.in 
> @@ -1,19 +1,2 @@ > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# We can't move bind-mounts, so don't use /dev/lxc/ > -lxc.devttydir = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > - > -# Extra fstab entries as mountall can't mount those by itself > -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > diff --git a/config/templates/plamo.common.conf.in > b/config/templates/plamo.common.conf.in > index 50783c3..483a556 100644 > --- a/config/templates/plamo.common.conf.in > +++ b/config/templates/plamo.common.conf.in 
> @@ -1,26 +1,14 @@ > -# Default console settings > -lxc.tty = 4 > -lxc.pts = 1024 > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > > # Default mount > lxc.mount.auto = proc sys cgroup > > -# Default capabilities > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > +# Doesn't support consoles in /dev/lxc/ > +lxc.devttydir = > > -lxc.cgroup.devices.deny = a > -# /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -# consoles > -lxc.cgroup.devices.allow = c 5:0 rwm > -lxc.cgroup.devices.allow = c 5:1 rwm > -# /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 1:9 rwm > -lxc.cgroup.devices.allow = c 5:2 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > -# rtc > +# Extra cgroup device access > +## rtc > lxc.cgroup.devices.allow = c 254:0 rm > -# fuse > +## fuse > lxc.cgroup.devices.allow = c 10:229 rwm > diff --git a/config/templates/plamo.userns.conf.in > b/config/templates/plamo.userns.conf.in > index 3e9600d..707bb30 100644 > --- a/config/templates/plamo.userns.conf.in > +++ b/config/templates/plamo.userns.conf.in > @@ -1,12 +1,2 @@ > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf 
> diff --git a/config/templates/ubuntu.common.conf.in > b/config/templates/ubuntu.common.conf.in > index 1ec323f..631b4bb 100644 > --- a/config/templates/ubuntu.common.conf.in > +++ b/config/templates/ubuntu.common.conf.in > @@ -1,5 +1,5 @@ > -# Default pivot location > -lxc.pivotdir = lxc_putold > +# This derives from the global common config > +lxc.include = @LXCTEMPLATECONFIG@/common.conf > > # Default mount entries > lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 > @@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none > bind,optional 0 0 > lxc.mount.entry = /sys/kernel/security sys/kernel/security none > bind,optional 0 0 > lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 > > -# Default console settings > -lxc.devttydir = lxc > -lxc.tty = 4 > -lxc.pts = 1024 > - > -# Default capabilities > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > - > # When using LXC with apparmor, the container will be confined by default. > # If you wish for it to instead run unconfined, copy the following line > # (uncommented) to the container's configuration file. 
> @@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time > # devices below in lxc.cgroup.devices.allow. > #lxc.aa_profile = lxc-container-default-with-mounting > > -# Default cgroup limits > -lxc.cgroup.devices.deny = a > -## Allow any mknod (but not using the node) > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > -## /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -## consoles > -lxc.cgroup.devices.allow = c 5:0 rwm > -lxc.cgroup.devices.allow = c 5:1 rwm > -## /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 1:9 rwm > -## /dev/pts/* > -lxc.cgroup.devices.allow = c 5:2 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > +# Extra cgroup device access > ## rtc > lxc.cgroup.devices.allow = c 254:0 rm > ## fuse > lxc.cgroup.devices.allow = c 10:229 rwm > ## tun > lxc.cgroup.devices.allow = c 10:200 rwm > -## full > -lxc.cgroup.devices.allow = c 1:7 rwm > ## hpet > lxc.cgroup.devices.allow = c 10:228 rwm > ## kvm > diff --git a/config/templates/ubuntu.userns.conf.in > b/config/templates/ubuntu.userns.conf.in > index 5643744..0d73464 100644 > --- a/config/templates/ubuntu.userns.conf.in > +++ b/config/templates/ubuntu.userns.conf.in 
> @@ -1,18 +1,5 @@ > -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > -lxc.cgroup.devices.deny = > -lxc.cgroup.devices.allow = > - > -# We can't move bind-mounts, so don't use /dev/lxc/ > -lxc.devttydir = > - > -# Extra bind-mounts for userns > -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > +# This derives from the global userns config > +lxc.include = @LXCTEMPLATECONFIG@/userns.conf > > # Extra fstab entries as mountall can't mount those by itself > lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in > new file mode 100644 > index 0000000..5dc19c7 > --- /dev/null > +++ b/config/templates/userns.conf.in > @@ -0,0 +1,15 @@ > +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > +lxc.cgroup.devices.deny = > +lxc.cgroup.devices.allow = > + > +# We can't move bind-mounts, so don't use /dev/lxc/ > +lxc.devttydir = > + > +# Extra bind-mounts for userns > +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > +lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 > +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > diff --git a/configure.ac b/configure.ac > index 5ade4b5..fcc1402 100644 
> --- a/configure.ac > +++ b/configure.ac > @@ -583,6 +583,7 @@ AC_CONFIG_FILES([ > config/templates/Makefile > config/templates/centos.common.conf > config/templates/centos.userns.conf > + config/templates/common.conf > config/templates/debian.common.conf > config/templates/debian.userns.conf > config/templates/fedora.common.conf > @@ -602,6 +603,7 @@ AC_CONFIG_FILES([ > config/templates/ubuntu.common.conf > config/templates/ubuntu.lucid.conf > config/templates/ubuntu.userns.conf > + config/templates/userns.conf > config/yum/Makefile > > doc/Makefile > diff --git a/hooks/clonehostname b/hooks/clonehostname > index 8865c2d..e5676af 100755 > --- a/hooks/clonehostname > +++ b/hooks/clonehostname > @@ -20,7 +20,9 @@ > # Note that /etc/hostname is updated by lxc itself > for file in \ > $LXC_ROOTFS_PATH/etc/sysconfig/network \ > - $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ; > + $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \ > + $LXC_ROOTFS_PATH/etc/hostname \ > + $LXC_ROOTFS_PATH/etc/hosts ; > do > if [ -f $file ]; then > sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file > -- > 1.9.1 > > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel
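Review bot: on the first ubuntu.common.conf.in hunk (`@@ -1,5 +1,5 @@`), putting `lxc.include = @LXCTEMPLATECONFIG@/common.conf` as the first statement is right, since every key set later in the file overrides the common value, which is the overlay behaviour the cover letter describes. A one-line comment next to the include would help template maintainers: a common.conf default that Ubuntu must not inherit has to be explicitly reset with an empty assignment (the pattern userns.conf.in uses), because simply omitting the key keeps the common value.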
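Review bot: the `@@ -9,14 +9,6 @@` hunk of ubuntu.common.conf.in drops `lxc.cap.drop = sys_module mac_admin mac_override sys_time` together with the tty/pts defaults and relies on common.conf.in to carry them, but common.conf.in is not in this part of the series. Please confirm the common capability list contains at least those four; if it is narrower, Ubuntu containers silently keep capabilities they used to drop, with no diff showing it, while the cover letter only promises "some minor cgroup limit changes".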
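Review bot: in the `@@ -36,31 +28,13 @@` cgroup hunk, the removed `## full` / `lxc.cgroup.devices.allow = c 1:7 rwm` sat inside the per-template extras rather than among the defaults, so it is not obvious whether it moved to common.conf or was dropped by accident. With `lxc.cgroup.devices.deny = a` as the base rule, a privileged Ubuntu container gets EPERM opening /dev/full unless 1:7 is in the common whitelist; please check it landed there, or keep the line in this file.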
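Review bot: the ubuntu.userns.conf.in hunk keeps `lxc.mount.entry = /sys/firmware/efi/efivars ...` under the "mountall can't mount those by itself" comment, which matches the cover letter's intent to drop it only for non-mountall distros. The empty `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` now arrive via userns.conf, and they only neutralise the common device rules if the template includes the userns config after the common one; that ordering is not visible in this hunk, so a comment stating the dependency would help.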
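Review bot: the new config/templates/userns.conf.in has no header saying where it belongs in the include chain, yet its three empty assignments (`lxc.cgroup.devices.deny =`, `lxc.cgroup.devices.allow =`, `lxc.devttydir =`) are resets of values common.conf sets and are only meaningful when this file is included after common.conf. Suggest a leading comment such as `# Must be included after common.conf; the empty keys below clear its defaults`.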
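Review bot: both configure.ac hunks register config/templates/common.conf and config/templates/userns.conf with AC_CONFIG_FILES, but nothing in this part of the series installs them. `lxc.include = @LXCTEMPLATECONFIG@/common.conf` resolves to the install directory, so unless config/templates/Makefile.am gains both files in its install list (not shown here), every template include fails when the container config is loaded.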
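Review bot: in the hooks/clonehostname hunk, the context line `# Note that /etc/hostname is updated by lxc itself` now contradicts the added `$LXC_ROOTFS_PATH/etc/hostname` entry; either drop the comment or say why the hook rewrites the file as well. Separately, `sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file` is an unanchored substring replacement applied once per line: on /etc/hosts it also rewrites any host whose name merely contains the source name (cloning `web` to `web2` turns `webmail` into `web2mail`), and a container name containing a regex metacharacter such as `.` widens the match further. Anchoring on word boundaries, e.g. `s|\b$LXC_SRC_NAME\b|$LXC_NAME|g`, and quoting `"$file"` in the test would be safer.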
