Multiple fixes for the ArchLinux template:

1. Add some packages from base group to the pkg install list.

2. Better comment and clean up the default container config, namely: (i) remove
duplicate and conflicting entries, (ii) constrain list of accessible devices on
the host.

3. Do not copy the pacman keyring master key (pacman@localhost) from the host,
as this opens host to attacks. Instead, generate a new private/public keypair.

4. Be more verbose when reporting successful creation of a container. Also,
print a BIG FAT warning about the empty root password.
---
 templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index e3c01d5..7fc4ab3 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -49,7 +49,7 @@ base_packages=(
     "iputils"
     "inetutils"
     "dhcpcd"
-    "dnsutils"
+    "ldns"
     "nano"
     "grep"
     "less"
@@ -58,6 +58,9 @@ base_packages=(
     "tar"
     "gzip"
     "which"
+    "diffutils"
+    "file"
+    "vi"
 )
 declare -a additional_packages
 
@@ -113,6 +116,9 @@ ln -s /dev/null 
/etc/systemd/system/systemd-udevd-kernel.socket
 ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
 # set default systemd target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# initialize pacman keyring
+pacman-key --init
+pacman-key --populate archlinux
 EOF
     return 0
 }
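Review bot: The two added `pacman-key` calls have no status check, and the function still ends with an unconditional `return 0` right after the heredoc. If key generation or population fails inside the chroot, the container is reported as created but has no usable keyring, which tends to push users toward loosening signature checking. I would write `pacman-key --init || exit 1` and `pacman-key --populate archlinux || exit 1`, and have the function return the status of whatever consumes the heredoc rather than a fixed 0. The start of the function and the command that reads the heredoc are outside this hunk, so the exact propagation path needs confirming there.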
@@ -136,19 +142,21 @@ lxc.network.flags=up
 lxc.network.name=eth0
 lxc.network.mtu=1500
 #cgroups
+# please refer to kernel documentation for details:
+# https://www.kernel.org/doc/Documentation/devices.txt
+# https://www.kernel.org/doc/Documentation/cgroups/devices.txt
 lxc.cgroup.devices.deny = a
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
+# /dev/{null,zero,full,random,urandom}
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
 lxc.cgroup.devices.allow = c 1:7 rwm
 lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{tty,console,ptmx}
 lxc.cgroup.devices.allow = c 5:0 rwm
 lxc.cgroup.devices.allow = c 5:1 rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
+# /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
 EOF
 
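Review bot: The new comments name the whitelisted device nodes but do not record that the wildcard mknod rules (`c *:* m`, `b *:* m`) were dropped on purpose, so a later edit could reintroduce them while "fixing" a missing device. I would add a line under `lxc.cgroup.devices.deny = a` such as `# default-deny: no wildcard mknod; list every additional device explicitly`. The heredoc that holds this config starts outside the hunk.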
@@ -166,7 +174,7 @@ EOF
 
 # install packages within container chroot
 function install_arch {
-    if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" 
${base_packages[@]}; then
+    if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" 
${base_packages[@]}; then
         echo "Failed to install container packages"
         return 1
     fi
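Review bot: The rewritten `pacstrap` line still expands `${base_packages[@]}` unquoted, so any element containing whitespace or glob characters is split or expanded before pacstrap sees it. The array is declared from literals in this file, but if user-supplied package names are appended to it elsewhere (not visible here) that becomes an argument-injection path into a command that runs as root. Use `"${base_packages[@]}"`. The body of install_arch continues past the end of this hunk.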
@@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then
     exit 1
 fi
 
-echo "container config is ${config_path}/config"
+cat << EOF
+
+ArchLinux container ${name} is successfully created! The configuration is
+stored in ${config_path}/config. Please refer to https://wiki.archlinux.org 
for 
+information about configuring ArchLinux.
+
+************************************************************
+* THIS CONTAINER IS VULNERABLE.                            *
+* There is *NO* default root password.                     *
+* It is highly recommended that you set it on first login. *
+************************************************************
+EOF
+
+exit 0
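Review bot: The banner tells the operator that root has no password but the template still ships the container in that state, and a message on stdout is easily lost when creation is scripted. A safer default would be to lock the account during the chroot setup, for example `passwd -l root`, and let the operator set a password through `lxc-attach` once the container is running, or to accept a password from the caller. Whether the image enables any remote login service is not visible in this patch, so how exposed the empty password is should be checked against the package list and enabled units. The chroot setup where such a line would go is outside this hunk.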
-- 
1.8.5.2


-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
