Quoting Leonid Isaev ([email protected]):
> Multiple fixes for the ArchLinux template:
>
> 1. Add some packages from base group to the pkg install list.
>
> 2. Better comment and clean up the default container config, namely: (i) remove
> duplicate and conflicting entries, (ii) constrain list of accessible devices on
> the host.
>
> 3. Do not copy the pacman keyring master key (pacman@localhost) from the host,
> as this opens host to attacks. Instead, generate a new private/public keypair.
>
> 4. Be more verbose when reporting successful creation of a container. Also,
> print a BIG FAT warning about the empty root password.
Thanks, Leonid. Some of the changes look great, but I'm a little worried about some of these - Alexander, could you please confirm that these won't break your containers? Leonid, please make sure to add Signed-off-by: line right above the diffstat. > --- > templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++------- > 1 file changed, 28 insertions(+), 7 deletions(-) > > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in > index e3c01d5..7fc4ab3 100644 > --- a/templates/lxc-archlinux.in > +++ b/templates/lxc-archlinux.in > @@ -49,7 +49,7 @@ base_packages=( > "iputils" > "inetutils" > "dhcpcd" > - "dnsutils" > + "ldns" > "nano" > "grep" > "less" > @@ -58,6 +58,9 @@ base_packages=( > "tar" > "gzip" > "which" > + "diffutils" > + "file" > + "vi" > ) > declare -a additional_packages > > @@ -113,6 +116,9 @@ ln -s /dev/null > /etc/systemd/system/systemd-udevd-kernel.socket > ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount > # set default systemd target > ln -s /lib/systemd/system/multi-user.target > /etc/systemd/system/default.target > +# initialize pacman keyring > +pacman-key --init > +pacman-key --populate archlinux > EOF > return 0 > } 
> @@ -136,19 +142,21 @@ lxc.network.flags=up > lxc.network.name=eth0 > lxc.network.mtu=1500 > #cgroups > +# please refer to kernel documentation for details: > +# https://www.kernel.org/doc/Documentation/devices.txt > +# https://www.kernel.org/doc/Documentation/cgroups/devices.txt > lxc.cgroup.devices.deny = a > -lxc.cgroup.devices.allow = c *:* m > -lxc.cgroup.devices.allow = b *:* m > +# /dev/{null,zero,full,random,urandom} > lxc.cgroup.devices.allow = c 1:3 rwm > lxc.cgroup.devices.allow = c 1:5 rwm > lxc.cgroup.devices.allow = c 1:7 rwm > lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 1:9 rwm > -lxc.cgroup.devices.allow = c 1:9 rwm > -lxc.cgroup.devices.allow = c 4:1 rwm > +# /dev/{tty,console,ptmx} > lxc.cgroup.devices.allow = c 5:0 rwm > lxc.cgroup.devices.allow = c 5:1 rwm > lxc.cgroup.devices.allow = c 5:2 rwm > +# /dev/pts/* > lxc.cgroup.devices.allow = c 136:* rwm > EOF > > @@ -166,7 +174,7 @@ EOF > > # install packages within container chroot > function install_arch { > - if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" > ${base_packages[@]}; then > + if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" > ${base_packages[@]}; then > echo "Failed to install container packages" > return 1 > fi 
> @@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then > exit 1 > fi > > -echo "container config is ${config_path}/config" > +cat << EOF > + > +ArchLinux container ${name} is successfully created! The configuration is > +stored in ${config_path}/config. Please refer to https://wiki.archlinux.org > for > +information about configuring ArchLinux. > + > +************************************************************ > +* THIS CONTAINER IS VULNERABLE. * > +* There is *NO* default root password. * > +* It is highly recommended that you set it on first login. * > +************************************************************ > +EOF > + > +exit 0 > -- > 1.8.5.2 > > > -- > Leonid Isaev > GnuPG key: 0x164B5A6D > Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel
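Review bot: the replacement of "dnsutils" by "ldns" in the base_packages hunk is not covered by any of the four items in the commit message (item 1 only speaks of adding packages from the base group), so state in the log whether this is a package rename on the Arch side or a deliberate functional change; without that, someone reading the history cannot tell why a package was dropped from the install list.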
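Review bot: in the chroot heredoc hunk, the new `pacman-key --init` and `pacman-key --populate archlinux` lines run with no exit-status check and the function ends with `return 0` regardless, whereas install_arch returns 1 when pacstrap fails. A container whose keyring initialization failed would therefore be reported as successfully created and only break on its first pacman run, when signed packages cannot be verified. Append `|| exit 1` to both commands (or put `set -e` at the top of the script fed to the chroot) and check the chroot call's status before returning, so the failure reaches the caller instead of being swallowed.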
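Review bot: in the cgroup hunk, deleting `lxc.cgroup.devices.allow = c *:* m` and `b *:* m` is the real hardening of this patch, since those two lines granted mknod on every character and block device regardless of the later per-device allows; the commit message should say so explicitly rather than "constrain list of accessible devices". The removal of `c 4:1 rwm` (/dev/tty1) is neither the duplicate mentioned in item 2 (that is the repeated `c 1:9 rwm`) nor listed in the new comment block, so either add it to the comment as intentionally dropped or confirm that the template's console/tty setup does not depend on it. The device-number comments themselves check out against devices.txt (1:3 null, 1:5 zero, 1:7 full, 1:8 random, 1:9 urandom, 5:0 tty, 5:1 console, 5:2 ptmx, 136:* pts).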
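Review bot: the `-G` added to the pacstrap invocation is what actually implements item 3 (do not copy the host's pacman keyring into the target), but if the host's arch-install-scripts is too old to accept `-G`, pacstrap will fail with a usage error and the user only sees the generic "Failed to install container packages". Either document the minimum arch-install-scripts version in the template's header comment or print pacstrap's own error alongside that message so the cause is visible.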
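Review bot: the banner in the last hunk tells the user the container is vulnerable, yet the script still exits 0 with an empty root password in place, and this text is the only thing a caller of lxc-create sees. Consider locking or expiring the root password in the chroot step (for example `passwd -l root` or `passwd -e root` inside the container) so the warning describes a required first-login action rather than an open account; at minimum the commit message should say that the empty password is left deliberately. A one-line comment that the heredoc is intentionally unquoted so ${name} and ${config_path} expand would also save the next reader from "fixing" it.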
