On Thu, 2 Jan 2014 10:14:41 -0600 Serge Hallyn <[email protected]> wrote:
> Quoting Leonid Isaev ([email protected]): > > Multiple fixes for the ArchLinux template: > > > > 1. Add some packages from base group to the pkg install list. > > > > 2. Better comment and clean up the default container config, namely: (i) > > remove duplicate and conflicting entries, (ii) constrain list of > > accessible devices on the host. > > > > 3. Do not copy the pacman keyring master key (pacman@localhost) from the > > host, as this opens host to attacks. Instead, generate a new > > private/public keypair. > > > > 4. Be more verbose when reporting successfull creation of a container. > > Also, print a BIG FAT warning about the empty root password. > > Thanks, Leonid. Some of the changes look great, but I'm a little > worried about some of these - Alexander, could you please confirm that > these won't break your containers? FWIW, I didn't notice any breakage in my tests but perhaps I wasn't looking for the right thing. > > Leonid, please make sure to add Signed-off-by: line right above the > diffstat. Sorry, completely forgot that. I'll resend whenever the patch is reviewed... Happy new year, Leonid. > > > --- > > templates/lxc-archlinux.in | 35 ++++++++++++++++++++++++++++------- > > 1 file changed, 28 insertions(+), 7 deletions(-) > > > > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in > > index e3c01d5..7fc4ab3 100644 > > --- a/templates/lxc-archlinux.in > > +++ b/templates/lxc-archlinux.in > > @@ -49,7 +49,7 @@ base_packages=( > > "iputils" > > "inetutils" > > "dhcpcd" > > - "dnsutils" > > + "ldns" > > "nano" > > "grep" > > "less" > > @@ -58,6 +58,9 @@ base_packages=( > > "tar" > > "gzip" > > "which" > > + "diffutils" > > + "file" > > + "vi" > > ) > > declare -a additional_packages 
> > > > @@ -113,6 +116,9 @@ ln > > -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket ln > > -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount # set > > default systemd target ln > > -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target > > +# initialize pacman keyring +pacman-key --init > > +pacman-key --populate archlinux > > EOF > > return 0 > > } > > @@ -136,19 +142,21 @@ lxc.network.flags=up > > lxc.network.name=eth0 > > lxc.network.mtu=1500 > > #cgroups > > +# please refer to kernel documentation for details: > > +# https://www.kernel.org/doc/Documentation/devices.txt > > +# https://www.kernel.org/doc/Documentation/cgroups/devices.txt > > lxc.cgroup.devices.deny = a > > -lxc.cgroup.devices.allow = c *:* m > > -lxc.cgroup.devices.allow = b *:* m > > +# /dev/{null,zero,full,random,urandom} > > lxc.cgroup.devices.allow = c 1:3 rwm > > lxc.cgroup.devices.allow = c 1:5 rwm > > lxc.cgroup.devices.allow = c 1:7 rwm > > lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 1:9 rwm > > -lxc.cgroup.devices.allow = c 1:9 rwm > > -lxc.cgroup.devices.allow = c 4:1 rwm > > +# /dev/{tty,console,ptmx} > > lxc.cgroup.devices.allow = c 5:0 rwm > > lxc.cgroup.devices.allow = c 5:1 rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > +# /dev/pts/* > > lxc.cgroup.devices.allow = c 136:* rwm > > EOF > > > > @@ -166,7 +174,7 @@ EOF > > > > # install packages within container chroot > > function install_arch { > > - if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" > > ${base_packages[@]}; then > > + if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" > > ${base_packages[@]}; then echo "Failed to install container packages" > > return 1 > > fi 
> > @@ -282,4 +290,17 @@ if [ ${?} -ne 0 ]; then > > exit 1 > > fi > > > > -echo "container config is ${config_path}/config" > > +cat << EOF > > + > > +ArchLinux container ${name} is successfully created! The configuration is > > +stored in ${config_path}/config. Please refer to > > https://wiki.archlinux.org for +information about configuring ArchLinux. > > + > > +************************************************************ > > +* THIS CONTAINER IS VULNERABLE. * > > +* There is *NO* default root password. * > > +* It is highly recommended that you set it on first login. * > > +************************************************************ > > +EOF > > + > > +exit 0 > > -- > > 1.8.5.2 > > > > > > -- > > Leonid Isaev > > GnuPG key: 0x164B5A6D > > Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D > > > > > _______________________________________________ > > lxc-devel mailing list > > [email protected] > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Leonid Isaev GnuPG key: 0x164B5A6D Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
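Review bot: the swap of "dnsutils" for "ldns" in base_packages (hunk @@ -49,7) is a replacement, not an addition, while commit message item 1 only says packages from the base group were added; please state in the message that the tools shipped by dnsutils are no longer installed in the container and that ldns is the intended replacement, so anyone scripting against the template knows what changed.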
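Review bot: the two new pacman-key lines in the chroot script (hunk @@ -113,6) run without any failure check, and the enclosing function returns 0 unconditionally after the heredoc, so if `pacman-key --init` cannot generate the new master key (key generation can stall for a long time on a host with little entropy) or `pacman-key --populate archlinux` fails, the container is still reported as successfully created but pacman inside it will not trust any signed package. Consider `pacman-key --init || exit 1` and `pacman-key --populate archlinux || exit 1`, and add a comment saying these lines are required because pacstrap is now called with -G and no longer copies the host keyring.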
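Review bot: dropping `c 4:1 rwm` (hunk @@ -136,19) is neither a duplicate nor a conflicting entry, unlike the second `c 1:9` line and the two `*:* m` wildcards, so it should be called out explicitly in commit message item 2; please also confirm that nothing in the container's boot path expects /dev/tty1. Removing `c *:* m` and `b *:* m` is the right least-privilege change, since those lines let the container mknod any character or block device node regardless of the deny-all default, and the new comments make the remaining whitelist easy to audit: 1:3 null, 1:5 zero, 1:7 full, 1:8 random, 1:9 urandom, 5:0 tty, 5:1 console, 5:2 ptmx, 136:* pts.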
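Review bot: adding -G to the pacstrap call (hunk @@ -166,7) is the change that actually stops the host's pacman keyring, including its master key, from being copied into the rootfs, which is what commit message item 3 describes; on a host whose pacstrap predates the -G option the call will be rejected, and the only thing the user then sees is the generic "Failed to install container packages". Consider naming the arch-install-scripts requirement in that failure message, and add a one-line comment tying this flag to the pacman-key --init/--populate lines in the chroot script so the two halves of the fix are not separated by a future edit.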
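Review bot: the banner in the final heredoc (hunk @@ -282,4) warns that there is no root password but leaves the account open; since the template already runs a script inside the chroot, it could expire or lock the root password there (for example `passwd -e root` to force a change at first login, or `passwd -l root`), so that the warning describes a closed default rather than an open one, and the message could then tell the user how to set the password (lxc-attach or chroot into the rootfs). The unquoted heredoc is correct here, since ${name} and ${config_path} are meant to expand, and the trailing `exit 0` is fine.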
