Quoting Stéphane Graber ([email protected]): > Signed-off-by: Stéphane Graber <[email protected]>
Acked-by: Serge E. Hallyn <[email protected]> > --- > config/templates/Makefile.am | 2 ++ > config/templates/debian.common.conf.in | 62 > ++++++++++++++++++++++++++++++++++ > config/templates/debian.userns.conf.in | 9 +++++ > configure.ac | 2 ++ > templates/lxc-debian.in | 60 +++++++++++++++----------------- > 5 files changed, 102 insertions(+), 33 deletions(-) > create mode 100644 config/templates/debian.common.conf.in > create mode 100644 config/templates/debian.userns.conf.in > > diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am > index 4c71375..c7f5812 100644 > --- a/config/templates/Makefile.am > +++ b/config/templates/Makefile.am > @@ -1,6 +1,8 @@ > templatesconfigdir=@LXCTEMPLATECONFIG@ > > templatesconfig_DATA = \ > + debian.common.conf \ > + debian.userns.conf \ > oracle.common.conf \ > oracle.userns.conf \ > plamo.common.conf \ > diff --git a/config/templates/debian.common.conf.in > b/config/templates/debian.common.conf.in > new file mode 100644 > index 0000000..09e5c40 > --- /dev/null > +++ b/config/templates/debian.common.conf.in 
> @@ -0,0 +1,62 @@ > +# Default pivot location > +lxc.pivotdir = lxc_putold > + > +# Default mount entries > +lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 > +lxc.mount.entry = sysfs sys sysfs defaults 0 0 > +lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none > bind,optional 0 0 > + > +# Default console settings > +lxc.tty = 4 > +lxc.pts = 1024 > + > +# Default capabilities > +lxc.cap.drop = sys_module mac_admin mac_override sys_time > + > +# When using LXC with apparmor, the container will be confined by default. > +# If you wish for it to instead run unconfined, copy the following line > +# (uncommented) to the container's configuration file. > +#lxc.aa_profile = unconfined > + > +# To support container nesting on an Ubuntu host while retaining most of > +# apparmor's added security, use the following two lines instead. > +#lxc.aa_profile = lxc-container-default-with-nesting > +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups > + > +# If you wish to allow mounting block filesystems, then use the following > +# line instead, and make sure to grant access to the block device and/or loop > +# devices below in lxc.cgroup.devices.allow. 
> +#lxc.aa_profile = lxc-container-default-with-mounting > + > +# Default cgroup limits > +lxc.cgroup.devices.deny = a > +## Allow any mknod (but not using the node) > +lxc.cgroup.devices.allow = c *:* m > +lxc.cgroup.devices.allow = b *:* m > +## /dev/null and zero > +lxc.cgroup.devices.allow = c 1:3 rwm > +lxc.cgroup.devices.allow = c 1:5 rwm > +## consoles > +lxc.cgroup.devices.allow = c 5:0 rwm > +lxc.cgroup.devices.allow = c 5:1 rwm > +## /dev/{,u}random > +lxc.cgroup.devices.allow = c 1:8 rwm > +lxc.cgroup.devices.allow = c 1:9 rwm > +## /dev/pts/* > +lxc.cgroup.devices.allow = c 5:2 rwm > +lxc.cgroup.devices.allow = c 136:* rwm > +## rtc > +lxc.cgroup.devices.allow = c 254:0 rm > +## fuse > +lxc.cgroup.devices.allow = c 10:229 rwm > +## tun > +lxc.cgroup.devices.allow = c 10:200 rwm > +## full > +lxc.cgroup.devices.allow = c 1:7 rwm > +## hpet > +lxc.cgroup.devices.allow = c 10:228 rwm > +## kvm > +lxc.cgroup.devices.allow = c 10:232 rwm > +## To use loop devices, copy the following line to the container's > +## configuration file (uncommented). > +#lxc.cgroup.devices.allow = b 7:* rwm > diff --git a/config/templates/debian.userns.conf.in > b/config/templates/debian.userns.conf.in > new file mode 100644 > index 0000000..330a2f0 > --- /dev/null > +++ b/config/templates/debian.userns.conf.in > @@ -0,0 +1,9 @@ > +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > +lxc.cgroup.devices.deny = > +lxc.cgroup.devices.allow = > + > +# Extra bind-mounts for userns > +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > diff --git a/configure.ac b/configure.ac > index c34dee1..2d55cd6 100644 > --- a/configure.ac > +++ b/configure.ac 
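Review bot: The device allowlist in debian.common.conf.in is noticeably wider than the inline list this same commit removes from templates/lxc-debian.in, and the difference is not mentioned in the commit message: it adds fuse (10:229), tun (10:200), full (1:7), hpet (10:228) and kvm (10:232), and the `c *:* m` / `b *:* m` lines permit mknod of any node, while the old tty0/tty1 entries (4:0, 4:1) are gone. Since this file becomes the default for every Debian container, a comment under `# Default cgroup limits` stating that the list is intentionally broader than the previous per-container list (and why tty0/tty1 were dropped) would help the next maintainer judge it. It is also worth considering whether kvm and hpet should follow the loop-device pattern below and be shipped commented out, so they are opt-in per container rather than granted by default.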
> @@ -532,6 +532,8 @@ AC_CONFIG_FILES([ > config/Makefile > config/etc/Makefile > config/templates/Makefile > + config/templates/debian.common.conf > + config/templates/debian.userns.conf > config/templates/oracle.common.conf > config/templates/oracle.userns.conf > config/templates/plamo.common.conf > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > index f399c0b..5d41396 100644 > --- a/templates/lxc-debian.in > +++ b/templates/lxc-debian.in > @@ -21,6 +21,8 @@ > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 > USA > > MIRROR=${MIRROR:-http://cdn.debian.net/debian} > +LOCALSTATEDIR="@LOCALSTATEDIR@" > +LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" > > configure_debian() > { > @@ -202,11 +204,11 @@ copy_debian() > > install_debian() > { > - cache="@LOCALSTATEDIR@/cache/lxc/debian" > + cache="$LOCALSTATEDIR/cache/lxc/debian" > rootfs=$1 > release=$2 > arch=$3 > - mkdir -p @LOCALSTATEDIR@/lock/subsys/ > + mkdir -p $LOCALSTATEDIR/lock/subsys/ > ( > flock -x 9 > if [ $? -ne 0 ]; then > @@ -231,7 +233,7 @@ install_debian() > > return 0 > > - ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian > + ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian > > return $? > } > @@ -243,6 +245,10 @@ copy_configuration() > hostname=$3 > arch=$4 > > + # Generate the configuration file > + ## Create the fstab (empty by default) > + touch $path/fstab > + > # if there is exactly one veth network entry, make sure it has an > # associated hwaddr. > nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc > -l` 
> @@ -250,37 +256,25 @@ copy_configuration() > grep -q "^lxc.network.hwaddr" $path/config || sed -i -e > "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = > 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config > fi > > + ## Add all the includes > + echo "" >> $path/config > + echo "# Common configuration" >> $path/config > + if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then > + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> > $path/config > + fi > + if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then > + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" > >> $path/config > + fi > + > + ## Add the container-specific config > + echo "" >> $path/config > + echo "# Container specific configuration" >> $path/config > grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = > $rootfs" >> $path/config > + > cat <<EOF >> $path/config > -lxc.tty = 4 > -lxc.pts = 1024 > -lxc.arch = $arch > +lxc.mount = $path/fstab > lxc.utsname = $hostname > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > - > -# When using LXC with apparmor, uncomment the next line to run unconfined: > -#lxc.aa_profile = unconfined > - > -lxc.cgroup.devices.deny = a > -# /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -# consoles > -lxc.cgroup.devices.allow = c 5:1 rwm > -lxc.cgroup.devices.allow = c 5:0 rwm > -lxc.cgroup.devices.allow = c 4:0 rwm > -lxc.cgroup.devices.allow = c 4:1 rwm > -# /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:9 rwm > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > -lxc.cgroup.devices.allow = c 5:2 rwm > -# rtc > -lxc.cgroup.devices.allow = c 254:0 rm > - > -# mounts point > -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 > -lxc.mount.entry = sysfs sys sysfs defaults 0 0 > +lxc.arch = $arch > EOF > > if [ $? -ne 0 ]; then 
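Review bot: The `-e` guard on `${LXC_TEMPLATE_CONFIG}/debian.common.conf` fails silently, and with this change that file is the only place the container's hardening comes from: the heredoc no longer writes lxc.cap.drop, the lxc.cgroup.devices deny/allow entries or the proc/sysfs mount entries, so a missing or mis-prefixed common conf yields a container with none of them and no message. Consider an else branch such as `else echo "Warning: ${LXC_TEMPLATE_CONFIG}/debian.common.conf not found, container will lack the default capability and device restrictions" >&2`, or making it a hard failure, so a packaging or install-prefix mismatch cannot go unnoticed; the optional `debian.${release}.conf` include can reasonably stay silent. copy_configuration's body continues past the end of this hunk.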
> @@ -293,7 +287,7 @@ EOF > > clean() > { > - cache="@LOCALSTATEDIR@/cache/lxc/debian" > + cache="$LOCALSTATEDIR/cache/lxc/debian" > > if [ ! -e $cache ]; then > exit 0 > @@ -311,7 +305,7 @@ clean() > rm --preserve-root --one-file-system -rf $cache && echo "Done." || > exit 1 > exit 0 > > - ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian > + ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian > } > > usage() > -- > 1.8.5.2 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
