On Tue, Jan 21, 2014 at 11:56:56AM -0500, Michael H. Warfield wrote: > Update Fedora and CentOS templates for common conf includes. > > This updates the Fedora and CentOS templates to utilize a common > included config. This is largely based on the changes in the Oracle > template with some exceptions. > > Dropping of setpcap (present in the Oracle template) is commented out in > the Fedora template. It seems to cause problems, such as large login > delays with Fedora 20 containers (but not Fedora 19 - strange). > > The Fedora template is further modified to disable systemd-journald.service > as it is unnecessary in a container and causes serious problems when > running in a Fedora 20 container. > > The Fedora template is also updated to default to Fedora 20 when running > on a non-Fedora host. > > Regards, > Mike > > Signed-off-by: Michael H. Warfield <[email protected]>
Acked-by: Stéphane Graber <[email protected]> I'll setup builds for CentOS 6.5 on amd64 and i386 and for Fedora 19 and 20 also on amd64 and i386. I believe Fedora 20 also supports armhf but that one may need a bit more work to get going (do you know if your template works with armhf?). > --- > config/templates/Makefile.am | 4 ++ > config/templates/centos.common.conf.in | 47 ++++++++++++++++++++++ > config/templates/centos.userns.conf.in | 19 +++++++++ > config/templates/fedora.common.conf.in | 49 +++++++++++++++++++++++ > config/templates/fedora.userns.conf.in | 19 +++++++++ > configure.ac | 4 ++ > templates/lxc-centos.in | 48 +++++++++++----------- > templates/lxc-fedora.in | 73 > +++++++++++++++++----------------- > 8 files changed, 203 insertions(+), 60 deletions(-) > create mode 100644 config/templates/centos.common.conf.in > create mode 100644 config/templates/centos.userns.conf.in > create mode 100644 config/templates/fedora.common.conf.in > create mode 100644 config/templates/fedora.userns.conf.in > > diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am > index c7f5812..bcea3c3 100644 > --- a/config/templates/Makefile.am > +++ b/config/templates/Makefile.am > @@ -1,8 +1,12 @@ > templatesconfigdir=@LXCTEMPLATECONFIG@ > > templatesconfig_DATA = \ > + centos.common.conf \ > + centos.userns.conf \ > debian.common.conf \ > debian.userns.conf \ > + fedora.common.conf \ > + fedora.userns.conf \ > oracle.common.conf \ > oracle.userns.conf \ > plamo.common.conf \ > diff --git a/config/templates/centos.common.conf.in > b/config/templates/centos.common.conf.in > new file mode 100644 > index 0000000..c0e6816 > --- /dev/null > +++ b/config/templates/centos.common.conf.in 
> @@ -0,0 +1,47 @@ > +# Taken from the oracle.common.conf.in > +# Console settings > + > +lxc.devttydir = lxc > +lxc.tty = 4 > +lxc.pts = 1024 > + > +# Mount entries > +lxc.mount.auto = proc:mixed sys:ro > + > +# Ensure hostname is changed on clone > +lxc.hook.clone = @LXCHOOKDIR@/clonehostname > + > +# Capabilities > +# Uncomment these if you don't run anything that needs the capability, and > +# would like the container to run with less privilege. > +# > +# Dropping sys_admin disables container root from doing a lot of things > +# that could be bad like re-mounting lxc fstab entries rw for example, > +# but also disables some useful things like being able to nfs mount, and > +# things that are already namespaced with ns_capable() kernel checks, like > +# hostname(1). > +# lxc.cap.drop = sys_admin > +# lxc.cap.drop = net_raw # breaks dhcp/ping > +# lxc.cap.drop = setgid # breaks login (initgroups/setgroups) > +# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd) > +# lxc.cap.drop = setuid # breaks sshd,nfs statd > +# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) > +# lxc.cap.drop = audit_write > +# > +lxc.cap.drop = mac_admin mac_override setfcap setpcap > +lxc.cap.drop = sys_module sys_nice sys_pacct > +lxc.cap.drop = sys_rawio sys_time > + > +# Control Group devices: all denied except those whitelisted > +lxc.cgroup.devices.deny = a > +# Allow any mknod (but not reading/writing the node) > +lxc.cgroup.devices.allow = c *:* m > +lxc.cgroup.devices.allow = b *:* m > +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > +lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > console > +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master 
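Review bot: The device whitelist in this file has no entry for the rtc node (`c 254:0 rwm`) that the generated CentOS config used to allow and that the lxc-centos.in hunk at `@@ -568,26 +588,6 @@` deletes, and none of the comments say the omission is deliberate. Dropping `c 5:1` (/dev/console) is presumably fine because `lxc.devttydir = lxc` routes the console through a pty, but with the rtc gone, hwclock-style access to /dev/rtc0 will now be refused by the device cgroup. If that is intended, a line such as `# rtc (254:0) deliberately not whitelisted: containers should not touch the hardware clock` would save the next reader a diff archaeology; if not, add `lxc.cgroup.devices.allow = c 254:0 rm` to the list.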
> diff --git a/config/templates/centos.userns.conf.in > b/config/templates/centos.userns.conf.in > new file mode 100644 > index 0000000..341db0b > --- /dev/null > +++ b/config/templates/centos.userns.conf.in > @@ -0,0 +1,19 @@ > +# Taken from the oracle.userns.conf.in > +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > +lxc.cgroup.devices.deny = > +lxc.cgroup.devices.allow = > + > +# We can't move bind-mounts, so don't use /dev/lxc/ > +# lxc.devttydir = > + > +# Extra bind-mounts for userns > +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > + > +# Extra fstab entries as mountall can't mount those by itself > +lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > +lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > diff --git a/config/templates/fedora.common.conf.in > b/config/templates/fedora.common.conf.in > new file mode 100644 > index 0000000..31b23a4 > --- /dev/null > +++ b/config/templates/fedora.common.conf.in 
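Review bot: `# lxc.devttydir =` is left commented out in this file while the otherwise identical fedora.userns.conf.in hunk uncomments it, so the two userns overrides disagree on whether /dev/lxc/ is used even though both carry the same "We can't move bind-mounts" comment. Either this file should also set `lxc.devttydir =`, or the comment should explain why CentOS keeps the lxc subdirectory in the unprivileged case. The securetty entries both templates write (`lxc/console`, `lxc/tty1` …) are named for the /dev/lxc layout, so whichever way this is resolved, the root-login allowlist for unprivileged containers should be checked against the tty names that actually appear.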
> @@ -0,0 +1,49 @@ > +# Taken from the oracle.common.conf.in > +# Console settings > + > +lxc.devttydir = lxc > +lxc.tty = 4 > +lxc.pts = 1024 > + > +# Mount entries > +# lxc.mount.auto = proc:mixed sys:ro > + > +# Ensure hostname is changed on clone > +lxc.hook.clone = @LXCHOOKDIR@/clonehostname > + > +# Capabilities > +# Uncomment these if you don't run anything that needs the capability, and > +# would like the container to run with less privilege. > +# > +# Dropping sys_admin disables container root from doing a lot of things > +# that could be bad like re-mounting lxc fstab entries rw for example, > +# but also disables some useful things like being able to nfs mount, and > +# things that are already namespaced with ns_capable() kernel checks, like > +# hostname(1). > +# lxc.cap.drop = sys_admin > +# lxc.cap.drop = net_raw # breaks dhcp/ping > +# lxc.cap.drop = setgid # breaks login (initgroups/setgroups) > +# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd) > +# lxc.cap.drop = setuid # breaks sshd,nfs statd > +# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) > +# lxc.cap.drop = audit_write > +# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd > +# > +lxc.cap.drop = mac_admin mac_override > +lxc.cap.drop = setfcap > +lxc.cap.drop = sys_module sys_nice sys_pacct > +lxc.cap.drop = sys_rawio sys_time > + > +# Control Group devices: all denied except those whitelisted > +lxc.cgroup.devices.deny = a > +# Allow any mknod (but not reading/writing the node) > +lxc.cgroup.devices.allow = c *:* m > +lxc.cgroup.devices.allow = b *:* m > +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null > +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero > +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full > +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty > +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random > +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > +lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > 
console > +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master > diff --git a/config/templates/fedora.userns.conf.in > b/config/templates/fedora.userns.conf.in > new file mode 100644 > index 0000000..c33e38d > --- /dev/null > +++ b/config/templates/fedora.userns.conf.in > @@ -0,0 +1,19 @@ > +# Taken from the oracle.userns.conf.in > +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices > +lxc.cgroup.devices.deny = > +lxc.cgroup.devices.allow = > + > +# We can't move bind-mounts, so don't use /dev/lxc/ > +lxc.devttydir = > + > +# Extra bind-mounts for userns > +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 > +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 > +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 > +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 > +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 > +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 > + > +# Extra fstab entries as mountall can't mount those by itself > +lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > +lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > diff --git a/configure.ac b/configure.ac > index 4179dcf..e2b7e79 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -554,8 +554,12 @@ AC_CONFIG_FILES([ > config/init/upstart/Makefile > config/etc/Makefile > config/templates/Makefile > + config/templates/centos.common.conf > + config/templates/centos.userns.conf > config/templates/debian.common.conf > config/templates/debian.userns.conf > + config/templates/fedora.common.conf > + config/templates/fedora.userns.conf > config/templates/oracle.common.conf > config/templates/oracle.userns.conf > config/templates/plamo.common.conf > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in > index bf89427..82dc651 100644 > --- a/templates/lxc-centos.in > +++ b/templates/lxc-centos.in 
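Review bot: `# lxc.mount.auto = proc:mixed sys:ro` is commented out in this file, while the lxc-fedora.in hunk at `@@ -1041,26 +1062,6 @@` deletes the fstab that used to mount proc with `nodev,noexec,nosuid` and sysfs, so nothing in the shipped Fedora configuration now mounts /proc or /sys, and nothing keeps /sys read-only the way centos.common.conf.in does. systemd inside the container will presumably mount both itself, but that leaves sysfs writable for container root, a weaker position than both the old template and the CentOS file. If the `proc:mixed sys:ro` combination is what breaks Fedora 20, say so next to the line (`# lxc.mount.auto disabled: <reason>; systemd mounts proc/sys itself`) and consider whether `lxc.mount.auto = sys:ro` alone still works.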
> @@ -315,6 +315,22 @@ EOF > mknod -m 600 ${dev_path}/initctl p > mknod -m 666 ${dev_path}/ptmx c 5 2 > > + # setup console and tty[1-4] for login. note that /dev/console and > + # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and > + # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks. > + # lxc will maintain these links and bind mount ptys over /dev/lxc/* > + # since lxc.devttydir is specified in the config. > + > + # allow root login on console, tty[1-4], and pts/0 for libvirt > + echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty > + echo "lxc/console" >>${rootfs_path}/etc/securetty > + echo "lxc/tty1" >>${rootfs_path}/etc/securetty > + echo "lxc/tty2" >>${rootfs_path}/etc/securetty > + echo "lxc/tty3" >>${rootfs_path}/etc/securetty > + echo "lxc/tty4" >>${rootfs_path}/etc/securetty > + echo "# For libvirt/Virtual Machine Monitor" > >>${rootfs_path}/etc/securetty > + echo "pts/0" >>${rootfs_path}/etc/securetty > + > if [ ${root_display_password} = "yes" ] > then > echo "Setting root password to '$root_password'" > @@ -544,12 +560,16 @@ lxc.rootfs = $rootfs_path > > rm -f $config_path/config.def > > + if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then > + echo " > +# Include common configuration > +lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf > +" >> $config_path/config > + fi > + > + # Append things which require expansion here... > cat <<EOF >> $config_path/config > lxc.utsname = $utsname > -lxc.tty = 4 > -lxc.pts = 1024 > -lxc.mount = $config_path/fstab > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > > lxc.autodev = $auto_dev 
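Review bot: The eight `echo … >>${rootfs_path}/etc/securetty` appends run unconditionally, so any time this block executes against a rootfs that already carries them (a re-run of the template, or a rootfs copied from a cache that was already configured) the root-login allowlist grows duplicate lines; the lxc-fedora.in hunk at `@@ -259,6 +259,22 @@` has the same block. Wrapping the appends in `grep -q '^lxc/console$' ${rootfs_path}/etc/securetty || { … }` keeps the edit idempotent. The enclosing function starts before this hunk.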
> > @@ -568,26 +588,6 @@ lxc.autodev = $auto_dev > # Note: This may potentially collide with other containers of same > name! > #lxc.network.veth.pair = v-$name-e0 > > -#cgroups > -lxc.cgroup.devices.deny = a > -# /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -# consoles > -lxc.cgroup.devices.allow = c 5:1 rwm > -lxc.cgroup.devices.allow = c 5:0 rwm > -# /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:9 rwm > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > -lxc.cgroup.devices.allow = c 5:2 rwm > -# rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > -EOF > - > - cat <<EOF > $config_path/fstab > -proc proc proc nodev,noexec,nosuid 0 0 > -sysfs sys sysfs defaults 0 0 > EOF > > if [ $? -ne 0 ]; then > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index a96701f..12c810d 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in 
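Review bot: When `@LXCTEMPLATECONFIG@/centos.common.conf` is absent, the `if [ -e … ]` branch silently emits nothing, and because this hunk also deletes the inline `lxc.cap.drop`, `lxc.tty`, `lxc.pts` and `lxc.mount` lines (and the following hunk deletes the cgroup device list and the fstab), the container then starts with no capability drops and no device cgroup restrictions at all, without any warning. A missing include should fail loudly rather than degrade to a less confined container: add `else echo "Missing @LXCTEMPLATECONFIG@/centos.common.conf" >&2; return 1` before the `fi`, or at least emit the old inline defaults in that branch. The lxc-fedora.in hunk at `@@ -1017,12 +1034,16 @@` has the same structure. The enclosing block starts before this hunk.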
> @@ -259,6 +259,22 @@ EOF > mknod -m 600 ${dev_path}/initctl p > mknod -m 666 ${dev_path}/ptmx c 5 2 > > + # setup console and tty[1-4] for login. note that /dev/console and > + # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and > + # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks. > + # lxc will maintain these links and bind mount ptys over /dev/lxc/* > + # since lxc.devttydir is specified in the config. > + > + # allow root login on console, tty[1-4], and pts/0 for libvirt > + echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty > + echo "lxc/console" >>${rootfs_path}/etc/securetty > + echo "lxc/tty1" >>${rootfs_path}/etc/securetty > + echo "lxc/tty2" >>${rootfs_path}/etc/securetty > + echo "lxc/tty3" >>${rootfs_path}/etc/securetty > + echo "lxc/tty4" >>${rootfs_path}/etc/securetty > + echo "# For libvirt/Virtual Machine Monitor" > >>${rootfs_path}/etc/securetty > + echo "pts/0" >>${rootfs_path}/etc/securetty > + > if [ ${root_display_password} = "yes" ] > then > echo "Setting root password to '$root_password'" > @@ -324,6 +340,7 @@ configure_fedora_systemd() > rm -f ${rootfs_path}/etc/systemd/system/default.target > touch ${rootfs_path}/etc/fstab > chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service > + chroot ${rootfs_path} ln -s /dev/null > /etc/systemd/system/systemd-journald.service > chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target > /etc/systemd/system/default.target > #dependency on a device unit fails it specially that we disabled udev > # sed -i 's/After=dev-%i.device/After=/' > ${rootfs_path}/lib/systemd/system/getty\@.service 
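Review bot: Masking systemd-journald.service by linking it to /dev/null removes the only log collector a stock Fedora container has; unless rsyslog or another /dev/log reader is installed in the rootfs (not visible here), messages from sshd, pam and cron are dropped, which is a loss of audit trail for anyone investigating the container later. The commit message says journald "causes serious problems" in Fedora 20 containers, but the script itself carries no explanation; a comment next to the new `ln -s`, such as `# journald masked: <reason>; install rsyslog in the container if logs are needed`, would preserve the reasoning and warn operators. The `ln -s` is also unguarded, so it fails if the mask already exists; its exit status is not checked in the hunk, matching the udev line above it. configure_fedora_systemd continues outside the hunk.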
> @@ -379,7 +396,7 @@ configure_fedora_systemd() > # and then used to build other arbitrary vesions of Fedora of a > # given architecture. Not that this only has to run once for > # Fedora on a given architecture since rpm and yum can build other > -# versions. We'll arbitrarily pick Fedora 19 to build this. This > +# versions. We'll arbitrarily pick Fedora 20 to build this. This > # will need to change as time goes on. > > # Programmers Note... A future fall back may be to download the netinst > @@ -530,10 +547,10 @@ Have a beer or a cup of coffee. This will take a bit > (~300MB). > " > sleep 3 # let him read it... > > - # Right now, we are using Fedora 19 for the inial bootstrap. > + # Right now, we are using Fedora 20 for the inial bootstrap. > # We could make this the "current" Fedora rev (F > 15). > > - rsync -av > mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS . > + rsync -av > mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/LiveOS . > > if [[ 0 == $? ]] > then > @@ -610,8 +627,8 @@ This will take a couple of minutes. Patience..." > # of this LiveOS image we're camped out on. This is the beginning > # of the butt ugly hack. Look close or you may missing it... > > - rsync -av > mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \ > - > mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* . > + rsync -av > mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/r/rpm-[0-9]* \ > + > mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/y/yum-[0-9]* . > > # And here it is... > # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?! 
> @@ -643,7 +660,7 @@ This will take a couple of minutes. Patience..." > echo "Stage 1 creation complete. Building stage 2 Installation > Bootstrap" > > mount -o bind ../bootstrap run/install > - rsync -av > mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* > . > + rsync -av > mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/f/fedora-release-20* > . > > # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?! > chroot . rpm --root /run/install --nodeps -ivh fedora-release-* > @@ -934,7 +951,7 @@ install_fedora() > { > mkdir -p @LOCALSTATEDIR@/lock/subsys/ > ( > - flock -x 200 > + flock -x 9 > if [ $? -ne 0 ]; then > echo "Cache repository is busy." > return 1 > @@ -965,7 +982,7 @@ install_fedora() > fi > > return 0 > - ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora > + ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora > > return $? > } > @@ -1017,12 +1034,16 @@ lxc.rootfs = $rootfs_path > > rm -f $config_path/config.def > > + if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]; then > + echo " > +# Include common configuration > +lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf > +" >> $config_path/config > + fi > + > + # Append things which require expansion here... > cat <<EOF >> $config_path/config > lxc.utsname = $utsname > -lxc.tty = 4 > -lxc.pts = 1024 > -lxc.mount = $config_path/fstab > -lxc.cap.drop = sys_module mac_admin mac_override sys_time > > lxc.autodev = $auto_dev 
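Review bot: The lock descriptor changes from 200 to 9 in four places (`@@ -934` and `@@ -965` here, `@@ -1080` and `@@ -1089` in clean()) with nothing in the commit message or the script saying why; presumably it is for portability, since POSIX sh only guarantees descriptors 0–9 in redirections, but a reader will otherwise wonder whether the two subshells still share one lock. A comment at the first site, `# fd 9: POSIX sh only guarantees fds 0-9 in redirections`, settles it, and both `flock`/redirection pairs must keep the same number or the cache lock stops excluding clean() from install_fedora().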
> > @@ -1041,26 +1062,6 @@ lxc.autodev = $auto_dev > # Note: This may potentially collide with other containers of same > name! > #lxc.network.veth.pair = v-$name-e0 > > -#cgroups > -lxc.cgroup.devices.deny = a > -# /dev/null and zero > -lxc.cgroup.devices.allow = c 1:3 rwm > -lxc.cgroup.devices.allow = c 1:5 rwm > -# consoles > -lxc.cgroup.devices.allow = c 5:1 rwm > -lxc.cgroup.devices.allow = c 5:0 rwm > -# /dev/{,u}random > -lxc.cgroup.devices.allow = c 1:9 rwm > -lxc.cgroup.devices.allow = c 1:8 rwm > -lxc.cgroup.devices.allow = c 136:* rwm > -lxc.cgroup.devices.allow = c 5:2 rwm > -# rtc > -lxc.cgroup.devices.allow = c 254:0 rm > -EOF > - > - cat <<EOF > $config_path/fstab > -proc proc proc nodev,noexec,nosuid 0 0 > -sysfs sys sysfs defaults 0 0 > EOF > > if [ $? -ne 0 ]; then > @@ -1080,7 +1081,7 @@ clean() > > # lock, so we won't purge while someone is creating a repository > ( > - flock -x 200 > + flock -x 9 > if [ $? != 0 ]; then > echo "Cache repository is busy." > exit 1 > @@ -1089,7 +1090,7 @@ clean() > echo -n "Purging the download cache for Fedora-$release..." > rm --preserve-root --one-file-system -rf $cache && echo "Done." || > exit 1 > exit 0 > - ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora > + ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora > } > > usage() 
> @@ -1206,8 +1207,8 @@ if [ -z "$release" ]; then > if [ "$is_fedora" -a "$fedora_host_ver" ]; then > release=$fedora_host_ver > else > - echo "This is not a fedora host and release missing, defaulting to > 19. use -R|--release to specify release" > - release=19 > + echo "This is not a fedora host and release missing, defaulting to > 20 use -R|--release to specify release" > + release=20 > fi > fi > > -- > 1.8.3.1 > > > -- > Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected] > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ > NIC whois: MHW9 | An optimist believes we live in the best of all > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
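Review bot: The rewritten message loses the sentence break the old line had, so it now reads `defaulting to 20 use -R|--release`; restore it as `"This is not a fedora host and release missing, defaulting to 20. use -R|--release to specify release"`. The surrounding `if` starts before this hunk.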
