This introduces a new /usr/share/lxc/config directory containing common configuration snippets.
The two Ubuntu templates are then simplified to just include the relevant entries avoiding a whole lot of hardcoded cgroup, capabilities and mount points configuration. An extra comment is also added at the top of all generated configuration files telling the user to look at lxc.conf(5) for more information. Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- config/Makefile.am | 16 +---- config/default.conf.libvirt | 3 - config/default.conf.ubuntu | 3 - config/default.conf.unknown | 1 - config/etc/Makefile.am | 15 ++++ config/etc/default.conf.libvirt | 3 + config/etc/default.conf.ubuntu | 3 + config/etc/default.conf.unknown | 1 + config/templates/Makefile.am | 8 +++ config/templates/ubuntu-cloud.common.conf.in | 4 ++ config/templates/ubuntu-cloud.lucid.conf.in | 2 + config/templates/ubuntu-cloud.userns.conf.in | 16 +++++ config/templates/ubuntu.common.conf.in | 48 +++++++++++++ config/templates/ubuntu.lucid.conf.in | 2 + configure.ac | 9 +++ src/lxc/lxccontainer.c | 1 + templates/lxc-ubuntu-cloud.in | 102 +++++++++------------------ templates/lxc-ubuntu.in | 87 ++++++++--------------- 18 files changed, 178 insertions(+), 146 deletions(-) delete mode 100644 config/default.conf.libvirt delete mode 100644 config/default.conf.ubuntu delete mode 100644 config/default.conf.unknown create mode 100644 config/etc/Makefile.am create mode 100644 config/etc/default.conf.libvirt create mode 100644 config/etc/default.conf.ubuntu create mode 100644 config/etc/default.conf.unknown create mode 100644 config/templates/Makefile.am create mode 100644 config/templates/ubuntu-cloud.common.conf.in create mode 100644 config/templates/ubuntu-cloud.lucid.conf.in create mode 100644 config/templates/ubuntu-cloud.userns.conf.in create mode 100644 config/templates/ubuntu.common.conf.in create mode 100644 config/templates/ubuntu.lucid.conf.in diff --git a/config/Makefile.am b/config/Makefile.am index 81d7709..7ca23eb 100644 --- a/config/Makefile.am +++ b/config/Makefile.am 
@@ -1,15 +1 @@
-configdir = $(sysconfdir)/lxc
-config_DATA = default.conf
-distroconf = @LXC_DISTRO_CONF@
-
-EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
-
-default.conf:
- cp $(distroconf) $@
-
-clean-local:
- @$(RM) -f default.conf
-
-distclean-local:
- @$(RM) -f default.conf
- @$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile
+SUBDIRS = etc templates
diff --git a/config/default.conf.libvirt b/config/default.conf.libvirt
deleted file mode 100644
index 6950dca..0000000
--- a/config/default.conf.libvirt
+++ /dev/null
@@ -1,3 +0,0 @@
-lxc.network.type = veth
-lxc.network.link = virbr0
-lxc.network.flags = up
diff --git a/config/default.conf.ubuntu b/config/default.conf.ubuntu
deleted file mode 100644
index 0a5ac71..0000000
--- a/config/default.conf.ubuntu
+++ /dev/null
@@ -1,3 +0,0 @@
-lxc.network.type = veth
-lxc.network.link = lxcbr0
-lxc.network.flags = up
diff --git a/config/default.conf.unknown b/config/default.conf.unknown
deleted file mode 100644
index 6c88010..0000000
--- a/config/default.conf.unknown
+++ /dev/null
@@ -1 +0,0 @@
-lxc.network.type = empty
diff --git a/config/etc/Makefile.am b/config/etc/Makefile.am
new file mode 100644
index 0000000..81d7709
--- /dev/null
+++ b/config/etc/Makefile.am
@@ -0,0 +1,15 @@
+configdir = $(sysconfdir)/lxc
+config_DATA = default.conf
+distroconf = @LXC_DISTRO_CONF@
+
+EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
+
+default.conf:
+ cp $(distroconf) $@
+
+clean-local:
+ @$(RM) -f default.conf
+
+distclean-local:
+ @$(RM) -f default.conf
+ @$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile
diff --git a/config/etc/default.conf.libvirt b/config/etc/default.conf.libvirt
new file mode 100644
index 0000000..6950dca
--- /dev/null
+++ b/config/etc/default.conf.libvirt
@@ -0,0 +1,3 @@
+lxc.network.type = veth
+lxc.network.link = virbr0
+lxc.network.flags = up
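Review bot: The `default.conf:` rule in config/etc/Makefile.am has no prerequisite, so once the file exists `make` never regenerates it from `$(distroconf)`, even after configure is re-run with a different distro selection; `default.conf: $(distroconf)` followed by `cp $< $@` ties the target to its source. The rule is moved verbatim from config/Makefile.am, so this predates the commit, but the move is a good moment to fix it. In an out-of-tree build `cp $(distroconf)` presumably also needs `$(srcdir)/` unless @LXC_DISTRO_CONF@ is absolute — worth confirming against configure.ac.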
diff --git a/config/etc/default.conf.ubuntu b/config/etc/default.conf.ubuntu
new file mode 100644
index 0000000..0a5ac71
--- /dev/null
+++ b/config/etc/default.conf.ubuntu
@@ -0,0 +1,3 @@
+lxc.network.type = veth
+lxc.network.link = lxcbr0
+lxc.network.flags = up
diff --git a/config/etc/default.conf.unknown b/config/etc/default.conf.unknown
new file mode 100644
index 0000000..6c88010
--- /dev/null
+++ b/config/etc/default.conf.unknown
@@ -0,0 +1 @@
+lxc.network.type = empty
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
new file mode 100644
index 0000000..6cc045b
--- /dev/null
+++ b/config/templates/Makefile.am
@@ -0,0 +1,8 @@
+templatesconfigdir=@LXCTEMPLATECONFIG@
+
+templatesconfig_DATA = \
+ ubuntu-cloud.common.conf \
+ ubuntu-cloud.lucid.conf \
+ ubuntu-cloud.userns.conf \
+ ubuntu.common.conf \
+ ubuntu.lucid.conf
diff --git a/config/templates/ubuntu-cloud.common.conf.in b/config/templates/ubuntu-cloud.common.conf.in
new file mode 100644
index 0000000..4d67722
--- /dev/null
+++ b/config/templates/ubuntu-cloud.common.conf.in
@@ -0,0 +1,4 @@
+# This derives from the main Ubuntu config
+lxc.include = @LXCTEMPLATECONFIG@/ubuntu.common.conf
+
+lxc.hook.clone = @LXCHOOKDIR@/ubuntu-cloud-prep
diff --git a/config/templates/ubuntu-cloud.lucid.conf.in b/config/templates/ubuntu-cloud.lucid.conf.in
new file mode 100644
index 0000000..78205e5
--- /dev/null
+++ b/config/templates/ubuntu-cloud.lucid.conf.in
@@ -0,0 +1,2 @@
+# This derives from the main Ubuntu lucid config
+lxc.include = @LXCTEMPLATECONFIG@/ubuntu.lucid.conf
diff --git a/config/templates/ubuntu-cloud.userns.conf.in b/config/templates/ubuntu-cloud.userns.conf.in
new file mode 100644
index 0000000..f47ede3
--- /dev/null
+++ b/config/templates/ubuntu-cloud.userns.conf.in
@@ -0,0 +1,16 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
new file mode 100644
index 0000000..8c61033
--- /dev/null
+++ b/config/templates/ubuntu.common.conf.in
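Review bot: The empty `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` assignments at the top of ubuntu-cloud.userns.conf.in only have the intended effect when this file is included after ubuntu-cloud.common.conf, because an empty value clears the device list that ubuntu.common.conf sets up rather than adding to it; the template does write this include last, but nothing in the file says that ordering is required. I would extend the header comment to `# Must be included after ubuntu-cloud.common.conf: the empty assignments below clear the devices cgroup policy inherited from ubuntu.common.conf, so the container has no device whitelist and relies on the user namespace alone.` The same applies to `lxc.devttydir =`, which undoes the `lxc` value from the common file.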
@@ -0,0 +1,48 @@
+# Default pivot location
+lxc.pivotdir = lxc_putold
+
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
+lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
+lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
+
+# Default console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
diff --git a/config/templates/ubuntu.lucid.conf.in b/config/templates/ubuntu.lucid.conf.in
new file mode 100644
index 0000000..adb8b7e
--- /dev/null
+++ b/config/templates/ubuntu.lucid.conf.in
@@ -0,0 +1,2 @@
+# Ubuntu 10.04 LTS doesn't have /dev/lxc/
+lxc.devttydir =
diff --git a/configure.ac b/configure.ac
index 7b3da91..575493f 100644
--- a/configure.ac
+++ b/configure.ac
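Review bot: The apparmor and nesting hints that the templates used to write into every container config (`#lxc.aa_profile = unconfined`, `#lxc.aa_profile = lxc-container-default-with-nesting`, `#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups`) are dropped in the template hunks and not carried into ubuntu.common.conf.in, so users lose the only in-file pointer to how confinement is relaxed; unless that is intentional, a short comment block here under a `# Confinement` heading, or keeping them in the container-specific section written by the templates, would preserve that guidance. Separately, `lxc.cgroup.devices.deny = a` resets the device policy, so any per-container `lxc.cgroup.devices.allow` entries only take effect if they come after the include; a one-line comment above it, `# Resets the device whitelist: per-container allow entries must follow the include`, would make that dependency explicit to anyone hand-editing a config.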
@@ -361,6 +361,7 @@ AS_AC_EXPAND(LXC_USERNIC_CONF, "$with_usernic_conf")
 AS_AC_EXPAND(LXC_USERNIC_DB, "$with_usernic_db")
 AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
 AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
+AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config")
 AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
 AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
 AS_AC_EXPAND(LOGPATH, "$with_log_path")
@@ -447,7 +448,15 @@ AC_CONFIG_FILES([
 Makefile
 lxc.pc
 lxc.spec
+ config/Makefile
+ config/etc/Makefile
+ config/templates/Makefile
+ config/templates/ubuntu-cloud.common.conf
+ config/templates/ubuntu-cloud.lucid.conf
+ config/templates/ubuntu-cloud.userns.conf
+ config/templates/ubuntu.common.conf
+ config/templates/ubuntu.lucid.conf
 doc/Makefile
 doc/api/Makefile
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 7f54f50..7e09da9 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1127,6 +1127,7 @@ bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 fprintf(f, "%02x", md_value[i]);
 fprintf(f, "\n");
 #endif
+ fprintf(f, "# For additional config options, please look at lxc.conf(5)\n");
 if (fwrite(contents, 1, flen, f) != flen) {
 SYSERROR("Writing original contents");
 free(contents);
diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index 019ef5b..6798be5 100644
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -24,6 +24,7 @@ set -e
 STATE_DIR="@LOCALSTATEDIR@"
 HOOK_DIR="@LXCHOOKDIR@"
 CLONE_HOOK_FN="$HOOK_DIR/ubuntu-cloud-prep"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 if [ -r /etc/default/lxc ]; then
 . /etc/default/lxc
@@ -59,81 +60,45 @@ copy_configuration() grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config fi - grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config - cat <<EOF >> $path/config -lxc.mount = $path/fstab -lxc.pivotdir = lxc_putold - -lxc.devttydir =$ttydir -lxc.tty = 4 -lxc.pts = 1024 - -lxc.utsname = $name -lxc.arch = $arch -lxc.cap.drop = sys_module mac_admin mac_override sys_time + # Generate the configuration file + ## Create the fstab (empty by default) + touch $path/fstab -# When using LXC with apparmor, uncomment the next line to run unconfined: -#lxc.aa_profile = unconfined + ## Relocate all the network config entries + sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config -# To support container nesting on an Ubuntu host, uncomment next two lines: -#lxc.aa_profile = lxc-container-default-with-nesting -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups + ## Relocate any other config entries + sed -i -e "/lxc./{w ${path}/config-auto" -e "d}" $path/config -lxc.hook.clone = ${CLONE_HOOK_FN} -EOF - - # can't write to devices.deny without CAP_SYS_ADMIN in init-user-ns - if [ $in_userns -ne 1 ]; then - cat <<EOF >> $path/config -lxc.cgroup.devices.deny = a -# Allow any mknod (but not using the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -# /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -# consoles -lxc.cgroup.devices.allow = c 5:1 rwm -lxc.cgroup.devices.allow = c 5:0 rwm -# /dev/{,u}random -lxc.cgroup.devices.allow = c 1:9 rwm -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 136:* rwm -lxc.cgroup.devices.allow = c 5:2 rwm -# rtc -lxc.cgroup.devices.allow = c 254:0 rm -# fuse -lxc.cgroup.devices.allow = c 10:229 rwm -# tun -lxc.cgroup.devices.allow = c 10:200 rwm -# 
full -lxc.cgroup.devices.allow = c 1:7 rwm -# hpet -lxc.cgroup.devices.allow = c 10:228 rwm -# kvm -lxc.cgroup.devices.allow = c 10:232 rwm -EOF + ## Add all the includes + echo "" >> $path/config + echo "# Common configuration" >> $path/config + if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.common.conf" ]; then + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.common.conf" >> $path/config + fi + if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.${release}.conf" ]; then + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.${release}.conf" >> $path/config + fi + if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" >> $path/config fi - cat <<EOF > $path/fstab -proc proc proc nodev,noexec,nosuid 0 0 -sysfs sys sysfs defaults 0 0 -/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 -/sys/kernel/debug sys/kernel/debug none bind,optional 0 0 -/sys/kernel/security sys/kernel/security none bind,optional 0 0 -/sys/fs/pstore sys/fs/pstore none bind,optional 0 0 + ## Add the container-specific config + echo "" >> $path/config + echo "# Container specific configuration" >> $path/config + [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto + grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config + cat <<EOF >> $path/config +lxc.mount = $path/fstab +lxc.utsname = $name +lxc.arch = $arch EOF - # unprivileged user can't mknod these. One day we may allow - # that in the kernel, but not right now. So let's just bind - # mount the files from the host. 
- if [ $in_userns -eq 1 ]; then - mkdir -p $rootfs/dev/pts - for dev in null tty urandom console; do - touch $rootfs/dev/$dev - echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab - done - fi + ## Re-add the previously removed network config + echo "" >> $path/config + echo "# Network configuration" >> $path/config + cat $path/config-network >> $path/config + rm $path/config-network # Set initial timezone as on host if [ -f /etc/timezone ]; then @@ -397,6 +362,7 @@ do_extract_rootfs() { cd $rootfs if [ $in_userns -eq 1 ]; then tar --anchored --exclude="dev/*" --numeric-owner -xpzf "$cache/$filename" + mkdir -p $cache/$filename/dev/pts/ else tar --numeric-owner -xpzf "$cache/$filename" fi diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index e20a874..3dcc93a 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -26,7 +26,8 @@ set -e -LOCALSTATEDIR=@LOCALSTATEDIR@ +LOCALSTATEDIR="@LOCALSTATEDIR@" +LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" if [ -r /etc/default/lxc ]; then . /etc/default/lxc @@ -385,11 +386,6 @@ copy_configuration() arch="i686" fi - ttydir="" - if [ -f $rootfs/etc/init/container-detect.conf ]; then - ttydir=" lxc" - fi - # if there is exactly one veth network entry, make sure it has an # associated hwaddr. nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` 
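Review bot: The two relocation commands in copy_configuration, `sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}"` and `sed -i -e "/lxc./{w ${path}/config-auto" -e "d}"`, use unanchored patterns with an unescaped `.`, so any line merely containing `lxc` followed by one character — a comment, or an `lxc.include` the user passed in — is moved into the network or container-specific section, and the section headers the script then writes no longer describe what follows. Anchoring and escaping, `/^lxc\.network\./` and `/^lxc\./`, limits the move to real keys; the same two lines appear in the lxc-ubuntu.in hunk at @@ -397,63 and need the same change. Separately, the `ubuntu-cloud.userns.conf` include is silently skipped when the file is absent, which leaves `lxc.cgroup.devices.deny = a` from the common config in force inside a user namespace — the very case the removed `if [ $in_userns -ne 1 ]` branch guarded — so for `in_userns -eq 1` a missing file presumably deserves `echo "... userns config missing" >&2; return 1` rather than a config that looks complete but may not start. copy_configuration begins before this hunk.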
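Review bot: The added `mkdir -p $cache/$filename/dev/pts/` in do_extract_rootfs targets a path under the tarball itself — `"$cache/$filename"` is the file passed to `tar -xpzf` on the line above — so the mkdir fails with a not-a-directory error, and with the script running under `set -e` (visible as context in the earlier @@ -24,6 hunk) the userns branch aborts after extraction. Given the `cd $rootfs` context line, the intended target is presumably the container root: `mkdir -p $rootfs/dev/pts/`. This replaces the `mkdir -p $rootfs/dev/pts` the old copy_configuration did, so without the fix unprivileged creation loses its /dev/pts mount point.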
@@ -397,63 +393,42 @@ copy_configuration() grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config fi + # Generate the configuration file + ## Create the fstab (empty by default) + touch $path/fstab + + ## Relocate all the network config entries + sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config + + ## Relocate any other config entries + sed -i -e "/lxc./{w ${path}/config-auto" -e "d}" $path/config + + ## Add all the includes + echo "" >> $path/config + echo "# Common configuration" >> $path/config + if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" ]; then + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" >> $path/config + fi + if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.${release}.conf" ]; then + echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.${release}.conf" >> $path/config + fi + + ## Add the container-specific config + echo "" >> $path/config + echo "# Container specific configuration" >> $path/config + [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config cat <<EOF >> $path/config lxc.mount = $path/fstab -lxc.pivotdir = lxc_putold - -lxc.devttydir =$ttydir -lxc.tty = 4 -lxc.pts = 1024 - lxc.utsname = $name lxc.arch = $arch -lxc.cap.drop = sys_module mac_admin mac_override sys_time - -# When using LXC with apparmor, uncomment the next line to run unconfined: -#lxc.aa_profile = unconfined - -# To support container nesting on an Ubuntu host, uncomment next two lines: -#lxc.aa_profile = lxc-container-default-with-nesting -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups - -lxc.cgroup.devices.deny = a -# Allow any mknod (but not using the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -# /dev/null and zero 
-lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -# consoles -lxc.cgroup.devices.allow = c 5:1 rwm -lxc.cgroup.devices.allow = c 5:0 rwm -# /dev/{,u}random -lxc.cgroup.devices.allow = c 1:9 rwm -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 136:* rwm -lxc.cgroup.devices.allow = c 5:2 rwm -# rtc -lxc.cgroup.devices.allow = c 254:0 rm -# fuse -lxc.cgroup.devices.allow = c 10:229 rwm -# tun -lxc.cgroup.devices.allow = c 10:200 rwm -# full -lxc.cgroup.devices.allow = c 1:7 rwm -# hpet -lxc.cgroup.devices.allow = c 10:228 rwm -# kvm -lxc.cgroup.devices.allow = c 10:232 rwm EOF - cat <<EOF > $path/fstab -proc proc proc nodev,noexec,nosuid 0 0 -sysfs sys sysfs defaults 0 0 -/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 -/sys/kernel/debug sys/kernel/debug none bind,optional 0 0 -/sys/kernel/security sys/kernel/security none bind,optional 0 0 -/sys/fs/pstore sys/fs/pstore none bind,optional 0 0 -EOF + ## Re-add the previously removed network config + echo "" >> $path/config + echo "# Network configuration" >> $path/config + cat $path/config-network >> $path/config + rm $path/config-network if [ $? -ne 0 ]; then echo "Failed to add configuration" -- 1.8.5.1 ------------------------------------------------------------------------------ Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now! http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk _______________________________________________ lxc-devel mailing list lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
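Review bot: The context line `if [ $? -ne 0 ]; then` with `echo "Failed to add configuration"` now tests the exit status of the new `rm $path/config-network` rather than the configuration writes it used to follow, so the message can no longer report a failed relocation, include or heredoc; under `set -e` those abort earlier without it anyway. Either drop the check or move it directly after `cat <<EOF >> $path/config ... EOF` if its wording is meant to stay accurate. copy_configuration in lxc-ubuntu.in continues past the end of this hunk.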