Update Fedora and CentOS templates for common conf includes.

This updates the Fedora and CentOS templates to utilize a common
included config.  This is largely based on the changes in the Oracle
template with some exceptions.

Dropping of setpcap (present in the Oracle template) is commented out in
the Fedora template.  It seems to cause problems, such as large login
delays with Fedora 20 containers (but not Fedora 19 - strange).

The Fedora template is further modified to disable systemd-journald.service
as it is unnecessary in a container and causes serious problems when
running in a Fedora 20 container.

The Fedora template is also updated to default to Fedora 20 when running
on a non-Fedora host.

Regards,
Mike

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Michael H. Warfield 2014-01-21 11:56:56 -05:00 committed by Stéphane Graber
parent ae22a22064
commit 1ecee40b7d
8 changed files with 203 additions and 60 deletions


@ -1,8 +1,12 @@
templatesconfigdir=@LXCTEMPLATECONFIG@
templatesconfig_DATA = \
centos.common.conf \
centos.userns.conf \
debian.common.conf \
debian.userns.conf \
fedora.common.conf \
fedora.userns.conf \
oracle.common.conf \
oracle.userns.conf \
plamo.common.conf \


@ -0,0 +1,47 @@
# Taken from the oracle.common.conf.in
# Console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
#
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master


@ -0,0 +1,19 @@
# Taken from the oracle.userns.conf.in
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
# lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
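Review bot: `# lxc.devttydir =` directly under the "We can't move bind-mounts, so don't use /dev/lxc/" comment is commented out, so the comment describes a setting this file does not apply and the `lxc.devttydir = lxc` from centos.common.conf presumably remains in effect for userns containers; the fedora.userns.conf section of the same commit has the identical line active. Either activate it here as well or reword the comment to say why it is left disabled, e.g. `# lxc.devttydir intentionally left as set by centos.common.conf -- TODO(review): confirm bind-mounts under /dev/lxc/ work in userns`.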


@ -0,0 +1,49 @@
# Taken from the oracle.common.conf.in
# Console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries
# lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
#
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
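Review bot: `# lxc.mount.auto = proc:mixed sys:ro` is commented out in this file with no explanation, while the centos.common.conf section of the same commit keeps the line active. The lxc-fedora template's generated fstab, visible as context in that section (`proc proc proc nodev,noexec,nosuid 0 0` and `sysfs sys sysfs defaults 0 0`), mounts sysfs without `ro`, so Fedora containers presumably end up with a writable /sys whereas CentOS ones do not. If that is deliberate, record the reason beside the line, e.g. `# lxc.mount.auto = proc:mixed sys:ro  # disabled: TODO(review) record why; lxc-fedora's fstab mounts proc/sys instead`; otherwise re-enable it as in centos.common.conf.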


@ -0,0 +1,19 @@
# Taken from the oracle.userns.conf.in
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0


@ -554,8 +554,12 @@ AC_CONFIG_FILES([
config/init/upstart/Makefile
config/etc/Makefile
config/templates/Makefile
config/templates/centos.common.conf
config/templates/centos.userns.conf
config/templates/debian.common.conf
config/templates/debian.userns.conf
config/templates/fedora.common.conf
config/templates/fedora.userns.conf
config/templates/oracle.common.conf
config/templates/oracle.userns.conf
config/templates/plamo.common.conf


@ -315,6 +315,22 @@ EOF
mknod -m 600 ${dev_path}/initctl p
mknod -m 666 ${dev_path}/ptmx c 5 2
# setup console and tty[1-4] for login. note that /dev/console and
# /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
# /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
# lxc will maintain these links and bind mount ptys over /dev/lxc/*
# since lxc.devttydir is specified in the config.
# allow root login on console, tty[1-4], and pts/0 for libvirt
echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
echo "lxc/console" >>${rootfs_path}/etc/securetty
echo "lxc/tty1" >>${rootfs_path}/etc/securetty
echo "lxc/tty2" >>${rootfs_path}/etc/securetty
echo "lxc/tty3" >>${rootfs_path}/etc/securetty
echo "lxc/tty4" >>${rootfs_path}/etc/securetty
echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
echo "pts/0" >>${rootfs_path}/etc/securetty
if [ ${root_display_password} = "yes" ]
then
echo "Setting root password to '$root_password'"
@ -544,12 +560,16 @@ lxc.rootfs = $rootfs_path
rm -f $config_path/config.def
if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then
echo "
# Include common configuration
lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
" >> $config_path/config
fi
# Append things which require expansion here...
cat <<EOF >> $config_path/config
lxc.utsname = $utsname
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev
@ -568,26 +588,6 @@ lxc.autodev = $auto_dev
# Note: This may potentially collide with other containers of same name!
#lxc.network.veth.pair = v-$name-e0
#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
EOF
cat <<EOF > $config_path/fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then
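Review bot: In the second hunk, `if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then` silently skips the include when the file is absent, and because the third hunk deletes the inline `lxc.cgroup.devices.deny = a` and the allow rules, such a container would presumably be created with no device cgroup restrictions and only the caps on the remaining `lxc.cap.drop = sys_module mac_admin mac_override sys_time` line, with nothing reported to the user. Add an else branch that at least warns, e.g. `else echo "Warning: @LXCTEMPLATECONFIG@/centos.common.conf not found; common restrictions not applied" >&2`, or fail outright if the template is expected to be installed alongside the include. The `fedora.common.conf` hunk in the lxc-fedora section has the same pattern. Separately, the generated fstab entries `proc proc proc nodev,noexec,nosuid 0 0` and `sysfs sys sysfs defaults 0 0` remain as context below while the include now requests `lxc.mount.auto = proc:mixed sys:ro`, so proc and sys are described twice with different options; which takes effect is not clear from the page and deserves either a comment or removal of the fstab entries. The enclosing function starts and ends outside these hunks.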


@ -259,6 +259,22 @@ EOF
mknod -m 600 ${dev_path}/initctl p
mknod -m 666 ${dev_path}/ptmx c 5 2
# setup console and tty[1-4] for login. note that /dev/console and
# /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
# /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
# lxc will maintain these links and bind mount ptys over /dev/lxc/*
# since lxc.devttydir is specified in the config.
# allow root login on console, tty[1-4], and pts/0 for libvirt
echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
echo "lxc/console" >>${rootfs_path}/etc/securetty
echo "lxc/tty1" >>${rootfs_path}/etc/securetty
echo "lxc/tty2" >>${rootfs_path}/etc/securetty
echo "lxc/tty3" >>${rootfs_path}/etc/securetty
echo "lxc/tty4" >>${rootfs_path}/etc/securetty
echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
echo "pts/0" >>${rootfs_path}/etc/securetty
if [ ${root_display_password} = "yes" ]
then
echo "Setting root password to '$root_password'"
@ -324,6 +340,7 @@ configure_fedora_systemd()
rm -f ${rootfs_path}/etc/systemd/system/default.target
touch ${rootfs_path}/etc/fstab
chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service
chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
#dependency on a device unit fails it specially that we disabled udev
# sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
@ -379,7 +396,7 @@ configure_fedora_systemd()
# and then used to build other arbitrary vesions of Fedora of a
# given architecture. Not that this only has to run once for
# Fedora on a given architecture since rpm and yum can build other
# versions. We'll arbitrarily pick Fedora 19 to build this. This
# versions. We'll arbitrarily pick Fedora 20 to build this. This
# will need to change as time goes on.
# Programmers Note... A future fall back may be to download the netinst
@ -530,10 +547,10 @@ Have a beer or a cup of coffee. This will take a bit (~300MB).
"
sleep 3 # let him read it...
# Right now, we are using Fedora 19 for the inial bootstrap.
# Right now, we are using Fedora 20 for the inial bootstrap.
# We could make this the "current" Fedora rev (F > 15).
rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS .
rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/LiveOS .
if [[ 0 == $? ]]
then
@ -610,8 +627,8 @@ This will take a couple of minutes. Patience..."
# of this LiveOS image we're camped out on. This is the beginning
# of the butt ugly hack. Look close or you may missing it...
rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* .
rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/y/yum-[0-9]* .
# And here it is...
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
@ -643,7 +660,7 @@ This will take a couple of minutes. Patience..."
echo "Stage 1 creation complete. Building stage 2 Installation Bootstrap"
mount -o bind ../bootstrap run/install
rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* .
rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/f/fedora-release-20* .
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
@ -934,7 +951,7 @@ install_fedora()
{
mkdir -p @LOCALSTATEDIR@/lock/subsys/
(
flock -x 200
flock -x 9
if [ $? -ne 0 ]; then
echo "Cache repository is busy."
return 1
@ -965,7 +982,7 @@ install_fedora()
fi
return 0
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
return $?
}
@ -1017,12 +1034,16 @@ lxc.rootfs = $rootfs_path
rm -f $config_path/config.def
if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]; then
echo "
# Include common configuration
lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
" >> $config_path/config
fi
# Append things which require expansion here...
cat <<EOF >> $config_path/config
lxc.utsname = $utsname
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev
@ -1041,26 +1062,6 @@ lxc.autodev = $auto_dev
# Note: This may potentially collide with other containers of same name!
#lxc.network.veth.pair = v-$name-e0
#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
EOF
cat <<EOF > $config_path/fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then
@ -1080,7 +1081,7 @@ clean()
# lock, so we won't purge while someone is creating a repository
(
flock -x 200
flock -x 9
if [ $? != 0 ]; then
echo "Cache repository is busy."
exit 1
@ -1089,7 +1090,7 @@ clean()
echo -n "Purging the download cache for Fedora-$release..."
rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
exit 0
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
}
usage()
@ -1206,8 +1207,8 @@ if [ -z "$release" ]; then
if [ "$is_fedora" -a "$fedora_host_ver" ]; then
release=$fedora_host_ver
else
echo "This is not a fedora host and release missing, defaulting to 19. use -R|--release to specify release"
release=19
echo "This is not a fedora host and release missing, defaulting to 20 use -R|--release to specify release"
release=20
fi
fi
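Review bot: The new `echo "This is not a fedora host and release missing, defaulting to 20 use -R|--release to specify release"` in the last hunk dropped the period that the replaced line had after the release number, so the message now reads as one run-on sentence; restore it as `defaulting to 20. use -R|--release`. In the `configure_fedora_systemd()` hunk, `chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service` masks journald with no comment in the script, so service log output inside the container is presumably no longer collected anywhere; the rationale lives only in the commit message and deserves a line such as `# journald is masked: it causes serious problems in Fedora 20 containers; in-container service logs are therefore not retained`. The `flock -x 9` / `9>` change is consistent between `install_fedora()` and `clean()`, but a short comment on why the descriptor changed from 200 would help the next reader, since the page gives no reason. The enclosing functions of the securetty and config hunks start outside the visible lines.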