diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index c7f5812b3..bcea3c39f 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,8 +1,12 @@ templatesconfigdir=@LXCTEMPLATECONFIG@
 templatesconfig_DATA = \
+	centos.common.conf \
+	centos.userns.conf \
 	debian.common.conf \
 	debian.userns.conf \
+	fedora.common.conf \
+	fedora.userns.conf \
 	oracle.common.conf \
 	oracle.userns.conf \
 	plamo.common.conf \
diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
new file mode 100644
index 000000000..c0e68165b
--- /dev/null
+++ b/config/templates/centos.common.conf.in
@@ -0,0 +1,47 @@
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+#
+lxc.cap.drop = mac_admin mac_override setfcap setpcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
new file mode 100644
index 000000000..341db0b4c
--- /dev/null
+++ b/config/templates/centos.userns.conf.in
@@ -0,0 +1,19 @@
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+# lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
new file mode 100644
index 000000000..31b23a4a4
--- /dev/null
+++ b/config/templates/fedora.common.conf.in
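Review bot: `# lxc.devttydir =` is left commented out, so for an unprivileged CentOS container the `lxc.devttydir = lxc` set in centos.common.conf.in stays in effect, even though the comment directly above it says /dev/lxc/ must not be used because bind mounts cannot be moved. The fedora.userns.conf.in added in this same commit, which carries the same "Taken from the oracle.userns.conf.in" header, has the line active, so the CentOS copy looks like an oversight rather than a deliberate difference. Unless CentOS needs /dev/lxc/ under a user namespace for a reason not visible here, uncomment it: `lxc.devttydir =`. If the difference is intentional, replace the copied comment with one that states why CentOS keeps /dev/lxc/ in the userns case.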
@@ -0,0 +1,49 @@
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+# lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = setfcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
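Review bot: `# lxc.mount.auto = proc:mixed sys:ro` is commented out here while the same commit deletes the template's fstab that used to mount proc with `nodev,noexec,nosuid` and sysfs, so nothing in the Fedora configuration mounts /proc or /sys for the container any more. Presumably the container's init then mounts a plain read-write proc itself, which leaves /proc/sys and /proc/sysrq-trigger writable by container root, who still holds sys_admin under this file; the centos.common.conf.in in this commit keeps the line active, so the two templates now confine differently with no explanation. If systemd on Fedora 20 genuinely needs it off, add a comment next to the line stating the reason and the protection lost, e.g. `# disabled because <reason>; note /proc/sys and sysrq-trigger are then writable from the container`; otherwise re-enable it as `lxc.mount.auto = proc:mixed sys:ro`.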
diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
new file mode 100644
index 000000000..c33e38daf
--- /dev/null
+++ b/config/templates/fedora.userns.conf.in
@@ -0,0 +1,19 @@
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/configure.ac b/configure.ac
index 4179dcf92..e2b7e79db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -554,8 +554,12 @@ AC_CONFIG_FILES([
 	config/init/upstart/Makefile
 	config/etc/Makefile
 	config/templates/Makefile
+	config/templates/centos.common.conf
+	config/templates/centos.userns.conf
 	config/templates/debian.common.conf
 	config/templates/debian.userns.conf
+	config/templates/fedora.common.conf
+	config/templates/fedora.userns.conf
 	config/templates/oracle.common.conf
 	config/templates/oracle.userns.conf
 	config/templates/plamo.common.conf
diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index bf8942719..82dc651d6 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -315,6 +315,22 @@ EOF
     mknod -m 600 ${dev_path}/initctl p
     mknod -m 666 ${dev_path}/ptmx c 5 2
 
+    # setup console and tty[1-4] for login. note that /dev/console and
+    # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
+    # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
+    # lxc will maintain these links and bind mount ptys over /dev/lxc/*
+    # since lxc.devttydir is specified in the config.
+
+    # allow root login on console, tty[1-4], and pts/0 for libvirt
+    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
+    echo "lxc/console" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty1" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty2" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty3" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty4" >>${rootfs_path}/etc/securetty
+    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
+    echo "pts/0" >>${rootfs_path}/etc/securetty
+
     if [ ${root_display_password} = "yes" ]
     then
         echo "Setting root password to '$root_password'"
@@ -544,12 +560,16 @@ lxc.rootfs = $rootfs_path
     rm -f $config_path/config.def
 
+    if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then
+        echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
+" >> $config_path/config
+    fi
+
+    # Append things which require expansion here...
     cat <> $config_path/config
 lxc.utsname = $utsname
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount = $config_path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
 lxc.autodev = $auto_dev
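Review bot: `echo "pts/0" >>${rootfs_path}/etc/securetty` permits root password login on whichever process happens to be handed the first pseudo-terminal in the container's devpts instance, not only a libvirt console: an sshd session, lxc-attach or a terminal multiplexer can each be allocated pts/0, so the entry widens root login well beyond the tty lines the comment describes. The lxc/console and lxc/tty[1-4] entries above it already cover the console paths, so drop the pts/0 line unless the libvirt case is confirmed to need it, or make it opt-in and change the comment to state the real effect, e.g. `# pts/0 is the first pty handed out in the container; any program that gets it may accept root login`. The eight appends are also unconditional, so a rootfs that already carries these entries, or a second run of the template over it, ends up with duplicate lines; a `grep -qx` guard per entry would avoid that. The enclosing function starts before this hunk.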
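Review bot: When `@LXCTEMPLATECONFIG@/centos.common.conf` is absent the `if [ -e ... ]` guard silently skips the include, and because this hunk also removes `lxc.tty`, `lxc.pts`, `lxc.mount` and `lxc.cap.drop` from the heredoc, the generated config then contains no capability drops at all and, since the old `lxc.cgroup.devices.deny = a` block is deleted further down in this commit, no device whitelist either. A missing installed file is a packaging error and should be loud rather than yield a less-confined container; add an `else` branch, e.g. `else echo "Warning: @LXCTEMPLATECONFIG@/centos.common.conf not found; container will run without capability and device restrictions" >&2; fi`, or fail outright. The line shown as `cat <> $config_path/config` appears to have lost its `<<EOF` heredoc marker in this rendering rather than in the patch itself.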
@@ -568,26 +588,6 @@ lxc.autodev = $auto_dev
 # Note: This may potentially collide with other containers of same name!
 #lxc.network.veth.pair = v-$name-e0
 
-#cgroups
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
-EOF
-
-    cat < $config_path/fstab
-proc proc proc nodev,noexec,nosuid 0 0
-sysfs sys sysfs defaults 0 0
 EOF
 
     if [ $? -ne 0 ]; then
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index a96701f3a..12c810d8a 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -259,6 +259,22 @@ EOF
     mknod -m 600 ${dev_path}/initctl p
     mknod -m 666 ${dev_path}/ptmx c 5 2
 
+    # setup console and tty[1-4] for login. note that /dev/console and
+    # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
+    # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
+    # lxc will maintain these links and bind mount ptys over /dev/lxc/*
+    # since lxc.devttydir is specified in the config.
+
+    # allow root login on console, tty[1-4], and pts/0 for libvirt
+    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
+    echo "lxc/console" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty1" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty2" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty3" >>${rootfs_path}/etc/securetty
+    echo "lxc/tty4" >>${rootfs_path}/etc/securetty
+    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
+    echo "pts/0" >>${rootfs_path}/etc/securetty
+
     if [ ${root_display_password} = "yes" ]
     then
         echo "Setting root password to '$root_password'"
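Review bot: Appending `pts/0` to /etc/securetty in lxc-fedora.in allows root password login on the first pseudo-terminal allocated inside the container, and that slot is not reserved for libvirt: whichever login, sshd or lxc-attach session is handed pts/0 qualifies. The lxc/console and lxc/tty[1-4] entries above it already cover the console paths the comment talks about, so the pts/0 line should go or become opt-in, with its comment changed to state the actual effect, e.g. `# pts/0: first pty in the container; any program allocating it can accept root login`. The `echo >>` lines are also unconditional, so a rootfs that already holds these entries gets them a second time; guard each with a `grep -qx` on the existing file. The enclosing function begins before this hunk.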
@@ -324,6 +340,7 @@ configure_fedora_systemd()
     rm -f ${rootfs_path}/etc/systemd/system/default.target
     touch ${rootfs_path}/etc/fstab
     chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
+    chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service
     chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
     #dependency on a device unit fails it specially that we disabled udev
     # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
@@ -379,7 +396,7 @@ configure_fedora_systemd()
 # and then used to build other arbitrary vesions of Fedora of a
 # given architecture. Not that this only has to run once for
 # Fedora on a given architecture since rpm and yum can build other
-# versions. We'll arbitrarily pick Fedora 19 to build this. This
+# versions. We'll arbitrarily pick Fedora 20 to build this. This
 # will need to change as time goes on.
 
 # Programmers Note... A future fall back may be to download the netinst
@@ -530,10 +547,10 @@ Have a beer or a cup of coffee. This will take a bit (~300MB).
 "
     sleep 3 # let him read it...
-    # Right now, we are using Fedora 19 for the inial bootstrap.
+    # Right now, we are using Fedora 20 for the inial bootstrap.
     # We could make this the "current" Fedora rev (F > 15).
-    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS .
+    rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/LiveOS .
     if [[ 0 == $? ]]
     then
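Review bot: `chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service` masks the journal with no comment saying why, whereas the udev mask above it at least has the "#dependency on a device unit" note a few lines down. Masking journald means the container keeps no local record of logins, service failures or sudo use, which matters for incident response, so the reason (presumably a journald start-up problem inside a container, but that is not visible here) and the expected alternative should be recorded next to the line, e.g. `# mask journald: <reason>; the container then has no local log unless rsyslog is installed`. If the trigger was only a dependency on udev or a device unit, a narrower fix than masking the whole service would keep logging. configure_fedora_systemd continues outside this hunk.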
@@ -610,8 +627,8 @@ This will take a couple of minutes. Patience..."
     # of this LiveOS image we're camped out on. This is the beginning
     # of the butt ugly hack. Look close or you may missing it...
 
-    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
-        mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* .
+    rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
+        mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/y/yum-[0-9]* .
 
     # And here it is...
     # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
@@ -643,7 +660,7 @@ This will take a couple of minutes. Patience..."
     echo "Stage 1 creation complete. Building stage 2 Installation Bootstrap"
 
     mount -o bind ../bootstrap run/install
-    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* .
+    rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/f/fedora-release-20* .
 
     # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
     chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
@@ -934,7 +951,7 @@ install_fedora()
 {
     mkdir -p @LOCALSTATEDIR@/lock/subsys/
     (
-        flock -x 200
+        flock -x 9
         if [ $? -ne 0 ]; then
             echo "Cache repository is busy."
             return 1
@@ -965,7 +982,7 @@ install_fedora()
         fi
 
         return 0
-    ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
+    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
 
     return $?
 }
@@ -1017,12 +1034,16 @@ lxc.rootfs = $rootfs_path
     rm -f $config_path/config.def
 
+    if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]; then
+        echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
+" >> $config_path/config
+    fi
+
+    # Append things which require expansion here...
     cat <> $config_path/config
 lxc.utsname = $utsname
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount = $config_path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
 lxc.autodev = $auto_dev
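Review bot: The `if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]` guard has no `else`, and this hunk removes `lxc.tty`, `lxc.pts`, `lxc.mount` and `lxc.cap.drop` from the heredoc, so when the common file is missing the template quietly writes a config with no capability drops and, with the old cgroup block deleted later in this commit, no device whitelist either. That failure mode should be explicit: `else echo "Warning: @LXCTEMPLATECONFIG@/fedora.common.conf not found; container will have no capability or device restrictions" >&2; fi`, or exit non-zero. Note too that the heredoc no longer names any proc or sys mount and fedora.common.conf.in in this commit has `lxc.mount.auto` commented out, so even the successful path leaves /proc and /sys to whatever the container's init does. The line rendered as `cat <> $config_path/config` looks like it lost its `<<EOF` marker in this view rather than in the patch.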
@@ -1041,26 +1062,6 @@ lxc.autodev = $auto_dev
 # Note: This may potentially collide with other containers of same name!
 #lxc.network.veth.pair = v-$name-e0
 
-#cgroups
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-EOF
-
-    cat < $config_path/fstab
-proc proc proc nodev,noexec,nosuid 0 0
-sysfs sys sysfs defaults 0 0
 EOF
 
     if [ $? -ne 0 ]; then
@@ -1080,7 +1081,7 @@ clean()
     # lock, so we won't purge while someone is creating a repository
     (
-        flock -x 200
+        flock -x 9
         if [ $? != 0 ]; then
             echo "Cache repository is busy."
             exit 1
@@ -1089,7 +1090,7 @@ clean()
         echo -n "Purging the download cache for Fedora-$release..."
         rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
         exit 0
-    ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
+    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
 }
 
 usage()
@@ -1206,8 +1207,8 @@ if [ -z "$release" ]; then
     if [ "$is_fedora" -a "$fedora_host_ver" ]; then
         release=$fedora_host_ver
     else
-        echo "This is not a fedora host and release missing, defaulting to 19. use -R|--release to specify release"
-        release=19
+        echo "This is not a fedora host and release missing, defaulting to 20 use -R|--release to specify release"
+        release=20
     fi
 fi