diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am index 3db2269be..61b4b4536 100644 --- a/config/templates/Makefile.am +++ b/config/templates/Makefile.am @@ -7,6 +7,7 @@ templatesconfig_DATA = \ archlinux.userns.conf \ centos.common.conf \ centos.userns.conf \ + common.conf \ debian.common.conf \ debian.userns.conf \ fedora.common.conf \ @@ -25,5 +26,6 @@ templatesconfig_DATA = \ ubuntu-cloud.userns.conf \ ubuntu.common.conf \ ubuntu.lucid.conf \ + ubuntu.priv.seccomp \ ubuntu.userns.conf \ - ubuntu.priv.seccomp + userns.conf diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in index 2c492995e..7c950e7a1 100644 --- a/config/templates/archlinux.common.conf.in +++ b/config/templates/archlinux.common.conf.in @@ -1,11 +1,16 @@ -# Based on fedora.common.conf.in -# Console settings +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf -lxc.autodev = 1 +# Allow for 6 tty devices by default lxc.tty = 6 -lxc.pts = 1024 + +# Turn on autodev for systemd +lxc.autodev = 1 + +# Disable kmsg lxc.kmsg = 0 +# Set the halt/stop signals lxc.haltsignal=SIGRTMIN+4 lxc.stopsignal=SIGRTMIN+14 
@@ -30,21 +35,4 @@ lxc.mount.auto = proc:mixed sys:ro # lxc.cap.drop = audit_write # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd # -lxc.cap.drop = mac_admin mac_override -lxc.cap.drop = setfcap -lxc.cap.drop = sys_module sys_nice sys_pacct -lxc.cap.drop = sys_rawio sys_time - -# Control Group devices: all denied except those whitelisted -lxc.cgroup.devices.deny = a -# Allow any mknod (but not reading/writing the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-6] ptys and lxc console -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio diff --git a/config/templates/archlinux.userns.conf.in b/config/templates/archlinux.userns.conf.in index 28b03faaf..707bb30c0 100644 --- a/config/templates/archlinux.userns.conf.in +++ b/config/templates/archlinux.userns.conf.in 
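Review bot: The surviving `lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio` only preserves the previous posture because `mac_admin mac_override sys_time sys_module` now arrive through the `lxc.include` of common.conf and successive `lxc.cap.drop` lines accumulate; nothing in this file says so, and a later edit that moves or removes the include would silently hand those capabilities back. Add `# Dropped in addition to the set inherited from common.conf` above the line. The same applies to the matching capability hunks in centos.common, fedora.common, opensuse.common and oracle.common.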
@@ -1,20 +1,2 @@ -# Based on fedora.userns.conf.in -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Extra fstab entries as mountall can't mount those by itself -# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in index c0e68165b..4ce2fda2c 100644 --- a/config/templates/centos.common.conf.in +++ b/config/templates/centos.common.conf.in @@ -1,16 +1,9 @@ -# Taken from the oracle.common.conf.in -# Console settings - -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf # Mount entries lxc.mount.auto = proc:mixed sys:ro -# Ensure hostname is changed on clone -lxc.hook.clone = @LXCHOOKDIR@/clonehostname - # Capabilities # Uncomment these if you don't run anything that needs the capability, and # would like the container to run with less privilege. 
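Review bot: Replacing this file with the include silently drops the `/proc/sys/fs/binfmt_misc` bind mount, and the centos, fedora, gentoo, opensuse and oracle userns hunks below likewise lose both their `efivars` and `binfmt_misc` entries, while ubuntu.userns keeps them as distro-specific extras after its include. Not exposing the host's binfmt_misc and EFI variables to an unprivileged container is the more conservative default, but it is a behaviour change for containers built from those templates and is not mentioned anywhere in the diff. Either call it out in the commit message or re-add the entry per distro the way ubuntu.userns does, e.g. `lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0`.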
@@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname # lxc.cap.drop = setuid # breaks sshd,nfs statd # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_write -# -lxc.cap.drop = mac_admin mac_override setfcap setpcap -lxc.cap.drop = sys_module sys_nice sys_pacct -lxc.cap.drop = sys_rawio sys_time - -# Control Group devices: all denied except those whitelisted -lxc.cgroup.devices.deny = a -# Allow any mknod (but not reading/writing the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master +lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in index f6de0e97d..707bb30c0 100644 --- a/config/templates/centos.userns.conf.in +++ b/config/templates/centos.userns.conf.in 
@@ -1,20 +1,2 @@ -# Taken from the oracle.userns.conf.in -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Extra fstab entries as mountall can't mount those by itself -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in new file mode 100644 index 000000000..1616b4f37 --- /dev/null +++ b/config/templates/common.conf.in 
@@ -0,0 +1,35 @@ +# Default configuration shared by all containers + +# Setup the LXC devices in /dev/lxc/ +lxc.devttydir = lxc + +# Allow for 1024 pseudo terminals +lxc.pts = 1024 + +# Setup 4 tty devices +lxc.tty = 4 + +# Drop some harmful capabilities +lxc.cap.drop = mac_admin mac_override sys_time sys_module + +# Set the pivot directory +lxc.pivotdir = lxc_putold + +# Ensure hostname is changed on clone +lxc.hook.clone = @LXCHOOKDIR@/clonehostname + +# CGroup whitelist +lxc.cgroup.devices.deny = a +## Allow any mknod (but not reading/writing the node) +lxc.cgroup.devices.allow = c *:* m +lxc.cgroup.devices.allow = b *:* m +## Allow specific devices +lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null +lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero +lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full +lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty +lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console +lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx +lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random +lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom +lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/* diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in index 09e5c4088..e1d421f87 100644 --- a/config/templates/debian.common.conf.in +++ b/config/templates/debian.common.conf.in 
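Review bot: The whitelist in this new file is the union of the former per-distro lists, so several templates gain device access they did not grant before: archlinux, centos, fedora, opensuse and oracle previously had no `c 5:1 rwm` (/dev/console), and plamo had neither the `c *:* m`/`b *:* m` mknod rules nor `c 1:7 rwm`. Each is a small widening, but it should be a deliberate choice rather than a side effect of consolidation, and a reader of a distro file cannot see what it inherits. Replace the `# CGroup whitelist` header with `# CGroup whitelist: union of the former per-distro lists. Distro files can only add` / `# entries; to narrow, reset with "lxc.cgroup.devices.deny = a" after the include.`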
@@ -1,18 +1,14 @@ -# Default pivot location -lxc.pivotdir = lxc_putold +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf + +# Doesn't support consoles in /dev/lxc/ +lxc.devttydir = # Default mount entries lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 -# Default console settings -lxc.tty = 4 -lxc.pts = 1024 - -# Default capabilities -lxc.cap.drop = sys_module mac_admin mac_override sys_time - # When using LXC with apparmor, the container will be confined by default. # If you wish for it to instead run unconfined, copy the following line # (uncommented) to the container's configuration file. 
@@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time # To support container nesting on an Ubuntu host while retaining most of # apparmor's added security, use the following two lines instead. #lxc.aa_profile = lxc-container-default-with-nesting -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups +#lxc.mount.auto = cgroup:mixed # If you wish to allow mounting block filesystems, then use the following # line instead, and make sure to grant access to the block device and/or loop # devices below in lxc.cgroup.devices.allow. #lxc.aa_profile = lxc-container-default-with-mounting -# Default cgroup limits -lxc.cgroup.devices.deny = a -## Allow any mknod (but not using the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -## /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -## consoles -lxc.cgroup.devices.allow = c 5:0 rwm -lxc.cgroup.devices.allow = c 5:1 rwm -## /dev/{,u}random -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 1:9 rwm -## /dev/pts/* -lxc.cgroup.devices.allow = c 5:2 rwm -lxc.cgroup.devices.allow = c 136:* rwm +# Extra cgroup device access ## rtc lxc.cgroup.devices.allow = c 254:0 rm ## fuse lxc.cgroup.devices.allow = c 10:229 rwm ## tun lxc.cgroup.devices.allow = c 10:200 rwm -## full -lxc.cgroup.devices.allow = c 1:7 rwm ## hpet lxc.cgroup.devices.allow = c 10:228 rwm ## kvm diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in index 3e9600d50..707bb30c0 100644 --- a/config/templates/debian.userns.conf.in +++ b/config/templates/debian.userns.conf.in 
@@ -1,12 +1,2 @@ -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in index 31b23a4a4..acebe3c7c 100644 --- a/config/templates/fedora.common.conf.in +++ b/config/templates/fedora.common.conf.in @@ -1,15 +1,5 @@ -# Taken from the oracle.common.conf.in -# Console settings - -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 - -# Mount entries -# lxc.mount.auto = proc:mixed sys:ro - -# Ensure hostname is changed on clone -lxc.hook.clone = @LXCHOOKDIR@/clonehostname +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf # Capabilities # Uncomment these if you don't run anything that needs the capability, and 
@@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_write # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd -# -lxc.cap.drop = mac_admin mac_override -lxc.cap.drop = setfcap -lxc.cap.drop = sys_module sys_nice sys_pacct -lxc.cap.drop = sys_rawio sys_time - -# Control Group devices: all denied except those whitelisted -lxc.cgroup.devices.deny = a -# Allow any mknod (but not reading/writing the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master +lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in index f6de0e97d..707bb30c0 100644 --- a/config/templates/fedora.userns.conf.in +++ b/config/templates/fedora.userns.conf.in 
@@ -1,20 +1,2 @@ -# Taken from the oracle.userns.conf.in -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Extra fstab entries as mountall can't mount those by itself -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in index 5a8b2316b..7b966726e 100644 --- a/config/templates/gentoo.common.conf.in +++ b/config/templates/gentoo.common.conf.in 
@@ -1,54 +1,28 @@ +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf + # Gentoo common default configuration # This is the most feature-full container configuration # But security is not the goal. # Looking for more security, see gentoo.moresecure.conf -# sysfs +# Default mount entries lxc.mount.entry=sys sys sysfs defaults 0 0 -# console access -lxc.pts = 1024 +# Doesn't support consoles in /dev/lxc/ +lxc.devttydir = -# this part is based on 'linux capabilities', see: man 7 capabilities -# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping) - -lxc.cap.drop = sys_module mac_admin mac_override sys_time - -# deny access to all devices by default, explicitly grant some permissions -# -# format is [c|b] [major|*]:[minor|*] [r][w][m] -# ^ ^ ^ -# char/block -' \`- device number \`-- read, write, mknod -# -# first deny all... -lxc.cgroup.devices.deny = a -## Allow any mknod (but not using the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -## /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -## consoles -lxc.cgroup.devices.allow = c 5:0 rwm -lxc.cgroup.devices.allow = c 5:1 rwm -## /dev/{,u}random -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 1:9 rwm -## /dev/pts/* -lxc.cgroup.devices.allow = c 5:2 rwm -lxc.cgroup.devices.allow = c 136:* rwm +# Extra cgroup device access ## rtc lxc.cgroup.devices.allow = c 254:0 rm ## fuse lxc.cgroup.devices.allow = c 10:229 rwm ## tun lxc.cgroup.devices.allow = c 10:200 rwm -## full -lxc.cgroup.devices.allow = c 1:7 rwm ## hpet lxc.cgroup.devices.allow = c 10:228 rwm ## kvm lxc.cgroup.devices.allow = c 10:232 rwm ## To use loop devices, copy the following line to the container's ## configuration file (uncommented). -#lxc.cgroup.devices.allow = b 7:* rwm \ No newline at end of file +#lxc.cgroup.devices.allow = b 7:* rwm 
diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in index da68562c7..238303d30 100644 --- a/config/templates/gentoo.moresecure.conf.in +++ b/config/templates/gentoo.moresecure.conf.in @@ -1,3 +1,6 @@ +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf + # Gentoo security oriented default configuration # This is a more security oriented container configuration # "More" because this is far from fully secure @@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0 -# console access -lxc.pts = 1024 - # this part is based on 'linux capabilities', see: man 7 capabilities # eg: you may also wish to drop 'cap_net_raw' (though it breaks ping) # 
@@ -31,29 +31,4 @@ lxc.pts = 1024 # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot) -lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog - -# deny access to all devices by default, explicitly grant some permissions -# -# format is [c|b] [major|*]:[minor|*] [r][w][m] -# ^ ^ ^ -# char/block -' \`- device number \`-- read, write, mknod -# -# first deny all... -lxc.cgroup.devices.deny = a -# /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rw -lxc.cgroup.devices.allow = c 1:5 rw -# /dev/{,u}random -lxc.cgroup.devices.allow = c 1:9 rw -lxc.cgroup.devices.allow = c 1:8 r -# /dev/pts/* -lxc.cgroup.devices.allow = c 136:* rw -lxc.cgroup.devices.allow = c 5:2 rw -# /dev/tty{0,1} -lxc.cgroup.devices.allow = c 4:1 rwm -lxc.cgroup.devices.allow = c 4:0 rwm -# /dev/tty -lxc.cgroup.devices.allow = c 5:0 rwm -# /dev/console -lxc.cgroup.devices.allow = c 5:1 rwm \ No newline at end of file +lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in index 5643744df..707bb30c0 100644 --- a/config/templates/gentoo.userns.conf.in +++ b/config/templates/gentoo.userns.conf.in 
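Review bot: This hunk weakens the `moresecure` profile rather than just deduplicating it: the removed whitelist granted `rw` (no mknod) on null/zero/urandom/pts, only `r` on /dev/random and had no blanket mknod rule, whereas the list now inherited from common.conf grants `rwm` on all of them plus `c *:* m`/`b *:* m`, adds /dev/full, and lacks the `c 4:0`/`c 4:1` tty entries the old profile had. The capability line is consistent with the include (only the four caps moved to common.conf were removed), so the device policy is the one regression. Cgroup settings are applied in the order they appear in the config (worth confirming on the target LXC version), so the profile can keep the include and still restore its own policy by resetting with `lxc.cgroup.devices.deny = a` and restating the original allow lines after the capability line, as below.
```conf
lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog

# Reset the whitelist inherited from common.conf and restate the stricter
# one this profile had before (rw rather than rwm on the basic nodes,
# read-only /dev/random, no blanket mknod, tty0/tty1 kept).
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = c 1:5 rw
lxc.cgroup.devices.allow = c 1:9 rw
lxc.cgroup.devices.allow = c 1:8 r
lxc.cgroup.devices.allow = c 136:* rw
lxc.cgroup.devices.allow = c 5:2 rw
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
```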
@@ -1,19 +1,2 @@ -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Extra fstab entries as mountall can't mount those by itself -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in index 1585fb8de..40269751c 100644 --- a/config/templates/opensuse.common.conf.in +++ b/config/templates/opensuse.common.conf.in @@ -1,13 +1,8 @@ +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf + +# Enable autodev lxc.autodev = 1 -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 - -# Mount entries -# lxc.mount.auto = proc:mixed sys:ro - -# Ensure hostname is changed on clone -lxc.hook.clone = @LXCHOOKDIR@/clonehostname # Capabilities # Uncomment these if you don't run anything that needs the capability, and 
@@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname # lxc.cap.drop = audit_write # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd # lxc.cap.drop = setfcap -# -lxc.cap.drop = mac_admin mac_override -lxc.cap.drop = sys_module sys_nice sys_pacct -lxc.cap.drop = sys_rawio sys_time - -# Control Group devices: all denied except those whitelisted -lxc.cgroup.devices.deny = a -# Allow any mknod (but not reading/writing the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master +lxc.cap.drop = sys_nice sys_pacct sys_rawio diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in index f6de0e97d..707bb30c0 100644 --- a/config/templates/opensuse.userns.conf.in +++ b/config/templates/opensuse.userns.conf.in 
@@ -1,20 +1,2 @@ -# Taken from the oracle.userns.conf.in -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Extra fstab entries as mountall can't mount those by itself -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in index ddcdc8872..ec5ae94dd 100644 --- a/config/templates/oracle.common.conf.in +++ b/config/templates/oracle.common.conf.in @@ -1,14 +1,9 @@ -# Console settings -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf # Mount entries lxc.mount.auto = proc:mixed sys:ro -# Ensure hostname is changed on clone -lxc.hook.clone = @LXCHOOKDIR@/clonehostname - # Capabilities # Uncomment these if you don't run anything that needs the capability, and # would like the container to run with less privilege. 
@@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname # lxc.cap.drop = setuid # breaks sshd,nfs statd # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_write -# -lxc.cap.drop = mac_admin mac_override -lxc.cap.drop = sys_module sys_nice sys_pacct -lxc.cap.drop = sys_rawio sys_time - -# Control Group devices: all denied except those whitelisted -lxc.cgroup.devices.deny = a -# Allow any mknod (but not reading/writing the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null -lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero -lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full -lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty -lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random -lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom -lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console -lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master +lxc.cap.drop = sys_nice sys_pacct sys_rawio diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in index 5643744df..707bb30c0 100644 --- a/config/templates/oracle.userns.conf.in +++ b/config/templates/oracle.userns.conf.in 
@@ -1,19 +1,2 @@ -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Extra fstab entries as mountall can't mount those by itself -lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 -lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in index 50783c3b2..483a5569a 100644 --- a/config/templates/plamo.common.conf.in +++ b/config/templates/plamo.common.conf.in 
@@ -1,26 +1,14 @@ -# Default console settings -lxc.tty = 4 -lxc.pts = 1024 +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf # Default mount lxc.mount.auto = proc sys cgroup -# Default capabilities -lxc.cap.drop = sys_module mac_admin mac_override sys_time +# Doesn't support consoles in /dev/lxc/ +lxc.devttydir = -lxc.cgroup.devices.deny = a -# /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -# consoles -lxc.cgroup.devices.allow = c 5:0 rwm -lxc.cgroup.devices.allow = c 5:1 rwm -# /dev/{,u}random -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 1:9 rwm -lxc.cgroup.devices.allow = c 5:2 rwm -lxc.cgroup.devices.allow = c 136:* rwm -# rtc +# Extra cgroup device access +## rtc lxc.cgroup.devices.allow = c 254:0 rm -# fuse +## fuse lxc.cgroup.devices.allow = c 10:229 rwm diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in index 3e9600d50..707bb30c0 100644 --- a/config/templates/plamo.userns.conf.in +++ b/config/templates/plamo.userns.conf.in @@ -1,12 +1,2 @@ -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in index a61ed79c9..ee008e239 100644 --- a/config/templates/ubuntu.common.conf.in 
+++ b/config/templates/ubuntu.common.conf.in @@ -1,5 +1,5 @@ -# Default pivot location -lxc.pivotdir = lxc_putold +# This derives from the global common config +lxc.include = @LXCTEMPLATECONFIG@/common.conf # Default mount entries lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 @@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 -# Default console settings -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 - -# Default capabilities -lxc.cap.drop = sys_module mac_admin mac_override sys_time - # When using LXC with apparmor, the container will be confined by default. # If you wish for it to instead run unconfined, copy the following line # (uncommented) to the container's configuration file. @@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time # devices below in lxc.cgroup.devices.allow. #lxc.aa_profile = lxc-container-default-with-mounting -# Default cgroup limits -lxc.cgroup.devices.deny = a -## Allow any mknod (but not using the node) -lxc.cgroup.devices.allow = c *:* m -lxc.cgroup.devices.allow = b *:* m -## /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -## consoles -lxc.cgroup.devices.allow = c 5:0 rwm -lxc.cgroup.devices.allow = c 5:1 rwm -## /dev/{,u}random -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 1:9 rwm -## /dev/pts/* -lxc.cgroup.devices.allow = c 5:2 rwm -lxc.cgroup.devices.allow = c 136:* rwm +# Extra cgroup device access ## rtc lxc.cgroup.devices.allow = c 254:0 rm ## fuse lxc.cgroup.devices.allow = c 10:229 rwm ## tun lxc.cgroup.devices.allow = c 10:200 rwm -## full -lxc.cgroup.devices.allow = c 1:7 rwm ## hpet lxc.cgroup.devices.allow = c 10:228 rwm ## kvm 
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in index c744b1d66..e25270c42 100644 --- a/config/templates/ubuntu.userns.conf.in +++ b/config/templates/ubuntu.userns.conf.in @@ -1,18 +1,5 @@ -# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices -lxc.cgroup.devices.deny = -lxc.cgroup.devices.allow = - -# We can't move bind-mounts, so don't use /dev/lxc/ -lxc.devttydir = - -# Extra bind-mounts for userns -lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 -lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 -lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 -lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 -lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 -lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 -lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 +# This derives from the global userns config +lxc.include = @LXCTEMPLATECONFIG@/userns.conf # Extra fstab entries as mountall can't mount those by itself lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in new file mode 100644 index 000000000..5dc19c72c --- /dev/null +++ b/config/templates/userns.conf.in 
@@ -0,0 +1,15 @@ +# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices +lxc.cgroup.devices.deny = +lxc.cgroup.devices.allow = + +# We can't move bind-mounts, so don't use /dev/lxc/ +lxc.devttydir = + +# Extra bind-mounts for userns +lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 +lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 +lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 +lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 +lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 +lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 +lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 diff --git a/configure.ac b/configure.ac index 1a27e1f74..baeb4a20a 100644 --- a/configure.ac +++ b/configure.ac @@ -598,6 +598,7 @@ AC_CONFIG_FILES([ config/templates/archlinux.userns.conf config/templates/centos.common.conf config/templates/centos.userns.conf + config/templates/common.conf config/templates/debian.common.conf config/templates/debian.userns.conf config/templates/fedora.common.conf @@ -617,6 +618,7 @@ AC_CONFIG_FILES([ config/templates/ubuntu.common.conf config/templates/ubuntu.lucid.conf config/templates/ubuntu.userns.conf + config/templates/userns.conf config/yum/Makefile doc/Makefile diff --git a/hooks/clonehostname b/hooks/clonehostname index 8865c2df8..ed2765c4d 100755 --- a/hooks/clonehostname +++ b/hooks/clonehostname @@ -20,7 +20,8 @@ # Note that /etc/hostname is updated by lxc itself for file in \ $LXC_ROOTFS_PATH/etc/sysconfig/network \ - $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ; + $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \ + $LXC_ROOTFS_PATH/etc/hosts ; do if [ -f $file ]; then sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file
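Review bot: Adding `$LXC_ROOTFS_PATH/etc/hosts` to the loop exposes the unanchored `sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file`: it rewrites the first substring match on every line, so a source container named, say, `host` would turn `localhost` into the clone's name, and any unrelated hosts entry containing the source name is altered; the sysconfig files this touched before rarely have such collisions. With common.conf now setting `lxc.hook.clone` for every template, this also runs for Debian, Ubuntu, Gentoo and Plamo clones that never had the hook. Prefer a word-anchored pattern and a quoted path, e.g. `if [ -f "$file" ]; then` and `sed -i "s|\b$LXC_SRC_NAME\b|$LXC_NAME|" "$file"` (GNU sed `\b`), and note that names containing `|` or `&` still corrupt the expression because both variables are interpolated unescaped. The loop's `fi`/`done` lie outside the hunk.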