Reduce duplication in new style configs

This is a rather massive cleanup of config/templates/*

As new templates were added, I've noticed that they pretty much all share
the tty/pts configs, some capabilities being dropped and most of the
cgroup configuration. All the userns configs were also almost identical.

As a result, this change introduces two new files:
 - common.conf.in
 - userns.conf.in

Each is included by the relevant <template>.<type>.conf.in templates;
this means that the individual per-template configs are now overlays on
top of the default config.

Once we see a specific key becoming popular, we ought to check whether
it should also be applied to the other templates and if more than 50% of
the templates have it set to the same value, that value ought to be
moved to the master config file and then overridden for the templates
that do not use it.

This change, while pretty big and scary, shouldn't be very visible from a
user point of view; the actual changes can be summarized as:
 - Extend clonehostname to work with Debian based distros and use it for
   all containers.
 - lxc.pivotdir is now set to lxc_putold for all templates; this means
   that instead of using /mnt in the container, lxc will create and use
   /lxc_putold instead. The reason for this is to avoid failures when the
   user bind-mounts something else on top of /mnt.
 - Some minor cgroup limit changes, the main one I remember is
   /dev/console now being writable by all of the redhat based containers.
   The rest of the set should be identical with additions in the per-distro
   ones.
 - Drop binfmtmisc and efivars bind-mounts for non-mountall based
   unprivileged containers as I assumed they got those from copy/paste
   from Ubuntu and not because they actually need those entries. (If I'm
   wrong, we probably should move those to userns.conf then).

Additional investigation and changes to reduce the config delta between
distros would be appreciated. In practice, I only expect lxc.cap.drop
and lxc.mount.entry to really vary between distros (depending on the
init system); the rest should be mostly common.

Diff from the RFC:
 - Add archlinux to the mix
 - Drop /etc/hostname from the clone hook

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber 2014-06-20 17:20:06 -04:00
parent fd986e0874
commit 5b99af0079
24 changed files with 128 additions and 431 deletions

@ -7,6 +7,7 @@ templatesconfig_DATA = \
archlinux.userns.conf \ archlinux.userns.conf \
centos.common.conf \ centos.common.conf \
centos.userns.conf \ centos.userns.conf \
common.conf \
debian.common.conf \ debian.common.conf \
debian.userns.conf \ debian.userns.conf \
fedora.common.conf \ fedora.common.conf \
@ -25,5 +26,6 @@ templatesconfig_DATA = \
ubuntu-cloud.userns.conf \ ubuntu-cloud.userns.conf \
ubuntu.common.conf \ ubuntu.common.conf \
ubuntu.lucid.conf \ ubuntu.lucid.conf \
ubuntu.priv.seccomp \
ubuntu.userns.conf \ ubuntu.userns.conf \
ubuntu.priv.seccomp userns.conf

@ -1,11 +1,16 @@
# Based on fedora.common.conf.in # This derives from the global common config
# Console settings lxc.include = @LXCTEMPLATECONFIG@/common.conf
lxc.autodev = 1 # Allow for 6 tty devices by default
lxc.tty = 6 lxc.tty = 6
lxc.pts = 1024
# Turn on autodev for systemd
lxc.autodev = 1
# Disable kmsg
lxc.kmsg = 0 lxc.kmsg = 0
# Set the halt/stop signals
lxc.haltsignal=SIGRTMIN+4 lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14 lxc.stopsignal=SIGRTMIN+14
@ -30,21 +35,4 @@ lxc.mount.auto = proc:mixed sys:ro
# lxc.cap.drop = audit_write # lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
# #
lxc.cap.drop = mac_admin mac_override lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-6] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master

@ -1,20 +1,2 @@
# Based on fedora.userns.conf.in # This derives from the global userns config
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
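Review bot: the active `lxc.mount.entry = /proc/sys/fs/binfmt_misc ...` line removed here has no counterpart in the new userns.conf, so this template's unprivileged containers lose that bind-mount while only the comment line for efivars goes away. The commit message says dropping it for non-mountall distros is deliberate, so this is fine as long as that is confirmed; if it turns out to be needed, it can be re-added here as a single overlay line below the include, since lxc.mount.entry entries accumulate across included files rather than replacing each other.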

@ -1,16 +1,9 @@
# Taken from the oracle.common.conf.in # This derives from the global common config
# Console settings lxc.include = @LXCTEMPLATECONFIG@/common.conf
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries # Mount entries
lxc.mount.auto = proc:mixed sys:ro lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities # Capabilities
# Uncomment these if you don't run anything that needs the capability, and # Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege. # would like the container to run with less privilege.
@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# lxc.cap.drop = setuid # breaks sshd,nfs statd # lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write # lxc.cap.drop = audit_write
# lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
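Review bot: at `# lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio` the replacement line is commented out, whereas the three removed `lxc.cap.drop` lines dropped setfcap, setpcap, sys_nice, sys_pacct and sys_rawio unconditionally. With only the four capabilities from common.conf still dropped, containers built from this template now keep those five. If that relaxation is intended it belongs in the commit message's list of visible changes; if not, uncomment the line, as the `@ -30,21 +35,4 @@` hunk earlier in this commit does with its active `lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio`.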

@ -1,20 +1,2 @@
# Taken from the oracle.userns.conf.in # This derives from the global userns config
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

@ -0,0 +1,35 @@
# Default configuration shared by all containers
# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc
# Allow for 1024 pseudo terminals
lxc.pts = 1024
# Setup 4 tty devices
lxc.tty = 4
# Drop some harmful capabilities
lxc.cap.drop = mac_admin mac_override sys_time sys_module
# Set the pivot directory
lxc.pivotdir = lxc_putold
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
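Review bot: the header comment should spell out how keys in this file combine with the overlays that include it, because the overlay model described in the commit message depends on it: single-valued keys such as lxc.tty, lxc.pts, lxc.devttydir and lxc.pivotdir are last-wins, so `lxc.include` must stay the first line of every overlay, while lxc.cap.drop, lxc.mount.entry and lxc.cgroup.devices.* accumulate and can only be reset with an empty assignment (as the new userns.conf does with `lxc.cgroup.devices.deny =` and `lxc.cgroup.devices.allow =`). The `c 5:1 rwm # /dev/console` rule is also worth a one-line comment, since the commit message lists /dev/console becoming writable in the Red Hat based templates as a visible change and a reader of this file alone cannot tell that it is new.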

@ -1,18 +1,14 @@
# Default pivot location # This derives from the global common config
lxc.pivotdir = lxc_putold lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Doesn't support consoles in /dev/lxc/
lxc.devttydir =
# Default mount entries # Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
# Default console settings
lxc.tty = 4
lxc.pts = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# To support container nesting on an Ubuntu host while retaining most of # To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead. # apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting #lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups #lxc.mount.auto = cgroup:mixed
# If you wish to allow mounting block filesystems, then use the following # If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop # line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting #lxc.aa_profile = lxc-container-default-with-mounting
# Default cgroup limits # Extra cgroup device access
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc ## rtc
lxc.cgroup.devices.allow = c 254:0 rm lxc.cgroup.devices.allow = c 254:0 rm
## fuse ## fuse
lxc.cgroup.devices.allow = c 10:229 rwm lxc.cgroup.devices.allow = c 10:229 rwm
## tun ## tun
lxc.cgroup.devices.allow = c 10:200 rwm lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet ## hpet
lxc.cgroup.devices.allow = c 10:228 rwm lxc.cgroup.devices.allow = c 10:228 rwm
## kvm ## kvm
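Review bot: the edit in the nesting comment from `#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups` to `#lxc.mount.auto = cgroup:mixed` is unrelated to the deduplication and is not mentioned in the commit message; either list it there or split it into its own commit so the documented advice change is easy to find later.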

@ -1,12 +1,2 @@
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices # This derives from the global userns config
lxc.cgroup.devices.deny = lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.allow =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0

@ -1,15 +1,5 @@
# Taken from the oracle.common.conf.in # This derives from the global common config
# Console settings lxc.include = @LXCTEMPLATECONFIG@/common.conf
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries
# lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities # Capabilities
# Uncomment these if you don't run anything that needs the capability, and # Uncomment these if you don't run anything that needs the capability, and
@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write # lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
# lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
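Review bot: `# lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio` is commented out, but it replaces the removed `lxc.cap.drop = setfcap`, `lxc.cap.drop = sys_module sys_nice sys_pacct` and `lxc.cap.drop = sys_rawio sys_time` lines, which dropped those capabilities for real; after this change containers from this template retain setfcap, sys_nice, sys_pacct and sys_rawio. Uncomment the line, or document the relaxation in the commit message if it is intended.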

@ -1,20 +1,2 @@
# Taken from the oracle.userns.conf.in # This derives from the global userns config
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

@ -1,54 +1,28 @@
# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Gentoo common default configuration # Gentoo common default configuration
# This is the most feature-full container configuration # This is the most feature-full container configuration
# But security is not the goal. # But security is not the goal.
# Looking for more security, see gentoo.moresecure.conf # Looking for more security, see gentoo.moresecure.conf
# sysfs # Default mount entries
lxc.mount.entry=sys sys sysfs defaults 0 0 lxc.mount.entry=sys sys sysfs defaults 0 0
# console access # Doesn't support consoles in /dev/lxc/
lxc.pts = 1024 lxc.devttydir =
# this part is based on 'linux capabilities', see: man 7 capabilities # Extra cgroup device access
# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# deny access to all devices by default, explicitly grant some permissions
#
# format is [c|b] [major|*]:[minor|*] [r][w][m]
# ^ ^ ^
# char/block -' \`- device number \`-- read, write, mknod
#
# first deny all...
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc ## rtc
lxc.cgroup.devices.allow = c 254:0 rm lxc.cgroup.devices.allow = c 254:0 rm
## fuse ## fuse
lxc.cgroup.devices.allow = c 10:229 rwm lxc.cgroup.devices.allow = c 10:229 rwm
## tun ## tun
lxc.cgroup.devices.allow = c 10:200 rwm lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet ## hpet
lxc.cgroup.devices.allow = c 10:228 rwm lxc.cgroup.devices.allow = c 10:228 rwm
## kvm ## kvm
lxc.cgroup.devices.allow = c 10:232 rwm lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's ## To use loop devices, copy the following line to the container's
## configuration file (uncommented). ## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm #lxc.cgroup.devices.allow = b 7:* rwm

@ -1,3 +1,6 @@
# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Gentoo security oriented default configuration # Gentoo security oriented default configuration
# This is a more security oriented container configuration # This is a more security oriented container configuration
# "More" because this is far from fully secure # "More" because this is far from fully secure
@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
# console access
lxc.pts = 1024
# this part is based on 'linux capabilities', see: man 7 capabilities # this part is based on 'linux capabilities', see: man 7 capabilities
# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping) # eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
# #
@ -31,29 +31,4 @@ lxc.pts = 1024
# conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
# aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot) # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
# deny access to all devices by default, explicitly grant some permissions
#
# format is [c|b] [major|*]:[minor|*] [r][w][m]
# ^ ^ ^
# char/block -' \`- device number \`-- read, write, mknod
#
# first deny all...
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = c 1:5 rw
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rw
lxc.cgroup.devices.allow = c 1:8 r
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.cgroup.devices.allow = c 5:2 rw
# /dev/tty{0,1}
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
# /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
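Review bot: this security-oriented profile loses its own, stricter device whitelist and inherits the common.conf one instead, which is looser: the removed rules granted `c 1:3 rw`, `c 1:8 r` and `c 136:* rw` with no mknod allowance and no /dev/full, whereas common.conf allows `c *:* m`, `b *:* m` and rwm on /dev/full, /dev/random and the pts devices. At the same time the `c 4:0` and `c 4:1` (/dev/tty0, /dev/tty1) rules it used to allow are gone. Since lxc.cgroup.* entries accumulate, the old policy can be restored in this overlay by clearing with `lxc.cgroup.devices.deny =` and `lxc.cgroup.devices.allow =` (as the new userns.conf.in does) and then restating its `deny = a` and read/write-only rules below the include.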

@ -1,19 +1,2 @@
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices # This derives from the global userns config
lxc.cgroup.devices.deny = lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

@ -1,13 +1,8 @@
# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Enable autodev
lxc.autodev = 1 lxc.autodev = 1
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries
# lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities # Capabilities
# Uncomment these if you don't run anything that needs the capability, and # Uncomment these if you don't run anything that needs the capability, and
@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# lxc.cap.drop = audit_write # lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
# lxc.cap.drop = setfcap # lxc.cap.drop = setfcap
# lxc.cap.drop = sys_nice sys_pacct sys_rawio
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
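Review bot: `# lxc.cap.drop = sys_nice sys_pacct sys_rawio` is commented out while the removed `lxc.cap.drop = sys_module sys_nice sys_pacct` and `lxc.cap.drop = sys_rawio sys_time` lines dropped sys_nice, sys_pacct and sys_rawio unconditionally, so this template now keeps those three capabilities. Uncomment the line or record the relaxation in the commit message.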

@ -1,20 +1,2 @@
# Taken from the oracle.userns.conf.in # This derives from the global userns config
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

@ -1,14 +1,9 @@
# Console settings # This derives from the global common config
lxc.devttydir = lxc lxc.include = @LXCTEMPLATECONFIG@/common.conf
lxc.tty = 4
lxc.pts = 1024
# Mount entries # Mount entries
lxc.mount.auto = proc:mixed sys:ro lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities # Capabilities
# Uncomment these if you don't run anything that needs the capability, and # Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege. # would like the container to run with less privilege.
@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# lxc.cap.drop = setuid # breaks sshd,nfs statd # lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write # lxc.cap.drop = audit_write
# lxc.cap.drop = sys_nice sys_pacct sys_rawio
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
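Review bot: `# lxc.cap.drop = sys_nice sys_pacct sys_rawio` is commented out, yet the removed `lxc.cap.drop = sys_module sys_nice sys_pacct` and `lxc.cap.drop = sys_rawio sys_time` lines dropped sys_nice, sys_pacct and sys_rawio for real; uncomment it, or list the relaxation in the commit message if it is intended.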

@ -1,19 +1,2 @@
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices # This derives from the global userns config
lxc.cgroup.devices.deny = lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

@ -1,26 +1,14 @@
# Default console settings # This derives from the global common config
lxc.tty = 4 lxc.include = @LXCTEMPLATECONFIG@/common.conf
lxc.pts = 1024
# Default mount # Default mount
lxc.mount.auto = proc sys cgroup lxc.mount.auto = proc sys cgroup
# Default capabilities # Doesn't support consoles in /dev/lxc/
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.devttydir =
lxc.cgroup.devices.deny = a # Extra cgroup device access
# /dev/null and zero ## rtc
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm lxc.cgroup.devices.allow = c 254:0 rm
# fuse ## fuse
lxc.cgroup.devices.allow = c 10:229 rwm lxc.cgroup.devices.allow = c 10:229 rwm

@ -1,12 +1,2 @@
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices # This derives from the global userns config
lxc.cgroup.devices.deny = lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.allow =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0

@ -1,5 +1,5 @@
# Default pivot location # This derives from the global common config
lxc.pivotdir = lxc_putold lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Default mount entries # Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
# Default console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting #lxc.aa_profile = lxc-container-default-with-mounting
# Default cgroup limits # Extra cgroup device access
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc ## rtc
lxc.cgroup.devices.allow = c 254:0 rm lxc.cgroup.devices.allow = c 254:0 rm
## fuse ## fuse
lxc.cgroup.devices.allow = c 10:229 rwm lxc.cgroup.devices.allow = c 10:229 rwm
## tun ## tun
lxc.cgroup.devices.allow = c 10:200 rwm lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet ## hpet
lxc.cgroup.devices.allow = c 10:228 rwm lxc.cgroup.devices.allow = c 10:228 rwm
## kvm ## kvm

@ -1,18 +1,5 @@
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices # This derives from the global userns config
lxc.cgroup.devices.deny = lxc.include = @LXCTEMPLATECONFIG@/userns.conf
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself # Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0

@ -0,0 +1,15 @@
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
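Review bot: add a comment stating that this file must be parsed after common.conf: the empty `lxc.devttydir =` and the cleared `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` only take effect if they come after common.conf's `lxc.devttydir = lxc` and its device whitelist, and the `create=file` bind-mounts rely on lxc.mount.entry accumulating rather than replacing. Since the first comment already explains why the cgroup lists are cleared, a matching line saying that efivars and binfmt_misc are intentionally left to the distro-specific userns overlays (per the commit message) would save the next reader a search.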

@ -598,6 +598,7 @@ AC_CONFIG_FILES([
config/templates/archlinux.userns.conf config/templates/archlinux.userns.conf
config/templates/centos.common.conf config/templates/centos.common.conf
config/templates/centos.userns.conf config/templates/centos.userns.conf
config/templates/common.conf
config/templates/debian.common.conf config/templates/debian.common.conf
config/templates/debian.userns.conf config/templates/debian.userns.conf
config/templates/fedora.common.conf config/templates/fedora.common.conf
@ -617,6 +618,7 @@ AC_CONFIG_FILES([
config/templates/ubuntu.common.conf config/templates/ubuntu.common.conf
config/templates/ubuntu.lucid.conf config/templates/ubuntu.lucid.conf
config/templates/ubuntu.userns.conf config/templates/ubuntu.userns.conf
config/templates/userns.conf
config/yum/Makefile config/yum/Makefile
doc/Makefile doc/Makefile

@ -20,7 +20,8 @@
# Note that /etc/hostname is updated by lxc itself # Note that /etc/hostname is updated by lxc itself
for file in \ for file in \
$LXC_ROOTFS_PATH/etc/sysconfig/network \ $LXC_ROOTFS_PATH/etc/sysconfig/network \
$LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ; $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
$LXC_ROOTFS_PATH/etc/hosts ;
do do
if [ -f $file ]; then if [ -f $file ]; then
sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file
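Review bot: with `$LXC_ROOTFS_PATH/etc/hosts` added to the loop, the existing `sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file` rewrites only the first match on each line, while a typical hosts line carries the name twice (`127.0.1.1 name.domain name`), so the short name would keep the source container's name; add the `g` flag. The pattern is also unanchored and unescaped, so any hostname that merely contains the source name as a substring is rewritten too, and a `.` in a container name matches any character; matching on word boundaries would be safer, and `$file` should be quoted.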