proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-07-13 18:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Use consistent /proc, /sys and /sys/fs/cgroup (v2)

Browse Source 
- Implements mixed mode for /sys where it's mounted read-only but with
   /sys/devices/virtual/net/ writable.

 - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
   templates.

 - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.

 - Get rid of the fstab file by default, using lxc.mount.entry instead.

 - Set sys:mixed as the default for "sys". sys:mixed is slightly more
   permissive than sys:ro so this shouldn't be a problem.

The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.

v2 changes:
 - Fix the mount list, don't specify a source for the remount.
 - Update the documentation.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
Stéphane Graber 2015-01-28 19:41:26 +01:00
parent e088e9267c
commit f24a52d5f5
25 changed files with 47 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/templates/archlinux.common.conf.in
View File

@ -8,9 +8,6 @@ lxc.tty = 6
lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
# Uncomment to disable creating tty devices subdirectory in /dev
# lxc.devttydir =

3
config/templates/centos.common.conf.in
View File

@ -1,9 +1,6 @@
# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.

3
config/templates/common.conf.in
View File

@ -43,6 +43,9 @@ lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

5
config/templates/debian.common.conf.in
View File

@ -5,8 +5,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
lxc.devttydir =
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
# When using LXC with apparmor, the container will be confined by default.
@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
#lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
# apparmor's added security, use the following line instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.mount.auto = cgroup:mixed
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop

3
config/templates/gentoo.common.conf.in
View File

@ -6,9 +6,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
# But security is not the goal.
# Looking for more security, see gentoo.moresecure.conf
# Default mount entries
lxc.mount.entry=sys sys sysfs defaults 0 0
# Doesn't support consoles in /dev/lxc/
lxc.devttydir =

2
config/templates/gentoo.moresecure.conf.in
View File

@ -8,8 +8,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Container user ? see gentoo.common.conf
# do not mount sysfs, see http://blog.bofh.it/debian/id_413
# lxc.mount.entry=sys sys sysfs rw 0 0
lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0
lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0

4
config/templates/openwrt.common.conf.in
View File

@ -1,7 +1,3 @@
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Default console settings
lxc.devttydir = lxc
lxc.tty = 4

3
config/templates/oracle.common.conf.in
View File

@ -1,9 +1,6 @@
# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Mount entries
lxc.mount.auto = cgroup:mixed proc:mixed sys:ro
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.

1
config/templates/plamo.common.conf.in
View File

@ -2,7 +2,6 @@
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Default mount
lxc.mount.auto = proc sys cgroup
lxc.mount.entry = none dev/shm tmpfs nosuid,nodev,noexec,mode=1777 0 0
# Doesn't support consoles in /dev/lxc/

5
config/templates/ubuntu.common.conf.in
View File

@ -2,8 +2,6 @@
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
#lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
# apparmor's added security, use the following line instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.mount.auto = cgroup:mixed
# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.

9
doc/lxc.container.conf.sgml.in
View File

@ -774,7 +774,14 @@ proc proc proc nodev,noexec,nosuid 0 0
</listitem>
<listitem>
<para>
<option>sys:ro</option> (or <option>sys</option>):
<option>sys:mixed</option> (or <option>sys</option>):
mount <filename>/sys</filename> as read-only but with
/sys/devices/virtual/net writable.
</para>
</listitem>
<listitem>
<para>
<option>sys:ro</option>:
mount <filename>/sys</filename> as read-only
for security / container isolation purposes.
</para>

25
src/lxc/conf.c
View File

@ -750,15 +750,21 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
* MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for kernels as low as
* 2.6.32...
*/
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL },
{ 0, 0, NULL, NULL, NULL, 0, NULL }
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL },
{ 0, 0, NULL, NULL, NULL, 0, NULL }
};
for (i = 0; default_mounts[i].match_mask; i++) {
@ -793,6 +799,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
saved_errno = errno;
if (r < 0)
SYSERROR("error mounting %s on %s flags %lu", source, destination, mflags);
free(source);
free(destination);
if (r < 0) {

1
src/lxc/conf.h
View File

@ -236,6 +236,7 @@ enum {
LXC_AUTO_SYS_RW = 0x004, /* /sys */
LXC_AUTO_SYS_RO = 0x008, /* /sys read-only */
LXC_AUTO_SYS_MIXED = 0x00C, /* /sys read-only and /sys/class/net read-write */
LXC_AUTO_SYS_MASK = 0x00C,
LXC_AUTO_CGROUP_RO = 0x010, /* /sys/fs/cgroup (partial mount, read-only) */

3
src/lxc/confile.c
View File

@ -1416,8 +1416,9 @@ static int config_mount_auto(const char *key, const char *value,
{ "proc", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED },
{ "proc:mixed", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED },
{ "proc:rw", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW },
{ "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO },
{ "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
{ "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO },
{ "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
{ "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW },
{ "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC },
{ "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED },

3
templates/lxc-alpine.in
View File

@ -249,9 +249,8 @@ lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 254:0 rm
# mounts point
lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.auto=cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry=run run tmpfs nodev,noexec,nosuid,relatime,size=1m,mode=0755 0 0
lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0
lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0
EOF

6
templates/lxc-altlinux.in
View File

@ -266,7 +266,6 @@ copy_configuration()
lxc.utsname = $name
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
@ -317,11 +316,8 @@ lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 10:135 rwm
EOF
cat <<EOF > $config_path/fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
EOF
if [ $? -ne 0 ]; then

22
templates/lxc-busybox.in
View File

@ -74,7 +74,7 @@ $rootfs/usr/lib64"
# minimal devices needed for busybox
if [ $in_userns -eq 1 ]; then
for dev in tty console tty0 tty1 ram0 null urandom; do
echo "/dev/$dev dev/$dev none bind,optional,create=file 0 0" >> $path/fstab
echo "lxc.mount.entry = /dev/$dev dev/$dev none bind,optional,create=file 0 0" >> $path/config
done
else
mknod -m 666 tty c 5 0 || res=1
@ -110,14 +110,6 @@ EOF
# executable
chmod 744 $rootfs/etc/init.d/rcS || return 1
# mount points
cat <<EOF >> $rootfs/etc/fstab
shm /dev/shm tmpfs defaults 0 0
EOF
# writable and readable for other
chmod 644 $rootfs/etc/fstab || return 1
# launch rcS first then make a console available
# and propose a shell on the tty, the last one is
# not needed
@ -285,6 +277,9 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
EOF
libdirs="\
@ -299,11 +294,6 @@ EOF
fi
done
echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
echo "lxc.mount.auto = proc:mixed sys" >>$path/config
if [ -f "$path/fstab" ]; then
echo "lxc.mount = $path/fstab" >>$path/config
fi
}
remap_userns()
@ -311,12 +301,12 @@ remap_userns()
path=$1
if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
chown $LXC_MAPPED_UID $path/config >/dev/null 2>&1
chown -R root $path/rootfs >/dev/null 2>&1
fi
if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
chgrp $LXC_MAPPED_GID $path/config >/dev/null 2>&1
chgrp -R root $path/rootfs >/dev/null 2>&1
fi
}

4
templates/lxc-cirros.in
View File

@ -118,7 +118,6 @@ cat >> "$path/config" <<EOF
# Template used to create this container: cirros
lxc.rootfs = $rootfs
#lxc.mount = $path/fstab
lxc.pivotdir = lxc_putold
lxc.tty = 4
@ -132,7 +131,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
#lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host, uncomment next two lines:
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.mount.auto = cgroup
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
@ -165,7 +164,6 @@ EOF
if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then
echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.userns.conf" >> $path/config
echo "lxc.mount.auto = cgroup:mixed proc:mixed sys:ro" >> $path/config
fi
}

5
templates/lxc-debian.in
View File

@ -202,7 +202,6 @@ configure_debian_systemd()
# This function has been copied and adapted from lxc-fedora
rm -f ${rootfs}/etc/systemd/system/default.target
touch ${rootfs}/etc/fstab
chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service
chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
@ -325,9 +324,6 @@ copy_configuration()
arch=$4
# Generate the configuration file
## Create the fstab (empty by default)
touch $path/fstab
# if there is exactly one veth network entry, make sure it has an
# associated hwaddr.
nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
@ -351,7 +347,6 @@ copy_configuration()
grep -q "^lxc.rootfs" $path/config 2> /dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
cat <<EOF >> $path/config
lxc.mount = $path/fstab
lxc.utsname = $hostname
lxc.arch = $arch
EOF

7
templates/lxc-openmandriva.in
View File

@ -231,8 +231,8 @@ copy_configuration()
lxc.utsname = $name
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
@ -282,11 +282,6 @@ lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 10:135 rwm
EOF
cat <<EOF > $config_path/fstab
proc $rootfs_path/proc proc nodev,noexec,nosuid 0 0
sysfs $rootfs_path/sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then

8
templates/lxc-opensuse.in
View File

@ -321,7 +321,7 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
lxc.arch = $arch
lxc.utsname = $name
lxc.mount = $path/fstab
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
@ -338,12 +338,6 @@ lxc.mount = $path/fstab
# Note: This may potentially collide with other containers of same name!
#lxc.network.veth.pair = v-$name-e0
EOF
cat <<EOF > $path/fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
tmpfs run tmpfs mode=0755,nodev,nosuid 0 0
EOF
if [ $? -ne 0 ]; then

5
templates/lxc-plamo.in
View File

@ -247,7 +247,6 @@ copy_configuration() {
ret=0
cat <<- EOF >> $path/config || let ret++
lxc.utsname = $name
lxc.mount = $path/fstab
lxc.arch = $arch
EOF
if [ -f "@LXCTEMPLATECONFIG@/plamo.common.conf" ] ; then
@ -256,8 +255,6 @@ copy_configuration() {
lxc.include = @LXCTEMPLATECONFIG@/plamo.common.conf
EOF
fi
# create the fstab (empty by default)
touch $path/fstab || let ret++
if [ $ret -ne 0 ] ; then
echo "Failed to add configuration."
return 1
@ -274,7 +271,7 @@ do_bindhome() {
# bind-mount the user's path into the container's /home
h=`getent passwd $bindhome | cut -d: -f6`
mkdir -p $rootfs/$h
echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
echo "lxc.mount.entry = $h $rootfs/$h none bind 0 0" >> $path/config
# copy /etc/passwd, /etc/shadow, and /etc/group entries into container
if ! pwd=`getent passwd $bindhome` ; then
echo "Warning: failed to copy password entry for $bindhome."

4
templates/lxc-sshd.in
View File

@ -141,9 +141,9 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs ro 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
EOF
# Oracle Linux and Fedora need the following two bind mounted

4
templates/lxc-ubuntu-cloud.in
View File

@ -66,9 +66,6 @@ copy_configuration()
fi
# Generate the configuration file
## Create the fstab (empty by default)
touch $path/fstab
## Relocate all the network config entries
sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
@ -94,7 +91,6 @@ copy_configuration()
[ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
cat <<EOF >> $path/config
lxc.mount = $path/fstab
lxc.utsname = $name
lxc.arch = $arch
EOF

6
templates/lxc-ubuntu.in
View File

@ -483,9 +483,6 @@ copy_configuration()
fi
# Generate the configuration file
## Create the fstab (empty by default)
touch $path/fstab
## Relocate all the network config entries
sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
@ -508,7 +505,6 @@ copy_configuration()
[ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
cat <<EOF >> $path/config
lxc.mount = $path/fstab
lxc.utsname = $name
lxc.arch = $arch
EOF
@ -659,7 +655,7 @@ do_bindhome()
while [ ${h2:0:1} = "/" ]; do
h2=${h2#/}
done
echo "$h $h2 none bind 0 0" >> $path/fstab
echo "lxc.mount.entry = $h $h2 none bind 0 0" >> $path/config
# Make sure the group exists in container
grp=`echo $pwd | cut -d: -f 4` # group number for $user