lxc-sshd was mounting itself (the template script) as /sbin/init in the
container using a writable bind-mount.
This shouldn't be needed and could lead to quite a few problems should
one of those containers overwrite /sbin/init for some reason.
Instead simply move to a read-only bind-mount which should prevent any
accidental dammage.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This moves vim back to the default list of packages, drops the duplicate
ssh entry which means that unless extra packages are passed through
--packages, container creation won't invoke apt-get anymore.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Otherwise one cannot create two containers with different releases
(let's say saucy [cached] and raring [not caced]) if both are not
cached on the local filesystem already. The lock blocks cached
one to move forward until not cached one finishes it's downloads.
Fix that by seperating locks using release names
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Change paths in fstab to be relative to the root and fix a wrong
rootfs_path value.
Signed-off-by: Serge Logvinov <serge.logvinov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This introduces a new /usr/share/lxc/config directory containing common
configuration snippets.
The two Ubuntu templates are then simplified to just include the
relevant entries avoiding a whole lot of hardcoded cgroup, capabilities
and mount points configuration.
An extra comment is also added at the top of all generated configuration
files telling the user to look at lxc.conf(5) for more information.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds the same code to the Debian-based templates (Ubuntu and Ubuntu
Cloud) and also avoids a needless fork.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
THe recent reorg of lxc-ubuntu introduced some package installation in
post-process but without first disabling service startup.
As a result, if the cache is a bit out of date and a ssh update is
available, post-process will apply that update (as it does apt-get
install ssh vim) which in turn will attemp to start sshd. This will
either lead to ssh on the host being restarted or if there's no sshd on
the host, will fail the container creation as the postinst will get an
error from upstart.
The fix is very simply to add the same policy-rc.d trick when running
post-process.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This adds an lxc-centos template for crreating CentOS 5+ templates. It
does NOT create CentOS 4 or earlier containers as these are way past
end of life and no longer supported. It is based on the work of
Fajar A. Nugraha <github@fajar.net> who modified an earlier Fedora
template. His work has been brought LARGELY into congruence with
the current Fedora template. It still lacks the distro agnostic
bootstrap and systemd code from the Fedora template but those should
only be relevant with CentOS 7 when that can of worms pops open
sometime next year or so.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Just some additional catches for disabling selinux and pam_loginuid.so
thanks to Dwight Engen and the Oracle template.
Also add ssh and ssh-server to the default installation.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This adds support for "packages", "user" and "password"
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This allows the boot messages to be seen which are useful for monitoring
container startup.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is needed when using the user namespace since the kernel check does
not allow user_ns root to successfully call vhangup(2), and mingetty will
quit in this case.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
conf.c/conf.h: have replaced bool hostid_is_mapped() with int mapped_hostid()
which returns the mapped uid for the caller's uid on the host, or -1 if
none
create_run_template: pass caller's uid into template.
lxc-ubuntu-cloud:
1. accept --mapped-uid argument
2. don't write to devices cgroup - not allowed.
3. if running in userns, use $HOME/.cache
4. chown cached files to the uid to which our caller was
mapped
5. ignore /dev when extracting rootfs in a userns
Changelog: nov 5: remove debugging INFO line.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We allow 4 consoles in the LXC config file so we can enable 4 in the
inittab as well.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The bootmisc script is needed to clean up various temp dirs like /tmp
and migrate /var/run to /run if needed.
The syslog service is started in 'boot' runlevel when running on real
hardware so we do the same for containers.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Note that since we don't drop CAP_SYS_ADMIN, root in the container can
remount proc or sys however they want to, however this at least improves
the default situation.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The template creates /dev/full for the container but needs also give
permission to access it.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Ensure /proc and /sys are mounted in the container, otherwise
apparmor_enabled() will fail to find
/sys/module/apparmor/parameters/enabled
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This fixes a few obvious issues when comparing the make dist output with
the git tree.
- Make all templates non-executable in git
- Remove unused files:
- src/lxc/list.c (empty, only includes the list.h header)
- src/lxc/lxc-destroy.in (replace by lxc_destroy.c)
- Add missing files to dist tarball:
- src/python-lxc/examples/pyconsole.py
- src/python-lxc/examples/pyconsole-vte.py
- Mark all the python API tests executable
- Mark lxc-test-ubuntu executable
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
