Hi Michael,
do you have any concerns with the attached patch to
the fedora template that adds an option --mask-tmp
that prevents fedora/systemd from over-mounting
/tmp with tmpfs, which is useful in some cases?
Thanks - Michael
----- Forwarded message from Michael Adam <obnox@samba.org> -----
Date: Sat, 10 Jan 2015 13:12:06 +0100
From: Michael Adam <obnox@samba.org>
To: LXC development mailing-list <lxc-devel@lists.linuxcontainers.org>
Subject: Re: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some
template script fixes
User-Agent: Mutt/1.5.23 (2014-03-12)
On 2015-01-10 at 13:08 +0100, Michael Adam wrote:
> On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote:
>
> > The less controversial one is adding mask-tmp to the fedora template.
> > It looks fine to me, but that should go separately to mwarfield, our
> > fedora template maintainer :)
>
> I had notified mhw of my patches on irc, but apparently he is
> currently very busy.
>
> For a start, following is an update of the uncontroversial fix
> patches, i.e. the fix patche without the path ones, and without
> the mask-tmp patch.
And here comes the mask-tmp patch.
It needs to be applied onto the previous fix-patchset.
From 9589dca113535ed2f4faad89db2fab33bb8a9d7e Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 8 Jan 2015 10:25:24 +0100
Subject: [PATCH] lxc-fedora: add a new option --mask-tmp
This will configure the container to prevent the standard
behaviour of over-mounting /tmp with tmpfs, which can be
undesirable in some cases.
My personal use case is vagrant-lxc in combination with
vagrant-cachier.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It's now been proven over and over again that the symlink from /dev/kmsg
to /dev/console is harmful for everything but upstart systems. As Ubuntu
is now switching over to systemd too, lets switch the default.
Upstart users wishing to see boot messages can always set lxc.kmsg = 1
manually in their config (so long as they don't expect to then
dist-upgrade the container to systemd succesfuly).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Now that autodev works fine with unprivileged containers and shouldn't
come with any side effect, lets turn it on by default.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
--help and --list are special in the sense that they
are independent of the other options and exit early.
Document them separately.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Make it possible to use --list without having to specify
--dist, --release, and --arch, which does not make a lot
of sense.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Alpine Linux provides yaml files with latest release instead of the old
approach with .latest.txt.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
fedora-release has been split into fedora-release and fedora-repos.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is to prevent systemd-journald to enter a 100% cpu loop.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Do as much as possible to allow containers switching from non-systemd to
systemd to work as intended (but nothing that will cause side effects).
Use update-rc.d disable instead of remove so the init scripts are not
re-enabled when the package is updated
Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Disabled building openSUSE containers on openSUSE 13.2 and openSUSE
Tumbleweed due to faulty behaviour with newer versions of
init_buildsystem.
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Create a tty so we get login prompt on console by default
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Support creation and use of lxc-cirros by unprivileged users.
If we detect we are an unprivileged user, then insist that we
be in a userns with a id mapping.
If we are in a userns, then don't extract /dev when extracting
the rootfs.
If we are not root, then save the tarball to ~/.cache/lxc/cirros
instead of /var/cache/lxc/cirros.
If we are not roo, then include entries to auto-mount proc and sys,
as well as bind-mount devices.
Cc: Scott Moser <smoser@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Do mkdir $rootfs/dev/shm and then mount tmpfs on /dev/shm.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Containers with systemd need a somewhat special setup, which I borrowed
and adapted from lxc-fedora. These changes are required so that Debian 8
(jessie) containers work properly, and are a no-op for previous Debian
versions.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fix a typo in the lines inserted in the default sources.list.
Change the default mirror to http.debian.net which is (supposedly) more
accurate and better than cdn.debian.net for a generic configuration.
Use security.debian.org directly for the {release}/updates repository.
Signed-off-by: Gu1 <gu1@aeroxteam.fr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
I've found one more typo in the gentoo template, configuration in the
generated file /etc/conf.d/hostname was not valid, but it didn't impact
me due to "lxc.utsname" being set in the configuration file of container
and hostname service being not used. Anyway, I've made a patch and
sending it with this mail.
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
for the ttys and other devices. Add this entry in the container config.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Apply the changes found in templates/lxc-download to the busybox template as
well. Change ownership of the config and fstab files to the unprivileged user,
and the ownership of the rootfs to root in the new user namespace.
Eliminate the "unsupported for userns" flag.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- move action() from common to sysvinit wrapper since its only really
applicable for sysvinit and not the other init systems
- fix bug in action() fallback, need to shift away msg before executing action
- make lxc-net 98 so it starts before lxc-container (99), otherwise the lxcbr0
won't be available when containers are autostarted
- make the default RUNTIME_PATH be /var/run instead of /run. On older
distros (like ol6.5) /run doesn't exist. lxc-net will create this directory
and attempt to create the dnsmasq.pid file in it, but this will fail when
SELinux is enabled because the directory will have the default_t type.
Newer systems have /var/run symlinked to /run so you get to the same place
in that case.
- add %postun to remove lxc-dnsmasq user when pkgs are removed
- fix bug in lxc-oracle template that was creating /var/lock/subsys/lxc as
a dir and interfering with the init scripts
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
