Set the halt.target action to be sigpwr.target. This allows
SIGPWR to properly shut the container down from lxc-stop.
Renable the systemd-journald.service.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Added lxc.arch to the resulting container configuration files
to support i686 on x86_64 cross arch containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Added the environment variable "root_password_expired" to
control if the initial, temporary, root password is initially
set up as "expired". If set to "yes" (default), the root password
is set as "expired" and the user must change it at first login.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Added code to catch SIGPWR for Upstart in Fedora and CentOS
containers as well as for Systemd in Fedora containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If the container does not already contain an /etc/localtime
timezone definition, then copy a definition from the host to
the container. This is often a symlink to an appropriate
system timezone definition files and is presumed to exist in
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Corner case existed when building a cross-arch container (i686 on x86_64)
on a cross-distro host (Fedora container on Ubuntu host). Fixed the
arch "fixup" code to do the right thing when running from the bootstrap.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Added code to the CentOS and Fedora templates so that x86 32 bit containers
may be built on x86_64 platforms. Like archectectures may also be trivially
used as well.
Option added is "-a {arch}".
Additionally cleaned up some bash specific logic.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This updates the Fedora and CentOS templates to utilize a common
included config. This is largely based on the changes in the Oracle
template with some exceptions.
Dropping of setpcap (present in the Oracle template) is commented out in
the Fedora template. It seems to cause problems, such as large login
delays with Fedora 20 containers (but not Fedora 19 - strange).
The Fedora template is further modified to disable systemd-journald.service
as it is unnecessary in a container and causes serious problems when
running in a Fedora 20 container.
The Fedora template is also updated to default to Fedora 20 when running
on a non-Fedora host.
Regards,
Mike
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is a reissue of two previous patches along with some additional
changes for hardening the root password process based on discussions
on-list.
--
This patch modifies the lxc-fedora and lxc-centos templates for 3 things.
1) Extensively modifies root password generation, storage, and management
based on discussions on the devel list.
Root passwords are hardened and have advanced configurability.
A static password may be provided.
A password based on a template may be generated, including ${RANDOM}.
A password may be generated through mktmp using a template with X's.
Root passwords default to expired, initially.
Passwords may optionally be echoed to stdout at container creation. (no)
Passwords may optionally be stored in ${rootfs_path}/tmp_root_pass. (yes)
Users may be optionally forced to change the password at creation time. (no)
Default is to generate a pattern based password and store, no force change.
All of this may be overridden by environment variables through
conditional assignment.
2) Random static hardware addresses are generated for all configured
interfaces.
3) Add code to create sysv init style scripts to intercept shutdown and
reboot to prevent init restart and hang for CentOS and legacy Fedora
systems on shutdown, reboot, init 0, and init 6. This solves a variety
of hang conditions but only affects newly created containers. Does
not have any impact on systemd based containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Additional logic for dealing with container shutdown / reboot
Fix a problem with CentOS containers and legacy Fedora (<16) containers
not shutting down or rebooting properly. Copy /etc/init.d/halt to
/etc/init.d/lxc-halt, deleting everything from the "hwclock save" and
all after and append a force halt or reboot at the end of the new
script, to prevent reexecing init. Link that script in as
S00lxc-halt in rc0.d and S00lxc-reboot in rc6.d to intercept the
shutdown process before it gets to S01halt / S01reboot causing the hang.
Fixed some typos in the CentOS template that were introduced in the
previous patch for hwaddr settings and missed in regression testing.
Cleaned up some instruction typos and tabs from previous patch.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Backported typo fixes from CentOS template back to Fedora Template
Bumped default rev from Fedora 18 to Fedora 19
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Just some additional catches for disabling selinux and pam_loginuid.so
thanks to Dwight Engen and the Oracle template.
Also add ssh and ssh-server to the default installation.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This patches the Fedora template to insure that the legacy network
startup scripts are enabled when NetworkManager has not been installed
in the container (default).
It also fixes a login problem with pam_loginuid.so in a container.
https://bugzilla.redhat.com/show_bug.cgi?id=966807
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
--
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
They are the real /dev/tty{0,1}, which are physical consoles. Lxc
bind-mounts over them. Don't let the container use these!
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This patch reworks the Fedora template to operate in the most "distro
agnostic" manner possible. It should even run on distros where rpm and
yum are not present and not available or may be incompatible. It
depends on the most basic set of system facilities like rsync but does
require squashfs support also be available to mount a LiveOS runtime.
Based on comments at Linux Plumbers, what I had been referring to as a
"run time environment" or RTE has been renamed in the code to refer to
it as a "bootstrap". It has been tested on Fedora (of course),
OpenSuse, Ubuntu, and Oracle (latest host versions of each) building
Fedora containers of F19 back through F9. Varying levels of database
problems were encountered from F11 and back and are "will not fix" due
to versions being long EOL. F15 and F16 build but do not run "out of
the box" due to systemd version issues and those are also "will not fix"
for the same reasons.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Satoshi Matsumoto certainly had the right idea and in spotting a bug in
the lxc-fedora template for systemd detection. Heart was in the right
spot but patch was not what we needed.
I've looked the patch code over for systemd support and init/upstart
support and modified the logic appropriately. If /etc/systemd/system
exists, we'll do the right thing by systemd. If /etc/rc.sysinit exists,
we'll do the right thing by init / upstart. If both are installed,
we'll trying and accommodate both in case someone is playing games with
the two (I've done this).
Patch was trivial, just took more time to actually test it and create
some containers with it and verify them, than it did to code them.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Hey all!
Patch for the Fedora template. Several things...
1) A month or so ago, I floated an idea of adding an option for utsname
which Serge seemed to like but we let it float for more feedback (none
came).
2) In private mail to Serge and Stéphane I mentioned the idea of using
the CPE (Common Platform Enumeration) for host distro and version
identification. I heard back from Serge but not Stéphane. CPE is a
standard promoted by NIST and Mitre (along with CVE and CVSS) as part of
the security community as a common identification mechanism. It's
supported by RedHat based distros and many others (notable exception
Ubuntu). I've patched the Fedora template to parse first
the /etc/os-release file or, alternatively, the /etc/system-release-cpe
file for the distro ID and version instead of the human
readable /etc/redhat-release. There's more that can be done with that
in the realm of cross distro container builds, I suspect.
3) At the time of working on 1&2 I noticed that the retry logic in the
Fedora template just didn't seem right. I believe I posted a message
asking for clarification on that behavior. A recently post in the
-users list indicating that someone could not create a Fedora 19
container (because the release ver string was 19-2 and the template was
only looking for -1) prompted me to rework the retry logic for handling
the mirror list and servers as well as revamp the download logic to
properly identify the correct release package.
The patch for all of the above is attached below the jump. It's been
tested on Fedora 17 through Fedora 19 hosts and has created containers
for F11, F12, F13, F14, F16, F17, F18, and F19. F15 failed for rpm
dependency issues that are not worth fixing (IMHO).
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is just some minor changes in the way the Fedora template is
synthesizing the target rootfs_path. Currently, the template uses a
path with the container in it twice like this:
/var/lib/lxc/rasputin/rasputin/rootfs
This happens because the container name is already contained in the
"path" and the template appends it a second time. This changes the
logic to be congruent with other templates such as lxc-arch. The new
behavior will be to create the rootfs like this:
/var/lib/lxc/rasputin/rootfs
Attached below the jump.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Hey all...
Patch to the lxc-fedora template to setup gettys on the ttys that are
enabled in the configuration. The area of the code already had some
modifications to that service that didn't seem to do anything and would
get wiped out by an update. I commented that out but subsumed the
change it was attempting into my command in case it does something on
another rev somewhere.
This is very similar to the logic in the OpenSuse template but doesn't
seem to appear in other templates, such as arch, which have to deal with
systemd. This isn't unique to Fedora. The templates for Fedora,
ArchLinux, and OpenSuse are the only three that seem to have any
reference to systemd at all.
Attached below the jump.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This took a lot longer for me to get around to it... Sorry.
Patch to the lxc-fedora template.
I didn't get any further comments from my earlier proposal, weeks ago,
and did get one addition based on comments about properly setting the
hostname in /etc/hostname, which I've added. I could have broken them
into separate patches but most are pretty small and minor.
Changes:
* Map armv6l and armv7l architectures to "arm" for yum and repos to
function properly.
* Detect Fedora Remix distros with no "/etc/fedora-release" file
(Raspberry Pi) and find proper release versions when "remix" part of the
file context.
* Change default Fedora container on non-Fedora hosts to Fedora 17.
* Added code for autodev for Fedora systemd containers.
* Added code to set /etc/hostname for Fedora > 14 (systemd).
* Fix a few typos.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Don't allow write to /dev/rtc0, and remove sys_time.
Thanks, Christoph.
v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.
Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The Url for the fedora-release RPM changed in release 17.
Signed-off-by: Maximilian Seesslen <mes@seesslen.net>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Move to per-template lock (except for oracle that's per-container).
Also ensure that the path used for the lock is relative to LOCALSTATEDIR.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit updates all scripts using mixed indent to a consistent
4 spaces indent.
In the past quite a few of those scripts used tabs to instead of 8 spaces or
instead of 4 spaces, sometimes mixing those in the same line and sometimes
changing the tab width within the same file.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This updates all the templates and the configuration files to consistently
use "key = value" everywhere.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
I'm not sure whether we want this: is -H ubiquitous?
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs. Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Just wait until the lock is available. That is a nicer behavior
for concurrent lxc-creates.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
At the same time, allow lxc.mount.entry to specify an absolute target
path relative to /var/lib/lxc/CN/rootfs, even if rootfs is a blockdev.
Otherwise all such entries are ignored for blockdev-backed containers.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The hardcoded URL seems to be broken and 404 error was not
checked. Now the mirror is selected from mirrorlist (instead of
hardcoding to funet.fi) and fetch errors are checked.
Also added a retry loop (with 3 tries) to find a working mirror, since
some of the mirrors are not OK.
Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
