mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2025-07-13 05:50:05 +00:00
b4f7af7a52
This is a reissue of two previous patches along with some additional
changes for hardening the root password process based on discussions
on-list.
--
This patch modifies the lxc-fedora and lxc-centos templates for 3 things.
1) Extensively modifies root password generation, storage, and management
based on discussions on the devel list.
Root passwords are hardened and have advanced configurability.
A static password may be provided.
A password based on a template may be generated, including ${RANDOM}.
A password may be generated through mktmp using a template with X's.
Root passwords default to expired, initially.
Passwords may optionally be echoed to stdout at container creation. (no)
Passwords may optionally be stored in ${rootfs_path}/tmp_root_pass. (yes)
Users may be optionally forced to change the password at creation time. (no)
Default is to generate a pattern based password and store, no force change.
All of this may be overridden by environment variables through
conditional assignment.
2) Random static hardware addresses are generated for all configured
interfaces.
3) Add code to create sysv init style scripts to intercept shutdown and
reboot to prevent init restart and hang for CentOS and legacy Fedora
systems on shutdown, reboot, init 0, and init 6. This solves a variety
of hang conditions but only affects newly created containers. Does
not have any impact on systemd based containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
|
||
|---|---|---|
| config | ||
| doc | ||
| hooks | ||
| src | ||
| templates | ||
| .gitignore | ||
| .travis.yml | ||
| AUTHORS | ||
| autogen.sh | ||
| configure.ac | ||
| CONTRIBUTING | ||
| COPYING | ||
| INSTALL | ||
| lxc.pc.in | ||
| lxc.spec.in | ||
| MAINTAINERS | ||
| Makefile.am | ||
| NEWS | ||
| README | ||
| runapitests.sh | ||
| TODO | ||
Please see the COPYING file for details on copying and usage.
Please refer to the INSTALL file for instructions on how to build.
What is lxc:
The container technology is actively being pushed into the mainstream linux
kernel. It provides the resource management through the control groups aka
process containers and resource isolation through the namespaces.
The linux containers, lxc, aims to use these new functionalities to pro-
vide an userspace container object which provides full resource isolation
and resource control for an applications or a system.
The first objective of this project is to make the life easier for the ker-
nel developers involved in the containers project and especially to con-
tinue working on the Checkpoint/Restart new features. The lxc is small
enough to easily manage a container with simple command lines and complete
enough to be used for other purposes.
Using lxc:
Refer the lxc* man pages (generated from doc/* files)
Downloading the current source code:
Source for the latest released version can always be downloaded from
http://linuxcontainers.org/downloads/
You can browse the up to the minute source code and change history online.
http://github.com/lxc/lxc
For detailed build instruction refer to INSTALL and man lxc man page
but a short command line should work:
./autogen.sh && ./configure && make && sudo make install
preceded by ./autogen.sh if configure do not exist yet.
Troubleshooting:
If the ./autogen.sh script shows the following message: "aclocal: not found",
you are likely missing the "automake" package. Make sure it's installed and
try again.
If the ./configure script gives you the following message:
"configure: error: Please install the libcap development files."
you are likely missing the "libcap-dev" package.
The configure script will usually give you hints as to what you are missing,
looking for those in your package manager will usually give you the package
that you need to install.
Getting help:
when you find you need help, you can check out one of the two
lxc mailing list archives and register if interested:
http://lists.linuxcontainers.org/listinfo/lxc-devel
http://lists.linuxcontainers.org/listinfo/lxc-users
Portability:
lxc is still in development, so the command syntax and the API can
change. The version 1.0.0 will be the frozen version.
lxc is developed and tested on Linux since kernel mainline version 2.6.27
(without network) and 2.6.29 with network isolation.
It's compiled with gcc, and should work on most architectures as long as the
required kernel features are available. This includes (but isn't limited to):
i686, x86_64, ppc, ppc64, S390, armel and armhf.
AUTHOR
Daniel Lezcano <daniel.lezcano@free.fr>
Seccomp with LXC
----------------
To restrict a container with seccomp, you must specify a profile which is
basically a whitelist of system calls it may execute. In the container
config file, add a line like
lxc.seccomp = /var/lib/lxc/q1/seccomp.full
I created a usable (but basically worthless) seccomp.full file using
cat > seccomp.full << EOF
1
whitelist
EOF
for i in `seq 0 300`; do
echo $i >> seccomp.full
done
for i in `seq 1024 1079`; do
echo $i >> seccomp.full
done
-- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600