templatesconfigdir=@LXCTEMPLATECONFIG@
templatesconfig_DATA = \
+ centos.common.conf \
+ centos.userns.conf \
debian.common.conf \
debian.userns.conf \
+ fedora.common.conf \
+ fedora.userns.conf \
oracle.common.conf \
oracle.userns.conf \
plamo.common.conf \
--- /dev/null
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+#
+lxc.cap.drop = mac_admin mac_override setfcap setpcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
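Review bot: The device whitelist in this new file no longer allows `c 5:1 rwm` (/dev/console) or `c 254:0 rwm` (rtc), both of which the lxc-centos template wrote into the generated config before this commit, so containers that relied on those nodes will lose access to them after upgrading. If the narrowing is deliberate (the console is now a pty bind-mounted through `lxc.devttydir` rather than the 5:1 node, and rtc access is simply withheld), record it next to the list, e.g. `# 5:1 (/dev/console) and 254:0 (rtc) intentionally not allowed; console is a pty bind-mounted via lxc.devttydir`. Left undocumented, the entries are likely to be added back by someone fixing a bug report without weighing the exposure.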
--- /dev/null
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+# lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
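Review bot: `lxc.devttydir =` is commented out under the "We can't move bind-mounts" note in this file, while the otherwise identical fedora.userns.conf added by the same commit leaves it active, so the two unprivileged profiles disagree on where console ptys appear (`/dev/lxc/tty*` versus `/dev/tty*`). The securetty entries the lxc-centos template now appends (`lxc/console`, `lxc/tty1` to `lxc/tty4`) assume the `lxc/` prefix, so root console login in a user-namespace container only works if this setting and those entries agree. Either uncomment the line to match fedora.userns.conf, or replace the bare comment with one stating why centos keeps `/dev/lxc/` under userns.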
--- /dev/null
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+# lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = setfcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
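Review bot: `lxc.mount.auto = proc:mixed sys:ro` is commented out in the Mount entries section of this file, whereas centos.common.conf in the same commit enables it, and the lxc-fedora hunk removes the old fstab with its proc and sysfs lines, so nothing in a fedora container's configuration now asks LXC to mount /proc or /sys at all. If the reasoning is that systemd mounts them itself, that leaves /proc/sys and /proc/sysrq-trigger writable in a privileged container, which is precisely what `proc:mixed` exists to prevent. Either enable the line as centos.common.conf does, or replace the bare `#` with a comment giving the reason, e.g. `# proc:mixed disabled because <reason>; note this leaves /proc/sys writable`.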
--- /dev/null
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
config/init/upstart/Makefile
config/etc/Makefile
config/templates/Makefile
+ config/templates/centos.common.conf
+ config/templates/centos.userns.conf
config/templates/debian.common.conf
config/templates/debian.userns.conf
+ config/templates/fedora.common.conf
+ config/templates/fedora.userns.conf
config/templates/oracle.common.conf
config/templates/oracle.userns.conf
config/templates/plamo.common.conf
mknod -m 600 ${dev_path}/initctl p
mknod -m 666 ${dev_path}/ptmx c 5 2
+ # setup console and tty[1-4] for login. note that /dev/console and
+ # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
+ # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
+ # lxc will maintain these links and bind mount ptys over /dev/lxc/*
+ # since lxc.devttydir is specified in the config.
+
+ # allow root login on console, tty[1-4], and pts/0 for libvirt
+ echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
+ echo "lxc/console" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty1" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty2" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty3" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty4" >>${rootfs_path}/etc/securetty
+ echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
+ echo "pts/0" >>${rootfs_path}/etc/securetty
+
if [ ${root_display_password} = "yes" ]
then
echo "Setting root password to '$root_password'"
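Review bot: The `echo ... >>${rootfs_path}/etc/securetty` lines append unconditionally, so re-running the template against an existing rootfs duplicates every entry, and `${rootfs_path}` is unquoted in each redirection. A guard in front of the block such as `grep -qxF 'lxc/console' "${rootfs_path}/etc/securetty" 2>/dev/null ||` keeps it idempotent. The `pts/0` entry is commented as being for libvirt, but pam_securetty applies it to whichever process ends up on the first pty inside the container, so the comment should state that trade-off rather than imply it only matters under libvirt. The same block appears in the lxc-fedora hunk ending at the second "Setting root password" line.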
rm -f $config_path/config.def
+ if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]; then
+ echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/centos.common.conf
+" >> $config_path/config
+ fi
+
+ # Append things which require expansion here...
cat <<EOF >> $config_path/config
lxc.utsname = $utsname
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount = $config_path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev
# Note: This may potentially collide with other containers of same name!
#lxc.network.veth.pair = v-$name-e0
-#cgroups
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
-EOF
-
- cat <<EOF > $config_path/fstab
-proc proc proc nodev,noexec,nosuid 0 0
-sysfs sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then
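Review bot: The new `if [ -e "@LXCTEMPLATECONFIG@/centos.common.conf" ]` guard silently skips the include when the file is absent, while the same hunk removes `lxc.cap.drop`, `lxc.cgroup.devices.deny = a` and the device whitelist from the generated config, so a missing common conf now produces a container with no capability drops and no device cgroup restrictions and no message about it. Before this change the template always emitted those settings itself. Add an `else` branch, e.g. `else` / `echo "Warning: @LXCTEMPLATECONFIG@/centos.common.conf not found; container will run without capability drops and device cgroup restrictions" >&2`, or fail outright, since a template whose config directory is missing is a packaging error rather than a supported layout. `$config_path` is also unquoted in every redirection here. The lxc-fedora hunk ending at the second `if [ $? -ne 0 ]; then` has the same construct.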
mknod -m 600 ${dev_path}/initctl p
mknod -m 666 ${dev_path}/ptmx c 5 2
+ # setup console and tty[1-4] for login. note that /dev/console and
+ # /dev/tty[1-4] will be symlinks to the ptys /dev/lxc/console and
+ # /dev/lxc/tty[1-4] so that package updates can overwrite the symlinks.
+ # lxc will maintain these links and bind mount ptys over /dev/lxc/*
+ # since lxc.devttydir is specified in the config.
+
+ # allow root login on console, tty[1-4], and pts/0 for libvirt
+ echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
+ echo "lxc/console" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty1" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty2" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty3" >>${rootfs_path}/etc/securetty
+ echo "lxc/tty4" >>${rootfs_path}/etc/securetty
+ echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
+ echo "pts/0" >>${rootfs_path}/etc/securetty
+
if [ ${root_display_password} = "yes" ]
then
echo "Setting root password to '$root_password'"
rm -f ${rootfs_path}/etc/systemd/system/default.target
touch ${rootfs_path}/etc/fstab
chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
+ chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/systemd-journald.service
chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
#dependency on a device unit fails it specially that we disabled udev
# sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
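Review bot: The added `ln -s /dev/null /etc/systemd/system/systemd-journald.service` masks journald inside the container, which removes the guest's own log store and with it the primary in-container evidence source for incident response, yet the line carries no comment explaining why. If journald is being masked because it fails under LXC at this point, say so and name where guest logs are expected to go instead, e.g. `# mask journald: <reason>; guest logging relies on <fallback>`. `${rootfs_path}` is unquoted in the new line, as in its neighbours.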
# and then used to build other arbitrary vesions of Fedora of a
# given architecture. Not that this only has to run once for
# Fedora on a given architecture since rpm and yum can build other
-# versions. We'll arbitrarily pick Fedora 19 to build this. This
+# versions. We'll arbitrarily pick Fedora 20 to build this. This
# will need to change as time goes on.
# Programmers Note... A future fall back may be to download the netinst
"
sleep 3 # let him read it...
- # Right now, we are using Fedora 19 for the inial bootstrap.
+ # Right now, we are using Fedora 20 for the inial bootstrap.
# We could make this the "current" Fedora rev (F > 15).
- rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS .
+ rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/LiveOS .
if [[ 0 == $? ]]
then
# of this LiveOS image we're camped out on. This is the beginning
# of the butt ugly hack. Look close or you may missing it...
- rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
- mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* .
+ rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
+ mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/y/yum-[0-9]* .
# And here it is...
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
echo "Stage 1 creation complete. Building stage 2 Installation Bootstrap"
mount -o bind ../bootstrap run/install
- rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* .
+ rsync -av mirrors.kernel.org::fedora/releases/20/Fedora/$arch/os/Packages/f/fedora-release-20* .
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
{
mkdir -p @LOCALSTATEDIR@/lock/subsys/
(
- flock -x 200
+ flock -x 9
if [ $? -ne 0 ]; then
echo "Cache repository is busy."
return 1
fi
return 0
- ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
+ ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
return $?
}
rm -f $config_path/config.def
+ if [ -e "@LXCTEMPLATECONFIG@/fedora.common.conf" ]; then
+ echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf
+" >> $config_path/config
+ fi
+
+ # Append things which require expansion here...
cat <<EOF >> $config_path/config
lxc.utsname = $utsname
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount = $config_path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev
# Note: This may potentially collide with other containers of same name!
#lxc.network.veth.pair = v-$name-e0
-#cgroups
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-EOF
-
- cat <<EOF > $config_path/fstab
-proc proc proc nodev,noexec,nosuid 0 0
-sysfs sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then
# lock, so we won't purge while someone is creating a repository
(
- flock -x 200
+ flock -x 9
if [ $? != 0 ]; then
echo "Cache repository is busy."
exit 1
echo -n "Purging the download cache for Fedora-$release..."
rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
exit 0
- ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
+ ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
}
usage()
if [ "$is_fedora" -a "$fedora_host_ver" ]; then
release=$fedora_host_ver
else
- echo "This is not a fedora host and release missing, defaulting to 19. use -R|--release to specify release"
- release=19
+ echo "This is not a fedora host and release missing, defaulting to 20 use -R|--release to specify release"
+ release=20
fi
fi