Use consistent /proc, /sys and /sys/fs/cgroup (v2)

 - Implements mixed mode for /sys where it's mounted read-only but with
   /sys/devices/virtual/net/ writable.

 - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
   templates.

 - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.

 - Get rid of the fstab file by default, using lxc.mount.entry instead.

 - Set sys:mixed as the default for "sys". sys:mixed is slightly more
   permissive than sys:ro so this shouldn't be a problem.

The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.

v2 changes:
 - Fix the mount list, don't specify a source for the remount.
 - Update the documentation.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
index 693f2f4556576982c6d0a048c90ad00745386db6..f86949138e7893590ca3363be5a57a13b22c01b5 100644 (file)
--- a/config/templates/archlinux.common.conf.in
+++ b/config/templates/archlinux.common.conf.in
@@ -8,9 +8,6 @@ lxc.tty = 6
 lxc.haltsignal=SIGRTMIN+4
 lxc.stopsignal=SIGRTMIN+14
 
-# Mount entries
-lxc.mount.auto = proc:mixed sys:ro
-
 # Uncomment to disable creating tty devices subdirectory in /dev
 # lxc.devttydir =
 

diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
index 4ce2fda2c90bb048d7c9e6f8b9475d93c72418c8..ee2e9e1ba684e65002bcdfa8a456e64b598c1e5e 100644 (file)
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
@@ -1,9 +1,6 @@
 # This derives from the global common config
 lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
-# Mount entries
-lxc.mount.auto = proc:mixed sys:ro
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.

diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index f22ef0c1fd875c325c625208edcaf0920d9a31dc..26b322964b0934e25bf05a37ef87249f5b09f079 100644 (file)
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -43,6 +43,9 @@ lxc.cgroup.devices.allow = c 1:9 rwm
 ### /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
 
+# Setup the default mounts
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+
 # Blacklist some syscalls which are not safe in privileged
 # containers
 lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index e1d421f87ff41192398dce39877ce9cfc3f7048a..493feee338a92d9a3eb953469bd8153802f7963b 100644 (file)
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -5,8 +5,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 lxc.devttydir =
 
 # Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
 # When using LXC with apparmor, the container will be confined by default.
@@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
 #lxc.aa_profile = unconfined
 
 # To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following two lines instead.
+# apparmor's added security, use the following line instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.mount.auto = cgroup:mixed
 
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop

diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index 7b966726eb0e350bb5440af63f375bb041a3951d..01c8f4885920d2c68977491fb8533f7e843344b3 100644 (file)
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -6,9 +6,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # But security is not the goal.
 # Looking for more security, see gentoo.moresecure.conf
 
-# Default mount entries
-lxc.mount.entry=sys sys sysfs defaults 0 0
-
 # Doesn't support consoles in /dev/lxc/
 lxc.devttydir =
 

diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
index 238303d301bea72f1d9cb7192af85927721144b8..270e9df979473821074568c5f243c53a70929879 100644 (file)
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -8,8 +8,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Container user ? see gentoo.common.conf
 
 # do not mount sysfs, see http://blog.bofh.it/debian/id_413
-# lxc.mount.entry=sys sys sysfs rw 0 0
-lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0
 lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0

diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
index 05918f057057559197342a15ebe96e61b9c5d314..6609333c6c9a2455109ef9457c4c86899de04e04 100644 (file)
--- a/config/templates/openwrt.common.conf.in
+++ b/config/templates/openwrt.common.conf.in
@@ -1,7 +1,3 @@
-# Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
-
 # Default console settings
 lxc.devttydir = lxc
 lxc.tty = 4

diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
index 10522b2b6756670a106f5bb7d1e136ecb9a48b70..8a72ad003efd352c0730a97d7590e288832001d5 100644 (file)
--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
@@ -1,9 +1,6 @@
 # This derives from the global common config
 lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
-# Mount entries
-lxc.mount.auto = cgroup:mixed proc:mixed sys:ro
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.

diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
index 9b0d02b3f1880b8adc83526d54f7df0aa31a858c..e7809e13e81acd01eb104af15a75d3b6131ba6e2 100644 (file)
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -2,7 +2,6 @@
 lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount
-lxc.mount.auto = proc sys cgroup
 lxc.mount.entry = none dev/shm tmpfs nosuid,nodev,noexec,mode=1777 0 0
 
 # Doesn't support consoles in /dev/lxc/

diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 19a6a6771ad8d9f84ae6d0b336faebe74cf787e9..d1ce8e99f884b6327d5ebe4f8a8cce6c5b318a53 100644 (file)
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -2,8 +2,6 @@
 lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
@@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
 #lxc.aa_profile = unconfined
 
 # To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following two lines instead.
+# apparmor's added security, use the following line instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.mount.auto = cgroup:mixed
 
 # Uncomment the following line to autodetect squid-deb-proxy configuration on the
 # host and forward it to the guest at start time.

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index a86b1e565cf9563969aadb2bfe93c6eaeb8965ae..50c6a2a7c95b1144b002ccec4a7cdeb8cd5f93d6 100644 (file)
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -774,7 +774,14 @@ proc proc proc nodev,noexec,nosuid 0 0
               </listitem>
               <listitem>
                 <para>
-                  <option>sys:ro</option> (or <option>sys</option>):
+                  <option>sys:mixed</option> (or <option>sys</option>):
+                  mount <filename>/sys</filename> as read-only but with
+                  /sys/devices/virtual/net writable.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  <option>sys:ro</option>:
                   mount <filename>/sys</filename> as read-only
                   for security / container isolation purposes.
                 </para>

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index e7def3e9e236979978e42568a8e83b5581df375f..d2cfbe80772a83c11e1594aaae362113bb2e6f98 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -750,15 +750,21 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
                 * MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for kernels as low as
                 * 2.6.32...
                 */
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                  "%r/proc",               "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",           "%r/proc/sys",           NULL,    MS_BIND,                      NULL },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                    "%r/proc/sys",           NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL,    MS_BIND,                      NULL },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                    "%r/proc/sysrq-trigger", NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                  "%r/proc",               "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                 "%r/sys",                "sysfs", 0,                            NULL },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                 "%r/sys",                "sysfs", MS_RDONLY,                    NULL },
-               { 0,                  0,                   NULL,                    NULL,                    NULL,    0,                            NULL }
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                              "%r/proc",                      "proc",     MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                       "%r/proc/sys",                  NULL,       MS_BIND,                        NULL },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                                "%r/proc/sys",                  NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                             "%r/proc/sysrq-trigger",        NULL,       MS_BIND,                        NULL },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                                "%r/proc/sysrq-trigger",        NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                              "%r/proc",                      "proc",     MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                             "%r/sys",                       "sysfs",    0,                              NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                             "%r/sys",                       "sysfs",    MS_RDONLY,                      NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                             "%r/sys",                       "sysfs",    MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                            "%r/sys",                       NULL,       MS_BIND,                        NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                                "%r/sys",                       NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                             "%r/sys/devices/virtual/net",   "sysfs",    0,                              NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net",    "%r/sys/devices/virtual/net",   NULL,       MS_BIND,                        NULL },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                                "%r/sys/devices/virtual/net",   NULL,       MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC,   NULL },
+               { 0,                  0,                   NULL,                                                NULL,                           NULL,       0,                              NULL }
        };
 
        for (i = 0; default_mounts[i].match_mask; i++) {
@@ -793,6 +799,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
                        saved_errno = errno;
                        if (r < 0)
                                SYSERROR("error mounting %s on %s flags %lu", source, destination, mflags);
+
                        free(source);
                        free(destination);
                        if (r < 0) {

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 8ec3e8e705415e797291db427fa1a9b709d3835b..afa55179d243243e0775c4ce639580ab10c3fd86 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -236,6 +236,7 @@ enum {
 
        LXC_AUTO_SYS_RW               = 0x004,   /* /sys */
        LXC_AUTO_SYS_RO               = 0x008,   /* /sys read-only */
+       LXC_AUTO_SYS_MIXED            = 0x00C,   /* /sys read-only and /sys/class/net read-write */
        LXC_AUTO_SYS_MASK             = 0x00C,
 
        LXC_AUTO_CGROUP_RO            = 0x010,   /* /sys/fs/cgroup (partial mount, read-only) */

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index ccdf26c44df1f2e7fa282849b60070adb433ef8d..8544ac9b7c678ed8d5a6a6a86683db8be495b3cd 100644 (file)
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1416,8 +1416,9 @@ static int config_mount_auto(const char *key, const char *value,
                { "proc",               LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_MIXED         },
                { "proc:mixed",         LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_MIXED         },
                { "proc:rw",            LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_RW            },
-               { "sys",                LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RO             },
+               { "sys",                LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_MIXED          },
                { "sys:ro",             LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RO             },
+               { "sys:mixed",          LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_MIXED          },
                { "sys:rw",             LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RW             },
                { "cgroup",             LXC_AUTO_CGROUP_MASK,    LXC_AUTO_CGROUP_NOSPEC      },
                { "cgroup:mixed",       LXC_AUTO_CGROUP_MASK,    LXC_AUTO_CGROUP_MIXED       },

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 187a032534dbb078b119dca399d6a1359cb50c6a..886a8380640133b45fce120e1825cb81d9fc9cae 100644 (file)
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -249,9 +249,8 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
-lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.auto=cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry=run run tmpfs nodev,noexec,nosuid,relatime,size=1m,mode=0755 0 0
-lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0
 lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0
 
 EOF

diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index ac4527b362ef52af7f51abccfcf0b53a8897dc87..8b4168c61abde892aba60d1da563800ed0f0de2f 100644 (file)
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -266,7 +266,6 @@ copy_configuration()
 lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $config_path/fstab
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
@@ -317,11 +316,8 @@ lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 10:135 rwm
-EOF
 
-    cat <<EOF > $config_path/fstab
-proc            proc         proc    nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs   defaults  0 0
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 EOF
 
     if [ $? -ne 0 ]; then

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 3cfa9586a1ec635abdb3a7d07bc122f0915997c3..72531d6bd04c31dc67fdf79d3f490dd6db72e864 100644 (file)
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -74,7 +74,7 @@ $rootfs/usr/lib64"
     # minimal devices needed for busybox
     if [ $in_userns -eq 1 ]; then
         for dev in tty console tty0 tty1 ram0 null urandom; do
-            echo "/dev/$dev dev/$dev    none bind,optional,create=file 0 0" >> $path/fstab
+            echo "lxc.mount.entry = /dev/$dev dev/$dev    none bind,optional,create=file 0 0" >> $path/config
         done
     else
         mknod -m 666 tty c 5 0       || res=1
@@ -110,14 +110,6 @@ EOF
     # executable
     chmod 744 $rootfs/etc/init.d/rcS || return 1
 
-    # mount points
-    cat <<EOF >> $rootfs/etc/fstab
-shm   /dev/shm   tmpfs   defaults     0      0
-EOF
-
-    # writable and readable for other
-    chmod 644 $rootfs/etc/fstab || return 1
-
     # launch rcS first then make a console available
     # and propose a shell on the tty, the last one is
     # not needed
@@ -285,6 +277,9 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
+
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
 EOF
 
     libdirs="\
@@ -299,11 +294,6 @@ EOF
         fi
     done
     echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
-    echo "lxc.mount.auto = proc:mixed sys" >>$path/config
-
-    if [ -f "$path/fstab" ]; then
-        echo "lxc.mount = $path/fstab" >>$path/config
-    fi
 }
 
 remap_userns()
@@ -311,12 +301,12 @@ remap_userns()
     path=$1
 
     if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
-        chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
+        chown $LXC_MAPPED_UID $path/config >/dev/null 2>&1
         chown -R root $path/rootfs >/dev/null 2>&1
     fi
 
     if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
-        chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
+        chgrp $LXC_MAPPED_GID $path/config >/dev/null 2>&1
         chgrp -R root $path/rootfs >/dev/null 2>&1
     fi
 }

diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index c8a8b36c4a8ff8ac0ce7c76c774592e74b049c01..349cdbfc474815add9acf7de54f82cfe4ca738fc 100644 (file)
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -118,7 +118,6 @@ cat >> "$path/config" <<EOF
 # Template used to create this container: cirros
 
 lxc.rootfs = $rootfs
-#lxc.mount = $path/fstab
 lxc.pivotdir = lxc_putold
 
 lxc.tty = 4
@@ -132,7 +131,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 #lxc.aa_profile = unconfined
 # To support container nesting on an Ubuntu host, uncomment next two lines:
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.mount.auto = cgroup
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)
@@ -165,7 +164,6 @@ EOF
 
     if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then
         echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.userns.conf" >> $path/config
-        echo "lxc.mount.auto = cgroup:mixed proc:mixed sys:ro" >> $path/config
     fi
 
 }

diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 05eee06b6561c69dd257d1c53b7e86a696313299..938f0dbf430e261e7f83de99a512c5fbb6fe675a 100644 (file)
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -202,7 +202,6 @@ configure_debian_systemd()
 
     # This function has been copied and adapted from lxc-fedora
     rm -f ${rootfs}/etc/systemd/system/default.target
-    touch ${rootfs}/etc/fstab
     chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
     chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service
     chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
@@ -325,9 +324,6 @@ copy_configuration()
     arch=$4
 
     # Generate the configuration file
-    ## Create the fstab (empty by default)
-    touch $path/fstab
-
     # if there is exactly one veth network entry, make sure it has an
     # associated hwaddr.
     nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
@@ -351,7 +347,6 @@ copy_configuration()
     grep -q "^lxc.rootfs" $path/config 2> /dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
 
     cat <<EOF >> $path/config
-lxc.mount = $path/fstab
 lxc.utsname = $hostname
 lxc.arch = $arch
 EOF

diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
index 46c829dfd2d017ada843be1ca8c0950b1bde6f4a..6123c5e5f721a620b291b14610cbeaf2b9e6a2e3 100644 (file)
--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -231,8 +231,8 @@ copy_configuration()
 lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $config_path/fstab
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -282,11 +282,6 @@ lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 10:135 rwm
-EOF
-
-    cat <<EOF > $config_path/fstab
-proc            $rootfs_path/proc         proc    nodev,noexec,nosuid 0 0
-sysfs           $rootfs_path/sys          sysfs defaults  0 0
 EOF
 
     if [ $? -ne 0 ]; then

diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index bb015c84ff2c7d2a26685f80ad1d154bf3fc94fe..4ff1dcffa7c11db80c966367d7102accbd980a11 100644 (file)
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -321,7 +321,7 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
 lxc.arch = $arch
 lxc.utsname = $name
 
-lxc.mount = $path/fstab
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -338,12 +338,6 @@ lxc.mount = $path/fstab
 #        Note: This may potentially collide with other containers of same name!
 #lxc.network.veth.pair = v-$name-e0
 
-EOF
-
-    cat <<EOF > $path/fstab
-proc            proc         proc      nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs     defaults  0 0
-tmpfs           run          tmpfs     mode=0755,nodev,nosuid 0 0
 EOF
 
     if [ $? -ne 0 ]; then

diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
index 5061056e8d3006b5cf284b4199411e32d72e8b89..c588ddb7236ac869317fb36887711f2ac7e9bd6e 100644 (file)
--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -247,7 +247,6 @@ copy_configuration() {
   ret=0
   cat <<- EOF >> $path/config || let ret++
        lxc.utsname = $name
-       lxc.mount = $path/fstab
        lxc.arch = $arch
        EOF
   if [ -f "@LXCTEMPLATECONFIG@/plamo.common.conf" ] ; then
@@ -256,8 +255,6 @@ copy_configuration() {
        lxc.include = @LXCTEMPLATECONFIG@/plamo.common.conf
        EOF
   fi
-  # create the fstab (empty by default)
-  touch $path/fstab || let ret++
   if [ $ret -ne 0 ] ; then
     echo "Failed to add configuration."
     return 1
@@ -274,7 +271,7 @@ do_bindhome() {
   # bind-mount the user's path into the container's /home
   h=`getent passwd $bindhome | cut -d: -f6`
   mkdir -p $rootfs/$h
-  echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+  echo "lxc.mount.entry = $h $rootfs/$h none bind 0 0" >> $path/config
   # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
   if ! pwd=`getent passwd $bindhome` ; then
     echo "Warning: failed to copy password entry for $bindhome."

diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index aa45c1d6c9342c7a72551d2729c0c38d6a763803..d34b3b4552b09c86d8293b9f6217657a64cbc26d 100644 (file)
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -141,9 +141,9 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
 lxc.mount.entry = /sbin sbin none ro,bind 0 0
 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs ro 0 0
 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
+
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 EOF
 
     # Oracle Linux and Fedora need the following two bind mounted

diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index c4eb5ca42068824b948a96d679652c14cbb17322..81abf2a8fb86a28c17e9bb09501216ee75351648 100644 (file)
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -66,9 +66,6 @@ copy_configuration()
     fi
 
     # Generate the configuration file
-    ## Create the fstab (empty by default)
-    touch $path/fstab
-
     ## Relocate all the network config entries
     sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
 
@@ -94,7 +91,6 @@ copy_configuration()
     [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
     grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
     cat <<EOF >> $path/config
-lxc.mount = $path/fstab
 lxc.utsname = $name
 lxc.arch = $arch
 EOF

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index bbe7f7d6f3b715d3b943918c444d6b072c8edba9..073724b0542b31f1c573284c4d6561abd72be479 100644 (file)
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -483,9 +483,6 @@ copy_configuration()
     fi
 
     # Generate the configuration file
-    ## Create the fstab (empty by default)
-    touch $path/fstab
-
     ## Relocate all the network config entries
     sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
 
@@ -508,7 +505,6 @@ copy_configuration()
     [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
     grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
     cat <<EOF >> $path/config
-lxc.mount = $path/fstab
 lxc.utsname = $name
 lxc.arch = $arch
 EOF
@@ -659,7 +655,7 @@ do_bindhome()
     while [ ${h2:0:1} = "/" ]; do
         h2=${h2#/}
     done
-    echo "$h $h2 none bind 0 0" >> $path/fstab
+    echo "lxc.mount.entry = $h $h2 none bind 0 0" >> $path/config
 
     # Make sure the group exists in container
     grp=`echo $pwd | cut -d: -f 4`  # group number for $user