From: Michael H. Warfield Date: Wed, 18 Jun 2014 19:31:44 +0000 (-0400) Subject: Updated lxc-opensuse for common configuration changes. X-Git-Tag: lxc-1.1.0.alpha1~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41cf1ac30de569888c70b1f1b40d29993950ff2e;p=thirdparty%2Flxc.git Updated lxc-opensuse for common configuration changes. Updated the lxc-opensuse template for the changes for the common configuration used by the download template. Changed the default network mode in the container to dhcp. Signed-off-by: Michael H. Warfield Acked-by: Stéphane Graber ---
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 47969a976..d0b1c8763 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -10,6 +10,8 @@ templatesconfig_DATA = \
 gentoo.common.conf \
 gentoo.moresecure.conf \
 gentoo.userns.conf \
+ opensuse.common.conf \
+ opensuse.userns.conf \
 oracle.common.conf \
 oracle.userns.conf \
 plamo.common.conf \
diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
new file mode 100644
index 000000000..1585fb8de
--- /dev/null
+++ b/config/templates/opensuse.common.conf.in
@@ -0,0 +1,47 @@
+lxc.autodev = 1
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+# lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+# lxc.cap.drop = setfcap
+#
+lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
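Review bot: The device policy in this new file is looser than the block the template used to inline (the lines removed further down in templates/lxc-opensuse.in): `c *:* m` and `b *:* m` let container root mknod any device node, and `mknod` is no longer listed in `lxc.cap.drop`, whereas the old config dropped it and whitelisted no mknod at all. Creating a node is not opening it, so the allow list still gates reads and writes, but that widening is a policy decision that should be stated in the file rather than left to the diff; a comment beside the `c *:* m` entry such as `# mknod of any node is permitted, but open/read/write is still limited to the entries below` would do. The old entries for `c 5:1` (/dev/console), `c 4:0`/`c 4:1` and `c 254:0 rm` (rtc) are gone too; the console is covered by the `136:*` pty range, but anything in the guest reading the RTC will now be refused, which is presumably accepted for parity with the other distributions' common.conf files listed in Makefile.am and is worth a one-line note.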
diff --git a/config/templates/opensuse.userns.conf.in b/config/templates/opensuse.userns.conf.in
new file mode 100644
index 000000000..f6de0e97d
--- /dev/null
+++ b/config/templates/opensuse.userns.conf.in
@@ -0,0 +1,20 @@
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/configure.ac b/configure.ac
index ab6c48171..be54043c3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -590,6 +590,8 @@ AC_CONFIG_FILES([
 config/templates/gentoo.common.conf
 config/templates/gentoo.moresecure.conf
 config/templates/gentoo.userns.conf
+ config/templates/opensuse.common.conf
+ config/templates/opensuse.userns.conf
 config/templates/oracle.common.conf
 config/templates/oracle.userns.conf
 config/templates/plamo.common.conf
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 3999df62d..c4dce5def 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -1,7 +1,7 @@ #!/bin/bash # -# template script for generating suse container for LXC +# template script for generating OpenSUSE container for LXC # # 
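Review bot: The two entries under `# Extra fstab entries` bind the host's `/sys/firmware/efi/efivars` and `/proc/sys/fs/binfmt_misc` into the container without `ro`, and nothing says why the guest would need to write to either. Writes to efivars change host firmware state and binfmt_misc registrations are system-wide, so `bind,optional,ro` is the safer default unless a guest workload is known to need write access, in which case the reason belongs in the comment. In an unprivileged container the kernel should refuse these writes anyway because the container uids are not mapped into the init user namespace, so this is defence in depth rather than a known hole; the first line says the file is copied from oracle.userns.conf.in, so the same remark applies there.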
@@ -10,6 +10,7 @@ # Authors: # Daniel Lezcano # Frederic Crozat +# Michael H. Warfield # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -45,10 +46,10 @@ configure_opensuse() rootfs=$1 hostname=$2 - # set network as static, but everything is done by LXC outside the container + # set first network adapter as dhcp. This is the most common config. cat < $rootfs/etc/sysconfig/network/ifcfg-eth0 STARTMODE='auto' -BOOTPROTO='none' +BOOTPROTO='dhcp' EOF # create empty fstab @@ -171,7 +172,7 @@ EOF mkdir -p $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686 for i in "$cache/partial-$arch-packages/var/cache/zypp/packages/update/i586/*" ; do ln -s $i $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686/ - done + done fi CLEAN_BUILD=1 BUILD_ARCH="$arch" BUILD_ROOT="$cache/partial-$arch" BUILD_DIST="$cache/partial-$arch-packages/opensuse.conf" PATH="$PATH:/usr/lib/build" /usr/lib/build/init_buildsystem --clean --configdir /usr/lib/build/configs --cachedir $cache/partial-$arch-cache --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/noarch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/noarch || return 1 @@ -228,8 +229,6 @@ install_opensuse() return 1 fi - arch=$(uname -m) - echo "Checking cache download in $cache/rootfs-$arch ... " if [ ! -e "$cache/rootfs-$arch" ]; then download_opensuse $cache $arch 
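Review bot: `BOOTPROTO='dhcp'` is now written into ifcfg-eth0 unconditionally, while the branch removed from copy_configuration further down only switched the guest to dhcp when the config had a veth/macvlan interface without a static `lxc.network.ipv4`. For a default config that does carry `lxc.network.ipv4` and a gateway, LXC will still set the address from the host side but the guest's DHCP client will then reconfigure eth0 at boot, so the static settings silently stop applying. If dropping that case is intended, the new comment should say so, e.g. `# set first network adapter as dhcp; static lxc.network.ipv4 entries are no longer mirrored into the guest`, otherwise the static-vs-dhcp choice has to live in copy_configuration where the config is read. configure_opensuse starts before this hunk and continues after it.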
@@ -252,66 +251,85 @@ install_opensuse() return $? } +# Generate a random hardware (MAC) address composed of FE followed by +# 5 random bytes... +create_hwaddr() +{ + openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/' +} + copy_configuration() { path=$1 rootfs=$2 name=$3 - if grep -q "^lxc.network.type" $path/config; then - TYPE=$(sed '/^#/d; /lxc.network.type/!d; s/.*=[ \t]*//' $path/config) - grep -q "^lxc.network.ipv4" $path/config - IPV4_NOT_CONFIGURED=$? - - if ! grep -q "^lxc.network.*.gateway" $path/config; then - [ $IPV4_NOT_CONFIGURED -eq 0 ] && IPV4=$(sed '/^#/d; /lxc.network.ipv4/!d; /gateway/d; s/.*=[ \t]*//; s/\([[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\).*/\1/' $path/config) - if [ "$TYPE" = "veth" -o "$TYPE" = "macvlan" ]; then - if [ $IPV4_NOT_CONFIGURED -eq 0 -a "$IPV4" != "0.0.0.0" ]; then - # set default route - IP=$(/sbin/ip route | awk '/default/ { print $3 }') - echo "lxc.network.ipv4.gateway = $IP " >> $path/config - else - # set network as dhcp - sed -i -e 's/BOOTPROTO=.*/BOOTPROTO=dhcp/' $rootfs/etc/sysconfig/network/ifcfg-eth0 - fi - fi + grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo " +lxc.rootfs = $rootfs_path +" >> $path/config + + # The following code is to create static MAC addresses for each + # interface in the container. This code will work for multiple + # interfaces in the default config. It will also strip any + # hwaddr stanzas out of the default config since we can not share + # MAC addresses between containers. + # + # This code is largely mimiced from the Fedora Template. + mv $path/config $path/config.def + while read LINE + do + # This should catch variable expansions from the default config... 
+ if expr "${LINE}" : '.*\$' > /dev/null 2>&1 + then + LINE=$(eval "echo \"${LINE}\"") fi - if [ "$TYPE" != "empty" ]; then - echo "#remove next line if host DNS configuration should not be available to container" >> $path/config - echo "lxc.mount.entry = /etc/resolv.conf etc/resolv.conf none bind,ro 0 0" >> $path/config + + # There is a tab and a space in the regex bracket below! + # Seems that \s doesn't work in brackets. + KEY=$(expr "${LINE}" : '\s*\([^ ]*\)\s*=') + + if [[ "${KEY}" != "lxc.network.hwaddr" ]] + then + echo "${LINE}" >> $path/config + + if [[ "${KEY}" == "lxc.network.link" ]] + then + echo "lxc.network.hwaddr = $(create_hwaddr)" >> $path/config + fi fi - else - echo 'lxc.network.type = empty' >> $path/config + done < $path/config.def + + rm -f $path/config.def + + if [ -e "@LXCTEMPLATECONFIG@/opensuse.common.conf" ]; then + echo " +# Include common configuration +lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf +" >> $path/config fi - grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config + # Append things which require expansion here... 
cat <> $path/config +lxc.arch = $arch lxc.utsname = $name -lxc.autodev=1 -lxc.tty = 4 -lxc.pts = 1024 + lxc.mount = $path/fstab -lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined -lxc.cgroup.devices.deny = a -# /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -# consoles -lxc.cgroup.devices.allow = c 5:1 rwm -lxc.cgroup.devices.allow = c 5:0 rwm -lxc.cgroup.devices.allow = c 4:0 rwm -lxc.cgroup.devices.allow = c 4:1 rwm -# /dev/{,u}random -lxc.cgroup.devices.allow = c 1:9 rwm -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 136:* rwm -lxc.cgroup.devices.allow = c 5:2 rwm -# rtc -lxc.cgroup.devices.allow = c 254:0 rm +# example simple networking setup, uncomment to enable +#lxc.network.type = $lxc_network_type +#lxc.network.flags = up +#lxc.network.link = $lxc_network_link +#lxc.network.name = eth0 +# Additional example for veth network type +# static MAC address, +#lxc.network.hwaddr = 00:16:3e:77:52:20 +# persistent veth device name on host side +# Note: This may potentially collide with other containers of same name! +#lxc.network.veth.pair = v-$name-e0 + EOF cat < $path/fstab @@ -358,6 +376,9 @@ EOF return 0 } +# Make arch a global. This may become configurable? +arch=$(uname -m) + options=$(getopt -o hp:n:c -l help,rootfs:,path:,name:,clean -- "$@") if [ $? -ne 0 ]; then usage $(basename $0)
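Review bot: The new `lxc.rootfs` line writes `$rootfs_path`, but the function's parameter is `rootfs=$2`, the line it replaces used `$rootfs`, and no `rootfs_path` assignment appears in this hunk; unless it is set elsewhere in the script, a default config without an explicit lxc.rootfs gets an empty `lxc.rootfs =` and nothing visible here would catch that. `while read LINE` should be `while IFS= read -r LINE` so backslashes and leading whitespace in the default config survive the copy, and since every line containing `$` is passed through `eval`, a `$(...)` or backtick in a user-supplied default config is executed with the template's privileges during lxc-create; the comment above the loop should at least state that the config is trusted, and limiting the expansion to plain `${var}` references would be safer still. `create_hwaddr` has no fallback when `openssl` is not installed, which would leave `lxc.network.hwaddr =` empty for each link. copy_configuration continues past the end of this hunk.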