From f24a52d5f588ff4e4575046903fb9498c376d833 Mon Sep 17 00:00:00 2001 From: =?utf8?q?St=C3=A9phane=20Graber?= Date: Wed, 28 Jan 2015 19:41:26 +0100 Subject: [PATCH] Use consistent /proc, /sys and /sys/fs/cgroup (v2) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit - Implements mixed mode for /sys where it's mounted read-only but with /sys/devices/virtual/net/ writable. - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all templates. - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup. - Get rid of the fstab file by default, using lxc.mount.entry instead. - Set sys:mixed as the default for "sys". sys:mixed is slightly more permissive than sys:ro so this shouldn't be a problem. The read-only bind mount of /sys on top of itself is there so that mountall and other init systems don't attempt to remount /sys read-write. v2 changes: - Fix the mount list, don't specify a source for the remount. - Update the documentation. 
Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn --- config/templates/archlinux.common.conf.in | 3 --- config/templates/centos.common.conf.in | 3 --- config/templates/common.conf.in | 3 +++ config/templates/debian.common.conf.in | 5 +---- config/templates/gentoo.common.conf.in | 3 --- config/templates/gentoo.moresecure.conf.in | 2 -- config/templates/openwrt.common.conf.in | 4 ---- config/templates/oracle.common.conf.in | 3 --- config/templates/plamo.common.conf.in | 1 - config/templates/ubuntu.common.conf.in | 5 +---- doc/lxc.container.conf.sgml.in | 9 +++++++- src/lxc/conf.c | 25 ++++++++++++++-------- src/lxc/conf.h | 1 + src/lxc/confile.c | 3 ++- templates/lxc-alpine.in | 3 +-- templates/lxc-altlinux.in | 6 +----- templates/lxc-busybox.in | 22 ++++++------------- templates/lxc-cirros.in | 4 +--- templates/lxc-debian.in | 5 ----- templates/lxc-openmandriva.in | 7 +----- templates/lxc-opensuse.in | 8 +------ templates/lxc-plamo.in | 5 +---- templates/lxc-sshd.in | 4 ++-- templates/lxc-ubuntu-cloud.in | 4 ---- templates/lxc-ubuntu.in | 6 +----- 25 files changed, 47 insertions(+), 97 deletions(-) diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in index 693f2f455..f86949138 100644 --- a/config/templates/archlinux.common.conf.in +++ b/config/templates/archlinux.common.conf.in @@ -8,9 +8,6 @@ lxc.tty = 6 lxc.haltsignal=SIGRTMIN+4 lxc.stopsignal=SIGRTMIN+14 -# Mount entries -lxc.mount.auto = proc:mixed sys:ro - # Uncomment to disable creating tty devices subdirectory in /dev # lxc.devttydir = diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in index 4ce2fda2c..ee2e9e1ba 100644 --- a/config/templates/centos.common.conf.in +++ b/config/templates/centos.common.conf.in 
@@ -1,9 +1,6 @@ # This derives from the global common config lxc.include = @LXCTEMPLATECONFIG@/common.conf -# Mount entries -lxc.mount.auto = proc:mixed sys:ro - # Capabilities # Uncomment these if you don't run anything that needs the capability, and # would like the container to run with less privilege. diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in index f22ef0c1f..26b322964 100644 --- a/config/templates/common.conf.in +++ b/config/templates/common.conf.in @@ -43,6 +43,9 @@ lxc.cgroup.devices.allow = c 1:9 rwm ### /dev/pts/* lxc.cgroup.devices.allow = c 136:* rwm +# Setup the default mounts +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed + # Blacklist some syscalls which are not safe in privileged # containers lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in index e1d421f87..493feee33 100644 --- a/config/templates/debian.common.conf.in +++ b/config/templates/debian.common.conf.in @@ -5,8 +5,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf lxc.devttydir = # Default mount entries -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 -lxc.mount.entry = sysfs sys sysfs defaults 0 0 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 # When using LXC with apparmor, the container will be confined by default. @@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt #lxc.aa_profile = unconfined # To support container nesting on an Ubuntu host while retaining most of -# apparmor's added security, use the following two lines instead. +# apparmor's added security, use the following line instead. #lxc.aa_profile = lxc-container-default-with-nesting -#lxc.mount.auto = cgroup:mixed # If you wish to allow mounting block filesystems, then use the following # line instead, and make sure to grant access to the block device and/or loop 
diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in index 7b966726e..01c8f4885 100644 --- a/config/templates/gentoo.common.conf.in +++ b/config/templates/gentoo.common.conf.in @@ -6,9 +6,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf # But security is not the goal. # Looking for more security, see gentoo.moresecure.conf -# Default mount entries -lxc.mount.entry=sys sys sysfs defaults 0 0 - # Doesn't support consoles in /dev/lxc/ lxc.devttydir = diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in index 238303d30..270e9df97 100644 --- a/config/templates/gentoo.moresecure.conf.in +++ b/config/templates/gentoo.moresecure.conf.in @@ -8,8 +8,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf # Container user ? see gentoo.common.conf # do not mount sysfs, see http://blog.bofh.it/debian/id_413 -# lxc.mount.entry=sys sys sysfs rw 0 0 -lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0 lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0 diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in index 05918f057..6609333c6 100644 --- a/config/templates/openwrt.common.conf.in +++ b/config/templates/openwrt.common.conf.in @@ -1,7 +1,3 @@ -# Default mount entries -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 -lxc.mount.entry = sysfs sys sysfs defaults 0 0 - # Default console settings lxc.devttydir = lxc lxc.tty = 4 diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in index 10522b2b6..8a72ad003 100644 --- a/config/templates/oracle.common.conf.in +++ b/config/templates/oracle.common.conf.in 
@@ -1,9 +1,6 @@ # This derives from the global common config lxc.include = @LXCTEMPLATECONFIG@/common.conf -# Mount entries -lxc.mount.auto = cgroup:mixed proc:mixed sys:ro - # Capabilities # Uncomment these if you don't run anything that needs the capability, and # would like the container to run with less privilege. diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in index 9b0d02b3f..e7809e13e 100644 --- a/config/templates/plamo.common.conf.in +++ b/config/templates/plamo.common.conf.in @@ -2,7 +2,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf # Default mount -lxc.mount.auto = proc sys cgroup lxc.mount.entry = none dev/shm tmpfs nosuid,nodev,noexec,mode=1777 0 0 # Doesn't support consoles in /dev/lxc/ diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in index 19a6a6771..d1ce8e99f 100644 --- a/config/templates/ubuntu.common.conf.in +++ b/config/templates/ubuntu.common.conf.in @@ -2,8 +2,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf # Default mount entries -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 -lxc.mount.entry = sysfs sys sysfs defaults 0 0 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0 @@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 #lxc.aa_profile = unconfined # To support container nesting on an Ubuntu host while retaining most of -# apparmor's added security, use the following two lines instead. +# apparmor's added security, use the following line instead. #lxc.aa_profile = lxc-container-default-with-nesting -#lxc.mount.auto = cgroup:mixed # Uncomment the following line to autodetect squid-deb-proxy configuration on the # host and forward it to the guest at start time. 
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index a86b1e565..50c6a2a7c 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -774,7 +774,14 @@ proc proc proc nodev,noexec,nosuid 0 0 - (or ): + (or ): + mount /sys as read-only but with + /sys/devices/virtual/net writable. + + + + + : mount /sys as read-only for security / container isolation purposes. diff --git a/src/lxc/conf.c b/src/lxc/conf.c index e7def3e9e..d2cfbe807 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -750,15 +750,21 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha * MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for kernels as low as * 2.6.32... */ - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, - { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL }, - { 0, 0, NULL, NULL, NULL, 0, NULL } + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, + { 
LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL }, + { 0, 0, NULL, NULL, NULL, 0, NULL } }; for (i = 0; default_mounts[i].match_mask; i++) { @@ -793,6 +799,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha saved_errno = errno; if (r < 0) SYSERROR("error mounting %s on %s flags %lu", source, destination, mflags); + free(source); free(destination); if (r < 0) { diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 8ec3e8e70..afa55179d 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -236,6 +236,7 @@ enum { LXC_AUTO_SYS_RW = 0x004, /* /sys */ LXC_AUTO_SYS_RO = 0x008, /* /sys read-only */ + LXC_AUTO_SYS_MIXED = 0x00C, /* /sys read-only and /sys/class/net read-write */ LXC_AUTO_SYS_MASK = 0x00C, LXC_AUTO_CGROUP_RO = 0x010, /* /sys/fs/cgroup (partial mount, read-only) */ diff --git a/src/lxc/confile.c b/src/lxc/confile.c index ccdf26c44..8544ac9b7 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c 
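Review bot: The read-only remount of `%r/sys` in the new LXC_AUTO_SYS_MIXED rows passes only `MS_REMOUNT|MS_BIND|MS_RDONLY`, while the sysfs mount two rows above it sets `MS_NODEV|MS_NOEXEC|MS_NOSUID` and the matching remount of `%r/sys/devices/virtual/net` at the end of the table carries `MS_NOSUID|MS_NODEV|MS_NOEXEC`. Those three are per-mount flags and a bind remount replaces them with whatever the call supplies, so on a privileged start (where the kernel does not lock them) the container's read-only /sys appears to end up without nosuid/nodev/noexec. Suggest `{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },`, and the sysfs instance mounted on `%r/sys/devices/virtual/net` with flags `0` could take the same three flags for the same reason. The proc rows above show the same remount pattern but are only re-indented by this commit. lxc_mount_auto_mounts continues outside the hunk.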
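Review bot: The comment on the new `LXC_AUTO_SYS_MIXED` value names `/sys/class/net` as the writable path, but the mount table added to src/lxc/conf.c and the sgml documentation in this same commit make `/sys/devices/virtual/net` writable; `/sys/class/net` only holds symlinks into it. Suggest `LXC_AUTO_SYS_MIXED = 0x00C, /* /sys read-only and /sys/devices/virtual/net read-write */`. Since the value is identical to `LXC_AUTO_SYS_MASK` on the next line, a short remark that this is intentional (both RW and RO bits set) would also help a reader comparing it with the 0x004/0x008 values above.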
@@ -1416,8 +1416,9 @@ static int config_mount_auto(const char *key, const char *value, { "proc", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED }, { "proc:mixed", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED }, { "proc:rw", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW }, - { "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO }, + { "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED }, { "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO }, + { "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED }, { "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW }, { "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC }, { "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED }, diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in index 187a03253..886a83806 100644 --- a/templates/lxc-alpine.in +++ b/templates/lxc-alpine.in @@ -249,9 +249,8 @@ lxc.cgroup.devices.allow = c 5:2 rwm lxc.cgroup.devices.allow = c 254:0 rm # mounts point -lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0 +lxc.mount.auto=cgroup:mixed proc:mixed sys:mixed lxc.mount.entry=run run tmpfs nodev,noexec,nosuid,relatime,size=1m,mode=0755 0 0 -lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0 lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0 EOF diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index ac4527b36..8b4168c61 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -266,7 +266,6 @@ copy_configuration() lxc.utsname = $name lxc.tty = 4 lxc.pts = 1024 -lxc.mount = $config_path/fstab lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: @@ -317,11 +316,8 @@ lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc lxc.cgroup.devices.allow = c 10:135 rwm -EOF - cat < $config_path/fstab -proc proc proc nodev,noexec,nosuid 0 0 -sysfs sys sysfs defaults 0 0 +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed EOF if [ $? -ne 0 ]; then 
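Review bot: Besides the proc/sys replacement, this hunk also drops `lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0`, which is not a /proc, /sys or cgroup mount and is not mentioned in the commit message. Presumably the devpts instance LXC sets up itself makes the entry redundant, but if that is the reason it should be stated, for example with a template comment `# devpts is provided by lxc; proc, sys and cgroup by lxc.mount.auto`, otherwise the next reader will take it for an accidental loss. The heredoc that writes the config starts outside the hunk.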
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 3cfa9586a..72531d6bd 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -74,7 +74,7 @@ $rootfs/usr/lib64" # minimal devices needed for busybox if [ $in_userns -eq 1 ]; then for dev in tty console tty0 tty1 ram0 null urandom; do - echo "/dev/$dev dev/$dev none bind,optional,create=file 0 0" >> $path/fstab + echo "lxc.mount.entry = /dev/$dev dev/$dev none bind,optional,create=file 0 0" >> $path/config done else mknod -m 666 tty c 5 0 || res=1 @@ -110,14 +110,6 @@ EOF # executable chmod 744 $rootfs/etc/init.d/rcS || return 1 - # mount points - cat <> $rootfs/etc/fstab -shm /dev/shm tmpfs defaults 0 0 -EOF - - # writable and readable for other - chmod 644 $rootfs/etc/fstab || return 1 - # launch rcS first then make a console available # and propose a shell on the tty, the last one is # not needed @@ -285,6 +277,9 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined + +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed +lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0 EOF libdirs="\ @@ -299,11 +294,6 @@ EOF fi done echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config - echo "lxc.mount.auto = proc:mixed sys" >>$path/config - - if [ -f "$path/fstab" ]; then - echo "lxc.mount = $path/fstab" >>$path/config - fi } remap_userns() 
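Review bot: The new `lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0` uses an absolute mount point, whereas every other entry this template writes (`dev/$dev` in the first hunk, `sys/kernel/security` in the last) is relative to the container rootfs; the line was carried over verbatim from the guest /etc/fstab it replaces, where `/dev/shm` was correct. As an lxc.mount.entry an absolute target that does not point into the rootfs is, as far as I can tell, either ignored or refers to a host path, so the shm tmpfs likely never appears inside the container. Suggest `lxc.mount.entry = shm dev/shm tmpfs defaults 0 0`; using `nosuid,nodev,noexec,mode=1777` instead of `defaults` would also match the shm entries the alpine and plamo configs in this same commit use. The heredoc that writes $path/config starts outside the hunk.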
@@ -311,12 +301,12 @@ remap_userns() path=$1 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then - chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1 + chown $LXC_MAPPED_UID $path/config >/dev/null 2>&1 chown -R root $path/rootfs >/dev/null 2>&1 fi if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then - chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1 + chgrp $LXC_MAPPED_GID $path/config >/dev/null 2>&1 chgrp -R root $path/rootfs >/dev/null 2>&1 fi } diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in index c8a8b36c4..349cdbfc4 100644 --- a/templates/lxc-cirros.in +++ b/templates/lxc-cirros.in @@ -118,7 +118,6 @@ cat >> "$path/config" <> $path/config - echo "lxc.mount.auto = cgroup:mixed proc:mixed sys:ro" >> $path/config fi } diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 05eee06b6..938f0dbf4 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -202,7 +202,6 @@ configure_debian_systemd() # This function has been copied and adapted from lxc-fedora rm -f ${rootfs}/etc/systemd/system/default.target - touch ${rootfs}/etc/fstab chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target @@ -325,9 +324,6 @@ copy_configuration() arch=$4 # Generate the configuration file - ## Create the fstab (empty by default) - touch $path/fstab - # if there is exactly one veth network entry, make sure it has an # associated hwaddr. nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` @@ -351,7 +347,6 @@ copy_configuration() grep -q "^lxc.rootfs" $path/config 2> /dev/null || echo "lxc.rootfs = $rootfs" >> $path/config cat <> $path/config -lxc.mount = $path/fstab lxc.utsname = $hostname lxc.arch = $arch EOF 
diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index 46c829dfd..6123c5e5f 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -231,8 +231,8 @@ copy_configuration() lxc.utsname = $name lxc.tty = 4 lxc.pts = 1024 -lxc.mount = $config_path/fstab lxc.cap.drop = sys_module mac_admin mac_override sys_time +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -282,11 +282,6 @@ lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc lxc.cgroup.devices.allow = c 10:135 rwm -EOF - - cat < $config_path/fstab -proc $rootfs_path/proc proc nodev,noexec,nosuid 0 0 -sysfs $rootfs_path/sys sysfs defaults 0 0 EOF if [ $? -ne 0 ]; then diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index bb015c84f..4ff1dcffa 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -321,7 +321,7 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf lxc.arch = $arch lxc.utsname = $name -lxc.mount = $path/fstab +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -338,12 +338,6 @@ lxc.mount = $path/fstab # Note: This may potentially collide with other containers of same name! #lxc.network.veth.pair = v-$name-e0 -EOF - - cat < $path/fstab -proc proc proc nodev,noexec,nosuid 0 0 -sysfs sys sysfs defaults 0 0 -tmpfs run tmpfs mode=0755,nodev,nosuid 0 0 EOF if [ $? -ne 0 ]; then diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in index 5061056e8..c588ddb72 100644 --- a/templates/lxc-plamo.in +++ b/templates/lxc-plamo.in @@ -247,7 +247,6 @@ copy_configuration() { ret=0 cat <<- EOF >> $path/config || let ret++ lxc.utsname = $name - lxc.mount = $path/fstab lxc.arch = $arch EOF if [ -f "@LXCTEMPLATECONFIG@/plamo.common.conf" ] ; then 
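Review bot: Removing the opensuse fstab also drops `tmpfs run tmpfs mode=0755,nodev,nosuid 0 0`, which is neither a /proc, /sys nor cgroup mount, so the container loses its tmpfs on /run without a replacement; lxc-alpine in this same commit keeps its equivalent as an `lxc.mount.entry`. Unless opensuse.common.conf (pulled in via `lxc.include`, not visible in this hunk) already provides it, add `lxc.mount.entry = tmpfs run tmpfs mode=0755,nodev,nosuid 0 0` to the config heredoc next to the new lxc.mount.auto line. The heredoc begins outside the hunk.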
@@ -256,8 +255,6 @@ copy_configuration() { lxc.include = @LXCTEMPLATECONFIG@/plamo.common.conf EOF fi - # create the fstab (empty by default) - touch $path/fstab || let ret++ if [ $ret -ne 0 ] ; then echo "Failed to add configuration." return 1 @@ -274,7 +271,7 @@ do_bindhome() { # bind-mount the user's path into the container's /home h=`getent passwd $bindhome | cut -d: -f6` mkdir -p $rootfs/$h - echo "$h $rootfs/$h none bind 0 0" >> $path/fstab + echo "lxc.mount.entry = $h $rootfs/$h none bind 0 0" >> $path/config # copy /etc/passwd, /etc/shadow, and /etc/group entries into container if ! pwd=`getent passwd $bindhome` ; then echo "Warning: failed to copy password entry for $bindhome." diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in index aa45c1d6c..d34b3b455 100644 --- a/templates/lxc-sshd.in +++ b/templates/lxc-sshd.in @@ -141,9 +141,9 @@ lxc.mount.entry = /usr usr none ro,bind 0 0 lxc.mount.entry = /sbin sbin none ro,bind 0 0 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0 -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 -lxc.mount.entry = sysfs sys sysfs ro 0 0 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0 + +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed EOF # Oracle Linux and Fedora need the following two bind mounted diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in index c4eb5ca42..81abf2a8f 100644 --- a/templates/lxc-ubuntu-cloud.in +++ b/templates/lxc-ubuntu-cloud.in @@ -66,9 +66,6 @@ copy_configuration() fi # Generate the configuration file - ## Create the fstab (empty by default) - touch $path/fstab - ## Relocate all the network config entries sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config 
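Review bot: The bind-home entry moved into the config keeps the host-absolute target `$rootfs/$h`, so the container's config now hard-codes its own rootfs path, while lxc-ubuntu's do_bindhome in this same commit strips the leading slashes and writes a rootfs-relative target (`$h $h2`). Assuming lxc.rootfs is set in this config as in the other templates, the same form here, e.g. `echo "lxc.mount.entry = $h ${h#/} none bind 0 0" >> $path/config`, keeps the entry valid if the container is cloned or moved and matches the other rootfs-relative entries these templates write. `${h#/}` removes a single leading slash; ubuntu's `while` loop handles repeated ones if that matters here. do_bindhome starts outside the hunk.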
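Review bot: The replacement line widens this template's mounts: the removed entry mounted sysfs `ro`, while `sys:mixed` leaves /sys/devices/virtual/net writable, and `cgroup:mixed` is new for this template. The sshd container appears to run only sshd from read-only bind mounts of host directories, with no visible need for either, so `lxc.mount.auto = proc:mixed sys:ro` would preserve the previous posture; if the uniform line is preferred for consistency, a comment such as `# same defaults as the other templates; sys:mixed only adds a writable /sys/devices/virtual/net` would stop the next reviewer from flagging it. The config heredoc starts outside the hunk.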
@@ -94,7 +91,6 @@ copy_configuration() [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config cat <> $path/config -lxc.mount = $path/fstab lxc.utsname = $name lxc.arch = $arch EOF diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index bbe7f7d6f..073724b05 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -483,9 +483,6 @@ copy_configuration() fi # Generate the configuration file - ## Create the fstab (empty by default) - touch $path/fstab - ## Relocate all the network config entries sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config @@ -508,7 +505,6 @@ copy_configuration() [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config cat <> $path/config -lxc.mount = $path/fstab lxc.utsname = $name lxc.arch = $arch EOF @@ -659,7 +655,7 @@ do_bindhome() while [ ${h2:0:1} = "/" ]; do h2=${h2#/} done - echo "$h $h2 none bind 0 0" >> $path/fstab + echo "lxc.mount.entry = $h $h2 none bind 0 0" >> $path/config # Make sure the group exists in container grp=`echo $pwd | cut -d: -f 4` # group number for $user -- 2.47.2