debian: Switch to config includes

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

debian: Switch to config includes
00fe5e1d · Stéphane Graber · ceceea1e · 00fe5e1d · 00fe5e1d · 00fe5e1d
Commit 00fe5e1d authored Jan 15, 2014 by Stéphane Graber
5 changed files
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
 templatesconfigdir=@LXCTEMPLATECONFIG@
 templatesconfig_DATA = \
+	debian.common.conf \
+	debian.userns.conf \
 	oracle.common.conf \
 	oracle.userns.conf \
 	plamo.common.conf \

--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
+# Default pivot location
+lxc.pivotdir = lxc_putold
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+# Default console settings
+lxc.tty = 4
+lxc.pts = 1024
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.aa_profile = lxc-container-default-with-mounting
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
--- a/configure.ac
+++ b/configure.ac
@@ -532,6 +532,8 @@ AC_CONFIG_FILES([
 	config/Makefile
 	config/etc/Makefile
 	config/templates/Makefile
+	config/templates/debian.common.conf
+	config/templates/debian.userns.conf
 	config/templates/oracle.common.conf
 	config/templates/oracle.userns.conf
 	config/templates/plamo.common.conf

--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,6 +21,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 MIRROR=${MIRROR:-http://cdn.debian.net/debian}
+LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 configure_debian()
 {
@@ -202,11 +204,11 @@ copy_debian()
 install_debian()
 {
-    cache="@LOCALSTATEDIR@/cache/lxc/debian"
+    cache="$LOCALSTATEDIR/cache/lxc/debian"
    rootfs=$1
    release=$2
    arch=$3
-    mkdir -p @LOCALSTATEDIR@/lock/subsys/
+    mkdir -p $LOCALSTATEDIR/lock/subsys/
    (
        flock -x 9
        if [ $? -ne 0 ]; then
@@ -231,7 +233,7 @@ install_debian()
        return 0
-        ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+        ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
    return $?
 }
@@ -243,6 +245,10 @@ copy_configuration()
    hostname=$3
    arch=$4
+    # Generate the configuration file
+    ## Create the fstab (empty by default)
+    touch $path/fstab
    # if there is exactly one veth network entry, make sure it has an
    # associated hwaddr.
    nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
@@ -250,37 +256,25 @@ copy_configuration()
        grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
    fi
+    ## Add all the includes
+    echo "" >> $path/config
+    echo "# Common configuration" >> $path/config
+    if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> $path/config
+    fi
+    if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" >> $path/config
+    fi
+    ## Add the container-specific config
+    echo "" >> $path/config
+    echo "# Container specific configuration" >> $path/config
    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
    cat <<EOF >> $path/config
-lxc.tty = 4
+lxc.mount = $path/fstab
-lxc.pts = 1024
-lxc.arch = $arch
 lxc.utsname = $hostname
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.arch = $arch
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-# mounts point
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults  0 0
 EOF
    if [ $? -ne 0 ]; then
@@ -293,7 +287,7 @@ EOF
 clean()
 {
-    cache="@LOCALSTATEDIR@/cache/lxc/debian"
+    cache="$LOCALSTATEDIR/cache/lxc/debian"
    if [ ! -e $cache ]; then
        exit 0
@@ -311,7 +305,7 @@ clean()
        rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
        exit 0
-    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-debian
+    ) 9>$LOCALSTATEDIR/lock/subsys/lxc-debian
 }
 usage()