Updated lxc-opensuse for common configuration changes.

Updated the lxc-opensuse template for the changes for the common configuration used by the download template. Changed the default network mode in the container to dhcp. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Updated lxc-opensuse for common configuration changes.
41cf1ac3 · Michael H. Warfield · Stéphane Graber · 52036991 · 41cf1ac3 · 41cf1ac3
Commit 41cf1ac3 authored Jun 18, 2014 by Michael H. Warfield Committed by Stéphane Graber Jun 18, 2014
5 changed files
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -10,6 +10,8 @@ templatesconfig_DATA = \
 	gentoo.common.conf \
 	gentoo.moresecure.conf \
 	gentoo.userns.conf \
+	opensuse.common.conf \
+	opensuse.userns.conf \
 	oracle.common.conf \
 	oracle.userns.conf \
 	plamo.common.conf \

--- a/config/templates/opensuse.common.conf.in
+++ b/config/templates/opensuse.common.conf.in
+lxc.autodev = 1
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+# Mount entries
+# lxc.mount.auto = proc:mixed sys:ro
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw          # breaks dhcp/ping
+# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid           # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
+# lxc.cap.drop = setfcap
+#
+lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
--- a/config/templates/opensuse.userns.conf.in
+++ b/config/templates/opensuse.userns.conf.in
+# Taken from the oracle.userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/configure.ac
+++ b/configure.ac
@@ -590,6 +590,8 @@ AC_CONFIG_FILES([
 	config/templates/gentoo.common.conf
 	config/templates/gentoo.moresecure.conf
 	config/templates/gentoo.userns.conf
+	config/templates/opensuse.common.conf
+	config/templates/opensuse.userns.conf
 	config/templates/oracle.common.conf
 	config/templates/oracle.userns.conf
 	config/templates/plamo.common.conf

--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
 #!/bin/bash
 #
-# template script for generating suse container for LXC
+# template script for generating OpenSUSE container for LXC
 #
 #
@@ -10,6 +10,7 @@
 # Authors:
 # Daniel Lezcano <daniel.lezcano@free.fr>
 # Frederic Crozat <fcrozat@suse.com>
+# Michael H. Warfield <mhw@WittsEnd.com>
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -45,10 +46,10 @@ configure_opensuse()
    rootfs=$1
    hostname=$2
-   # set network as static, but everything is done by LXC outside the container
+   # set first network adapter as dhcp.  This is the most common config.
   cat <<EOF > $rootfs/etc/sysconfig/network/ifcfg-eth0
 STARTMODE='auto'
-BOOTPROTO='none'
+BOOTPROTO='dhcp'
 EOF
   # create empty fstab
@@ -171,7 +172,7 @@ EOF
        mkdir -p $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686
        for i in "$cache/partial-$arch-packages/var/cache/zypp/packages/update/i586/*" ; do
            ln -s $i $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686/
-	done
+        done
    fi
    CLEAN_BUILD=1 BUILD_ARCH="$arch" BUILD_ROOT="$cache/partial-$arch" BUILD_DIST="$cache/partial-$arch-packages/opensuse.conf" PATH="$PATH:/usr/lib/build" /usr/lib/build/init_buildsystem  --clean --configdir /usr/lib/build/configs --cachedir $cache/partial-$arch-cache --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/noarch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/noarch || return 1
@@ -228,8 +229,6 @@ install_opensuse()
            return 1
        fi
-        arch=$(uname -m)
        echo "Checking cache download in $cache/rootfs-$arch ... "
        if [ ! -e "$cache/rootfs-$arch" ]; then
            download_opensuse $cache $arch
@@ -252,66 +251,85 @@ install_opensuse()
    return $?
 }
+# Generate a random hardware (MAC) address composed of FE followed by
+# 5 random bytes...
+create_hwaddr()
+{
+    openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/'
+}
 copy_configuration()
 {
    path=$1
    rootfs=$2
    name=$3
-    if grep -q "^lxc.network.type" $path/config; then
+    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "
-        TYPE=$(sed '/^#/d; /lxc.network.type/!d; s/.*=[ \t]*//' $path/config)
+lxc.rootfs = $rootfs_path
-        grep -q "^lxc.network.ipv4" $path/config
+" >> $path/config
-        IPV4_NOT_CONFIGURED=$?
+    # The following code is to create static MAC addresses for each
-        if ! grep -q "^lxc.network.*.gateway" $path/config; then
+    # interface in the container.  This code will work for multiple
-            [ $IPV4_NOT_CONFIGURED -eq 0 ] && IPV4=$(sed '/^#/d; /lxc.network.ipv4/!d; /gateway/d; s/.*=[ \t]*//; s/\([[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\).*/\1/' $path/config)
+    # interfaces in the default config.  It will also strip any
-            if [ "$TYPE" = "veth" -o "$TYPE" = "macvlan" ]; then
+    # hwaddr stanzas out of the default config since we can not share
-                if [ $IPV4_NOT_CONFIGURED -eq 0 -a "$IPV4" != "0.0.0.0" ]; then
+    # MAC addresses between containers.
-                    # set default route
+    #
-                    IP=$(/sbin/ip route | awk '/default/ { print $3 }')
+    # This code is largely mimiced from the Fedora Template.
-                    echo "lxc.network.ipv4.gateway = $IP " >> $path/config
+    mv $path/config $path/config.def
-                else
+    while read LINE
-                    # set network as dhcp
+    do
-                    sed -i -e 's/BOOTPROTO=.*/BOOTPROTO=dhcp/' $rootfs/etc/sysconfig/network/ifcfg-eth0
+        # This should catch variable expansions from the default config...
-                fi
+        if expr "${LINE}" : '.*\$' > /dev/null 2>&1
-            fi
+        then
+                LINE=$(eval "echo \"${LINE}\"")
        fi
-        if [ "$TYPE" != "empty" ]; then
-            echo "#remove next line if host DNS configuration should not be available to container" >> $path/config
+        # There is a tab and a space in the regex bracket below!
-            echo "lxc.mount.entry = /etc/resolv.conf etc/resolv.conf none bind,ro 0 0" >> $path/config
+        # Seems that \s doesn't work in brackets.
+        KEY=$(expr "${LINE}" : '\s*\([^	 ]*\)\s*=')
+        if [[ "${KEY}" != "lxc.network.hwaddr" ]]
+        then
+            echo "${LINE}" >> $path/config
+            if [[ "${KEY}" == "lxc.network.link" ]]
+            then
+                echo "lxc.network.hwaddr = $(create_hwaddr)" >> $path/config
+            fi
        fi
-    else
+    done < $path/config.def
-        echo 'lxc.network.type = empty' >> $path/config
+    rm -f $path/config.def
+    if [ -e "@LXCTEMPLATECONFIG@/opensuse.common.conf" ]; then
+        echo "
+# Include common configuration
+lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
+" >> $path/config
    fi
-    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
+    # Append things which require expansion here...
    cat <<EOF >> $path/config
+lxc.arch = $arch
 lxc.utsname = $name
-lxc.autodev=1
-lxc.tty = 4
-lxc.pts = 1024
 lxc.mount = $path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
-lxc.cgroup.devices.deny = a
+# example simple networking setup, uncomment to enable
-# /dev/null and zero
+#lxc.network.type = $lxc_network_type
-lxc.cgroup.devices.allow = c 1:3 rwm
+#lxc.network.flags = up
-lxc.cgroup.devices.allow = c 1:5 rwm
+#lxc.network.link = $lxc_network_link
-# consoles
+#lxc.network.name = eth0
-lxc.cgroup.devices.allow = c 5:1 rwm
+# Additional example for veth network type
-lxc.cgroup.devices.allow = c 5:0 rwm
+#    static MAC address,
-lxc.cgroup.devices.allow = c 4:0 rwm
+#lxc.network.hwaddr = 00:16:3e:77:52:20
-lxc.cgroup.devices.allow = c 4:1 rwm
+#    persistent veth device name on host side
-# /dev/{,u}random
+#        Note: This may potentially collide with other containers of same name!
-lxc.cgroup.devices.allow = c 1:9 rwm
+#lxc.network.veth.pair = v-$name-e0
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
 EOF
    cat <<EOF > $path/fstab
@@ -358,6 +376,9 @@ EOF
    return 0
 }
+# Make arch a global.  This may become configurable?
+arch=$(uname -m)
 options=$(getopt -o hp:n:c -l help,rootfs:,path:,name:,clean -- "$@")
 if [ $? -ne 0 ]; then
    usage $(basename $0)