Commit 41cf1ac3 by Michael H. Warfield Committed by Stéphane Graber

Updated lxc-opensuse for common configuration changes.

Updated the lxc-opensuse template for the changes to the common configuration used by the download template. Changed the default network mode in the container to dhcp. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
parent 52036991
...@@ -10,6 +10,8 @@ templatesconfig_DATA = \ ...@@ -10,6 +10,8 @@ templatesconfig_DATA = \
gentoo.common.conf \ gentoo.common.conf \
gentoo.moresecure.conf \ gentoo.moresecure.conf \
gentoo.userns.conf \ gentoo.userns.conf \
opensuse.common.conf \
opensuse.userns.conf \
oracle.common.conf \ oracle.common.conf \
oracle.userns.conf \ oracle.userns.conf \
plamo.common.conf \ plamo.common.conf \
lxc.autodev = 1
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries
# lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
# lxc.cap.drop = setfcap
#
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
# Taken from the oracle.userns.conf.in
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
...@@ -590,6 +590,8 @@ AC_CONFIG_FILES([ ...@@ -590,6 +590,8 @@ AC_CONFIG_FILES([
config/templates/gentoo.common.conf config/templates/gentoo.common.conf
config/templates/gentoo.moresecure.conf config/templates/gentoo.moresecure.conf
config/templates/gentoo.userns.conf config/templates/gentoo.userns.conf
config/templates/opensuse.common.conf
config/templates/opensuse.userns.conf
config/templates/oracle.common.conf config/templates/oracle.common.conf
config/templates/oracle.userns.conf config/templates/oracle.userns.conf
config/templates/plamo.common.conf config/templates/plamo.common.conf
#!/bin/bash #!/bin/bash
# #
# template script for generating suse container for LXC # template script for generating OpenSUSE container for LXC
# #
# #
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
# Authors: # Authors:
# Daniel Lezcano <daniel.lezcano@free.fr> # Daniel Lezcano <daniel.lezcano@free.fr>
# Frederic Crozat <fcrozat@suse.com> # Frederic Crozat <fcrozat@suse.com>
# Michael H. Warfield <mhw@WittsEnd.com>
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public
...@@ -45,10 +46,10 @@ configure_opensuse() ...@@ -45,10 +46,10 @@ configure_opensuse()
rootfs=$1 rootfs=$1
hostname=$2 hostname=$2
# set network as static, but everything is done by LXC outside the container # set first network adapter as dhcp. This is the most common config.
cat <<EOF > $rootfs/etc/sysconfig/network/ifcfg-eth0 cat <<EOF > $rootfs/etc/sysconfig/network/ifcfg-eth0
STARTMODE='auto' STARTMODE='auto'
BOOTPROTO='none' BOOTPROTO='dhcp'
EOF EOF
# create empty fstab # create empty fstab
...@@ -171,7 +172,7 @@ EOF ...@@ -171,7 +172,7 @@ EOF
mkdir -p $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686 mkdir -p $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686
for i in "$cache/partial-$arch-packages/var/cache/zypp/packages/update/i586/*" ; do for i in "$cache/partial-$arch-packages/var/cache/zypp/packages/update/i586/*" ; do
ln -s $i $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686/ ln -s $i $cache/partial-$arch-packages/var/cache/zypp/packages/update/i686/
done done
fi fi
CLEAN_BUILD=1 BUILD_ARCH="$arch" BUILD_ROOT="$cache/partial-$arch" BUILD_DIST="$cache/partial-$arch-packages/opensuse.conf" PATH="$PATH:/usr/lib/build" /usr/lib/build/init_buildsystem --clean --configdir /usr/lib/build/configs --cachedir $cache/partial-$arch-cache --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/noarch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/noarch || return 1 CLEAN_BUILD=1 BUILD_ARCH="$arch" BUILD_ROOT="$cache/partial-$arch" BUILD_DIST="$cache/partial-$arch-packages/opensuse.conf" PATH="$PATH:/usr/lib/build" /usr/lib/build/init_buildsystem --clean --configdir /usr/lib/build/configs --cachedir $cache/partial-$arch-cache --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/repo-oss/suse/noarch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/$arch --repository $cache/partial-$arch-packages/var/cache/zypp/packages/update/noarch || return 1
...@@ -228,8 +229,6 @@ install_opensuse() ...@@ -228,8 +229,6 @@ install_opensuse()
return 1 return 1
fi fi
arch=$(uname -m)
echo "Checking cache download in $cache/rootfs-$arch ... " echo "Checking cache download in $cache/rootfs-$arch ... "
if [ ! -e "$cache/rootfs-$arch" ]; then if [ ! -e "$cache/rootfs-$arch" ]; then
download_opensuse $cache $arch download_opensuse $cache $arch
...@@ -252,66 +251,85 @@ install_opensuse() ...@@ -252,66 +251,85 @@ install_opensuse()
return $? return $?
} }
# Generate a random hardware (MAC) address composed of FE followed by
# 5 random bytes...
create_hwaddr()
{
openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/'
}
copy_configuration() copy_configuration()
{ {
path=$1 path=$1
rootfs=$2 rootfs=$2
name=$3 name=$3
if grep -q "^lxc.network.type" $path/config; then grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "
TYPE=$(sed '/^#/d; /lxc.network.type/!d; s/.*=[ \t]*//' $path/config) lxc.rootfs = $rootfs_path
grep -q "^lxc.network.ipv4" $path/config " >> $path/config
IPV4_NOT_CONFIGURED=$?
# The following code is to create static MAC addresses for each
if ! grep -q "^lxc.network.*.gateway" $path/config; then # interface in the container. This code will work for multiple
[ $IPV4_NOT_CONFIGURED -eq 0 ] && IPV4=$(sed '/^#/d; /lxc.network.ipv4/!d; /gateway/d; s/.*=[ \t]*//; s/\([[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\).*/\1/' $path/config) # interfaces in the default config. It will also strip any
if [ "$TYPE" = "veth" -o "$TYPE" = "macvlan" ]; then # hwaddr stanzas out of the default config since we can not share
if [ $IPV4_NOT_CONFIGURED -eq 0 -a "$IPV4" != "0.0.0.0" ]; then # MAC addresses between containers.
# set default route #
IP=$(/sbin/ip route | awk '/default/ { print $3 }') # This code is largely mimiced from the Fedora Template.
echo "lxc.network.ipv4.gateway = $IP " >> $path/config mv $path/config $path/config.def
else while read LINE
# set network as dhcp do
sed -i -e 's/BOOTPROTO=.*/BOOTPROTO=dhcp/' $rootfs/etc/sysconfig/network/ifcfg-eth0 # This should catch variable expansions from the default config...
fi if expr "${LINE}" : '.*\$' > /dev/null 2>&1
fi then
LINE=$(eval "echo \"${LINE}\"")
fi fi
if [ "$TYPE" != "empty" ]; then
echo "#remove next line if host DNS configuration should not be available to container" >> $path/config # There is a tab and a space in the regex bracket below!
echo "lxc.mount.entry = /etc/resolv.conf etc/resolv.conf none bind,ro 0 0" >> $path/config # Seems that \s doesn't work in brackets.
KEY=$(expr "${LINE}" : '\s*\([^ ]*\)\s*=')
if [[ "${KEY}" != "lxc.network.hwaddr" ]]
then
echo "${LINE}" >> $path/config
if [[ "${KEY}" == "lxc.network.link" ]]
then
echo "lxc.network.hwaddr = $(create_hwaddr)" >> $path/config
fi
fi fi
else done < $path/config.def
echo 'lxc.network.type = empty' >> $path/config
rm -f $path/config.def
if [ -e "@LXCTEMPLATECONFIG@/opensuse.common.conf" ]; then
echo "
# Include common configuration
lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
" >> $path/config
fi fi
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config # Append things which require expansion here...
cat <<EOF >> $path/config cat <<EOF >> $path/config
lxc.arch = $arch
lxc.utsname = $name lxc.utsname = $name
lxc.autodev=1
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $path/fstab lxc.mount = $path/fstab
lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.aa_profile = unconfined
lxc.cgroup.devices.deny = a # example simple networking setup, uncomment to enable
# /dev/null and zero #lxc.network.type = $lxc_network_type
lxc.cgroup.devices.allow = c 1:3 rwm #lxc.network.flags = up
lxc.cgroup.devices.allow = c 1:5 rwm #lxc.network.link = $lxc_network_link
# consoles #lxc.network.name = eth0
lxc.cgroup.devices.allow = c 5:1 rwm # Additional example for veth network type
lxc.cgroup.devices.allow = c 5:0 rwm # static MAC address,
lxc.cgroup.devices.allow = c 4:0 rwm #lxc.network.hwaddr = 00:16:3e:77:52:20
lxc.cgroup.devices.allow = c 4:1 rwm # persistent veth device name on host side
# /dev/{,u}random # Note: This may potentially collide with other containers of same name!
lxc.cgroup.devices.allow = c 1:9 rwm #lxc.network.veth.pair = v-$name-e0
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
EOF EOF
cat <<EOF > $path/fstab cat <<EOF > $path/fstab
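Review bot: `LINE=$(eval "echo \"${LINE}\"")` executes any command substitution or backtick that appears in a line of `$path/config.def`, so a stray `$(...)` in the default config runs with the privileges of the tool creating the container (usually root); since the loop only needs parameter expansion, replace the eval with targeted substitutions for the variables the template actually expects (for example `LINE=${LINE//\$name/$name}`), or skip the expansion step if the default config is not meant to carry them. The same loop reads with a bare `while read LINE`, which strips leading whitespace and interprets backslashes, and writes back with `echo "${LINE}"`, which mangles a line beginning with `-n` or `-e`; `while IFS= read -r LINE` and `printf '%s\n' "${LINE}" >> "$path/config"` preserve the lines verbatim. The `lxc.rootfs = $rootfs_path` entry appended at the top of the hunk expands a variable this function never sets (it assigns `rootfs=$2`), so unless `rootfs_path` is a global defined outside the hunk the entry is written empty. In create_hwaddr a missing or failing `openssl` produces an empty `lxc.network.hwaddr =` line without any error, so the pipeline deserves an `|| return 1` or a check on its output before it is written into the config. copy_configuration's body continues past the end of the hunk.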
...@@ -358,6 +376,9 @@ EOF ...@@ -358,6 +376,9 @@ EOF
return 0 return 0
} }
# Make arch a global. This may become configurable?
arch=$(uname -m)
options=$(getopt -o hp:n:c -l help,rootfs:,path:,name:,clean -- "$@") options=$(getopt -o hp:n:c -l help,rootfs:,path:,name:,clean -- "$@")
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
usage $(basename $0) usage $(basename $0)