Reduce duplication in new style configs

This is a rather massive cleanup of config/templates/* As new templates were added, I've noticed that we pretty much all share the tty/pts configs, some capabilities being dropped and most of the cgroup configuration. All the userns configs were also almost identical. As a result, this change introduces two new files: - common.conf.in - userns.conf.in Each is included by the relevant <template>.<type>.conf.in templates, this means that the individual per-template configs are now overlays on top of the default config. Once we see a specific key becoming popular, we ought to check whether it should also be applied to the other templates and if more than 50% of the templates have it set to the same value, that value ought to be moved to the master config file and then overriden for the templates that do not use it. This change while pretty big and scary, shouldn't be very visible from a user point of view, the actual changes can be summarized as: - Extend clonehostname to work with Debian based distros and use it for all containers. - lxc.pivotdir is now set to lxc_putold for all templates, this means that instead of using /mnt in the container, lxc will create and use /lxc_putold instead. The reason for this is to avoid failures when the user bind-mounts something else on top of /mnt. - Some minor cgroup limit changes, the main one I remember is /dev/console now being writable by all of the redhat based containers. The rest of the set should be identical with additions in the per-distro ones. - Drop binfmtmisc and efivars bind-mounts for non-mountall based unpriivileged containers as I assumed they got those from copy/paste from Ubuntu and not because they actually need those entries. (If I'm wrong, we probably should move those to userns.conf then). Additional investigation and changes to reduce the config delta between distros would be appreciated. In practice, I only expect lxc.cap.drop and lxc.mount.entry to really vary between distros (depending on the init system, the rest should be mostly common. Diff from the RFC: - Add archlinux to the mix - Drop /etc/hostname from the clone hook Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Reduce duplication in new style configs
5b99af00 · Stéphane Graber · fd986e08 · 5b99af00 · 5b99af00 · 5b99af00
Commit 5b99af00 authored Jun 20, 2014 by Stéphane Graber
24 changed files
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -7,6 +7,7 @@ templatesconfig_DATA = \
 	archlinux.userns.conf \
 	centos.common.conf \
 	centos.userns.conf \
+	common.conf \
 	debian.common.conf \
 	debian.userns.conf \
 	fedora.common.conf \
@@ -25,5 +26,6 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
+	ubuntu.priv.seccomp \
 	ubuntu.userns.conf \
-	ubuntu.priv.seccomp
+	userns.conf
--- a/config/templates/archlinux.common.conf.in
+++ b/config/templates/archlinux.common.conf.in
-# Based on fedora.common.conf.in
+# This derives from the global common config
-# Console settings
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.autodev = 1
+# Allow for 6 tty devices by default
 lxc.tty = 6
-lxc.pts = 1024
+# Turn on autodev for systemd
+lxc.autodev = 1
+# Disable kmsg
 lxc.kmsg = 0
+# Set the halt/stop signals
 lxc.haltsignal=SIGRTMIN+4
 lxc.stopsignal=SIGRTMIN+14
@@ -30,21 +35,4 @@ lxc.mount.auto = proc:mixed sys:ro
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
 #
-lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-6] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
--- a/config/templates/archlinux.userns.conf.in
+++ b/config/templates/archlinux.userns.conf.in
-# Based on fedora.userns.conf.in
+# This derives from the global userns config
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-# Extra fstab entries as mountall can't mount those by itself
-# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
-# Taken from the oracle.common.conf.in
+# This derives from the global common config
-# Console settings
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -27,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-#
+lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
-lxc.cap.drop = mac_admin mac_override setfcap setpcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
--- a/config/templates/centos.userns.conf.in
+++ b/config/templates/centos.userns.conf.in
-# Taken from the oracle.userns.conf.in
+# This derives from the global userns config
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
+# Default configuration shared by all containers
+# Setup the LXC devices in /dev/lxc/
+lxc.devttydir = lxc
+# Allow for 1024 pseudo terminals
+lxc.pts = 1024
+# Setup 4 tty devices
+lxc.tty = 4
+# Drop some harmful capabilities
+lxc.cap.drop = mac_admin mac_override sys_time sys_module
+# Set the pivot directory
+lxc.pivotdir = lxc_putold
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 5:1 rwm	# /dev/console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
-# Default pivot location
+# This derives from the global common config
-lxc.pivotdir = lxc_putold
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -21,38 +17,20 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+#lxc.mount.auto = cgroup:mixed
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
 #lxc.aa_profile = lxc-container-default-with-mounting
-# Default cgroup limits
+# Extra cgroup device access
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm

--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+# This derives from the global userns config
-lxc.cgroup.devices.deny =
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.allow =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
--- a/config/templates/fedora.common.conf.in
+++ b/config/templates/fedora.common.conf.in
-# Taken from the oracle.common.conf.in
+# This derives from the global common config
-# Console settings
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
@@ -28,22 +18,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
-#
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
--- a/config/templates/fedora.userns.conf.in
+++ b/config/templates/fedora.userns.conf.in
-# Taken from the oracle.userns.conf.in
+# This derives from the global userns config
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Gentoo common default configuration
 # This is the most feature-full container configuration
 # But security is not the goal.
 # Looking for more security, see gentoo.moresecure.conf
-# sysfs
+# Default mount entries
 lxc.mount.entry=sys sys sysfs defaults 0 0
-# console access
+# Doesn't support consoles in /dev/lxc/
-lxc.pts = 1024
+lxc.devttydir =
-# this part is based on 'linux capabilities', see: man 7 capabilities
-#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-# deny access to all devices by default, explicitly grant some permissions
+# Extra cgroup device access
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Gentoo security oriented default configuration
 # This is a more security oriented container configuration
 # "More" because this is far from fully secure
@@ -11,9 +14,6 @@ lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
-# console access
-lxc.pts = 1024
 # this part is based on 'linux capabilities', see: man 7 capabilities
 #  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
 #
@@ -31,29 +31,4 @@ lxc.pts = 1024
 # conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
 # aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
-lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
+lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rw
-lxc.cgroup.devices.allow = c 1:5 rw
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rw
-lxc.cgroup.devices.allow = c 1:8 r
-# /dev/pts/*
-lxc.cgroup.devices.allow = c 136:* rw
-lxc.cgroup.devices.allow = c 5:2 rw
-# /dev/tty{0,1}
-lxc.cgroup.devices.allow = c 4:1 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-# /dev/tty
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/console
-lxc.cgroup.devices.allow = c 5:1 rwm
\ No newline at end of file
--- a/config/templates/gentoo.userns.conf.in
+++ b/config/templates/gentoo.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+# This derives from the global userns config
-lxc.cgroup.devices.deny =
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/config/templates/opensuse.common.conf.in
+++ b/config/templates/opensuse.common.conf.in
-lxc.autodev = 1
+# This derives from the global common config
-lxc.devttydir = lxc
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.tty = 4
-lxc.pts = 1024
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
-# Ensure hostname is changed on clone
+# Enable autodev
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+lxc.autodev = 1
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
@@ -27,21 +22,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
 # lxc.cap.drop = setfcap
-#
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
--- a/config/templates/opensuse.userns.conf.in
+++ b/config/templates/opensuse.userns.conf.in
-# Taken from the oracle.userns.conf.in
+# This derives from the global userns config
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
-# Console settings
+# This derives from the global common config
-lxc.devttydir = lxc
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.tty = 4
-lxc.pts = 1024
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -25,21 +20,4 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-#
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
--- a/config/templates/oracle.userns.conf.in
+++ b/config/templates/oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+# This derives from the global userns config
-lxc.cgroup.devices.deny =
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
-# Default console settings
+# This derives from the global common config
-lxc.tty = 4
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.pts = 1024
 # Default mount
 lxc.mount.auto = proc sys cgroup
-# Default capabilities
+# Doesn't support consoles in /dev/lxc/
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.devttydir =
-lxc.cgroup.devices.deny = a
+# Extra cgroup device access
-# /dev/null and zero
+## rtc
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-# rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-# fuse
+## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
--- a/config/templates/plamo.userns.conf.in
+++ b/config/templates/plamo.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+# This derives from the global userns config
-lxc.cgroup.devices.deny =
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.allow =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
-# Default pivot location
+# This derives from the global common config
-lxc.pivotdir = lxc_putold
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
@@ -9,14 +9,6 @@ lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
-# Default console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -36,31 +28,13 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # devices below in lxc.cgroup.devices.allow.
 #lxc.aa_profile = lxc-container-default-with-mounting
-# Default cgroup limits
+# Extra cgroup device access
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm

--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+# This derives from the global userns config
-lxc.cgroup.devices.deny =
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.cgroup.devices.allow =
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0

--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
--- a/configure.ac
+++ b/configure.ac
@@ -598,6 +598,7 @@ AC_CONFIG_FILES([
 	config/templates/archlinux.userns.conf
 	config/templates/centos.common.conf
 	config/templates/centos.userns.conf
+	config/templates/common.conf
 	config/templates/debian.common.conf
 	config/templates/debian.userns.conf
 	config/templates/fedora.common.conf
@@ -617,6 +618,7 @@ AC_CONFIG_FILES([
 	config/templates/ubuntu.common.conf
 	config/templates/ubuntu.lucid.conf
 	config/templates/ubuntu.userns.conf
+	config/templates/userns.conf
 	config/yum/Makefile
 	doc/Makefile

--- a/hooks/clonehostname
+++ b/hooks/clonehostname
@@ -20,7 +20,8 @@
 # Note that /etc/hostname is updated by lxc itself
 for file in \
    $LXC_ROOTFS_PATH/etc/sysconfig/network \
-    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ;
+    $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
+    $LXC_ROOTFS_PATH/etc/hosts ;
 do
    if [ -f $file ]; then
        sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file