Merge pull request #896 from hallyn/2016-03-15/nest

2016 03 15/nest

Merge pull request #896 from hallyn/2016-03-15/nest
b3e4df8a · Stéphane Graber · 01283774 · e6bff191 · b3e4df8a · b3e4df8a
Commit b3e4df8a authored Mar 15, 2016 by Stéphane Graber
5 changed files
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -9,10 +9,6 @@ lxc.devttydir =
 # (uncommented) to the container's configuration file.
 #lxc.aa_profile = unconfined
-# To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following line instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.

--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -12,10 +12,6 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
 # (uncommented) to the container's configuration file.
 #lxc.aa_profile = unconfined
-# To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following line instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
 # Uncomment the following line to autodetect squid-deb-proxy configuration on the
 # host and forward it to the guest at start time.
 #lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client

--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -145,6 +145,7 @@ AM_CFLAGS=-I$(top_srcdir)/src \
 	-DLXCINITDIR=\"$(LXCINITDIR)\" \
 	-DLIBEXECDIR=\"$(LIBEXECDIR)\" \
 	-DLXCTEMPLATEDIR=\"$(LXCTEMPLATEDIR)\" \
+	-DLXCTEMPLATECONFIG=\"$(LXCTEMPLATECONFIG)\" \
 	-DLOGPATH=\"$(LOGPATH)\" \
 	-DLXC_DEFAULT_CONFIG=\"$(LXC_DEFAULT_CONFIG)\" \
 	-DLXC_USERNIC_DB=\"$(LXC_USERNIC_DB)\" \

--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1375,6 +1375,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 	fprintf(f, "\n");
 #endif
 	fprintf(f, "# For additional config options, please look at lxc.container.conf(5)\n");
+	fprintf(f, "\n# Uncomment the following line to support nesting containers:\n");
+	fprintf(f, "#lxc.include = " LXCTEMPLATECONFIG "/nesting.conf\n");
+	fprintf(f, "# (Be aware this has security implications)\n\n");
 	if (fwrite(contents, 1, flen, f) != flen) {
 		SYSERROR("Writing original contents");
 		free(contents);

--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -130,8 +130,6 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
-# To support container nesting on an Ubuntu host, uncomment next two lines:
-#lxc.aa_profile = lxc-container-default-with-nesting
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.cgroup.devices.deny = a