Use consistent /proc, /sys and /sys/fs/cgroup (v2)

- Implements mixed mode for /sys where it's mounted read-only but with /sys/devices/virtual/net/ writable. - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all templates. - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup. - Get rid of the fstab file by default, using lxc.mount.entry instead. - Set sys:mixed as the default for "sys". sys:mixed is slightly more permissive than sys:ro so this shouldn't be a problem. The read-only bind mount of /sys on top of itself is there so that mountall and other init systems don't attempt to remount /sys read-write. v2 changes: - Fix the mount list, don't specify a source for the remount. - Update the documentation. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Use consistent /proc, /sys and /sys/fs/cgroup (v2)
f24a52d5 · Stéphane Graber · e088e926 · f24a52d5 · f24a52d5 · f24a52d5
Commit f24a52d5 authored Jan 28, 2015 by Stéphane Graber
25 changed files
--- a/config/templates/archlinux.common.conf.in
+++ b/config/templates/archlinux.common.conf.in
@@ -8,9 +8,6 @@ lxc.tty = 6
 lxc.haltsignal=SIGRTMIN+4
 lxc.stopsignal=SIGRTMIN+14

-# Mount entries
-lxc.mount.auto = proc:mixed sys:ro
-
 # Uncomment to disable creating tty devices subdirectory in /dev
 # lxc.devttydir =


--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
 # This derives from the global common config
 lxc.include = @LXCTEMPLATECONFIG@/common.conf

-# Mount entries
-lxc.mount.auto = proc:mixed sys:ro
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.

--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -43,6 +43,9 @@ lxc.cgroup.devices.allow = c 1:9 rwm
 ### /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm

+# Setup the default mounts
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+
 # Blacklist some syscalls which are not safe in privileged
 # containers
 lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -5,8 +5,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 lxc.devttydir =

 # Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

 # When using LXC with apparmor, the container will be confined by default.
@@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
 #lxc.aa_profile = unconfined

 # To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following two lines instead.
+# apparmor's added security, use the following line instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.mount.auto = cgroup:mixed

 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop

--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -6,9 +6,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # But security is not the goal.
 # Looking for more security, see gentoo.moresecure.conf

-# Default mount entries
-lxc.mount.entry=sys sys sysfs defaults 0 0
-
 # Doesn't support consoles in /dev/lxc/
 lxc.devttydir =


--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -8,8 +8,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Container user ? see gentoo.common.conf

 # do not mount sysfs, see http://blog.bofh.it/debian/id_413
-# lxc.mount.entry=sys sys sysfs rw 0 0
-lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0
 lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0

--- a/config/templates/openwrt.common.conf.in
+++ b/config/templates/openwrt.common.conf.in
-# Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
-
 # Default console settings
 lxc.devttydir = lxc
 lxc.tty = 4

--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
 # This derives from the global common config
 lxc.include = @LXCTEMPLATECONFIG@/common.conf

-# Mount entries
-lxc.mount.auto = cgroup:mixed proc:mixed sys:ro
-
 # Capabilities
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.

--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -2,7 +2,6 @@
 lxc.include = @LXCTEMPLATECONFIG@/common.conf

 # Default mount
-lxc.mount.auto = proc sys cgroup
 lxc.mount.entry = none dev/shm tmpfs nosuid,nodev,noexec,mode=1777 0 0

 # Doesn't support consoles in /dev/lxc/

--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -2,8 +2,6 @@
 lxc.include = @LXCTEMPLATECONFIG@/common.conf

 # Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
@@ -15,9 +13,8 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
 #lxc.aa_profile = unconfined

 # To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following two lines instead.
+# apparmor's added security, use the following line instead.
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.mount.auto = cgroup:mixed

 # Uncomment the following line to autodetect squid-deb-proxy configuration on the
 # host and forward it to the guest at start time.

--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -774,7 +774,14 @@ proc proc proc nodev,noexec,nosuid 0 0
              </listitem>
              <listitem>
                <para>
-                  <option>sys:ro</option> (or <option>sys</option>):
+                  <option>sys:mixed</option> (or <option>sys</option>):
+                  mount <filename>/sys</filename> as read-only but with
+                  /sys/devices/virtual/net writable.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  <option>sys:ro</option>:
                  mount <filename>/sys</filename> as read-only
                  for security / container isolation purposes.
                </para>

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -750,15 +750,21 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 		 * MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for kernels as low as
 		 * 2.6.32...
 		 */
-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                  "%r/proc",               "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",           "%r/proc/sys",           NULL,    MS_BIND,                      NULL },
-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                    "%r/proc/sys",           NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL,    MS_BIND,                      NULL },
-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                    "%r/proc/sysrq-trigger", NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                  "%r/proc",               "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                 "%r/sys",                "sysfs", 0,                            NULL },
-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                 "%r/sys",                "sysfs", MS_RDONLY,                    NULL },
-		{ 0,                  0,                   NULL,                    NULL,                    NULL,    0,                            NULL }
+		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                              "%r/proc",                      "proc",     MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
+		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                       "%r/proc/sys",                  NULL,       MS_BIND,                        NULL },
+		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                                "%r/proc/sys",                  NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
+		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                             "%r/proc/sysrq-trigger",        NULL,       MS_BIND,                        NULL },
+		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                                "%r/proc/sysrq-trigger",        NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
+		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                              "%r/proc",                      "proc",     MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                             "%r/sys",                       "sysfs",    0,                              NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                             "%r/sys",                       "sysfs",    MS_RDONLY,                      NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                             "%r/sys",                       "sysfs",    MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                            "%r/sys",                       NULL,       MS_BIND,                        NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                                "%r/sys",                       NULL,       MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                             "%r/sys/devices/virtual/net",   "sysfs",    0,                              NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net",    "%r/sys/devices/virtual/net",   NULL,       MS_BIND,                        NULL },
+		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                                "%r/sys/devices/virtual/net",   NULL,       MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC,   NULL },
+		{ 0,                  0,                   NULL,                                                NULL,                           NULL,       0,                              NULL }
 	};

 	for (i = 0; default_mounts[i].match_mask; i++) {
@@ -793,6 +799,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 			saved_errno = errno;
 			if (r < 0)
 				SYSERROR("error mounting %s on %s flags %lu", source, destination, mflags);
+
 			free(source);
 			free(destination);
 			if (r < 0) {

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -236,6 +236,7 @@ enum {

 	LXC_AUTO_SYS_RW               = 0x004,   /* /sys */
 	LXC_AUTO_SYS_RO               = 0x008,   /* /sys read-only */
+	LXC_AUTO_SYS_MIXED            = 0x00C,   /* /sys read-only and /sys/class/net read-write */
 	LXC_AUTO_SYS_MASK             = 0x00C,

 	LXC_AUTO_CGROUP_RO            = 0x010,   /* /sys/fs/cgroup (partial mount, read-only) */

--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1416,8 +1416,9 @@ static int config_mount_auto(const char *key, const char *value,
 		{ "proc",               LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_MIXED         },
 		{ "proc:mixed",         LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_MIXED         },
 		{ "proc:rw",            LXC_AUTO_PROC_MASK,      LXC_AUTO_PROC_RW            },
-		{ "sys",                LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RO             },
+		{ "sys",                LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_MIXED          },
 		{ "sys:ro",             LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RO             },
+		{ "sys:mixed",          LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_MIXED          },
 		{ "sys:rw",             LXC_AUTO_SYS_MASK,       LXC_AUTO_SYS_RW             },
 		{ "cgroup",             LXC_AUTO_CGROUP_MASK,    LXC_AUTO_CGROUP_NOSPEC      },
 		{ "cgroup:mixed",       LXC_AUTO_CGROUP_MASK,    LXC_AUTO_CGROUP_MIXED       },

--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -249,9 +249,8 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 254:0 rm

 # mounts point
-lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.auto=cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry=run run tmpfs nodev,noexec,nosuid,relatime,size=1m,mode=0755 0 0
-lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0
 lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0

 EOF

--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -266,7 +266,6 @@ copy_configuration()
 lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $config_path/fstab
 lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
@@ -317,11 +316,8 @@ lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 10:135 rwm
-EOF

-    cat <<EOF > $config_path/fstab
-proc            proc         proc    nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs   defaults  0 0
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 EOF

    if [ $? -ne 0 ]; then

--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -74,7 +74,7 @@ $rootfs/usr/lib64"
    # minimal devices needed for busybox
    if [ $in_userns -eq 1 ]; then
        for dev in tty console tty0 tty1 ram0 null urandom; do
-            echo "/dev/$dev dev/$dev    none bind,optional,create=file 0 0" >> $path/fstab
+            echo "lxc.mount.entry = /dev/$dev dev/$dev    none bind,optional,create=file 0 0" >> $path/config
        done
    else
        mknod -m 666 tty c 5 0       || res=1
@@ -110,14 +110,6 @@ EOF
    # executable
    chmod 744 $rootfs/etc/init.d/rcS || return 1

-    # mount points
-    cat <<EOF >> $rootfs/etc/fstab
-shm   /dev/shm   tmpfs   defaults     0      0
-EOF
-
-    # writable and readable for other
-    chmod 644 $rootfs/etc/fstab || return 1
-
    # launch rcS first then make a console available
    # and propose a shell on the tty, the last one is
    # not needed
@@ -285,6 +277,9 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
+
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
 EOF

    libdirs="\
@@ -299,11 +294,6 @@ EOF
        fi
    done
    echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
-    echo "lxc.mount.auto = proc:mixed sys" >>$path/config
-
-    if [ -f "$path/fstab" ]; then
-        echo "lxc.mount = $path/fstab" >>$path/config
-    fi
 }

 remap_userns()
@@ -311,12 +301,12 @@ remap_userns()
    path=$1

    if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
-        chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
+        chown $LXC_MAPPED_UID $path/config >/dev/null 2>&1
        chown -R root $path/rootfs >/dev/null 2>&1
    fi

    if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
-        chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
+        chgrp $LXC_MAPPED_GID $path/config >/dev/null 2>&1
        chgrp -R root $path/rootfs >/dev/null 2>&1
    fi
 }

--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -118,7 +118,6 @@ cat >> "$path/config" <<EOF
 # Template used to create this container: cirros

 lxc.rootfs = $rootfs
-#lxc.mount = $path/fstab
 lxc.pivotdir = lxc_putold

 lxc.tty = 4
@@ -132,7 +131,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 #lxc.aa_profile = unconfined
 # To support container nesting on an Ubuntu host, uncomment next two lines:
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.mount.auto = cgroup
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)
@@ -165,7 +164,6 @@ EOF

    if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then
        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.userns.conf" >> $path/config
-        echo "lxc.mount.auto = cgroup:mixed proc:mixed sys:ro" >> $path/config
    fi

 }

--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -202,7 +202,6 @@ configure_debian_systemd()

    # This function has been copied and adapted from lxc-fedora
    rm -f ${rootfs}/etc/systemd/system/default.target
-    touch ${rootfs}/etc/fstab
    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/systemd-udevd.service
    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
@@ -325,9 +324,6 @@ copy_configuration()
    arch=$4

    # Generate the configuration file
-    ## Create the fstab (empty by default)
-    touch $path/fstab
-
    # if there is exactly one veth network entry, make sure it has an
    # associated hwaddr.
    nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
@@ -351,7 +347,6 @@ copy_configuration()
    grep -q "^lxc.rootfs" $path/config 2> /dev/null || echo "lxc.rootfs = $rootfs" >> $path/config

    cat <<EOF >> $path/config
-lxc.mount = $path/fstab
 lxc.utsname = $hostname
 lxc.arch = $arch
 EOF

--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -231,8 +231,8 @@ copy_configuration()
 lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $config_path/fstab
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -284,11 +284,6 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 10:135 rwm
 EOF

-    cat <<EOF > $config_path/fstab
-proc            $rootfs_path/proc         proc    nodev,noexec,nosuid 0 0
-sysfs           $rootfs_path/sys          sysfs defaults  0 0
-EOF
-
    if [ $? -ne 0 ]; then
        echo "Failed to add configuration"
        return 1

--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -321,7 +321,7 @@ lxc.include = @LXCTEMPLATECONFIG@/opensuse.common.conf
 lxc.arch = $arch
 lxc.utsname = $name

-lxc.mount = $path/fstab
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -340,12 +340,6 @@ lxc.mount = $path/fstab

 EOF

-    cat <<EOF > $path/fstab
-proc            proc         proc	nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs	defaults  0 0
-tmpfs           run          tmpfs	mode=0755,nodev,nosuid 0 0
-EOF
-
    if [ $? -ne 0 ]; then
        echo "Failed to add configuration"
        return 1

--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -247,7 +247,6 @@ copy_configuration() {
  ret=0
  cat <<- EOF >> $path/config || let ret++
 	lxc.utsname = $name
-	lxc.mount = $path/fstab
 	lxc.arch = $arch
 	EOF
  if [ -f "@LXCTEMPLATECONFIG@/plamo.common.conf" ] ; then
@@ -256,8 +255,6 @@ copy_configuration() {
 	lxc.include = @LXCTEMPLATECONFIG@/plamo.common.conf
 	EOF
  fi
-  # create the fstab (empty by default)
-  touch $path/fstab || let ret++
  if [ $ret -ne 0 ] ; then
    echo "Failed to add configuration."
    return 1
@@ -274,7 +271,7 @@ do_bindhome() {
  # bind-mount the user's path into the container's /home
  h=`getent passwd $bindhome | cut -d: -f6`
  mkdir -p $rootfs/$h
-  echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+  echo "lxc.mount.entry = $h $rootfs/$h none bind 0 0" >> $path/config
  # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
  if ! pwd=`getent passwd $bindhome` ; then
    echo "Warning: failed to copy password entry for $bindhome."

--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -141,9 +141,9 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
 lxc.mount.entry = /sbin sbin none ro,bind 0 0
 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs ro 0 0
 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
+
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 EOF

    # Oracle Linux and Fedora need the following two bind mounted

--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -66,9 +66,6 @@ copy_configuration()
    fi

    # Generate the configuration file
-    ## Create the fstab (empty by default)
-    touch $path/fstab
-
    ## Relocate all the network config entries
    sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config

@@ -94,7 +91,6 @@ copy_configuration()
    [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
    cat <<EOF >> $path/config
-lxc.mount = $path/fstab
 lxc.utsname = $name
 lxc.arch = $arch
 EOF

--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -483,9 +483,6 @@ copy_configuration()
    fi

    # Generate the configuration file
-    ## Create the fstab (empty by default)
-    touch $path/fstab
-
    ## Relocate all the network config entries
    sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config

@@ -508,7 +505,6 @@ copy_configuration()
    [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
    cat <<EOF >> $path/config
-lxc.mount = $path/fstab
 lxc.utsname = $name
 lxc.arch = $arch
 EOF
@@ -659,7 +655,7 @@ do_bindhome()
    while [ ${h2:0:1} = "/" ]; do
        h2=${h2#/}
    done
-    echo "$h $h2 none bind 0 0" >> $path/fstab
+    echo "lxc.mount.entry = $h $h2 none bind 0 0" >> $path/config

    # Make sure the group exists in container
    grp=`echo $pwd | cut -d: -f 4`  # group number for $user