Commit f2a95ee1 by Stéphane Graber

Move some common Ubuntu config

This introduces a new /usr/share/lxc/config directory containing common configuration snippets. The two Ubuntu templates are then simplified to just include the relevant entries avoiding a whole lot of hardcoded cgroup, capabilities and mount points configuration. An extra comment is also added at the top of all generated configuration files telling the user to look at lxc.conf(5) for more information. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
parent 34cfffb3
configdir = $(sysconfdir)/lxc SUBDIRS = etc templates
config_DATA = default.conf
distroconf = @LXC_DISTRO_CONF@
EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
default.conf:
cp $(distroconf) $@
clean-local:
@$(RM) -f default.conf
distclean-local:
@$(RM) -f default.conf
@$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile
configdir = $(sysconfdir)/lxc
config_DATA = default.conf
distroconf = @LXC_DISTRO_CONF@
EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
default.conf:
cp $(distroconf) $@
clean-local:
@$(RM) -f default.conf
distclean-local:
@$(RM) -f default.conf
@$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile
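Review bot: The `default.conf:` rule has no prerequisite, so once default.conf exists a later change to the selected `default.conf.*` snippet never regenerates it, and the plain `cp` can leave a partial target if interrupted. Declaring the source and writing atomically fixes both: `default.conf: $(distroconf)` followed by `cp $< $@.tmp && mv -f $@.tmp $@`. `$(RM)` already expands to `rm -f`, so the extra `-f` on the two clean recipes is redundant. This rendering shows no file header for the section; it appears to be the Makefile.am moved under the new config/etc/ directory, so the above is inferred.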
templatesconfigdir=@LXCTEMPLATECONFIG@
templatesconfig_DATA = \
ubuntu-cloud.common.conf \
ubuntu-cloud.lucid.conf \
ubuntu-cloud.userns.conf \
ubuntu.common.conf \
ubuntu.lucid.conf
# This derives from the main Ubuntu config
lxc.include = @LXCTEMPLATECONFIG@/ubuntu.common.conf
lxc.hook.clone = @LXCHOOKDIR@/ubuntu-cloud-prep
# This derives from the main Ubuntu lucid config
lxc.include = @LXCTEMPLATECONFIG@/ubuntu.lucid.conf
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
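Review bot: The two empty `lxc.cgroup.devices.deny =` / `lxc.cgroup.devices.allow =` assignments at the top appear to reset the device cgroup rules set by ubuntu-cloud.common.conf, which only works if this file is included after it, as the template does, but nothing in the file states that ordering. A header comment would keep it from being broken by a hand-edited config: `# Must be included after ubuntu-cloud.common.conf: the empty assignments below clear the device cgroup rules it sets (they cannot be applied without CAP_SYS_ADMIN in the initial user namespace) and reset lxc.devttydir.` The same ordering dependency applies to the `lxc.devttydir =` line, which overrides the `lxc.devttydir = lxc` in the common file.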
# Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
# Default console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# Default cgroup limits
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
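Review bot: This file is now the single source of the capability drops, device cgroup whitelist and default mounts for every container created by either Ubuntu template, yet it has no header saying what it is, how it is consumed, or that release-specific files included after it may override values (ubuntu.lucid.conf resets `lxc.devttydir`). A header such as `# Common configuration shared by all Ubuntu containers, pulled in via lxc.include from the per-container config. Release-specific ubuntu.<release>.conf files are included after this one and may override values such as lxc.devttydir. Changes here presumably affect every existing container on its next start.` would make that explicit. The commit also drops the commented-out apparmor and nesting hints (`#lxc.aa_profile = unconfined`, `#lxc.aa_profile = lxc-container-default-with-nesting`, `#lxc.hook.mount = ...`) that the old per-container config carried; if they are not re-added here or in the generated config, users lose the only in-config pointer to the nesting profile.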
# Ubuntu 10.04 LTS doesn't have /dev/lxc/
lxc.devttydir =
...@@ -361,6 +361,7 @@ AS_AC_EXPAND(LXC_USERNIC_CONF, "$with_usernic_conf") ...@@ -361,6 +361,7 @@ AS_AC_EXPAND(LXC_USERNIC_CONF, "$with_usernic_conf")
AS_AC_EXPAND(LXC_USERNIC_DB, "$with_usernic_db") AS_AC_EXPAND(LXC_USERNIC_DB, "$with_usernic_db")
AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path") AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates") AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config")
AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks") AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
AS_AC_EXPAND(LXCINITDIR, "$libexecdir") AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
AS_AC_EXPAND(LOGPATH, "$with_log_path") AS_AC_EXPAND(LOGPATH, "$with_log_path")
...@@ -447,7 +448,15 @@ AC_CONFIG_FILES([ ...@@ -447,7 +448,15 @@ AC_CONFIG_FILES([
Makefile Makefile
lxc.pc lxc.pc
lxc.spec lxc.spec
config/Makefile config/Makefile
config/etc/Makefile
config/templates/Makefile
config/templates/ubuntu-cloud.common.conf
config/templates/ubuntu-cloud.lucid.conf
config/templates/ubuntu-cloud.userns.conf
config/templates/ubuntu.common.conf
config/templates/ubuntu.lucid.conf
doc/Makefile doc/Makefile
doc/api/Makefile doc/api/Makefile
......
...@@ -1127,6 +1127,7 @@ bool prepend_lxc_header(char *path, const char *t, char *const argv[]) ...@@ -1127,6 +1127,7 @@ bool prepend_lxc_header(char *path, const char *t, char *const argv[])
fprintf(f, "%02x", md_value[i]); fprintf(f, "%02x", md_value[i]);
fprintf(f, "\n"); fprintf(f, "\n");
#endif #endif
fprintf(f, "# For additional config options, please look at lxc.conf(5)\n");
if (fwrite(contents, 1, flen, f) != flen) { if (fwrite(contents, 1, flen, f) != flen) {
SYSERROR("Writing original contents"); SYSERROR("Writing original contents");
free(contents); free(contents);
......
...@@ -24,6 +24,7 @@ set -e ...@@ -24,6 +24,7 @@ set -e
STATE_DIR="@LOCALSTATEDIR@" STATE_DIR="@LOCALSTATEDIR@"
HOOK_DIR="@LXCHOOKDIR@" HOOK_DIR="@LXCHOOKDIR@"
CLONE_HOOK_FN="$HOOK_DIR/ubuntu-cloud-prep" CLONE_HOOK_FN="$HOOK_DIR/ubuntu-cloud-prep"
LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
if [ -r /etc/default/lxc ]; then if [ -r /etc/default/lxc ]; then
. /etc/default/lxc . /etc/default/lxc
...@@ -59,81 +60,45 @@ copy_configuration() ...@@ -59,81 +60,45 @@ copy_configuration()
grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
fi fi
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config # Generate the configuration file
cat <<EOF >> $path/config ## Create the fstab (empty by default)
lxc.mount = $path/fstab touch $path/fstab
lxc.pivotdir = lxc_putold
lxc.devttydir =$ttydir
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = $name
lxc.arch = $arch
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: ## Relocate all the network config entries
#lxc.aa_profile = unconfined sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
# To support container nesting on an Ubuntu host, uncomment next two lines: ## Relocate any other config entries
#lxc.aa_profile = lxc-container-default-with-nesting sed -i -e "/lxc./{w ${path}/config-auto" -e "d}" $path/config
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
lxc.hook.clone = ${CLONE_HOOK_FN} ## Add all the includes
EOF echo "" >> $path/config
echo "# Common configuration" >> $path/config
# can't write to devices.deny without CAP_SYS_ADMIN in init-user-ns if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.common.conf" ]; then
if [ $in_userns -ne 1 ]; then echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.common.conf" >> $path/config
cat <<EOF >> $path/config fi
lxc.cgroup.devices.deny = a if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.${release}.conf" ]; then
# Allow any mknod (but not using the node) echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.${release}.conf" >> $path/config
lxc.cgroup.devices.allow = c *:* m fi
lxc.cgroup.devices.allow = b *:* m if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then
# /dev/null and zero echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" >> $path/config
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
# fuse
lxc.cgroup.devices.allow = c 10:229 rwm
# tun
lxc.cgroup.devices.allow = c 10:200 rwm
# full
lxc.cgroup.devices.allow = c 1:7 rwm
# hpet
lxc.cgroup.devices.allow = c 10:228 rwm
# kvm
lxc.cgroup.devices.allow = c 10:232 rwm
EOF
fi fi
cat <<EOF > $path/fstab ## Add the container-specific config
proc proc proc nodev,noexec,nosuid 0 0 echo "" >> $path/config
sysfs sys sysfs defaults 0 0 echo "# Container specific configuration" >> $path/config
/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
/sys/kernel/debug sys/kernel/debug none bind,optional 0 0 grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
/sys/kernel/security sys/kernel/security none bind,optional 0 0 cat <<EOF >> $path/config
/sys/fs/pstore sys/fs/pstore none bind,optional 0 0 lxc.mount = $path/fstab
lxc.utsname = $name
lxc.arch = $arch
EOF EOF
# unprivileged user can't mknod these. One day we may allow ## Re-add the previously removed network config
# that in the kernel, but not right now. So let's just bind echo "" >> $path/config
# mount the files from the host. echo "# Network configuration" >> $path/config
if [ $in_userns -eq 1 ]; then cat $path/config-network >> $path/config
mkdir -p $rootfs/dev/pts rm $path/config-network
for dev in null tty urandom console; do
touch $rootfs/dev/$dev
echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab
done
fi
# Set initial timezone as on host # Set initial timezone as on host
if [ -f /etc/timezone ]; then if [ -f /etc/timezone ]; then
...@@ -397,6 +362,7 @@ do_extract_rootfs() { ...@@ -397,6 +362,7 @@ do_extract_rootfs() {
cd $rootfs cd $rootfs
if [ $in_userns -eq 1 ]; then if [ $in_userns -eq 1 ]; then
tar --anchored --exclude="dev/*" --numeric-owner -xpzf "$cache/$filename" tar --anchored --exclude="dev/*" --numeric-owner -xpzf "$cache/$filename"
mkdir -p $cache/$filename/dev/pts/
else else
tar --numeric-owner -xpzf "$cache/$filename" tar --numeric-owner -xpzf "$cache/$filename"
fi fi
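Review bot: The added `mkdir -p $cache/$filename/dev/pts/` in do_extract_rootfs appears to target the wrong path: the line above passes `$cache/$filename` to `tar -xpzf` as the archive, so it is a regular file, and creating a directory beneath it should fail with "Not a directory", which under the script's `set -e` would abort extraction in the userns case. The intent looks like restoring the `mkdir -p $rootfs/dev/pts` this commit removes from copy_configuration, and since the function has already done `cd $rootfs`, `mkdir -p dev/pts` (or `mkdir -p $rootfs/dev/pts`) is the fix. Nothing else in this hunk creates dev/pts for a userns rootfs because the tar runs with `--exclude="dev/*"`. do_extract_rootfs continues outside the hunk.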
......
...@@ -26,7 +26,8 @@ ...@@ -26,7 +26,8 @@
set -e set -e
LOCALSTATEDIR=@LOCALSTATEDIR@ LOCALSTATEDIR="@LOCALSTATEDIR@"
LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
if [ -r /etc/default/lxc ]; then if [ -r /etc/default/lxc ]; then
. /etc/default/lxc . /etc/default/lxc
...@@ -385,11 +386,6 @@ copy_configuration() ...@@ -385,11 +386,6 @@ copy_configuration()
arch="i686" arch="i686"
fi fi
ttydir=""
if [ -f $rootfs/etc/init/container-detect.conf ]; then
ttydir=" lxc"
fi
# if there is exactly one veth network entry, make sure it has an # if there is exactly one veth network entry, make sure it has an
# associated hwaddr. # associated hwaddr.
nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
...@@ -397,63 +393,42 @@ copy_configuration() ...@@ -397,63 +393,42 @@ copy_configuration()
grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
fi fi
# Generate the configuration file
## Create the fstab (empty by default)
touch $path/fstab
## Relocate all the network config entries
sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
## Relocate any other config entries
sed -i -e "/lxc./{w ${path}/config-auto" -e "d}" $path/config
## Add all the includes
echo "" >> $path/config
echo "# Common configuration" >> $path/config
if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" ]; then
echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" >> $path/config
fi
if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.${release}.conf" ]; then
echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.${release}.conf" >> $path/config
fi
## Add the container-specific config
echo "" >> $path/config
echo "# Container specific configuration" >> $path/config
[ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
cat <<EOF >> $path/config cat <<EOF >> $path/config
lxc.mount = $path/fstab lxc.mount = $path/fstab
lxc.pivotdir = lxc_putold
lxc.devttydir =$ttydir
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = $name lxc.utsname = $name
lxc.arch = $arch lxc.arch = $arch
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host, uncomment next two lines:
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
# fuse
lxc.cgroup.devices.allow = c 10:229 rwm
# tun
lxc.cgroup.devices.allow = c 10:200 rwm
# full
lxc.cgroup.devices.allow = c 1:7 rwm
# hpet
lxc.cgroup.devices.allow = c 10:228 rwm
# kvm
lxc.cgroup.devices.allow = c 10:232 rwm
EOF EOF
cat <<EOF > $path/fstab ## Re-add the previously removed network config
proc proc proc nodev,noexec,nosuid 0 0 echo "" >> $path/config
sysfs sys sysfs defaults 0 0 echo "# Network configuration" >> $path/config
/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 cat $path/config-network >> $path/config
/sys/kernel/debug sys/kernel/debug none bind,optional 0 0 rm $path/config-network
/sys/kernel/security sys/kernel/security none bind,optional 0 0
/sys/fs/pstore sys/fs/pstore none bind,optional 0 0
EOF
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Failed to add configuration" echo "Failed to add configuration"
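Review bot: The include guard in copy_configuration, `if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" ]; then ... fi`, silently skips the common file when it is missing, and lxc-ubuntu-cloud does the same for ubuntu-cloud.common.conf. That file now carries the `lxc.cap.drop`, the device cgroup deny/allow list and the default mounts that used to be written inline, so a missing or mis-installed config directory yields a container with none of those restrictions and no warning at creation time. The release-specific include is legitimately optional, but the common one should fail the template instead: `[ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" ] || { echo "Missing ${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" 1>&2; return 1; }` before the echo of the `lxc.include` line. The `if [ $? -ne 0 ]` after the `rm $path/config-network` only reflects that rm, not whether any include was written; copy_configuration continues outside the hunk.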
......