Move some common Ubuntu config

config/Makefile.am

-configdir = $(sysconfdir)/lxc
-config_DATA = default.conf
-distroconf = @LXC_DISTRO_CONF@
-
-EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
-
-default.conf:
-	cp $(distroconf) $@
-
-clean-local:
-	@$(RM) -f default.conf
-
-distclean-local:
-	@$(RM) -f default.conf
-	@$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile
+SUBDIRS = etc templates

config/etc/Makefile.am

+configdir = $(sysconfdir)/lxc
+config_DATA = default.conf
+distroconf = @LXC_DISTRO_CONF@
+
+EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
+
+default.conf:
+	cp $(distroconf) $@
+
+clean-local:
+	@$(RM) -f default.conf
+
+distclean-local:
+	@$(RM) -f default.conf
+	@$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile

config/templates/Makefile.am

+templatesconfigdir=@LXCTEMPLATECONFIG@
+
+templatesconfig_DATA = \
+	ubuntu-cloud.common.conf \
+	ubuntu-cloud.lucid.conf \
+	ubuntu-cloud.userns.conf \
+	ubuntu.common.conf \
+	ubuntu.lucid.conf

config/templates/ubuntu-cloud.common.conf.in

+# This derives from the main Ubuntu config
+lxc.include = @LXCTEMPLATECONFIG@/ubuntu.common.conf
+
+lxc.hook.clone = @LXCHOOKDIR@/ubuntu-cloud-prep

config/templates/ubuntu-cloud.lucid.conf.in

+# This derives from the main Ubuntu lucid config
+lxc.include = @LXCTEMPLATECONFIG@/ubuntu.lucid.conf

config/templates/ubuntu-cloud.userns.conf.in

+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

config/templates/ubuntu.common.conf.in

+# Default pivot location
+lxc.pivotdir = lxc_putold
+
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
+lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
+lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
+
+# Default console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm

config/templates/ubuntu.lucid.conf.in

+# Ubuntu 10.04 LTS doesn't have /dev/lxc/
+lxc.devttydir =

configure.ac

@@ -361,6 +361,7 @@ AS_AC_EXPAND(LXC_USERNIC_CONF, "$with_usernic_conf")
 AS_AC_EXPAND(LXC_USERNIC_DB, "$with_usernic_db")
 AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
 AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
+AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config")
 AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
 AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
 AS_AC_EXPAND(LOGPATH, "$with_log_path")
@@ -447,7 +448,15 @@ AC_CONFIG_FILES([
 	Makefile
 	lxc.pc
 	lxc.spec
+
 	config/Makefile
+	config/etc/Makefile
+	config/templates/Makefile
+	config/templates/ubuntu-cloud.common.conf
+	config/templates/ubuntu-cloud.lucid.conf
+	config/templates/ubuntu-cloud.userns.conf
+	config/templates/ubuntu.common.conf
+	config/templates/ubuntu.lucid.conf
 
 	doc/Makefile
 	doc/api/Makefile

src/lxc/lxccontainer.c

@@ -1127,6 +1127,7 @@ bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 		fprintf(f, "%02x", md_value[i]);
 	fprintf(f, "\n");
 #endif
+	fprintf(f, "# For additional config options, please look at lxc.conf(5)\n");
 	if (fwrite(contents, 1, flen, f) != flen) {
 		SYSERROR("Writing original contents");
 		free(contents);

templates/lxc-ubuntu-cloud.in

@@ -24,6 +24,7 @@ set -e
 STATE_DIR="@LOCALSTATEDIR@"
 HOOK_DIR="@LXCHOOKDIR@"
 CLONE_HOOK_FN="$HOOK_DIR/ubuntu-cloud-prep"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 
 if [ -r /etc/default/lxc ]; then
     . /etc/default/lxc
@@ -59,81 +60,45 @@ copy_configuration()
         grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
     fi
 
-    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
-    cat <<EOF >> $path/config
-lxc.mount = $path/fstab
-lxc.pivotdir = lxc_putold
-
-lxc.devttydir =$ttydir
-lxc.tty = 4
-lxc.pts = 1024
-
-lxc.utsname = $name
-lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+    # Generate the configuration file
+    ## Create the fstab (empty by default)
+    touch $path/fstab
 
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+    ## Relocate all the network config entries
+    sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
 
-# To support container nesting on an Ubuntu host, uncomment next two lines:
-#lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+    ## Relocate any other config entries
+    sed -i -e "/lxc./{w ${path}/config-auto" -e "d}" $path/config
 
-lxc.hook.clone = ${CLONE_HOOK_FN}
-EOF
-
-    # can't write to devices.deny without CAP_SYS_ADMIN in init-user-ns
-    if [ $in_userns -ne 1 ]; then
-	    cat <<EOF >> $path/config
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-# fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
-# tun
-lxc.cgroup.devices.allow = c 10:200 rwm
-# full
-lxc.cgroup.devices.allow = c 1:7 rwm
-# hpet
-lxc.cgroup.devices.allow = c 10:228 rwm
-# kvm
-lxc.cgroup.devices.allow = c 10:232 rwm
-EOF
+    ## Add all the includes
+    echo "" >> $path/config
+    echo "# Common configuration" >> $path/config
+    if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.common.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.common.conf" >> $path/config
+    fi
+    if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.${release}.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.${release}.conf" >> $path/config
+    fi
+    if [ $in_userns -eq 1 ] && [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu-cloud.userns.conf" >> $path/config
     fi
 
-    cat <<EOF > $path/fstab
-proc            proc         proc    nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs defaults  0 0
-/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
-/sys/kernel/debug sys/kernel/debug none bind,optional 0 0
-/sys/kernel/security sys/kernel/security none bind,optional 0 0
-/sys/fs/pstore sys/fs/pstore none bind,optional 0 0
+    ## Add the container-specific config
+    echo "" >> $path/config
+    echo "# Container specific configuration" >> $path/config
+    [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
+    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
+    cat <<EOF >> $path/config
+lxc.mount = $path/fstab
+lxc.utsname = $name
+lxc.arch = $arch
 EOF
 
-    # unprivileged user can't mknod these.  One day we may allow
-    # that in the kernel, but not right now.  So let's just bind
-    # mount the files from the host.
-    if [ $in_userns -eq 1 ]; then
-        mkdir -p $rootfs/dev/pts
-        for dev in null tty urandom console; do
-            touch $rootfs/dev/$dev
-            echo "/dev/$dev dev/$dev    none bind 0 0" >> $path/fstab
-        done
-    fi
+    ## Re-add the previously removed network config
+    echo "" >> $path/config
+    echo "# Network configuration" >> $path/config
+    cat $path/config-network >> $path/config
+    rm $path/config-network
 
     # Set initial timezone as on host
     if [ -f /etc/timezone ]; then
@@ -397,6 +362,7 @@ do_extract_rootfs() {
     cd $rootfs
     if [ $in_userns -eq 1 ]; then
         tar --anchored --exclude="dev/*" --numeric-owner -xpzf "$cache/$filename"
+        mkdir -p $cache/$filename/dev/pts/
     else
         tar --numeric-owner -xpzf "$cache/$filename"
     fi

templates/lxc-ubuntu.in

@@ -26,7 +26,8 @@
 
 set -e
 
-LOCALSTATEDIR=@LOCALSTATEDIR@
+LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 
 if [ -r /etc/default/lxc ]; then
     . /etc/default/lxc
@@ -385,11 +386,6 @@ copy_configuration()
         arch="i686"
     fi
 
-    ttydir=""
-    if [ -f $rootfs/etc/init/container-detect.conf ]; then
-        ttydir=" lxc"
-    fi
-
     # if there is exactly one veth network entry, make sure it has an
     # associated hwaddr.
     nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
@@ -397,63 +393,42 @@ copy_configuration()
         grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
     fi
 
+    # Generate the configuration file
+    ## Create the fstab (empty by default)
+    touch $path/fstab
+
+    ## Relocate all the network config entries
+    sed -i -e "/lxc.network/{w ${path}/config-network" -e "d}" $path/config
+
+    ## Relocate any other config entries
+    sed -i -e "/lxc./{w ${path}/config-auto" -e "d}" $path/config
+
+    ## Add all the includes
+    echo "" >> $path/config
+    echo "# Common configuration" >> $path/config
+    if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.common.conf" >> $path/config
+    fi
+    if [ -e "${LXC_TEMPLATE_CONFIG}/ubuntu.${release}.conf" ]; then
+        echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/ubuntu.${release}.conf" >> $path/config
+    fi
+
+    ## Add the container-specific config
+    echo "" >> $path/config
+    echo "# Container specific configuration" >> $path/config
+    [ -e "$path/config-auto" ] && cat $path/config-auto >> $path/config && rm $path/config-auto
     grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
     cat <<EOF >> $path/config
 lxc.mount = $path/fstab
-lxc.pivotdir = lxc_putold
-
-lxc.devttydir =$ttydir
-lxc.tty = 4
-lxc.pts = 1024
-
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
-
-# To support container nesting on an Ubuntu host, uncomment next two lines:
-#lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
-
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-# fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
-# tun
-lxc.cgroup.devices.allow = c 10:200 rwm
-# full
-lxc.cgroup.devices.allow = c 1:7 rwm
-# hpet
-lxc.cgroup.devices.allow = c 10:228 rwm
-# kvm
-lxc.cgroup.devices.allow = c 10:232 rwm
 EOF
 
-    cat <<EOF > $path/fstab
-proc            proc         proc    nodev,noexec,nosuid 0 0
-sysfs           sys          sysfs defaults  0 0
-/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
-/sys/kernel/debug sys/kernel/debug none bind,optional 0 0
-/sys/kernel/security sys/kernel/security none bind,optional 0 0
-/sys/fs/pstore sys/fs/pstore none bind,optional 0 0
-EOF
+    ## Re-add the previously removed network config
+    echo "" >> $path/config
+    echo "# Network configuration" >> $path/config
+    cat $path/config-network >> $path/config
+    rm $path/config-network
 
     if [ $? -ne 0 ]; then
         echo "Failed to add configuration"