Merge branch 'lxc-buster-updates' of https://github.com/drybjed/debops
…into drybjed-lxc-buster-updates
drybjed committed Jun 26, 2019
2 parents 7627ac9 + 6bb8601 commit 2c02382
Showing 18 changed files with 391 additions and 90 deletions.
46 changes: 46 additions & 0 deletions CHANGELOG.rst
Expand Up @@ -42,6 +42,13 @@ Added
able to access SSH service from any host. Existing installations might need
to be updated manually to fix UID/GID or LDAP DN conflicts.

- [debops.sysctl] The kernel protection for symlinks and hardlinks will be
enabled by default on Debian/Ubuntu hosts.

- [debops.lxc] The :command:`lxc-prepare-ssh` script can now look up the SSH
keys of the current user in LDAP if support for it is enabled on the LXC
host.

Changed
~~~~~~~

Expand Down Expand Up @@ -76,6 +83,45 @@ Changed
preparation of adding a role that will provide client functionality like
network and container management.

- [debops.netbase] Do not try to manage the hostname in LXC, Docker or OpenVZ
containers by default. We assume that these containers are unprivileged and
their hostname cannot be changed from the inside of the container.

- [debops.lxc] The role now checks the version of the installed LXC support and
uses the old or new configuration keys accordingly. You can review the
`changed configuration keys`__ between the old and new LXC version for
comparsion.

.. __: https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487

- [debops.lxc] New LXC containers will have the ``CAP_SYS_TIME`` POSIX
capability dropped by default to ensure that time configuration is disabled
inside of the container. This should fix an issue on Debian Buster where an
unprivileged LXC containers still have this capability enabled.

On Debian Buster LXC hosts, the ``CAP_SYS_ADMIN`` POSIX capbility will be
dropped in new LXC containers by default.

- [debops.lxc] On Debian Buster (specifically on LXC versions below 3.1.0) the
AppArmor restrictions on unprivileged LXC containers will be relaxed to allow
correct operation of the :command:`systemd` service manager inside of
a container. Check the Debian Bugs `#916644`__, `#918839`__ and `#911806`__
for reasoning behind this modification.

.. __: https://bugs.debian.org/916644
.. __: https://bugs.debian.org/918839
.. __: https://bugs.debian.org/911806

Removed
~~~~~~~

- [debops.lxc] The :command:`lxc-prepare-ssh` script will no longer install SSH
keys from the LXC host ``root`` account on the LXC container ``root``
account. This can cause confusion and unintended security breach when other
services (for example backup scripts or remote command execution tools)
install their own SSH keys on the LXC host and they are subsequently
copied inside of the LXC containers created on that host.


`debops v1.0.0`_ - 2019-05-22
-----------------------------
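Review bot: the `CAP_SYS_ADMIN` paragraph ("On Debian Buster LXC hosts, the ``CAP_SYS_ADMIN`` POSIX capbility will be dropped") describes the condition by distribution, but the defaults in this diff gate it on the LXC version (`lxc__version is version("3.0.0", "<")`), so it applies to any host running LXC 3.0.0 or newer; "on hosts with LXC 3.0.0 or later" would match the code. The AppArmor entry likewise says "LXC versions below 3.1.0", while the defaults keep the relaxation absent below 3.0.0 as well, so the precise range is LXC 3.0.x. Spelling in this hunk: "comparsion" should read "comparison", "capbility" should read "capability", and "an unprivileged LXC containers still have" should read "unprivileged LXC containers still have".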
150 changes: 127 additions & 23 deletions ansible/roles/debops.lxc/defaults/main.yml
Expand Up @@ -19,12 +19,27 @@
lxc__base_packages:
- [ 'lxc', 'lxcfs', 'debootstrap', 'xz-utils' ]
- '{{ [ "dnsmasq-base", "resolvconf" ] if (lxc__net_deploy_state == "present") else [] }}'
- '{{ []
if (ansible_distribution_release in
[ "wheezy", "jessie", "stretch",
"precise", "trusty", "xenial" ])
else [ "apparmor" ] }}'

# ]]]
# .. envvar:: lxc__packages [[[
#
# List of additional APT packages to install with LXC.
lxc__packages: []

# ]]]
# .. envvar:: lxc__version [[[
#
# The variable that exposes the version of the LXC service installed on
# a host. It will be set automatically using the Ansible local facts.
lxc__version: '{{ ansible_local.lxc.version
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.version|d())
else "0.0.0" }}'
# ]]]
# ]]]
# Unprivileged LXC containers [[[
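Review bot: `lxc__version` falls back to `"0.0.0"` whenever the `ansible_local.lxc.version` fact is missing, and every version-gated setting later in this file treats 0.0.0 as a pre-2.1.0 LXC: legacy `lxc.network.*` and `lxc.id_map` keys, `lxc.cgroup.use` present, no `sys_admin` drop and the AppArmor entries absent. On a fresh Buster host where the fact script has not been installed yet, or facts have not been re-gathered after installing it, a first run would therefore render a configuration with the old keys and without the intended hardening. Please make sure the role deploys the fact script and re-reads local facts (for example a `setup` task with `filter: ansible_local`) before `lxc__default_configuration` is evaluated, or document that ordering requirement next to this variable.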
Expand Down Expand Up @@ -194,6 +209,9 @@ lxc__default_configuration:

- name: 'lxc.cgroup.use'
value: '@all'
state: '{{ "present"
if (lxc__version is version("2.1.0", "<"))
else "absent" }}'

- name: 'lxc.default_config'
comment: |
Expand All @@ -211,27 +229,37 @@ lxc__default_configuration:
- name: 'unprivileged'
options:

- name: 'lxc.network.type'
- name: '{{ "lxc.network.type"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.type" }}'
value: 'veth'

- name: 'lxc.network.link'
- name: '{{ "lxc.network.link"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.link" }}'
value: '{{ "br0"
if (ansible_local|d() and ansible_local.ifupdown|d() and
(ansible_local.ifupdown.configured|d())|bool)
else (lxc__net_bridge
if (lxc__net_deploy_state == "present")
else "br0") }}'

- name: 'lxc.network.flags'
- name: '{{ "lxc.network.flags"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.flags" }}'
value: 'up'

- name: 'lxc.id_map_user'
alias: 'lxc.id_map'
alias: '{{ "lxc.id_map"
if (lxc__version is version("2.1.0", "<"))
else "lxc.idmap" }}'
value: 'u 0 {{ lxc__root_subuid_start }} {{ lxc__root_subuid_count }}'
separator: True

- name: 'lxc.id_map_group'
alias: 'lxc.id_map'
alias: '{{ "lxc.id_map"
if (lxc__version is version("2.1.0", "<"))
else "lxc.idmap" }}'
value: 'g 0 {{ lxc__root_subgid_start }} {{ lxc__root_subgid_count }}'

- name: 'lxc.start.auto'
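Review bot: templating the `name` field itself (`name: '{{ "lxc.network.type" if (lxc__version is version("2.1.0", "<")) else "lxc.net.0.type" }}'`) changes the key under which this option is matched against user overrides, so an override written against `lxc.network.type` would presumably stop matching on LXC 2.1.0+ hosts. The `external-internal` entries further down keep a stable `name` (`lxc.network.type_net0`) and only template the `alias`, which is also how `lxc.id_map_user` and `lxc.id_map_group` are handled in this very hunk; using the same pattern for the three network options here (stable `name`, templated `alias`) would keep overrides working across LXC versions. The same applies to the `privileged` and `internal-unprivileged` blocks below.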
Expand All @@ -240,7 +268,8 @@ lxc__default_configuration:

- name: 'lxc.cap.drop_secure'
alias: 'lxc.cap.drop'
value: 'mknod sys_rawio syslog wake_alarm'
value: '{{ [ "mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time" ]
+ ([] if (lxc__version is version("3.0.0", "<")) else [ "sys_admin" ]) }}'

# Select how many CPUs are available inside of the container
- name: 'lxc.cgroup.cpuset.cpus'
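Review bot: `value` changes from a space-separated string (`'mknod sys_rawio syslog wake_alarm'`) to a Jinja list expression; `lxc.cap.drop` expects a space-separated list in the rendered config, so this relies on the configuration template joining lists with spaces. Please confirm the template does that, or append `| join(" ")` to the expression so the rendered value does not depend on template behaviour. The identical expression is repeated in four configuration blocks in this diff; keeping it in one variable would stop the four lists from drifting apart later.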
Expand All @@ -260,22 +289,50 @@ lxc__default_configuration:
value: '{{ ((ansible_memtotal_mb|int + ansible_swaptotal_mb|int) / 1024) | round | int }}G'
state: 'comment'

# Required in AppArmor environment to allow systemd services to start
# inside of the LXC unprivileged containers.
# See also: https://bugs.debian.org/916644,
# https://bugs.debian.org/918839, https://bugs.debian.org/911806
- name: 'lxc.apparmor.profile'
value: 'generated'
state: '{{ "absent"
if (lxc__version is version("3.0.0", "<") or
lxc__version is version("3.1.0", ">="))
else "present" }}'

# Required in AppArmor environment to allow systemd services to start
# inside of the LXC unprivileged containers.
# See also: https://bugs.debian.org/916644,
# https://bugs.debian.org/918839, https://bugs.debian.org/911806
- name: 'lxc.apparmor.allow_nesting'
value: '1'
state: '{{ "absent"
if (lxc__version is version("3.0.0", "<") or
lxc__version is version("3.1.0", ">="))
else "present" }}'

# Default configuration for privileged LXC containers
- name: 'privileged'
options:

- name: 'lxc.network.type'
- name: '{{ "lxc.network.type"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.type" }}'
value: 'veth'

- name: 'lxc.network.link'
- name: '{{ "lxc.network.link"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.link" }}'
value: '{{ "br0"
if (ansible_local|d() and ansible_local.ifupdown|d() and
(ansible_local.ifupdown.configured|d())|bool)
else (lxc__net_bridge
if (lxc__net_deploy_state == "present")
else "br0") }}'

- name: 'lxc.network.flags'
- name: '{{ "lxc.network.flags"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.flags" }}'
value: 'up'

- name: 'lxc.start.auto'
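Review bot: `lxc.apparmor.allow_nesting: '1'` together with `lxc.apparmor.profile: 'generated'` widens what an unprivileged container may do under AppArmor, which is why the comment cites the systemd bugs; the comment should say plainly that this is a deliberate relaxation of confinement applied only to LXC 3.0.x, and it would help operators to expose a single variable that keeps the stricter profile when systemd inside the container is not needed. The `state` expression itself correctly limits the window (absent below 3.0.0 and from 3.1.0 on). The four-line comment and bug references are repeated verbatim for both entries here and again in the `internal-unprivileged` block; one comment per block would be enough.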
Expand All @@ -284,30 +341,41 @@ lxc__default_configuration:

- name: 'lxc.cap.drop_secure'
alias: 'lxc.cap.drop'
value: 'mknod sys_rawio syslog wake_alarm'
value: '{{ [ "mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time" ]
+ ([] if (lxc__version is version("3.0.0", "<")) else [ "sys_admin" ]) }}'

# Configuration for unprivileged LXC containers that uses only the internal
# bridge managed by the 'lxc-net' service
- name: 'internal-unprivileged'
state: '{{ "present" if (lxc__net_deploy_state == "present") else "absent" }}'
options:

- name: 'lxc.network.type'
- name: '{{ "lxc.network.type"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.type" }}'
value: 'veth'

- name: 'lxc.network.link'
- name: '{{ "lxc.network.link"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.link" }}'
value: '{{ lxc__net_bridge }}'

- name: 'lxc.network.flags'
- name: '{{ "lxc.network.flags"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.flags" }}'
value: 'up'

- name: 'lxc.id_map_user'
alias: 'lxc.id_map'
alias: '{{ "lxc.id_map"
if (lxc__version is version("2.1.0", "<"))
else "lxc.idmap" }}'
value: 'u 0 {{ lxc__root_subuid_start }} {{ lxc__root_subuid_count }}'
separator: True

- name: 'lxc.id_map_group'
alias: 'lxc.id_map'
alias: '{{ "lxc.id_map"
if (lxc__version is version("2.1.0", "<"))
else "lxc.idmap" }}'
value: 'g 0 {{ lxc__root_subgid_start }} {{ lxc__root_subgid_count }}'

- name: 'lxc.start.auto'
Expand All @@ -316,7 +384,8 @@ lxc__default_configuration:

- name: 'lxc.cap.drop_secure'
alias: 'lxc.cap.drop'
value: 'mknod sys_rawio syslog wake_alarm'
value: '{{ [ "mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time" ]
+ ([] if (lxc__version is version("3.0.0", "<")) else [ "sys_admin" ]) }}'

# Select how many CPUs are available inside of the container
- name: 'lxc.cgroup.cpuset.cpus'
Expand All @@ -336,17 +405,43 @@ lxc__default_configuration:
value: '{{ ((ansible_memtotal_mb|int + ansible_swaptotal_mb|int) / 1024) | round | int }}G'
state: 'comment'

# Required in AppArmor environment to allow systemd services to start
# inside of the LXC unprivileged containers.
# See also: https://bugs.debian.org/916644,
# https://bugs.debian.org/918839, https://bugs.debian.org/911806
- name: 'lxc.apparmor.profile'
value: 'generated'
state: '{{ "absent"
if (lxc__version is version("3.0.0", "<") or
lxc__version is version("3.1.0", ">="))
else "present" }}'

# Required in AppArmor environment to allow systemd services to start
# inside of the LXC unprivileged containers.
# See also: https://bugs.debian.org/916644,
# https://bugs.debian.org/918839, https://bugs.debian.org/911806
- name: 'lxc.apparmor.allow_nesting'
value: '1'
state: '{{ "absent"
if (lxc__version is version("3.0.0", "<") or
lxc__version is version("3.1.0", ">="))
else "present" }}'

# Default configuration for privileged LXC containers with multiple network
# interfaces
- name: 'external-internal'
options:

- name: 'lxc.network.type_net0'
alias: 'lxc.network.type'
alias: '{{ "lxc.network.type"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.type" }}'
value: 'veth'

- name: 'lxc.network.link_net0'
alias: 'lxc.network.link'
alias: '{{ "lxc.network.link"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.link" }}'
value: '{{ "br0"
if (ansible_local|d() and ansible_local.ifupdown|d() and
(ansible_local.ifupdown.configured|d())|bool)
Expand All @@ -355,20 +450,28 @@ lxc__default_configuration:
else "br0") }}'

- name: 'lxc.network.flags_net0'
alias: 'lxc.network.flags'
alias: '{{ "lxc.network.flags"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.0.flags" }}'
value: 'up'

- name: 'lxc.network.type_net1'
alias: 'lxc.network.type'
alias: '{{ "lxc.network.type"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.1.type" }}'
value: 'veth'
separator: True

- name: 'lxc.network.link_net1'
alias: 'lxc.network.link'
alias: '{{ "lxc.network.link"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.1.link" }}'
value: 'br1'

- name: 'lxc.network.flags_net1'
alias: 'lxc.network.flags'
alias: '{{ "lxc.network.flags"
if (lxc__version is version("2.1.0", "<"))
else "lxc.net.1.flags" }}'
value: 'up'

- name: 'lxc.start.auto'
Expand All @@ -377,7 +480,8 @@ lxc__default_configuration:

- name: 'lxc.cap.drop_secure'
alias: 'lxc.cap.drop'
value: 'mknod sys_rawio syslog wake_alarm'
value: '{{ [ "mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time" ]
+ ([] if (lxc__version is version("3.0.0", "<")) else [ "sys_admin" ]) }}'

# ]]]
# .. envvar:: lxc__configuration [[[
