oracle template: convert to common.conf style

Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
lxc · Jan 15, 2014 · 9e69977 · 9e69977
1 parent 04a243f
commit 9e69977
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 35 deletions.
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
@@ -1,6 +1,8 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 
 templatesconfig_DATA = \
+	oracle.common.conf \
+	oracle.userns.conf \
 	plamo.common.conf \
 	plamo.userns.conf \
 	ubuntu-cloud.common.conf \

diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
@@ -0,0 +1,45 @@
+# Console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw          # breaks dhcp/ping
+# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid           # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+#
+lxc.cap.drop = mac_admin mac_override setfcap setpcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
@@ -0,0 +1,17 @@
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+
+# Extra fstab entries as mountall can't mount those by itself
+lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
+lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
diff --git a/configure.ac b/configure.ac
@@ -532,6 +532,8 @@ AC_CONFIG_FILES([
 	config/Makefile
 	config/etc/Makefile
 	config/templates/Makefile
+	config/templates/oracle.common.conf
+	config/templates/oracle.userns.conf
 	config/templates/plamo.common.conf
 	config/templates/plamo.userns.conf
 	config/templates/ubuntu-cloud.common.conf

diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
@@ -370,40 +370,22 @@ EOF
 container_config_create()
 {
     echo "Create configuration file $cfg_dir/config"
+    mkdir -p $cfg_dir || die "unable to create config dir $cfg_dir"
+
+    echo "# Common configuration" >> $cfg_dir/config
+    if [ -e "@LXCTEMPLATECONFIG@/oracle.common.conf" ]; then
+        echo "lxc.include = @LXCTEMPLATECONFIG@/oracle.common.conf" >> $cfg_dir/config
+    fi
+
     # generate a hwaddr for the container with a high mac address
     # see http://sourceforge.net/tracker/?func=detail&aid=3411497&group_id=163076&atid=826303
     local hwaddr="fe:`dd if=/dev/urandom bs=8 count=1 2>/dev/null |od -t x8 | \
                       head -1 |awk '{print $2}' | cut -c1-10 |\
                       sed 's/\(..\)/\1:/g; s/.$//'`"
-    mkdir -p $cfg_dir || die "unable to create config dir $cfg_dir"
     cat <<EOF >> $cfg_dir/config || die "unable to create $cfg_dir/config"
 # Container configuration for Oracle Linux $container_release_major.$container_release_minor
 lxc.arch = $arch
 lxc.utsname = $name
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-lxc.mount.auto = proc:mixed sys:ro
-lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
-# Uncomment these if you don't run anything that needs the capability, and
-# would like the container to run with less privilege.
-#
-# Dropping sys_admin disables container root from doing a lot of things
-# that could be bad like re-mounting lxc fstab entries rw for example,
-# but also disables some useful things like being able to nfs mount, and
-# things that are already namespaced with ns_capable() kernel checks, like
-# hostname(1).
-# lxc.cap.drop = sys_admin
-# lxc.cap.drop = net_raw          # breaks dhcp/ping
-# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
-# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
-# lxc.cap.drop = setuid           # breaks sshd,nfs statd
-# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
-# lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override setfcap setpcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
 EOF
     grep -q "^lxc.rootfs" $cfg_dir/config 2>/dev/null || echo "lxc.rootfs = $container_rootfs" >> $cfg_dir/config
 
@@ -426,16 +408,6 @@ EOF
 lxc.network.name = eth0
 lxc.network.mtu = 1500
 lxc.network.hwaddr = $hwaddr
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
 EOF
 }