History log of /lxc/config/templates/Makefile.am
Revision Date Author Comments
6515faa115664909351ac241763bcb374ff62608 26-Feb-2016 Jakub Jirutka <jakub@jirutka.cz>

lxc-alpine: completely rewrite the template script New template script is more readable and robust, uses cache and external LXC config file as other templates. Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>

beabd0a28f97372f3842746888082237c070ded1 04-Jan-2016 Wim Coekaerts <wim.coekaerts@oracle.com>

Add support for Linux for SPARC distribution host and template
Linux for SPARC is a free community Linux distribution for SPARC hosted by Oracle. See: https://oss.oracle.com/projects/linux-sparc
While the distribution is based on Oracle Linux it does have some differences and since it's not actually Oracle Linux I decided to add a separate template rather than having the Oracle Linux template also support Linux for SPARC.
This patch adds the lxc-template for Linux for SPARC and it also adds Linux for SPARC in the configure.ac as a distribution target to build.
Signed-off-by: Wim Coekaerts <wim.coekaerts@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

3a05a669c1ad73fc57a5295d8aaae04b20e40c88 29-Sep-2015 Matteo Bernardini <ponce@slackbuilds.org>

Add a slackware template. Requires pkgtools and slackpkg (from the slackware-current tree). Signed-off-by: Matteo Bernardini <ponce@slackbuilds.org>

108b88ce3187e08cc630e17903f8e7748a545be1 21-Sep-2015 Serge Hallyn <serge.hallyn@ubuntu.com>

Add a nesting.conf which can be included to support nesting containers (v2)
Newer kernels have added a new restriction: if /proc or /sys on the host has files or non-empty directories which are over-mounted, and there is no /proc which is fully visible, then it assumes there is a "security" reason for this. It prevents anyone in a non-initial user namespace from creating a new proc or sysfs mount.
To work around this, this patch adds a new 'nesting.conf' which can be lxc.include'd from a container configuration file. It adds a non-overmounted mount of /proc and /sys under /dev/.lxc, so that the kernel can see that we're not trying to *hide* things like /proc/uptime and /sys/devices/virtual/net. If the host adds this to the config file for container w1, then container w1 will support unprivileged child containers.
The nesting.conf file also sets the apparmor profile to the with-nesting variant, since that is required anyway. This actually means that supporting nesting isn't really more work than it used to be, just different. Instead of adding
    lxc.aa_profile = lxc-container-default-with-nesting
you now just need to
    lxc.include = /usr/share/lxc/config/nesting.conf
(Look, fewer characters :)
Finally, in order to maintain the current apparmor protections on proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable. We don't need to be able to use them, we're just showing the kernel what's what.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

4662c6dee0b2f3ee065897aac616b6a8ad02b67e 21-Jan-2015 Stéphane Graber <stgraber@ubuntu.com>

Add common.conf.d Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

c33bdec826338ce0b6da5c29101499cd139d6c1a 24-Nov-2014 Petar Koretic <petar.koretic@sartura.hr>

openwrt: add common configuration file This adds OpenWrt common config file. Signed-off-by: Petar Koretic <petar.koretic@sartura.hr> CC: Luka Perkov <luka.perkov@sartura.hr> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

6e39e4cbff5d49b4a66451696aa87b9884f58a6e 02-Jul-2014 Stéphane Graber <stgraber@ubuntu.com>

Enable default seccomp profile for all distros This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

5b99af0079813347d90c935ea540ed7f96dcea38 24-Jun-2014 Stéphane Graber <stgraber@ubuntu.com>

Reduce duplication in new style configs
This is a rather massive cleanup of config/templates/*
As new templates were added, I've noticed that we pretty much all share the tty/pts configs, some capabilities being dropped and most of the cgroup configuration. All the userns configs were also almost identical.
As a result, this change introduces two new files:
- common.conf.in
- userns.conf.in
Each is included by the relevant <template>.<type>.conf.in templates, this means that the individual per-template configs are now overlays on top of the default config.
Once we see a specific key becoming popular, we ought to check whether it should also be applied to the other templates and if more than 50% of the templates have it set to the same value, that value ought to be moved to the master config file and then overridden for the templates that do not use it.
This change while pretty big and scary, shouldn't be very visible from a user point of view, the actual changes can be summarized as:
- Extend clonehostname to work with Debian based distros and use it for all containers.
- lxc.pivotdir is now set to lxc_putold for all templates, this means that instead of using /mnt in the container, lxc will create and use /lxc_putold instead. The reason for this is to avoid failures when the user bind-mounts something else on top of /mnt.
- Some minor cgroup limit changes, the main one I remember is /dev/console now being writable by all of the redhat based containers. The rest of the set should be identical with additions in the per-distro ones.
- Drop binfmtmisc and efivars bind-mounts for non-mountall based unprivileged containers as I assumed they got those from copy/paste from Ubuntu and not because they actually need those entries. (If I'm wrong, we probably should move those to userns.conf then).
Additional investigation and changes to reduce the config delta between distros would be appreciated. In practice, I only expect lxc.cap.drop and lxc.mount.entry to really vary between distros (depending on the init system), the rest should be mostly common.
Diff from the RFC:
- Add archlinux to the mix
- Drop /etc/hostname from the clone hook
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

c194ffc100f488b08bae2d0df417fa9ffc507c7c 24-Jun-2014 Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>

Update Arch Linux template and add common configuration files Move common container configuration entries into template config. Remove unnecessary service symlinking and configuration entries, as well as guest configs and other redundant configuration, fix minor script bugs. Clean up template command line, add -d option to allow disabling services. Also enable getty's on all configured ttys to allow logins via lxc-console, set lxc.tty value corresponding to default Arch /etc/securetty configuration. This patch simplifies Arch Linux template a bit, while fixing some longstanding issues. It also provides common configuration based on files provided for Fedora templates. Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

0cad52a113839d18fb500b5118894d4ce4744726 21-Jun-2014 Stéphane Graber <stgraber@ubuntu.com>

Include ubuntu.priv.seccomp in dist tarball Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

214a98ef56b487ed9ca5a021f2e44bb7525e82ec 20-Jun-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

ubuntu containers: use a seccomp filter by default (v2) Blacklist module loading, kexec, and open_by_handle_at (the cause of the not-docker-specific dockerinit mounts namespace escape). This should be applied to all arches, but iiuc stgraber will be doing some reworking of the commonizations which will simplify that, so I'm not doing it here. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

41cf1ac30de569888c70b1f1b40d29993950ff2e 18-Jun-2014 Michael H. Warfield <mhw@WittsEnd.com>

Updated lxc-opensuse for common configuration changes. Updated the lxc-opensuse template for the changes for the common configuration used by the download template. Changed the default network mode in the container to dhcp. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

705bfae0d801ae08761f30a98eaa61c64e0f66b6 28-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

gentoo: Add basic userns config Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cae3584efccc63f544c8748bd13d80e11bc79aef 28-Jan-2014 gza <github.guillaume@zitta.fr>

gentoo: template rework
Now split config
2 settings available
* common
** featureful oriented settings
* moresecure
** security oriented
Signed-off-by: gza <github.guillaume@zitta.fr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

1ecee40b7dcb933d2c9910f07ed26c6a55e18206 22-Jan-2014 Michael H. Warfield <mhw@WittsEnd.com>

Update Fedora and CentOS templates for common conf includes.
This updates the Fedora and CentOS templates to utilize a common included config. This is largely based on the changes in the Oracle template with some exceptions.
Dropping of setpcap (present in the Oracle template) is commented out in the Fedora template. It seems to cause problems, such as large login delays with Fedora 20 containers (but not Fedora 19 - strange).
The Fedora template is further modified to disable systemd-journald.service as it is unnecessary in a container and causes serious problems when running in a Fedora 20 container.
The Fedora template is also updated to default to Fedora 20 when running on a non-Fedora host.
Regards, Mike
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

00fe5e1d19def221951c1bfcb631b47a2403c951 15-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

debian: Switch to config includes Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

9e69977fa6fe9273cbe166cbb7f9cbbd427b5a01 15-Jan-2014 Dwight Engen <dwight.engen@oracle.com>

oracle template: convert to common.conf style Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

cb13115193f408eb4de08ea9b6c73c1fe22a0263 13-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

Add minimal userns config for plamo Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

bf3e09c00eab82850782ad6ec74e4403d84ae866 13-Jan-2014 KATOH Yasufumi <karma@jazz.email.ne.jp>

plamo: Update template to use lxc.include and add plamo.common.conf Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

71d3a6590fe665421d7a0026d699b0654ddfc7f6 13-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

download: Initial template
This adds a new template called "download". It's a fairly simple template with a minimal set of dependencies which will grab any pre-built image available on https://images.linuxcontainers.org
Note that the serverside is still work in progress (missing SSL support).
Access is done over https by default with a warning being emitted if fallback to http was required (may be needed for testing, when behind proxy and with private servers). All index files and tarballs are gpg-signed with the default pubkeyid contained in the template itself.
The main benefit of this template is to be entirely distribution-agnostic, any template that can be integrated with the server build infrastructure will then work on any LXC machine when using the download template.
This template is also compatible with user namespaces and will hopefully help widen the number of distros that may work in unprivileged LXC.
This commit also bundles a small change to the template configs to have the ubuntu template (used by the download template) to work with unprivileged LXC.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

f2a95ee1bf54c949614a68bf152ea9a8e1d3a172 06-Dec-2013 Stéphane Graber <stgraber@ubuntu.com>

Move some common Ubuntu config This introduces a new /usr/share/lxc/config directory containing common configuration snippets. The two Ubuntu templates are then simplified to just include the relevant entries avoiding a whole lot of hardcoded cgroup, capabilities and mount points configuration. An extra comment is also added at the top of all generated configuration files telling the user to look at lxc.conf(5) for more information. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>