Enable default seccomp profile for all distros This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Reduce duplication in new style configs This is a rather massive cleanup of config/templates/* As new templates were added, I've noticed that we pretty much all share the tty/pts configs, some capabilities being dropped and most of the cgroup configuration. All the userns configs were also almost identical. As a result, this change introduces two new files: - common.conf.in - userns.conf.in Each is included by the relevant <template>.<type>.conf.in templates, this means that the individual per-template configs are now overlays on top of the default config. Once we see a specific key becoming popular, we ought to check whether it should also be applied to the other templates and if more than 50% of the templates have it set to the same value, that value ought to be moved to the master config file and then overriden for the templates that do not use it. This change while pretty big and scary, shouldn't be very visible from a user point of view, the actual changes can be summarized as: - Extend clonehostname to work with Debian based distros and use it for all containers. - lxc.pivotdir is now set to lxc_putold for all templates, this means that instead of using /mnt in the container, lxc will create and use /lxc_putold instead. The reason for this is to avoid failures when the user bind-mounts something else on top of /mnt. - Some minor cgroup limit changes, the main one I remember is /dev/console now being writable by all of the redhat based containers. The rest of the set should be identical with additions in the per-distro ones. - Drop binfmtmisc and efivars bind-mounts for non-mountall based unpriivileged containers as I assumed they got those from copy/paste from Ubuntu and not because they actually need those entries. (If I'm wrong, we probably should move those to userns.conf then). Additional investigation and changes to reduce the config delta between distros would be appreciated. In practice, I only expect lxc.cap.drop and lxc.mount.entry to really vary between distros (depending on the init system, the rest should be mostly common. Diff from the RFC: - Add archlinux to the mix - Drop /etc/hostname from the clone hook Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

ubuntu containers: use a seccomp filter by default (v2) Blacklist module loading, kexec, and open_by_handle_at (the cause of the not-docker-specific dockerinit mounts namespace escape). This should be applied to all arches, but iiuc stgraber will be doing some reworking of the commonizations which will simplify that, so I'm not doing it here. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

userns: Update bind-mounted devices This updates all configs to include the exact same set of 7 bind-mounted devices: - console - full - null - random - tty - urandom - zero Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

download: Initial template This adds a new template called "download". It's a fairly simple template with a minimal set of dependency which will grab any pre-built image available on https://images.linuxcontainers.org Note that the serverside is still work in progress (missing SSL support). Access is done over https by default with a warning being emitted if fallback to http was required (may be needed for testing, when behind proxy and with private servers). All index files and tarballs are gpg-signed with the default pubkeyid contained in the template itself. The main benefit of this template is to be entirely distribution-agnostic, any template that can be integrated with the server build infrastructure will then work on any LXC machine when using the download template. This template is also compatible with user namespaces and will hopefully help widden the number of distros that may work in unprivileged LXC. This commit also bundles a small change to the template configs to have the ubuntu template (used by the download template) to work with unprivileged LXC. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>