templates: fedora requires openssl binary /usr/share/lxc/templates/lxc-fedora: line 1078: openssl: command not found Signed-off-by: Elan Ruusamäe <glen@delfi.ee>

Fix echo statement inside fedora template We no longer use mirrors.kernel.org. Commit f71e8f4 switched it to archives.fedoraproject.org Signed-off-by: Nehal J Wani <nehaljw.kkd1@gmail.com>

Fix message after {fedora|centos}container creation If the backingstore is not 'dir', then lxc shouldn't ask the user to change the password by performing a 'chroot'. Rather, the user should start, attach, use the passwd command, and then stop the container. Fixes #731 Signed-off-by: Nehal J Wani <nehaljw.kkd1@gmail.com>

Fix Comment inside Fedora Template We no longer use mirrors.kernel.org. Commit f71e8f4 switched it to archives.fedoraproject.org Signed-off-by: Nehal J Wani <nehaljw.kkd1@gmail.com>

lxc-fedora: Default to 22 but use 20 squashfs The Fedora 22 squashfs doesn't appear to work, the Fedora 21 isn't available, so lets use the fedora archive mirror and pull the good old Fedora 20 squashfs. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Default to Fedora 21 as 22 no longer uses yum Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Fix fedora some more Apparently the paths have changed on the rsync server. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Fedora 20 no longer exists on the mirrors Switch to Fedora 22 for now. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

use `hostname` for DHCP_HOSTNAME in ifcfg-eth0 Updated centos/fedora/oracle templates to use `hostname` for DHCP_HOSTNAME in /etc/sysconfig/network/ifcfg-eth0, so the container's host name is propagated to the host's DHCP server (e.g. dnsmasq, which also acts as the DNS server). This resolves lxc/lxd#756 Signed-off-by: Lenz Grimmer <lenz@grimmer.com>

Added container-cache option to templates This change adds in the container-cache option within the mainline default lxc templates. The pupose here is to allow a template to pull from a location that may not be `@LOCALSTATEDIR@/cache/lxc` Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

lxc-fedora: manage secondary architectures URL for packages and LiveOS differs from x86, x86_64 and ARM. This patch allows to select the good mirror URL according to the architecture. Primary architecture: http://mirrors.kernel.org/fedora Secondary architecture: http://mirrors.kernel.org/fedora-secondary The managed secondary architectures are only ppc64 and s390x, the secondary architectures for Fedora 20 (the base of initial bootstrap). Signed-off-by: Laurent Vivier <Laurent@Vivier.EU> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

lxc-{centos|fedora}: Respect --rootfs Close #406 Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

add "--mask-tmp" to lxc-fedora, plus some template script fixes] Hi Michael, do you have any concerns with the attached patch to the fedora template that adds an option --mask-tmp that prevents fedora/systemd from over-mounting /tmp with tmpfs, which is useful in some cases? Thanks - Michael ----- Forwarded message from Michael Adam <obnox@samba.org> ----- Date: Sat, 10 Jan 2015 13:12:06 +0100 From: Michael Adam <obnox@samba.org> To: LXC development mailing-list <lxc-devel@lists.linuxcontainers.org> Subject: Re: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes User-Agent: Mutt/1.5.23 (2014-03-12) On 2015-01-10 at 13:08 +0100, Michael Adam wrote: > On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > > The less controversial one is adding mask-tmp to the fedora template. > > It looks fine to me, but that should go separately to mwarfield, our > > fedora template maintainer :) > > I had notified mhw of my patches on irc, but apparently he is > currently very busy. > > For a start, following is an update of the uncontroversial fix > patches, i.e. the fix patche without the path ones, and without > the mask-tmp patch. And here comes the mask-tmp patch. It needs to be applied onto the previous fix-patchset. From 9589dca113535ed2f4faad89db2fab33bb8a9d7e Mon Sep 17 00:00:00 2001 From: Michael Adam <obnox@samba.org> Date: Thu, 8 Jan 2015 10:25:24 +0100 Subject: [PATCH] lxc-fedora: add a new option --mask-tmp This will configure the container to prevent the standard behaviour of over-mounting /tmp with tmpfs, which can be undesirable in some cases. My personal use case is vagrant-lxc in combination with vagrant-cachier. Signed-off-by: Michael Adam <obnox@samba.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Set kmsg to 0 by default It's now been proven over and over again that the symlink from /dev/kmsg to /dev/console is harmful for everything but upstart systems. As Ubuntu is now switching over to systemd too, lets switch the default. Upstart users wishing to see boot messages can always set lxc.kmsg = 1 manually in their config (so long as they don't expect to then dist-upgrade the container to systemd succesfuly). Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Turn autodev on by default Now that autodev works fine with unprivileged containers and shouldn't come with any side effect, lets turn it on by default. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: let help text fit into 80 columns by breaking and shortening some lines. Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: In fedora21, the fedora-repos package is needed. fedora-release has been split into fedora-release and fedora-repos. Signed-off-by: Michael Adam <obnox@samba.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: when using systemd, set lxc.kmsg = 0 in the config This is to prevent systemd-journald to enter a 100% cpu loop. Signed-off-by: Michael Adam <obnox@samba.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

typofixes - https://github.com/vlajos/misspell_fixer Signed-off-by: Veres Lajos <vlajos@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

templates: switch from arch command to uname -m Signed-off-by: Michael Werner <xaseron@googlemail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

lxc-fedora.in: Correct some systemd target setups. Set the halt.target action to be sigpwr.target. This allows SIGPWR to properly shut the container down from lxc-stop. Renable the systemd-journald.service. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Added lxc.arch to configuration files for CentOS and Fedora Added lxc.arch to the resulting container configuration files to support i686 on x86_64 cross arch containers. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Added root_password_expired password control tuning knob. Added the environment variable "root_password_expired" to control if the initial, temporary, root password is initially set up as "expired". If set to "yes" (default), the root password is set as "expired" and the user must change it at first login. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Support SIGPWR in Fedora and Centos containers. Added code to catch SIGPWR for Upstart in Fedora and CentOS containers as well as for Systemd in Fedora containers. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Set timezone for new container if not previously defined. If the container does not already contain an /etc/localtime timezone definition, then copy a definition from the host to the container. This is often a symlink to an appropriate system timezone definition files and is presumed to exist in Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Fix arch cross-build when running distro cross-build. Corner case existed when building a cross-arch container (i686 on x86_64) on a cross-distro host (Fedora container on Ubuntu host). Fixed the arch "fixup" code to do the right thing when running from the bootstrap. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

templates: Fix bashisms in common code Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

templates: Make sure usual locations are in PATH Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

templates: improve refusing to run unprivileged For all templates except lxc-ubuntu-cloud and lxc-download, detect not only --mapped-uid but also --mapped-gid and error out. Detecting will not be done after -- parameter because of non-option parameters. Also, change the mode of lxc-archlinux.in 100755 to 100644. Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

templates: Refuse to run unprivileged Only the download and ubuntu-cloud templates work with unprivileged containers, for all others, detect --mapped-uid and error out as early as possible, recommending the use of the download template. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Update CentOS and Fedora templates to support archtectures option. Added code to the CentOS and Fedora templates so that x86 32 bit containers may be built on x86_64 platforms. Like archectectures may also be trivially used as well. Option added is "-a {arch}". Additionally cleaned up some bash specific logic. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update Fedora and CentOS templates for common conf includes. This updates the Fedora and CentOS templates to utilize a common included config. This is largely based on the changes in the Oracle template with some exceptions. Dropping of setpcap (present in the Oracle template) is commented out in the Fedora template. It seems to cause problems, such as large login delays with Fedora 20 containers (but not Fedora 19 - strange). The Fedora template is further modified to disable systemd-journald.service as it is unnecessary in a container and causes serious problems when running in a Fedora 20 container. The Fedora template is also updated to default to Fedora 20 when running on a non-Fedora host. Regards, Mike Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Modify lxc-fedora and lxc-centos for multiple issues... This is a reissue of two previous patches along with some additional changes for hardening the root password process based on discussions on-list. -- This patch modifies the lxc-fedora and lxc-centos templates for 3 things. 1) Extensively modifies root password generation, storage, and management based on discussions on the devel list. Root passwords are hardened and have advanced configurability. A static password may be provided. A password based on a template may be generated, including ${RANDOM}. A password may be generated through mktmp using a template with X's. Root passwords default to expired, initially. Passwords may optionally be echoed to stdout at container creation. (no) Passwords may optionally be stored in ${rootfs_path}/tmp_root_pass. (yes) Users may be optionally forced to change the password at creation time. (no) Default is to generate a pattern based password and store, no force change. All of this may be overridden by environment variables through conditional assignment. 2) Random static hardware addresses are generated for all configured interfaces. 3) Add code to create sysv init style scripts to intercept shutdown and reboot to prevent init restart and hang for CentOS and legacy Fedora systems on shutdown, reboot, init 0, and init 6. This solves a variety of hang conditions but only affects newly created containers. Does not have any impact on systemd based containers. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Additional logic for dealing with container shutdown / reboot Additional logic for dealing with container shutdown / reboot Fix a problem with CentOS containers and legacy Fedora (<16) containers not shutting down or rebooting properly. Copy /etc/init.d/halt to /etc/init.d/lxc-halt, deleting everything from the "hwclock save" and all after and append a force halt or reboot at the end of the new script, to prevent reexecing init. Link that script in as S00lxc-halt in rc0.d and S00lxc-reboot in rc6.d to intercept the shutdown process before it gets to S01halt / S01reboot causing the hang. Fixed some typos in the CentOS template that were introduced in the previous patch for hwaddr settings and missed in regression testing. Cleaned up some instruction typos and tabs from previous patch. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Fix version checking typos in Fedora template. Backported typo fixes from CentOS template back to Fedora Template Bumped default rev from Fedora 18 to Fedora 19 Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

lxc-fedora: Fixes for selinux and pam_loginuid.so Just some additional catches for disabling selinux and pam_loginuid.so thanks to Dwight Engen and the Oracle template. Also add ssh and ssh-server to the default installation. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Fix stupid architecture error. From 38cfabdbe0e46f5a0ed20687fcda48424b4a7b6d Mon Sep 17 00:00:00 2001 From: "Michael H. Warfield" <mhw@WittsEnd.com> Date: Mon, 25 Nov 2013 10:34:48 -0500 Subject: [PATCH 1/2] Fix stupid architecture error. Organization: Thaumaturgy & Speculums Technology Fix stupid architecture error. Stupid error and I did it! Fixed hard coded x86_64 in several spots. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

use awk, instead of 'grep | awk' Signed-off-by: Elan Ruusamäe <glen@delfi.ee> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

templates/lxc-fedora Network startup w/o Network Manager This patches the Fedora template to insure that the legacy network startup scripts are enabled when NetworkManager has not been installed in the container (default). It also fixes a login problem with pam_loginuid.so in a container. https://bugzilla.redhat.com/show_bug.cgi?id=966807 Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> -- Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

trivial: remove trailing whitespce from lxc-fedora Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: remove 4:0 and 4:1 from devices whitelist They are the real /dev/tty{0,1}, which are physical consoles. Lxc bind-mounts over them. Don't let the container use these! Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

templates/lxc-fedora Rework for distro independence. This patch reworks the Fedora template to operate in the most "distro agnostic" manner possible. It should even run on distros where rpm and yum are not present and not available or may be incompatible. It depends on the most basic set of system facilities like rsync but does require squashfs support also be available to mount a LiveOS runtime. Based on comments at Linux Plumbers, what I had been referring to as a "run time environment" or RTE has been renamed in the code to refer to it as a "bootstrap". It has been tested on Fedora (of course), OpenSuse, Ubuntu, and Oracle (latest host versions of each) building Fedora containers of F19 back through F9. Varying levels of database problems were encountered from F11 and back and are "will not fix" due to versions being long EOL. F15 and F16 build but do not run "out of the box" due to systemd version issues and those are also "will not fix" for the same reasons. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora: Show usage when no name is passed Reported-by: Anatoly Techtonik Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

fedora: Use consistent tab/space indent Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Update lxc-fedora.in Fedora 19's release has no -1 revision; it's a -2 revision actually: ftp://mirrors.kernel.org/fedora/releases/19/Fedora/x86_64/os/Packages/f/ Signed-off-by: Renich Bon Ciric <renich@woralelandia.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

licensing: Add missing headers and FSF address Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

fedora: Add missing double-quotes. Reported-by: tlc Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

lxc-fedrora: New patch for systemd detection and init configuration. Satoshi Matsumoto certainly had the right idea and in spotting a bug in the lxc-fedora template for systemd detection. Heart was in the right spot but patch was not what we needed. I've looked the patch code over for systemd support and init/upstart support and modified the logic appropriately. If /etc/systemd/system exists, we'll do the right thing by systemd. If /etc/rc.sysinit exists, we'll do the right thing by init / upstart. If both are installed, we'll trying and accommodate both in case someone is playing games with the two (I've done this). Patch was trivial, just took more time to actually test it and create some containers with it and verify them, than it did to code them. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora template - Fix retries, use os-release for release, add utsname. Hey all! Patch for the Fedora template. Several things... 1) A month or so ago, I floated an idea of adding an option for utsname which Serge seemed to like but we let it float for more feedback (none came). 2) In private mail to Serge and Stéphane I mentioned the idea of using the CPE (Common Platform Enumeration) for host distro and version identification. I heard back from Serge but not Stéphane. CPE is a standard promoted by NIST and Mitre (along with CVE and CVSS) as part of the security community as a common identification mechanism. It's supported by RedHat based distros and many others (notable exception Ubuntu). I've patched the Fedora template to parse first the /etc/os-release file or, alternatively, the /etc/system-release-cpe file for the distro ID and version instead of the human readable /etc/redhat-release. There's more that can be done with that in the realm of cross distro container builds, I suspect. 3) At the time of working on 1&2 I noticed that the retry logic in the Fedora template just didn't seem right. I believe I posted a message asking for clarification on that behavior. A recently post in the -users list indicating that someone could not create a Fedora 19 container (because the release ver string was 19-2 and the template was only looking for -1) prompted me to rework the retry logic for handling the mirror list and servers as well as revamp the download logic to properly identify the correct release package. The patch for all of the above is attached below the jump. It's been tested on Fedora 17 through Fedora 19 hosts and has created containers for F11, F12, F13, F14, F16, F17, F18, and F19. F15 failed for rpm dependency issues that are not worth fixing (IMHO). Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! -- Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Move container creation fully into the api 1. implement bdev->create: python and lua: send NULL for bdevtype and bdevspecs. They'll want to be updated to pass those in in a way that makes sense, but I can't think about that right now. 2. templates: pass --rootfs If the container is backed by a device which must be mounted (i.e. lvm) then pass the actual rootfs mount destination to the templates. Note that the lxc.rootfs can be a mounted block device. The template should actually be installing the rootfs under the path where the lxc.rootfs is *mounted*. Still, some people like to run templates by hand and assume purely directory backed containers, so continue to support that use case (i.e. if no --rootfs is listed). Make sure the templates don't re-write lxc.rootfs if it is already in the config. (Most were already checking for that) 3. Replace lxc-create script with lxc_create.c program. Changelog: May 24: when creating a container, create $lxcpath/$name/partial, and flock it. When done, close that file and unlink it. In lxc_container_new() and lxcapi_start(), check for this file. If it is locked, create is ongoing. If it exists but is not locked, create() was killed - remove the container. May 24: dont disk-lock during lxcapi_create. The partial lock is sufficient. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora template. Cleanup for rootfs. This is just some minor changes in the way the Fedora template is synthesizing the target rootfs_path. Currently, the template uses a path with the container in it twice like this: /var/lib/lxc/rasputin/rasputin/rootfs This happens because the container name is already contained in the "path" and the template appends it a second time. This changes the logic to be congruent with other templates such as lxc-arch. The new behavior will be to create the rootfs like this: /var/lib/lxc/rasputin/rootfs Attached below the jump. Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! -- Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora template - systemd console gettys Hey all... Patch to the lxc-fedora template to setup gettys on the ttys that are enabled in the configuration. The area of the code already had some modifications to that service that didn't seem to do anything and would get wiped out by an update. I commented that out but subsumed the change it was attempting into my command in case it does something on another rev somewhere. This is very similar to the logic in the OpenSuse template but doesn't seem to appear in other templates, such as arch, which have to deal with systemd. This isn't unique to Fedora. The templates for Fedora, ArchLinux, and OpenSuse are the only three that seem to have any reference to systemd at all. Attached below the jump. Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! -- Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-fedora-template: autodev, hostname, ARM archs, Raspberry Pi fixes This took a lot longer for me to get around to it... Sorry. Patch to the lxc-fedora template. I didn't get any further comments from my earlier proposal, weeks ago, and did get one addition based on comments about properly setting the hostname in /etc/hostname, which I've added. I could have broken them into separate patches but most are pretty small and minor. Changes: * Map armv6l and armv7l architectures to "arm" for yum and repos to function properly. * Detect Fedora Remix distros with no "/etc/fedora-release" file (Raspberry Pi) and find proper release versions when "remix" part of the file context. * Change default Fedora container on non-Fedora hosts to Fedora 17. * Added code for autodev for Fedora systemd containers. * Added code to set /etc/hostname for Fedora > 14 (systemd). * Fix a few typos. Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! -- Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

templates: deny writes to host's clock (v2) Don't allow write to /dev/rtc0, and remove sys_time. Thanks, Christoph. v2: drop sys_time, sys_module, mac_admin and mac_override in all templates. Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Use "uname -m" instead of "arch" According to "arch"'s manpage, it's identical to "uname -m". Some distros ship uname but don't ship arch, however all distros ship uname, therefore it makes sense to use "uname -m" whenever possible. Signed-off-by: Christian Bühler <christian@cbuehler.de> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

fixed RELEASE_URL for fedora releases higher than 16 The Url for the fedora-release RPM changed in release 17. Signed-off-by: Maximilian Seesslen <mes@seesslen.net> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

templates: Consistent use of locking Move to per-template lock (except for oracle that's per-container). Also ensure that the path used for the lock is relative to LOCALSTATEDIR. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Update for consistent indent This commit updates all scripts using mixed indent to a consistent 4 spaces indent. In the past quite a few of those scripts used tabs to instead of 8 spaces or instead of 4 spaces, sometimes mixing those in the same line and sometimes changing the tab width within the same file. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

templates: Make generated config consistent This updates all the templates and the configuration files to consistently use "key = value" everywhere. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Use LXCPATH and LOCALSTATEDIR instead of hardcoded /var Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

templates: use hardlink detection in rsync I'm not sure whether we want this: is -H ubiquitous? Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Dwight Engen <dwight.engen@oracle.com>

lxc-create: Make location of container rootfs configurable Make 'dir' an explicit backing store type, which accepts '--dir rootfs' as an option to specify a custom location for the container rootfs. Also update lxc-destroy to now remove the rootfs separately, as removing @LXCPATH@/$name may not hit it. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

display warning when yum missing in fedora template This early exit is preventing the warning message that follows it from being shown. Signed-off-by: Dwight Engen <dwight.engen@oracle.com>

Various fedora template improvements 1. don't add network segment to config 2. check for 'curl' 3. don't add $name to $path, it's already in there 4. don't add devpts to fstab, that's wrong. 5. $UTSNAME doesn't exist 6. set root pwd to root instead of rooter. 7. install fedora-release package. 8. add a console on /dev/console. 9. create empty fstab 10. don't mount devpts in rc.sysinit. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Add lxc.aa_profile example to all templates LXC has optional apparmor support, default profile is lxc-container-default. This change adds a commented "lxc.aa_profile = default" line to all templates, uncommenting this will bypass apparmor for the container. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

templates: don't fail on busy flock Just wait until the lock is available. That is a nicer behavior for concurrent lxc-creates. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

templates: use relative paths when creating containers At the same time, allow lxc.mount.entry to specify an absolute target path relative to /var/lib/lxc/CN/rootfs, even if rootfs is a blockdev. Otherwise all such entries are ignored for blockdev-backed containers. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

fix cached rootfs update* fix rootfs path* add handling of systemd Signed-off-by: InformatiQ <rhanna@informatiq.org> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

lxc-fedora.in: Fix fetching of the fedora-release rpm The hardcoded URL seems to be broken and 404 error was not checked. Now the mirror is selected from mirrorlist (instead of hardcoding to funet.fi) and fetch errors are checked. Also added a retry loop (with 3 tries) to find a working mirror, since some of the mirrors are not OK. Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

lxc-fedora.in: Use i386 instead of i686 There is no i686 variant of Fedora, but Ubuntu seems to return i686 from the arch command. Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

lxc-fedora.in: Add missing default release variable The text says that 14 is default, but release=14 was not set anywhere in the script. Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

remove the check for container path as it's done in lxc-create Signed-off-by: InformatiQ <rhanna@informatiq.org> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

lxc-fedora.in * if not running on fedora host amd -R is not set, use fedora 14 as default * trap SIGHUP SIGINT SIGTERM, and cleanup before exiting Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

fix for missing EOF and fstab contents templates/lxc-fedora.in | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

fix RELEAE_URL to not hardcode the arch Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

working fedora template Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

templates: don't put devpts in $confdir/container/fstab src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab entry, which is getting processed first, did not specify -o newinstance. This can cause the host's devpts entry mount options to change, as in https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636. Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

update the fedora template Update the fedora template in order to call it from the lxc-create script. Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

move script templates to an adequate place At present the lxc-{template} scripts are installed in the $bindir. This is not the right place as specified by the FHS, so they go to $libdir/lxc/templates. Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>