94b8d2829edae0dbfd8c1a626f92f764c9df63ec |
|
09-May-2017 |
Nikolay Martynov <(none)> |
Change sshd template to work with Ubuntu 17.04
A few things have changed and this patch makes container generated for sshd work in Ubuntu
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> |
7e8aa95e439761d21c8667e503522a21b027a376 |
|
21-Feb-2016 |
Nikolay Martynov <mar.kolya@gmail.com> |
Fix sshd template on systems with systemd
Systems with systemd have /sbin/init as a symlink pointing to real init.
Sshd template tries to bind-mount special init implementation.
The problem is that one cannot bind-mount to a location that is a symlink.
Fix this by dereferencing /sbin/init symlink and using that as bind-mount location.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> |
f24a52d5f588ff4e4575046903fb9498c376d833 |
|
29-Jan-2015 |
Stéphane Graber <stgraber@ubuntu.com> |
Use consistent /proc, /sys and /sys/fs/cgroup (v2)
- Implements mixed mode for /sys where it's mounted read-only but with
/sys/devices/virtual/net/ writable.
- Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
templates.
- Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
- Get rid of the fstab file by default, using lxc.mount.entry instead.
- Set sys:mixed as the default for "sys". sys:mixed is slightly more
permissive than sys:ro so this shouldn't be a problem.
The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.
v2 changes:
- Fix the mount list, don't specify a source for the remount.
- Update the documentation.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
d89de2399ce0e6c213a742c246574f2ca0afad0d |
|
21-Jan-2015 |
Stéphane Graber <stgraber@ubuntu.com> |
Set kmsg to 0 by default
It's now been proven over and over again that the symlink from /dev/kmsg
to /dev/console is harmful for everything but upstart systems. As Ubuntu
is now switching over to systemd too, let's switch the default.
Upstart users wishing to see boot messages can always set lxc.kmsg = 1
manually in their config (so long as they don't expect to then
dist-upgrade the container to systemd successfully).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
b78b2e23a17cdf59d057201508c1f0a90afb7e9e |
|
08-Aug-2014 |
Nikolay Martynov <mar.kolya@gmail.com> |
ssh: send hostname to dhcp server
Send container's hostname to dhcp server when getting ip address.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
8a2fdf50ad3e771032476b1d0d65aa1cb44ee999 |
|
01-May-2014 |
Nikolay Martynov <mar.kolya@gmail.com> |
use correct lxc-init path in sshd template
lxc-init got moved into SBINDIR/init.lxc recently.
This broke sshd template because path wasn't updated there.
This patch should fix this issue.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
96283b546081e7ff709968378fca25cb44f1ab6c |
|
19-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Fix bashisms in common code
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
207bf0e475f1dc6e9a2dac2cee3a209b56427855 |
|
06-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Make sure usual locations are in PATH
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
c63c04fcaf1c3a78c70500eae253d72fa9c8358a |
|
06-Feb-2014 |
TAMUKI Shoichi <tamuki@linet.gr.jp> |
templates: improve refusing to run unprivileged
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
8ec981fc8b0105da5f071e40811e0c2472a6c3c9 |
|
04-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Refuse to run unprivileged
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
17abf2784de1047fb2904ff130ee5efe4ea7b598 |
|
14-Jan-2014 |
Elan Ruusamäe <glen@delfi.ee> |
handle simple bashisms:
- [[ ]] -> [ ]
- == -> =
- source -> .
- redirect of fd 200 is error in mksh, use fd 9
- &> /dev/null -> > /dev/null 2>&1
- useless function keyword
- echo -e -> printf
still left bash shebang which did not validate with checkbashism, mostly
due to 'type' being reported as bashism
Signed-Off-By: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
f4d5cc8e1f39d132b61e110674528cac727ae0e2 |
|
19-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
sshd: Don't bind-mount /sbin/init read-write
lxc-sshd was mounting itself (the template script) as /sbin/init in the
container using a writable bind-mount.
This shouldn't be needed and could lead to quite a few problems should
one of those containers overwrite /sbin/init for some reason.
Instead simply move to a read-only bind-mount which should prevent any
accidental damage.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
c01c25fcdd1e0cacad8075bcfcef4c8e8d4b8cb6 |
|
25-Nov-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
Tab/spaces consistency for templates
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
853d58fdf5af0960b7b6edc9dea0fadddb8535f1 |
|
25-Nov-2013 |
Elan Ruusamäe <glen@delfi.ee> |
use awk, instead of 'grep | awk'
Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
250b1eec71b074acdff1c5f6b5a1f0d7d2c20b77 |
|
03-Sep-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
licensing: Add missing headers and FSF address
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
18efb001a4498f8fc62ab37f1db552fdf001e798 |
|
08-Jul-2013 |
Dwight Engen <dwight.engen@oracle.com> |
fix sshd template
Commit a0a2066d introduced an lxc subdir into the lxc-init path, but
this was never reflected in the sshd template. Add it there.
Don't have ssh-keygen ask for passphrase since host keys are not
supposed to use them.
Don't try to symlink kmsg since /dev is bind mounted readonly.
Read-only bind mount some extra /etc directories, and sysfs which are
needed by dhclient on Fedora and Oracle Linux. Fix mounting of /proc.
Find sshd in more places by adding some common paths to $PATH, and
use the found path to it instead of hardcoded /usr/sbin.
Check for ifconfig command, and print out container's IP address.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
1897e3bcd36af9f3fe6d3649910a9adb93e5e988 |
|
26-May-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Move container creation fully into the api
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: don't disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
eee3ba81c88e64b8a732694fc4843a39d5bde491 |
|
01-May-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
templates: deny writes to host's clock (v2)
Don't allow write to /dev/rtc0, and remove sys_time.
Thanks, Christoph.
v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.
Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
14d9c0f09d1a55d124ef210a4b4e205c9fe7596c |
|
06-Dec-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Update for consistent indent
This commit updates all scripts using mixed indent to a consistent
4 spaces indent.
In the past quite a few of those scripts used tabs instead of 8 spaces or
instead of 4 spaces, sometimes mixing those in the same line and sometimes
changing the tab width within the same file.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
eba7df9ee0a1963984ef212e7ddfc0e0835af288 |
|
06-Dec-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Make generated config consistent
This updates all the templates and the configuration files to consistently
use "key = value" everywhere.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
ca0a33644ae47b802ce2ae7a96af70806e7266fe |
|
14-Nov-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ssh: fix message about ssh key insertion
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
1881820ae4ff9004beef1bf7f04553580840441d |
|
12-Nov-2012 |
Serge Hallyn <serge.halyn@ubuntu.com> |
lxc-create: Make location of container rootfs configurable
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs. Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
337e14712e2bf568db73dd57c709b3364e26d798 |
|
25-Oct-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
sshd: run dhclient; allow adding a root ssh key
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
f02ce27d4b1a9d01b88d0ffaf626e5bafa671bf0 |
|
25-Oct-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Add lxc.aa_profile example to all templates
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
80a881b232b8955b85b360d4def99e6e680ff61b |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
templates: use relative paths when creating containers
At the same time, allow lxc.mount.entry to specify an absolute target
path relative to /var/lib/lxc/CN/rootfs, even if rootfs is a blockdev.
Otherwise all such entries are ignored for blockdev-backed containers.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
b91b1cd79c1857a8aa5f329415cb23175b959cc1 |
|
24-Oct-2011 |
Serge E. Hallyn <serge.hallyn@canonical.com> |
Let sshd template work on ubuntu systems.
/dev/shm is a symlink to /run/shm, so we need /run/shm
to exist in the container rootfs. Also, /dev/mqueue does
not exist on the host, and can't be created by the container.
But we don't really need it so ignore that.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
70e279574cd07e743d1f6e498d569add3fa6a7de |
|
17-Jun-2010 |
Daniel Lezcano <daniel.lezcano@fr.ibm.com> |
fix sshd template
Fixed the sshd template example.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
0830689d862752819db9552b2ba8ef58fe7cafaa |
|
16-Jun-2010 |
Panagiotis H.M. Issaris <panagiotis@gmail.com> |
Forgotten @LIBEXECDIR@ replacement
Forgotten part of commit d674be08d4b282bb4717c51440811e39d3c2431e
Signed-off-by: Panagiotis H.M. Issaris <takis@issaris.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
c01d62f21b21ba6c2b8b78ab3c2b37cc8f8fd265 |
|
07-Jun-2010 |
Daniel Lezcano <dlezcano@fr.ibm.com> |
move script templates to an adequate place
At present the lxc-{template} scripts are installed in the $bindir.
This is not the right place as specified by the FHS, so they go to
$libdir/lxc/templates.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |