ec9be825c17e8bc8de609c1ede70fa4090fda190 |
|
09-May-2017 |
Evgeni Golov <evgeni@golov.de> |
precise is not the latest LTS, let's use xenial instead |
9e747ddb9f532c366ecc5a2109aa6147f3ec8013 |
|
26-Oct-2016 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Fix package upgrades requiring proc
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
b27223f1b9d1afa5703131c72cf0c35b0c27f997 |
|
14-Jun-2016 |
Jesse Pretorius <jesse.pretorius@rackspace.co.uk> |
Move apt-transport-https to global packages_template
In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.
When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.
When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time. It seems more
intuitive to me to have the package installed by default.
Commit 396f75abb3d319adc7d871b94b08bc6bb9c49585 added the package
to the minbase variant, but this variant is not used by the download
template build process. The build process instead specifies no
variant, so this patch moves the package from the packages_template
package list in the minbase variant to the global packages_template
package list, ensuring that this package is included in all Ubuntu
build images that use the lxc-ubuntu template.
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk> |
6897137846ebeb1a0b1ee1b1d76fddf8b71024cc |
|
11-May-2016 |
Jesse Pretorius <jesse.pretorius@rackspace.co.uk> |
Add apt-transport-https to minbase variant packages_template
In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.
When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.
When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time.
It seems more intuitive to me to have the package installed by
default. This patch includes the required package for the minbase
variant only as this is the default.
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk> |
aec6a20578095967baa4dc5095a95098824f013e |
|
30-Mar-2016 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu: Fix building on secondary architectures
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
8bc8fd9a2c50798f9555804ae186a5f35586680d |
|
26-Mar-2016 |
Evgeni Golov <evgeni@debian.org> |
always provide a default mirror for debootstrapping Ubuntu
debootstrap sometimes selects the wrong mirror due to [1]
[1] https://bugs.debian.org/819300
Signed-off-by: Evgeni Golov <evgeni@debian.org> |
f8f9b715f92ebc8f8e49837855174af641ac4bbc |
|
20-Jan-2016 |
Vaidas Kascėnas <vaidas@kascenas.lt> |
Update lxc-ubuntu.in
Updated as per request in #740
Signed-off-by: Vaidas Kascėnas vaidas@kascenas.lt |
88753f7abfe702d2e2a1a4e3f3ed0f7c0a48415f |
|
06-Jan-2016 |
Vaidas Kascėnas <vaidas@kascenas.lt> |
Update lxc-ubuntu.in
Updated as per request in https://github.com/lxc/lxc/pull/740#discussion-diff-48759756
Signed-off-by: Vaidas Kascėnas vaidas@kascenas.lt |
9d95ca97415af1f91e1e52d90032353f176d73ba |
|
24-Dec-2015 |
Vaidas Kascėnas <vaidas@kascenas.lt> |
Optional template parameter -v|--variant tells debootstrap which variant script to use.
Signed-off-by: Vaidas Kascėnas <vaidas@kascenas.lt> |
6dc6f80bfd7cb169948f2ef9a95dcf6d2edee853 |
|
11-Jun-2015 |
Kevin Carter <kevin.carter@rackspace.com> |
Added container-cache option to templates
This change adds in the container-cache option within the mainline
default lxc templates. The purpose here is to allow a template to
pull from a location that may not be `@LOCALSTATEDIR@/cache/lxc`
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com> |
ae0aeadeaab6b2535952dd699efdf889c4f7464f |
|
30-Jan-2015 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Drop lucid support and refresh releases list
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
f24a52d5f588ff4e4575046903fb9498c376d833 |
|
29-Jan-2015 |
Stéphane Graber <stgraber@ubuntu.com> |
Use consistent /proc, /sys and /sys/fs/cgroup (v2)
- Implements mixed mode for /sys where it's mounted read-only but with
/sys/devices/virtual/net/ writable.
- Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
templates.
- Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
- Get rid of the fstab file by default, using lxc.mount.entry instead.
- Set sys:mixed as the default for "sys". sys:mixed is slightly more
permissive than sys:ro so this shouldn't be a problem.
The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.
v2 changes:
- Fix the mount list, don't specify a source for the remount.
- Update the documentation.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
df7216f664570dd6fb4b013e7aef802ac47da2af |
|
27-Oct-2014 |
Simon Deziel <simon.deziel@gmail.com> |
Create the apt proxy in the cache instead of the 1st container
This addresses https://github.com/lxc/lxc/issues/280.
Signed-off-by: Simon Deziel <simon@sdeziel.info>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
206a255e17ab51f7fde49da0c286492398233167 |
|
16-Aug-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Check that btrfs is actually available
Before calling btrfs and playing with subvolumes, let's make sure the
btrfs command is available.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
68c36a303f402b52f94067d3da7b168e274001a7 |
|
08-Aug-2014 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu templates: don't check for $rootfs/run/shm
/dev/shm must be turned from a directory into a symlink to /run/shm.
The templates do this only if they find -d $rootfs/run/shm. Since /run
will be a tmpfs, checking for it in the rootfs is silly. It also is
currently broken as ubuntu cloud images have an empty /run.
(this should fix https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1353734)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
04cda6d1d34e89ab5e27fdb39d3028cac6faecc4 |
|
29-Jul-2014 |
Trần Ngọc Quân <vnwildman@gmail.com> |
add help string for ubuntu template
Signed-off-by: Trần Ngọc Quân <vnwildman@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
5652d61020bf11fff802fe349cddb448d2c5629d |
|
07-Jul-2014 |
José Martínez <xosemp@gmail.com> |
lxc-ubuntu: update coding style
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
b6e07af7c255f3650edc8ce3f83b6af7e5c02f66 |
|
07-Jul-2014 |
José Martínez <xosemp@gmail.com> |
lxc-ubuntu: fix btrfs when rootfs == realrootfs
Fix btrfs support when lxc-create does not bind-mount the rootfs.
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
654bf1af09afff2463d9eddddd2b41c8b8dddad4 |
|
17-Jun-2014 |
José Martínez <xosemp@gmail.com> |
lxc-ubuntu: use btrfs subvolumes and snapshots
Try to create the cache rootfs as a btrfs subvolume, and use btrfs
snapshots to copy the rootfs if btrfs is selected as backing store.
Signed-off-by: José Martínez <xosemp@gmail.com> |
96283b546081e7ff709968378fca25cb44f1ab6c |
|
19-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Fix bashisms in common code
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
207bf0e475f1dc6e9a2dac2cee3a209b56427855 |
|
06-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Make sure usual locations are in PATH
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
c63c04fcaf1c3a78c70500eae253d72fa9c8358a |
|
06-Feb-2014 |
TAMUKI Shoichi <tamuki@linet.gr.jp> |
templates: improve refusing to run unprivileged
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
8ec981fc8b0105da5f071e40811e0c2472a6c3c9 |
|
04-Feb-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Refuse to run unprivileged
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
8a3c76b24d73ab8a830035e7a66400e2cc2e8334 |
|
29-Jan-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu/ubuntu-cloud: Add support for arm64 and ppc64el
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
3fefd6e6d5bdd38a0e29587896b9b8bb6db6af2e |
|
16-Jan-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Don't fail on invalid locale
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
07219a02df818cf5bb763622aec4b0972930a42d |
|
15-Jan-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Fix path to openssh-server's postinst
The path isn't relative to @LOCALSTATEDIR@
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
4213a747e8f2f953114be798bab0e2bf11da4563 |
|
14-Jan-2014 |
Chris Glass <tribaal@gmail.com> |
Make ubuntu templates squid-deb-proxy-client aware
This makes the ubuntu and ubuntu-cloud templates automatically aware of apt
proxy settings when the LXC host has "squid-deb-proxy-client" installed. This
makes installations *much* faster when a suitable squid-deb-proxy is
found on the network (or installed on the host).
Signed-off-by: Chris Glass <tribaal@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
17abf2784de1047fb2904ff130ee5efe4ea7b598 |
|
14-Jan-2014 |
Elan Ruusamäe <glen@delfi.ee> |
handle simple bashisms:
- [[ ]] -> [ ]
- == -> =
- source -> .
- redirect of fd 200 is error in mksh, use fd 9
- &> /dev/null -> > /dev/null 2>&1
- useless function keyword
- echo -e -> printf
still left bash shebang which did not validate with checkbashism, mostly
due to 'type' being reported as bashism
Signed-Off-By: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
3f5f5d99b0ea1c204699b13d4a0caf4d9e745449 |
|
13-Jan-2014 |
Stéphane Graber <stgraber@ubuntu.com> |
Fix some typos
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
e8eab8b6d4dc835036f7a4d7b99ce6dff99f4aa6 |
|
13-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Fix initial container creation
The list of packages must be comma separated, not space separated.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
d2305c4cde1676c606d1d50a0202821bdc8e7d24 |
|
11-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Make vim part of base template
This moves vim back to the default list of packages, drops the duplicate
ssh entry which means that unless extra packages are passed through
--packages, container creation won't invoke apt-get anymore.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
802f869f4096b1be3d8c4d8615788e6817bb5d14 |
|
09-Dec-2013 |
S.Çağlar Onur <caglar@10ur.org> |
use $LOCALSTATEDIR/lock/subsys/lxc-ubuntu$release as lock filename
Otherwise one cannot create two containers with different releases
(let's say saucy [cached] and raring [not cached]) if both are not
cached on the local filesystem already. The lock blocks cached
one to move forward until not cached one finishes its downloads.
Fix that by separating locks using release names
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172 |
|
06-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
Move some common Ubuntu config
This introduces a new /usr/share/lxc/config directory containing common
configuration snippets.
The two Ubuntu templates are then simplified to just include the
relevant entries avoiding a whole lot of hardcoded cgroup, capabilities
and mount points configuration.
An extra comment is also added at the top of all generated configuration
files telling the user to look at lxc.conf(5) for more information.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
c5d32181c550f75ef83f13ba1ca2eff3997b3621 |
|
03-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu: Replace the hostname in ssh pubkey
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3 |
|
02-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
Some tweak on previous change (timezone)
This adds the same code to the Debian-based templates (Ubuntu and Ubuntu
Cloud) and also avoids a needless fork.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
5ff337745e4a705293b056ab58f6ea7a92cabbc8 |
|
02-Dec-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Actually attempt to remove /dev/shm
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
7ed86e448617d8c1216f6e642767426769e5343e |
|
28-Nov-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Fix regression in post-process
The recent reorg of lxc-ubuntu introduced some package installation in
post-process but without first disabling service startup.
As a result, if the cache is a bit out of date and a ssh update is
available, post-process will apply that update (as it does apt-get
install ssh vim) which in turn will attempt to start sshd. This will
either lead to ssh on the host being restarted or if there's no sshd on
the host, will fail the container creation as the postinst will get an
error from upstart.
The fix is very simply to add the same policy-rc.d trick when running
post-process.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
8cd80b50efe2107ac351bfd0285050dd183398e7 |
|
25-Nov-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
Convert all files to utf-8
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
703d065d5285fc744bf4f902d002f90387544de5 |
|
25-Nov-2013 |
Guilhem Lettron <guilhem.lettron@optiflows.com> |
lxc-ubuntu: Factorize @LOCALSTATEDIR@ variable
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
5eb28ae492ee7417c458695e410e6d3a526c56e1 |
|
25-Nov-2013 |
Guilhem Lettron <guilhem.lettron@optiflows.com> |
lxc-ubuntu: Add mirror and security-mirror options
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
28b62856dbda6353adbb1b0e291e3c5c06afe6f4 |
|
25-Nov-2013 |
Guilhem Lettron <guilhem.lettron@optiflows.com> |
lxc-ubuntu: Move package install to post-process
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
2004e7da82b743490692e654449c8300b4b300bc |
|
25-Nov-2013 |
Guilhem Lettron <guilhem.lettron@optiflows.com> |
lxc-ubuntu: Add extra options
This adds support for "packages", "user" and "password"
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
853d58fdf5af0960b7b6edc9dea0fadddb8535f1 |
|
25-Nov-2013 |
Elan Ruusamäe <glen@delfi.ee> |
use awk, instead of 'grep | awk'
Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
d59feca3be9651b0ec38a57a8614cc2f3c51ca45 |
|
12-Nov-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu*: Mark non-essential mounts optional
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
2ef89d565c9c8dd79f99ef0d085b924b2ac92951 |
|
04-Oct-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu: Remove trim option
Container trimming is a bad idea in general, Ubuntu since 12.04 allows
standard systems to run in containers and we've got separate code to
deal with 10.04, so let's just drop trim.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
4d7bcfb638c5c4907e8539aa09d41bb1de08a097 |
|
16-Sep-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu templates: make pstore fstab entry optional
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
84bce17b8bc5c69e8dce03457a5f7859e0b46940 |
|
13-Sep-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
add pstore to container fstab
Otherwise user-namespace containers will hang on mountall.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
d08c3aaebca1ccc47f1f14dcd6fbca39953f8dda |
|
03-Sep-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: iproute is now called iproute2
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
acbb59f50d5196facde837ea377f70e98ce1e6f8 |
|
30-Aug-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
fix license text in ubuntu and ubuntu-cloud templates
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
6f259716e75552cf46ee5125bdbd21e34456d0c0 |
|
17-Jul-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu templates: add some kernel filesystems to container fstab
The debugfs, fusectl, and securityfs may not be mounted inside a
non-init userns. But mountall hangs waiting for them to be
mounted. So just pre-mount them using $lxcpath/$name/fstab as
bind mounts, which will prevent mountall from trying to mount
them.
If the kernel doesn't provide them, then the bind mount failure
will be ignored, and mountall in the container will proceed
without the mount since it is 'optional'. But without these
bind mounts, starting a container inside a user namespace
hangs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
9313e1e628160ca64f9e7fcec6500056c9a0725f |
|
10-Jul-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Tweak layout of the config
Just add an extra white line to both templates.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
6cda3f5ac1e3a20a97a419923e587d6bdb1fece9 |
|
08-Jul-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Fix openssh postinst call in >= saucy
The new openssh uses a different mechanism to start/stop the daemon
which in turn requires a few tweaks in our template to deal with both
the new and old ways of doing that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
1897e3bcd36af9f3fe6d3649910a9adb93e5e988 |
|
26-May-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Move container creation fully into the api
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: don't disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
b85ab7989ebe24629267048cb269b278eeb50490 |
|
02-May-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu templates: add comments to show how to enable nesting
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
eee3ba81c88e64b8a732694fc4843a39d5bde491 |
|
01-May-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
templates: deny writes to host's clock (v2)
Don't allow write to /dev/rtc0, and remove sys_time.
Thanks, Christoph.
v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.
Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
dc7f65454ee88fbd50f4d6f8a7c567eb27107314 |
|
25-Apr-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Don't break when the locale is C.*
Update the code to also match C.* so that C.UTF-8 doesn't make the
container creation fail.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
cf0f903326cf3cdd10f834c1bbc627fd81e06044 |
|
24-Apr-2013 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
detect APT_PROXY from host apt.conf
Introduce a new HTTP_PROXY variable in /etc/default/lxc. If unset or
set to none, then behavior continues as before. If set to 'apt', then
any http::proxy set in apt.conf will be used as http_proxy for
debootstrap, and specified in the container's
/etc/apt/apt.conf.d/70proxy. If set to something else, then the
value of HTTP_PROXY will be used as http_proxy for debootstrap and
specified in the container's 70proxy.
Changelog: (apr 23) merge the two apt proxy detection functions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
a2abaa9ec60a8967611e8c8905698bd01bde5861 |
|
22-Apr-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Various fixes
- Drop disabled entries from allowed devices list
- Improve generated config layout a bit
- Drop redundant uname call
- Re-generate the SSH host keys on container creation
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
ed4616b1cfbc84dd01caa8546d813e8c5d482921 |
|
21-Apr-2013 |
Christian Bühler <christian@cbuehler.de> |
Use "uname -m" instead of "arch"
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
75129865d48d2293383316f88ce7661e37dde43d |
|
10-Apr-2013 |
Dwight Engen <dwight.engen@oracle.com> |
ubuntu template: fix installation when LANG=C
The ubuntu template will silently fail (because it is set -e) on
the locale-gen command when LANG=C
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
8a63c0a9d9089e6365e5a696455476febed39d6a |
|
27-Mar-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu: Tweak architecture support
This updates the various checks to match the grid below:
== lxc-ubuntu support per architecture ==
amd64: amd64, i386, armel, armhf, powerpc
i386: i386, armel, armhf, powerpc
armel: armel, armhf
armhf: armhf, armel
powerpc: powerpc
== lxc-ubuntu-cloud support per architecture ==
amd64: amd64, i386
i386: i386
armel: armel, armhf
armhf: armhf, armel
Note that most of the foreign architectures on x86 are supported
through the use of qemu-user-static. This one however isn't yet
supported for cloud images (I'll send a patch for 1.0).
Also, qemu-user-static is technically able to emulate amd64 on i386
but qemu-debootstrap doesn't appear to know that and fails quite miserably.
We may also want to add a test for amd64 kernel but i386 userspace, which
is a valid combination that allows running an amd64 container on an i386
host without requiring emulation, but that's for another patch.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
daaf41b36790bdaae855048e56ed090b17a77c97 |
|
19-Feb-2013 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu{-cloud}: Config layout tweaking
This commit tweaks the layout of the config file for the Ubuntu templates.
With this, we now get a clear network config group, then a path related group,
then a bunch of random config options and the end of the config is apparmor,
capabilities and cgroups.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
169bf5e07ed044a11fe6f5dd683615bee001ee36 |
|
22-Jan-2013 |
Dwight Engen <dwight.engen@oracle.com> |
use which instead of type
This is for consistency with the rest of lxc, and also because type checks for
shell builtins, a behavior that we do not want in these cases. Ensure stderr
for which is redirected to /dev/null also.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
fe253caa8b98854445aaf6ee253545ee1f13beb1 |
|
06-Dec-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
templates: Consistent use of locking
Move to per-template lock (except for oracle that's per-container).
Also ensure that the path used for the lock is relative to LOCALSTATEDIR.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
7c382572263726e0d90b9550bc8cf4c2ac014efa |
|
06-Dec-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu: Don't hardcode path to cache
Use LOCALSTATEDIR to generate the path to the cache.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
fade719ed906ad7aa73204ca84747047bae3d7bf |
|
29-Nov-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu: Guess a list of langpacks to install
In addition to creating the current locale in the container, also
try to scan the host and extract the list of langpacks installed there,
then pass that list to debootstrap as additional packages to install.
On distros that don't have dpkg, only language-pack-en will be installed.
The code will always ensure that language-pack-en is ALWAYS installed in the
target, similar to what Ubuntu does with its various media.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
18f823c1ca9f750ebad23f45026fcdeddc57a389 |
|
29-Nov-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu: Always create the needed locales
Move some old code from the trim() function into the main configure_ubuntu
function so that we always create a locale in the container.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> |
1881820ae4ff9004beef1bf7f04553580840441d |
|
12-Nov-2012 |
Serge Hallyn <serge.halyn@ubuntu.com> |
lxc-create: Make location of container rootfs configurable
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs. Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
192df6e2eb8ebb1a337c7ba025c57852d38e0d26 |
|
25-Oct-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
revert devtmpfs in ubuntu templates
devtmpfs is shared between host and containers, and it messes up
lucid containers too.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
c215bff6dfc298bdd6150e11b8c0f76c9d013a0a |
|
25-Oct-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
lxc-ubuntu{-cloud}: Fix missing "fi" in new devtmpfs code
The "if" statement to add devtmpfs was missing a matching "fi" causing parsing
error when using the template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
bf7d76cf3ae180820c0a29e0bfbaa97c20ce6a3d |
|
25-Oct-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
templates: mount devtmpfs in ubuntu containers
That way /dev/disk/ exists, and update-grub can succeed.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1060404 |
c6ed4d048deea85ed3bec67c7a04fb6c97009321 |
|
25-Oct-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu: fix printing of default user
If a user is bound into the container, don't claim the default user is
ubuntu.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1052315
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
91a5df88ad29bcbc485baa51eacf0b851c6f4834 |
|
25-Oct-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
try to better handle out of date container caches.
For a lucid container, apt-get update before installing the source package for
add-apt-repository, so that apt-get does not fail.
If apt-get dist-upgrade fails, suggest running lxc-create with -F.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
f02ce27d4b1a9d01b88d0ffaf626e5bafa671bf0 |
|
25-Oct-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Add lxc.aa_profile example to all templates
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
e470cba076535e4e9732173e0e314e473165478c |
|
25-Oct-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Use lxc_putold as the pivot_root put dir in the ubuntu templates
By default we use mnt, but that means that lxc fstab entries do not work
when placed under the container's /mnt/.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
542939c31bb73bab55f2fd71243b98f5559597d1 |
|
25-Oct-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
Fix lxc-ubuntu and lxc-ubuntu-cloud to properly deal with /dev/shm.
Now that initscripts in Debian and Ubuntu has been updated to no longer
do silly things with /dev/shm and /run/shm on installation/update, the
check needs updating to detect any remaining broken case and fix it.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> |
06f5c6328b73aad7b138096295357d803db26efa |
|
25-Oct-2012 |
Serge Hallyn <serge.halyn@ubuntu.com> |
ubuntu template: apt-get clean after debootstrapping a cache
This saves quite a bit of space in the cache and containers.
See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1037626 for the
original bug report.
Reported-by: Fajar A. Nugraha <list@fajar.net>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
f1ccde27c038e7fb7e538913505248b36ddd9e65 |
|
25-Oct-2012 |
Serge Hallyn <serge.halyn@ubuntu.com> |
ubuntu and debian templates: Clean up cache if cache build is interrupted
Otherwise the next lxc-create may rsync a bad cache.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
40f6ee0088528f355f3fe16e440c8d5f60b0d27d |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu: Use dpkg --add-architecture
When a container has dpkg >= 1.16.2, use dpkg --add-architecture
for multi-arch configuration on foreign architecture containers.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
add1d11833394aaa3a3497c2fdf548e5b14c80d4 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
templates: don't fail on busy flock
Just wait until the lock is available. That is a nicer behavior
for concurrent lxc-creates.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
09595b86de932c524c455ff10746e8be270f3bda |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu.in: drop duplicate code
Commits 15da01b3938d7ba45472e6c9d3b183a94dd86ca9 and
2e44ed1e647d9fd1544b7ad855bda22ca71abd12 conflicted and resulted in
some duplicate functionality. Drop the poorer version of that block.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
adca8543105002fdae3b48de780c10907fc66b52 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Simplify the Ubuntu template a bit
- Update list of extra packages for debootstrap to only include vim
and ssh. The others were only relevant when we were still using the
minbase variant. (LP: #996839)
- Drop any hardcoded Ubuntu version check and replace by feature
checks instead.
- Format lxc-ubuntu to consistently use 4-spaces indent instead of
mixed spaces/tabs.
- Update default /etc/network/interfaces to include the header.
- Update default /etc/hosts to match that of a regular Ubuntu system.
- Drop support for end-of-life releases (gutsy on sparc).
- Make sure /etc/resolv.conf is valid before running any apt command.
- Update template help message for release and arch parameters.
- Switch default Ubuntu version from lucid to precise.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
f876c22399932971378690d3476053e4b39ce77c |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu: fix non-native architectures
When installing a non-native architecture, the template
installs a bunch of packages of the native architecture to work around
existing limitations of qemu-user-static, mostly related to netlink.
The current code would install upstart of the host architecture but
force the amd64 version of the others. This was just a mistake done
while testing/developing the code. Fixing now to always install
the native architecture version of all of them.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
f34ff296835b2afa4b80018651d902448c99ac75 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu templates: remove maverick as it is end-of-life
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
b8bced69a80a8be95fdbbb6b4e9ad7fa85464b1e |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Update Ubuntu templates for quantal
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
42ff5f0f8767114d060f5031055038a1a1c3759a |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu*: in precise, make /dev/shm a symbolic link to /run/shm
This would be done (though done wrongly) by mounted-dev.conf, but
that doesn't run because we don't mount /dev.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
b08ee0ce9a17b575a35eb90778bcf166ecf3634a |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
Minor lxc config template layout fix
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
e4208a1995538460cd2a5f75fdafb70cf30599b3 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu: use relative path as target for bind mount
An absolute path will be interpreted as absolute with respect to the
parent's namespace.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
80a881b232b8955b85b360d4def99e6e680ff61b |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
templates: use relative paths when creating containers
At the same time, allow lxc.mount.entry to specify an absolute target
path relative to /var/lib/lxc/CN/rootfs, even if rootfs is a blockdev.
Otherwise all such entries are ignored for blockdev-backed containers.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
9db1aba4bc2201d886c159d7821c03a8cf25c389 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu.in: fix up the logic adding group for bound users
1. 'getent group $user' assumes user's group is named $user.
2. if 'getent group' returns error, just ignore the group in container
3. (misc) while it happens to all work out fine anyway, don't do
getent passwd $bindhome if $bindhome isn't defined. (it will
successfully return all password entries)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
ce5dbd8275111991815b1e4757c356deb54984e7 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu template: if a user is bound in, don't define ubuntu user
It might have a conflicting uid, and isn't needed. Also put the bound user
into sudo group.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
96bd45c823a8b8aaf1d684ccc8ad063ac411a0f4 |
|
31-Jul-2012 |
Stéphane Graber <stgraber@ubuntu.com> |
ubuntu template: add sudo group and cleanup minor devttydir issue
Always add the user to the 'sudo' group as it's been around
since at least Ubuntu 10.04. In addition make the user part
of the admin group until 12.04 where it's been removed.
Also fix a minor layout issue with devttydir.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
39aa5856f03898a84684c074ffb35bd0fa538b23 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu template: install bound user's shell
If a host user is bound into the container (-b), make sure that his
shell is installed in the container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
12170cf8e7eeed59cc3b14e9b129dc46257b81de |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu template: handle /etc/resolv.conf being a symlink
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
1d61e5b908fe892ac3f10045d45ba4a4d75f0853 |
|
31-Jul-2012 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
ubuntu template: set -e to return error on failures.
Otherwise callers can get bad containers without knowing it.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/922645
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
52c8f624b5f9ef665f33a7aa80e0aa18b91daa4a |
|
19-Mar-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
ubuntu templates cleanups
1. fix inconsistent use of '--auth-key' (not --auth_key) which broke their
usage
2. add --debug option to lxc-ubuntu (which does set -x to show what broke)
(idea from lifeless and benji)
3. fix incorrect assumption about group with -b option. User's default group
may not be the same as username.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
4759162d078d86628956cae4846c6efccf548e67 |
|
26-Feb-2012 |
Serge Hallyn <serge@hallyn.com> |
update ubuntu templates to provide macaddr and more
Add a macaddr if precisely one veth is specified but no hwaddr. Allow
specifying ssh authkeys. In cloud template, copy locales by default and allow
a tarball to be specified.
Signed-off-by: Ben Howard <ben.howard@canonical.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
bb59e078091c7284cbb852c50606754ffaefafef |
|
26-Feb-2012 |
Serge Hallyn <serge@hallyn.com> |
lxc-ubuntu: fix obscure arguments
1. --path is meant to be passed by lxc-create, but should not be passed
in by users. Don't advertise it in --help.
2. --clean syntax ends up not making much sense. Get rid of it, and
add '--flush-cache' option instead.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
f6144f0cba9850dad8db6ccf7cd5f63a5477af93 |
|
26-Feb-2012 |
Serge Hallyn <serge@hallyn.com> |
ubuntu template changes
Author: Stéphane Graber <stgraber@ubuntu.com>
Use ubuntu/ubuntu instead of root/root by default. Stop
removing tty[56].conf in Precise. Stop messing with dhclient.conf.
Set devttydir on Precise to /dev/lxc to allow for clean upgrades.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
6880563d9d688ed3739deb7c914b66e02cb726a6 |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
Don't install lxcguest in precise (and higher) releases
lxcguest is no longer needed, as precise should boot in a container
un-modified.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
5a50e09a4350dfaf5a95dd8d82c7777db9b02b45 |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
lxc-ubuntu: Support for building a container of a foreign architecture
Support building a container of a foreign architecture if
qemu-user-static is installed. This is done by installing some packages
of the host architecture in the container using multi-arch.
Author: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
6d8ac56b658a7aa35a46580c2df060c58ef02821 |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
add lvm support to lxc-create
1. Some templates copy the cached pristine rootfs using 'cp a b' where b is
$lxc_path/$name/rootfs. That doesn't do the right thing if rootfs already
exists, as it will when it is an lvm or other mount. So switch to
'rsync a/ b/'. (cp can be made to work too of course).
2. Update lxc-create to support backing stores. For now only lvm is
implemented.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
2e44ed1e647d9fd1544b7ad855bda22ca71abd12 |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
lxc-ubuntu: use release-updates and release-security
Particularly for LTS releases, which many people will want to use in
their containers, it is not wise to not use -security and -updates.
Furthermore the fix allowing ssh to allow the container to shut down
is in lucid-updates only.
With this patch, after debootstrapping a container, we add -updates
and -security to sources.list and do an apt-get upgrade under chroot.
Unfortunately we need to do this because debootstrap doesn't know how
to.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
2407e68ef2a1bc26323334a3249bdd64337ccd91 |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
lxc-ubuntu: add /dev/full, /dev/hpet, and /dev/kvm to devices whitelist
Thanks to Scott Moser for these, which allow qemu to run inside a container.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
e226883316ad028a9dbc048af4849082e940033f |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
drop mac_admin and mac_override
mac_admin stops the container from loading LSM policy. Neither
selinux nor apparmor currently will do well with automatic namespacing
of policy (though it's coming in apparmor, after which we can re-enable
this).
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
fdcde5b653e9e91d86f322b0f3aa7e176c47d38e |
|
26-Feb-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
Add new 'precise' release to ubuntu template
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
15da01b3938d7ba45472e6c9d3b183a94dd86ca9 |
|
05-Jan-2012 |
Serge Hallyn <serge.hallyn@canonical.com> |
ubuntu template: use -updates and -security (v3)
Particularly for LTS releases, which many people will want to use in
their containers, it is not wise to not use release-security and
release-updates. Furthermore the fix allowing ssh to allow the container
to shut down is in lucid-updates only.
With this patch, after debootstrapping a container, we add -updates and
-security to sources.list and do an upgrade under chroot. Unfortunately
we need to do this because debootstrap doesn't know how to.
Changelog:
Nov 14: as Stéphane Graber suggested, make sure no daemons start on
the host while doing dist-upgrade from chroot.
Nov 15: use security.ubuntu.com, not mirror. (stgraber)
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
5ddd950537c4f37814ac64a823ec1ab352c07b24 |
|
10-Nov-2011 |
Stéphane Graber <stgraber@ubuntu.com> |
Ubuntu template: some tweaks
Allow mknod (fixing udev upgrades) and drop mac_override and mac_admin
from lxc.cap.drop as apparmor has/will have support for namespaces
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
5fe95ad1121f07a21ff93d8557249bc0c97aa4d7 |
|
25-Oct-2011 |
Serge E. Hallyn <serge.hallyn@canonical.com> |
Drop resolvconf from oneiric container package list
It prevents containers from getting a good resolv.conf without doing
ifdown eth0; ifup eth0.
(see pad.lv/880020)
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
8565ea1c6f8285ca14fc3025791cd6b6576e4639 |
|
24-Oct-2011 |
Serge E. Hallyn <serge.hallyn@canonical.com> |
lxc-ubuntu: stop early if a bad user is specified in -b option
Otherwise we end up with a bad container fstab and a container
that won't boot. See
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/879052
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
b145c6ef5e7959016f54dadc2a92398f7ec684a4 |
|
24-Oct-2011 |
Serge E. Hallyn <serge.hallyn@canonical.com> |
ubuntu template: allow containers to create tap devices
Thought I had sent this before, but I don't find it anywhere.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915 |
|
24-Oct-2011 |
Serge E. Hallyn <serge.hallyn@canonical.com> |
ubuntu template: disallow cap_sys_module (by popular demand)
This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
e6238180c6963bcdbab42258a0f66b1d498c0e13 |
|
12-Aug-2011 |
Daniel Lezcano <daniel.lezcano@free.fr> |
remove minimal install for ubuntu template
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
3e9c97c17a86ff52897bdb965182c36248cdb97a |
|
07-Aug-2011 |
Serge E. Hallyn <serge.hallyn@canonical.com> |
add ubuntu-keyring to the packagelist for oneiric containers.
Otherwise apt fails during and after debootstrap.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
9e4fcfa115ec306baf8cbc86dd0fd97678425ab5 |
|
27-Jul-2011 |
Serge E. Hallyn <serge@hallyn.com> |
Don't try to add host user's groups in container
When '-b user' is specified to lxc-ubuntu container creation template, do
not automatically add all the groups of which user is a member on the host,
to user's groups in the container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
623f98d8cc0ae38cce244b355a804a7e8e607bc3 |
|
25-Jul-2011 |
Serge Hallyn <serge.hallyn@canonical.com> |
lxc-ubuntu: Allow /dev/fuse to be used in a container
As people seem to want it, i.e.
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/800886
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
c440536e7c4cc4836aca2cf3421509aaa8db2365 |
|
25-Jul-2011 |
Serge Hallyn <serge.hallyn@canonical.com> |
lxc-ubuntu: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
Note - I messed up. This was applied upstream, but I dropped it in
subsequent conversion to lxc-ubuntu template. It therefore needs to
be reapplied.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
c6992ecf0d9a452c1119d56b173859fba76ac713 |
|
25-Jun-2011 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu: Default to current ubuntu release.
If can't match any valid release, use lucid.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
8339b4c86a111a38e398f576318632491facb7ad |
|
25-Jun-2011 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
lxc-ubuntu: Base arch detection code on debootstrap's with some additions when we don't have dpkg or udpkg
Changelog: [seh] Don't take arch from environment
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
e2b4064f94f47246e5e2e6359b91b57cab0a0652 |
|
25-Jun-2011 |
Serge Hallyn <serge.hallyn@ubuntu.com> |
consolidate ubuntu templates
Consolidate lucid, maverick, natty, and oneiric templates into one 'ubuntu'
template.
Add support for specifying architecture.
Add support for '--trim|-x' option, which removes services like the lucid
template used to. This creates smaller, faster-booting containers, but they
will not be safe with certain upgrades, like mountall or udev. When -x is
not specified for lucid or maverick container, then install lxcguest from
the ubuntu-virt ppa, since it does not exist in the official archives, and
the container is not safe to boot without lxcguest.
Add support for '--bindhome <user>' option, which will cause /home/<user>
to be bind-mounted into the container, and create the user with his
original password, shell, and group memberships in the container.
changelog:
june 23:
lxc-ubuntu template: set lxc.arch in config
install lxcguest when NOT trimming the container
lxc-ubuntu: always install lxcguest in postprocess
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
78bdcd081edd6cc20587fb5c531445a2fb20f6d8 |
|
24-Jun-2010 |
Daniel Lezcano <daniel.lezcano@free.fr> |
remove bad default console option in ubuntu template
Remove this option as by default container console goes to the tty
or /dev/null if not available.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
5bad66ba56376dcf9804e72b70bba16a2462c2fe |
|
07-Jun-2010 |
Daniel Lezcano <daniel.lezcano@free.fr> |
ubuntu - fix ssh runlevel stop condition
The default ssh upstart configuration makes the daemon respawn
even if we are shutting down.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |
bc24fe4d8ae55d6b9af5c86a6eafd9ff674507cc |
|
07-Jun-2010 |
Wilhelm Meier <wilhelm.meier@fh-kl.de> |
few enhancements on the ubuntu template
Improved and cleaned up the ubuntu template.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Wilhelm Meier <wilhelm.meier@fh-kl.de> |
c01d62f21b21ba6c2b8b78ab3c2b37cc8f8fd265 |
|
07-Jun-2010 |
Daniel Lezcano <dlezcano@fr.ibm.com> |
move script templates to an adequate place
At present the lxc-{template} scripts are installed in the $bindir.
This is not the right place as specified by the FHS, so they go to
$libdir/lxc/templates.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> |