Fix all builds for LXC v3.0

Makefile

@@ -1,7 +1,7 @@
-UBUNTU_BOXES= precise quantal raring saucy trusty utopic vivid wily xenial
-DEBIAN_BOXES= squeeze wheezy jessie stretch sid
-CENTOS_BOXES= 6 7
-FEDORA_BOXES= rawhide 23 22 21 20 19
+UBUNTU_BOXES= trusty xenial
+DEBIAN_BOXES= jessie stretch sid
+CENTOS_BOXES= 7
+FEDORA_BOXES= 27 
 TODAY=$(shell date -u +"%Y-%m-%d")
 
 # Replace i686 with i386 and x86_64 with amd64
@@ -54,7 +54,7 @@ acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)"
 acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box"
 acceptance:
 	@mkdir -p $$(dirname $(PACKAGE))
-	@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu precise $(ARCH) $(CONTAINER) $(PACKAGE)
+	@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu xenial $(ARCH) $(CONTAINER) $(PACKAGE)
 	@sudo chmod +rw $(PACKAGE)
 	@sudo chown ${USER}: $(PACKAGE)
 

common/download.sh

@@ -26,34 +26,15 @@ fi
 
 # If we got to this point, we need to create the container
 log "Creating container..."
-if [ $RELEASE = 'raring' ] || [ $RELEASE = 'wily' ] || [ $RELEASE = 'xenial' ]; then
-  utils.lxc.create -t ubuntu -- \
-                   --release ${RELEASE} \
-                   --arch ${ARCH}
-elif [ $RELEASE = 'squeeze' ] || [ $RELEASE = 'wheezy' ]; then
-  utils.lxc.create -t debian -- \
-                   --release ${RELEASE} \
-                   --arch ${ARCH}
-elif [ ${DISTRIBUTION} = 'fedora' ] && [ "${RELEASE}" = 'rawhide' ]; then
-  ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
-  utils.lxc.create -t fedora --\
-                   --release ${RELEASE} \
-                   --arch ${ARCH}
-elif [ ${DISTRIBUTION} = 'fedora' ] && [ ${RELEASE} -ge 21 ]; then
-  ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
-  utils.lxc.create -t fedora --\
-                   --release ${RELEASE} \
-                   --arch ${ARCH}
-else
+
   utils.lxc.create -t download -- \
                    --dist ${DISTRIBUTION} \
                    --release ${RELEASE} \
                    --arch ${ARCH}
-fi
+
 if [ ${DISTRIBUTION} = 'fedora' ] ||\
-   [ ${DISTRIBUTION} = 'ubuntu' -a ${RELEASE} = 'wily' ] ||\
-   [ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' ] ||\
-   [ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'stretch' ]
+   [ ${DISTRIBUTION} = 'ubuntu' ] ||\
+   [ ${DISTRIBUTION} = 'debian' ]
 then
   # Improve systemd support:
   # - The fedora template does it but the fedora images from the download

conf/centos

@@ -1,9 +1,9 @@
 # Taken from the oracle.common.conf.in
 # Console settings
 
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+lxc.tty.dir = lxc
+lxc.tty.max = 4
+lxc.pty.max = 1024
 
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
@@ -54,4 +54,4 @@ lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun
 
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp

conf/debian

@@ -1,36 +1,34 @@
 # Default pivot location
-lxc.pivotdir = lxc_putold
 
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs defaults 0 0
 
 # Default console settings
-lxc.tty = 4
-lxc.pts = 1024
+lxc.tty.max = 4
+lxc.pty.max = 1024
 
 # Default capabilities
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # Prevent systemd-journald from burning 100% of CPU
 # See https://wiki.debian.org/LXC#Incompatibility_with_systemd
-lxc.kmsg = 0
 lxc.autodev = 1
 
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.apparmor.profile = lxc-container-default-with-nesting
 #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
 
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
 
 # Default cgroup limits
 lxc.cgroup.devices.deny = a

conf/debian-jessie

@@ -1,17 +1,15 @@
 # support systemd as PID 1
 lxc.autodev = 1
-lxc.kmsg = 0
 
 # Default pivot location
-lxc.pivotdir = lxc_putold
 
 # Default mount entries
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
 # Default console settings
-lxc.tty = 4
-lxc.pts = 1024
+lxc.tty.max = 4
+lxc.pty.max = 1024
 
 # Default capabilities
 lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
@@ -19,17 +17,17 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.apparmor.profile = lxc-container-default-with-nesting
 #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
 
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
 
 # Default cgroup limits
 lxc.cgroup.devices.deny = a

conf/debian-stretch

@@ -1 +0,0 @@
-debian-jessie

conf/debian-stretch

@@ -0,0 +1,63 @@
+# support systemd as PID 1
+lxc.autodev = 1
+
+# Default pivot location
+
+# Default mount entries
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+
+# Default console settings
+lxc.tty.max = 4
+lxc.pty.max = 1024
+
+# Default capabilities
+lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.apparmor.profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.apparmor.profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.apparmor.profile = lxc-container-default-with-mounting
+
+# Default cgroup limits
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm

conf/fedora

@@ -1,13 +1,12 @@
 # work better with systemd:
 lxc.autodev = 1
-lxc.kmsg = 0
 
 # Taken from the oracle.common.conf.in
 # Console settings
 
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+lxc.tty.dir = lxc
+lxc.tty.max = 4
+lxc.pty.max = 1024
 
 # Mount entries
 lxc.mount.auto = proc:mixed sys:ro
@@ -66,4 +65,4 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp

conf/ubuntu

@@ -1,14 +1,13 @@
 # Default pivot location
-lxc.pivotdir = lxc_putold
 
 # Default mount entries
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs defaults 0 0
 
 # Default console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+lxc.tty.dir = lxc
+lxc.tty.max = 4
+lxc.pty.max = 1024
 
 # Default capabilities
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
@@ -16,11 +15,11 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.apparmor.profile = lxc-container-default-with-nesting
 #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
 
 # Uncomment the following line to autodetect squid-deb-proxy configuration on the
@@ -30,7 +29,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
 
 # Default cgroup limits
 lxc.cgroup.devices.deny = a

conf/ubuntu-wily

@@ -6,5 +6,4 @@
 lxc.include = /usr/share/lxc/config/ubuntu.common.conf
 
 # settings for systemd with PID 1:
-lxc.kmsg = 0
 lxc.autodev = 1

conf/ubuntu-xenial

@@ -6,8 +6,7 @@
 lxc.include = /usr/share/lxc/config/ubuntu.common.conf
 
 # settings for systemd with PID 1:
-lxc.kmsg = 0
 lxc.autodev = 1
 # allow unconfined and incomplete
-lxc.aa_profile = unconfined
-lxc.aa_allow_incomplete = 1
+lxc.apparmor.profile = unconfined
+lxc.apparmor.allow_incomplete = 1

debian/install-extras.sh

@@ -50,7 +50,7 @@ if [ $ANSIBLE = 1 ]; then
   else
     info "Installing Ansible"
     cp debian/install-ansible.sh ${ROOTFS}/tmp/ && chmod +x ${ROOTFS}/tmp/install-ansible.sh
-    utils.lxc.attach /tmp/install-ansible.sh &>>${LOG}
+    utils.lxc.attach /tmp/install-ansible.sh
   fi
 else
   log "Skipping Ansible installation"
@@ -79,8 +79,6 @@ if [ $PUPPET = 1 ]; then
     warn "Puppet can't be installed on Debian sid, skipping"
   else
     log "Installing Puppet"
-    wget http://apt.puppetlabs.com/puppetlabs-release-${RELEASE}.deb -O "${ROOTFS}/tmp/puppetlabs-release-stable.deb" &>>${LOG}
-    utils.lxc.attach dpkg -i "/tmp/puppetlabs-release-stable.deb"
     utils.lxc.attach apt-get update
     utils.lxc.attach apt-get install puppet -y --force-yes
   fi
@@ -91,68 +89,10 @@ fi
 if [ $SALT = 1 ]; then
   if $(lxc-attach -n ${CONTAINER} -- which salt-minion &>/dev/null); then
     log "Salt has been installed on container, skipping"
-  elif [ ${RELEASE} = 'raring' ]; then
-    warn "Salt can't be installed on Ubuntu Raring 13.04, skipping"
   else
-    if [ $DISTRIBUTION = 'ubuntu' ]; then
-      if [ $RELEASE = 'precise' ] || [ $RELEASE = 'trusty' ] || [ $RELEASE = 'xenial' ] ; then
-        # For LTS releases we use packages from repo.saltstack.com
-        if [ $RELEASE = 'precise' ]; then
-          SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest precise main"
-          SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
-        elif [ $RELEASE = 'trusty' ]; then
-          SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main"
-          SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
-        elif [ $RELEASE = 'xenial' ]; then
-          SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main"
-          SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
-        fi
-        echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
-
-        utils.lxc.attach wget -q -O /tmp/salt.key $SALT_GPG_KEY
-        utils.lxc.attach apt-key add /tmp/salt.key
-      elif [ $RELEASE = 'quantal' ] || [ $RELEASE = 'saucy' ] ; then
-        utils.lxc.attach add-apt-repository -y ppa:saltstack/salt
-      fi
-      # For Utopic, Vivid and Wily releases use system packages
-    else # DEBIAN
-      if [ $RELEASE == "squeeze" ]; then
-        SALT_SOURCE_1="deb http://debian.saltstack.com/debian squeeze-saltstack main"
-        SALT_SOURCE_2="deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free"
-      elif [ $RELEASE == "wheezy" ]; then
-        SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/7/amd64/latest wheezy main"
-      elif [ $RELEASE == "jessie" ]; then
-        SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main"
-      else
-        SALT_SOURCE_1="deb http://debian.saltstack.com/debian unstable main"
-      fi
-      echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
-      echo $SALT_SOURCE_2 >> ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
-
-      utils.lxc.attach wget -q -O /tmp/salt.key "https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub"
-      utils.lxc.attach apt-key add /tmp/salt.key
-    fi
     utils.lxc.attach apt-get update
     utils.lxc.attach apt-get install salt-minion -y --force-yes
   fi
 else
   log "Skipping Salt installation"
 fi
-
-if [ $BABUSHKA = 1 ]; then
-  if $(lxc-attach -n ${CONTAINER} -- which babushka &>/dev/null); then
-    log "Babushka has been installed on container, skipping"
-  elif [ ${RELEASE} = 'trusty' ]; then
-    warn "Babushka can't be installed on Ubuntu Trusty 14.04, skipping"
-  else
-    log "Installing Babushka"
-    cat > $ROOTFS/tmp/install-babushka.sh << EOF
-#!/bin/sh
-curl https://babushka.me/up | sudo bash
-EOF
-    chmod +x $ROOTFS/tmp/install-babushka.sh
-    utils.lxc.attach /tmp/install-babushka.sh
-  fi
-else
-  log "Skipping Babushka installation"
-fi

fedora/install-extras.sh

@@ -17,8 +17,8 @@ sleep $SECS
 # TODO: Support for appending to this list from outside
 PACKAGES=(vim-enhanced curl wget man-db bash-completion ca-certificates sudo openssh-server strace python-dnf dnf-plugins-core e2fsprogs net-tools bind-utils)
 
-utils.lxc.attach yum update -y
-utils.lxc.attach yum install ${PACKAGES[*]} -y
+utils.lxc.attach dnf update -y
+utils.lxc.attach dnf install ${PACKAGES[*]} -y
 
 
 MASK_TMP=${MASK_TMP:-0}