diff --git a/Makefile b/Makefile
index 6a11c05..8cd48bb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 UBUNTU_BOXES= precise quantal raring saucy trusty utopic vivid
 DEBIAN_BOXES= squeeze wheezy sid jessie
-CENTOS_BOXES= 6
+CENTOS_BOXES= 6 7
 FEDORA_BOXES= rawhide 23 22 21 20 19
 TODAY=$(shell date -u +"%Y-%m-%d")
diff --git a/centos/install-extras.sh b/centos/install-extras.sh
index 679a311..fa45ba4 100755
--- a/centos/install-extras.sh
+++ b/centos/install-extras.sh
@@ -9,6 +9,9 @@ info 'Installing extra packages and upgrading'
 debug 'Bringing container up'
 utils.lxc.start
+# how to get that network up?...
+utils.lxc.attach ifup eth0
+
 # Sleep for a bit so that the container can get an IP
 SECS=20
 log "Sleeping for $SECS seconds..."
diff --git a/common/download.sh b/common/download.sh
index 14373bf..6cf13b0 100755
--- a/common/download.sh
+++ b/common/download.sh
@@ -52,13 +52,15 @@ else
 fi
 if [ ${DISTRIBUTION} = 'fedora' -o \
- ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' ]
+ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' -o \
+ ${DISTRIBUTION} = 'centos' -a ${RELEASE} = '7' ]
 then
 # Improve systemd support:
 # - The fedora template does it but the fedora images from the download
 # template apparently don't.
 # - The debian template does it but the debian image from the download
 # template apparently not.
+ # - For centos, there there is no support in either template yet.
 utils.lxc.stop
 echo >> /var/lib/lxc/${CONTAINER}/config
 echo "# settings for systemd with PID 1:" >> /var/lib/lxc/${CONTAINER}/config
diff --git a/conf/centos-7 b/conf/centos-7
new file mode 100644
index 0000000..eaec0eb
--- /dev/null
+++ b/conf/centos-7
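Review bot: The new `utils.lxc.attach ifup eth0` runs unconditionally and its result is never checked before the script goes on to wait 20 seconds for an IP, so if `ifup` is missing from the image or the interface is not `eth0` the script presumably sleeps and continues with no network (whether `utils.lxc.attach` aborts on a failing command is not visible here). The commit also leaves an open question, `# how to get that network up?...`, in committed code; I would replace it with a statement of the workaround, e.g. `# The CentOS image does not bring eth0 up on its own; start it explicitly so the container can obtain an address.`. Since the Makefile change makes this script run for CentOS 6 as well as 7, either confirm 6 tolerates the extra `ifup` or gate it on the release. If the helper propagates the exit status, `utils.lxc.attach ifup eth0 || { log 'ifup eth0 failed'; exit 1; }` would fail fast instead of silently.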
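Review bot: The extended condition chains `-a`/`-o` inside one `[ ]` with unquoted `${DISTRIBUTION}` and `${RELEASE}`; an empty or unset value collapses to `[ = 'fedora' ... ]`, which is a test syntax error rather than a false result, and POSIX leaves `-a`/`-o` with more than four arguments unspecified (it parses as intended here only because `-a` binds tighter than `-o`). Separate, quoted tests are safer: `if [ "${DISTRIBUTION}" = 'fedora' ] || \` / `{ [ "${DISTRIBUTION}" = 'debian' ] && [ "${RELEASE}" = 'jessie' ]; } || \` / `{ [ "${DISTRIBUTION}" = 'centos' ] && [ "${RELEASE}" = '7' ]; }`. The added comment also has a doubled word, `there there`. The `if` body continues past the end of the hunk.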
@@ -0,0 +1,55 @@
+# support systemd as PID 1:
+lxc.autodev = 1
+lxc.kmsg = 0
+
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+#
+lxc.cap.drop = mac_admin mac_override setfcap setpcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
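Review bot: Container root keeps CAP_SYS_ADMIN (plus net_raw, setuid, audit_control and the rest the inherited comments list) under this configuration — the active `lxc.cap.drop` lines cover only mac_admin through sys_time — so the device whitelist and the `proc:mixed sys:ro` mounts are not a containment boundary against a hostile guest; I would state that at the top of the file, e.g. `# NOTE: privileged container - root inside retains CAP_SYS_ADMIN; the cgroup/mount limits below do not contain a malicious guest.`. The `lxc.seccomp` line hard-codes `/usr/share/lxc/config/common.seccomp`, and to my knowledge LXC refuses to start a container whose seccomp file cannot be read, so the box only works on hosts whose LXC package ships that file — worth a comment next to it. Since the file is a hand copy ("Taken from the oracle.common.conf.in"), if the target LXC version provides `centos.common.conf`, an `lxc.include` of it would keep the device list and seccomp profile in step with host updates instead of freezing them here.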