


Michael Adam d4af30202a TODO: start adding opensuse boxes 2015-12-07 15:02:21 +01:00
Michael Adam 376fe7f41d SQ centos 7 2015-12-07 15:02:21 +01:00
Michael Adam 58367598e6 TODO centos: support centos 7
Caveat: I needed to add an ifup call to the install-extras script,
because without it, the container wouldn't start the dhcp client
on the network. This fix feels wrong but seems to give at least
some improvement.

special config for centos 7 - for systemd...
2015-12-07 15:02:21 +01:00
26 changed files with 242 additions and 346 deletions

.gitignore vendored

@ -1,3 +1,2 @@
/log /log
/output /output
*_packages


@ -1,7 +1,9 @@
UBUNTU_BOXES= trusty xenial UBUNTU_BOXES= precise quantal raring saucy trusty utopic vivid
DEBIAN_BOXES= jessie stretch sid DEBIAN_BOXES= squeeze wheezy sid jessie
CENTOS_BOXES= 7 CENTOS_BOXES= 6 7
FEDORA_BOXES= 27 FEDORA_BOXES= rawhide 23 22 21 20 19
OPENSUSE_BOXES= 12.3
TODAY=$(shell date -u +"%Y-%m-%d") TODAY=$(shell date -u +"%Y-%m-%d")
# Replace i686 with i386 and x86_64 with amd64 # Replace i686 with i386 and x86_64 with amd64
@ -15,6 +17,7 @@ ubuntu: $(UBUNTU_BOXES)
debian: $(DEBIAN_BOXES) debian: $(DEBIAN_BOXES)
centos: $(CENTOS_BOXES) centos: $(CENTOS_BOXES)
fedora: $(FEDORA_BOXES) fedora: $(FEDORA_BOXES)
opensuse: $(OPENSUSE_BOXES)
# REFACTOR: Figure out how can we reduce duplicated code # REFACTOR: Figure out how can we reduce duplicated code
$(UBUNTU_BOXES): CONTAINER = "vagrant-base-${@}-$(ARCH)" $(UBUNTU_BOXES): CONTAINER = "vagrant-base-${@}-$(ARCH)"
@ -45,16 +48,19 @@ $(FEDORA_BOXES):
@sudo -E ./mk-fedora.sh $(@) $(ARCH) $(CONTAINER) $(PACKAGE) @sudo -E ./mk-fedora.sh $(@) $(ARCH) $(CONTAINER) $(PACKAGE)
@sudo chmod +rw $(PACKAGE) @sudo chmod +rw $(PACKAGE)
@sudo chown ${USER}: $(PACKAGE) @sudo chown ${USER}: $(PACKAGE)
$(OPENSUSE_BOXES): CONTAINER = "vagrant-base-opensuse-${@}-$(ARCH)"
.PHONY: gentoo $(OPENSUSE_BOXES): PACKAGE = "output/${TODAY}/vagrant-lxc-opensuse-${@}-$(ARCH).box"
gentoo: $(OPENSUSE_BOXES):
@sudo -E ./mk-gentoo.sh @mkdir -p $$(dirname $(PACKAGE))
@sudo -E ./mk-opensuse.sh $(@) $(ARCH) $(CONTAINER) $(PACKAGE)
@sudo chmod +rw $(PACKAGE)
@sudo chown ${USER}: $(PACKAGE)
acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)" acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)"
acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box" acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box"
acceptance: acceptance:
@mkdir -p $$(dirname $(PACKAGE)) @mkdir -p $$(dirname $(PACKAGE))
@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu xenial $(ARCH) $(CONTAINER) $(PACKAGE) @PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu precise $(ARCH) $(CONTAINER) $(PACKAGE)
@sudo chmod +rw $(PACKAGE) @sudo chmod +rw $(PACKAGE)
@sudo chown ${USER}: $(PACKAGE) @sudo chown ${USER}: $(PACKAGE)
@ -64,7 +70,7 @@ release:
git tag $(version) git tag $(version)
git push && git push --tags git push && git push --tags
clean: ALL_BOXES = ${DEBIAN_BOXES} ${UBUNTU_BOXES} ${CENTOS_BOXES} ${FEDORA_BOXES} acceptance clean: ALL_BOXES = ${DEBIAN_BOXES} ${UBUNTU_BOXES} ${CENTOS_BOXES} ${FEDORA_BOXES} ${OPENSUSE_BOXES} acceptance
clean: clean:
@for r in $(ALL_BOXES); do \ @for r in $(ALL_BOXES); do \
sudo -E ./clean.sh $${r}\ sudo -E ./clean.sh $${r}\
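Review bot: The new `$(OPENSUSE_BOXES)` rule (the `12.3` target, together with `opensuse: $(OPENSUSE_BOXES)` in the earlier hunk) is not declared phony anywhere in this section, so a stray file named `12.3` in the checkout would make `make 12.3` report it as up to date and silently skip the build; unless the declaration lives outside the hunks shown, add `.PHONY: opensuse $(OPENSUSE_BOXES)` next to the rule, as the file already does for other command targets. The recipe's `sudo -E ./mk-opensuse.sh` follows the existing per-distro pattern of forwarding the caller's entire environment into a root-run script; a comment naming the variables the script actually consumes (`ARCH`, `CONTAINER`, `PACKAGE`, the provisioner flags) would make a narrower allow-list possible later, and `mk-opensuse.sh` itself is not among the sections of this compare, so I could not confirm it exists. The `clean` rule's `ALL_BOXES` was extended with `${OPENSUSE_BOXES}`, which keeps the two lists in step.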


@ -1,28 +1,39 @@
# vagrant-lxc base boxes # vagrant-lxc base boxes
This repository contains a set of scripts for creating base boxes for usage with This repository contains a set of scripts for creating base boxes for usage with
[vagrant-lxc](https://github.com/fgrehm/vagrant-lxc) 1.4+. [vagrant-lxc](https://github.com/fgrehm/vagrant-lxc) 1.0+.
## :warning: Deprecated :warning:
[I've stepped down as a maintainer of the plugin](https://github.com/fgrehm/vagrant-lxc/issues/375) and I'm no longer maintaining this repo. Feel free to use it as a starting point for your own boxes and if you need any help with that just LMK! :beers:
This fork is still maintained:
[https://github.com/obnoxxx/vagrant-lxc-base-boxes](https://github.com/obnoxxx/vagrant-lxc-base-boxes)
## What distros / versions can I build with this? ## What distros / versions can I build with this?
* Ubuntu * Ubuntu
- Xenial 16.04 x86_64 - Precise 12.04 x86_64
- Quantal 12.10 x86_64
- Raring 13.04 x86_64
- Saucy 13.10 x86_64
- Trusty 14.04 x86_64
- Utopic 14.10 x86_64
- Vivid 15.04 x86_64
* Debian * Debian
- Stretch x86_64 - Squeeze x86_64
- Wheezy x86_64
- Jessie x86_64
- Sid x86_64 - Sid x86_64
* Fedora * Fedora
- 19 x86_64
- 20 x86_64
- 21 x86_64
- 22 x86_64
- 23 x86_64 - 23 x86_64
- rawhide x86_64 - rawhide x86_64
* CentOS * CentOS
- 7 x86_64 - 6 x86_64
## Status
This is a fork of `obnoxxx/vagrant-lxc-base-boxes` which itself was a fork for
`fgrehm/vagrant-lxc-base-boxes`. The goal is to make LXC box generation work for LXC 3.0+. The
repo is not in top shape, but it works `make stretch` (which is what I use myself).
It should be easy enough for you to add support for distros you use (PR welcome).
## Building the boxes ## Building the boxes
@ -32,43 +43,44 @@ create one based on [this](https://github.com/lxc/lxc/blob/master/templates/lxc-
and drop it on your lxc templates path (usually `/usr/share/lxc/templates`)._ and drop it on your lxc templates path (usually `/usr/share/lxc/templates`)._
```sh ```sh
git clone https://github.com/hsoft/vagrant-lxc-base-boxes.git git clone https://github.com/fgrehm/vagrant-lxc-base-boxes.git
cd vagrant-lxc-base-boxes cd vagrant-lxc-base-boxes
make stretch make precise
``` ```
By default no provisioning tools will be included but you can pick the ones By default no provisioning tools will be included but you can pick the ones
you want by providing some environmental variables. For example: you want by providing some environmental variables. For example:
```sh ```sh
ANSIBLE=1 PUPPET=1 CHEF=1 \ PUPPET=1 CHEF=1 SALT=1 BABUSHKA=1 \
make stretch make precise
``` ```
Will build a Debian Stretch x86_64 box with latest Ansible, Puppet and Chef pre-installed. Will build a Ubuntu Precise x86_64 box with latest Puppet, Chef, Salt and
Babushka pre-installed.
When using ANSIBLE=1, an optional ANSIBLE_VERSION parameter may be passed that
will specify which version of ansible to install. By default it will install
the latest Ansible.
Additional packages to be installed can be specified with the ADDPACKAGES variable:
```sh
ADDPACKAGES="aptitude htop" \
make xenial
```
Will build a Ubuntu Xenial x86_64 box with aptitude and htop as additional
packages pre-installed. You can also specify the packages in a file
xenial_packages.
Note: ADDPACKAGES is currently only implemented for flavors of debian.
## Pre built base boxes ## Pre built base boxes
There are no pre-built base boxes for this repo. You have to build them yourself. _**NOTE:** None of the base boxes below have a provisioner pre-installed_
| Distribution | VagrantCloud box |
| ------------ | ---------------- |
| Ubuntu Precise 12.04 x86_64 | [fgrehm/precise64-lxc](https://vagrantcloud.com/fgrehm/precise64-lxc) |
| Ubuntu Trusty 14.04 x86_64 | [fgrehm/trusty64-lxc](https://vagrantcloud.com/fgrehm/trusty64-lxc) |
| Debian Wheezy 7 x86_64 | [fgrehm/wheezy64-lxc](https://vagrantcloud.com/fgrehm/wheezy64-lxc) |
| Debian Jessie 8 x86_64 | [glenux/jessie64-lxc](https://atlas.hashicorp.com/glenux/boxes/jessie64-lxc) |
| CentOS 6 x86_64 | [fgrehm/centos-6-64-lxc](https://vagrantcloud.com/fgrehm/centos-6-64-lxc) |
## What makes up for a vagrant-lxc base box? ## What makes up for a vagrant-lxc base box?
See [vagrant-lxc/BOXES.md](https://github.com/fgrehm/vagrant-lxc/blob/master/BOXES.md) See [vagrant-lxc/BOXES.md](https://github.com/fgrehm/vagrant-lxc/blob/master/BOXES.md)
## Known issues
* We can't get the NFS client to be installed on the containers used for building
Ubuntu 13.04 / 13.10 / 14.04 base boxes.
* Puppet can't be installed on Debian Sid
* Salt can't be installed on Ubuntu 13.04


@ -26,24 +26,45 @@ fi
# If we got to this point, we need to create the container # If we got to this point, we need to create the container
log "Creating container..." log "Creating container..."
if [ $RELEASE = 'raring' ]; then
utils.lxc.create -t ubuntu -- \
--release ${RELEASE} \
--arch ${ARCH}
elif [ $RELEASE = 'squeeze' ] || [ $RELEASE = 'wheezy' ]; then
utils.lxc.create -t debian -- \
--release ${RELEASE} \
--arch ${ARCH}
elif [ ${DISTRIBUTION} = 'fedora' -a "${RELEASE}" = 'rawhide' ]; then
ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
utils.lxc.create -t fedora --\
--release ${RELEASE} \
--arch ${ARCH}
elif [ ${DISTRIBUTION} = 'fedora' -a ${RELEASE} -ge '21' ]; then
ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
utils.lxc.create -t fedora --\
--release ${RELEASE} \
--arch ${ARCH}
else
utils.lxc.create -t download -- \ utils.lxc.create -t download -- \
--dist ${DISTRIBUTION} \ --dist ${DISTRIBUTION} \
--release ${RELEASE} \ --release ${RELEASE} \
--arch ${ARCH} --arch ${ARCH}
fi
if [ ${DISTRIBUTION} = 'fedora' ] ||\ if [ ${DISTRIBUTION} = 'fedora' -o \
[ ${DISTRIBUTION} = 'ubuntu' ] ||\ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' -o \
[ ${DISTRIBUTION} = 'debian' ] ${DISTRIBUTION} = 'centos' -a ${RELEASE} = '7' ]
then then
# Improve systemd support: # Improve systemd support:
# - The fedora template does it but the fedora images from the download # - The fedora template does it but the fedora images from the download
# template apparently don't. # template apparently don't.
# - The debian template does it but the debian image from the download # - The debian template does it but the debian image from the download
# template apparently not. # template apparently not.
# - For centos, there there is no support in either template yet.
utils.lxc.stop utils.lxc.stop
echo >> /var/lib/lxc/${CONTAINER}/config echo >> /var/lib/lxc/${CONTAINER}/config
echo "# settings for systemd with PID 1:" >> /var/lib/lxc/${CONTAINER}/config echo "# settings for systemd with PID 1:" >> /var/lib/lxc/${CONTAINER}/config
echo "lxc.kmsg = 0" >> /var/lib/lxc/${CONTAINER}/config
echo "lxc.autodev = 1" >> /var/lib/lxc/${CONTAINER}/config echo "lxc.autodev = 1" >> /var/lib/lxc/${CONTAINER}/config
utils.lxc.start utils.lxc.start
utils.lxc.attach rm -f /dev/kmsg utils.lxc.attach rm -f /dev/kmsg
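Review bot: The systemd condition `if [ ${DISTRIBUTION} = 'fedora' -o ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' -o ${DISTRIBUTION} = 'centos' -a ${RELEASE} = '7' ]` relies on `-a` binding tighter than `-o` inside `[`; POSIX marks both operators obsolescent and leaves tests with more than four arguments unspecified, and the unquoted `${RELEASE}` turns an empty release into a test syntax error rather than a false branch. The two fedora branches of the create chain above it are identical apart from their test, so they can be a single `elif` with the `ARCH` rewrite written once. `lxc.kmsg = 0` appended to the container config is a legacy key that, as far as I recall, LXC 3.0 removed together with the other pre-3.0 key names used in the conf files of this compare, so a comment stating the LXC version range these scripts target would save the next reader a failed container start. The `if` block continues past the end of the hunk.
```sh
elif [ "${DISTRIBUTION}" = 'fedora' ] && { [ "${RELEASE}" = 'rawhide' ] || [ "${RELEASE}" -ge 21 ]; }; then
  ARCH=$(echo "${ARCH}" | sed -e "s/38/68/" -e "s/amd64/x86_64/")
  utils.lxc.create -t fedora -- \
    --release "${RELEASE}" \
    --arch "${ARCH}"
else
# … unchanged: download-template branch and closing fi …
if [ "${DISTRIBUTION}" = 'fedora' ] ||
   { [ "${DISTRIBUTION}" = 'debian' ] && [ "${RELEASE}" = 'jessie' ]; } ||
   { [ "${DISTRIBUTION}" = 'centos' ] && [ "${RELEASE}" = '7' ]; }
then
# … unchanged: systemd settings appended to the container config …
```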


@ -3,13 +3,6 @@ set -e
source common/ui.sh source common/ui.sh
ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs"
WORKING_DIR="/tmp/${CONTAINER}"
debug "Creating ${WORKING_DIR}"
mkdir -p ${WORKING_DIR}
mkdir -p $(dirname ${PACKAGE})
# TODO: Create file with build date / time on container # TODO: Create file with build date / time on container
info "Packaging '${CONTAINER}' to '${PACKAGE}'..." info "Packaging '${CONTAINER}' to '${PACKAGE}'..."
@ -23,10 +16,10 @@ if [ -f ${WORKING_DIR}/rootfs.tar.gz ]; then
fi fi
log "Compressing container's rootfs" log "Compressing container's rootfs"
pushd $(dirname ${ROOTFS}) pushd $(dirname ${ROOTFS}) &>>${LOG}
tar --numeric-owner --anchored --exclude=./rootfs/dev/log -czf \ tar --numeric-owner --anchored --exclude=./rootfs/dev/log -czf \
${WORKING_DIR}/rootfs.tar.gz ./rootfs/* ${WORKING_DIR}/rootfs.tar.gz ./rootfs/*
popd popd &>>${LOG}
# Prepare package contents # Prepare package contents
log 'Preparing box package contents' log 'Preparing box package contents'
@ -42,6 +35,3 @@ sed -i "s/<TODAY>/${NOW}/" ${WORKING_DIR}/metadata.json
log 'Packaging box' log 'Packaging box'
TARBALL=$(readlink -f ${PACKAGE}) TARBALL=$(readlink -f ${PACKAGE})
(cd ${WORKING_DIR} && tar -czf $TARBALL ./*) (cd ${WORKING_DIR} && tar -czf $TARBALL ./*)
chmod +rw ${PACKAGE}
chown ${USER}: ${PACKAGE}
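Review bot: With the `ROOTFS`, `WORKING_DIR` and `mkdir -p ${WORKING_DIR}` lines gone from the top of this script, the remaining `pushd $(dirname ${ROOTFS})` and `tar ... -czf ${WORKING_DIR}/rootfs.tar.gz` depend entirely on the caller exporting both names; if either is empty the script changes into the wrong directory or writes `/rootfs.tar.gz` before `set -e` has anything to notice. A fail-fast guard right after `source common/ui.sh`, `: "${ROOTFS:?}" "${WORKING_DIR:?}" "${LOG:?}"`, turns that into an immediate, named error. The `&>>${LOG}` redirections added to `pushd`/`popd` are bash-only, which is fine provided the shebang (outside the hunk) is bash.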


@ -3,8 +3,7 @@ set -e
source common/ui.sh source common/ui.sh
ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs" export VAGRANT_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
VAGRANT_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
info "Preparing vagrant user..." info "Preparing vagrant user..."
@ -14,29 +13,24 @@ if $(grep -q 'vagrant' ${ROOTFS}/etc/shadow); then
elif $(grep -q 'ubuntu' ${ROOTFS}/etc/shadow); then elif $(grep -q 'ubuntu' ${ROOTFS}/etc/shadow); then
debug 'vagrant user does not exist, renaming ubuntu user...' debug 'vagrant user does not exist, renaming ubuntu user...'
mv ${ROOTFS}/home/{ubuntu,vagrant} mv ${ROOTFS}/home/{ubuntu,vagrant}
chroot ${ROOTFS} usermod -l vagrant -d /home/vagrant ubuntu chroot ${ROOTFS} usermod -l vagrant -d /home/vagrant ubuntu &>> ${LOG}
chroot ${ROOTFS} groupmod -n vagrant ubuntu chroot ${ROOTFS} groupmod -n vagrant ubuntu &>> ${LOG}
echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
log 'Renamed ubuntu user to vagrant and changed password.' log 'Renamed ubuntu user to vagrant and changed password.'
elif [ ${DISTRIBUTION} = 'centos' -o ${DISTRIBUTION} = 'fedora' ]; then elif [ ${DISTRIBUTION} = 'centos' -o ${DISTRIBUTION} = 'fedora' ]; then
debug 'Creating vagrant user...' debug 'Creating vagrant user...'
chroot ${ROOTFS} useradd --create-home -s /bin/bash -u 1000 vagrant chroot ${ROOTFS} useradd --create-home -s /bin/bash -u 1000 vagrant &>> ${LOG}
echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
sed -i 's/^Defaults\s\+requiretty/# Defaults requiretty/' $ROOTFS/etc/sudoers sed -i 's/^Defaults\s\+requiretty/# Defaults requiretty/' $ROOTFS/etc/sudoers
if [ ${RELEASE} -eq 6 ]; then
info 'Disabling password aging for root...'
# disable password aging (required on Centos 6)
# pretend that password was changed today (won't fail during provisioning)
chroot ${ROOTFS} chage -I -1 -m 0 -M 99999 -E -1 -d `date +%Y-%m-%d` root
fi
else else
debug 'Creating vagrant user...' debug 'Creating vagrant user...'
chroot ${ROOTFS} useradd --create-home -s /bin/bash vagrant chroot ${ROOTFS} useradd --create-home -s /bin/bash vagrant &>> ${LOG}
chroot ${ROOTFS} adduser vagrant sudo &>> ${LOG}
echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
fi fi
# Configure SSH access # Configure SSH access
if [ -d ${ROOTFS}/home/vagrant/.ssh/authorized_keys ]; then if [ -d ${ROOTFS}/home/vagrant/.ssh ]; then
log 'Skipping vagrant SSH credentials configuration' log 'Skipping vagrant SSH credentials configuration'
else else
debug 'SSH key has not been set' debug 'SSH key has not been set'
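Review bot: The new skip test `if [ -d ${ROOTFS}/home/vagrant/.ssh ]` skips installing the vagrant key whenever the directory exists, even when `authorized_keys` is absent, so an image that ships an empty `.ssh` (the renamed ubuntu user's home, for instance) would end up without SSH access; testing the file itself, `if [ -f "${ROOTFS}/home/vagrant/.ssh/authorized_keys" ]; then`, matches what the log message claims. The `else` branch continues past the end of the hunk. The new `chroot ${ROOTFS} adduser vagrant sudo` grants sudo group membership only in the generic branch, while the centos/fedora branch creates the user without any group change; if that is intentional, a short comment saying where sudo rights for those images come from would help the next reader.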


@ -7,16 +7,19 @@ export WARN_COLOR='\033[33;01m'
log() { log() {
LOG_PREFIX="${DISTRIBUTION}-${RELEASE}" LOG_PREFIX="${DISTRIBUTION}-${RELEASE}"
echo " [${LOG_PREFIX}] ${1}" echo " [${LOG_PREFIX}] ${1}" >>${LOG}
echo " [${LOG_PREFIX}] ${1}" >&2
} }
warn() { warn() {
LOG_PREFIX="${DISTRIBUTION}-${RELEASE}" LOG_PREFIX="${DISTRIBUTION}-${RELEASE}"
echo "==> [${LOG_PREFIX}] [WARN] ${1}" >>${LOG}
echo -e "${WARN_COLOR}==> [${LOG_PREFIX}] ${1}${NO_COLOR}" echo -e "${WARN_COLOR}==> [${LOG_PREFIX}] ${1}${NO_COLOR}"
} }
info() { info() {
LOG_PREFIX="${DISTRIBUTION}-${RELEASE}" LOG_PREFIX="${DISTRIBUTION}-${RELEASE}"
echo "==> [${LOG_PREFIX}] [INFO] ${1}" >>${LOG}
echo -e "${OK_COLOR}==> [${LOG_PREFIX}] ${1}${NO_COLOR}" echo -e "${OK_COLOR}==> [${LOG_PREFIX}] ${1}${NO_COLOR}"
} }
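Review bot: `log`, `warn` and `info` now all append to `>>${LOG}` without quoting and without checking that `LOG` is set; if a script sources ui.sh with `LOG` unset or empty, bash reports an ambiguous redirect on every call instead of a clear message. Adding `: "${LOG:?LOG must name the build log file}"` at the top of ui.sh, before the functions, and writing the redirections as `>>"${LOG}"` makes the contract explicit; the same unquoted `${LOG}` redirections are added in the packaging script, the vagrant-user script and common/lxc.sh sections of this compare. `log` writes its console copy to stderr while `warn` and `info` write theirs to stdout, so anything capturing stdout sees the two classes differently — presumably intentional, but worth a one-line comment above `log()`.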


@ -3,31 +3,21 @@
utils.lxc.attach() { utils.lxc.attach() {
cmd="$@" cmd="$@"
log "Running [${cmd}] inside '${CONTAINER}' container..." log "Running [${cmd}] inside '${CONTAINER}' container..."
lxc-attach -n ${CONTAINER} -- $cmd (lxc-attach -n ${CONTAINER} -- $cmd) & >> ${LOG}
}
utils.lxc.pipetofile() {
lxc-attach -n ${CONTAINER} -- /bin/bash -c "tee $1 > /dev/null"
}
utils.lxc.runscript() {
log "Running $1 inside '${CONTAINER}'..."
cat $1 | utils.lxc.pipetofile /script.sh
utils.lxc.attach /bin/bash /script.sh
} }
utils.lxc.start() { utils.lxc.start() {
lxc-start -d -n ${CONTAINER} || true lxc-start -d -n ${CONTAINER} & >> ${LOG} || true
} }
utils.lxc.stop() { utils.lxc.stop() {
lxc-stop -n ${CONTAINER} || true lxc-stop -n ${CONTAINER} & >> ${LOG} || true
} }
utils.lxc.destroy() { utils.lxc.destroy() {
lxc-destroy -n ${CONTAINER} lxc-destroy -n ${CONTAINER} & >> ${LOG}
} }
utils.lxc.create() { utils.lxc.create() {
lxc-create -n ${CONTAINER} "$@" lxc-create -n ${CONTAINER} "$@" & >> ${LOG}
} }
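Review bot: `(lxc-attach -n ${CONTAINER} -- $cmd) & >> ${LOG}` in `utils.lxc.attach` does not redirect into the log: `&` terminates the command and puts lxc-attach in the background, and `>> ${LOG}` is then a separate empty command. Every caller therefore continues before the attached command has finished — consecutive `apt-get` invocations will contend for the dpkg lock — and the exit status seen by `set -e` is that of the empty redirection, so failures inside the container are never reported; the same applies to `utils.lxc.start`, `utils.lxc.stop`, `utils.lxc.destroy` and `utils.lxc.create`, where the trailing `|| true` now guards the wrong command. The intent is presumably the bash append-both-streams operator without the space, `lxc-attach -n ${CONTAINER} -- $cmd &>> ${LOG}`, applied to all five functions.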


@ -1,9 +1,9 @@
# Taken from the oracle.common.conf.in # Taken from the oracle.common.conf.in
# Console settings # Console settings
lxc.tty.dir = lxc lxc.devttydir = lxc
lxc.tty.max = 4 lxc.tty = 4
lxc.pty.max = 1024 lxc.pts = 1024
# Mount entries # Mount entries
lxc.mount.auto = proc:mixed sys:ro lxc.mount.auto = proc:mixed sys:ro
@ -54,4 +54,4 @@ lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun
# Blacklist some syscalls which are not safe in privileged # Blacklist some syscalls which are not safe in privileged
# containers # containers
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp lxc.seccomp = /usr/share/lxc/config/common.seccomp
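Review bot: The new side of this section switches `lxc.tty.dir`, `lxc.tty.max`, `lxc.pty.max` and `lxc.seccomp.profile` back to the pre-3.0 spellings `lxc.devttydir`, `lxc.tty`, `lxc.pts` and `lxc.seccomp`; as far as I recall LXC 3.0 dropped the legacy names (and `lxc.kmsg`, `lxc.pivotdir`, `lxc.aa_profile`), so on a host running LXC 3.0 or later these files would be rejected at container start. If a 2015-era LXC 1.x/2.x host is the target, a one-line header comment in each conf file stating the supported LXC version range, e.g. `# LXC 1.x/2.x key names; rename for LXC 3.0+`, would stop the next person from "fixing" it blind; the same key changes appear in the four later conf sections of this compare and in the new `conf/centos-7`. The seccomp profile path itself is unchanged, so the syscall blacklist stays in effect.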

conf/centos-7 Normal file

@ -0,0 +1,55 @@
# support systemd as PID 1:
lxc.autodev = 1
lxc.kmsg = 0
# Taken from the oracle.common.conf.in
# Console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
# Ensure hostname is changed on clone
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
#
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
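Review bot: Apart from the two lines under `# support systemd as PID 1:`, this new file repeats the console, mount, capability, device-whitelist and seccomp settings of the oracle-derived conf shown earlier in this compare line for line, and the two already diverge in at least one place: that file's hunk context shows a `lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun` entry that is absent here, which is exactly how hardening lists drift apart. Keeping the shared part in one file and writing centos-7 as `lxc.include = <path to the shared conf>` followed by the two systemd keys would make the intended difference between the two explicit. `lxc.kmsg = 0` is a legacy key that, as far as I recall, LXC 3.0 removed, so a header comment naming the LXC versions this config targets would help.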


@ -1,34 +1,36 @@
# Default pivot location # Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries # Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Default console settings # Default console settings
lxc.tty.max = 4 lxc.tty = 4
lxc.pty.max = 1024 lxc.pts = 1024
# Default capabilities # Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
# Prevent systemd-journald from burning 100% of CPU # Prevent systemd-journald from burning 100% of CPU
# See https://wiki.debian.org/LXC#Incompatibility_with_systemd # See https://wiki.debian.org/LXC#Incompatibility_with_systemd
lxc.kmsg = 0
lxc.autodev = 1 lxc.autodev = 1
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined #lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of # To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead. # apparmor's added security, use the following two lines instead.
#lxc.apparmor.profile = lxc-container-default-with-nesting #lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# If you wish to allow mounting block filesystems, then use the following # If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop # line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting #lxc.aa_profile = lxc-container-default-with-mounting
# Default cgroup limits # Default cgroup limits
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a


@ -1,33 +1,35 @@
# support systemd as PID 1 # support systemd as PID 1
lxc.autodev = 1 lxc.autodev = 1
lxc.kmsg = 0
# Default pivot location # Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries # Default mount entries
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Default console settings # Default console settings
lxc.tty.max = 4 lxc.tty = 4
lxc.pty.max = 1024 lxc.pts = 1024
# Default capabilities # Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined #lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of # To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead. # apparmor's added security, use the following two lines instead.
#lxc.apparmor.profile = lxc-container-default-with-nesting #lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# If you wish to allow mounting block filesystems, then use the following # If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop # line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting #lxc.aa_profile = lxc-container-default-with-mounting
# Default cgroup limits # Default cgroup limits
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
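Review bot: The new side's `lxc.cap.drop = sys_module mac_admin mac_override sys_time` no longer drops `sys_rawio`, so a privileged container built from this config keeps CAP_SYS_RAWIO (raw port I/O and related low-level access) that the other side removes, and nothing in the file says why. If something inside the container needs it, a comment above the line naming that consumer would justify the wider set; otherwise `lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio` keeps this file consistent with its siblings. The file also replaces `lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed` with explicit proc/sysfs entries under a `# support systemd as PID 1` header; whether systemd as PID 1 still gets a usable cgroup tree without `cgroup:mixed` depends on the LXC version in use, so that deserves a sentence in the header too.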


@ -1,63 +0,0 @@
# support systemd as PID 1
lxc.autodev = 1
# Default pivot location
# Default mount entries
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
# Default console settings
lxc.tty.max = 4
lxc.pty.max = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.apparmor.profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting
# Default cgroup limits
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm


@ -1,12 +1,13 @@
# work better with systemd: # work better with systemd:
lxc.autodev = 1 lxc.autodev = 1
lxc.kmsg = 0
# Taken from the oracle.common.conf.in # Taken from the oracle.common.conf.in
# Console settings # Console settings
lxc.tty.dir = lxc lxc.devttydir = lxc
lxc.tty.max = 4 lxc.tty = 4
lxc.pty.max = 1024 lxc.pts = 1024
# Mount entries # Mount entries
lxc.mount.auto = proc:mixed sys:ro lxc.mount.auto = proc:mixed sys:ro
@ -34,8 +35,7 @@ lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
#lxc.cap.drop = setpcap #lxc.cap.drop = setpcap
# #
lxc.cap.drop = mac_admin mac_override lxc.cap.drop = mac_admin mac_override
# needed for httpd lxc.cap.drop = setfcap
#lxc.cap.drop = setfcap
lxc.cap.drop = sys_module sys_pacct lxc.cap.drop = sys_module sys_pacct
# sys_nice: needed to run CTDB # sys_nice: needed to run CTDB
#lxc.cap.drop = sys_nice sys_pacct #lxc.cap.drop = sys_nice sys_pacct
@ -65,4 +65,4 @@ lxc.cgroup.devices.allow = c 5:2 rwm
# Blacklist some syscalls which are not safe in privileged # Blacklist some syscalls which are not safe in privileged
# containers # containers
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp lxc.seccomp = /usr/share/lxc/config/common.seccomp


@ -1,5 +0,0 @@
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# Default console settings
lxc.tty.max = 4
lxc.pty.max = 1024


@ -1,13 +1,14 @@
# Default pivot location # Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries # Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Default console settings # Default console settings
lxc.tty.dir = lxc lxc.devttydir = lxc
lxc.tty.max = 4 lxc.tty = 4
lxc.pty.max = 1024 lxc.pts = 1024
# Default capabilities # Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
@ -15,11 +16,11 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined #lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of # To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead. # apparmor's added security, use the following two lines instead.
#lxc.apparmor.profile = lxc-container-default-with-nesting #lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# Uncomment the following line to autodetect squid-deb-proxy configuration on the # Uncomment the following line to autodetect squid-deb-proxy configuration on the
@ -29,7 +30,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# If you wish to allow mounting block filesystems, then use the following # If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop # line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting #lxc.aa_profile = lxc-container-default-with-mounting
# Default cgroup limits # Default cgroup limits
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a


@ -1,9 +0,0 @@
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: --release wily --arch amd64
# For additional config options, please look at lxc.container.conf(5)
# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
# settings for systemd with PID 1:
lxc.autodev = 1


@ -1,12 +0,0 @@
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: --release wily --arch amd64
# For additional config options, please look at lxc.container.conf(5)
# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
# settings for systemd with PID 1:
lxc.autodev = 1
# allow unconfined and incomplete
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_incomplete = 1


@ -1,7 +0,0 @@
#!/bin/bash
ANSIBLE_VERSION=${ANSIBLE_VERSION:-latest}
apt-get install -y build-essential python-setuptools python-jinja2 python-yaml python-paramiko python-httplib2 python-crypto sshpass
wget https://releases.ansible.com/ansible/ansible-$ANSIBLE_VERSION.tar.gz -O /tmp//ansible.tar.gz
tar -zxvf /tmp/ansible.tar.gz -C /tmp/ && rm -r /tmp/ansible.tar.gz
cd /tmp/ansible-* && make && make install


@ -14,25 +14,18 @@ SECS=15
log "Sleeping for $SECS seconds..." log "Sleeping for $SECS seconds..."
sleep $SECS sleep $SECS
PACKAGES=(vim curl wget man-db openssh-server bash-completion ca-certificates sudo) # TODO: Support for appending to this list from outside
PACKAGES=(vim curl wget man-db openssh-server bash-completion python-software-properties ca-certificates sudo)
log "Installing additional packages: ${ADDPACKAGES}"
PACKAGES+=" ${ADDPACKAGES}"
if [ $DISTRIBUTION = 'ubuntu' ]; then if [ $DISTRIBUTION = 'ubuntu' ]; then
PACKAGES+=' software-properties-common' PACKAGES+=' software-properties-common'
fi fi
if [ $RELEASE != 'raring' ] && [ $RELEASE != 'saucy' ] && [ $RELEASE != 'trusty' ] && [ $RELEASE != 'wily' ] ; then if [ $RELEASE != 'raring' ] && [ $RELEASE != 'saucy' ] && [ $RELEASE != 'trusty' ] ; then
PACKAGES+=' nfs-common' PACKAGES+=' nfs-common'
fi fi
if [ $RELEASE != 'stretch' ] ; then
PACKAGES+=' python-software-properties'
fi
utils.lxc.attach apt-get update utils.lxc.attach apt-get update
utils.lxc.attach apt-get install ${PACKAGES[*]} -y --force-yes utils.lxc.attach apt-get install ${PACKAGES[*]} -y --force-yes
utils.lxc.attach apt-get upgrade -y --force-yes utils.lxc.attach apt-get upgrade -y --force-yes
ANSIBLE=${ANSIBLE:-0}
CHEF=${CHEF:-0} CHEF=${CHEF:-0}
PUPPET=${PUPPET:-0} PUPPET=${PUPPET:-0}
SALT=${SALT:-0} SALT=${SALT:-0}
@ -44,18 +37,6 @@ if [ $DISTRIBUTION = 'debian' ]; then
-i ${ROOTFS}/etc/bash.bashrc -i ${ROOTFS}/etc/bash.bashrc
fi fi
if [ $ANSIBLE = 1 ]; then
if $(lxc-attach -n ${CONTAINER} -- which ansible &>/dev/null); then
log "Ansible has been installed on container, skipping"
else
info "Installing Ansible"
cp debian/install-ansible.sh ${ROOTFS}/tmp/ && chmod +x ${ROOTFS}/tmp/install-ansible.sh
utils.lxc.attach /tmp/install-ansible.sh
fi
else
log "Skipping Ansible installation"
fi
if [ $CHEF = 1 ]; then if [ $CHEF = 1 ]; then
if $(lxc-attach -n ${CONTAINER} -- which chef-solo &>/dev/null); then if $(lxc-attach -n ${CONTAINER} -- which chef-solo &>/dev/null); then
log "Chef has been installed on container, skipping" log "Chef has been installed on container, skipping"
@ -79,6 +60,8 @@ if [ $PUPPET = 1 ]; then
warn "Puppet can't be installed on Debian sid, skipping" warn "Puppet can't be installed on Debian sid, skipping"
else else
log "Installing Puppet" log "Installing Puppet"
wget http://apt.puppetlabs.com/puppetlabs-release-stable.deb -O "${ROOTFS}/tmp/puppetlabs-release-stable.deb" &>>${LOG}
utils.lxc.attach dpkg -i "/tmp/puppetlabs-release-stable.deb"
utils.lxc.attach apt-get update utils.lxc.attach apt-get update
utils.lxc.attach apt-get install puppet -y --force-yes utils.lxc.attach apt-get install puppet -y --force-yes
fi fi
@ -89,10 +72,47 @@ fi
if [ $SALT = 1 ]; then if [ $SALT = 1 ]; then
if $(lxc-attach -n ${CONTAINER} -- which salt-minion &>/dev/null); then if $(lxc-attach -n ${CONTAINER} -- which salt-minion &>/dev/null); then
log "Salt has been installed on container, skipping" log "Salt has been installed on container, skipping"
elif [ ${RELEASE} = 'raring' ]; then
warn "Salt can't be installed on Ubuntu Raring 13.04, skipping"
else else
if [ $DISTRIBUTION = 'ubuntu' ]; then
utils.lxc.attach add-apt-repository -y ppa:saltstack/salt
else # DEBIAN
if [ $RELEASE == "squeeze" ]; then
SALT_SOURCE_1="deb http://debian.saltstack.com/debian squeeze-saltstack main"
SALT_SOURCE_2="deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free"
elif [ $RELEASE == "wheezy" ]; then
SALT_SOURCE_1="deb http://debian.saltstack.com/debian wheezy-saltstack main"
else
SALT_SOURCE_1="deb http://debian.saltstack.com/debian unstable main"
fi
echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
echo $SALT_SOURCE_2 >> ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
utils.lxc.attach wget -q -O /tmp/salt.key "http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key"
utils.lxc.attach apt-key add /tmp/salt.key
fi
utils.lxc.attach apt-get update utils.lxc.attach apt-get update
utils.lxc.attach apt-get install salt-minion -y --force-yes utils.lxc.attach apt-get install salt-minion -y --force-yes
fi fi
else else
log "Skipping Salt installation" log "Skipping Salt installation"
fi fi
if [ $BABUSHKA = 1 ]; then
if $(lxc-attach -n ${CONTAINER} -- which babushka &>/dev/null); then
log "Babushka has been installed on container, skipping"
elif [ ${RELEASE} = 'trusty' ]; then
warn "Babushka can't be installed on Ubuntu Trusty 14.04, skipping"
else
log "Installing Babushka"
cat > $ROOTFS/tmp/install-babushka.sh << EOF
#!/bin/sh
curl https://babushka.me/up | sudo bash
EOF
chmod +x $ROOTFS/tmp/install-babushka.sh
utils.lxc.attach /tmp/install-babushka.sh
fi
else
log "Skipping Babushka installation"
fi
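Review bot: The Puppet release package added in the third hunk (`wget http://apt.puppetlabs.com/puppetlabs-release-stable.deb ...` followed by `dpkg -i`) and the SaltStack signing key at `utils.lxc.attach wget -q -O /tmp/salt.key "http://debian.saltstack.com/..."` followed by `apt-key add` are both fetched over plain HTTP and installed as root with no checksum or fingerprint check, so the repository signature chain starts from an unauthenticated download. Fetch them over HTTPS where the mirror offers it and verify before installing, e.g. `echo "<EXPECTED_SHA256 placeholder>  /tmp/puppetlabs-release-stable.deb" | sha256sum -c -` ahead of the `dpkg -i`, and compare the output of `gpg --with-fingerprint /tmp/salt.key` against a fingerprint recorded in this repository before the `apt-key add`. The Babushka installer `curl https://babushka.me/up | sudo bash` in the last hunk has the same shape and should at least be saved to a file and checked before it is executed. Separately, `echo $SALT_SOURCE_2 >> ${ROOTFS}/etc/apt/sources.list.d/saltstack.list` runs for every Debian release while `SALT_SOURCE_2` is only assigned in the squeeze branch, so wheezy and sid builds append an empty line; guard it with `[ -n "$SALT_SOURCE_2" ] && echo "$SALT_SOURCE_2" >> ...`.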


@ -28,9 +28,9 @@ if [ ${DISTRIBUTION} = 'debian' ]; then
utils.lxc.attach /usr/sbin/update-rc.d -f mountall-bootclean.sh remove utils.lxc.attach /usr/sbin/update-rc.d -f mountall-bootclean.sh remove
utils.lxc.attach /usr/sbin/update-rc.d -f mountnfs-bootclean.sh remove utils.lxc.attach /usr/sbin/update-rc.d -f mountnfs-bootclean.sh remove
# Fixes for jessie, following the guide from # Fixes for jessie, following the guide from
# https://wiki.debian.org/LXC#Incompatibility_with_systemd # https://wiki.debian.org/LXC#Incompatibility_with_systemd
if [ "$RELEASE" = 'jessie' ] || [ "$RELEASE" = 'stretch' ]; then if [ "$RELEASE" = 'jessie' ]; then
# Reconfigure the LXC # Reconfigure the LXC
utils.lxc.attach /bin/cp \ utils.lxc.attach /bin/cp \
/lib/systemd/system/getty@.service \ /lib/systemd/system/getty@.service \
@ -48,5 +48,5 @@ utils.lxc.attach /usr/sbin/locale-gen ${LANG}
utils.lxc.attach update-locale LANG=${LANG} utils.lxc.attach update-locale LANG=${LANG}
# Fix to allow bindfs # Fix to allow bindfs
utils.lxc.attach ln -sf /bin/true /sbin/modprobe utils.lxc.attach ln -s /bin/true /sbin/modprobe
utils.lxc.attach mknod -m 666 /dev/fuse c 10 229 utils.lxc.attach mknod -m 666 /dev/fuse c 10 229
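Review bot: `utils.lxc.attach ln -s /bin/true /sbin/modprobe` in the second hunk fails with "File exists" when the container rootfs already ships a `/sbin/modprobe`, and if this script runs under `set -e` (not visible in the hunk) that aborts the build partway through; `utils.lxc.attach ln -sf /bin/true /sbin/modprobe` replaces the binary unconditionally. Since this turns every modprobe call inside the container into a silent no-op, the existing `# Fix to allow bindfs` comment should say so explicitly, e.g. `# Fix to allow bindfs: modprobe cannot load modules in the container anyway, so make it a no-op that always succeeds`. The `if [ ${DISTRIBUTION} = 'debian' ]` block that the first hunk belongs to starts outside the hunk.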


@ -15,10 +15,10 @@ log "Sleeping for $SECS seconds..."
sleep $SECS sleep $SECS
# TODO: Support for appending to this list from outside # TODO: Support for appending to this list from outside
PACKAGES=(vim-enhanced curl wget man-db bash-completion ca-certificates sudo openssh-server strace python-dnf dnf-plugins-core e2fsprogs net-tools bind-utils) PACKAGES=(vim curl wget man-db bash-completion ca-certificates sudo openssh-server)
utils.lxc.attach dnf update -y utils.lxc.attach yum update -y
utils.lxc.attach dnf install ${PACKAGES[*]} -y utils.lxc.attach yum install ${PACKAGES[*]} -y
MASK_TMP=${MASK_TMP:-0} MASK_TMP=${MASK_TMP:-0}
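Review bot: `utils.lxc.attach yum install ${PACKAGES[*]} -y` expands the array with unquoted `[*]`, which works for this list only because every element is a single word; `utils.lxc.attach yum install "${PACKAGES[@]}" -y` is the idiomatic form and passes each element as its own argument, assuming `utils.lxc.attach` forwards `"$@"` unchanged (its definition is outside this hunk). The same applies to the `yum update -y` / `yum install` pair being unconditional: a comment such as `# yum (not dnf): the new-side package set targets releases without dnf` next to `PACKAGES=(...)` would document why the tool differs from the other install scripts.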


@ -1,14 +0,0 @@
#!/bin/bash
set -e
source /etc/profile
echo "Cleaning up"
rm /script.sh
echo 'Removing temporary files...'
rm -rf /tmp/*
echo 'cleaning up distfiles'
rm -f /usr/portage/distfiles/*


@ -1,41 +0,0 @@
#!/bin/bash
set -e
source /etc/profile
echo 'Installing packages and upgrading'
PACKAGES=(net-misc/curl wget man-db openssh ca-certificates sudo)
echo "Installing additional packages: ${ADDPACKAGES}"
PACKAGES+=" ${ADDPACKAGES}"
ANSIBLE=${ANSIBLE:-0}
if [[ $ANSIBLE = 1 ]]; then
PACKAGES+=' ansible'
fi
CHEF=${CHEF:-0}
if [[ $CHEF = 1 ]]; then
echo "Chef installation isn't supported on Gentoo"
exit 1
fi
PUPPET=${PUPPET:-0}
if [[ $PUPPET = 1 ]]; then
PACKAGES+=' puppet eix'
fi
SALT=${SALT:-0}
if [[ $SALT = 1 ]]; then
PACKAGES+=' salt'
fi
# trying to set capabilities on an unprivileged container fails.
echo "*/* -filecaps" > /etc/portage/package.use/vagrant_overrides
emerge --sync
emerge --noreplace ${PACKAGES[*]}
emerge -uND @world
rc-config add sshd default


@ -13,7 +13,6 @@ export RELEASE=$2
export ARCH=$3 export ARCH=$3
export CONTAINER=$4 export CONTAINER=$4
export PACKAGE=$5 export PACKAGE=$5
export ADDPACKAGES=${ADDPACKAGES-$(cat ${RELEASE}_packages | tr "\n" " ")}
export ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs" export ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs"
export WORKING_DIR="/tmp/${CONTAINER}" export WORKING_DIR="/tmp/${CONTAINER}"
export NOW=$(date -u) export NOW=$(date -u)


@ -1,47 +0,0 @@
#!/bin/bash
set -e
source common/ui.sh
source common/utils.sh
if [ "$(id -u)" != "0" ]; then
echo "You should run this script as root (sudo)."
exit 1
fi
TODAY=$(date -u +"%Y-%m-%d")
export DISTRIBUTION=gentoo
export RELEASE=current
export ARCH=$(uname -m | sed -e "s/68/38/" | sed -e "s/x86_64/amd64/")
export CONTAINER="vagrant-base-${DISTRIBUTION}-${ARCH}"
export PACKAGE="output/${TODAY}/${CONTAINER}.box"
export NOW=$(date -u)
echo '############################################'
echo "# Beginning build at $(date)"
if [ -f ${PACKAGE} ]; then
warn "The box '${PACKAGE}' already exists, skipping..."
echo
exit
fi
info "Building box to '${PACKAGE}'..."
./common/download.sh
utils.lxc.start
SECS=15
log "Sleeping for $SECS seconds..."
sleep $SECS
utils.lxc.runscript gentoo/install-packages.sh
./common/prepare-vagrant-user.sh
utils.lxc.runscript gentoo/clean.sh
utils.lxc.stop
./common/package.sh
info "Finished building '${PACKAGE}'!"
log "Run \`lxc-destroy -n ${CONTAINER}\` or \`make clean\` to remove the container that was created along the way"
echo