diff --git a/Makefile b/Makefile index e05b596..f1b8303 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ -UBUNTU_BOXES= precise quantal raring saucy trusty utopic vivid wily xenial -DEBIAN_BOXES= squeeze wheezy jessie stretch sid -CENTOS_BOXES= 6 7 -FEDORA_BOXES= rawhide 23 22 21 20 19 +UBUNTU_BOXES= trusty xenial +DEBIAN_BOXES= jessie stretch sid +CENTOS_BOXES= 7 +FEDORA_BOXES= 27 TODAY=$(shell date -u +"%Y-%m-%d") # Replace i686 with i386 and x86_64 with amd64 @@ -54,7 +54,7 @@ acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)" acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box" acceptance: @mkdir -p $$(dirname $(PACKAGE)) - @PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu precise $(ARCH) $(CONTAINER) $(PACKAGE) + @PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu xenial $(ARCH) $(CONTAINER) $(PACKAGE) @sudo chmod +rw $(PACKAGE) @sudo chown ${USER}: $(PACKAGE) diff --git a/common/download.sh b/common/download.sh index 5fdb8dd..c6b23de 100755 --- a/common/download.sh +++ b/common/download.sh 
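Review bot: The acceptance recipe still hard-codes its release (`xenial`) independently of `UBUNTU_BOXES`, which is exactly how the previous `precise` value went stale after that box was dropped. Tying the two together with a user-overridable knob next to the box lists, `ACCEPTANCE_RELEASE ?= xenial`, and using it in the recipe, `@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu $(ACCEPTANCE_RELEASE) $(ARCH) $(CONTAINER) $(PACKAGE)`, keeps the next pruning of the box list from leaving the acceptance build pointing at a release that is no longer built. A one-line comment on the variable saying it must name a release present in `UBUNTU_BOXES` would make the coupling explicit.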
@@ -26,34 +26,15 @@ fi # If we got to this point, we need to create the container log "Creating container..." -if [ $RELEASE = 'raring' ] || [ $RELEASE = 'wily' ] || [ $RELEASE = 'xenial' ]; then - utils.lxc.create -t ubuntu -- \ - --release ${RELEASE} \ - --arch ${ARCH} -elif [ $RELEASE = 'squeeze' ] || [ $RELEASE = 'wheezy' ]; then - utils.lxc.create -t debian -- \ - --release ${RELEASE} \ - --arch ${ARCH} -elif [ ${DISTRIBUTION} = 'fedora' ] && [ "${RELEASE}" = 'rawhide' ]; then - ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/") - utils.lxc.create -t fedora --\ - --release ${RELEASE} \ - --arch ${ARCH} -elif [ ${DISTRIBUTION} = 'fedora' ] && [ ${RELEASE} -ge 21 ]; then - ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/") - utils.lxc.create -t fedora --\ - --release ${RELEASE} \ - --arch ${ARCH} -else + utils.lxc.create -t download -- \ --dist ${DISTRIBUTION} \ --release ${RELEASE} \ --arch ${ARCH} -fi + if [ ${DISTRIBUTION} = 'fedora' ] ||\ - [ ${DISTRIBUTION} = 'ubuntu' -a ${RELEASE} = 'wily' ] ||\ - [ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' ] ||\ - [ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'stretch' ] + [ ${DISTRIBUTION} = 'ubuntu' ] ||\ + [ ${DISTRIBUTION} = 'debian' ] then # Improve systemd support: # - The fedora template does it but the fedora images from the download diff --git a/conf/centos b/conf/centos index fa493a8..188c4f0 100644 --- a/conf/centos +++ b/conf/centos @@ -1,9 +1,9 @@ # Taken from the oracle.common.conf.in # Console settings -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 +lxc.tty.dir = lxc +lxc.tty.max = 4 +lxc.pty.max = 1024 # Mount entries lxc.mount.auto = proc:mixed sys:ro @@ -54,4 +54,4 @@ lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun # Blacklist some syscalls which are not safe in privileged # containers -lxc.seccomp = /usr/share/lxc/config/common.seccomp +lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp 
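Review bot: The widened condition now takes the systemd branch for every Ubuntu release, including `trusty`, which the Makefile in this same commit still builds and which does not boot systemd as PID 1; if the body of that branch (it continues outside the hunk, past the "Improve systemd support" comment) assumes systemd, it needs either a release check or a runtime test for systemd in the rootfs. Separately, routing every distribution through the `download` template means the rootfs is no longer assembled locally from packages but fetched pre-built from the image server, so the template's GPG validation of the image index is now the only integrity check on the base image; a comment above the call such as `# rootfs is fetched pre-built; the download template's GPG validation of the image index is the only integrity check on it, so never pass --no-validate here` records that reliance. The `[ ${DISTRIBUTION} = ... ]` tests are unquoted, so an empty `DISTRIBUTION` turns into a test syntax error rather than a clear message; `[ "${DISTRIBUTION}" = 'fedora' ]` (and likewise for the other two) fails cleanly.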
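Review bot: The renamed keys (`lxc.tty.dir`, `lxc.tty.max`, `lxc.pty.max`, `lxc.seccomp.profile`) are the current LXC spellings; as far as I recall the new names appeared in LXC 2.1 and the legacy ones were removed in 3.0, so these files now require a host whose LXC parses the new names and an older lxc-create rejects them as unknown keys, yet nothing in the repository states that floor. A header line such as `# Requires LXC >= 2.1 (new-style key names; legacy lxc.tty/lxc.pts/lxc.seccomp removed in 3.0)` at the top of this file would make the requirement visible; the same applies to conf/debian, conf/debian-jessie, conf/debian-stretch, conf/fedora, conf/ubuntu, conf/ubuntu-wily and conf/ubuntu-xenial, which rename the tty/pty, seccomp and apparmor keys the same way. Since the seccomp profile and `lxc.cap.drop` lines are what restrict a privileged container, whether the host accepts these keys decides whether those restrictions are in effect, which is why the version floor is worth stating rather than discovering at run time.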
diff --git a/conf/debian b/conf/debian index 8ac9e05..bb076a4 100644 --- a/conf/debian +++ b/conf/debian @@ -1,36 +1,34 @@ # Default pivot location -lxc.pivotdir = lxc_putold # Default mount entries lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0 # Default console settings -lxc.tty = 4 -lxc.pts = 1024 +lxc.tty.max = 4 +lxc.pty.max = 1024 # Default capabilities lxc.cap.drop = sys_module mac_admin mac_override sys_time # Prevent systemd-journald from burning 100% of CPU # See https://wiki.debian.org/LXC#Incompatibility_with_systemd -lxc.kmsg = 0 lxc.autodev = 1 # When using LXC with apparmor, the container will be confined by default. # If you wish for it to instead run unconfined, copy the following line # (uncommented) to the container's configuration file. -#lxc.aa_profile = unconfined +#lxc.apparmor.profile = unconfined # To support container nesting on an Ubuntu host while retaining most of # apparmor's added security, use the following two lines instead. -#lxc.aa_profile = lxc-container-default-with-nesting +#lxc.apparmor.profile = lxc-container-default-with-nesting #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups # If you wish to allow mounting block filesystems, then use the following # line instead, and make sure to grant access to the block device and/or loop # devices below in lxc.cgroup.devices.allow. -#lxc.aa_profile = lxc-container-default-with-mounting +#lxc.apparmor.profile = lxc-container-default-with-mounting # Default cgroup limits lxc.cgroup.devices.deny = a diff --git a/conf/debian-jessie b/conf/debian-jessie index f98b85f..eae1244 100644 --- a/conf/debian-jessie +++ b/conf/debian-jessie 
@@ -1,17 +1,15 @@ # support systemd as PID 1 lxc.autodev = 1 -lxc.kmsg = 0 # Default pivot location -lxc.pivotdir = lxc_putold # Default mount entries lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 # Default console settings -lxc.tty = 4 -lxc.pts = 1024 +lxc.tty.max = 4 +lxc.pty.max = 1024 # Default capabilities lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio @@ -19,17 +17,17 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio # When using LXC with apparmor, the container will be confined by default. # If you wish for it to instead run unconfined, copy the following line # (uncommented) to the container's configuration file. -#lxc.aa_profile = unconfined +#lxc.apparmor.profile = unconfined # To support container nesting on an Ubuntu host while retaining most of # apparmor's added security, use the following two lines instead. -#lxc.aa_profile = lxc-container-default-with-nesting +#lxc.apparmor.profile = lxc-container-default-with-nesting #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups # If you wish to allow mounting block filesystems, then use the following # line instead, and make sure to grant access to the block device and/or loop # devices below in lxc.cgroup.devices.allow. -#lxc.aa_profile = lxc-container-default-with-mounting +#lxc.apparmor.profile = lxc-container-default-with-mounting # Default cgroup limits lxc.cgroup.devices.deny = a diff --git a/conf/debian-stretch b/conf/debian-stretch deleted file mode 120000 index 5c5c2ae..0000000 --- a/conf/debian-stretch +++ /dev/null @@ -1 +0,0 @@ -debian-jessie \ No newline at end of file diff --git a/conf/debian-stretch b/conf/debian-stretch new file mode 100644 index 0000000..eae1244 --- /dev/null +++ b/conf/debian-stretch 
@@ -0,0 +1,63 @@ +# support systemd as PID 1 +lxc.autodev = 1 + +# Default pivot location + +# Default mount entries +lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed +lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 + +# Default console settings +lxc.tty.max = 4 +lxc.pty.max = 1024 + +# Default capabilities +lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio + +# When using LXC with apparmor, the container will be confined by default. +# If you wish for it to instead run unconfined, copy the following line +# (uncommented) to the container's configuration file. +#lxc.apparmor.profile = unconfined + +# To support container nesting on an Ubuntu host while retaining most of +# apparmor's added security, use the following two lines instead. +#lxc.apparmor.profile = lxc-container-default-with-nesting +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups + +# If you wish to allow mounting block filesystems, then use the following +# line instead, and make sure to grant access to the block device and/or loop +# devices below in lxc.cgroup.devices.allow. 
+#lxc.apparmor.profile = lxc-container-default-with-mounting + +# Default cgroup limits +lxc.cgroup.devices.deny = a +## Allow any mknod (but not using the node) +lxc.cgroup.devices.allow = c *:* m +lxc.cgroup.devices.allow = b *:* m +## /dev/null and zero +lxc.cgroup.devices.allow = c 1:3 rwm +lxc.cgroup.devices.allow = c 1:5 rwm +## consoles +lxc.cgroup.devices.allow = c 5:0 rwm +lxc.cgroup.devices.allow = c 5:1 rwm +## /dev/{,u}random +lxc.cgroup.devices.allow = c 1:8 rwm +lxc.cgroup.devices.allow = c 1:9 rwm +## /dev/pts/* +lxc.cgroup.devices.allow = c 5:2 rwm +lxc.cgroup.devices.allow = c 136:* rwm +## rtc +lxc.cgroup.devices.allow = c 254:0 rm +## fuse +lxc.cgroup.devices.allow = c 10:229 rwm +## tun +lxc.cgroup.devices.allow = c 10:200 rwm +## full +lxc.cgroup.devices.allow = c 1:7 rwm +## hpet +lxc.cgroup.devices.allow = c 10:228 rwm +## kvm +lxc.cgroup.devices.allow = c 10:232 rwm +## To use loop devices, copy the following line to the container's +## configuration file (uncommented). +#lxc.cgroup.devices.allow = b 7:* rwm diff --git a/conf/fedora b/conf/fedora index 464a586..8ea8f05 100644 --- a/conf/fedora +++ b/conf/fedora @@ -1,13 +1,12 @@ # work better with systemd: lxc.autodev = 1 -lxc.kmsg = 0 # Taken from the oracle.common.conf.in # Console settings -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 +lxc.tty.dir = lxc +lxc.tty.max = 4 +lxc.pty.max = 1024 # Mount entries lxc.mount.auto = proc:mixed sys:ro @@ -66,4 +65,4 @@ lxc.cgroup.devices.allow = c 5:2 rwm # Blacklist some syscalls which are not safe in privileged # containers -lxc.seccomp = /usr/share/lxc/config/common.seccomp +lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp diff --git a/conf/ubuntu b/conf/ubuntu index 4460cb6..9ebb9eb 100644 --- a/conf/ubuntu +++ b/conf/ubuntu 
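Review bot: The new file keeps `# Default pivot location` as a heading with nothing under it now that `lxc.pivotdir` is gone, and the same dangling heading survives in conf/debian, conf/debian-jessie and conf/ubuntu; either drop the two lines or replace them with a note on why the setting is no longer needed. This file is also byte-identical to conf/debian-jessie (both hunks land on blob eae1244), so replacing the symlink with a copy means every future change must be made twice; a first line such as `# Keep in sync with conf/debian-jessie (identical on purpose)` would at least flag the duplication, or a short shared file could be pulled in with `lxc.include` as conf/ubuntu-xenial already does for the distro defaults.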
@@ -1,14 +1,13 @@ # Default pivot location -lxc.pivotdir = lxc_putold # Default mount entries lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0 # Default console settings -lxc.devttydir = lxc -lxc.tty = 4 -lxc.pts = 1024 +lxc.tty.dir = lxc +lxc.tty.max = 4 +lxc.pty.max = 1024 # Default capabilities lxc.cap.drop = sys_module mac_admin mac_override sys_time @@ -16,11 +15,11 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, the container will be confined by default. # If you wish for it to instead run unconfined, copy the following line # (uncommented) to the container's configuration file. -#lxc.aa_profile = unconfined +#lxc.apparmor.profile = unconfined # To support container nesting on an Ubuntu host while retaining most of # apparmor's added security, use the following two lines instead. -#lxc.aa_profile = lxc-container-default-with-nesting +#lxc.apparmor.profile = lxc-container-default-with-nesting #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups # Uncomment the following line to autodetect squid-deb-proxy configuration on the @@ -30,7 +29,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time # If you wish to allow mounting block filesystems, then use the following # line instead, and make sure to grant access to the block device and/or loop # devices below in lxc.cgroup.devices.allow. -#lxc.aa_profile = lxc-container-default-with-mounting +#lxc.apparmor.profile = lxc-container-default-with-mounting # Default cgroup limits lxc.cgroup.devices.deny = a diff --git a/conf/ubuntu-wily b/conf/ubuntu-wily index 869d6af..d936899 100644 --- a/conf/ubuntu-wily +++ b/conf/ubuntu-wily @@ -6,5 +6,4 @@ lxc.include = /usr/share/lxc/config/ubuntu.common.conf # settings for systemd with PID 1: -lxc.kmsg = 0 lxc.autodev = 1 diff --git a/conf/ubuntu-xenial b/conf/ubuntu-xenial index df9b2f2..ccba934 100644 --- a/conf/ubuntu-xenial +++ b/conf/ubuntu-xenial 
@@ -6,8 +6,7 @@ lxc.include = /usr/share/lxc/config/ubuntu.common.conf # settings for systemd with PID 1: -lxc.kmsg = 0 lxc.autodev = 1 # allow unconfined and incomplete -lxc.aa_profile = unconfined -lxc.aa_allow_incomplete = 1 +lxc.apparmor.profile = unconfined +lxc.apparmor.allow_incomplete = 1 diff --git a/debian/install-extras.sh b/debian/install-extras.sh index 55c7966..b685ba9 100755 --- a/debian/install-extras.sh +++ b/debian/install-extras.sh @@ -50,7 +50,7 @@ if [ $ANSIBLE = 1 ]; then else info "Installing Ansible" cp debian/install-ansible.sh ${ROOTFS}/tmp/ && chmod +x ${ROOTFS}/tmp/install-ansible.sh - utils.lxc.attach /tmp/install-ansible.sh &>>${LOG} + utils.lxc.attach /tmp/install-ansible.sh fi else log "Skipping Ansible installation" @@ -79,8 +79,6 @@ if [ $PUPPET = 1 ]; then warn "Puppet can't be installed on Debian sid, skipping" else log "Installing Puppet" - wget http://apt.puppetlabs.com/puppetlabs-release-${RELEASE}.deb -O "${ROOTFS}/tmp/puppetlabs-release-stable.deb" &>>${LOG} - utils.lxc.attach dpkg -i "/tmp/puppetlabs-release-stable.deb" utils.lxc.attach apt-get update utils.lxc.attach apt-get install puppet -y --force-yes fi 
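Review bot: The renamed lines keep the xenial container unconfined by AppArmor and accept incomplete profiles, but the comment above them (`# allow unconfined and incomplete`) only restates the keys and not why this image needs it when conf/ubuntu and the debian configs offer `unconfined` only as a commented-out option. A comment of the form `# Unconfined on purpose: <reason, e.g. which xenial/systemd failure occurs under the default profile>; revisit once the default profile works` keeps the exception from surviving by inertia; I am inferring the motivation, so fill in the actual reason. Stating that this is the one image shipped with the host's default AppArmor confinement switched off makes the trade-off visible to whoever consumes the box.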
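Review bot: With the Puppet Labs repository setup removed, `puppet` is now installed from the distribution archive, but the install line keeps `--force-yes`, which apt documents as dangerous, which newer apt deprecates, and which among other things lets installs proceed past failed package authentication; the same flag remains on the `salt-minion` install in the later hunk of this file now that the SaltStack repository and key import are gone. Since both packages now come from the signed distro archive, `-y` alone does the job: `utils.lxc.attach apt-get install puppet -y` and `utils.lxc.attach apt-get install salt-minion -y`, with a comment such as `# distro packages only; keep apt signature checks on` above each. The enclosing if/else blocks begin outside the hunk.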
@@ -91,68 +89,10 @@ fi if [ $SALT = 1 ]; then if $(lxc-attach -n ${CONTAINER} -- which salt-minion &>/dev/null); then log "Salt has been installed on container, skipping" - elif [ ${RELEASE} = 'raring' ]; then - warn "Salt can't be installed on Ubuntu Raring 13.04, skipping" else - if [ $DISTRIBUTION = 'ubuntu' ]; then - if [ $RELEASE = 'precise' ] || [ $RELEASE = 'trusty' ] || [ $RELEASE = 'xenial' ] ; then - # For LTS releases we use packages from repo.saltstack.com - if [ $RELEASE = 'precise' ]; then - SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest precise main" - SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest/SALTSTACK-GPG-KEY.pub" - elif [ $RELEASE = 'trusty' ]; then - SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main" - SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub" - elif [ $RELEASE = 'xenial' ]; then - SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main" - SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub" - fi - echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list - - utils.lxc.attach wget -q -O /tmp/salt.key $SALT_GPG_KEY - utils.lxc.attach apt-key add /tmp/salt.key - elif [ $RELEASE = 'quantal' ] || [ $RELEASE = 'saucy' ] ; then - utils.lxc.attach add-apt-repository -y ppa:saltstack/salt - fi - # For Utopic, Vivid and Wily releases use system packages - else # DEBIAN - if [ $RELEASE == "squeeze" ]; then - SALT_SOURCE_1="deb http://debian.saltstack.com/debian squeeze-saltstack main" - SALT_SOURCE_2="deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free" - elif [ $RELEASE == "wheezy" ]; then - SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/7/amd64/latest wheezy main" - elif [ $RELEASE == "jessie" ]; then - SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie 
main" - else - SALT_SOURCE_1="deb http://debian.saltstack.com/debian unstable main" - fi - echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list - echo $SALT_SOURCE_2 >> ${ROOTFS}/etc/apt/sources.list.d/saltstack.list - - utils.lxc.attach wget -q -O /tmp/salt.key "https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub" - utils.lxc.attach apt-key add /tmp/salt.key - fi utils.lxc.attach apt-get update utils.lxc.attach apt-get install salt-minion -y --force-yes fi else log "Skipping Salt installation" fi - -if [ $BABUSHKA = 1 ]; then - if $(lxc-attach -n ${CONTAINER} -- which babushka &>/dev/null); then - log "Babushka has been installed on container, skipping" - elif [ ${RELEASE} = 'trusty' ]; then - warn "Babushka can't be installed on Ubuntu Trusty 14.04, skipping" - else - log "Installing Babushka" - cat > $ROOTFS/tmp/install-babushka.sh << EOF -#!/bin/sh -curl https://babushka.me/up | sudo bash -EOF - chmod +x $ROOTFS/tmp/install-babushka.sh - utils.lxc.attach /tmp/install-babushka.sh - fi -else - log "Skipping Babushka installation" -fi diff --git a/fedora/install-extras.sh b/fedora/install-extras.sh index d8f8673..b247ec5 100755 --- a/fedora/install-extras.sh +++ b/fedora/install-extras.sh @@ -17,8 +17,8 @@ sleep $SECS # TODO: Support for appending to this list from outside PACKAGES=(vim-enhanced curl wget man-db bash-completion ca-certificates sudo openssh-server strace python-dnf dnf-plugins-core e2fsprogs net-tools bind-utils) -utils.lxc.attach yum update -y -utils.lxc.attach yum install ${PACKAGES[*]} -y +utils.lxc.attach dnf update -y +utils.lxc.attach dnf install ${PACKAGES[*]} -y MASK_TMP=${MASK_TMP:-0}