Fix all builds for LXC v3.0

This commit is contained in:
Virgil Dupras 2018-04-30 22:04:29 -04:00
parent 552f378613
commit 2802008032
12 changed files with 101 additions and 126 deletions

View file

@ -1,7 +1,7 @@
UBUNTU_BOXES= precise quantal raring saucy trusty utopic vivid wily xenial
DEBIAN_BOXES= squeeze wheezy jessie stretch sid
CENTOS_BOXES= 6 7
FEDORA_BOXES= rawhide 23 22 21 20 19
UBUNTU_BOXES= trusty xenial
DEBIAN_BOXES= jessie stretch sid
CENTOS_BOXES= 7
FEDORA_BOXES= 27
TODAY=$(shell date -u +"%Y-%m-%d")
# Replace i686 with i386 and x86_64 with amd64
@ -54,7 +54,7 @@ acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)"
acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box"
acceptance:
@mkdir -p $$(dirname $(PACKAGE))
@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu precise $(ARCH) $(CONTAINER) $(PACKAGE)
@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu xenial $(ARCH) $(CONTAINER) $(PACKAGE)
@sudo chmod +rw $(PACKAGE)
@sudo chown ${USER}: $(PACKAGE)

View file

@ -26,34 +26,15 @@ fi
# If we got to this point, we need to create the container
log "Creating container..."
if [ $RELEASE = 'raring' ] || [ $RELEASE = 'wily' ] || [ $RELEASE = 'xenial' ]; then
utils.lxc.create -t ubuntu -- \
--release ${RELEASE} \
--arch ${ARCH}
elif [ $RELEASE = 'squeeze' ] || [ $RELEASE = 'wheezy' ]; then
utils.lxc.create -t debian -- \
--release ${RELEASE} \
--arch ${ARCH}
elif [ ${DISTRIBUTION} = 'fedora' ] && [ "${RELEASE}" = 'rawhide' ]; then
ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
utils.lxc.create -t fedora --\
--release ${RELEASE} \
--arch ${ARCH}
elif [ ${DISTRIBUTION} = 'fedora' ] && [ ${RELEASE} -ge 21 ]; then
ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
utils.lxc.create -t fedora --\
--release ${RELEASE} \
--arch ${ARCH}
else
utils.lxc.create -t download -- \
--dist ${DISTRIBUTION} \
--release ${RELEASE} \
--arch ${ARCH}
fi
if [ ${DISTRIBUTION} = 'fedora' ] ||\
[ ${DISTRIBUTION} = 'ubuntu' -a ${RELEASE} = 'wily' ] ||\
[ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' ] ||\
[ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'stretch' ]
[ ${DISTRIBUTION} = 'ubuntu' ] ||\
[ ${DISTRIBUTION} = 'debian' ]
then
# Improve systemd support:
# - The fedora template does it but the fedora images from the download

View file

@ -1,9 +1,9 @@
# Taken from the oracle.common.conf.in
# Console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
lxc.tty.dir = lxc
lxc.tty.max = 4
lxc.pty.max = 1024
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
@ -54,4 +54,4 @@ lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp

View file

@ -1,36 +1,34 @@
# Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Default console settings
lxc.tty = 4
lxc.pts = 1024
lxc.tty.max = 4
lxc.pty.max = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# Prevent systemd-journald from burning 100% of CPU
# See https://wiki.debian.org/LXC#Incompatibility_with_systemd
lxc.kmsg = 0
lxc.autodev = 1
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined
#lxc.apparmor.profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.apparmor.profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
#lxc.apparmor.profile = lxc-container-default-with-mounting
# Default cgroup limits
lxc.cgroup.devices.deny = a

View file

@ -1,17 +1,15 @@
# support systemd as PID 1
lxc.autodev = 1
lxc.kmsg = 0
# Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
# Default console settings
lxc.tty = 4
lxc.pts = 1024
lxc.tty.max = 4
lxc.pty.max = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
@ -19,17 +17,17 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined
#lxc.apparmor.profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.apparmor.profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
#lxc.apparmor.profile = lxc-container-default-with-mounting
# Default cgroup limits
lxc.cgroup.devices.deny = a

View file

@ -1 +0,0 @@
debian-jessie

63
conf/debian-stretch Normal file
View file

@ -0,0 +1,63 @@
# support systemd as PID 1
lxc.autodev = 1
# Default pivot location
# Default mount entries
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
# Default console settings
lxc.tty.max = 4
lxc.pty.max = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.apparmor.profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting
# Default cgroup limits
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm

View file

@ -1,13 +1,12 @@
# work better with systemd:
lxc.autodev = 1
lxc.kmsg = 0
# Taken from the oracle.common.conf.in
# Console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
lxc.tty.dir = lxc
lxc.tty.max = 4
lxc.pty.max = 1024
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
@ -66,4 +65,4 @@ lxc.cgroup.devices.allow = c 5:2 rwm
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp

View file

@ -1,14 +1,13 @@
# Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Default console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
lxc.tty.dir = lxc
lxc.tty.max = 4
lxc.pty.max = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time
@ -16,11 +15,11 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined
#lxc.apparmor.profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.apparmor.profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# Uncomment the following line to autodetect squid-deb-proxy configuration on the
@ -30,7 +29,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
#lxc.apparmor.profile = lxc-container-default-with-mounting
# Default cgroup limits
lxc.cgroup.devices.deny = a

View file

@ -6,5 +6,4 @@
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
# settings for systemd with PID 1:
lxc.kmsg = 0
lxc.autodev = 1

View file

@ -6,8 +6,7 @@
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
# settings for systemd with PID 1:
lxc.kmsg = 0
lxc.autodev = 1
# allow unconfined and incomplete
lxc.aa_profile = unconfined
lxc.aa_allow_incomplete = 1
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_incomplete = 1

View file

@ -50,7 +50,7 @@ if [ $ANSIBLE = 1 ]; then
else
info "Installing Ansible"
cp debian/install-ansible.sh ${ROOTFS}/tmp/ && chmod +x ${ROOTFS}/tmp/install-ansible.sh
utils.lxc.attach /tmp/install-ansible.sh &>>${LOG}
utils.lxc.attach /tmp/install-ansible.sh
fi
else
log "Skipping Ansible installation"
@ -79,8 +79,6 @@ if [ $PUPPET = 1 ]; then
warn "Puppet can't be installed on Debian sid, skipping"
else
log "Installing Puppet"
wget http://apt.puppetlabs.com/puppetlabs-release-${RELEASE}.deb -O "${ROOTFS}/tmp/puppetlabs-release-stable.deb" &>>${LOG}
utils.lxc.attach dpkg -i "/tmp/puppetlabs-release-stable.deb"
utils.lxc.attach apt-get update
utils.lxc.attach apt-get install puppet -y --force-yes
fi
@ -91,68 +89,10 @@ fi
if [ $SALT = 1 ]; then
if $(lxc-attach -n ${CONTAINER} -- which salt-minion &>/dev/null); then
log "Salt has been installed on container, skipping"
elif [ ${RELEASE} = 'raring' ]; then
warn "Salt can't be installed on Ubuntu Raring 13.04, skipping"
else
if [ $DISTRIBUTION = 'ubuntu' ]; then
if [ $RELEASE = 'precise' ] || [ $RELEASE = 'trusty' ] || [ $RELEASE = 'xenial' ] ; then
# For LTS releases we use packages from repo.saltstack.com
if [ $RELEASE = 'precise' ]; then
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest precise main"
SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
elif [ $RELEASE = 'trusty' ]; then
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main"
SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
elif [ $RELEASE = 'xenial' ]; then
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main"
SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
fi
echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
utils.lxc.attach wget -q -O /tmp/salt.key $SALT_GPG_KEY
utils.lxc.attach apt-key add /tmp/salt.key
elif [ $RELEASE = 'quantal' ] || [ $RELEASE = 'saucy' ] ; then
utils.lxc.attach add-apt-repository -y ppa:saltstack/salt
fi
# For Utopic, Vivid and Wily releases use system packages
else # DEBIAN
if [ $RELEASE == "squeeze" ]; then
SALT_SOURCE_1="deb http://debian.saltstack.com/debian squeeze-saltstack main"
SALT_SOURCE_2="deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free"
elif [ $RELEASE == "wheezy" ]; then
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/7/amd64/latest wheezy main"
elif [ $RELEASE == "jessie" ]; then
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main"
else
SALT_SOURCE_1="deb http://debian.saltstack.com/debian unstable main"
fi
echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
echo $SALT_SOURCE_2 >> ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
utils.lxc.attach wget -q -O /tmp/salt.key "https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub"
utils.lxc.attach apt-key add /tmp/salt.key
fi
utils.lxc.attach apt-get update
utils.lxc.attach apt-get install salt-minion -y --force-yes
fi
else
log "Skipping Salt installation"
fi
if [ $BABUSHKA = 1 ]; then
if $(lxc-attach -n ${CONTAINER} -- which babushka &>/dev/null); then
log "Babushka has been installed on container, skipping"
elif [ ${RELEASE} = 'trusty' ]; then
warn "Babushka can't be installed on Ubuntu Trusty 14.04, skipping"
else
log "Installing Babushka"
cat > $ROOTFS/tmp/install-babushka.sh << EOF
#!/bin/sh
curl https://babushka.me/up | sudo bash
EOF
chmod +x $ROOTFS/tmp/install-babushka.sh
utils.lxc.attach /tmp/install-babushka.sh
fi
else
log "Skipping Babushka installation"
fi

View file

@ -17,8 +17,8 @@ sleep $SECS
# TODO: Support for appending to this list from outside
PACKAGES=(vim-enhanced curl wget man-db bash-completion ca-certificates sudo openssh-server strace python-dnf dnf-plugins-core e2fsprogs net-tools bind-utils)
utils.lxc.attach yum update -y
utils.lxc.attach yum install ${PACKAGES[*]} -y
utils.lxc.attach dnf update -y
utils.lxc.attach dnf install ${PACKAGES[*]} -y
MASK_TMP=${MASK_TMP:-0}