maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-@ENABLE_APPARMOR_FALSE@uninstall-local:
@ENABLE_APPARMOR_FALSE@install-data-local:
+@ENABLE_APPARMOR_FALSE@uninstall-local:
clean: clean-am
clean-am: clean-generic mostlyclean-am
mount fstype=fuse,
mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made slave, shared, private or unbindable
+ mount options=(rw,make-slave) -> **,
+ mount options=(rw,make-rslave) -> **,
+ mount options=(rw,make-shared) -> **,
+ mount options=(rw,make-rshared) -> **,
+ mount options=(rw,make-private) -> **,
+ mount options=(rw,make-rprivate) -> **,
+ mount options=(rw,make-unbindable) -> **,
+ mount options=(rw,make-runbindable) -> **,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+
+ # allow moving mounts except for /proc, /sys and /dev
+ mount options=(rw,move) /[^spd]*{,/**},
+ mount options=(rw,move) /d[^e]*{,/**},
+ mount options=(rw,move) /de[^v]*{,/**},
+ mount options=(rw,move) /dev/.[^l]*{,/**},
+ mount options=(rw,move) /dev/.l[^x]*{,/**},
+ mount options=(rw,move) /dev/.lx[^c]*{,/**},
+ mount options=(rw,move) /dev/.lxc?*{,/**},
+ mount options=(rw,move) /dev/[^.]*{,/**},
+ mount options=(rw,move) /dev?*{,/**},
+ mount options=(rw,move) /p[^r]*{,/**},
+ mount options=(rw,move) /pr[^o]*{,/**},
+ mount options=(rw,move) /pro[^c]*{,/**},
+ mount options=(rw,move) /proc?*{,/**},
+ mount options=(rw,move) /s[^y]*{,/**},
+ mount options=(rw,move) /sy[^s]*{,/**},
+ mount options=(rw,move) /sys?*{,/**},
+
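Review bot: The eight `mount options=(rw,make-slave) -> **,` … `make-runbindable` rules added at L22–L30 are left active in this profile, whereas the identical rules added to the second profile (L85–L93) are commented out under a FIXME saying the apparmor parser treats them as allowing all mounts; if that FIXME is accurate, this profile (and the `mount options=(rw, make-rslave) -> **,` line added at L134) effectively grants unrestricted mount permission and the bind/move restrictions that follow are moot, so either disable them with the same FIXME here or document why this profile is exempt. Separately, the comment `# allow bind-mounts of anything except /proc, /sys and /dev` (and its `move` twin at L50, repeated at L95 and L113) overstates the /dev exclusion: `/dev/[^.]*{,/**}` and the `/dev/.[^l]*` family permit nearly everything under /dev, leaving out only `/dev`, `/dev/` and `/dev/.lxc{,/**}`, while /proc and /sys really are excluded in full. A comment that matches the rules would be `# allow bind-mounts of anything except /proc, /sys, /dev itself and /dev/.lxc`. The `/dev/.lxc` carve-out appears to be the host staging directory that this same change drops together with lxc-devsetup, so it is worth confirming whether that exclusion is still needed.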
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
mount fstype=fuse,
mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made slave, shared, private or unbindable
+ # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+# mount options=(rw,make-slave) -> **,
+# mount options=(rw,make-rslave) -> **,
+# mount options=(rw,make-shared) -> **,
+# mount options=(rw,make-rshared) -> **,
+# mount options=(rw,make-private) -> **,
+# mount options=(rw,make-rprivate) -> **,
+# mount options=(rw,make-unbindable) -> **,
+# mount options=(rw,make-runbindable) -> **,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+
+ # allow moving mounts except for /proc, /sys and /dev
+ mount options=(rw,move) /[^spd]*{,/**},
+ mount options=(rw,move) /d[^e]*{,/**},
+ mount options=(rw,move) /de[^v]*{,/**},
+ mount options=(rw,move) /dev/.[^l]*{,/**},
+ mount options=(rw,move) /dev/.l[^x]*{,/**},
+ mount options=(rw,move) /dev/.lx[^c]*{,/**},
+ mount options=(rw,move) /dev/.lxc?*{,/**},
+ mount options=(rw,move) /dev/[^.]*{,/**},
+ mount options=(rw,move) /dev?*{,/**},
+ mount options=(rw,move) /p[^r]*{,/**},
+ mount options=(rw,move) /pr[^o]*{,/**},
+ mount options=(rw,move) /pro[^c]*{,/**},
+ mount options=(rw,move) /proc?*{,/**},
+ mount options=(rw,move) /s[^y]*{,/**},
+ mount options=(rw,move) /sy[^s]*{,/**},
+ mount options=(rw,move) /sys?*{,/**},
+
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
mount options=(rw, make-slave) -> **,
+ mount options=(rw, make-rslave) -> **,
mount fstype=debugfs,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-@ENABLE_BASH_FALSE@install-data-local:
@ENABLE_BASH_FALSE@uninstall-local:
+@ENABLE_BASH_FALSE@install-data-local:
clean: clean-am
clean-am: clean-generic mostlyclean-am
-EXTRA_DIST = lxc-containers.in lxc-net.in lxc-devsetup
-pkglibexec_SCRIPTS = lxc-containers lxc-net lxc-devsetup
+EXTRA_DIST = lxc-containers.in lxc-net.in
+pkglibexec_SCRIPTS = lxc-containers lxc-net
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-EXTRA_DIST = lxc-containers.in lxc-net.in lxc-devsetup
-pkglibexec_SCRIPTS = lxc-containers lxc-net lxc-devsetup
+EXTRA_DIST = lxc-containers.in lxc-net.in
+pkglibexec_SCRIPTS = lxc-containers lxc-net
all: all-am
.SUFFIXES:
+++ /dev/null
-#!/bin/sh -
-
-# lxc.devsetup - Setup host /dev for container /dev subdirectories.
-
-if [ ! -d /dev/.lxc ]
-then
- echo "Creating /dev/.lxc"
- mkdir /dev/.lxc
- chmod 755 /dev/.lxc
-fi
-
-if grep -q "/dev devtmpfs " /proc/self/mounts
-then
- echo "/dev is devtmpfs"
-else
- echo "/dev is not devtmpfs - mounting tmpfs on .lxc"
- mount -t tmpfs tmpfs /dev/.lxc
-fi
-
-if [ ! -d /dev/.lxc/user ]
-then
- echo "Creating /dev/.lxc/user"
- mkdir /dev/.lxc/user
- chmod 1777 /dev/.lxc/user
-fi
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-@INIT_SCRIPT_SYSTEMD_FALSE@install-data-local:
@INIT_SCRIPT_SYSTEMD_FALSE@uninstall-local:
+@INIT_SCRIPT_SYSTEMD_FALSE@install-data-local:
clean: clean-am
clean-am: clean-generic mostlyclean-am
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStartPre=@LIBEXECDIR@/lxc/lxc-devsetup
ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load
ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
KillMode=mixed
KillSignal=SIGPWR
TimeoutStopSec=120s
-ExecStart=@BINDIR@/lxc-start -n %i
+ExecStart=@BINDIR@/lxc-start -F -n %i
# Environment=BOOTUP=serial
# Environment=CONSOLETYPE=serial
Delegate=yes
start() {
# Setup host /dev for autodev containers.
- @LIBEXECDIR@/lxc/lxc-devsetup
log_daemon_msg "Starting LXC autoboot containers: "
@LIBEXECDIR@/lxc/lxc-containers start
}
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-@INIT_SCRIPT_UPSTART_FALSE@install-data-local:
@INIT_SCRIPT_UPSTART_FALSE@uninstall-local:
+@INIT_SCRIPT_UPSTART_FALSE@install-data-local:
clean: clean-am
clean-am: clean-generic mostlyclean-am
lxc-wait -s RUNNING -n $NAME -t 0 && { stop; exit 0; } || true
end script
-script
- exec lxc-start -n $NAME
-end script
+exec lxc-start -F -n $NAME
fi
fi
- # Setup host /dev for autodev containers.
- /usr/local/libexec/lxc/lxc-devsetup
-
[ "x$LXC_AUTO" = "xtrue" ] || exit 0
if [ -n "$BOOTGROUPS" ]
fi
fi
- # Setup host /dev for autodev containers.
- @LIBEXECDIR@/lxc/lxc-devsetup
-
[ "x$LXC_AUTO" = "xtrue" ] || exit 0
if [ -n "$BOOTGROUPS" ]
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for lxc 2.0.1.
+# Generated by GNU Autoconf 2.69 for lxc 2.0.2.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
# Identity of this package.
PACKAGE_NAME='lxc'
PACKAGE_TARNAME='lxc'
-PACKAGE_VERSION='2.0.1'
-PACKAGE_STRING='lxc 2.0.1'
+PACKAGE_VERSION='2.0.2'
+PACKAGE_STRING='lxc 2.0.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures lxc 2.0.1 to adapt to many kinds of systems.
+\`configure' configures lxc 2.0.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of lxc 2.0.1:";;
+ short | recursive ) echo "Configuration of lxc 2.0.2:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-lxc configure 2.0.1
+lxc configure 2.0.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by lxc $as_me 2.0.1, which was
+It was created by lxc $as_me 2.0.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
fi
fi
-LXC_VERSION_BASE=2.0.1
+LXC_VERSION_BASE=2.0.2
LXC_VERSION_MINOR=0
-LXC_VERSION_MICRO=1
+LXC_VERSION_MICRO=2
LXC_VERSION_ABI=1.2.0
-LXC_VERSION=2.0.1
+LXC_VERSION=2.0.2
# Define the identity of the package.
PACKAGE='lxc'
- VERSION='2.0.1'
+ VERSION='2.0.2'
cat >>confdefs.h <<_ACEOF
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by lxc $as_me 2.0.1, which was
+This file was extended by lxc $as_me 2.0.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-lxc config.status 2.0.1
+lxc config.status 2.0.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
m4_define([lxc_version_major], 2)
m4_define([lxc_version_minor], 0)
-m4_define([lxc_version_micro], 1)
+m4_define([lxc_version_micro], 2)
m4_define([lxc_version_beta], [])
m4_define([lxc_version_abi], 1.2.0)
%endif
Name: lxc
-Version: 2.0.1
+Version: 2.0.2
Release: %{?beta_rel:0.1.%{beta_rel}}%{?!beta_rel:%{norm_rel}}%{?dist}
URL: http://linuxcontainers.org
Source: http://linuxcontainers.org/downloads/%{name}-%{version}%{?beta_dot}.tar.gz
%{_libexecdir}/%{name}
%attr(4111,root,root) %{_libexecdir}/%{name}/lxc-user-nic
%if %{with_systemd}
-%attr(555,root,root) %{_libexecdir}/%{name}/lxc-devsetup
%attr(555,root,root) %{_libexecdir}/%{name}/lxc-net
%attr(555,root,root) %{_libexecdir}/%{name}/lxc-containers
%endif
%{_libexecdir}/%{name}
%attr(4111,root,root) %{_libexecdir}/%{name}/lxc-user-nic
%if %{with_systemd}
-%attr(555,root,root) %{_libexecdir}/%{name}/lxc-devsetup
%attr(555,root,root) %{_libexecdir}/%{name}/lxc-net
%attr(555,root,root) %{_libexecdir}/%{name}/lxc-containers
%endif
extern struct mntent *getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz);
#endif
-#ifndef HAVE_SETMNTENT
+#if !defined(HAVE_SETMNTENT) || IS_BIONIC
FILE *setmntent (const char *file, const char *mode);
#endif
-#ifndef HAVE_ENDMNTENT
+#if !defined(HAVE_ENDMNTENT) || IS_BIONIC
int endmntent (FILE *stream);
#endif
-#ifndef HAVE_HASMNTOPT
+#if !defined(HAVE_HASMNTOPT) || IS_BIONIC
extern char *hasmntopt (const struct mntent *mnt, const char *opt);
#endif
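Review bot: The three new `#if !defined(HAVE_SETMNTENT) || IS_BIONIC` conditions (L342, L346, L350) use `IS_BIONIC` as a value, so on a non-bionic build where config.h does not define it at all the preprocessor silently substitutes 0; that compiles, but `-Wundef` will flag it and a typo in the macro name would be indistinguishable from "not bionic". If the macro is only ever defined when bionic is detected, `#if !defined(HAVE_SETMNTENT) || defined(IS_BIONIC)` states the intent exactly; if it is always defined as 0 or 1, a comment above the first use saying so would remove the ambiguity. A brief comment on why bionic needs these prototypes even when the HAVE_* checks pass would also help the next reader, since the hunk gives no reason.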
/* The command line always looks like:
* criu $(action) --tcp-established --file-locks --link-remap \
- * --manage-cgroups action-script foo.sh -D $(directory) \
+ * --manage-cgroups=full action-script foo.sh -D $(directory) \
* -o $(directory)/$(action).log --ext-mount-map auto
* --enable-external-sharing --enable-external-masters
* --enable-fs hugetlbfs --enable-fs tracefs --ext-mount-map console:/dev/pts/n
DECLARE_ARG("--tcp-established");
DECLARE_ARG("--file-locks");
DECLARE_ARG("--link-remap");
- DECLARE_ARG("--manage-cgroups");
+ DECLARE_ARG("--manage-cgroups=full");
DECLARE_ARG("--ext-mount-map");
DECLARE_ARG("auto");
DECLARE_ARG("--enable-external-sharing");
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
-#include <linux/if_bridge.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/sockios.h>
#define LXC_VERSION_MAJOR 2
#define LXC_VERSION_MINOR 0
-#define LXC_VERSION_MICRO 1
+#define LXC_VERSION_MICRO 2
#define LXC_VERSION_ABI "1.2.0"
-#define LXC_VERSION "2.0.1"
+#define LXC_VERSION "2.0.2"
#endif
download_debian()
{
packages=\
+init,\
ifupdown,\
locales,\
libui-dialog-perl,\
# OL7 has systemd, no rc.sysinit
if [ $container_release_major = "7" ]; then
- # from mhw in the fedora template: We do need to disable the
- # "ConditionalPathExists=/dev/tty0" line or no gettys are started on
- # the ttys in the container. Lets do it in an override copy of the
- # service so it can still pass rpm verifies and not be automatically
- # updated by a new systemd version.
- sed -e 's/^ConditionPathExists=/#LXC ConditionPathExists=/' \
- < $container_rootfs/usr/lib/systemd/system/getty\@.service \
- > $container_rootfs/etc/systemd/system/getty\@.service
- # Setup getty service on the 4 ttys we are going to allow in the
- # default config. Number should match lxc.tty
- ( cd $container_rootfs/etc/systemd/system/getty.target.wants
- for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
- # We only want to spawn a getty on /dev/console in lxc, libvirt-lxc
- # symlinks /dev/console to /dev/tty1
- sed -i '/Before=getty.target/a ConditionVirtualization=lxc' $container_rootfs/usr/lib/systemd/system/console-getty.service
+ # with newer systemd (OL7.2), getty service include container-getty.service
+ # let that be the one who manage the getty service instead
+ if [ ! -f $container_rootfs/usr/lib/systemd/system/container-getty@.service ]; then
+ # from mhw in the fedora template: We do need to disable the
+ # "ConditionalPathExists=/dev/tty0" line or no gettys are started on
+ # the ttys in the container. Lets do it in an override copy of the
+ # service so it can still pass rpm verifies and not be automatically
+ # updated by a new systemd version.
+ sed -e 's/^ConditionPathExists=/#LXC ConditionPathExists=/' \
+ < $container_rootfs/usr/lib/systemd/system/getty\@.service \
+ > $container_rootfs/etc/systemd/system/getty\@.service
+ # Setup getty service on the 4 ttys we are going to allow in the
+ # default config. Number should match lxc.tty
+ ( cd $container_rootfs/etc/systemd/system/getty.target.wants
+ for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
+ # We only want to spawn a getty on /dev/console in lxc, libvirt-lxc
+ # symlinks /dev/console to /dev/tty1
+ sed -i '/Before=getty.target/a ConditionVirtualization=lxc' $container_rootfs/usr/lib/systemd/system/console-getty.service
+ fi
# disable some systemd services, set default boot, sigpwr target
rm -f $container_rootfs/usr/lib/systemd/system/sysinit.target.wants/kmod-static-nodes.service
CATEGORIES=${CATEGORIES-"00_base 01_minimum"}
EXTRACTGRS=${EXTRACTGRS-""}
IGNOREPKGS=${IGNOREPKGS-"grub kernel lilo linux_firmware microcode_ctl
- cpufreqd cpufrequtils gpm"}
+ cpufreqd cpufrequtils gpm ntp kmod"}
ADDONPKGS=${ADDONPKGS-"`echo contrib/Hamradio/{morse,qrq}`"}
download_plamo() {
sh /tmp/netconfig.rconly
rm -f /tmp/netconfig.rconly
sed -i '/cmdline/s/if/& false \&\&/' $rootfs/etc/rc.d/rc.inet1.tradnet
+ # /etc/rc.d/rc.inet2
+ sed -i '/rpc.mountd/s/^/#/' $rootfs/etc/rc.d/rc.inet2
+ sed -i '/modprobe/s/^/#/' $rootfs/etc/rc.d/rc.inet2
+ # configure to start only the minimum of service
+ chmod 644 $rootfs/etc/rc.d/init.d/saslauthd
+ chmod 644 $rootfs/etc/rc.d/init.d/open-iscsi
+ rm -f $rootfs/etc/rc.d/init.d/postfix
+ rm -f $rootfs/var/log/initpkg/shadow
return 0
}
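Review bot: The new `chmod 644 $rootfs/etc/rc.d/init.d/saslauthd` and `chmod 644 $rootfs/etc/rc.d/init.d/open-iscsi` lines error out when the target init script is absent, which is plausible because the installed package set is driven by the user-overridable CATEGORIES/IGNOREPKGS values shown earlier in this file (L428–L432); the neighbouring `rm -f` lines already tolerate a missing file, and whether the failure aborts the function depends on a `set -e` that is not visible here. Guard each one, e.g. `[ -f "$rootfs/etc/rc.d/init.d/saslauthd" ] && chmod 644 "$rootfs/etc/rc.d/init.d/saslauthd"` and likewise for `open-iscsi`, or loop over the two names. The comment `# configure to start only the minimum of service` would read better as `# start only the minimum set of services: clear the exec bit on these init scripts`, since removing the exec bit is the mechanism being used. The enclosing function starts outside the hunk.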
;;
esac
- packages_template=${packages_template:-"ssh,vim"}
+ packages_template=${packages_template:-"apt-transport-https,ssh,vim"}
debootstrap_parameters=
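Review bot: Moving `apt-transport-https` into the `${packages_template:-"…"}` default at L451 changes behaviour for callers who set `packages_template` themselves: previously the minbase branch appended it unconditionally (L457), but after this change (L458) an overridden list for a minbase variant no longer gets it, so apt over HTTPS may silently be unavailable in such containers. If that is intended, a comment above L451 such as `# apt-transport-https is part of the default set only; callers overriding packages_template must add it themselves` would make it explicit; otherwise keep the unconditional append in the minbase branch as well.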
# Try to guess a list of langpacks to install
debootstrap_parameters="$debootstrap_parameters --variant=$variant"
fi
if [ "$variant" = 'minbase' ]; then
- packages_template="${packages_template},sudo,ifupdown,isc-dhcp-client,apt-transport-https"
+ packages_template="${packages_template},sudo,ifupdown,isc-dhcp-client"
fi
echo "Installing packages in template: ${packages_template}"