Zmudzinski, Krystof C | 18 Sep 00:22 2014

Re: Your message to lxc-devel awaits moderator approval

Sorry, guys but I included all kinds of logs and the message is too big.  But I think Tycho would like to see it.

Krystof

-----Original Message-----
From: lxc-devel [mailto:lxc-devel-bounces <at> lists.linuxcontainers.org] On Behalf Of lxc-devel-owner <at> lists.linuxcontainers.org
Sent: Wednesday, September 17, 2014 3:03 PM
To: Zmudzinski, Krystof C
Subject: Your message to lxc-devel awaits moderator approval

Your mail to 'lxc-devel' with the subject

    RE: [lxc-devel] [PATCH] Add support for checkpoint and restore via CRIU

is being held until the list moderator can review it for approval.

The reason it is being held:

    Message body is too big: 5805213 bytes with a limit of 40 KB

Either the message will get posted to the list, or you will receive notification of the moderator's
decision.  If you would like to cancel this posting, please visit the following URL:

    http://lists.linuxcontainers.org/confirm/lxc-devel/03409d29e0096224779d3462017c932d3b21b659


_______________________________________________
lxc-devel mailing list
lxc-devel <at> lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

S.Çağlar Onur | 17 Sep 20:16 2014

images.linuxcontainers.org broken?

Hey,

Is images.linuxcontainers.org broken? It looks like it stopped
generating trusty images about a month ago.

[1] http://images.linuxcontainers.org/images/ubuntu/trusty/arm64/default/

Cheers,
-- 
S.Çağlar Onur <caglar <at> 10ur.org>
Dongsheng Yang | 17 Sep 02:57 2014

[PATCH 0/9 V1] Rewrite lxc-device.

Hi all:
	This patchset is to rewrite lxc-device to drop
the dependence on the ip command.
	[7/9] adds two interfaces named [at|de]tach_interface.
Thanx for the suggestion from Stgraber; I can move the interface from
the container back to the host now.
	[8/9] adds the two new interfaces [at|de]tach_interface
to class Container in the python binding.
	[9/9] rewrites lxc-device using the new functions, dropping
the dependence on the external ip command.

Others are about some preparation or enhancement I think.

Any comments, thoughts, proposals are really welcome.

Thanx

Changelog:
	- [7/9] Move the netdev from the container back to the host when we are
detaching it, rather than deleting it directly.

Dongsheng Yang (9):
  network: convert param ifname to const.
  network: check result of if_nametoindex().
  lxc_start: ERROR if container is already running.
  network: allow lxc_network_move_by_index() rename netdev in moving.
  network: introduce a interface named lxc_netdev_isup().
  utils: move useful helper functions from lxccontainer to utils.
  container: introduce two functions named as {at/de}tach_interface().
  python-lxc: Add [at|de]tach_interface() to python binding.

Zmudzinski, Krystof C | 17 Sep 01:11 2014

Re: [PATCH] Add support for checkpoint and restore via CRIU

I’ve added DECLARE_ARG("--evasive-devices"); in lxccontainer.c/exec_criu and I was finally able to dump the container. It also restored, but only when both -V and -d were passed to lxc-checkpoint.

But lxc-stop, lxc-attach, etc. hang after the container is restored. But that is expected at this point, isn’t it?

The interesting part is that something like this is not needed, but it is used in run.sh:

DECLARE_ARG("-n net -n mnt -n ipc -n pid");

Lastly, could criu dump the entire command line to the logs when it is executed? So the beginning of the log starts with something like:

(00.000047) ========================================
(00.000057) /usr/local/sbin/criu dump --tcp-established --evasive-devices --file-locks --link-remap --manage-cgroups…….
(00.000087) Dumping processes (pid: 22614)
(00.000093) ========================================

Krystof

Dongsheng Yang | 16 Sep 13:15 2014

[PATCH 0/9] Rewrite lxc-device.

Hi all:
	This patchset is to rewrite lxc-device to drop
the dependence on the ip command.
	[6/9] adds two interfaces named [at|de]tach_interface
to struct lxc_container. It uses netlink to set the netns of the netdev
to the container. But currently I have not come up with a good idea for
detaching a physical net device from a container, so in this patchset
I make attaching a physical net device to a container forbidden.
Do you have any suggestions about it?
	[7/9] adds the two new interfaces [at|de]tach_interface
to class Container in the python binding.
	[9/9] rewrites lxc-device using the new functions, dropping
the dependence on the external ip command.

Any comments, thoughts, proposals are really welcome.

Thanx
Yang

Dongsheng Yang (9):
  network: convert param ifname to const.
  network: check result of if_nametoindex().
  lxc_start: ERROR if container is already running.
  network: allow lxc_network_move_by_index() rename netdev in moving.
  network: introduce a interface named lxc_netdev_isup().
  container: introduce two functions named as {at/de}tach_interface().
  python-lxc: Add [at|de]tach_interface() to python binding.
  utils: move useful helper functions from lxccontainer to utils.
  lxc-device: rewrite lxc-device.

 src/lxc/Makefile.am    |   4 +-
 src/lxc/conf.c         |   4 +-
 src/lxc/lxc-device     |  97 ------------------------------
 src/lxc/lxc_device.c   | 158 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/lxc/lxc_start.c    |   4 ++
 src/lxc/lxc_unshare.c  |   2 +-
 src/lxc/lxc_user_nic.c |   2 +-
 src/lxc/lxccontainer.c | 132 ++++++++++++++++++++++++++---------------
 src/lxc/lxccontainer.h |  19 ++++++
 src/lxc/network.c      |  80 ++++++++++++++++++++++++-
 src/lxc/network.h      |   6 +-
 src/lxc/utils.c        |  55 +++++++++++++++++
 src/lxc/utils.h        |   2 +
 src/python-lxc/lxc.c   |  73 +++++++++++++++++++++++
 14 files changed, 483 insertions(+), 155 deletions(-)
 delete mode 100644 src/lxc/lxc-device
 create mode 100644 src/lxc/lxc_device.c

-- 
1.8.4.2

Dongsheng Yang | 16 Sep 12:47 2014

[PATCH 0/9] Rewrite lxc-device.

Hi all:
	This patchset is to rewrite lxc-device to drop
the dependence on the ip command.
	[6/9] adds two interfaces named [at|de]tach_interface
to struct lxc_container. It uses netlink to set the netns of the netdev
to the container. But currently I have not come up with a good idea for
detaching a physical net device from a container, so in this patchset
I make attaching a physical net device to a container forbidden.
Do you have any suggestions about it?
	[7/9] adds the two new interfaces [at|de]tach_interface
to class Container in the python binding.
	[9/9] rewrites lxc-device using the new functions, dropping
the dependence on the external ip command.

Any comments, thoughts, proposals are really welcome.

Thanx
Yang

Dongsheng Yang (9):
  network: convert param ifname to const.
  network: check result of if_nametoindex().
  lxc_start: ERROR if container is already running.
  network: allow lxc_network_move_by_index() rename netdev in moving.
  network: introduce a interface named lxc_netdev_isup().
  container: introduce two functions named as {at/de}tach_interface().
  python-lxc: Add [at|de]tach_interface() to python binding.
  utils: move useful helper functions from lxccontainer to utils.
  lxc-device: rewrite lxc-device.

 src/lxc/conf.c         |   4 +-
 src/lxc/lxc-device     |  97 -----------------------------
 src/lxc/lxc_device.c   | 161 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/lxc/lxc_start.c    |   4 ++
 src/lxc/lxc_unshare.c  |   2 +-
 src/lxc/lxc_user_nic.c |   2 +-
 src/lxc/lxccontainer.c | 132 +++++++++++++++++++++++++---------------
 src/lxc/lxccontainer.h |  19 ++++++
 src/lxc/network.c      |  80 +++++++++++++++++++++++-
 src/lxc/network.h      |   6 +-
 src/lxc/utils.c        |  55 +++++++++++++++++
 src/lxc/utils.h        |   2 +
 src/python-lxc/lxc.c   |  73 ++++++++++++++++++++++
 13 files changed, 484 insertions(+), 153 deletions(-)
 delete mode 100644 src/lxc/lxc-device
 create mode 100644 src/lxc/lxc_device.c

-- 
1.8.4.2

Serge Hallyn | 16 Sep 00:22 2014

[PATCH 1/1] lxc_map_ids: add a comment

(Sent this before in the middle of a thread, sending it separately
so it doesn't get lost)

Explain why we insist that root use newuidmap if it is available.

Signed-off-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 src/lxc/conf.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c35..e61002b 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
 <at>  <at>  -3429,6 +3429,12  <at>  <at>  int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 	enum idtype type;
 	char *buf = NULL, *pos, *cmdpath = NULL;

+	/*
+	 * If newuidmap exists, that is, if shadow is handing out subuid
+	 * ranges, then insist that root also reserve ranges in subuid.  This
+	 * will protected it by preventing another user from being handed the
+	 * range by shadow.
+	 */
 	cmdpath = on_path("newuidmap", NULL);
 	if (cmdpath) {
 		use_shadow = 1;
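Review bot: typo in the new comment block: "This will protected it by preventing..." should read "This will protect it by preventing...", and since "it" refers back to root's range, "protect root's range" would read less ambiguously. The rationale itself is sound and worth having in the code: once shadow is the allocator of subuid ranges, root's range has to be reserved in the same place or shadow can hand the identical ids to another user.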
-- 
2.1.0

Michael H. Warfield | 15 Sep 02:57 2014

[PATCH] Various fixes for Fedora/CentOS/OpenSUSE templates and systemd.

Various fixes for Fedora/CentOS/OpenSUSE templates and systemd.

This patch integrates several fixes for several template issues
and open bugzilla bugs at the Fedora project.

The lxc-centos template now supports CentOS 7 and correct configuration
of systemd in CentOS.

The CentOS and Fedora templates have been fixed for a rootfs bug that
was a skew between the parsed parameter (rootfs) and the working variable
(rootfs_path) by normalizing to "rootfs", congruent with several other
templates.  This should fix the backing store problem.

The user password generation logic has been refactored out of the
Fedora and CentOS templates into a new template/functions file.  This
is the beginning of a security fix that has been reported as a bug in
Fedora and Debian.  The functions support random password generation
and/or disabled passwords on accounts.  Templates need to convert over
and avoid static passwords like "root:root" or "ubuntu:ubuntu" in order
to avoid this security issue.  The function supports multi-user setup.

The template/functions file includes a function for static MAC address
generation (not yet used) and may contain other common functions we
standardize on.

Added "fedora" user to lxc-fedora template.

Added "centos" user to lxc-centos template.

Dropping "setfcap" has been moved to a comment for Fedora, CentOS,
and SUSE due to its interference with yum update in containers
(yum fails to update several packages including httpd).

Added "sudo" to the package list for CentOS and Fedora.

Set the apparmor profile for CentOS, Fedora, and SUSE containers to
"unconfined", until someone comes up with something better, in order
to have containers run out of the box on apparmor hosts.  Commented
code in the individual templates has been moved to explicit settings
in the common config files.

Addressed the systemd-journald runaway CPU issue by setting lxc.kmsg = 0
in the affected templates (including Mandriva) and establishing a run time
default to autoswitch lxc.kmsg depending on the state of lxc.autodev
(systemd case).  lxc.kmsg will be set to 0 in the case of lxc.autodev = 1
and set to 1 in the case of lxc.autodev = 0, unless overridden in
the config file.

Signed-off-by: Michael H. Warfield <mhw-BetbSzk+GohWk0Htik3J/w <at> public.gmane.org>
---
 config/templates/centos.common.conf.in   |   8 +-
 config/templates/fedora.common.conf.in   |   8 +-
 config/templates/opensuse.common.conf.in |   7 +-
 configure.ac                             |   1 +
 src/lxc/conf.c                           |  23 +-
 templates/Makefile.am                    |   1 +
 templates/functions.in                   | 208 +++++++++++++++++
 templates/lxc-centos.in                  | 387 ++++++++++++++++---------------
 templates/lxc-fedora.in                  | 318 ++++++++++---------------
 templates/lxc-openmandriva.in            |   1 +
 templates/lxc-opensuse.in                |  50 +++-
 11 files changed, 612 insertions(+), 400 deletions(-)
 create mode 100644 templates/functions.in

diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
index 4ce2fda..7f39ddf 100644
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
 <at>  <at>  -20,4 +20,10  <at>  <at>  lxc.mount.auto = proc:mixed sys:ro
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
-lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
+# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
+
+# This lets LXC CentOS containers run on hosts with apparmor.
+# It does nothing on hosts which do not have apparmor enabled.
+lxc.aa_profile = unconfined
+
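Review bot: `lxc.aa_profile = unconfined` in the shipped common config removes AppArmor confinement from every CentOS container by default, on every AppArmor host, rather than only where the default `lxc-container-default` profile is known to break something; the comment "This lets LXC CentOS containers run on hosts with apparmor" does not say what in the default profile is incompatible. Prefer keeping the default profile and documenting `unconfined` as an opt-in override in the per-container config, or at minimum record the concrete failure that motivates it so the exemption can be revisited. Separately, the hunk ends with an extra `+` blank line, which leaves a trailing empty line at end of file.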
diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
index acebe3c..7794945 100644
--- a/config/templates/fedora.common.conf.in
+++ b/config/templates/fedora.common.conf.in
 <at>  <at>  -18,4 +18,10  <at>  <at>  lxc.include =  <at> LXCTEMPLATECONFIG <at> /common.conf
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
-lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
+# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
+
+# This lets LXC Fedora containers run on hosts with apparmor.
+# It does nothing on hosts which do not have apparmor enabled.
+lxc.aa_profile = unconfined
+
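Review bot: same concern as for the CentOS common config above: `lxc.aa_profile = unconfined` disables the MAC layer for all Fedora containers by default instead of being an opt-in for the cases where `lxc-container-default` gets in the way, and the comment gives no reason that could be turned into a narrower profile fix. The trailing `+` blank line also adds an empty last line to the file.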
diff --git a/config/templates/opensuse.common.conf.in b/config/templates/opensuse.common.conf.in
index 4026975..813d296 100644
--- a/config/templates/opensuse.common.conf.in
+++ b/config/templates/opensuse.common.conf.in
 <at>  <at>  -21,5 +21,10  <at>  <at>  lxc.autodev = 1
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
-# lxc.cap.drop = setfcap
+# lxc.cap.drop = setfcap          # setfcap causes all sorts of problems with yum update
 lxc.cap.drop = sys_nice sys_pacct sys_rawio
+
+# This lets LXC SUSE containers run on hosts with apparmor.
+# It does nothing on hosts which do not have apparmor enabled.
+lxc.aa_profile = unconfined
+
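Review bot: as with the CentOS and Fedora configs, `lxc.aa_profile = unconfined` here drops AppArmor confinement for every SUSE container by default; if this is meant as a stopgap "until someone comes up with something better", say so in the comment and name what the default profile breaks, so the exemption is not inherited indefinitely. The hunk also adds a trailing blank line at end of file.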
diff --git a/configure.ac b/configure.ac
index 5d5f974..c1a575b 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -731,6 +731,7  <at>  <at>  AC_CONFIG_FILES([
 	hooks/Makefile
 
 	templates/Makefile
+	templates/functions
 	templates/lxc-alpine
 	templates/lxc-altlinux
 	templates/lxc-archlinux
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c35..7e1e564 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
 <at>  <at>  -2862,7 +2862,8  <at>  <at>  struct lxc_conf *lxc_conf_init(void)
 		free(new);
 		return NULL;
 	}
-	new->kmsg = 1;
+	/* Unless this is overriden, decide this based on autodev */
+	new->kmsg = -1;
 	lxc_list_init(&new->cgroup);
 	lxc_list_init(&new->network);
 	lxc_list_init(&new->mount_list);
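Review bot: `new->kmsg = -1` turns `kmsg` into a tri-state value, so every reader of the field needs to be checked for a plain truthiness test (`if (lxc_conf->kmsg)`), which would treat the unresolved -1 as "enabled"; any code that consults `kmsg` before `lxc_setup` resolves the sentinel still sees -1. Consider resolving the default at config-parse time, or add a small helper so the -1 never escapes. Also "overriden" in the new comment should be "overridden".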
 <at>  <at>  -4159,6 +4160,26  <at>  <at>  int lxc_setup(struct lxc_handler *handler)
 			ERROR("failed to mount /dev in the container");
 			return -1;
 		}
+		if (lxc_conf->kmsg < 0) {
+			/*
+			 * Autodev is generally used for systemd.  If systemd
+			 * is running then journald is likely to be running.  If
+			 * journald is running we should NOT symlink /dev/kmsg!
+			 * If we do set the symlink, a logging loop is created
+			 * and journald eats CPU time for lunch!
+			 */
+			lxc_conf->kmsg = 0;
+
+			/*
+			 * Note: This can be overridden by those who know what
+			 *	they are doing and why by explicitly setting
+			 *	lxc.autodev in the container config and setting
+			 *	lxc.kmsg to what ever they like.  Then it's a
+			 *	self-inflicted injury.
+			 */
+		}
+	} else if (lxc_conf->kmsg < 0) {
+			lxc_conf->kmsg = 1;
 	}
 
 	/* do automatic mounts (mainly /proc and /sys), but exclude
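Review bot: the body of the new `} else if (lxc_conf->kmsg < 0) {` branch is indented one tab too deep (`			lxc_conf->kmsg = 1;` sits at the level of the `/dev` mount block's inner body, not of its own block), and the `kmsg < 0` test now appears in two places. Resolving the sentinel once, before the `/dev` mount branch and from the same autodev condition it already tests, would keep the policy in a single statement and leave the mount block untouched. The journald loop explanation is worth keeping in the code; the second comment block about users who "know what they are doing" reads like documentation for lxc.conf rather than a code comment and would be better placed in the man page.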
diff --git a/templates/Makefile.am b/templates/Makefile.am
index ac870a1..4f05069 100644
--- a/templates/Makefile.am
+++ b/templates/Makefile.am
 <at>  <at>  -1,6 +1,7  <at>  <at> 
 templatesdir= <at> LXCTEMPLATEDIR <at> 
 
 templates_SCRIPTS = \
+	functions \
 	lxc-alpine \
 	lxc-altlinux \
 	lxc-archlinux \
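Review bot: `functions` is a library that the templates source with `.`, not an executable, but listing it under `templates_SCRIPTS` installs it with the execute bit set; the automake `templates_DATA` primary would install it 0644 and make the intent clear. Minor.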
diff --git a/templates/functions.in b/templates/functions.in
new file mode 100644
index 0000000..ee80120
--- /dev/null
+++ b/templates/functions.in
 <at>  <at>  -0,0 +1,208  <at>  <at> 
+#!/bin/sh -
+
+# templates/functions
+
+# Misc functions for template support.
+
+# Authors:
+# Michael H. Warfield <mhw-BetbSzk+GohWk0Htik3J/w <at> public.gmane.org>
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+###
+# User creation and password support.
+###
+
+# Some combinations of the tuning knobs below do not exactly make sense.
+# but that's ok.
+#
+# If the "root_password" is non-blank, use it, else set a default.
+# This can be passed to the script as an environment variable and is
+# set by a shell conditional assignment.  Looks weird but it is what it is.
+#
+# If the root password contains a ding ($) then try to expand it.
+# That will pick up things like ${name} and ${RANDOM}.
+# If the root password contians more than 3 consecutive X's, pass it as
+# a template to mktemp and take the result.
+#
+# If root_display_password = yes, display the temporary root password at exit.
+# If root_store_password = yes, store it in the configuration directory
+# If root_prompt_password = yes, invoke "passwd" to force the user to change
+# the root password after the container is created.
+# If root_expire_password = yes, you will be prompted to change the root
+# password at the first login.
+#
+# These are conditional assignments...  The can be overridden from the
+# preexisting environment variables in the calling template or from
+# the user environment...
+#
+# Default user...
+: ${LXC_DEFAULT_USER='root'}
+# Make sure this is in single quotes to defer expansion to later!
+# :{root_password='Root-${name}-${RANDOM}'}
+: ${LXC_PASSWORD='Root-${name}-XXXXXX'}
+
+# Now, it doesn't make much sense to display, store, and force change
+# together.  But, we gotta test, right???
+: ${LXC_DISPLAY_PASSWORD='no'}
+: ${LXC_STORE_PASSWORD='yes'}
+
+# Expire root password? Default to yes, but can be overridden from
+# the environment variable
+: ${LXC_EXPIRE_PASSWORD='yes'}
+
+
+# Then above environment variables are for convention and for
+# convenience of use by the calling template.  They may be
+# overriden by the environment, calling line parameters, or the
+# whim of the template writer.  They can be ignored entirely.
+# The values used in setting up a user are the values passed in
+# calling lxc_setup_user().
+
+# lxc_setup_user username password/hash display store expire
+#
+#   Set the user password, creating the user if necessary...
+#
+
+lxc_setup_user() {
+    local CONTAINER_NAME="${1}"
+    local ROOTFS="${2}"
+    local CONFIG_PATH="${3}"
+    local USER="${4}"
+    local PASSWD="${5}"
+    local DISPLAY="${6}"
+    local STORE="${7}"
+    local EXPIRE="${8}"
+
+    # The required groups in this list should alraedy be created.
+    # Groups that don't exist will not be created and will be ignored.
+    # Might be worth making that a tunable parameter as well.  Maybe...
+    local groups="sudo admin wheel"
+
+    # See if the user exists.  For root, this should not be a question.
+    # for non-root defaults (like ubuntu) we may need to create the user.
+    PWENT=$(chroot ${ROOTFS} getent passwd ${USER})
+
+    if [ "$?" != 0 ]
+    then
+        chroot ${ROOTFS} useradd ${USER}
+        for group in $groups; do
+            # We do this individually so that, if a group doesn't exist,
+            # all the groups that do exist have the user added.
+            chroot ${ROOTFS} usermod -a -G ${group} ${USER} >/dev/null 2>&1 || true
+        done
+    fi
+
+    if [ ${PASSWD} = "PROMPT" ]
+    then
+        echo "Invoking the passwd command in the container to set the ${USER} password.
+
+        chroot ${ROOTFS} passwd ${USER}
+"
+        chroot ${ROOTFS} passwd ${USER}
+    elif [ $(expr "${PASSWD}" : '$$') != 0 -o \
+           $(expr "${PASSWD}" : '*$') != 0 -o \
+           $(expr "${PASSWD}" : '!!$') != 0 ]
+    then
+        # Matches one of 3 common "disabled" conventions so treat them
+        # as if they were "hashed" passwords to be copied literally
+        # by chpasswd.  Result is an account with no valid password.
+        if [ ${DISPLAY} = "yes" ]
+        then
+            echo "Disabling ${USER} password"
+        fi
+        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd -e
+    elif [ $(expr "${PASSWD}" : '$[0-9][0-9]*$.') != 0 ]
+    then
+        # Matches on a $[0-9]$ hash indicator for a real password hash.
+        if [ ${DISPLAY} = "yes" ]
+        then
+            echo "Setting ${USER} password hash to ${PASSWORD}"
+        fi
+        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd -e
+    else
+        # Anything else, assume a clear text password template...
+
+        # Let's do something better for the initial user password.
+        # It's not perfect but it will defeat common scanning brute force
+        # attacks in the case where ssh is exposed.  It may also be set to
+        # expired, forcing the user to change it at first login.
+        if [ "${PASSWD}" = "" ]
+        then
+            PASSWD=${USER}-${CONTAINER_NAME}-${RANDOM}
+        fi
+
+        # If it's got a ding in it, try and expand it!
+        # In theory, this could also access and external program.
+        if [ $(expr "${PASSWD}" : '.*$.') != 0 ]
+        then
+            PASSWD=$(eval echo "${PASSWD}")
+        fi
+
+        # If it has more than 3 consequtive X's in it, feed it
+        # through mktemp as a template.
+        if [ $(expr "${PASSWD}" : '.*XXXX') != 0 ]
+        then
+            PASSWD=$(mktemp -u ${PASSWD})
+        fi
+        if [ ${STORE} = "yes" ]
+        then
+            touch ${config_path}/tmp_pass
+            chmod 600 ${config_path}/tmp_pass
+            # Append the user and password to the file.
+            # We might be ultimately adding more than one.
+            echo ${USER}:${PASSWD} >> ${config_path}/tmp_pass
+
+            echo "The temporary password for ${USER} is stored in:
+
+        '${config_path}/tmp_pass'
+"
+        fi
+
+        if [ ${DISPLAY} = "yes" ]
+        then
+            echo "Setting ${USER} password to '$PASSWORD'"
+        fi
+        echo "${USER}:${PASSWD}" | chroot ${ROOTFS} chpasswd
+    fi
+
+    if [ ${EXPIRE} = "yes" ]
+    then
+        # Also set this password as expired to force the user to change it!
+        chroot ${ROOTFS} passwd -e ${USER}
+        echo "
+The password for ${USER} is set up as "expired" and will require it to be changed
+at first login, which you should do as soon as possible.  If you lose the
+${USER} password or wish to change it without starting the container, you
+can change it from the host by running the following command (which will
+also reset the expired flag):
+
+    chroot ${ROOTFS} passwd
+"
+    fi
+}
+
+
+###
+# HW Mac address generation support.
+###
+
+# Generate a random hardware (MAC) address composed of FE followed by
+# 5 random bytes...
+lxc_create_hwaddr()
+{
+    openssl rand -hex 5 | sed -e 's/\(..\)/:\1/g; s/^/fe/'
+}
+
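Review bot: `PASSWD=$(eval echo "${PASSWD}")` evaluates a string that arrives from the caller's environment (`LXC_PASSWORD`, or whatever the template passes as `$5`) as shell code, running as root on the host during container creation; the comment above it even notes that it "could also access and external program". Expanding only the intended placeholders (`${name}`, `${RANDOM}`) with a fixed substitution instead of `eval` gives the same feature without that exposure. Further points in the same file: the store branch writes to `${config_path}/tmp_pass` but the parameter is bound to `CONFIG_PATH`, so unless the caller happens to export `config_path` the file lands at `/tmp_pass`; both display messages print `${PASSWORD}`, which is never set (`PASSWD` is meant); the shebang is `#!/bin/sh -` yet `$RANDOM` and `local` are not POSIX, and under dash `$RANDOM` expands to nothing, so the fallback becomes `user-name-`; `mktemp -u` produces roughly six alphanumeric characters, which is a weak password for an account that "may be exposed via ssh", whereas the `openssl rand -hex` already used by `lxc_create_hwaddr` below would give real entropy; `[ ${PASSWD} = "PROMPT" ]` and the other tests need `"${PASSWD}"` quoted or an empty value is a syntax error; the header comment `lxc_setup_user username password/hash display store expire` does not match the eight positional parameters the function takes; the header still documents `root_display_password`/`root_store_password`/`root_prompt_password` while the variables are now `LXC_DISPLAY_PASSWORD` and friends, and no `PROMPT` default exists; and the final message embeds `"expired"` inside a double-quoted string, which only works by accidental string concatenation and should be escaped.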
diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index 1586a90..3f9ef4d 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
 <at>  <at>  -1,7 +1,7  <at>  <at> 
 #!/bin/bash
 
 #
-# template script for generating centos container for LXC
+# template script for generating a CentOS container for LXC
 
 #
 # lxc: linux Container library
 <at>  <at>  -28,44 +28,13  <at>  <at> 
 
 #Configurations
 default_path= <at> LXCPATH <at> 
+template_path= <at> LXCTEMPLATEDIR <at> 
 
-# Some combinations of the tuning knobs below do not exactly make sense.
-# but that's ok.
-#
-# If the "root_password" is non-blank, use it, else set a default.
-# This can be passed to the script as an environment variable and is
-# set by a shell conditional assignment.  Looks weird but it is what it is.
-#
-# If the root password contains a ding ($) then try to expand it.
-# That will pick up things like ${name} and ${RANDOM}.
-# If the root password contians more than 3 consecutive X's, pass it as
-# a template to mktemp and take the result.
-#
-# If root_display_password = yes, display the temporary root password at exit.
-# If root_store_password = yes, store it in the configuration directory
-# If root_prompt_password = yes, invoke "passwd" to force the user to change
-# the root password after the container is created.
-# If root_expire_password = yes, you will be prompted to change the root
-# password at the first login.
-#
-# These are conditional assignments...  The can be overridden from the
-# preexisting environment variables...
-#
-# Make sure this is in single quotes to defer expansion to later!
-# :{root_password='Root-${name}-${RANDOM}'}
-: ${root_password='Root-${name}-XXXXXX'}
-
-# Now, it doesn't make much sense to display, store, and force change
-# together.  But, we gotta test, right???
-: ${root_display_password='no'}
-: ${root_store_password='yes'}
-# Prompting for something interactive has potential for mayhem
-# with users running under the API...  Don't default to "yes"
-: ${root_prompt_password='no'}
-
-# Expire root password? Default to yes, but can be overridden from
-# the environment variable
-: ${root_expire_password='yes'}
+# Load up some common functions
+if [ -f ${template_path}/functions ]
+then
+    . ${template_path}/functions
+fi
 
 # These are only going into comments in the resulting config...
 lxc_network_type=veth
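Review bot: the `if [ -f ${template_path}/functions ]` guard silently continues when the library is absent, so a missing or mis-installed `functions` file only surfaces later as a "command not found" for `lxc_setup_user`, after the rootfs has already been populated; fail early with a clear error instead, and quote `"${template_path}"`. Note also that this hunk removes the `root_prompt_password` knob together with its "potential for mayhem with users running under the API" warning, and nothing in the new library restores an equivalent opt-in, so the interactive `passwd` path is now reached only by passing the literal password value `PROMPT`; that should be documented for template authors.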
 <at>  <at>  -161,31 +130,31  <at>  <at>  configure_centos()
 {
 
     # disable selinux in centos
-    mkdir -p $rootfs_path/selinux
-    echo 0 > $rootfs_path/selinux/enforce
+    mkdir -p ${rootfs}/selinux
+    echo 0 > ${rootfs}/selinux/enforce
 
     # Also kill it in the /etc/selinux/config file if it's there...
-    if [ -f $rootfs_path/etc/selinux/config ]
+    if [ -f ${rootfs}/etc/selinux/config ]
     then
-        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
+        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' ${rootfs}/etc/selinux/config
     fi
 
     # Nice catch from Dwight Engen in the Oracle template.
     # Wantonly plagerized here with much appreciation.
-    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
-        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
-        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
+    if [ -f ${rootfs}/usr/sbin/selinuxenabled ]; then
+        mv ${rootfs}/usr/sbin/selinuxenabled ${rootfs}/usr/sbin/selinuxenabled.lxcorig
+        ln -s /bin/false ${rootfs}/usr/sbin/selinuxenabled
     fi
 
     # This is a known problem and documented in RedHat bugzilla as relating
     # to a problem with auditing enabled.  This prevents an error in
     # the container "Cannot make/remove an entry for the specified session"
-    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
-    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
+    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/login
+    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/sshd
 
-    if [ -f ${rootfs_path}/etc/pam.d/crond ]
+    if [ -f ${rootfs}/etc/pam.d/crond ]
     then
-        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
+        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/crond
     fi
 
     # In addition to disabling pam_loginuid in the above config files
 <at>  <at>  -193,27 +162,27  <at>  <at>  configure_centos()
     # we missed or any that get installed after the container is built.
     #
     # Catch either or both 32 and 64 bit archs.
-    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
+    if [ -f ${rootfs}/lib/security/pam_loginuid.so ]
     then
-        ( cd ${rootfs_path}/lib/security/
+        ( cd ${rootfs}/lib/security/
         mv pam_loginuid.so pam_loginuid.so.disabled
         ln -s pam_permit.so pam_loginuid.so
         )
     fi
 
-    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
+    if [ -f ${rootfs}/lib64/security/pam_loginuid.so ]
     then
-        ( cd ${rootfs_path}/lib64/security/
+        ( cd ${rootfs}/lib64/security/
         mv pam_loginuid.so pam_loginuid.so.disabled
         ln -s pam_permit.so pam_loginuid.so
         )
     fi
 
     # Set default localtime to the host localtime if not set...
-    if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ]
+    if [ -e /etc/localtime -a ! -e ${rootfs}/etc/localtime ]
     then
         # if /etc/localtime is a symlink, this should preserve it.
-        cp -a /etc/localtime ${rootfs_path}/etc/localtime
+        cp -a /etc/localtime ${rootfs}/etc/localtime
     fi
 
     # Deal with some dain bramage in the /etc/init.d/halt script.
 <at>  <at>  -226,26 +195,26  <at>  <at>  configure_centos()
     # So we just eliminate the whole bottom half of that script in making
     # ourselves a copy.  That way a major update to the init scripts won't
     # trash what we've set up.
-    if [ -f ${rootfs_path}/etc/init.d/halt ]
+    if [ -f ${rootfs}/etc/init.d/halt ]
     then
         sed -e '/hwclock/,$d' \
-            < ${rootfs_path}/etc/init.d/halt \
-            > ${rootfs_path}/etc/init.d/lxc-halt
+            < ${rootfs}/etc/init.d/halt \
+            > ${rootfs}/etc/init.d/lxc-halt
 
-        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
-        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt
+        echo '$command -f' >> ${rootfs}/etc/init.d/lxc-halt
+        chmod 755 ${rootfs}/etc/init.d/lxc-halt
 
         # Link them into the rc directories...
         (
-             cd ${rootfs_path}/etc/rc.d/rc0.d
+             cd ${rootfs}/etc/rc.d/rc0.d
              ln -s ../init.d/lxc-halt S00lxc-halt
-             cd ${rootfs_path}/etc/rc.d/rc6.d
+             cd ${rootfs}/etc/rc.d/rc6.d
              ln -s ../init.d/lxc-halt S00lxc-reboot
         )
     fi
 
     # configure the network using the dhcp
-    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
+    cat <<EOF > ${rootfs}/etc/sysconfig/network-scripts/ifcfg-eth0
 DEVICE=eth0
 BOOTPROTO=dhcp
 ONBOOT=yes
 <at>  <at>  -257,25 +226,30  <at>  <at>  DHCP_HOSTNAME=$name
 EOF
 
     # set the hostname
-    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
+    cat <<EOF > ${rootfs}/etc/sysconfig/network
 NETWORKING=yes
 HOSTNAME=${UTSNAME}
 EOF
 
+    # set hostname on systemd systems
+    if [ $release -gt 6 ]; then
+        echo "${utsname}" > ${rootfs}/etc/hostname
+    fi
+
     # set minimal hosts
-    cat <<EOF > $rootfs_path/etc/hosts
+    cat <<EOF > ${rootfs}/etc/hosts
 127.0.0.1 localhost $name
 EOF
 
     # set minimal fstab
-    cat <<EOF > $rootfs_path/etc/fstab
+    cat <<EOF > ${rootfs}/etc/fstab
 /dev/root               /                       rootfs   defaults        0 0
 none                    /dev/shm                tmpfs    nosuid,nodev    0 0
 EOF
 
     # create lxc compatibility init script
     if [ "$release" = "6" ]; then
-        cat <<EOF > $rootfs_path/etc/init/lxc-sysinit.conf
+        cat <<EOF > ${rootfs}/etc/init/lxc-sysinit.conf
 start on startup
 env container
 
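Review bot: the new systemd branch writes `${utsname}` to /etc/hostname while the unchanged heredoc just above it still writes `HOSTNAME=${UTSNAME}` (upper case) into /etc/sysconfig/network; unless UTSNAME is set elsewhere, that file gets an empty HOSTNAME= and the two files disagree. Suggest `HOSTNAME=${utsname}`, matching the Fedora template's `HOSTNAME=${utsname}` later in this patch. The `[ $release -gt 6 ]` test also aborts with a shell error rather than a clean message when `release` is not a plain integer; a quoted, numeric check would be safer.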
 <at>  <at>  -291,23 +265,23  <at>  <at>  pre-start script
 end script
 EOF
     elif [ "$release" = "5" ]; then
-        cat <<EOF > $rootfs_path/etc/rc.d/lxc.sysinit
+        cat <<EOF > ${rootfs}/etc/rc.d/lxc.sysinit
 #! /bin/bash
 rm -f /etc/mtab /var/run/*.{pid,lock} /var/lock/subsys/*
 rm -rf {/,/var}/tmp/*
 echo "/dev/root               /                       rootfs   defaults        0 0" > /etc/mtab
 exit 0
 EOF
-        chmod 755 $rootfs_path/etc/rc.d/lxc.sysinit
-        sed -i 's|si::sysinit:/etc/rc.d/rc.sysinit|si::bootwait:/etc/rc.d/lxc.sysinit|'  $rootfs_path/etc/inittab
+        chmod 755 ${rootfs}/etc/rc.d/lxc.sysinit
+        sed -i 's|si::sysinit:/etc/rc.d/rc.sysinit|si::bootwait:/etc/rc.d/lxc.sysinit|'  ${rootfs}/etc/inittab
         # prevent mingetty from calling vhangup(2) since it fails with userns.
         # Same issue as oracle template: prevent mingetty from calling vhangup(2)
         # commit 2e83f7201c5d402478b9849f0a85c62d5b9f1589.
-        sed -i 's|^1:|co:2345:respawn:/sbin/mingetty --nohangup console\n1:|' $rootfs_path/etc/inittab
-        sed -i 's|^\([56]:\)|#\1|' $rootfs_path/etc/inittab
+        sed -i 's|^1:|co:2345:respawn:/sbin/mingetty --nohangup console\n1:|' ${rootfs}/etc/inittab
+        sed -i 's|^\([56]:\)|#\1|' ${rootfs}/etc/inittab
     fi
 
-    dev_path="${rootfs_path}/dev"
+    dev_path="${rootfs}/dev"
     rm -rf $dev_path
     mkdir -p $dev_path
     mknod -m 666 ${dev_path}/null c 1 3
 <at>  <at>  -334,59 +308,39  <at>  <at>  EOF
     # since lxc.devttydir is specified in the config.
 
     # allow root login on console, tty[1-4], and pts/0 for libvirt
-    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
-    echo "lxc/console"  >>${rootfs_path}/etc/securetty
-    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
-    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
-    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
-    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
-    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
-    echo "pts/0"        >>${rootfs_path}/etc/securetty
+    echo "# LXC (Linux Containers)" >>${rootfs}/etc/securetty
+    echo "lxc/console"  >>${rootfs}/etc/securetty
+    echo "lxc/tty1"     >>${rootfs}/etc/securetty
+    echo "lxc/tty2"     >>${rootfs}/etc/securetty
+    echo "lxc/tty3"     >>${rootfs}/etc/securetty
+    echo "lxc/tty4"     >>${rootfs}/etc/securetty
+    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs}/etc/securetty
+    echo "pts/0"        >>${rootfs}/etc/securetty
 
     # prevent mingetty from calling vhangup(2) since it fails with userns.
     # Same issue as oracle template: prevent mingetty from calling vhangup(2)
     # commit 2e83f7201c5d402478b9849f0a85c62d5b9f1589.
-    sed -i 's|mingetty|mingetty --nohangup|' $container_rootfs/etc/init/tty.conf
-
-    if [ ${root_display_password} = "yes" ]
-    then
-        echo "Setting root password to '$root_password'"
-    fi
-    if [ ${root_store_password} = "yes" ]
+    if [ -f ${rootfs}/etc/init/tty.conf ]
     then
-        touch ${config_path}/tmp_root_pass
-        chmod 600 ${config_path}/tmp_root_pass
-        echo ${root_password} > ${config_path}/tmp_root_pass
-        echo "Storing root password in '${config_path}/tmp_root_pass'"
+        sed -i 's|mingetty|mingetty --nohangup|' ${rootfs}/etc/init/tty.conf
     fi
 
-    echo "root:$root_password" | chroot $rootfs_path chpasswd
-
-    if [ ${root_expire_password} = "yes" ]
-    then
-        # Also set this password as expired to force the user to change it!
-        chroot $rootfs_path passwd -e root
-    fi
-
-    # This will need to be enhanced for CentOS 7 when systemd
-    # comes into play...   /\/\|=mhw=|\/\/
-
     return 0
 }
 
 configure_centos_init()
 {
-    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
-    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
+    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.sysinit
+    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.d/rc.sysinit
     if [ "$release" = "6" ]; then
-        chroot ${rootfs_path} chkconfig udev-post off
+        chroot ${rootfs} chkconfig udev-post off
     fi
-    chroot ${rootfs_path} chkconfig network on
+    chroot ${rootfs} chkconfig network on
 
-    if [ -d ${rootfs_path}/etc/init ]
+    if [ -d ${rootfs}/etc/init ]
     then
        # This is to make upstart honor SIGPWR
-        cat <<EOF >${rootfs_path}/etc/init/power-status-changed.conf
+        cat <<EOF >${rootfs}/etc/init/power-status-changed.conf
 #  power-status-changed - shutdown on SIGPWR
 #
 start on power-status-changed
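Review bot: the removed `sed -i 's|mingetty|mingetty --nohangup|' $container_rootfs/etc/init/tty.conf` used `$container_rootfs`, a variable name that appears nowhere else in this function (every other path used `$rootfs_path`), so with it unset the sed edited the host's own /etc/init/tty.conf; the new guarded `${rootfs}` form fixes that, and the fix deserves a line in the commit message.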
 <at>  <at>  -396,6 +350,35  <at>  <at>  EOF
     fi
 }
 
+configure_centos_systemd()
+{
+    rm -f ${rootfs}/etc/systemd/system/default.target
+    touch ${rootfs}/etc/fstab
+    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
+    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+    # Make systemd honor SIGPWR
+    chroot ${rootfs} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
+    #dependency on a device unit fails it specially that we disabled udev
+    # sed -i 's/After=dev-%i.device/After=/' ${rootfs}/lib/systemd/system/getty\ <at> .service
+    #
+    # Actually, the After=dev-%i.device line does not appear in the
+    # Fedora 17 or Fedora 18 systemd getty\ <at> .service file.  It may be left
+    # over from an earlier version and it's not doing any harm.  We do need
+    # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
+    # started on the ttys in the container.  Lets do it in an override copy of
+    # the service so it can still pass rpm verifies and not be automatically
+    # updated by a new systemd version.  --  mhw  /\/\|=mhw=|\/\/
+
+    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
+        -e 's/After=dev-%i.device/After=/' \
+        < ${rootfs}/lib/systemd/system/getty\ <at> .service \
+        > ${rootfs}/etc/systemd/system/getty\ <at> .service
+    # Setup getty service on the 4 ttys we are going to allow in the
+    # default config.  Number should match lxc.tty
+    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
+        for i in 1 2 3 4 ; do ln -sf ../getty\ <at> .service getty <at> tty${i}.service; done )
+}
+
 download_centos()
 {
 
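Review bot: in configure_centos_systemd the subshell `( cd ${rootfs}/etc/systemd/system/getty.target.wants; for i in 1 2 3 4 ; do ln -sf ... )` does not check that the cd succeeded, so if that directory is missing the four `getty@ttyN.service` symlinks are created in the caller's current directory on the host; use `cd ... && for ...` or `mkdir -p` the directory first. The `chroot ${rootfs} ln -s` calls have no `-f` and will fail on a re-run when the targets already exist, and the `sed ... < .../getty@.service > .../getty@.service` redirection leaves an empty override unit if the source file is absent. The "Fedora 17 or Fedora 18" comment was copied verbatim from the Fedora template and should be reworded for CentOS 7.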
 <at>  <at>  -410,19 +393,19  <at>  <at>  download_centos()
     # download a mini centos into a cache
     echo "Downloading centos minimal ..."
     YUM="yum --installroot $INSTALL_ROOT -y --nogpgcheck"
-    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils"
+    PKG_LIST="yum initscripts passwd rsyslog vim-minimal sudo openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils"
 
     # use temporary repository definition
     REPO_FILE=$INSTALL_ROOT/etc/yum.repos.d/lxc-centos-temp.repo
     mkdir -p $(dirname $REPO_FILE)
     if [ -n "$repo" ]; then
-	cat <<EOF > $REPO_FILE
+        cat <<EOF > $REPO_FILE
 [base]
 name=local repository
 baseurl="$repo"
 EOF
 else
-	cat <<EOF > $REPO_FILE
+        cat <<EOF > $REPO_FILE
 [base]
 name=CentOS-$release - Base
 mirrorlist=http://mirrorlist.centos.org/?release=$release&arch=$basearch&repo=os
 <at>  <at>  -434,20 +417,23  <at>  <at>  EOF
     fi
 
     # create minimal device nodes, needed for "yum install" and "yum update" process
-    mkdir -p $INSTALL_ROOT/dev
-    force_mknod 666 $INSTALL_ROOT/dev/null c 1 3
-    force_mknod 666 $INSTALL_ROOT/dev/urandom c 1 9
+    mkdir -p $INSTALL_ROOT/dev $INSTALL_ROOT/proc
+
+    # CentOS7 needs these, even if they are overkill for 5&6.
+    mount -o bind /dev ${INSTALL_ROOT}/dev
+    mount -t proc proc ${INSTALL_ROOT}/proc
+    # Always make sure /etc/resolv.conf is up to date in the target!
+    cp /etc/resolv.conf ${INSTALL_ROOT}/etc/
 
     $YUM install $PKG_LIST
 
     if [ $? -ne 0 ]; then
         echo "Failed to download the rootfs, aborting."
+        umount ${INSTALL_ROOT}/proc
+        umount ${INSTALL_ROOT}/dev
         return 1
     fi
 
-    # use same nameservers as hosts, needed for "yum update later"
-    cp /etc/resolv.conf $INSTALL_ROOT/etc/
-
     # check whether rpmdb is under $HOME
     if [ ! -e $INSTALL_ROOT/var/lib/rpm/Packages -a -e $INSTALL_ROOT/$HOME/.rpmdb/Packages ]; then
         echo "Fixing rpmdb location ..."
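Review bot: the `mount -o bind /dev ${INSTALL_ROOT}/dev` and `mount -t proc` at the top of this hunk are not checked for success, and neither are the `umount`s on the failure path; since the install root is later removed with `rm -rf`, a skipped or failed umount means the host's /dev gets deleted along with it. Suggest `mount ... || return 1` and `umount ... || return 1` (or an EXIT trap that unmounts) so no `rm -rf` or `mv` can ever run with the host's /dev still mounted underneath. Replacing the two mknods with a bind of the whole host /dev also exposes every host device to the yum run inside the chroot; if only null/urandom are needed for CentOS 5 and 6, a tmpfs with a handful of nodes would be narrower.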
 <at>  <at>  -469,17 +455,26  <at>  <at>  EOF
         mv $INSTALL_ROOT/etc/yum.repos.d/*.repo $INSTALL_ROOT/etc/yum.repos.disabled/
         mv $REPO_FILE.tmp $REPO_FILE
         mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/etc
-        cp /etc/resolv.conf $INSTALL_ROOT/$INSTALL_ROOT/etc/
         mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/dev
-        mknod -m 666 $INSTALL_ROOT/$INSTALL_ROOT/dev/null c 1 3
-        mknod -m 666 $INSTALL_ROOT/$INSTALL_ROOT/dev/urandom c 1 9
+        mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/proc
+        # CentOS7 needs these, even if they are overkill for 5&6.
+        mount -o bind /dev ${INSTALL_ROOT}/${INSTALL_ROOT}/dev
+        mount -t proc proc ${INSTALL_ROOT}/${INSTALL_ROOT}/proc
+        # Always make sure /etc/resolv.conf is up to date in the target!
+        cp /etc/resolv.conf $INSTALL_ROOT/$INSTALL_ROOT/etc/
         mkdir -p $INSTALL_ROOT/$INSTALL_ROOT/var/cache/yum
         cp -al $INSTALL_ROOT/var/cache/yum/* $INSTALL_ROOT/$INSTALL_ROOT/var/cache/yum/
         chroot $INSTALL_ROOT $YUM install $PKG_LIST
         if [ $? -ne 0 ]; then
             echo "Failed to download the rootfs, aborting."
+            umount ${INSTALL_ROOT}/${INSTALL_ROOT}/proc
+            umount ${INSTALL_ROOT}/${INSTALL_ROOT}/dev
+            umount ${INSTALL_ROOT}/proc
+            umount ${INSTALL_ROOT}/dev
             return 1
         fi
+        umount ${INSTALL_ROOT}/proc
+        umount ${INSTALL_ROOT}/dev
         mv $INSTALL_ROOT/$INSTALL_ROOT $INSTALL_ROOT.tmp
         rm -rf $INSTALL_ROOT
         mv $INSTALL_ROOT.tmp $INSTALL_ROOT
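Review bot: on the success path of the rpmdb-relocation branch only `${INSTALL_ROOT}/proc` and `${INSTALL_ROOT}/dev` are unmounted before `mv $INSTALL_ROOT/$INSTALL_ROOT $INSTALL_ROOT.tmp` and `rm -rf $INSTALL_ROOT`; the inner `${INSTALL_ROOT}/${INSTALL_ROOT}/{dev,proc}` mounts are left in place and carried along by the rename to be unmounted later. Unmount the inner pair first, mirroring the four-line failure path just above, so that `rm -rf` can never be reached with a live bind mount of the host's /dev below it.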
 <at>  <at>  -488,6 +483,9  <at>  <at>  EOF
     rm -f $REPO_FILE
     rm -rf $INSTALL_ROOT/var/cache/yum/*
 
+    umount ${INSTALL_ROOT}/proc
+    umount ${INSTALL_ROOT}/dev
+
     mv "$INSTALL_ROOT" "$cache/rootfs"
     echo "Download complete."
 
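Review bot: these final two `umount` calls are unchecked before `mv "$INSTALL_ROOT" "$cache/rootfs"`; if either fails (EBUSY from a lingering yum helper, for instance) the cache directory is moved with the host's /dev still bound inside it, and every later consumer of `$cache/rootfs` (the rsync in copy_centos, the clean-up `rm -rf`) then operates on host device nodes. Fail the download on umount error instead of continuing.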
 <at>  <at>  -498,11 +496,11  <at>  <at>  copy_centos()
 {
 
     # make a local copy of the mini centos
-    echo -n "Copying rootfs to $rootfs_path ..."
-    #cp -a $cache/rootfs-$arch $rootfs_path || return 1
+    echo -n "Copying rootfs to ${rootfs} ..."
+    #cp -a $cache/rootfs-$arch ${rootfs} || return 1
     # i prefer rsync (no reason really)
-    mkdir -p $rootfs_path
-    rsync -a $cache/rootfs/ $rootfs_path/
+    mkdir -p ${rootfs}
+    rsync -a $cache/rootfs/ ${rootfs}/
     echo
     return 0
 }
 <at>  <at>  -510,11 +508,24  <at>  <at>  copy_centos()
 update_centos()
 {
     YUM="chroot $cache/rootfs yum -y --nogpgcheck"
+
+    # CentOS7 needs these, even if they are overkill for 5&6.
+    mount -o bind /dev ${cache}/rootfs/dev
+    mount -t proc proc ${cache}/rootfs/proc
+    # Always make sure /etc/resolv.conf is up to date in the target!
+    cp /etc/resolv.conf ${cache}/rootfs/etc/
+
     $YUM update
     if [ $? -ne 0 ]; then
+        umount ${cache}/rootfs/dev
+        umount ${cache}/rootfs/proc
         return 1
     fi
     $YUM clean packages
+
+    echo
+    umount ${cache}/rootfs/dev
+    umount ${cache}/rootfs/proc
 }
 
 install_centos()
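Review bot: in update_centos the `umount`s on both paths are unchecked, and because copy_centos later runs `rsync -a $cache/rootfs/ ${rootfs}/` (which copies device nodes), a bind mount left behind here would copy the host's /dev tree into the new container's rootfs; suggest `umount ... || return 1` on both paths. The function also returns whatever the last `umount` returned and contains a stray `echo`; an explicit `return 0` at the end would make the success case unambiguous.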
 <at>  <at>  -544,7 +555,7  <at>  <at>  install_centos()
         fi
     fi
 
-    echo "Copy $cache/rootfs to $rootfs_path ... "
+    echo "Copy $cache/rootfs to ${rootfs} ... "
     copy_centos
     if [ $? -ne 0 ]; then
         echo "Failed to copy rootfs"
 <at>  <at>  -568,7 +579,7  <at>  <at>  copy_configuration()
     mkdir -p $config_path
 
     grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
-lxc.rootfs = $rootfs_path
+lxc.rootfs = ${rootfs}
 " >> $config_path/config
 
     # The following code is to create static MAC addresses for each
 <at>  <at>  -612,11 +623,19  <at>  <at>  lxc.include =  <at> LXCTEMPLATECONFIG <at> /centos.common.conf
 lxc.arch = $arch
 lxc.utsname = $utsname
 
-lxc.autodev = $auto_dev
+EOF
 
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+    if [ "${auto_dev}" != "0" ]
+    then
+        # Keep systemd and journald happy...
+        echo "\
+lxc.autodev = 1
+lxc.kmsg = 0
+" >> $config_path/config
+    fi
 
+    # Throw on some commments...
+    cat <<EOF >> $config_path/config
 # example simple networking setup, uncomment to enable
 #lxc.network.type = $lxc_network_type
 #lxc.network.flags = up
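Review bot: `lxc.autodev` is now written only when `${auto_dev}` is not "0", and always as `1` whatever value was given, so `auto_dev=0` silently falls back to the LXC default instead of recording an explicit `lxc.autodev = 0` as the old `lxc.autodev = $auto_dev` line did; writing the line in both cases keeps the generated config self-describing. The `echo "\` line-continuation form works in bash but is easy to break; the `cat <<EOF >> $config_path/config` form used immediately below would be consistent. Typo in the new comment: "commments".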
 <at>  <at>  -699,7 +718,7  <at>  <at>  do
         -n|--name)      name=$2; shift 2;;
         -c|--clean)     clean=$2; shift 2;;
         -R|--release)   release=$2; shift 2;;
-	--repo)		repo="$2"; shift 2;;
+        --repo)         repo="$2"; shift 2;;
         -a|--arch)      newarch=$2; shift 2;;
         --fqdn)         utsname=$2; shift 2;;
         --)             shift 1; break ;;
 <at>  <at>  -757,28 +776,6  <at>  <at>  fi
 
 cache_base= <at> LOCALSTATEDIR <at> /cache/lxc/centos/$basearch
 
-# Let's do something better for the initial root password.
-# It's not perfect but it will defeat common scanning brute force
-# attacks in the case where ssh is exposed.  It will also be set to
-# expired, forcing the user to change it at first login.
-if [ "${root_password}" = "" ]
-then
-    root_password=Root-${name}-${RANDOM}
-else
-    # If it's got a ding in it, try and expand it!
-    if [ $(expr "${root_password}" : '.*$.') != 0 ]
-    then
-        root_password=$(eval echo "${root_password}")
-    fi
-
-    # If it has more than 3 consequtive X's in it, feed it
-    # through mktemp as a template.
-    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
-    then
-        root_password=$(mktemp -u ${root_password})
-    fi
-fi
-
 if [ -z "${utsname}" ]; then
     utsname=${name}
 fi
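Review bot: removing the `root_password=$(eval echo "${root_password}")` expansion of a value taken straight from the environment is a welcome change; the replacement in `functions` (`lxc_setup_user`, not part of this diff) should be checked so that it does not reintroduce an eval on `LXC_PASSWORD`. The behaviour the removed block provided (random default of the form Root-${name}-${RANDOM}, mktemp templating on XXXX, expiry at first login) was only documented in these comments, so the template header should say what the LXC_* variables now do.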
 <at>  <at>  -844,14 +841,15  <at>  <at>  if [ "$(id -u)" != "0" ]; then
 fi
 
 
-if [ -z "$rootfs_path" ]; then
-    rootfs_path=$path/rootfs
+if [ -z "${rootfs}" ]; then
+    rootfs=$path/rootfs
     # check for 'lxc.rootfs' passed in through default config by lxc-create
     if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
-        rootfs_path=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
+        rootfs=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
             -e 's/^lxc.rootfs\s*=\s*//' -e q $path/config)
     fi
 fi
+
 config_path=$path
 cache=$cache_base/$release
 
 <at>  <at>  -885,51 +883,54  <at>  <at>  if [ $? -ne 0 ]; then
     exit 1
 fi
 
-configure_centos_init
+# If the systemd configuration directory exists - set it up for what we need.
+if [ -d ${rootfs}/etc/systemd/system ]
+then
+    configure_centos_systemd
+fi
+
+# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
+# above and may actually coexist on some upgraded systems.  Let's just make
+# sure that, if it exists, we update this file, even if it's not used...
+if [ -f ${rootfs}/etc/rc.sysinit ]
+then
+    configure_centos_init
+fi
 
 if [ ! -z $clean ]; then
     clean || exit 1
     exit 0
 fi
+
 echo "
 Container rootfs and config have been created.
 Edit the config file to check/enable networking setup.
 "
 
-if [ ${root_display_password} = "yes" ]
-then
-    echo "The temporary password for root is: '$root_password'
+# Set up the superuser user.
+# Several of the LXC_ variables are environment variables set up
+# in the "functions" file but can be overriden byt the calling environment
+# or by the template or ignored in calling this function.
+lxc_setup_user \
+    "${name}" \
+    "${rootfs}" \
+    "${config_path}" \
+    "${LXC_DEFAULT_USER}" \
+    "${LXC_PASSWORD}" \
+    "${LXC_DISPLAY_PASSWORD}" \
+    "${LXC_STORE_PASSWORD}" \
+    "${LXC_EXPIRE_PASSWORD}"
+
+# Add a "centos" user using the same template and config.
+# This is congruent with several other templates...
+lxc_setup_user \
+    "${name}" \
+    "${rootfs}" \
+    "${config_path}" \
+    "centos" \
+    "${LXC_PASSWORD}" \
+    "${LXC_DISPLAY_PASSWORD}" \
+    "${LXC_STORE_PASSWORD}" \
+    "${LXC_EXPIRE_PASSWORD}"
 
-You may want to note that password down before starting the container.
-"
-fi
-
-if [ ${root_store_password} = "yes" ]
-then
-    echo "The temporary root password is stored in:
-
-        '${config_path}/tmp_root_pass'
-"
-fi
-
-if [ ${root_prompt_password} = "yes" ]
-then
-    echo "Invoking the passwd command in the container to set the root password.
-
-        chroot ${rootfs_path} passwd
-"
-    chroot ${rootfs_path} passwd
-else
-    if [ ${root_expire_password} = "yes" ]
-    then
-        echo "
-The root password is set up as "expired" and will require it to be changed
-at first login, which you should do as soon as possible.  If you lose the
-root password or wish to change it without starting the container, you
-can change it from the host by running the following command (which will
-also reset the expired flag):
-
-        chroot ${rootfs_path} passwd
-"
-    fi
-fi
+exit 0
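Review bot: both `lxc_setup_user` calls are unchecked and the script ends with an unconditional `exit 0`, so if `functions` was not sourced (the include is conditional elsewhere in this patch) or the user setup fails, lxc-create still reports success and the container keeps whatever root password state the packages shipped, after "Container rootfs and config have been created." has already been printed. Add `|| exit 1` to both calls, or verify `type lxc_setup_user` before printing that message. Note also that root and the new `centos` account receive the same `${LXC_PASSWORD}` and, with `${LXC_STORE_PASSWORD}`, presumably both end up in a file under `${config_path}` as the removed tmp_root_pass logic did; that is worth documenting in the header. Typo: "overriden byt".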
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index a56e7ec..bfc2fc7 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
 <at>  <at>  -28,44 +28,13  <at>  <at> 
 
 #Configurations
 default_path= <at> LXCPATH <at> 
+template_path= <at> LXCTEMPLATEDIR <at> 
 
-# Some combinations of the tuning knobs below do not exactly make sense.
-# but that's ok.
-#
-# If the "root_password" is non-blank, use it, else set a default.
-# This can be passed to the script as an environment variable and is
-# set by a shell conditional assignment.  Looks weird but it is what it is.
-#
-# If the root password contains a ding ($) then try to expand it.
-# That will pick up things like ${name} and ${RANDOM}.
-# If the root password contians more than 3 consecutive X's, pass it as
-# a template to mktemp and take the result.
-#
-# If root_display_password = yes, display the temporary root password at exit.
-# If root_store_password = yes, store it in the configuration directory
-# If root_prompt_password = yes, invoke "passwd" to force the user to change
-# the root password after the container is created.
-# If root_expire_password = yes, you will be prompted to change the root
-# password at the first login.
-#
-# These are conditional assignments...  The can be overridden from the
-# preexisting environment variables...
-#
-# Make sure this is in single quotes to defer expansion to later!
-# :{root_password='Root-${name}-${RANDOM}'}
-: ${root_password='Root-${name}-XXXXXX'}
-
-# Now, it doesn't make much sense to display, store, and force change
-# together.  But, we gotta test, right???
-: ${root_display_password='no'}
-: ${root_store_password='yes'}
-# Prompting for something interactive has potential for mayhem
-# with users running under the API...  Don't default to "yes"
-: ${root_prompt_password='no'}
-
-# Expire root password? Default to yes, but can be overridden from
-# the environment variable
-: ${root_expire_password='yes'}
+# Load up some common functions
+if [ -f ${template_path}/functions ]
+then
+    . ${template_path}/functions
+fi
 
 # These are only going into comments in the resulting config...
 lxc_network_type=veth
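Review bot: the `functions` include is conditional (`if [ -f ${template_path}/functions ]`), yet nothing downstream works without it; make the missing file fatal with an `else` branch that prints an error and exits non-zero. The deleted comment block was the only documentation of the password tunables; since they are replaced by LXC_PASSWORD, LXC_DISPLAY_PASSWORD, LXC_STORE_PASSWORD and LXC_EXPIRE_PASSWORD (per the `lxc_setup_user` call sites in this patch), a short replacement comment naming those variables and their defaults belongs here.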
 <at>  <at>  -134,31 +103,31  <at>  <at>  configure_fedora()
 {
 
     # disable selinux in fedora
-    mkdir -p $rootfs_path/selinux
-    echo 0 > $rootfs_path/selinux/enforce
+    mkdir -p ${rootfs}/selinux
+    echo 0 > ${rootfs}/selinux/enforce
 
     # Also kill it in the /etc/selinux/config file if it's there...
-    if [[ -f $rootfs_path/etc/selinux/config ]]
+    if [[ -f ${rootfs}/etc/selinux/config ]]
     then
-        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
+        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' ${rootfs}/etc/selinux/config
     fi
 
     # Nice catch from Dwight Engen in the Oracle template.
     # Wantonly plagerized here with much appreciation.
-    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
-        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
-        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
+    if [ -f ${rootfs}/usr/sbin/selinuxenabled ]; then
+        mv ${rootfs}/usr/sbin/selinuxenabled ${rootfs}/usr/sbin/selinuxenabled.lxcorig
+        ln -s /bin/false ${rootfs}/usr/sbin/selinuxenabled
     fi
 
     # This is a known problem and documented in RedHat bugzilla as relating
     # to a problem with auditing enabled.  This prevents an error in
     # the container "Cannot make/remove an entry for the specified session"
-    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
-    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
+    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/login
+    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/sshd
 
-    if [ -f ${rootfs_path}/etc/pam.d/crond ]
+    if [ -f ${rootfs}/etc/pam.d/crond ]
     then
-        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
+        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs}/etc/pam.d/crond
     fi
 
     # In addition to disabling pam_loginuid in the above config files
 <at>  <at>  -166,27 +135,27  <at>  <at>  configure_fedora()
     # we missed or any that get installed after the container is built.
     #
     # Catch either or both 32 and 64 bit archs.
-    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
+    if [ -f ${rootfs}/lib/security/pam_loginuid.so ]
     then
-        ( cd ${rootfs_path}/lib/security/
+        ( cd ${rootfs}/lib/security/
         mv pam_loginuid.so pam_loginuid.so.disabled
         ln -s pam_permit.so pam_loginuid.so
         )
     fi
 
-    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
+    if [ -f ${rootfs}/lib64/security/pam_loginuid.so ]
     then
-        ( cd ${rootfs_path}/lib64/security/
+        ( cd ${rootfs}/lib64/security/
         mv pam_loginuid.so pam_loginuid.so.disabled
         ln -s pam_permit.so pam_loginuid.so
         )
     fi
 
     # Set default localtime to the host localtime if not set...
-    if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ]
+    if [ -e /etc/localtime -a ! -e ${rootfs}/etc/localtime ]
     then
         # if /etc/localtime is a symlink, this should preserve it.
-        cp -a /etc/localtime ${rootfs_path}/etc/localtime
+        cp -a /etc/localtime ${rootfs}/etc/localtime
     fi
 
     # Deal with some dain bramage in the /etc/init.d/halt script.
 <at>  <at>  -202,26 +171,26  <at>  <at>  configure_fedora()
     #
     # This is mostly for legacy distros since any modern systemd Fedora
     # release will not have this script so we won't try to intercept it.
-    if [ -f ${rootfs_path}/etc/init.d/halt ]
+    if [ -f ${rootfs}/etc/init.d/halt ]
     then
         sed -e '/hwclock/,$d' \
-            < ${rootfs_path}/etc/init.d/halt \
-            > ${rootfs_path}/etc/init.d/lxc-halt
+            < ${rootfs}/etc/init.d/halt \
+            > ${rootfs}/etc/init.d/lxc-halt
 
-        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
-        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt
+        echo '$command -f' >> ${rootfs}/etc/init.d/lxc-halt
+        chmod 755 ${rootfs}/etc/init.d/lxc-halt
 
         # Link them into the rc directories...
         (
-             cd ${rootfs_path}/etc/rc.d/rc0.d
+             cd ${rootfs}/etc/rc.d/rc0.d
              ln -s ../init.d/lxc-halt S00lxc-halt
-             cd ${rootfs_path}/etc/rc.d/rc6.d
+             cd ${rootfs}/etc/rc.d/rc6.d
              ln -s ../init.d/lxc-halt S00lxc-reboot
         )
     fi
 
     # configure the network using the dhcp
-    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
+    cat <<EOF > ${rootfs}/etc/sysconfig/network-scripts/ifcfg-eth0
 DEVICE=eth0
 BOOTPROTO=dhcp
 ONBOOT=yes
 <at>  <at>  -232,18 +201,18  <at>  <at>  MTU=${MTU}
 EOF
 
     # set the hostname
-    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
+    cat <<EOF > ${rootfs}/etc/sysconfig/network
 NETWORKING=yes
 HOSTNAME=${utsname}
 EOF
 
     # set hostname on systemd Fedora systems
     if [ $release -gt 14 ]; then
-        echo "${utsname}" > ${rootfs_path}/etc/hostname
+        echo "${utsname}" > ${rootfs}/etc/hostname
     fi
 
     # set minimal hosts
-    cat <<EOF > $rootfs_path/etc/hosts
+    cat <<EOF > ${rootfs}/etc/hosts
 127.0.0.1 localhost.localdomain localhost $utsname
 ::1                 localhost6.localdomain6 localhost6
 EOF
 <at>  <at>  -251,7 +220,7  <at>  <at>  EOF
     # These mknod's really don't make any sense with modern releases of
     # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
     # here for legacy reasons and older releases with upstart and sysv init.
-    dev_path="${rootfs_path}/dev"
+    dev_path="${rootfs}/dev"
     rm -rf $dev_path
     mkdir -p $dev_path
     mknod -m 666 ${dev_path}/null c 1 3
 <at>  <at>  -278,83 +247,63  <at>  <at>  EOF
     # since lxc.devttydir is specified in the config.
 
     # allow root login on console, tty[1-4], and pts/0 for libvirt
-    echo "# LXC (Linux Containers)" >>${rootfs_path}/etc/securetty
-    echo "lxc/console"  >>${rootfs_path}/etc/securetty
-    echo "lxc/tty1"     >>${rootfs_path}/etc/securetty
-    echo "lxc/tty2"     >>${rootfs_path}/etc/securetty
-    echo "lxc/tty3"     >>${rootfs_path}/etc/securetty
-    echo "lxc/tty4"     >>${rootfs_path}/etc/securetty
-    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs_path}/etc/securetty
-    echo "pts/0"        >>${rootfs_path}/etc/securetty
-
-    if [ ${root_display_password} = "yes" ]
-    then
-        echo "Setting root password to '$root_password'"
-    fi
-    if [ ${root_store_password} = "yes" ]
-    then
-        touch ${config_path}/tmp_root_pass
-        chmod 600 ${config_path}/tmp_root_pass
-        echo ${root_password} > ${config_path}/tmp_root_pass
-        echo "Storing root password in '${config_path}/tmp_root_pass'"
-    fi
-
-    echo "root:$root_password" | chroot $rootfs_path chpasswd
-
-    if [ ${root_expire_password} = "yes" ]
-    then
-        # Also set this password as expired to force the user to change it!
-        chroot $rootfs_path passwd -e root
-    fi
+    echo "# LXC (Linux Containers)" >>${rootfs}/etc/securetty
+    echo "lxc/console"  >>${rootfs}/etc/securetty
+    echo "lxc/tty1"     >>${rootfs}/etc/securetty
+    echo "lxc/tty2"     >>${rootfs}/etc/securetty
+    echo "lxc/tty3"     >>${rootfs}/etc/securetty
+    echo "lxc/tty4"     >>${rootfs}/etc/securetty
+    echo "# For libvirt/Virtual Machine Monitor" >>${rootfs}/etc/securetty
+    echo "pts/0"        >>${rootfs}/etc/securetty
 
     # specifying this in the initial packages doesn't always work.
     # Even though it should have...
     echo "installing fedora-release package"
-    mount -o bind /dev ${rootfs_path}/dev
-    mount -t proc proc ${rootfs_path}/proc
+    mount -o bind /dev ${rootfs}/dev
+    mount -t proc proc ${rootfs}/proc
     # Always make sure /etc/resolv.conf is up to date in the target!
-    cp /etc/resolv.conf ${rootfs_path}/etc/
+    cp /etc/resolv.conf ${rootfs}/etc/
     # Rebuild the rpm database based on the target rpm version...
-    rm -f ${rootfs_path}/var/lib/rpm/__db*
-    chroot ${rootfs_path} rpm --rebuilddb
-    chroot ${rootfs_path} yum -y install fedora-release
+    rm -f ${rootfs}/var/lib/rpm/__db*
+    chroot ${rootfs} rpm --rebuilddb
+    chroot ${rootfs} yum -y install fedora-release
 
-    if [[ ! -e ${rootfs_path}/sbin/NetworkManager ]]
+    if [[ ! -e ${rootfs}/sbin/NetworkManager ]]
     then
         # NetworkManager has not been installed.  Use the
         # legacy chkconfig command to enable the network startup
         # scripts in the container.
-        chroot ${rootfs_path} chkconfig network on
+        chroot ${rootfs} chkconfig network on
     fi
 
-    umount ${rootfs_path}/proc
-    umount ${rootfs_path}/dev
+    umount ${rootfs}/proc
+    umount ${rootfs}/dev
 
     # silence some needless startup errors
-    touch ${rootfs_path}/etc/fstab
+    touch ${rootfs}/etc/fstab
 
     # give us a console on /dev/console
     sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
-        ${rootfs_path}/etc/sysconfig/init
+        ${rootfs}/etc/sysconfig/init
 
     return 0
 }
 
 configure_fedora_init()
 {
-    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
-    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
+    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.sysinit
+    sed -i 's|.sbin.start_udev||' ${rootfs}/etc/rc.d/rc.sysinit
     # don't mount devpts, for pete's sake
-    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
-    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
-    chroot ${rootfs_path} chkconfig udev-post off
-    chroot ${rootfs_path} chkconfig network on
+    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs}/etc/rc.sysinit
+    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs}/etc/rc.d/rc.sysinit
+    chroot ${rootfs} chkconfig udev-post off
+    chroot ${rootfs} chkconfig network on
 
-    if [ -d ${rootfs_path}/etc/init ]
+    if [ -d ${rootfs}/etc/init ]
     then
        # This is to make upstart honor SIGPWR.  Should do no harm
        # on systemd systems and some systems may have both.
-        cat <<EOF >${rootfs_path}/etc/init/power-status-changed.conf
+        cat <<EOF >${rootfs}/etc/init/power-status-changed.conf
 #  power-status-changed - shutdown on SIGPWR
 #
 start on power-status-changed
 <at>  <at>  -366,14 +315,14  <at>  <at>  EOF
 
 configure_fedora_systemd()
 {
-    rm -f ${rootfs_path}/etc/systemd/system/default.target
-    touch ${rootfs_path}/etc/fstab
-    chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
-    chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+    rm -f ${rootfs}/etc/systemd/system/default.target
+    touch ${rootfs}/etc/fstab
+    chroot ${rootfs} ln -s /dev/null /etc/systemd/system/udev.service
+    chroot ${rootfs} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
     # Make systemd honor SIGPWR
-    chroot ${rootfs_path} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
+    chroot ${rootfs} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
     #dependency on a device unit fails it specially that we disabled udev
-    # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\ <at> .service
+    # sed -i 's/After=dev-%i.device/After=/' ${rootfs}/lib/systemd/system/getty\ <at> .service
     #
     # Actually, the After=dev-%i.device line does not appear in the
     # Fedora 17 or Fedora 18 systemd getty\ <at> .service file.  It may be left
 <at>  <at>  -385,11 +334,11  <at>  <at>  configure_fedora_systemd()
 
     sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
         -e 's/After=dev-%i.device/After=/' \
-        < ${rootfs_path}/lib/systemd/system/getty\ <at> .service \
-        > ${rootfs_path}/etc/systemd/system/getty\ <at> .service
+        < ${rootfs}/lib/systemd/system/getty\ <at> .service \
+        > ${rootfs}/etc/systemd/system/getty\ <at> .service
     # Setup getty service on the 4 ttys we are going to allow in the
     # default config.  Number should match lxc.tty
-    ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
+    ( cd ${rootfs}/etc/systemd/system/getty.target.wants
         for i in 1 2 3 4 ; do ln -sf ../getty\ <at> .service getty <at> tty${i}.service; done )
 }
 
 <at>  <at>  -970,11 +919,11  <at>  <at>  copy_fedora()
 {
 
     # make a local copy of the minifedora
-    echo -n "Copying rootfs to $rootfs_path ..."
-    #cp -a $cache/rootfs-$basearch $rootfs_path || return 1
+    echo -n "Copying rootfs to ${rootfs} ..."
+    #cp -a $cache/rootfs-$basearch ${rootfs} || return 1
     # i prefer rsync (no reason really)
-    mkdir -p $rootfs_path
-    rsync -Ha $cache/rootfs/ $rootfs_path/
+    mkdir -p ${rootfs}
+    rsync -Ha $cache/rootfs/ ${rootfs}/
     echo
     return 0
 }
 <at>  <at>  -1017,7 +966,7  <at>  <at>  install_fedora()
             fi
         fi
 
-        echo "Copy $cache/rootfs to $rootfs_path ... "
+        echo "Copy $cache/rootfs to ${rootfs} ... "
         copy_fedora
         if [ $? -ne 0 ]; then
             echo "Failed to copy rootfs"
 <at>  <at>  -1042,7 +991,7  <at>  <at>  copy_configuration()
     mkdir -p $config_path
 
     grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
-lxc.rootfs = $rootfs_path
+lxc.rootfs = ${rootfs}
 " >> $config_path/config
 
     # The following code is to create static MAC addresses for each
 <at>  <at>  -1088,11 +1037,19  <at>  <at>  lxc.include =  <at> LXCTEMPLATECONFIG <at> /fedora.common.conf
 lxc.arch = $arch
 lxc.utsname = $utsname
 
-lxc.autodev = $auto_dev
+EOF
 
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+    if [ "${auto_dev}" != "0" ]
+    then
+        # Keep systemd and journald happy...
+        echo "\
+lxc.autodev = 1
+lxc.kmsg = 0
+" >> $config_path/config
+    fi
 
+    # Throw on some commments...
+    cat <<EOF >> $config_path/config
 # example simple networking setup, uncomment to enable
 #lxc.network.type = $lxc_network_type
 #lxc.network.flags = up
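Review bot: typo in the new comment `# Throw on some commments...` (three m's). More substantively, replacing `lxc.autodev = $auto_dev` with a block that is only written when `${auto_dev}` is not `0` means a container created with `auto_dev=0` gets no `lxc.autodev` line at all and silently inherits whatever default LXC applies; if recording the explicit setting was intended, write `lxc.autodev = 0` in an `else` branch, otherwise note in the comment that the default is relied upon.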
 <at>  <at>  -1232,28 +1189,6  <at>  <at>  fi
 
 cache_base= <at> LOCALSTATEDIR <at> /cache/lxc/fedora/$basearch
 
-# Let's do something better for the initial root password.
-# It's not perfect but it will defeat common scanning brute force
-# attacks in the case where ssh is exposed.  It will also be set to
-# expired, forcing the user to change it at first login.
-if [ "${root_password}" = "" ]
-then
-    root_password=Root-${name}-${RANDOM}
-else
-    # If it's got a ding in it, try and expand it!
-    if [ $(expr "${root_password}" : '.*$.') != 0 ]
-    then
-        root_password=$(eval echo "${root_password}")
-    fi
-
-    # If it has more than 3 consequtive X's in it, feed it
-    # through mktemp as a template.
-    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
-    then
-        root_password=$(mktemp -u ${root_password})
-    fi
-fi
-
 if [ -z "${utsname}" ]; then
     utsname=${name}
 fi
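Review bot: the removed block was the only place visible in this hunk that gave `root_password` a random default (`Root-${name}-${RANDOM}`, later flagged expired) and, less happily, ran `eval echo` on a caller-supplied string; since the replacement is the shared `lxc_setup_user` in `functions`, the commit message or a comment here should say so, and the shared code should be checked against the same two points (a random, expired default when none is given, and no `eval` of caller-supplied input).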
 <at>  <at>  -1317,11 +1252,11  <at>  <at>  if [ "$(id -u)" != "0" ]; then
 fi
 
 
-if [ -z "$rootfs_path" ]; then
-    rootfs_path=$path/rootfs
+if [ -z "${rootfs}" ]; then
+    rootfs=$path/rootfs
     # check for 'lxc.rootfs' passed in through default config by lxc-create
     if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
-        rootfs_path=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
+        rootfs=$(sed -e '/^lxc.rootfs\s*=/!d' -e 's/\s*#.*//' \
             -e 's/^lxc.rootfs\s*=\s*//' -e q $path/config)
     fi
 fi
 <at>  <at>  -1359,7 +1294,7  <at>  <at>  if [ $? -ne 0 ]; then
 fi
 
 # If the systemd configuration directory exists - set it up for what we need.
-if [ -d ${rootfs_path}/etc/systemd/system ]
+if [ -d ${rootfs}/etc/systemd/system ]
 then
     configure_fedora_systemd
 fi
 <at>  <at>  -1367,7 +1302,7  <at>  <at>  fi
 # This configuration (rc.sysinit) is not inconsistent with the systemd stuff
 # above and may actually coexist on some upgraded systems.  Let's just make
 # sure that, if it exists, we update this file, even if it's not used...
-if [ -f ${rootfs_path}/etc/rc.sysinit ]
+if [ -f ${rootfs}/etc/rc.sysinit ]
 then
     configure_fedora_init
 fi
 <at>  <at>  -1376,6 +1311,7  <at>  <at>  if [ ! -z $clean ]; then
     clean || exit 1
     exit 0
 fi
+
 echo "
 Container rootfs and config have been created.
 Edit the config file to check/enable networking setup.
 <at>  <at>  -1398,40 +1334,30  <at>  <at>  and may be removed.
 "
 fi
 
-if [ ${root_display_password} = "yes" ]
-then
-    echo "The temporary password for root is: '$root_password'
-
-You may want to note that password down before starting the container.
-"
-fi
-
-if [ ${root_store_password} = "yes" ]
-then
-    echo "The temporary root password is stored in:
-
-        '${config_path}/tmp_root_pass'
-"
-fi
-
-if [ ${root_prompt_password} = "yes" ]
-then
-    echo "Invoking the passwd command in the container to set the root password.
-
-        chroot ${rootfs_path} passwd
-"
-    chroot ${rootfs_path} passwd
-else
-    if [ ${root_expire_password} = "yes" ]
-    then
-        echo "
-The root password is set up as "expired" and will require it to be changed
-at first login, which you should do as soon as possible.  If you lose the
-root password or wish to change it without starting the container, you
-can change it from the host by running the following command (which will
-also reset the expired flag):
-
-        chroot ${rootfs_path} passwd
-"
-    fi
-fi
+# Set up the superuser user.
+# Several of the LXC_ variables are environment variables set up
+# in the "functions" file but can be overriden byt the calling environment
+# or by the template or ignored in calling this function.
+lxc_setup_user \
+    "${name}" \
+    "${rootfs}" \
+    "${config_path}" \
+    "${LXC_DEFAULT_USER}" \
+    "${LXC_PASSWORD}" \
+    "${LXC_DISPLAY_PASSWORD}" \
+    "${LXC_STORE_PASSWORD}" \
+    "${LXC_EXPIRE_PASSWORD}"
+
+# Add a "fedora" user using the same template and config.
+# This is congruent with several other templates...
+lxc_setup_user \
+    "${name}" \
+    "${rootfs}" \
+    "${config_path}" \
+    "fedora" \
+    "${LXC_PASSWORD}" \
+    "${LXC_DISPLAY_PASSWORD}" \
+    "${LXC_STORE_PASSWORD}" \
+    "${LXC_EXPIRE_PASSWORD}"
+
+exit 0
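Review bot: `overriden byt` in the new comment should read `overridden by`. Two behaviour points: the removed `root_prompt_password` path (`chroot ${rootfs_path} passwd`) has no counterpart in either `lxc_setup_user` argument list, so the interactive option disappears unless `functions` handles it another way, and both calls receive the same `${LXC_PASSWORD}`, so when a caller sets it, root and the new `fedora` user end up with identical passwords; either document that or take a separate variable for the unprivileged user.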
diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
index 4fdaece..fb47957 100644
--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
 <at>  <at>  -230,6 +230,7  <at>  <at>  copy_configuration()
     cat <<EOF >> $config_path/config
 lxc.utsname = $name
 lxc.autodev = 1
+lxc.kmsg = 0
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index c4dce5d..cc43aa0 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
 <at>  <at>  -26,6 +26,16  <at>  <at> 
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
+#Configurations
+default_path= <at> LXCPATH <at> 
+template_path= <at> LXCTEMPLATEDIR <at> 
+
+# Load up some common functions
+if [ -f ${template_path}/functions ]
+then
+    . ${template_path}/functions
+fi
+
 # Detect use under userns (unsupported)
 for arg in "$ <at> "; do
     [ "$arg" = "--" ] && break
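Review bot: the `functions` include is optional (`if [ -f ${template_path}/functions ]`), yet the final hunk of this template calls `lxc_setup_user` unconditionally, so a missing or mis-installed `functions` file surfaces only as `command not found` after the whole rootfs has been built; fail early with a clear error here, or guard the later calls. Minor: `#Configurations` lacks the space after `#` that the surrounding comments use.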
 <at>  <at>  -108,9 +118,6  <at>  <at>  EOF
 
     touch $rootfs/etc/sysconfig/kernel
 
-    echo "Please change root-password !"
-    echo "root:root" | chpasswd -R $rootfs
-
     return 0
 }
 
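Review bot: good to see the hard-coded `root:root` via `chpasswd -R $rootfs` go. The removed `echo "Please change root-password !"` notice has no replacement in this hunk, so the user-facing message now has to come from `lxc_setup_user`; the `LXC_DISPLAY_PASSWORD` and `LXC_EXPIRE_PASSWORD` arguments passed later in this patch suggest it does, but that is worth confirming before merging.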
 <at>  <at>  -265,7 +272,7  <at>  <at>  copy_configuration()
     name=$3
 
     grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "
-lxc.rootfs = $rootfs_path
+lxc.rootfs = ${rootfs}
 " >> $path/config
 
     # The following code is to create static MAC addresses for each
 <at>  <at>  -313,10 +320,11  <at>  <at>  lxc.include =  <at> LXCTEMPLATECONFIG <at> /opensuse.common.conf
 lxc.arch = $arch
 lxc.utsname = $name
 
-lxc.mount = $path/fstab
+# Keep systemd and journald happy...
+lxc.autodev = 1
+lxc.kmsg = 0
 
-# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+lxc.mount = $path/fstab
 
 # example simple networking setup, uncomment to enable
 #lxc.network.type = $lxc_network_type
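Review bot: `lxc.autodev = 1` and `lxc.kmsg = 0` are written unconditionally here, whereas the Fedora template in this same series writes them only when `${auto_dev}` is not `0`; if openSUSE has no `auto_dev` option that is fine, but then the comment should say these are required for this template rather than merely to keep systemd and journald happy. Dropping the commented `#lxc.aa_profile = unconfined` hint is welcome.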
 <at>  <at>  -452,3 +460,31  <at>  <at>  if [ ! -z $clean ]; then
     clean || exit 1
     exit 0
 fi
+
+# Set up the superuser user.
+# Several of the LXC_ variables are environment variables set up
+# in the "functions" file but can be overriden byt the calling environment
+# or by the template or ignored in calling this function.
+lxc_setup_user \
+    "${name}" \
+    "${rootfs}" \
+    "${config_path}" \
+    "${LXC_DEFAULT_USER}" \
+    "${LXC_PASSWORD}" \
+    "${LXC_DISPLAY_PASSWORD}" \
+    "${LXC_STORE_PASSWORD}" \
+    "${LXC_EXPIRE_PASSWORD}"
+
+# Add a "suse" user using the same template and config.
+# This is congruent with several other templates...
+lxc_setup_user \
+    "${name}" \
+    "${rootfs}" \
+    "${config_path}" \
+    "suse" \
+    "${LXC_PASSWORD}" \
+    "${LXC_DISPLAY_PASSWORD}" \
+    "${LXC_STORE_PASSWORD}" \
+    "${LXC_EXPIRE_PASSWORD}"
+
+exit 0
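Review bot: `"${config_path}"` is passed to both `lxc_setup_user` calls, but `copy_configuration` in this template writes its config to `$path/config` (see the `lxc.rootfs` hunk above), so unless `config_path` is set somewhere outside these hunks the argument is an empty string and any password file `lxc_setup_user` stores lands in an unintended location; pass `"${path}"` or set `config_path` explicitly. Same `overriden byt` typo as in the Fedora template, and root and `suse` again share `${LXC_PASSWORD}`.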
-- 
1.9.3



Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw-BetbSzk+GohWk0Htik3J/w <at> public.gmane.org
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

Zhou Kang (Research Institute) | 12 Sep 11:15 2014

[PATCH] procfs in containers based on fuse

Hi

This patch is for a per-container procfs. It is based on Daniel Lezcano's code, which uses fuse (https://github.com/hallyn/procfs), but we made the following improvements.

- The fuse_main is started by lxc_start, so it is easier to manage the container.

- We mount the /proc path in /tmp instead of the rootfs; the path is unique.

- We rewrite the following files: meminfo, stat, cpuinfo, sysrq-trigger. The command 'top' can show the right info in the container.

- /proc/sysrq-trigger is unwritable.

We tested this patch on hundreds of containers for a long time, and it has worked very well.

Kang Zhou

Attachment (procfs.patch): application/octet-stream, 192 KiB
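The meminfo rewrite described in this message, as an added example that is not part of the attached patch: a constructed host /proc/meminfo is rewritten against an assumed cgroup memory limit and usage (both in kB), producing the buffer a FUSE read handler for the container's meminfo would hand back. The sample values and the 4 KiB output bound are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a host /proc/meminfo, not captured from a real machine. */
const char HOST_MEMINFO[] =
    "MemTotal:       16303368 kB\n"
    "MemFree:         9871192 kB\n"
    "MemAvailable:   12442120 kB\n"
    "Buffers:          402232 kB\n";

/* Return the kB value for `key` in a meminfo buffer, or -1 if the key is absent. */
long long meminfo_value(const char *buf, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = buf; p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (!strncmp(p, key, klen) && p[klen] == ':')
            return strtoll(p + klen + 1, NULL, 10);
    return -1;
}

/* Build the container's view from the cgroup memory limit and usage (kB):
 * MemTotal becomes the limit, MemFree/MemAvailable what is left under it, all
 * other lines pass through.  Returns a static buffer, or NULL if it does not fit. */
const char *container_meminfo(const char *host, unsigned long long limit_kb,
                              unsigned long long usage_kb)
{
    static char out[4096];                       /* assumed upper bound */
    unsigned long long left_kb = limit_kb > usage_kb ? limit_kb - usage_kb : 0;
    size_t used = 0;

    for (const char *p = host; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p + 1) : strlen(p);
        const char *k = NULL; unsigned long long v = 0;
        int n;
        if (!strncmp(p, "MemTotal:", 9))           { k = "MemTotal:";     v = limit_kb; }
        else if (!strncmp(p, "MemFree:", 8))       { k = "MemFree:";      v = left_kb; }
        else if (!strncmp(p, "MemAvailable:", 13)) { k = "MemAvailable:"; v = left_kb; }
        /* kernel layout: key padded to 16 columns, value right-aligned in 8 */
        n = k ? snprintf(out + used, sizeof out - used, "%-15s %8llu kB\n", k, v)
              : snprintf(out + used, sizeof out - used, "%.*s", (int)len, p);
        if (n < 0 || (size_t)n >= sizeof out - used)
            return NULL;
        used += (size_t)n;
        p += len;
    }
    return out;
}
```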
David E | 11 Sep 03:43 2014

lxc internals

Hi guys, I am new to LXC and have been trying to learn about the internals of it, but most information I find is more user-level type of information. How can I get to learn more about the details of the implementation of LXC? Any recommendation would be appreciated.

Thank you,
David E
Serge Hallyn | 14 Sep 06:38 2014

[PATCH 1/1] fix root-owned unpriv containers

lxc_map_ids was always using newuidmap if it existed.  We don't want
to use it if we start as root.

Note that when /var/lib/lxc is 700, root still cannot start containers
there, because the subuid will not be able to read the configuration
file to start the container.  Root can work around that by using another
lxcpath, i.e. /opt/lxc.  (We may want to talk about ways to fix this)

Signed-off-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 src/lxc/conf.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c35..6fc85e1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
 <at>  <at>  -3429,15 +3429,15  <at>  <at>  int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 	enum idtype type;
 	char *buf = NULL, *pos, *cmdpath = NULL;

-	cmdpath = on_path("newuidmap", NULL);
-	if (cmdpath) {
-		use_shadow = 1;
-		free(cmdpath);
-	}
-
-	if (!use_shadow && geteuid()) {
-		ERROR("Missing newuidmap/newgidmap");
-		return -1;
+	if (geteuid()) {
+		cmdpath = on_path("newuidmap", NULL);
+		if (cmdpath) {
+			use_shadow = 1;
+			free(cmdpath);
+		} else {
+			ERROR("Missing newuidmap/newgidmap");
+			return -1;
+		}
 	}

 	for(type = ID_TYPE_UID; type <= ID_TYPE_GID; type++) {
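Review bot: `use_shadow` is now left untouched on the root path, so its initialiser (outside this hunk) must be 0 for the change to have the intended effect; worth a glance. Also, only `newuidmap` is probed while the error message names `newuidmap/newgidmap`; since the loop below runs both the UID and GID passes, probe both binaries, or document that the shadow package always ships them together.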
-- 
2.1.0

