9.2.4 About the lxc-oracle Template Script

Note

If you amend a template script, you alter the configuration files of all containers that you subsequently create from that script. If you amend the config file for a container, you alter the configuration of that container and all containers that you subsequently clone from it.

The lxc-oracle template script defines system settings and resources that are assigned to a running container, including:

  • the default passwords for the oracle and root users, which are set to oracle and root respectively

  • the host name (lxc.utsname), which is set to the name of the container

  • the number of available terminals (lxc.tty), which is set to 4

  • the location of the container's root file system on the host (lxc.rootfs)

  • the location of the fstab mount configuration file (lxc.mount)

  • all system capabilities that are not available to the container (lxc.cap.drop)

  • the local network interface configuration (lxc.network)

  • all whitelisted cgroup devices (lxc.cgroup.devices.allow)

The template script sets the virtual network type (lxc.network.type) and bridge (lxc.network.link) to veth and virbr0. If you want to use a macvlan bridge or Virtual Ethernet Port Aggregator that allows external systems to access your container via the network, you must modify the container's configuration file. See Section 9.2.5, “About Veth and Macvlan” and Section 9.2.6, “Modifying a Container to Use Macvlan”.

To enhance security, you can uncomment lxc.cap.drop capabilities to prevent root in the container from performing certain actions. For example, dropping the sys_admin capability prevents root from remounting the container's fstab entries as writable. However, dropping sys_admin also prevents the container from mounting any file system and disables the hostname command. By default, the template script drops the following capabilities: mac_admin, mac_override, setfcap, setpcap, sys_module, sys_nice, sys_pacct, sys_rawio, and sys_time.

For more information, see Chapter 8, Control Groups and the capabilities(7) and lxc.conf(5) manual pages.

When you create a container, the template script writes the container's configuration settings and mount configuration to /container/name/config and /container/name/fstab, and sets up the container's root file system under /container/name/rootfs.
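The following is an added example, not part of the template script or of the original documentation: a shell audit that reports which of the default-dropped capabilities listed above a container's config file no longer drops, and whether sys_admin is dropped. The function names and the sample config (container name ol6ctr1) are constructed for illustration. The sketch assumes that lxc.cap.drop values are space-separated and that repeated lxc.cap.drop lines accumulate.

```shell
#!/bin/sh
# Capabilities that the lxc-oracle template drops by default (from the text above).
DEFAULT_DROPS="mac_admin mac_override setfcap setpcap sys_module sys_nice sys_pacct sys_rawio sys_time"

# Print each capability named on an active (uncommented) lxc.cap.drop line,
# one per line, sorted and de-duplicated.
dropped_caps() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out settings
        /^[ \t]*lxc\.cap\.drop[ \t]*=/ {
            sub(/^[^=]*=/, "")                   # keep only the value part
            n = split($0, caps, " ")             # split on runs of whitespace
            for (i = 1; i <= n; i++) print tolower(caps[i])
        }' "$1" | sort -u
}

# Print the default-dropped capabilities that the config does not drop.
missing_default_drops() {
    dropped=$(dropped_caps "$1")
    for cap in $DEFAULT_DROPS; do
        printf '%s\n' "$dropped" | grep -qx "$cap" || printf '%s\n' "$cap"
    done
}

# Succeed (exit status 0) only if the config drops sys_admin.
drops_sys_admin() {
    dropped_caps "$1" | grep -qx sys_admin
}

# Constructed sample config: two default drops have been commented out.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.utsname = ol6ctr1
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_pacct
lxc.cap.drop = sys_rawio
# lxc.cap.drop = sys_nice sys_time
# lxc.cap.drop = sys_admin
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "Default drops missing from config:"
missing_default_drops "$cfg"
if drops_sys_admin "$cfg"; then echo "sys_admin: dropped"; else echo "sys_admin: retained"; fi
rm -f "$cfg"
```

To audit a real container, pass its /container/name/config file to missing_default_drops and drops_sys_admin in place of the sample file.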

Unless you specify that an existing root file system should be cloned, the template script installs the following packages under rootfs (by default, from the Oracle Linux Yum Server at http://yum.oracle.com):

Package               Description

chkconfig             chkconfig utility for maintaining the /etc/rc*.d hierarchy.
dhclient              DHCP client daemon (dhclient) and dhclient-script.
initscripts           /etc/inittab file and /etc/init.d scripts.
openssh-server        Open source SSH server daemon, /usr/sbin/sshd.
oraclelinux-release   Oracle Linux 6 release and information files.
passwd                passwd utility for setting or changing passwords using PAM.
policycoreutils       SELinux policy core utilities.
rootfiles             Basic files required by the root user.
rsyslog               Enhanced system logging and kernel message trapping daemons.
vim-minimal           Minimal version of the VIM editor.
yum                   yum utility for installing, updating and managing RPM packages.

The template script edits the system configuration files under rootfs to set up networking in the container and to disable unnecessary services including volume management (LVM), device management (udev), the hardware clock, readahead, and the Plymouth boot system.