The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
If you amend a template script, you alter the configuration files of all containers that you subsequently create from that script. If you amend the config file for a container, you alter the configuration of that container and all containers that you subsequently clone from it.
The lxc-oracle template script defines system settings and resources that are assigned to a running container, including:

- the default passwords for the oracle and root users, which are set to oracle and root respectively
- the host name (lxc.utsname), which is set to the name of the container
- the number of available terminals (lxc.tty), which is set to 4
- the location of the container's root file system on the host (lxc.rootfs)
- the location of the fstab mount configuration file (lxc.mount)
- all system capabilities that are not available to the container (lxc.cap.drop)
- the local network interface configuration (lxc.network)
- all whitelisted cgroup devices (lxc.cgroup.devices.allow)

The template script sets the virtual network type (lxc.network.type) and bridge (lxc.network.link) to veth and virbr0. If you want to use a macvlan bridge or Virtual Ethernet Port Aggregator that allows external systems to access your container via the network, you must modify the container's configuration file. See Section 27.2.5, “About Veth and Macvlan” and Section 27.2.6, “Modifying a Container to Use Macvlan”.
To enhance security, you can uncomment lxc.cap.drop capabilities to prevent root in the container from performing certain actions. For example, dropping the sys_admin capability prevents root from remounting the container's fstab entries as writable. However, dropping sys_admin also prevents the container from mounting any file system and disables the hostname command. By default, the template script drops the following capabilities: mac_admin, mac_override, setfcap, setpcap, sys_module, sys_nice, sys_pacct, sys_rawio, and sys_time.
For more information, see Chapter 10, Control Groups and the capabilities(7) and lxc.conf(5) manual pages.
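
An added example (not part of the Oracle documentation or the lxc-oracle template): a Python check that reads a container's config text and reports which of the default lxc.cap.drop entries listed above are not active, and whether sys_admin is dropped. The sample config and the container name ol6ctr1 are constructed; treating an empty lxc.cap.drop value as clearing earlier drops is an assumption based on later LXC releases.

```python
# Added example: audit lxc.cap.drop lines in a container config against the
# capabilities this section says the lxc-oracle template drops by default.
TEMPLATE_DEFAULT_DROPS = {
    "mac_admin", "mac_override", "setfcap", "setpcap", "sys_module",
    "sys_nice", "sys_pacct", "sys_rawio", "sys_time",
}

def dropped_capabilities(config_text):
    """Return the set of capabilities dropped by active lxc.cap.drop lines."""
    dropped = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out drops do not apply
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.cap.drop":
            continue
        names = value.split()  # one line may list several capabilities
        if not names:
            # Assumption: an empty value clears earlier drops (behaviour
            # documented for later LXC releases).
            dropped.clear()
        dropped.update(name.lower() for name in names)
    return dropped

def audit(config_text):
    """Report default drops that are missing and whether sys_admin is dropped."""
    dropped = dropped_capabilities(config_text)
    return {
        "missing_defaults": sorted(TEMPLATE_DEFAULT_DROPS - dropped),
        "sys_admin_dropped": "sys_admin" in dropped,
    }

# Constructed sample config (not taken from a real container).
SAMPLE_CONFIG = """\
lxc.utsname = ol6ctr1
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio
# lxc.cap.drop = sys_time
#lxc.cap.drop = sys_admin
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("default drops missing:", report["missing_defaults"] or "none")
    print("sys_admin dropped:", report["sys_admin_dropped"])
```
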
When you create a container, the template script writes the container's configuration settings and mount configuration to /container/name/config and /container/name/fstab, and sets up the container's root file system under /container/name/rootfs.
Unless you specify to clone an existing root file system, the template script installs the following packages under rootfs (by default, from the Oracle Linux Yum Server at https://yum.oracle.com):

| Package | Description |
|---|---|
| | chkconfig utility for maintaining the |
| | DHCP client daemon ( |
| | |
| | Open source SSH server daemon, |
| | Oracle Linux 6 release and information files. |
| | passwd utility for setting or changing passwords using PAM. |
| | SELinux policy core utilities. |
| | Basic files required by the |
| | Enhanced system logging and kernel message trapping daemons. |
| | Minimal version of the VIM editor. |
| | yum utility for installing, updating and managing RPM packages. |

The template script edits the system configuration files under rootfs to set up networking in the container and to disable unnecessary services including volume management (LVM), device management (udev), the hardware clock, readahead, and the Plymouth boot system.