From 2b5bf68813d5d2c139e150951bb7decce3ce125c Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Wed, 4 Feb 2015 15:46:40 +0100
Subject: [PATCH] lxc: modernize void configuration for guests.
---
 srcpkgs/lxc/files/void.common.conf | 93 ++++++++++-------------------
 srcpkgs/lxc/template | 2 +-
 2 files changed, 30 insertions(+), 65 deletions(-)
diff --git a/srcpkgs/lxc/files/void.common.conf b/srcpkgs/lxc/files/void.common.conf
index f9f99ef061..14c78b9b4c 100644
--- a/srcpkgs/lxc/files/void.common.conf
+++ b/srcpkgs/lxc/files/void.common.conf
@@ -1,69 +1,34 @@
-# Default pivot location
-#lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = /usr/share/lxc/config/common.conf
+# Allow for 6 tty devices by default
+lxc.tty = 6
+
+# Set the halt/stop signals
 lxc.haltsignal = SIGCONT
-# Default mount entries
-lxc.mount.entry = run run tmpfs rw,nosuid,nodev,mode=755 0 0
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
+# Uncomment to disable creating tty devices subdirectory in /dev
+lxc.devttydir =
-# Default console settings
-lxc.tty = 6
-lxc.pts = 1024
-lxc.autodev = 1
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
-# When using LXC with apparmor, the container will be confined by default.
-# If you wish for it to instead run unconfined, copy the following line
-# (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
-
-# To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following two lines instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
-
-# If you wish to allow mounting block filesystems, then use the following
-# line instead, and make sure to grant access to the block device and/or loop
-# devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
-
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-## rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
-## tun
-lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
-## hpet
-lxc.cgroup.devices.allow = c 10:228 rwm
-## kvm
-lxc.cgroup.devices.allow = c 10:232 rwm
-## To use loop devices, copy the following line to the container's
-## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
-
-# Blacklist some syscalls which are not safe in privileged
-# containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+# Setup the default mounts
+lxc.mount.auto = cgroup:ro proc:rw sys:rw
diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 1f736c68fc..8c60e8d57c 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
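Review bot: `lxc.mount.auto = cgroup:ro proc:rw sys:rw` on the last added line mounts /proc and /sys fully read-write, so nothing in this file stops container root from writing under /proc/sys or /sys, and the capabilities it still drops (setfcap sys_nice sys_pacct sys_rawio) do not cover that. Unless Void guests are known to need a writable sysfs, `lxc.mount.auto = cgroup:ro proc:mixed sys:ro` keeps /proc/sys and /proc/sysrq-trigger read-only and /sys read-only while leaving the rest of /proc writable. The explicit `lxc.seccomp` line, the `lxc.cgroup.devices.deny = a` whitelist and `lxc.cap.drop = sys_module mac_admin mac_override sys_time` are removed here and now arrive only through `lxc.include = /usr/share/lxc/config/common.conf`, so it is worth confirming that the common.conf installed by this 1.1.0 build (configured with `--enable-seccomp`, per the template hunk) actually carries equivalents before relying on it. Finally, the comment `# Uncomment to disable creating tty devices subdirectory in /dev` sits above `lxc.devttydir =`, which is already uncommented, so either the line should read `#lxc.devttydir =` or the comment should be reworded.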
@@ -3,7 +3,7 @@ _desc="Linux Containers" pkgname=lxc version=1.1.0 -revision=3 +revision=4 build_style=gnu-configure configure_args="--enable-doc --enable-seccomp --enable-cgmanager --enable-capabilities --disable-apparmor --with-distro=none