merge upstream lxc-templates configs
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 9 Jun 2023 06:19:01 +0000 (08:19 +0200)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 9 Jun 2023 06:19:14 +0000 (08:19 +0200)
Note that we keep one difference from upstream,
from 612ec1f0543d ("config: opensuse.common: unset lxc.tty.dir key")

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
config/alpine.common.conf.in
config/archlinux.common.conf.in
config/centos.common.conf.in
config/devuan.common.conf.in [new file with mode: 0644]
config/devuan.userns.conf.in [new file with mode: 0644]
config/fedora.common.conf.in
config/kali.common.conf.in [new file with mode: 0644]
config/kali.userns.conf.in [new file with mode: 0644]
config/opensuse.common.conf.in

index 1c4cf815a4113fa4cf1fff652a352afd6627e397..550ada82f86ead4911857d194f064346ed2646ba 100644 (file)
@@ -8,7 +8,6 @@ lxc.tty.dir =
 lxc.cap.drop = audit_write
 lxc.cap.drop = ipc_owner
 lxc.cap.drop = mknod
-lxc.cap.drop = setpcap
 lxc.cap.drop = sys_nice
 lxc.cap.drop = sys_pacct
 lxc.cap.drop = sys_rawio
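Review bot: Removing the `lxc.cap.drop = setpcap` entry leaves CAP_SETPCAP available to Alpine containers, and unlike fedora.common and opensuse.common, which keep setpcap as a commented line with a reason ("big big login delays"), nothing on the new side records why it is no longer dropped here. The commit message only documents the opensuse divergence, so this presumably mirrors the upstream template change, but the rationale does not survive in the file. A one-line note next to the remaining drops, e.g. `# lxc.cap.drop = setpcap          # <reason or upstream reference>`, would keep it visible for the next merge. The rest of the capability list is outside the hunk.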
index bebd7ad1eed797bfdffa83893abcfefc22a76488..81d6548839a4367ea7a1833f8e83c2d906824da0 100644 (file)
@@ -27,3 +27,5 @@ lxc.signal.halt=SIGRTMIN+4
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
index a463e42e8c20bf26acbf1c159e37b59f54bf141b..8a72ad003efd352c0730a97d7590e288832001d5 100644 (file)
@@ -17,3 +17,4 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # lxc.cap.drop = setuid           # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
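Review bot: The added `lxc.cap.drop = sys_nice sys_pacct sys_rawio` omits setfcap, whereas the equivalent lines this commit adds to archlinux.common and fedora.common drop `setfcap sys_nice sys_pacct sys_rawio`. opensuse.common carries a commented `# lxc.cap.drop = setfcap` that at least marks the omission there, but this hunk shows no such marker for centos. If leaving CAP_SETFCAP available is deliberate, a line `# lxc.cap.drop = setfcap          # <reason>` above the new drop would make that explicit; if it is not, the fedora form is the tighter default. The lines above the hunk are not visible, so an existing comment further up may already cover this.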
diff --git a/config/devuan.common.conf.in b/config/devuan.common.conf.in
new file mode 100644 (file)
index 0000000..4e6a6e6
--- /dev/null
@@ -0,0 +1,28 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.tty.dir =
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.apparmor.profile = unconfined
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.apparmor.profile = lxc-container-default-with-mounting
+
+# Extra cgroup device access
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
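Review bot: This new file is byte-identical to the kali.common.conf.in added in the same commit (both sections show blob 4e6a6e6), so the two copies will drift independently on later merges; if the tree has a shared Debian-family common config, an `lxc.include` of it would be preferable to a verbatim copy. The device grants use the legacy `lxc.cgroup.devices.allow` key; on a host running only the unified cgroup v2 hierarchy these entries may not take effect and the `lxc.cgroup2.devices.allow` form is the one that applies, which is worth confirming against the LXC version this package ships and noting in a comment. The rtc, tun, hpet and kvm entries are active for every container created from this template, while only the loop-device line is left commented and explained; a short `## needed for <use case>` comment on each active entry would document why each default is granted. The same points apply to the kali.common.conf.in hunk.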
diff --git a/config/devuan.userns.conf.in b/config/devuan.userns.conf.in
new file mode 100644 (file)
index 0000000..707bb30
--- /dev/null
@@ -0,0 +1,2 @@
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
index 365e5ff80f780635c44ba52dec67477779410ec7..acebe3c7c0e154bfbf7c4e7b596324e9f502f3b9 100644 (file)
@@ -18,3 +18,4 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
diff --git a/config/kali.common.conf.in b/config/kali.common.conf.in
new file mode 100644 (file)
index 0000000..4e6a6e6
--- /dev/null
@@ -0,0 +1,28 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.tty.dir =
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.apparmor.profile = unconfined
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.apparmor.profile = lxc-container-default-with-mounting
+
+# Extra cgroup device access
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
diff --git a/config/kali.userns.conf.in b/config/kali.userns.conf.in
new file mode 100644 (file)
index 0000000..707bb30
--- /dev/null
@@ -0,0 +1,2 @@
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
index 536df964866452fb6927390b8bc0091ddff43027..c3123956002ab9205b75ad5efb665923834c9679 100644 (file)
@@ -19,5 +19,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
 # lxc.cap.drop = setfcap
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
 
 lxc.tty.dir =
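Review bot: The `lxc.tty.dir =` line kept on the new side is the one local divergence from upstream that the commit message records (612ec1f0543d), but nothing in the file itself marks it, so a future upstream merge can silently drop it. A comment directly above it, e.g. `# Proxmox: intentionally left unset, see 612ec1f0543d`, would let the divergence survive the next merge. The added `lxc.cap.drop = sys_nice sys_pacct sys_rawio` sits under the existing commented `# lxc.cap.drop = setfcap`, so the omission of setfcap here is already documented, unlike in the centos hunk.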