add default userns config file

With cgroupv2 we lose the default devices entries, which in
cgroupv1 results in the default inherited 'a *:* rwm', so
let's have lxc's cgroupv2 default do the same (iow. turn it
into a "deny-list").

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/Makefile b/src/Makefile
index 450a8ebe8ae819511782caabd4a36e49098be9e8..e42a87c770dfbc60281492d98759dfdcac751d28 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -11,6 +11,7 @@ LXC_TMPL_DIR=${LXC_SCRIPT_DIR}/templates
 LXC_HOOK_DIR=${LXC_SCRIPT_DIR}/hooks
 LXC_CONFIG_DIR=${LXC_SCRIPT_DIR}/config
 LXC_COMMON_CONFIG_DIR=${LXC_CONFIG_DIR}/common.conf.d
+LXC_USERNS_CONFIG_DIR=${LXC_CONFIG_DIR}/userns.conf.d
 SERVICEDIR=${DESTDIR}/lib/systemd/system
 PODDIR=${DOCDIR}/pod
 MAN1DIR=${MANDIR}/man1/
@@ -59,6 +60,8 @@ install: pct lxc-pve.conf pct.1 pct.conf.5 pct.bash-completion pct.zsh-completio
        install -m 0644 pve-userns.seccomp ${LXC_CONFIG_DIR}/pve-userns.seccomp
        install -d ${LXC_COMMON_CONFIG_DIR}
        install -m 0644 lxc-pve.conf ${LXC_COMMON_CONFIG_DIR}/01-pve.conf
+       install -d ${LXC_USERNS_CONFIG_DIR}
+       install -m 0644 lxc-pve-userns.conf ${LXC_USERNS_CONFIG_DIR}/01-pve.conf
        install -m 0644 -D pct.bash-completion ${BASHCOMPLDIR}/pct
        install -m 0644 -D pct.zsh-completion ${ZSHCOMPLDIR}/_pct
        make -C PVE install

diff --git a/src/lxc-pve-userns.conf b/src/lxc-pve-userns.conf
new file mode 100644 (file)
index 0000000..3329625
--- /dev/null
+++ b/src/lxc-pve-userns.conf
@@ -0,0 +1,7 @@
+# Default unified cgroup configuration
+
+# Reset cgroupv2:
+lxc.cgroup2.devices.deny =
+lxc.cgroup2.devices.allow =
+# For unprivileged contaienrs we make it a deny-list:
+lxc.cgroup2.devices.allow = a