Add cgroup devices whitelist for the debian

From: Daniel Lezcano <dlezcano@fr.ibm.com>

Added thed cgroup whitelist configuration for a debian container.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

diff --git a/scripts/lxc-debian.in b/scripts/lxc-debian.in
index a71d802b23165d12043ccd7d9b1261b44a05bc0e..b252dd0738a4ce96c2d516f4d64560c57f76a804 100755 (executable)
--- a/scripts/lxc-debian.in
+++ b/scripts/lxc-debian.in
@@ -116,13 +116,40 @@ EOF
 # lxc configuration
 
 cat <<EOF > $CONFFILE
+
 lxc.utsname = $UTSNAME
+
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.name = eth0
+
 lxc.mount = $MNTFILE
+
 lxc.rootfs = $ROOTFS
+
+lxc.cgroup.devices.deny = a
+
+# /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+
+# consoles
+lxc.cgroup.devices.allow = c 5:1 rwm
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 4:0 rwm
+lxc.cgroup.devices.allow = c 4:1 rwm
+
+# /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+
+# /dev/pts/* - pts namespaces are "coming soon"
+lxc.cgroup.devices.allow = c 136:* rwm
+
+# rtc
+lxc.cgroup.devices.allow = c 254:0 rwm
+
 EOF
 
 
@@ -172,13 +199,18 @@ EOF
 
 # create the container object
 
-@BINDIR@/lxc-create -n $NAME -f $CONFFILE
+@BINDIR@/lxc-create -n $NAME -f $CONFFILE 
+RES=$?
 
 # remove the configuration files
-
 rm -f $CONFFILE
 rm -f $MNTFILE
 
+if [ "$RES" != "0" ]; then
+    echo "Failed to create '$NAME'"
+    exit 1
+fi
+
 echo "Done."
 echo -e "\nYou can run your container with the 'lxc-start -n $NAME'\n"
 }