config: Allow all containers to use fuse

This enables containers to mount fuse filesystems per default. The mount
is designed to be safe. Hence, it can be enabled per default in
common.conf. It will lead to a cleaner boot for some unprivileged
systemd-based containers.

Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index 26b322964b0934e25bf05a37ef87249f5b09f079..80f31ced081a46b0e8f856b16dbaf7520232063a 100644 (file)
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -42,9 +42,12 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 1:9 rwm
 ### /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
 
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
 # Blacklist some syscalls which are not safe in privileged
 # containers

diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index 493feee338a92d9a3eb953469bd8153802f7963b..e034b954cded25ca7cbf56d3681dc486c1b42fb4 100644 (file)
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -4,9 +4,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Doesn't support consoles in /dev/lxc/
 lxc.devttydir =
 
-# Default mount entries
-lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
-
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -24,8 +21,6 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## hpet

diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index 01c8f4885920d2c68977491fb8533f7e843344b3..ca3ffc160da8a8e19cabe8fdf720fb505910b8dc 100644 (file)
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -12,8 +12,6 @@ lxc.devttydir =
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## hpet

diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
index 6609333c6c9a2455109ef9457c4c86899de04e04..878e8390c77dbdde9d69cc16462c1fff106486c5 100644 (file)
--- a/config/templates/openwrt.common.conf.in
+++ b/config/templates/openwrt.common.conf.in
@@ -34,8 +34,6 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## dev/tty0

diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
index 888fa4b687068e16dc7e1209bb049cf17dff1b28..718fc5354c228e84cb02dd2faf031658e3cc6e86 100644 (file)
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -7,5 +7,3 @@ lxc.devttydir =
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm

diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index d1ce8e99f884b6327d5ebe4f8a8cce6c5b318a53..857c255e73fe352bed249c077307d79a7ea8e874 100644 (file)
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -2,7 +2,6 @@
 lxc.include = @LXCTEMPLATECONFIG@/common.conf
 
 # Default mount entries
-lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
@@ -28,8 +27,6 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## hpet