openwrt: add common configuration file

author Petar Koretic <petar.koretic@sartura.hr>

Thu, 30 Oct 2014 12:41:49 +0000 (12:41 +0000)

committer Stéphane Graber <stgraber@ubuntu.com>

Mon, 24 Nov 2014 21:36:17 +0000 (16:36 -0500)
author Petar Koretic <petar.koretic@sartura.hr>
Thu, 30 Oct 2014 12:41:49 +0000 (12:41 +0000)
committer Stéphane Graber <stgraber@ubuntu.com>
Mon, 24 Nov 2014 21:36:17 +0000 (16:36 -0500)
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am

index 82ca8be1bf003c2db1c56e9498d141a49a807271..fdbf9d298a7f12b843895b5425025cf11b35e3dc 100644 (file)
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -28,4 +28,5 @@ templatesconfig_DATA = \
         ubuntu.common.conf \
         ubuntu.lucid.conf \
         ubuntu.userns.conf \
+       openwrt.common.conf \
         userns.conf
diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in

new file mode 100644 (file)

index 0000000..05918f0
--- /dev/null
+++ b/config/templates/openwrt.common.conf.in
@@ -0,0 +1,56 @@
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+
+# Default console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = mac_admin
+lxc.cap.drop = mac_override
+lxc.cap.drop = sys_admin
+lxc.cap.drop = sys_module
+lxc.cap.drop = sys_nice
+lxc.cap.drop = sys_pacct
+lxc.cap.drop = sys_ptrace
+lxc.cap.drop = sys_rawio
+lxc.cap.drop = sys_resource
+lxc.cap.drop = sys_time
+lxc.cap.drop = sys_tty_config
+lxc.cap.drop = syslog
+lxc.cap.drop = wake_alarm
+
+# Default cgroups - all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## dev/tty0
+lxc.cgroup.devices.allow = c 4:0 rwm
+## dev/tty1
+lxc.cgroup.devices.allow = c 4:1 rwm
+
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
diff --git a/configure.ac b/configure.ac

index 5f9774b641aad466f4bff7fef2accab9207b74bb..1d9634ec2065813ab550e7ae57a8aa987c534aec 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -646,6 +646,7 @@ AC_CONFIG_FILES([
         config/templates/ubuntu.common.conf
         config/templates/ubuntu.lucid.conf
         config/templates/ubuntu.userns.conf
+       config/templates/openwrt.common.conf
         config/templates/userns.conf
         config/yum/Makefile
         config/sysconfig/Makefile
author	Petar Koretic <petar.koretic@sartura.hr>
	Thu, 30 Oct 2014 12:41:49 +0000 (12:41 +0000)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Mon, 24 Nov 2014 21:36:17 +0000 (16:36 -0500)
config/templates/Makefile.am		patch \| blob \| blame \| history
config/templates/openwrt.common.conf.in	[new file with mode: 0644]	patch \| blob
configure.ac		patch \| blob \| blame \| history