--- /dev/null
+# Default configuration for Sabayon containers
+
+# Setup the default mounts
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+
+# Allow for 1024 pseudo terminals
+lxc.pts = 1024
+
+# Setup 1 tty devices for lxc-console command
+lxc.tty = 1
+
+# Needed for systemd distro
+lxc.autodev = 1
+
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
+
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+
+## Allow any mknod (but not reading/writing the node)
+#lxc.cgroup.devices.allow = c *:* m
+#lxc.cgroup.devices.allow = b *:* m
+
+## Allow specific devices
+### /dev/null
+lxc.cgroup.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup.devices.allow = c 1:7 rwm
+### /dev/random
+lxc.cgroup.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/pts/*
+#lxc.cgroup.devices.allow = c 136:* rwm
+### /dev/tty
+#lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
+#lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
+#lxc.cgroup.devices.allow = c 5:2 rwm
+### fuse
+#lxc.cgroup.devices.allow = c 10:229 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+## rtc
+#lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+#lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+#lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+#lxc.cgroup.devices.allow = c 10:232 rwm
+
+# If something doesn't work, try to comment this out.
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
+#lxc.cap.drop = sys_admin
+
+
+# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
+# and possibly other packages.
+lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
+
+# Customize lxc options through common directory
+lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
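Review bot: The comment above `lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override` ("If something doesn't work, try to comment this out") invites operators to drop the whole capability baseline, although the capabilities listed give container root a path to the host kernel (module loading, raw device I/O, clock, MAC policy). Since this file is the shared baseline for every Sabayon container, the guidance should steer towards narrowing rather than deleting, e.g. `# If a workload needs one of these, remove only that capability from the list; never comment the whole line out — sys_module and sys_rawio in particular reach the host kernel and devices.` The `/dev/shm` tmpfs entry carries no `size=`, so a container can fill it up to the kernel's default (a share of host RAM) unless a memory cgroup limit is set elsewhere — not visible here, so worth a comment noting that assumption or a bound such as `size=64m` if the Python use case permits. The seccomp comment says the blacklist is for privileged containers, but the include path also applies it to userns containers; saying so avoids the reader assuming it is skipped there.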
http://mirror.internode.on.net/pub/sabayon/
http://mirror.yandex.ru/sabayon/
http://sabayon.c3sl.ufpr.br/
-http://mirror.umd.edu/sabayonlinux/
http://mirror.clarkson.edu/sabayon/
http://na.mirror.garr.it/mirrors/sabayonlinux/"
# Disable mount of hugepages
ln -s /dev/null dev-hugepages.mount
- # Fix TERM variable for container console
- mkdir container-getty\@0.service.d
- cat <<EOF > container-getty\@0.service.d/00gentoo.conf
-[Service]
-Environment=TERM=
-Environment=TERM=linux
-EOF
-
-
popd
pushd ${rootfs}
# Remove LVM service. Normally not needed on container system.
rm -rf ${rootfs}/etc/systemd/system/sysinit.target.wants/lvm2-lvmetad.service
+ # Comment unneeded entry on /etc/fstab
+ sed -e 's/\/dev/#\/dev/g' -i ${rootfs}/etc/fstab
+
+ # Fix this stupid error until fix is available on sabayon image
+ # /usr/lib/systemd/system-generators/gentoo-local-generator: line 4: cd: /etc/local.d: No such file or directory
+ mkdir ${rootfs}/etc/local.d/
+
+ # Fix TERM variable for container console
+ mkdir container-getty\@0.service.d
+ cat <<EOF > container-getty\@0.service.d/00gentoo.conf
+[Service]
+Environment=TERM=
+Environment=TERM=linux
+EOF
+
return 0
}
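Review bot: The fstab rewrite `sed -e 's/\/dev/#\/dev/g' -i ${rootfs}/etc/fstab` is unanchored and global, so it prefixes every `/dev` occurrence on a line, not just leading ones: an entry like `tmpfs /dev/shm tmpfs ...` becomes `tmpfs #/dev/shm tmpfs ...` (a malformed line, not a commented one), and a line already reading `#/dev/...` gains a second `#`. Anchoring at line start and dropping `g` comments exactly the device-backed entries. Separately, the relocated TERM fix now runs after `pushd ${rootfs}`, so `mkdir container-getty\@0.service.d` is created relative to the rootfs root; if the pushd this block was moved out of (outside the hunk) pointed at `etc/systemd/system`, the drop-in no longer lands where systemd reads it, and an absolute path removes the dependence on the cwd. `mkdir ${rootfs}/etc/local.d/` could be `mkdir -p` so the template does not abort once the image ships the directory, and `${rootfs}` should be quoted. The enclosing function starts before the hunk.
```shell
    # Comment out device-backed mounts: anchor at line start and substitute
    # once per line so entries such as "tmpfs /dev/shm ..." are not mangled
    sed -i -e 's|^[[:space:]]*/dev|#&|' "${rootfs}/etc/fstab"

    # … unchanged: gentoo-local-generator workaround comment …
    mkdir -p "${rootfs}/etc/local.d"

    # Fix TERM variable for container console; absolute path, cwd is ${rootfs} here
    dropin="${rootfs}/etc/systemd/system/container-getty@0.service.d"
    mkdir -p "${dropin}"
    cat <<EOF > "${dropin}/00gentoo.conf"
    # … unchanged: [Service] / Environment=TERM= lines / EOF …
```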
if [[ $unprivileged && $unprivileged == true ]] ; then
unprivileged_options="
-lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
-
-# Enable tty console for lxc-console command
-lxc.tty = 1
-
lxc.id_map = u 0 ${mapped_uid} 65536
lxc.id_map = g 0 ${mapped_gid} 65536
+
+# Include common configuration.
+lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf
+
"
else
privileged_options="
-lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
-lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c *:* m
+
+### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-lxc.cgroup.devices.allow = c 1:7 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
+### fuse
lxc.cgroup.devices.allow = c 10:229 rwm
+
"
fi
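Review bot: The privileged block starting at `lxc.cgroup.devices.allow = b *:* m` is only a whitelist because the `lxc.cgroup.devices.deny = a` it used to carry (removed here) now comes from `sabayon.common.conf`; LXC applies cgroup device rules in config order, so these lines are correct only if that include is written before `$privileged_options` — the include placement elsewhere in the template appears to do this, but nothing in this string records the dependency. A comment at the top of `privileged_options` would make it explicit: `# NOTE: relies on lxc.cgroup.devices.deny = a from sabayon.common.conf; that include must precede these allow rules`. `b *:* m` / `c *:* m` reinstate mknod for every major:minor that the shared file deliberately leaves commented out, which is the upstream default for privileged containers but deserves a one-line justification so it is not copied into the userns branch. The unprivileged branch adds `lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf` on top of the common include emitted elsewhere; if `sabayon.userns.conf` (not visible here) pulls in `sabayon.common.conf` too, the baseline is applied twice — harmless, but worth noting in the comment.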
# Set hostname.
lxc.utsname = $hostname
-# If something doesn't work, try to comment this out.
-# Dropping sys_admin disables container root from doing a lot of things
-# that could be bad like re-mounting lxc fstab entries rw for example,
-# but also disables some useful things like being able to nfs mount, and
-# things that are already namespaced with ns_capable() kernel checks, like
-# hostname(1).
-lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
-#lxc.cap.drop = sys_admin
-
-lxc.autodev = 1
-lxc.pts = 1024
+# Include common configuration.
+lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.common.conf
$unprivileged_options
$privileged_options
-
-# Customize lxc options through common directory
-lxc.include = /usr/share/lxc/config/common.conf.d/
-
EOF
}
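Review bot: `lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.common.conf` replaces the inline `lxc.cap.drop`, `lxc.autodev`, `lxc.pts` lines and the hard-coded `/usr/share/lxc/config/common.conf.d/` path, so the container's whole security baseline (device deny-all, capability drops, seccomp) now depends on `LXC_TEMPLATE_CONFIG` being set; if it is empty the heredoc still writes a config whose include resolves to `/sabayon.common.conf`, and depending on the LXC version that is either a start-time failure or a silently missing baseline. Whether the variable is defined earlier in the template is not visible from this hunk; a default near the top of the script, `LXC_TEMPLATE_CONFIG="${LXC_TEMPLATE_CONFIG:-/usr/share/lxc/config}"`, plus an existence check before the heredoc, `[ -f "$LXC_TEMPLATE_CONFIG/sabayon.common.conf" ] || { echo "missing sabayon.common.conf" >&2; return 1; }`, keeps the failure loud. The include must also stay ahead of `$privileged_options`, since the `allow` rules there only narrow the `deny = a` coming from the included file; a comment on the include line saying so would protect the ordering. The enclosing heredoc and function start before the hunk.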