Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>

10 年前 · 733ce2c29f
--- a/utils/lxc/patches/202-add-openwrt-common-config.patch
+++ b/utils/lxc/patches/202-add-openwrt-common-config.patch
@@ -0,0 +1,78 @@
 
				+--- /dev/null
			
 
				++++ b/config/templates/openwrt.common.conf.in
			
 
				+@@ -0,0 +1,56 @@
			
 
				++# Default mount entries
			
 
				++lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
			
 
				++lxc.mount.entry = sysfs sys sysfs defaults 0 0
			
 
				++
			
 
				++# Default console settings
			
 
				++lxc.devttydir = lxc
			
 
				++lxc.tty = 4
			
 
				++lxc.pts = 1024
			
 
				++
			
 
				++# Default capabilities
			
 
				++lxc.cap.drop = mac_admin
			
 
				++lxc.cap.drop = mac_override
			
 
				++lxc.cap.drop = sys_admin
			
 
				++lxc.cap.drop = sys_module
			
 
				++lxc.cap.drop = sys_nice
			
 
				++lxc.cap.drop = sys_pacct
			
 
				++lxc.cap.drop = sys_ptrace
			
 
				++lxc.cap.drop = sys_rawio
			
 
				++lxc.cap.drop = sys_resource
			
 
				++lxc.cap.drop = sys_time
			
 
				++lxc.cap.drop = sys_tty_config
			
 
				++lxc.cap.drop = syslog
			
 
				++lxc.cap.drop = wake_alarm
			
 
				++
			
 
				++# Default cgroups - all denied except those whitelisted
			
 
				++lxc.cgroup.devices.deny = a
			
 
				++## /dev/null and zero
			
 
				++lxc.cgroup.devices.allow = c 1:3 rwm
			
 
				++lxc.cgroup.devices.allow = c 1:5 rwm
			
 
				++## consoles
			
 
				++lxc.cgroup.devices.allow = c 5:0 rwm
			
 
				++lxc.cgroup.devices.allow = c 5:1 rwm
			
 
				++## /dev/{,u}random
			
 
				++lxc.cgroup.devices.allow = c 1:8 rwm
			
 
				++lxc.cgroup.devices.allow = c 1:9 rwm
			
 
				++## /dev/pts/*
			
 
				++lxc.cgroup.devices.allow = c 5:2 rwm
			
 
				++lxc.cgroup.devices.allow = c 136:* rwm
			
 
				++## rtc
			
 
				++lxc.cgroup.devices.allow = c 254:0 rm
			
 
				++## fuse
			
 
				++lxc.cgroup.devices.allow = c 10:229 rwm
			
 
				++## tun
			
 
				++lxc.cgroup.devices.allow = c 10:200 rwm
			
 
				++## dev/tty0
			
 
				++lxc.cgroup.devices.allow = c 4:0 rwm
			
 
				++## dev/tty1
			
 
				++lxc.cgroup.devices.allow = c 4:1 rwm
			
 
				++
			
 
				++## To use loop devices, copy the following line to the container's
			
 
				++## configuration file (uncommented).
			
 
				++#lxc.cgroup.devices.allow = b 7:* rwm
			
 
				++
			
 
				++# Blacklist some syscalls which are not safe in privileged
			
 
				++# containers
			
 
				++lxc.seccomp = /usr/share/lxc/config/common.seccomp
			
 
				+--- a/configure.ac
			
 
				++++ b/configure.ac
			
 
				+@@ -579,6 +579,7 @@ AC_CONFIG_FILES([
			
 
				+ 	config/templates/ubuntu.common.conf
			
 
				+ 	config/templates/ubuntu.lucid.conf
			
 
				+ 	config/templates/ubuntu.userns.conf
			
 
				++	config/templates/openwrt.common.conf
			
 
				+ 	config/yum/Makefile
			
 
				+ 
			
 
				+ 	doc/Makefile
			
 
				+--- a/config/templates/Makefile.am
			
 
				++++ b/config/templates/Makefile.am
			
 
				+@@ -22,4 +22,5 @@ templatesconfig_DATA = \
			
 
				+ 	ubuntu-cloud.userns.conf \
			
 
				+ 	ubuntu.common.conf \
			
 
				+ 	ubuntu.lucid.conf \
			
 
				+-	ubuntu.userns.conf
			
 
				++	ubuntu.userns.conf \
			
 
				++	openwrt.common.conf