[lxc-devel] [PATCH] Ubuntu template: Allow mknod (fixing udev upgrades) and drop mac_override and mac_admin from lxc.cap.drop as apparmor has/will have support for namespaces
Daniel Lezcano
daniel.lezcano at free.fr
Thu Nov 10 08:48:54 UTC 2011
On 11/02/2011 08:17 PM, Stéphane Graber wrote:
> ---
> templates/lxc-ubuntu.in | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 4f44b03..2be8680 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -179,9 +179,12 @@ lxc.pts = 1024
> lxc.rootfs = $rootfs
> lxc.mount = $path/fstab
> lxc.arch = $arch
> -lxc.cap.drop = sys_module mac_override mac_admin
> +lxc.cap.drop = sys_module
>
> lxc.cgroup.devices.deny = a
> +# Allow any mknod (but not using the node)
> +lxc.cgroup.devices.allow = c *:* m
> +lxc.cgroup.devices.allow = b *:* m
> # /dev/null and zero
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
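
Review bot: The changed lxc.cap.drop line leaves mac_override and mac_admin available inside the container, but the only rationale is in the subject ("apparmor has/will have support for namespaces") and nothing in the template records it. Suggest a comment above lxc.cap.drop stating that these two capabilities are kept on the expectation that AppArmor confines the container, so anyone using the template on a host without that support knows to add them back to the drop list. The two new allow rules grant only m for c *:* and b *:*, which matches the comment (nodes can be created but not opened for read or write). That comment could also mention that the rule exists for udev upgrades, as the subject says, so it is not later removed as overly broad.
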
Applied. Thanks.