On 01/08/2013 11:59 AM, Serge Hallyn wrote: > Quoting Dwight Engen (dwight.en...@oracle.com): >> Signed-off-by: Dwight Engen <dwight.en...@oracle.com> > > Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com>
Pushed to staging. > You might want to add a pointer to the capabilities(7) manpage for > more details. > >> --- >> templates/lxc-oracle.in | 26 ++++++++++++++++++++++++-- >> 1 file changed, 24 insertions(+), 2 deletions(-) >> >> diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in >> index 3242dc4..6a64a33 100644 >> --- a/templates/lxc-oracle.in >> +++ b/templates/lxc-oracle.in 
>> @@ -292,10 +292,32 @@ lxc.tty = 4 >> lxc.pts = 1024 >> lxc.rootfs = $container_rootfs >> lxc.mount = $cfg_dir/fstab >> -lxc.cap.drop = sys_rawio >> -# Networking >> +# Uncomment these if you don't run anything that needs the capability, and >> >> +# would like the container to run with less privilege. >> +# >> +# Dropping sys_admin disables container root from doing a lot of things >> +# that could be bad like re-mounting lxc fstab entries rw for example, >> +# but also disables some useful things like being able to nfs mount, and >> +# things that are already namespaced with ns_capable() kernel checks, like >> +# hostname(1). >> +# lxc.cap.drop = sys_admin >> +# lxc.cap.drop = net_raw # breaks dhcp/ping >> +# lxc.cap.drop = setgid # breaks login (initgroups/setgroups) >> +# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd) >> +# lxc.cap.drop = setuid # breaks sshd,nfs statd >> +# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) >> +# lxc.cap.drop = audit_write >> +# >> +lxc.cap.drop = mac_admin mac_override setfcap setpcap >> +lxc.cap.drop = sys_module sys_nice sys_pacct > > I'm a little surprised you'd want sys_nice by default, as opposed to > pointing to some docs for using cgroups to limit resource use by > the containers, with a commented-out 'lxc.cap.drop = sys_nice' for > those who prefer to not bother setting up the cgroups. 
> >> +lxc.cap.drop = sys_rawio sys_time >> EOF >> >> + if [ $container_release_major != "4" ]; then >> + echo "lxc.cap.drop = sys_resource" >>$cfg_dir/config >> + fi >> + >> + echo "# Networking" >>$cfg_dir/config >> # see if the network settings were already specified >> lxc_network_type=`grep '^lxc.network.type' $cfg_dir/config | awk -F'[= >> \t]+' '{ print $2 }'` >> if [ -z "$lxc_network_type" -a \ >> -- >> 1.7.11.7
-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
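Review bot: in the added block, `if [ $container_release_major != "4" ]; then` leaves the variable unquoted; if it is ever empty or unset, `[` reports a syntax error, the condition evaluates false and the `lxc.cap.drop = sys_resource` line is silently never appended to the config. Quote it as `if [ "$container_release_major" != "4" ]; then`. A one-line comment stating why release 4 is exempted from dropping sys_resource would also help whoever maintains the template later.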
_______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel