From a38e3e325d651200b0aac77ef5287f36e8c46a63 Mon Sep 17 00:00:00 2001
From: brauner
Date: Sun, 8 Feb 2015 16:48:31 +0100
Subject: [PATCH] config: Allow all containers to use fuse
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This enables containers to mount fuse filesystems per default. The mount is designed to be safe. Hence, it can be enabled per default in common.conf. It will lead to a cleaner boot for some unprivileged systemd-based containers.
Signed-off-by: Christian Brauner
Acked-by: Stéphane Graber
---
config/templates/common.conf.in | 3 +++
config/templates/debian.common.conf.in | 5 -----
config/templates/gentoo.common.conf.in | 2 --
config/templates/openwrt.common.conf.in | 2 --
config/templates/plamo.common.conf.in | 2 --
config/templates/ubuntu.common.conf.in | 3 ---
6 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index 26b322964..80f31ced0 100644
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -42,9 +42,12 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 1:9 rwm
 ### /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 # Blacklist some syscalls which are not safe in privileged
 # containers
diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index 493feee33..e034b954c 100644
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
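Review bot: The new `lxc.mount.entry` for /sys/fs/fuse/connections in common.conf.in is a read-write bind mount, and common.conf is included by privileged containers as well as unprivileged ones, so the commit message's "designed to be safe" rests on an argument the file itself does not record. The kernel's fusectl filesystem exposes per-connection control files that are writable by the connection's owner; for an unprivileged container the host's connections belong to a host uid and stay untouchable, but for a privileged container without a confining profile (the debian template mentions AppArmor, the gentoo, openwrt and plamo templates show nothing comparable here) root inside the container can write to host connection entries. If nothing in the container needs to write to fusectl, the safer default is `lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional,ro 0 0`; if read-write is required, please add a comment next to the entry stating why it is considered safe, e.g. `# fusectl is bind-mounted rw; host connections are owned by the mounting uid, so unprivileged containers cannot affect them`. It would also help to extend the `### fuse` heading to `### fuse (/dev/fuse)` so the `c 10:229` device number is self-explanatory, in the same style as the `### /dev/pts/*` heading above it.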
@@ -4,9 +4,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Doesn't support consoles in /dev/lxc/
 lxc.devttydir =
-# Default mount entries
-lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
-
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
@@ -24,8 +21,6 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## hpet
diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index 01c8f4885..ca3ffc160 100644
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -12,8 +12,6 @@ lxc.devttydir =
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## hpet
diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
index 6609333c6..878e8390c 100644
--- a/config/templates/openwrt.common.conf.in
+++ b/config/templates/openwrt.common.conf.in
@@ -34,8 +34,6 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## dev/tty0
diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
index 888fa4b68..718fc5354 100644
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -7,5 +7,3 @@ lxc.devttydir =
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index d1ce8e99f..857c255e7 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -2,7 +2,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # Default mount entries
-lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
 lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
@@ -28,8 +27,6 @@ lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
 # Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## hpet