maybe chmod 0755 'apparmor.d/abstractions'
maybe chmod 0644 'apparmor.d/abstractions/lightdm'
maybe chmod 0644 'apparmor.d/abstractions/lightdm_chromium-browser'
+maybe chmod 0755 'apparmor.d/abstractions/lxc'
+maybe chmod 0644 'apparmor.d/abstractions/lxc/container-base'
+maybe chmod 0644 'apparmor.d/abstractions/lxc/start-container'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
+maybe chmod 0755 'apparmor.d/lxc'
+maybe chmod 0644 'apparmor.d/lxc-containers'
+maybe chmod 0644 'apparmor.d/lxc/lxc-default'
+maybe chmod 0644 'apparmor.d/lxc/lxc-default-with-mounting'
+maybe chmod 0644 'apparmor.d/lxc/lxc-default-with-nesting'
+maybe chmod 0644 'apparmor.d/usr.bin.lxc-start'
maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
maybe chmod 0755 'apt'
maybe chmod 0644 'bash_completion.d/insserv'
maybe chmod 0644 'bash_completion.d/jackd'
maybe chmod 0644 'bash_completion.d/libreoffice.sh'
+maybe chmod 0644 'bash_completion.d/lxc'
maybe chmod 0644 'bash_completion.d/pulseaudio-bash-completion.sh'
maybe chmod 0644 'bash_completion.d/whiptail'
maybe chmod 0644 'bindresvport.blacklist'
maybe chmod 0755 'init.d/killprocs'
maybe chmod 0755 'init.d/kmod'
maybe chmod 0755 'init.d/lightdm'
+maybe chmod 0755 'init.d/lxc'
maybe chmod 0755 'init.d/motd'
maybe chmod 0755 'init.d/mountall-bootclean.sh'
maybe chmod 0755 'init.d/mountall.sh'
maybe chmod 0644 'logrotate.d/cups-daemon'
maybe chmod 0644 'logrotate.d/dpkg'
maybe chmod 0644 'logrotate.d/rsyslog'
+maybe chmod 0755 'lxc'
+maybe chmod 0644 'lxc/default.conf'
maybe chmod 0444 'machine-id'
maybe chmod 0644 'magic'
maybe chmod 0644 'magic.mime'
--- /dev/null
+ network,
+ capability,
+ file,
+ umount,
+
+ # The following 3 entries are only supported by recent apparmor versions.
+ # Comment them if the apparmor parser doesn't recognize them.
+ #dbus,
+ #signal,
+ #ptrace,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow hugetlbfs mounts everywhere
+ mount fstype=hugetlbfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # allow bind mount of /lib/init/fstab for lxcguest
+ mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+ mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny /sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+ deny /sys/fs/c[^g]*{,/**} wklx,
+ deny /sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
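Review bot: The `#dbus,` `#signal,` and `#ptrace,` rules at lines 49–51 ship commented out, and the comment above them only tells the reader to comment them out on older parsers; it says nothing about what happens on an apparmor that does mediate those classes, where as far as I know a profile with no rule for a class is default-deny for it, so a container under this profile would be unable to signal or ptrace its own processes (verify against the apparmor version this package targets). Suggest replacing that comment with `# Uncomment once the installed apparmor_parser accepts these rules: on a kernel/parser that mediates signal or ptrace, a profile with no such rule denies them inside the container; keep them commented only where the parser rejects the syntax.` Separately, `capability,` at line 43 grants every capability at the AppArmor layer, so the container's effective capability set is narrowed only by the LXC configuration (presumably lxc.cap.drop), which is outside this hunk; a line such as `# all capabilities: the bounding set is narrowed by the container config, not by this profile` would stop a reader from assuming the profile restricts them.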
--- /dev/null
+ network,
+ capability,
+ file,
+
+ # The following 3 entries are only supported by recent apparmor versions.
+ # Comment them if the apparmor parser doesn't recognize them.
+ #dbus,
+ #signal,
+ #ptrace,
+
+ # currently blocked by apparmor bug
+ mount -> /usr/lib/*/lxc/{**,},
+ mount -> /usr/lib/lxc/{**,},
+ mount fstype=devpts -> /dev/pts/,
+ mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount options=(rw, slave) -> /,
+ mount fstype=debugfs,
+ # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
+ mount -> /var/lib/lxc/{**,},
+
+ # required for some pre-mount hooks (like the new lxc-start-ephemeral)
+ mount fstype=overlayfs,
+ mount fstype=aufs,
+ mount fstype=ecryptfs,
+
+ # all umounts are under the original root's /mnt, but right now we
+ # can't allow those umounts after pivot_root. So allow all umounts
+ # right now. They'll be restricted for the container at least.
+ umount,
+ #umount /mnt/{**,},
+
+ # This may look a bit redundant, however it appears we need all of
+ # them if we want things to work properly on all combinations of kernel
+ # and userspace parser...
+ pivot_root /usr/lib/lxc/,
+ pivot_root /usr/lib/*/lxc/,
+ pivot_root /usr/lib/lxc/**,
+ pivot_root /usr/lib/*/lxc/**,
+
+ change_profile -> lxc-*,
+ change_profile -> unconfined,
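Review bot: `change_profile -> unconfined,` at line 212 lets any process running under a profile that includes this abstraction call aa_change_profile() and leave AppArmor confinement altogether, so this abstraction is not a boundary for lxc-start itself but a set-up profile for the transition to a per-container `lxc-*` profile; that is acceptable for the host-side /usr/bin/lxc-start, but nothing in the file says so, and the abstraction is also pulled into a container profile elsewhere in this change. Suggest a header comment: `# For the host-side lxc-start profile only: grants broad file/mount/umount access and, via change_profile -> unconfined, the ability to drop confinement. Do not include from a profile meant to confine untrusted code.` The `# currently blocked by apparmor bug` comment at line 182 also does not say which of the following rules it covers or which bug; either name the bug or drop the comment if it is stale.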
--- /dev/null
+# This file exists only to ensure that all per-container policies
+# listed under /etc/apparmor.d/lxc get loaded at boot. Please do
+# not edit this file.
+
+#include <tunables/global>
+
+#include <lxc>
--- /dev/null
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/lxc/container-base>
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+}
--- /dev/null
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/lxc/container-base>
+
+# allow standard blockdevtypes.
+# The concern here is in-kernel superblock parsers bringing down the
+# host with bad data. However, we continue to disallow proc, sys, securityfs,
+# etc to nonstandard locations.
+ mount fstype=ext*,
+ mount fstype=xfs,
+ mount fstype=btrfs,
+}
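Review bot: This profile does not carry the `deny mount fstype=devpts,` that lxc-default pairs with the comment that a container "may never be allowed" to mount devpts; today nothing in container-base allows devpts, so it is denied implicitly, but the explicit deny records the invariant, still holds if a later abstraction adds an allow rule, and — since deny rules are quiet — keeps audit logging consistent between the two profiles. Suggest adding after the three filesystem rules: `# as in lxc-default: a devpts mount would re-attach the host's devpts` followed by `deny mount fstype=devpts,`. The comment block at lines 240–243 is also the only one in these profiles at column 0; indent it with the rules it describes.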
--- /dev/null
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/lxc/container-base>
+ #include <abstractions/lxc/start-container>
+
+# Uncomment the line below if you are not using cgmanager
+# mount fstype=cgroup -> /sys/fs/cgroup/**,
+
+ mount fstype=proc -> /var/cache/lxc/**,
+ mount fstype=sysfs -> /var/cache/lxc/**,
+ mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
+}
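Review bot: Including abstractions/lxc/start-container at line 254 pulls `change_profile -> unconfined,` and `mount fstype=devpts -> /dev/pts/,` into a container profile, so a root process inside a nesting container can call aa_change_profile("unconfined") and shed AppArmor confinement, and can mount devpts at /dev/pts — the operation lxc-default explicitly denies because it re-attaches the host's devpts; whether the unconfined transition stays inside the container depends on kernel support for AppArmor policy namespaces, which this change does not show. The only warning in the file is "Do not load this file", which is about loading, not trust. Suggest a header comment: `# WARNING: only for trusted containers. Via start-container this profile permits change_profile -> unconfined (drops AppArmor confinement on kernels without policy stacking) and devpts mounts at /dev/pts.` Also `mount fstype=proc -> /var/cache/lxc/**,` at line 259 places a proc instance outside the path-based `/proc/sys/**` deny rules of container-base, so sysctl files under that mount are not covered by them (whether they are writable depends on the container's user namespace); a matching `deny /var/cache/lxc/**/proc/sys/** wklx,` or a comment explaining why it is acceptable would help.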
--- /dev/null
+#include <tunables/global>
+
+/usr/bin/lxc-start flags=(attach_disconnected) {
+ #include <abstractions/lxc/start-container>
+}
--- /dev/null
+have lxc-start && {
+ _lxc_names() {
+ COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) )
+ }
+
+ _lxc_states() {
+ COMPREPLY=( $( compgen -W "STOPPED STARTING RUNNING STOPPING ABORTING FREEZING FROZEN THAWED" "$cur" ) )
+ }
+
+ _lxc_templates() {
+ COMPREPLY=( $( compgen -W "$(ls /usr/share/lxc/templates/ | sed -e 's|^lxc-||' )" "$cur" ) )
+ }
+
+ _lxc-generic-n() {
+ local cur prev
+
+ COMPREPLY=()
+ _get_comp_words_by_ref cur prev
+
+ case $prev in
+ -n)
+ _lxc_names "$cur"
+ return 0
+ ;;
+ esac
+
+ return 1
+ }
+
+ _lxc-generic-ns() {
+ local cur prev
+
+ COMPREPLY=()
+ _get_comp_words_by_ref cur prev
+
+ case $prev in
+ -n)
+ _lxc_names "$cur"
+ return 0
+ ;;
+
+ -s)
+ _lxc_states "$cur"
+ return 0
+ ;;
+ esac
+
+ return 1
+ }
+
+ _lxc-generic-t() {
+ local cur prev
+
+ COMPREPLY=()
+ _get_comp_words_by_ref cur prev
+
+ case $prev in
+ -t)
+ _lxc_templates "$cur"
+ return 0
+ ;;
+ esac
+
+ return 1
+ }
+
+ _lxc-generic-o() {
+ local cur prev
+
+ COMPREPLY=()
+ _get_comp_words_by_ref cur prev
+
+ case $prev in
+ -o)
+ _lxc_names "$cur"
+ return 0
+ ;;
+ esac
+
+ return 1
+ }
+
+ complete -o default -F _lxc-generic-n lxc-attach
+ complete -o default -F _lxc-generic-n lxc-cgroup
+ complete -o default -F _lxc-generic-n lxc-console
+ complete -o default -F _lxc-generic-n lxc-destroy
+ complete -o default -F _lxc-generic-n lxc-device
+ complete -o default -F _lxc-generic-n lxc-execute
+ complete -o default -F _lxc-generic-n lxc-freeze
+ complete -o default -F _lxc-generic-n lxc-info
+ complete -o default -F _lxc-generic-n lxc-monitor
+ complete -o default -F _lxc-generic-n lxc-snapshot
+ complete -o default -F _lxc-generic-n lxc-start
+ complete -o default -F _lxc-generic-n lxc-stop
+ complete -o default -F _lxc-generic-n lxc-unfreeze
+
+ complete -o default -F _lxc-generic-ns lxc-wait
+
+ complete -o default -F _lxc-generic-t lxc-create
+
+ complete -o default -F _lxc-generic-o lxc-clone
+ complete -o default -F _lxc-generic-o lxc-start-ephemeral
+}
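Review bot: `_lxc_templates` at lines 279–281 parses `ls` output to build the word list, and all three `compgen -W` calls pass `"$cur"` without a `--`, so a partial word beginning with `-` is parsed as a compgen option instead of the prefix to complete; a glob over /usr/share/lxc/templates/lxc-* and `compgen -W "..." -- "$cur"` fix both. The helpers are also called with `"$cur"` as an argument (lines 291, 307, 312, 328, 344) but never read `$1`; they only work because `cur` is a `local` in the caller and bash scopes it dynamically, which is worth a comment or an explicit `local cur=$1` in each helper. The `lxc-ls` output in `_lxc_names` is fed to word-splitting as well, so names with whitespace would split; I assume LXC rejects such names, but the same `--` applies there.
```shell
_lxc_templates() {
    local t names=""
    for t in /usr/share/lxc/templates/lxc-*; do
        [ -e "$t" ] && names="$names ${t#/usr/share/lxc/templates/lxc-}"
    done
    COMPREPLY=( $( compgen -W "$names" -- "$cur" ) )
}
```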
--- /dev/null
+#!/bin/sh
+#
+# lxc Start/Stop LXC autoboot containers
+#
+# chkconfig: 345 99 01
+# description: Starts/Stops all LXC containers configured for autostart.
+#
+### BEGIN INIT INFO
+# Provides: lxc
+# Required-Start: $syslog $remote_fs
+# Required-Stop: $syslog $remote_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Bring up/down LXC autostart containers
+# Description: Bring up/down LXC autostart containers
+# X-Start-Before:
+# X-Stop-After:
+# X-Interactive:
+### END INIT INFO
+
+sysconfdir="/etc"
+bindir="/usr/bin"
+localstatedir="/var"
+
+# These can be overridden in /etc/sysconfig/lxc
+
+# BOOTGROUPS - What groups should start on bootup?
+# Comma separated list of groups.
+# Leading comma, trailing comma or embedded double
+# comma indicates when the NULL group should be run.
+# Example (default): boot the onboot group first then the NULL group
+BOOTGROUPS="onboot,"
+
+# SHUTDOWNDELAY - Wait time for a container to shut down.
+# ner shutdown can result in lengthy system
+# shutdown times. Even 5 seconds per container can be
+# too long.
+SHUTDOWNDELAY=5
+
+# OPTIONS can be used for anything else.
+# If you want to boot everything then
+# options can be "-a" or "-a -A".
+OPTIONS=
+
+# STOPOPTS are stop options. The can be used for anything else to stop.
+# If you want to kill containers fast, use -k
+STOPOPTS="-a -s"
+
+# Source function library.
+test ! -r /lib/lsb/init-functions ||
+ . /lib/lsb/init-functions
+
+# Source any configurable options
+test ! -r "$sysconfdir"/sysconfig/lxc ||
+ . "$sysconfdir"/sysconfig/lxc
+
+# Check for needed utility program
+[ -x "$bindir"/lxc-autostart ] || exit 1
+
+# If libvirtd is providing the bridge, it might not be
+# immediately available, so wait a bit for it before starting
+# up the containers or else any that use the bridge will fail
+# to start
+wait_for_bridge()
+{
+ [ -f "$sysconfdir"/lxc/default.conf ] || { return 0; }
+
+ which ifconfig >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ cmd="ifconfig -a"
+ else
+ which ip >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ cmd="ip link list"
+ fi
+ fi
+ [ -n cmd ] || { return 0; }
+
+ BRNAME=`grep '^[ ]*lxc.network.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ ]*//'`
+ if [ -z "$BRNAME" ]; then
+ return 0
+ fi
+
+ for try in `seq 1 30`; do
+ eval $cmd |grep "^$BRNAME" >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ return
+ fi
+ sleep 1
+ done
+}
+
+mkdir -p /var/lock/subsys
+
+# See how we were called.
+case "$1" in
+ start)
+ [ ! -f "$localstatedir"/lock/subsys/lxc ] || { exit 0; }
+
+ if [ -n "$BOOTGROUPS" ]
+ then
+ BOOTGROUPS="-g $BOOTGROUPS"
+ fi
+
+ # Start containers
+ wait_for_bridge
+ # Start autoboot containers first then the NULL group "onboot,".
+ log_daemon_msg "Starting LXC autoboot containers: "
+ "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS
+ touch "$localstatedir"/lock/subsys/lxc
+ ;;
+ stop)
+ if [ -n "$SHUTDOWNDELAY" ]
+ then
+ SHUTDOWNDELAY="-t $SHUTDOWNDELAY"
+ fi
+
+ # The stop is serialized and can take excessive time. We need to avoid
+ # delaying the system shutdown / reboot as much as we can since it's not
+ # parallelized... Even 5 second timout may be too long.
+ log_daemon_msg "Stopping LXC containers: "
+ "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY
+ rm -f "$localstatedir"/lock/subsys/lxc
+ ;;
+ restart|reload|force-reload)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
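Review bot: `[ -n cmd ]` at line 452 tests the literal string "cmd", which is always non-empty, so when neither ifconfig nor ip is found the function falls through with `cmd` unset and `eval $cmd | grep` at line 460 runs an empty command for thirty one-second retries before any container starts; it should be `[ -n "$cmd" ] || { return 0; }` with `cmd=` initialised at the top of wait_for_bridge. The `ip link list` fallback never matches either, because its lines start with an interface index (`2: lxcbr0: ...`) and the pattern is anchored with `^`, so hosts without net-tools always sit out the full 30 seconds; `ip link show "$BRNAME"` is a direct, quoted test that also removes the eval, and `command -v` is the portable replacement for `which`. A smaller issue: the start arm ends with `touch`, so `exit $?` at line 508 reports the lock-file write rather than whether `lxc-autostart` succeeded — capture its status before the `touch` if the LSB exit code matters to callers.
```shell
wait_for_bridge()
{
    [ -f "$sysconfdir"/lxc/default.conf ] || { return 0; }

    BRNAME=`grep '^[ ]*lxc.network.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ ]*//'`
    [ -n "$BRNAME" ] || { return 0; }

    for try in `seq 1 30`; do
        if command -v ip >/dev/null 2>&1; then
            ip link show "$BRNAME" >/dev/null 2>&1 && return
        elif command -v ifconfig >/dev/null 2>&1; then
            ifconfig -a | grep -q "^$BRNAME" && return
        else
            return 0
        fi
        sleep 1
    done
}
```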
--- /dev/null
+lxc.network.type = empty
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+../init.d/lxc
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/lxc.service
\ No newline at end of file