lxc: modernize void configuration for guests.

srcpkgs/lxc/files/void.common.conf

@@ -1,69 +1,34 @@
-# Default pivot location
+# This derives from the global common config
-#lxc.pivotdir = lxc_putold
+lxc.include = /usr/share/lxc/config/common.conf
 
+# Allow for 6 tty devices by default
+lxc.tty = 6
+
+# Set the halt/stop signals
 lxc.haltsignal = SIGCONT
 
-# Default mount entries
+# Uncomment to disable creating tty devices subdirectory in /dev
-lxc.mount.entry = run run tmpfs rw,nosuid,nodev,mode=755 0 0
+lxc.devttydir =
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
 
-# Default console settings
+# Capabilities
-lxc.tty = 6
+# Uncomment these if you don't run anything that needs the capability, and
-lxc.pts = 1024
+# would like the container to run with less privilege.
-lxc.autodev = 1
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw          # breaks dhcp/ping
+# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid           # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
 
-# Default capabilities
+# Setup the default mounts
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:ro proc:rw sys:rw
-
-# When using LXC with apparmor, the container will be confined by default.
-# If you wish for it to instead run unconfined, copy the following line
-# (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
-
-# To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following two lines instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
-
-# If you wish to allow mounting block filesystems, then use the following
-# line instead, and make sure to grant access to the block device and/or loop
-# devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
-
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-## rtc
-lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
-## tun
-lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
-## hpet
-lxc.cgroup.devices.allow = c 10:228 rwm
-## kvm
-lxc.cgroup.devices.allow = c 10:232 rwm
-## To use loop devices, copy the following line to the container's
-## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
-
-# Blacklist some syscalls which are not safe in privileged
-# containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp

srcpkgs/lxc/template

@@ -3,7 +3,7 @@ _desc="Linux Containers"
 
 pkgname=lxc
 version=1.1.0
-revision=3
+revision=4
 build_style=gnu-configure
 configure_args="--enable-doc --enable-seccomp --enable-cgmanager
  --enable-capabilities --disable-apparmor --with-distro=none