Merge pull request #1022 from subutai-io/dev

Mike Savochkin · web-flow · commit 261668f4fe7e · 2020-04-24T12:28:11.000+06:00
Dev
diff --git a/debian/postinst b/debian/postinst
@@ -16,3 +16,7 @@ if systemctl is-active --quiet ipfs.service; then
     ipfs bootstrap add /dnsaddr/eu1.s.optdyn.com/ipfs/QmUZFuJ31ctYGxYFDtKzDBXmpmiBQWZGyqQChL7RwQNitV
     ipfs bootstrap add /dnsaddr/us1.s.optdyn.com/ipfs/QmdL6K8gqGT2BRUEGtcnRGTCyGVV5H7QiYqPLzvgMcLpxo
 fi
+
+# Restart apparmor
+systemctl restart apparmor
+
diff --git a/debian/rules b/debian/rules
@@ -22,14 +22,18 @@ override_dh_auto_install:
 	dh_auto_install -- --no-source
 	mv debian/subutai/usr/bin/agent debian/subutai/usr/bin/subutai
 	mkdir -p debian/subutai/etc/subutai/
+	mkdir -p debian/subutai/etc/apparmor.d/lxc
 	mkdir -p debian/subutai/var/lib/subutai/
 	mkdir -p debian/subutai/usr/sbin
 	mkdir -p debian/subutai/usr/lib/subutai/libexec
 	mkdir -p debian/subutai/usr/lib/subutai/etc
+	mkdir -p debian/subutai/usr/share/subutai/config
 	mkdir -p debian/subutai/usr/share/bash-completion/completions
 	mkdir -p debian/subutai/lib/systemd/system
 	cp debian/tree/agent.conf debian/subutai/etc/subutai/
 	cp debian/tree/agent.conf debian/subutai/usr/lib/subutai/etc/
+	cp debian/tree/lxc-default-subutai debian/subutai/etc/apparmor.d/lxc/
+	cp debian/tree/subutai.conf debian/subutai/usr/share/subutai/config/
 	cp debian/tree/libexec/* debian/subutai/usr/lib/subutai/libexec/
 	cp debian/tree/ssh.pem debian/subutai/var/lib/subutai/
 	cp debian/tree/sbin/* debian/subutai/usr/sbin/
diff --git a/debian/tree/lxc-default-subutai b/debian/tree/lxc-default-subutai
@@ -0,0 +1,14 @@
+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-subutai flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/lxc/container-base>
+  #include <abstractions/lxc/start-container>
+  deny mount fstype=devpts,
+  mount fstype=cgroup -> /sys/fs/cgroup/**,
+  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
+  mount options=(rw,bind),
+  mount options=(rw,rbind),
+  mount options=(rw,rshared),
+  mount options=(ro,nosuid,noexec,remount,bind,strictatime),
+}
diff --git a/debian/tree/subutai.conf b/debian/tree/subutai.conf
@@ -0,0 +1,30 @@
+# This derives from the global common config
+lxc.include = /usr/share/lxc/config/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.tty.dir =
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.apparmor.profile = unconfined
+lxc.apparmor.profile = lxc-container-default-subutai
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.apparmor.profile = lxc-container-default-with-mounting
+lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file
+
+# Extra cgroup device access
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
