Disables kernel.unprivileged_userns_clone at virtual::lxc::unprivileged

author: Silvio Rhatto <rhatto@riseup.net> 2018-01-04 14:36:37 -0200
committer: Silvio Rhatto <rhatto@riseup.net> 2018-01-04 14:36:37 -0200
commit: e83ec894936775c6d8f238c1c5ba21e7bfa9574e (patch)
tree: 6fe003520f647c42b0e5106eb60a27538e1de557
parent: 7a30f0004bd13d51f6320d1ef116d89927cc3bea (diff)
download: puppet-virtual-e83ec894936775c6d8f238c1c5ba21e7bfa9574e.tar.gz
puppet-virtual-e83ec894936775c6d8f238c1c5ba21e7bfa9574e.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/manifests/lxc/unprivileged.pp b/manifests/lxc/unprivileged.pp
index 6f187a5..d980192 100644
--- a/manifests/lxc/unprivileged.pp
+++ b/manifests/lxc/unprivileged.pp
@@ -9,12 +9,14 @@ class virtual::lxc::unprivileged {
     ensure => present,
   }
 
+  # Disabled, see https://www.debian.org/security/2017/dsa-4073
   file { "/etc/sysctl.d/80-lxc-userns.conf":
     owner   => "root",
     group   => "root",
     mode    => '0644',
     ensure  => present,
-    content => "kernel.unprivileged_userns_clone=1\n",
+    #content => "kernel.unprivileged_userns_clone=!\n",
+    content => "kernel.unprivileged_userns_clone=0\n",
   }
 
   exec { "sysctl --system":
author	Silvio Rhatto <rhatto@riseup.net>	2018-01-04 14:36:37 -0200
committer	Silvio Rhatto <rhatto@riseup.net>	2018-01-04 14:36:37 -0200
commit	e83ec894936775c6d8f238c1c5ba21e7bfa9574e (patch)
tree	6fe003520f647c42b0e5106eb60a27538e1de557
parent	7a30f0004bd13d51f6320d1ef116d89927cc3bea (diff)
download	puppet-virtual-e83ec894936775c6d8f238c1c5ba21e7bfa9574e.tar.gz puppet-virtual-e83ec894936775c6d8f238c1c5ba21e7bfa9574e.tar.bz2