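# Host-side prerequisites for unprivileged LXC containers.
#
# Pulls in the base LXC class, installs the cgroup/cgfs PAM helpers, and
# manages the user-namespace sysctl. NOTE: the sysctl is currently set to 0,
# i.e. unprivileged user namespaces are switched OFF on purpose (kernel
# attack-surface reduction, see the Debian advisory below). Unprivileged
# containers rely on user namespaces, so they will not start while this is
# in effect; the lxc-usernet TODO at the bottom only makes sense once the
# value is flipped back to 1 after reassessing the advisory.
class virtual::lxc::unprivileged {
  include virtual::lxc::base

  package { [
    'libvirt0',
    'libpam-cgroup',
    'libpam-cgfs',
  ]:
    ensure => present,
  }

  # Disabled, see https://www.debian.org/security/2017/dsa-4073
  # Previous (enabled) value was 1; the old commented-out line carried a
  # typo ("=!") that would not have been a valid sysctl value.
  # content => "kernel.unprivileged_userns_clone=1\n",
  file { '/etc/sysctl.d/80-lxc-userns.conf':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "kernel.unprivileged_userns_clone=0\n",
  }

  # Re-read every sysctl.d fragment whenever the file above changes.
  # The command is fully qualified and given an explicit search path:
  # Puppet refuses an unqualified command unless an Exec path default is set
  # elsewhere, and a fixed path also avoids resolving 'sysctl' from whatever
  # PATH the agent inherited. The resource title is kept as-is so existing
  # references to Exec['sysctl --system'] keep working.
  exec { 'sysctl --system':
    command     => '/sbin/sysctl --system',
    path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
    user        => 'root',
    subscribe   => File['/etc/sysctl.d/80-lxc-userns.conf'],
    refreshonly => true,
  }

  # TODO: echo "$USER veth lxcbr0 1000"| sudo tee -i /etc/lxc/lxc-usernet
  # (only useful once kernel.unprivileged_userns_clone is re-enabled above)
}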