projects:package-building
Differences
This shows you the differences between two versions of the page.
projects:package-building [2013/07/13 07:53] – siretart | projects:package-building [2013/07/14 08:31] (current) – notes on my lxc setup siretart
Line 19: | Line 19: | ||
Steps to create a container suitable for package building: | Steps to create a container suitable for package building: | ||
- | SUITE=wheezy lxc-create -t debian-build | + | |
- | echo ' | + | ln -s / |
- | ln -s /var/lib/lxc/debian-build/ | + | |
+ | Ubuntu confines the container with app-armor in order to limit the capability and permissions of processes inside the container, and thus, to limit the security risks of untrusted code " | ||
+ | |||
+ | - Run the container in with the unconfined profile | ||
+ | - Create and use the following profile: | ||
+ | |||
+ | < | ||
+ | # / | ||
+ | # | ||
+ | # Do not load this file. Rather, load / | ||
+ | # will source all profiles under / | ||
+ | |||
+ | profile lxc-container-schroot flags=(attach_disconnected, | ||
+ | #include < | ||
+ | #include < | ||
+ | |||
+ | mount fstype=cgroup -> / | ||
+ | |||
+ | mount options in (ro, | ||
+ | mount fstype=proc, | ||
+ | mount fstype=sysfs, | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | Unfortunately, | ||
+ | |||
+ | < | ||
+ | # Template used to create this container: debian | ||
+ | # Template script checksum (SHA-1): 33e3fc0cb7e2809453c36e81fe0fe4aa5542c208 | ||
+ | |||
+ | lxc.network.type = veth | ||
+ | lxc.network.link = lxcbr0 | ||
+ | lxc.network.flags = up | ||
+ | lxc.network.ipv4 = 10.0.3.200 | ||
+ | |||
+ | lxc.rootfs = / | ||
+ | lxc.tty = 4 | ||
+ | lxc.pts = 1024 | ||
+ | lxc.utsname = debian-build | ||
+ | |||
+ | # When using LXC with apparmor, uncomment the next line to run unconfined: | ||
+ | # | ||
+ | |||
+ | lxc.aa_profile = lxc-container-schroot | ||
+ | |||
+ | lxc.cgroup.devices.deny = a | ||
+ | # /dev/null and zero | ||
+ | lxc.cgroup.devices.allow = c 1:3 rwm | ||
+ | lxc.cgroup.devices.allow = c 1:5 rwm | ||
+ | # consoles | ||
+ | lxc.cgroup.devices.allow = c 5:1 rwm | ||
+ | lxc.cgroup.devices.allow = c 5:0 rwm | ||
+ | lxc.cgroup.devices.allow = c 4:0 rwm | ||
+ | lxc.cgroup.devices.allow = c 4:1 rwm | ||
+ | # /dev/ | ||
+ | lxc.cgroup.devices.allow = c 1:9 rwm | ||
+ | lxc.cgroup.devices.allow = c 1:8 rwm | ||
+ | lxc.cgroup.devices.allow = c 136:* rwm | ||
+ | lxc.cgroup.devices.allow = c 5:2 rwm | ||
+ | # rtc | ||
+ | lxc.cgroup.devices.allow = c 254:0 rwm | ||
+ | |||
+ | # found on http://wiki.progress-linux.org/ | ||
+ | # Allow to mknod all devices (but not using them) | ||
+ | lxc.cgroup.devices.allow | ||
+ | lxc.cgroup.devices.allow | ||
+ | |||
+ | # mounts point | ||
+ | lxc.mount.entry = proc proc proc nodev, | ||
+ | lxc.mount.entry = sysfs sys sysfs defaults | ||
+ | </ | ||
+ | |||
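Review bot: the `lxc.mount.entry = sysfs sys sysfs defaults` line at the end of the container config mounts sysfs with `defaults`, while the `proc` entry directly above it starts its mount options with `nodev,`; since the stated purpose of this setup is to limit what untrusted build code can do, give the sysfs mount the same restrictive options as the proc entry instead of `defaults`. The device cgroup block is a sound default-deny (`lxc.cgroup.devices.deny = a` followed by an explicit allow list), and keeping `lxc.aa_profile = lxc-container-schroot` with the unconfined line commented out is consistent with the text above, but the prose lists "run the container with the unconfined profile" as the first option; it reads better as the fallback, with a sentence saying which build step needs each `mount fstype=cgroup`, `mount fstype=proc` and `mount fstype=sysfs` rule in the custom profile, since every mount rule added there is a permission the confined container would not otherwise have.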
projects/package-building.1373702030.txt.gz · Last modified: 2013/07/13 07:53 by siretart