Setting Fedora Linux capabilities

asked 2015-04-03 11:13:21 -0500

Caterpillar gravatar image

updated 2015-04-04 11:04:41 -0500

I have to create a Fedora tar.gz container template file for CONFINE project. CONFINE used to use Debian containers, so they wrote this tutorial

Now I have to "translate" that tutorial to be able to create a good Fedora tar.gz container template file. Since I don't have a Fedora equivalent lxc-debconfig, I have to setup manually all the following settings. I need help in how to manually setup Linux capabilities that you can find under section

# Capabilities to be dropped from the container

Full sliver.cfg file

# # Debian preseed file for CONFINE sliver template
# Tested on lxc 0.9.0~alpha3-2 and live-debconfig 4.0~a17.

# ## Distribution and packages
lxc-debconfig lxc-debconfig/distribution string wheezy
lxc-debconfig lxc-debconfig/architecture string i386
lxc-debconfig lxc-debconfig/archives multiselect \
    wheezy-security, wheezy-updates, wheezy-backports
lxc-debconfig lxc-debconfig/mirror string \
    http://http.debian.net/debian/
lxc-debconfig lxc-debconfig/mirror-security string \
    http://security.debian.org/
lxc-debconfig lxc-debconfig/mirror-backports string \
    http://http.debian.net/debian/
lxc-debconfig lxc-debconfig/archive-areas multiselect main
lxc-debconfig lxc-debconfig/packages string \
    bridge-utils curl iperf iptables iputils-arping iputils-ping \
    less man-db nano openssl screen \
    traceroute tshark vim-tiny w3m wget

# For configuring additional package sources.
##lxc-debconfig lxc-debconfig/archives0/repository string \
##    https://debian.example.com/  wheezy  main
##lxc-debconfig lxc-debconfig/archives0/list string local-my-repo
##lxc-debconfig lxc-debconfig/archives0/comment string \
##    My custom package repository
##lxc-debconfig lxc-debconfig/archives0/source boolean true
##lxc-debconfig lxc-debconfig/archives0/key string \
##    https://debian.example.com/keys/archive-key.asc

# ## Network
# Please adjust to the name of the bridge used in your host.
lxc-debconfig lxc-debconfig/eth0-bridge string vmbr
# Private MAC address, to be replaced on sliver creation.
lxc-debconfig lxc-debconfig/eth0-mac string 52:C0:A1:AB:BA:1A
# Private veth interface name, to be replaced on sliver creation.
lxc-debconfig lxc-debconfig/eth0-veth string veth-sliver

# ## Other container options
lxc-debconfig lxc-debconfig/auto boolean false
# Use live-debconfig to further configure the container.
lxc-debconfig lxc-debconfig/lxc-debconfig-with-live-debconfig boolean true
lxc-debconfig lxc-debconfig/apt-recommends boolean false
# Avoid debconf questions.
lxc-debconfig lxc-debconfig/debconf-frontend select noninteractive
## (default value)
##lxc-debconfig lxc-debconfig/debconf-priority string medium

# For running commands in the container and host at the end.
##lxc-debconfig lxc-debconfig/late-command string container-command args...
##lxc-debconfig lxc-debconfig/late-host-command string host-command args...

# Capabilities to be dropped from the container.
lxc-debconfig lxc-debconfig/capabilities string \
    audit_control audit_write ipc_lock mac_admin mac_override \
    sys_admin sys_module sys_pacct sys_rawio sys_resource sys_time \
    syslog wake_alarm

# For mounting filesystems in container.
##lxc-debconfig lxc-debconfig/mount0/entry string \
##    /host/path/foo  /container/path/bar  none  bind  0  0
##lxc-debconfig lxc-debconfig/mount0/comment string \
##    Bind mount host path in container

# ## Live-debconfig scripts configuration

# (For some reason live-debconfig options must be on a single line
# or the following options are not interpreted correctly.)

live-debconfig live-debconfig/scripts multiselect hostname, ifupdown, openssh-server, passwd, sysvinit, util-linux

# ### LXC (sysvinit)
# Perform LXC tweaks in the container.
live-debconfig live-debconfig/sysvinit/lxc-enable boolean true
## (default values)
##live-debconfig live-debconfig/sysvinit/lxc-consoles string 6
##live-debconfig live-debconfig/sysvinit/lxc-disable-services string checkroot.sh hwclockfirst.sh hwclock.sh kmod module-init-tools mountall.sh mountkernfs.sh umountfs umountroot

### Hardware clock access (util-linux)
live-debconfig live-debconfig/util-linux/hwclockaccess boolean false

# ### Host name (hostname)
# Host name, to be replaced on sliver creation.
live-debconfig live-debconfig/hostname/hostname string sliver

# ### Network ...
(more)
edit retag flag offensive close merge delete