commit 8f32132ed4c17b0646db4854f551379783d4b5b1c4aa3e31c7897df41cd438b8 Author: Christian Brauner Date: Wed Mar 27 17:26:15 2019 +0000 - Add LXD 3.11 package. - Update to LXC 3.1.0. - Update to LXCFS 3.0.3. - Rework packaging to be a more modern openSUSE-style. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/lxd?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/lxd-3.11.tar.gz b/lxd-3.11.tar.gz
new file mode 100644
index 0000000..fbd96c3
--- /dev/null
+++ b/lxd-3.11.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d38ca401aedbba867f2b8b4cb491efe85047dd0729f22b31ae2feef21cfbf77
+size 27281796
diff --git a/lxd-3.11.tar.gz.asc b/lxd-3.11.tar.gz.asc
new file mode 100644
index 0000000..cf2fd0a
--- /dev/null
+++ b/lxd-3.11.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEYC9WdmPlk7y9FPM4xjiXTWR5LWcFAlx+4xIACgkQxjiXTWR5
+LWdkxBAAok+kHC31SJ6pBxSFXu2GBG3XHq+qwWtwfa4+QNHimOh0jtwwteo9sETw
+fiyQQLQ29+1DyonhRTMteZWEshYaNqyC6aQq8fkJ5i8wrySGa6/L+WFVH5UCdvvs
+L7Qg4wYz4GFS2zFBLazvj5wUhbPI6ksVqm1nMMj8B+r54aRsA1ITHsrLG9L3G3Lu
+x3cmtA0f/eM1sgrUgKQHkl3cK3nCU5GyQ+P3ybvv4Giar9tfCziE6h8xPiHNB8CB
+LOInaVCXcaBagjgZxFwRlUQ237ju0uU/Ky9/Fo7m+flJIak90mVoAo5Aaaz1Z9OZ
+SRhqoOzvnxrq0BFP7fZTQ/Wv3iB3h8whW7MG2qyXG+VhbqDZ+yubLH//Ptyo6XTD
+xAfUmaKo9E/AFQ8JsunjT+FM9waN6yyH9VthwHeIdcEZYW7ap27Jw+LMykwBO+gO
+TmvbmbR7JZTzwPZtDFbODPd+D/oZQIqD1BHaGse4jED2ndXIX5WqoMobIk3agDh0
+JbnxlSNz8Wzk69Tf0n/ovaNvobZBNSF+aN8AcYWHWoBBcIg/UzZFCvhmqW+80F5s
+uAnmeyGfws7NDUXAuYKIV/UqufljgXyJ24RHWUqG6yqJuWPx3K6RnSEgni0L2Fer
+wDXurLJlVha7sNu6dywWqRx/zWPkHjCYEudmMiGkKAfTWoEf9dM=
+=dhL3
+-----END PGP SIGNATURE-----
diff --git a/lxd.changes b/lxd.changes
new file mode 100644
index 0000000..295918a
--- /dev/null
+++ b/lxd.changes
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Mar 26 02:44:05 UTC 2019 - Aleksa Sarai
+
+- Initial packaging of LXD 3.11.
diff --git a/lxd.dnsmasq b/lxd.dnsmasq
new file mode 100644
index 0000000..f2cbf8f
--- /dev/null
+++ b/lxd.dnsmasq
@@ -0,0 +1,5 @@
+# Tell any system-wide dnsmasq instance to make sure to bind to interfaces
+# instead of listening on 0.0.0.0.
+# WARNING: changes to this file will get lost if lxd is removed.
+bind-interfaces
+except-interface=lxdbr0
diff --git a/lxd.keyring b/lxd.keyring
new file mode 100644
index 0000000..332d35b
--- /dev/null
+++ b/lxd.keyring
@@ -0,0 +1,69 @@
+pub rsa4096/0xC638974D64792D67 2010-10-23 [SC]
+ 602F567663E593BCBD14F338C638974D64792D67
+uid [ unknown] Stéphane Graber
+uid [ unknown] Stéphane Graber
+sub rsa4096/0x9E4B2A99D7B3258F 2010-10-23 [E]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBEzDJtYBEADeY2GjCIHiP69HyT6dea1bcBYKHzGusmPjUGfNExAgseCgkFGo
+xROSpjt5ez8FGyvjvSevVTtWTO955eLrhj7fUzfcN8ot+Lj5EeCeyX6evR/jv/Kw
+dJZfKNHEKFlsRL74NEodSIvxDxANsu4iggpPWe+RMcZt7yP/4j5j7/yfZHCtDNVe
+6vYr6FvR9YmJ1TK3SudKQ0eLYBgW75V45xtgl1dzcTfmmnQKRq0NBgGHQ9P+VdA5
+TTaKDxDyVGuGL3eSBABLKiOTVxn8cLK75NOHH920PbOIKAfXh0StvIRbHL0EcwNj
+4nrSHHsDqFwQaieVueEpxaL3OfKXlF/4KdkCz8J1fXMiKd7MrOaVCGfriU4J9H3V
+2JUPzHCv1QOLlJFkzyfbAh/62xRuUKihqBnLvMStl1wCesbMSAUxZZs2u+emqjD7
+wqf7bj5u34bCb/7eBnirBhk7fCPrWeiw+tyr8focN3TB9ZjoFba+lzReP+ehYpFI
+15ro7wJ82VvEYw3/UIOyUhGBdGWZzwoag6Y2sm7zY84YGtNV44LsaKpJYZUi7er4
+2JQZ6PN68lfkGgTyjd3eFQ4la7pmhOWDZt9ldy8rz8dw0K8gKRP+b5NNmaPznCcM
+tg8s+mQqcjWpeqwmq93JrgbxGwgiI2qw9P+dZI0jn+Aoth+DDki3MC6ZXwARAQAB
+tCZTdMOpcGhhbmUgR3JhYmVyIDxzdGdyYWJlckB1YnVudHUuY29tPokCNwQTAQoA
+IQUCTMMuOgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRDGOJdNZHktZ35S
+D/434tFecFY622NY/YLjQUN++bSvP+mbeCeOXnOULZozURQTuQzneTWFgkPOL7Uv
+RIrw0WznQEwhUMai7PUF3SbOYcj7iYSXJM6t3aNfW0zmjS185Ny2bRB7URihTAyE
+eM4Jpk6oMTmhqmH2OHnFQuNqmCl1tiH44KVv/sQAEzN/txjxj64YSq5NSzkQKlMG
+/n7QfLL+RhoB4db1wY8vhnrryP7vUx5DR1A5z9MYfFTIJb75vsQM6r4s3sVtwSTG
+kozJMUZAs0EXbI2Tgx2Wd7t2ix21lBu0PDb/RINpXQV0pyhT1kQxa1ZKfpLoM2LR
+Wp6ctqmU+qkryaW8cLEHkYmDKEQIgQ7/DrOJPrPgjfBIC9LOcXgI1LbIh1L7tNFA
+OiOVS/e4C3zxBowCS4VCWq9m0LrmC531sFF46cmAMhrmtStWqJpn/Yaxn8VmhhTU
+zIVOUr3gL9RzbynYGIiSif+LXsrPLzEaDTGjmKm3oFvDadUHmb6HyuQ0M9UCgLQK
+kWiOvybx6Q16doFm61VQsJMqHDSpLBjOc5cSHO9PiXlYzkK0dv8h8e0LG2MORHCJ
+K4s8SfsPAXBCJwoZufcohaO0DD/fx93ErcAyNlDiwL2TxrQ4wEMHj73lt18A/HqP
+VpU0zTWDpNDe/N12a3sfTfs9IdB/izq6k2kTzZwHmqgpKbQoU3TDqXBoYW5lIEdy
+YWJlciA8c3RncmFiZXJAc3RncmFiZXIub3JnPokCOgQTAQoAJAIbAwULCQgHAwUV
+CgkICwUWAgMBAAIeAQIXgAUCTMMuYQIZAQAKCRDGOJdNZHktZyTdEACcaGpJvqa8
+uDiVrmbyaK/LDWhKdVE9JujTg4g05xtRpEE/yQKwHXKKxQfe8wQRuNOXWLj66w4o
+UBKJs7Rc/DdNEM/RfYiTJD0dZ2fPq3GcU5rbZos1Tvmdpc1qVOyEMf3VJQ/vZEEy
+7SM+i+jHx7lCx8lE0D6TsdrLVyh9cvr5+MwiqcVQXqK0aqGKjCdbEjUtsPz1d5Cu
+Mq95ZQff6W6m1yNlxMnRMxdreYXCrjtv78RzlQi8dTgboaOOBC3TYQQwHx9ZrLGM
+3WuPmUl9uecPTOSxIqoZHEpvz5fUQ0DhnlcxCd3R2qgPneEq0yEuaZrq8UZNyp/o
+4iQAAz9BH/I7i34HySBuEzkCOSgRd1zMmuXGyrgg67kSMUFs8zyMqyjgups+ig1f
+x8mKmwykVdH5Wgc310sy2W9wG5lWET45Z7gCDiu9x8B+3l6Qwn4WNffSI39ryTG4
+aPGbQ/Z3+Ipm+uEV98Gm8TDcj0GUhL5XmsQ9DEcftGfw/Kxt4vaDtCOFaSZqmsoV
+b325sKF+LhCZTUwZVCHrkSIC75bJ0JtxRWu+4qWtBgbFTgx5jpr1zWP524x+c0a7
+aLGrsB1lAnmFqFoipzvfj2grNgtY7zDf3rcf/lBwt6VKGTCPuoJW0iRLhJQGK3AZ
+Nkeu4F9t4IC5XcNKSnWJNQg0PiF0sfxTFbkCDQRMwybWARAApvNuefvVycI47ABo
+T7AzBsHf0lbt4ihMpugZ+GfubzK98kn8pDRprUAfACx6+NLkxuAf9WyL7CFoFLSJ
+je1m7ZhYeeNckrF5Ir1VRsF+6DueantQzawL8tq6o/sr+4/F5e0jwpXAbHNKiuqj
+Q/DbLVPEmln29aYtJT3Vtm1eVzK2XkxicSlRROKHrGbaGSHEJgWr/7zqNcDPY9Ss
+/pms2lqGCWK7MMG/PGVhYIJ9LKNK4yGQtxD51UuruAy6MmRfu1cKDzJ4frQjJTkr
+c746uofRzK7F/uTQYFpXXd2uQ2/xi+dRnTyoqszvlS7Cm5/V2AhblbnUVE+gWgcR
+lg3WXetJmI/jMwPCYSy1wxWFwZGYs/VTXcimHBcOZWu7cAur8zDNkm6uQaMaFRrq
+LmkkLjoY0e8cXZIkcmQfvlWHdDkebQevRvKlNWIJChRXLU7SAKjrIe5y1lxyzy3y
+dS8saK1nt7swubf737jHahQkNev9QwZ3r9ZxsyRXXRkXpKOoHQ2MVqyId+6Nk8Pn
+/0yE6RPN+t01je/I731fLUZzsCs6y2e5d+xxQzQSTGBiJfxfHodBts3D6r3sxxYn
+nvIe3H2Trzv34lNmiwX6RhxqPGiHBSvRxoTXz4luydDKIrBdaN+sgTkMINa3KDhf
+VMmbdnwTOQbW2pi3qUCbjA0TI+EAEQEAAYkCHwQYAQoACQUCTMMm1gIbDAAKCRDG
+OJdNZHktZxrrD/97bryBoLKJNc4tAtDY8umo+phdL/kUTx9gVeKHpZZVoymHW7pS
+3stXC9UJigHuaDjkdvHq1v9fUdIp9mD8uqWgGJNO+hV99ARZSEkXfAFtNHYw0gVi
+izz0J0FEmMibJJBjj4kDi9Z/2fWRKsvNfwQ6UKrKtYkkM1DWNnqhNJVDVNJ+4Mr5
+Y8wbkItPV07f5L3kdYFE90K08IJh/pvalt383RuNmuqFwNGjStLcfo2YRpTyjmWA
+oR7qaGflTAKm0+Qj/vx8vfHu7WAfcdcAT6ftZ5Q7C0LcPPuNkTBGFUyvJwW+7AV5
+3Pln6vsbZg451J4iFQ0FTAYys40LbkLKYSAXfvfYHXY9ZOCvoZvsoeDG8zDUEGj5
+EnsiJNlJx2xCRwjIrCzujUs91HdxQoVtXWwtlknZNwO46x433+ukhkTGJGQ7YFao
+x/JxkvQOhndYJBKm5C1P7ZlLmcRndv7Lrld9rVsYGk4/lCLDPXb/ZJ0jmZLYNqez
+2z0Pcd0m+jtbVVuMxuIMI2NOFIccVsQxlrtWCdhnGfs+KH1D1eyLNB7PpzWq01yI
+z3pNBo5YYOLovpu0wVB0vxLTkDxmcl4aoM6MGkbnDfK4al+RQ+hDJlCAW+z3hUxH
+2CmlO+WHtRJyXqE37QX6y9xmflvckMvo+CB+gopGyzMJuLqkBL2sFHZbIw==
+=JVth
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/lxd.service b/lxd.service
new file mode 100644
index 0000000..e4b0166
--- /dev/null
+++ b/lxd.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=LXD Container Hypervisor
+After=network-online.target lxcfs.service
+Requires=network-online.target lxcfs.service
+Documentation=man:lxd(1)
+
+[Service]
+ExecStart=/usr/bin/lxd --group lxd --logfile=/var/log/lxd/lxd.log
+ExecStartPost=/usr/bin/lxd waitready --timeout=600
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# No need to add a task limit.
+TasksMax=infinity
+
+# Set delegate yes so that systemd does not mess with LXD cgroups.
+Delegate=yes
+
+# Kill only the LXD process, not all processes in the cgroup.
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/lxd.spec b/lxd.spec
new file mode 100644
index 0000000..cc1310c
--- /dev/null
+++ b/lxd.spec
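Review bot: In lxd.service, `ExecStart` starts the daemon with `--group lxd`, and nothing in the unit says what membership of that group grants: anyone in it can drive LXD through its local socket, which amounts to root on the host. A comment above that line would make this explicit for administrators, e.g. `# Members of the lxd group can control LXD via its unix socket; treat membership as root-equivalent.` Separately, the comment over the `Limit*` lines warns about non-zero limits while `LimitNOFILE=1048576` sets a finite, non-zero one, so it should be reworded to say why NOFILE is handled differently from `LimitNPROC` and `LimitCORE`.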
@@ -0,0 +1,243 @@
+#
+# spec file for package lxd
+#
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%define import_path github.com/lxc/lxd
+
+Name: lxd
+Version: 3.11
+Release: 0
+Summary: Container hypervisor based on LXC
+License: Apache-2.0
+Group: System/Management
+URL: https://linuxcontainers.org/lxd
+Source: https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz
+Source1: https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz.asc
+Source2: %{name}.keyring
+# LXD upstream doesn't use systemd, they use snapd.
+Source100: %{name}.service
+# Additional runtime configuration.
+Source200: %{name}.sysctl
+Source201: %{name}.dnsmasq
+BuildRequires: golang-packaging
+BuildRequires: golang(API) >= 1.10
+BuildRequires: pkg-config
+BuildRequires: pkgconfig(lxc) >= 3.0.0
+BuildRequires: libacl-devel
+BuildRequires: libcap-devel
+# Needed to build the sqlite fork and dqlite.
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires: tcl-devel
+BuildRequires: libuv-devel
+# Bits required for images and other things at runtime.
+Requires: acl
+BuildRequires: dnsmasq
+Requires: dnsmasq
+Requires: tar
+Requires: xz
+Requires: rsync
+Requires: squashfs
+Requires: criu
+Requires: lxcfs
+# Storage backends -- we don't recommend ZFS since it's not *technically* a
+# blessed configuration.
+Recommends: lvm2
+Recommends: thin-provisioning-tools
+Recommends: btrfsprogs
+Suggests: zfs
+
+%description
+LXD is a next generation system container manager. It offers a user experience
+similar to virtual machines but using Linux containers (LXC) instead.
+
+%package bash-completion
+Summary: Bash Completion for %{name}
+Group: System/Management
+Requires: %{name} = %{version}
+Supplements: packageand(%{name}:bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+Bash command line completion support for %{name}.
+
+%prep
+%setup -q
+# Move dist/src (which is LXD's variant of vendoring) to vendor/.
+mv -v dist/src vendor
+
+%build
+# Make sure any leftover go build caches are gone.
+go clean -cache
+
+# Set up GOPATH.
+export GOPATH="$PWD/.gopath"
+export PKGDIR="$GOPATH/src/%{import_path}"
+mkdir -p "$PKGDIR"
+cp -a * "$PKGDIR"
+
+# First we need to build the sqlite fork and dqlite. We build them as static
+# libs because they are only ever going to be used for LXD, and so it makes no
+# sense to go through the pain of packaging them properly (hopefully the code
+# will one day be merged into upstream sqlite).
+export CFLAGS="%{optflags} -fPIC -DPIC"
+
+# SQLite
+pushd "$PKGDIR/dist/sqlite"
+autoreconf -fiv
+%configure \
+ --enable-static \
+ --disable-shared \
+ --enable-replication \
+ --disable-tcl \
+make clean
+make %{?_smp_mflags}
+popd
+
+# dqlite
+pushd "$PKGDIR/dist/dqlite"
+(
+# We need to make sure *our* sqlite build is used.
+export PKG_CONFIG_PATH="$PWD/../sqlite/"
+export CPPFLAGS="-I$PWD/../sqlite/"
+export LDFLAGS="-L$PWD/../sqlite/.libs/"
+
+autoreconf -fiv
+%configure \
+ --enable-static \
+ --disable-shared \
+ --with-pic
+make clean
+make %{?_smp_mflags}
+)
+popd
+
+# Find all of the main packages using go-list.
+readarray -t mainpkgs \
+ <<<"$(go list -f '{{.Name}}:{{.ImportPath}}' %{import_path}/... | \
+ awk -F: '$1 == "main" { print $2 }' | \
+ grep -Ev '^github.com/lxc/lxd/(test|shared)')"
+
+# And now we can finally build LXD and all of the related binaries.
+mkdir bin
+for mainpkg in "${mainpkgs[@]}"
+do
+ binary="$(basename "$mainpkg")"
+
+ export CGO_CFLAGS="%{optflags} -I$PKGDIR/dist/sqlite/ -I$PKGDIR/dist/dqlite/include/"
+ export PKG_CONFIG_PATH="$PKGDIR/dist/sqlite:$PKGDIR/dist/dqlite"
+ export LD_LIBRARY_PATH="$PKGDIR/dist/sqlite/.libs:$PKGDIR/dist/dqlite/.libs"
+ [[ "$binary" == "lxd" ]] && EXTRA_LIBS="-lsqlite3 -ldqlite -ldl -luv" ||:
+ export CGO_LDFLAGS="-L$PKGDIR/dist/sqlite/.libs/ -L$PKGDIR/dist/dqlite/.libs/ $EXTRA_LIBS"
+
+ go build -buildmode=pie -tags "libsqlite3" -o "bin/$binary" "$mainpkg"
+done
+
+# Generate man pages.
+mkdir man
+./bin/lxc manpage man/
+
+%install
+# Install all the binaries.
+pushd bin/
+for bin in *
+do
+ install -D -m 0755 "$bin" "%{buildroot}%{_bindir}/$bin"
+done
+popd
+
+# Install man pages.
+pushd man/
+for man in *
+do
+ section="${man##*.}"
+ install -D -m 0644 "$man" "%{buildroot}%{_mandir}/man$section/$man"
+done
+popd
+
+# bash-completion.
+install -D -m 0644 scripts/bash/lxd-client %{buildroot}%{_datadir}/bash-completion/completions/lxd-client
+
+# sysv-init and systemd setup.
+install -D -m 0644 %{S:100} %{buildroot}%{_unitdir}/%{name}.service
+mkdir -p %{buildroot}%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+
+# Run-time configuration.
+install -D -m 0644 %{S:200} %{buildroot}%{_sysctldir}/60-lxd.conf
+install -D -m 0644 %{S:201} %{buildroot}%{_sysconfdir}/dnsmasq.d/60-lxd.conf
+
+# Run-time directories.
+install -d -m 0711 %{buildroot}%{_localstatedir}/lib/%{name}
+install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
+
+%pre
+# Set up a user with subuid mappings so we can
+getent group %{name} &>/dev/null || groupadd -r %{name}
+
+# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
+# distros don't have it. LXD just parses it and doesn't need any special
+# shadow-utils helpers.
+touch /etc/sub{u,g}id
+
+# Add sub[ug]ids for LXD's unprivileged containers -- in order to support
+# isolated containers we add quite a few subuids. Since LXD runs as root we add
+# them for the root user (not the lxd group).
+#
+# We have no guarantee that the range we pick will be unique -- which ideally
+# we would want it to be. There isn't a nice way to do this without
+# reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So
+# we just pick the 40-80 million range, and hope for the best (most tutorials
+# use the 1-million range, so we avoid that pitfall).
+grep '^root:' /etc/subuid &>/dev/null || \
+ usermod -v 40000000-80000000 root
+grep '^root:' /etc/subgid &>/dev/null || \
+ usermod -w 40000000-80000000 root
+
+%service_add_pre %{name}.service
+
+%post
+%sysctl_apply
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%sysctl_apply
+%service_del_postun %{name}.service
+
+%files
+%defattr(-,root,root)
+%doc AUTHORS README.md doc/
+%license COPYING
+%{_bindir}/*
+%{_mandir}/man*/*
+
+%{_sbindir}/rc%{name}
+%{_unitdir}/%{name}.service
+
+%dir %{_localstatedir}/lib/%{name}
+%dir %{_localstatedir}/log/%{name}
+
+%config %{_sysctldir}/60-lxd.conf
+%config %{_sysconfdir}/dnsmasq.d/60-lxd.conf
+
+%files bash-completion
+%defattr(-,root,root)
+%{_datadir}/bash-completion/
+
+%changelog
diff --git a/lxd.sysctl b/lxd.sysctl
new file mode 100644
index 0000000..ddc2a1a
--- /dev/null
+++ b/lxd.sysctl
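Review bot: In lxd.spec's `%build`, the SQLite `%configure` call ends its last option with a continuation backslash (`--disable-tcl \`), so the following `make clean` is joined onto the configure command line instead of running as its own command. Dropping that backslash so the list ends at `--disable-tcl` matches the dqlite block further down, which ends cleanly at `--with-pic`. In the build loop, `EXTRA_LIBS` is assigned only when `$binary` is `lxd` and never cleared, so any main package built after it inherits `-lsqlite3 -ldqlite -ldl -luv`; an `EXTRA_LIBS=` at the top of each iteration would make the link flags independent of the order `go list` returns. The `%pre` comment `# Set up a user with subuid mappings so we can` also stops mid-sentence and should be completed.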
@@ -0,0 +1,22 @@
+# These defaults come from doc/production-setup.md, but have been slightly
+# modified to be less extreme. The recommended value is included as a comment
+# below each changed value.
+
+# inotify limits.
+fs.inotify.max_queued_events = 131072 # 1048576
+fs.inotify.max_user_instances = 131072 # 1048576
+fs.inotify.max_user_watches = 131072 # 1048576
+
+# Number of memory mappings a process can have (lxd can have quite a lot).
+#vm.max_map_count = 262144
+
+# Deny container access to kmsg, but this also blocks non-root host users so
+# it's disabled by default. This isn't a bad hardening measure in general.
+#kernel.dmesg_restrict = 1
+
+# ARP table size (one per container)
+net.ipv4.neigh.default.gc_thresh3 = 2048 # 8192
+net.ipv6.neigh.default.gc_thresh3 = 2048 # 8192
+
+# Number of kernel keyrings for unprivileged users (one per container).
+kernel.keys.maxkeys = 2048
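Review bot: The inotify and `gc_thresh3` lines in lxd.sysctl carry the upstream recommendation as a trailing `# 1048576` / `# 8192` on the same line as the setting, but sysctl.d(5) only documents `#` or `;` at the start of a line as a comment, so the trailing text is passed along as part of the value. Whether the setting is then applied, truncated or rejected depends on the tool and the kernel handler, which cannot be confirmed from this hunk. Putting each recommendation on its own line, e.g. `fs.inotify.max_queued_events = 131072` followed by `# upstream recommends 1048576`, removes the ambiguity and matches the header's statement that the recommended value is "below each changed value".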