- Add LXD 3.11 package.

- Update to LXC 3.1.0.
- Update to LXCFS 3.0.3.

- Rework packaging to be a more modern openSUSE-style.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/lxd?expand=0&rev=1

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

lxd-3.11.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d38ca401aedbba867f2b8b4cb491efe85047dd0729f22b31ae2feef21cfbf77
+size 27281796

lxd-3.11.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEYC9WdmPlk7y9FPM4xjiXTWR5LWcFAlx+4xIACgkQxjiXTWR5
+LWdkxBAAok+kHC31SJ6pBxSFXu2GBG3XHq+qwWtwfa4+QNHimOh0jtwwteo9sETw
+fiyQQLQ29+1DyonhRTMteZWEshYaNqyC6aQq8fkJ5i8wrySGa6/L+WFVH5UCdvvs
+L7Qg4wYz4GFS2zFBLazvj5wUhbPI6ksVqm1nMMj8B+r54aRsA1ITHsrLG9L3G3Lu
+x3cmtA0f/eM1sgrUgKQHkl3cK3nCU5GyQ+P3ybvv4Giar9tfCziE6h8xPiHNB8CB
+LOInaVCXcaBagjgZxFwRlUQ237ju0uU/Ky9/Fo7m+flJIak90mVoAo5Aaaz1Z9OZ
+SRhqoOzvnxrq0BFP7fZTQ/Wv3iB3h8whW7MG2qyXG+VhbqDZ+yubLH//Ptyo6XTD
+xAfUmaKo9E/AFQ8JsunjT+FM9waN6yyH9VthwHeIdcEZYW7ap27Jw+LMykwBO+gO
+TmvbmbR7JZTzwPZtDFbODPd+D/oZQIqD1BHaGse4jED2ndXIX5WqoMobIk3agDh0
+JbnxlSNz8Wzk69Tf0n/ovaNvobZBNSF+aN8AcYWHWoBBcIg/UzZFCvhmqW+80F5s
+uAnmeyGfws7NDUXAuYKIV/UqufljgXyJ24RHWUqG6yqJuWPx3K6RnSEgni0L2Fer
+wDXurLJlVha7sNu6dywWqRx/zWPkHjCYEudmMiGkKAfTWoEf9dM=
+=dhL3
+-----END PGP SIGNATURE-----

lxd.changes

@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Mar 26 02:44:05 UTC 2019 - Aleksa Sarai <asarai@suse.com>
+
+- Initial packaging of LXD 3.11.

lxd.dnsmasq

@@ -0,0 +1,5 @@
+# Tell any system-wide dnsmasq instance to make sure to bind to interfaces
+# instead of listening on 0.0.0.0.
+# WARNING: changes to this file will get lost if lxd is removed.
+bind-interfaces
+except-interface=lxdbr0

lxd.keyring

@@ -0,0 +1,69 @@
+pub   rsa4096/0xC638974D64792D67 2010-10-23 [SC]
+      602F567663E593BCBD14F338C638974D64792D67
+uid                   [ unknown] Stéphane Graber <stgraber@stgraber.org>
+uid                   [ unknown] Stéphane Graber <stgraber@ubuntu.com>
+sub   rsa4096/0x9E4B2A99D7B3258F 2010-10-23 [E]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBEzDJtYBEADeY2GjCIHiP69HyT6dea1bcBYKHzGusmPjUGfNExAgseCgkFGo
+xROSpjt5ez8FGyvjvSevVTtWTO955eLrhj7fUzfcN8ot+Lj5EeCeyX6evR/jv/Kw
+dJZfKNHEKFlsRL74NEodSIvxDxANsu4iggpPWe+RMcZt7yP/4j5j7/yfZHCtDNVe
+6vYr6FvR9YmJ1TK3SudKQ0eLYBgW75V45xtgl1dzcTfmmnQKRq0NBgGHQ9P+VdA5
+TTaKDxDyVGuGL3eSBABLKiOTVxn8cLK75NOHH920PbOIKAfXh0StvIRbHL0EcwNj
+4nrSHHsDqFwQaieVueEpxaL3OfKXlF/4KdkCz8J1fXMiKd7MrOaVCGfriU4J9H3V
+2JUPzHCv1QOLlJFkzyfbAh/62xRuUKihqBnLvMStl1wCesbMSAUxZZs2u+emqjD7
+wqf7bj5u34bCb/7eBnirBhk7fCPrWeiw+tyr8focN3TB9ZjoFba+lzReP+ehYpFI
+15ro7wJ82VvEYw3/UIOyUhGBdGWZzwoag6Y2sm7zY84YGtNV44LsaKpJYZUi7er4
+2JQZ6PN68lfkGgTyjd3eFQ4la7pmhOWDZt9ldy8rz8dw0K8gKRP+b5NNmaPznCcM
+tg8s+mQqcjWpeqwmq93JrgbxGwgiI2qw9P+dZI0jn+Aoth+DDki3MC6ZXwARAQAB
+tCZTdMOpcGhhbmUgR3JhYmVyIDxzdGdyYWJlckB1YnVudHUuY29tPokCNwQTAQoA
+IQUCTMMuOgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRDGOJdNZHktZ35S
+D/434tFecFY622NY/YLjQUN++bSvP+mbeCeOXnOULZozURQTuQzneTWFgkPOL7Uv
+RIrw0WznQEwhUMai7PUF3SbOYcj7iYSXJM6t3aNfW0zmjS185Ny2bRB7URihTAyE
+eM4Jpk6oMTmhqmH2OHnFQuNqmCl1tiH44KVv/sQAEzN/txjxj64YSq5NSzkQKlMG
+/n7QfLL+RhoB4db1wY8vhnrryP7vUx5DR1A5z9MYfFTIJb75vsQM6r4s3sVtwSTG
+kozJMUZAs0EXbI2Tgx2Wd7t2ix21lBu0PDb/RINpXQV0pyhT1kQxa1ZKfpLoM2LR
+Wp6ctqmU+qkryaW8cLEHkYmDKEQIgQ7/DrOJPrPgjfBIC9LOcXgI1LbIh1L7tNFA
+OiOVS/e4C3zxBowCS4VCWq9m0LrmC531sFF46cmAMhrmtStWqJpn/Yaxn8VmhhTU
+zIVOUr3gL9RzbynYGIiSif+LXsrPLzEaDTGjmKm3oFvDadUHmb6HyuQ0M9UCgLQK
+kWiOvybx6Q16doFm61VQsJMqHDSpLBjOc5cSHO9PiXlYzkK0dv8h8e0LG2MORHCJ
+K4s8SfsPAXBCJwoZufcohaO0DD/fx93ErcAyNlDiwL2TxrQ4wEMHj73lt18A/HqP
+VpU0zTWDpNDe/N12a3sfTfs9IdB/izq6k2kTzZwHmqgpKbQoU3TDqXBoYW5lIEdy
+YWJlciA8c3RncmFiZXJAc3RncmFiZXIub3JnPokCOgQTAQoAJAIbAwULCQgHAwUV
+CgkICwUWAgMBAAIeAQIXgAUCTMMuYQIZAQAKCRDGOJdNZHktZyTdEACcaGpJvqa8
+uDiVrmbyaK/LDWhKdVE9JujTg4g05xtRpEE/yQKwHXKKxQfe8wQRuNOXWLj66w4o
+UBKJs7Rc/DdNEM/RfYiTJD0dZ2fPq3GcU5rbZos1Tvmdpc1qVOyEMf3VJQ/vZEEy
+7SM+i+jHx7lCx8lE0D6TsdrLVyh9cvr5+MwiqcVQXqK0aqGKjCdbEjUtsPz1d5Cu
+Mq95ZQff6W6m1yNlxMnRMxdreYXCrjtv78RzlQi8dTgboaOOBC3TYQQwHx9ZrLGM
+3WuPmUl9uecPTOSxIqoZHEpvz5fUQ0DhnlcxCd3R2qgPneEq0yEuaZrq8UZNyp/o
+4iQAAz9BH/I7i34HySBuEzkCOSgRd1zMmuXGyrgg67kSMUFs8zyMqyjgups+ig1f
+x8mKmwykVdH5Wgc310sy2W9wG5lWET45Z7gCDiu9x8B+3l6Qwn4WNffSI39ryTG4
+aPGbQ/Z3+Ipm+uEV98Gm8TDcj0GUhL5XmsQ9DEcftGfw/Kxt4vaDtCOFaSZqmsoV
+b325sKF+LhCZTUwZVCHrkSIC75bJ0JtxRWu+4qWtBgbFTgx5jpr1zWP524x+c0a7
+aLGrsB1lAnmFqFoipzvfj2grNgtY7zDf3rcf/lBwt6VKGTCPuoJW0iRLhJQGK3AZ
+Nkeu4F9t4IC5XcNKSnWJNQg0PiF0sfxTFbkCDQRMwybWARAApvNuefvVycI47ABo
+T7AzBsHf0lbt4ihMpugZ+GfubzK98kn8pDRprUAfACx6+NLkxuAf9WyL7CFoFLSJ
+je1m7ZhYeeNckrF5Ir1VRsF+6DueantQzawL8tq6o/sr+4/F5e0jwpXAbHNKiuqj
+Q/DbLVPEmln29aYtJT3Vtm1eVzK2XkxicSlRROKHrGbaGSHEJgWr/7zqNcDPY9Ss
+/pms2lqGCWK7MMG/PGVhYIJ9LKNK4yGQtxD51UuruAy6MmRfu1cKDzJ4frQjJTkr
+c746uofRzK7F/uTQYFpXXd2uQ2/xi+dRnTyoqszvlS7Cm5/V2AhblbnUVE+gWgcR
+lg3WXetJmI/jMwPCYSy1wxWFwZGYs/VTXcimHBcOZWu7cAur8zDNkm6uQaMaFRrq
+LmkkLjoY0e8cXZIkcmQfvlWHdDkebQevRvKlNWIJChRXLU7SAKjrIe5y1lxyzy3y
+dS8saK1nt7swubf737jHahQkNev9QwZ3r9ZxsyRXXRkXpKOoHQ2MVqyId+6Nk8Pn
+/0yE6RPN+t01je/I731fLUZzsCs6y2e5d+xxQzQSTGBiJfxfHodBts3D6r3sxxYn
+nvIe3H2Trzv34lNmiwX6RhxqPGiHBSvRxoTXz4luydDKIrBdaN+sgTkMINa3KDhf
+VMmbdnwTOQbW2pi3qUCbjA0TI+EAEQEAAYkCHwQYAQoACQUCTMMm1gIbDAAKCRDG
+OJdNZHktZxrrD/97bryBoLKJNc4tAtDY8umo+phdL/kUTx9gVeKHpZZVoymHW7pS
+3stXC9UJigHuaDjkdvHq1v9fUdIp9mD8uqWgGJNO+hV99ARZSEkXfAFtNHYw0gVi
+izz0J0FEmMibJJBjj4kDi9Z/2fWRKsvNfwQ6UKrKtYkkM1DWNnqhNJVDVNJ+4Mr5
+Y8wbkItPV07f5L3kdYFE90K08IJh/pvalt383RuNmuqFwNGjStLcfo2YRpTyjmWA
+oR7qaGflTAKm0+Qj/vx8vfHu7WAfcdcAT6ftZ5Q7C0LcPPuNkTBGFUyvJwW+7AV5
+3Pln6vsbZg451J4iFQ0FTAYys40LbkLKYSAXfvfYHXY9ZOCvoZvsoeDG8zDUEGj5
+EnsiJNlJx2xCRwjIrCzujUs91HdxQoVtXWwtlknZNwO46x433+ukhkTGJGQ7YFao
+x/JxkvQOhndYJBKm5C1P7ZlLmcRndv7Lrld9rVsYGk4/lCLDPXb/ZJ0jmZLYNqez
+2z0Pcd0m+jtbVVuMxuIMI2NOFIccVsQxlrtWCdhnGfs+KH1D1eyLNB7PpzWq01yI
+z3pNBo5YYOLovpu0wVB0vxLTkDxmcl4aoM6MGkbnDfK4al+RQ+hDJlCAW+z3hUxH
+2CmlO+WHtRJyXqE37QX6y9xmflvckMvo+CB+gopGyzMJuLqkBL2sFHZbIw==
+=JVth
+-----END PGP PUBLIC KEY BLOCK-----

lxd.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=LXD Container Hypervisor
+After=network-online.target lxcfs.service
+Requires=network-online.target lxcfs.service
+Documentation=man:lxd(1)
+
+[Service]
+ExecStart=/usr/bin/lxd --group lxd --logfile=/var/log/lxd/lxd.log
+ExecStartPost=/usr/bin/lxd waitready --timeout=600
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# No need to add a task limit.
+TasksMax=infinity
+
+# Set delegate yes so that systemd does not mess with LXD cgroups.
+Delegate=yes
+
+# Kill only the LXD process, not all processes in the cgroup.
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

lxd.spec

@@ -0,0 +1,243 @@
+#
+# spec file for package lxd
+#
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%define import_path github.com/lxc/lxd
+
+Name:           lxd
+Version:        3.11
+Release:        0
+Summary:        Container hypervisor based on LXC
+License:        Apache-2.0
+Group:          System/Management
+URL:            https://linuxcontainers.org/lxd
+Source:         https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz
+Source1:        https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz.asc
+Source2:        %{name}.keyring
+# LXD upstream doesn't use systemd, they use snapd.
+Source100:      %{name}.service
+# Additional runtime configuration.
+Source200:      %{name}.sysctl
+Source201:      %{name}.dnsmasq
+BuildRequires:  golang-packaging
+BuildRequires:  golang(API) >= 1.10
+BuildRequires:  pkg-config
+BuildRequires:  pkgconfig(lxc) >= 3.0.0
+BuildRequires:  libacl-devel
+BuildRequires:  libcap-devel
+# Needed to build the sqlite fork and dqlite.
+BuildRequires:  autoconf
+BuildRequires:  libtool
+BuildRequires:  tcl-devel
+BuildRequires:  libuv-devel
+# Bits required for images and other things at runtime.
+Requires:       acl
+BuildRequires:  dnsmasq
+Requires:       dnsmasq
+Requires:       tar
+Requires:       xz
+Requires:       rsync
+Requires:       squashfs
+Requires:       criu
+Requires:       lxcfs
+# Storage backends -- we don't recommend ZFS since it's not *technically* a
+# blessed configuration.
+Recommends:     lvm2
+Recommends:     thin-provisioning-tools
+Recommends:     btrfsprogs
+Suggests:       zfs
+
+%description
+LXD is a next generation system container manager. It offers a user experience
+similar to virtual machines but using Linux containers (LXC) instead.
+
+%package bash-completion
+Summary:        Bash Completion for %{name}
+Group:          System/Management
+Requires:       %{name} = %{version}
+Supplements:    packageand(%{name}:bash-completion)
+BuildArch:      noarch
+
+%description bash-completion
+Bash command line completion support for %{name}.
+
+%prep
+%setup -q
+# Move dist/src (which is LXD's variant of vendoring) to vendor/.
+mv -v dist/src vendor
+
+%build
+# Make sure any leftover go build caches are gone.
+go clean -cache
+
+# Set up GOPATH.
+export GOPATH="$PWD/.gopath"
+export PKGDIR="$GOPATH/src/%{import_path}"
+mkdir -p "$PKGDIR"
+cp -a * "$PKGDIR"
+
+# First we need to build the sqlite fork and dqlite. We build them as static
+# libs because they are only ever going to be used for LXD, and so it makes no
+# sense to go through the pain of packaging them properly (hopefully the code
+# will one day be merged into upstream sqlite).
+export CFLAGS="%{optflags} -fPIC -DPIC"
+
+# SQLite
+pushd "$PKGDIR/dist/sqlite"
+autoreconf -fiv
+%configure \
+	--enable-static \
+	--disable-shared \
+	--enable-replication \
+	--disable-tcl \
+make clean
+make %{?_smp_mflags}
+popd
+
+# dqlite
+pushd "$PKGDIR/dist/dqlite"
+(
+# We need to make sure *our* sqlite build is used.
+export PKG_CONFIG_PATH="$PWD/../sqlite/"
+export CPPFLAGS="-I$PWD/../sqlite/"
+export LDFLAGS="-L$PWD/../sqlite/.libs/"
+
+autoreconf -fiv
+%configure \
+	--enable-static \
+	--disable-shared \
+	--with-pic
+make clean
+make %{?_smp_mflags}
+)
+popd
+
+# Find all of the main packages using go-list.
+readarray -t mainpkgs \
+	<<<"$(go list -f '{{.Name}}:{{.ImportPath}}' %{import_path}/... | \
+	      awk -F: '$1 == "main" { print $2 }' | \
+	      grep -Ev '^github.com/lxc/lxd/(test|shared)')"
+
+# And now we can finally build LXD and all of the related binaries.
+mkdir bin
+for mainpkg in "${mainpkgs[@]}"
+do
+	binary="$(basename "$mainpkg")"
+
+	export CGO_CFLAGS="%{optflags} -I$PKGDIR/dist/sqlite/ -I$PKGDIR/dist/dqlite/include/"
+	export PKG_CONFIG_PATH="$PKGDIR/dist/sqlite:$PKGDIR/dist/dqlite"
+	export LD_LIBRARY_PATH="$PKGDIR/dist/sqlite/.libs:$PKGDIR/dist/dqlite/.libs"
+	[[ "$binary" == "lxd" ]] && EXTRA_LIBS="-lsqlite3 -ldqlite -ldl -luv" ||:
+	export CGO_LDFLAGS="-L$PKGDIR/dist/sqlite/.libs/ -L$PKGDIR/dist/dqlite/.libs/ $EXTRA_LIBS"
+
+	go build -buildmode=pie -tags "libsqlite3" -o "bin/$binary" "$mainpkg"
+done
+
+# Generate man pages.
+mkdir man
+./bin/lxc manpage man/
+
+%install
+# Install all the binaries.
+pushd bin/
+for bin in *
+do
+	install -D -m 0755 "$bin" "%{buildroot}%{_bindir}/$bin"
+done
+popd
+
+# Install man pages.
+pushd man/
+for man in *
+do
+	section="${man##*.}"
+	install -D -m 0644 "$man" "%{buildroot}%{_mandir}/man$section/$man"
+done
+popd
+
+# bash-completion.
+install -D -m 0644 scripts/bash/lxd-client %{buildroot}%{_datadir}/bash-completion/completions/lxd-client
+
+# sysv-init and systemd setup.
+install -D -m 0644 %{S:100} %{buildroot}%{_unitdir}/%{name}.service
+mkdir -p %{buildroot}%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+
+# Run-time configuration.
+install -D -m 0644 %{S:200} %{buildroot}%{_sysctldir}/60-lxd.conf
+install -D -m 0644 %{S:201} %{buildroot}%{_sysconfdir}/dnsmasq.d/60-lxd.conf
+
+# Run-time directories.
+install -d -m 0711 %{buildroot}%{_localstatedir}/lib/%{name}
+install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
+
+%pre
+# Set up a user with subuid mappings so we can
+getent group %{name} &>/dev/null || groupadd -r %{name}
+
+# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
+# distros don't have it. LXD just parses it and doesn't need any special
+# shadow-utils helpers.
+touch /etc/sub{u,g}id
+
+# Add sub[ug]ids for LXD's unprivileged containers -- in order to support
+# isolated containers we add quite a few subuids. Since LXD runs as root we add
+# them for the root user (not the lxd group).
+#
+# We have no guarantee that the range we pick will be unique -- which ideally
+# we would want it to be. There isn't a nice way to do this without
+# reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So
+# we just pick the 40-80 million range, and hope for the best (most tutorials
+# use the 1-million range, so we avoid that pitfall).
+grep '^root:' /etc/subuid &>/dev/null || \
+	usermod -v 40000000-80000000 root
+grep '^root:' /etc/subgid &>/dev/null || \
+	usermod -w 40000000-80000000 root
+
+%service_add_pre %{name}.service
+
+%post
+%sysctl_apply
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%sysctl_apply
+%service_del_postun %{name}.service
+
+%files
+%defattr(-,root,root)
+%doc AUTHORS README.md doc/
+%license COPYING
+%{_bindir}/*
+%{_mandir}/man*/*
+
+%{_sbindir}/rc%{name}
+%{_unitdir}/%{name}.service
+
+%dir %{_localstatedir}/lib/%{name}
+%dir %{_localstatedir}/log/%{name}
+
+%config %{_sysctldir}/60-lxd.conf
+%config %{_sysconfdir}/dnsmasq.d/60-lxd.conf
+
+%files bash-completion
+%defattr(-,root,root)
+%{_datadir}/bash-completion/
+
+%changelog

lxd.sysctl

@@ -0,0 +1,22 @@
+# These defaults come from doc/production-setup.md, but have been slightly
+# modified to be less extreme. The recommended value is included as a comment
+# below each changed value.
+
+# inotify limits.
+fs.inotify.max_queued_events  = 131072 # 1048576
+fs.inotify.max_user_instances = 131072 # 1048576
+fs.inotify.max_user_watches   = 131072 # 1048576
+
+# Number of memory mappings a process can have (lxd can have quite a lot).
+#vm.max_map_count = 262144
+
+# Deny container access to kmsg, but this also blocks non-root host users so
+# it's disabled by default. This isn't a bad hardening measure in general.
+#kernel.dmesg_restrict = 1
+
+# ARP table size (one per container)
+net.ipv4.neigh.default.gc_thresh3 = 2048 # 8192
+net.ipv6.neigh.default.gc_thresh3 = 2048 # 8192
+
+# Number of kernel keyrings for unprivileged users (one per container).
+kernel.keys.maxkeys = 2048