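# File ................. : /etc/lxc/auto/vn-ntp-320
# From ................. : jean-Marc LACROIX (jeanmarc.lacroix@free.fr)
# Abstract ............. : file used by Debian package 'lxc' to define Virtual element container (VE)
# Current distribution . : Debian
# Current release ...... : 13.2
# Current version ...... : trixie
# Current mode ......... : mode_production
# Current architecture.. : aarch64 (64 bits)
# Current node name .... : hn-orangepi5b-320
# Current python version : 3.13.5
# Current Git branch ... : br-master
# Current Git tree hash : 31b10be2183146f5fc91123deeafb154281e74aa
# Current Git tree state : clean
# Please don't change this local file, instead of that, update git
# ansible repository
# This code is valid for either LXC 2.x (for Debian 9.x) or LXC 3.x
# (for Debian 10.x)
# NOTE(review): the key spellings used below (lxc.utsname,
# lxc.network.*, lxc.aa_profile, lxc.loglevel, ...) are the LXC 2.x
# legacy names, while this file is generated for Debian 13 (trixie).
# Confirm that the installed lxc still accepts them, or migrate them
# with lxc-update-config - TODO verify on the trixie host
# Please look at the following pages for recent information on Debian
# Stretch and Buster releases
# https://linuxcontainers.org/fr/lxc/news/
# https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487

# section 1/10: global parameters:
##################################
# Specify the hardware architecture for the container
lxc.arch = aarch64
# Container name, please use the same name as the DNS name
lxc.utsname = vn-ntp-320
# This container starts on boot, according to the order defined below
lxc.start.auto = 1
# define start order (lower number for first start)
lxc.start.order = 40
# Define delay time (in seconds) to wait before launching the next
# container
lxc.start.delay = 0
# Define the autostart group this container belongs to, so that it is
# started and stopped together with the other members of that group
lxc.group = grp_lxc_start_on_boot
# lxc.init.cmd: Absolute path from container rootfs to the binary to
# use as init. This mostly makes sense for lxc-start. Default is
# /sbin/init (old value is lxc.init_cmd)
# not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2, please
# use lxc.init_cmd
lxc.init_cmd = /sbin/init
# lxc.idmap : A container can be started in a private user namespace
# with user and group id mappings. For instance, you can map userid 0
# in the container to userid 200000 on the host. The root user in the
# container will be privileged in the container, but unprivileged on
# the host. Normally a system container will want a range of ids, so
# you would map, for instance, user and group ids 0 through 20,000 in
# the container to the ids 200,000 through 220,000. Four values must
# be provided. First a character, either 'u', or 'g', to specify
# whether user or group ids are being mapped. Next is the first userid
# as seen in the user namespace of the container. Next is the userid
# as seen on the host. Finally, a range indicating the number of
# consecutive ids to map.
# (not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2)
# NOTE(review): with both lxc.idmap lines commented out this is a
# privileged container: uid 0 inside it is uid 0 on the host. The
# capability drops (section 7) and the AppArmor profile (section 9,
# currently "unconfined") are then the only barriers between container
# root and host root. The Stretch limitation quoted above no longer
# applies on Debian 13; re-test whether the mapping can be enabled.
#lxc.idmap = u 0 400000 65536
#lxc.idmap = g 0 400000 65536
# UID to use for init (not available on Debian Stretch 9.5 with LXC
# 1:2.0.7-2+deb9u2)
# GID to use for init (not available on Debian Stretch 9.5 with LXC
# 1:2.0.7-2+deb9u2)
# lxc.ephemeral: Allows one to specify whether a container will be
# destroyed on shutdown. The only allowed values are 0 and 1. Set this
# to 1 to destroy a container on shutdown.
lxc.ephemeral = 0
# lxc.init.cwd: Absolute path inside the container to use as the
# working directory.
# (not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2)
#lxc.init.cwd = /var/lib/lxc/vn-ntp-320/rootfs/init_cwd

# section 2/10: log & syslog & ring buffer & tty:
#################################################
# lxc.console.buffer.size: size of ring buffer (should be a power of
# 2) in bytes for the console output
# parameter not available on LXC 2.x release
# lxc.console.size: limit of the ring buffer (should be a power of 2)
# in bytes for the console output as defined by lxc.console.buffer.size
# parameter not available on LXC 2.x release
# lxc.log.level: The level at which to log. The log level is an
# integer in the range of 0..8 inclusive, where a lower number means
# more verbose debugging. In particular 0 = trace, 1 = debug, 2 =
# info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and
# 8 = fatal. If unspecified, the level defaults to 5 (error), so that
# only errors and above are logged.
# following parameters are ok with lxc 1:2.0.0-3~bpo8+1
# (jessie-backports) (debian bugreport #827156)
# NOTE(review): DEBUG is the most verbose level after trace; on a
# production node it fills the log file quickly - confirm that this is
# wanted and that the file is rotated.
lxc.loglevel = DEBUG
# lxc.log.file: The file to which logging info should be written.
lxc.logfile = /var/log/lxc/vn-ntp-320.log
# lxc.log.syslog: Send logging info to syslog. It respects the log
# level defined in lxc.log.level. The argument should be the syslog
# facility to use, valid ones are: daemon, local0, local1, local2,
# local3, local4, local5, local6, local7.
# lxc.log.syslog not used here because a file is preferred, as defined
# by the lxc.log.file variable
# lxc.tty.max: CONSOLE THROUGH THE TTYS: This option is useful if the
# container is configured with a root filesystem and the inittab file
# is setup to launch a getty on the ttys. The option specifies the
# number of ttys to be available for the container. The number of
# gettys in the inittab file of the container should not be greater
# than the number of ttys specified in this option, otherwise the
# excess getty sessions will die and respawn indefinitely giving
# annoying messages on the console or in /var/log/messages.
# not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2, use
# lxc.tty
lxc.tty = 4
# lxc.pty.max : If set, the container will have a new pseudo tty
# instance, making this private to it. The value specifies the maximum
# number of pseudo ttys allowed for a pts instance (this limitation is
# not implemented yet).
# On debian 9.7, old value = lxc.pts
lxc.pts = 10

# section 3/10: Posix signals parameters:
#########################################
# lxc.signal.halt: Allows one to specify signal name or number sent to
# the container's init process to cleanly shutdown the container.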
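# Different init systems could use different signals to perform clean
# shutdown sequence. This option allows the signal to be specified in
# kill(1) fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain
# number. The default signal is SIGPWR.
# not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2, use
# lxc.haltsignal
lxc.haltsignal = SIGPWR
# lxc.signal.reboot: Allows one to specify signal name or number to
# reboot the container. This option allows signal to be specified in
# kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain
# number. The default signal is SIGINT
# (not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2)
#lxc.signal.reboot = SIGINT
# lxc.signal.stop: Allows one to specify signal name or number to
# forcibly shutdown the container. This option allows signal to be
# specified in kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10
# or plain number. The default signal is SIGKILL
# (not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2)
#lxc.signal.stop = SIGKILL

# section 4/10: Cgroup, CPU & Memory:
#####################################
# Warning, declaration order is important :
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/sec-memory.html
# lxc.cgroup.memory.limit_in_bytes: maximum amount of memory used by the container
# 2025/03/12: Debian 12.9 (bookworm). Not possible to use the following
# declaration. It seems that the memory cgroup hierarchy is not mounted ?
# ansible@hn-cubie5-175:~$ uname -a
# Linux hn-cubie5-175 6.12.12-armmp-lpae #1 SMP Debian 6.12.12-1 (2025-02-02) armv7l GNU/Linux
#lxc.cgroup.memory.limit_in_bytes = 313M
# NOTE(review): with the limit commented out this container has no
# memory cap at all, so a runaway process inside it competes freely
# with the host. The keys above are cgroup v1 names; on a host that
# mounts the unified (cgroup v2) hierarchy the equivalent key is
# lxc.cgroup2.memory.max - TODO check which hierarchy the trixie host
# mounts before re-enabling a limit.
# lxc.cgroup.memory.memsw.limit_in_bytes: maximum amount of (memory +
# swap) used by the container. Warning, in order to use this option,
# the kernel command line must enable swap accounting (swapaccount=1)
#lxc.cgroup.memory.memsw.limit_in_bytes = 313M
# lxc.kmsg: disable messages from the kernel into the container.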
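lxc.kmsg = 0
# lxc.cgroup.cpuset.cpus: the list of CPUs this container is allowed
# to run on (a cpuset, not a count): "1" pins the container to CPU #1
lxc.cgroup.cpuset.cpus = 1
# lxc.cgroup.cpu.shares: relative CPU weight of this container against
# the other cgroups competing for the same CPUs (kernel default 1024)
lxc.cgroup.cpu.shares = 200
# reminder for lxc.tty (section 2): the total number of ttys must be
# >= the total number of gettys defined in /etc/inittab

# section 5/10: char and block devices:
#######################################
# deny every device by default; only the nodes explicitly allowed
# below are usable from the container
lxc.cgroup.devices.deny = a
# lxc.autodev: if 1, then LXC will mount a fresh tmpfs under /dev
lxc.autodev = 1
# lxc.autodev.tmpfs.size: this parameter seems not supported (!) on
# Debian lxc 1:3.1.0+really3.0.3-8
# lxc.autodev.tmpfs.size = 20000
# lxc.cgroup.devices.allow : device /dev/null on target vn-ntp-320
lxc.cgroup.devices.allow = c 1:3 rwm
# lxc.cgroup.devices.allow : device /dev/zero on target vn-ntp-320
lxc.cgroup.devices.allow = c 1:5 rwm
# lxc.cgroup.devices.allow : device /dev/random on target vn-ntp-320
lxc.cgroup.devices.allow = c 1:8 rwm
# lxc.cgroup.devices.allow : device /dev/urandom on target vn-ntp-320
lxc.cgroup.devices.allow = c 1:9 rwm
# lxc.cgroup.devices.allow : device /dev/console on target vn-ntp-320
lxc.cgroup.devices.allow = c 5:1 rwm
# lxc.cgroup.devices.allow : device /dev/ptmx on target vn-ntp-320
lxc.cgroup.devices.allow = c 5:2 rwm
# lxc.cgroup.devices.allow : device /dev/pts/[0-9] on target vn-ntp-320
lxc.cgroup.devices.allow = c 136:0 rwm
lxc.cgroup.devices.allow = c 136:1 rwm
lxc.cgroup.devices.allow = c 136:2 rwm
lxc.cgroup.devices.allow = c 136:3 rwm
lxc.cgroup.devices.allow = c 136:4 rwm
lxc.cgroup.devices.allow = c 136:5 rwm
lxc.cgroup.devices.allow = c 136:6 rwm
lxc.cgroup.devices.allow = c 136:7 rwm
lxc.cgroup.devices.allow = c 136:8 rwm
lxc.cgroup.devices.allow = c 136:9 rwm
# lxc.cgroup.devices.allow : device /dev/tty on target vn-ntp-320
lxc.cgroup.devices.allow = c 5:0 rwm
# lxc.cgroup.devices.allow : device /dev/ttyS[0-1] on target vn-ntp-320
# NOTE(review): 4:64 and 4:65 are the host's physical serial ports and
# 4:0-4:6 below are the host's virtual consoles, all granted
# read/write/mknod. Keep them only if an NTP reference clock (e.g. a
# GPS receiver on a serial line) is really attached to this host;
# otherwise drop these entries so the container cannot reach host
# hardware it does not need - TODO confirm with the container owner
lxc.cgroup.devices.allow = c 4:64 rwm
lxc.cgroup.devices.allow = c 4:65 rwm
# lxc.cgroup.devices.allow : device /dev/tty[0-6] on target vn-ntp-320
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 4:2 rwm
lxc.cgroup.devices.allow = c 4:3 rwm
lxc.cgroup.devices.allow = c 4:4 rwm
lxc.cgroup.devices.allow = c 4:5 rwm
lxc.cgroup.devices.allow = c 4:6 rwm

# section 6/10: mount point and File Systems (Warning, order is mandatory !)
############################################################################
# lxc.rootfs: step 1: define mount point before making pivot_root(8) syscall
# NOTE(review): lxc.rootfs (LXC 2.x name) points to a directory while
# lxc.rootfs.path (LXC 3.x name) points to the LV block device; which
# one is honoured depends on the installed LXC version - TODO confirm
# the effective rootfs on the trixie host (lxc-info / lxc-start log)
lxc.rootfs = /var/lib/lxc/vn-ntp-320/rootfs
lxc.rootfs.path = /dev/mapper/vg_vn_ntp_320-lv_rootfs
lxc.rootfs.options = defaults,noatime,nodiratime
# lxc.rootfs.managed in LXC 1:3.1.0+really3.0.3-8 on Debian Buster
# 10.2 not supported but defined in man (!)
# lxc-start: srv-ntp-170: parse.c: lxc_file_for_each_line_mmap: 142
# Failed to parse config file "/var/lib/lxc/srv-ntp-170/config" at
# line "lxc.rootfs.managed = 0"
# lxc.rootfs.managed = 0
# lxc.mount.entry: step 3: this mount point is used for /proc
lxc.mount.entry = proc /var/lib/lxc/vn-ntp-320/rootfs/proc proc nodev,noexec,nosuid 0 0
# lxc.mount.entry: step 4: this mount point is used for pseudo devices /devpts
lxc.mount.entry = devpts /var/lib/lxc/vn-ntp-320/rootfs/dev/pts devpts defaults 0 0
# lxc.mount.entry: step 5: this mount point is used for pseudo devices /sys
# NOTE(review): sysfs is mounted with "defaults" (read-write) whereas
# /proc above gets nodev,noexec,nosuid. In a privileged container that
# runs AppArmor-unconfined (section 9) a writable /sys is the host's
# /sys; consider "ro,nodev,noexec,nosuid" here unless something inside
# the container must write to sysfs - TODO confirm
lxc.mount.entry = sysfs /var/lib/lxc/vn-ntp-320/rootfs/sys sysfs defaults 0 0
# lxc.mount.entry: step 6: this mount point is used for rootfs mount point on target vn-ntp-320
# lxc.mount.entry: step 6: this mount point is used for /usr mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_usr /var/lib/lxc/vn-ntp-320/rootfs/usr ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /var mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_var /var/lib/lxc/vn-ntp-320/rootfs/var ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /tmp mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_tmp /var/lib/lxc/vn-ntp-320/rootfs/tmp ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /home mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_home /var/lib/lxc/vn-ntp-320/rootfs/home ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /var/log mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_var_log /var/lib/lxc/vn-ntp-320/rootfs/var/log ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /var/lib mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_var_lib /var/lib/lxc/vn-ntp-320/rootfs/var/lib ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /var/cache mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_var_cache /var/lib/lxc/vn-ntp-320/rootfs/var/cache ext4 defaults,noatime,nodiratime
# lxc.mount.entry: step 6: this mount point is used for /var/lib/apt mount point on target vn-ntp-320
lxc.mount.entry = /dev/mapper/vg_vn_ntp_320-lv_var_lib_apt /var/lib/lxc/vn-ntp-320/rootfs/var/lib/apt ext4 defaults,noatime,nodiratime

# section 7/10: Posix Capabilities
##################################
# On all containers, kernel module management, ptrace and device node
# creation are prohibited
lxc.cap.drop = sys_ptrace
lxc.cap.drop = mknod
lxc.cap.drop = sys_module
# not possible to drop capabilities "audit_xx" because used by sshd
# daemon
# 2022-12-17T23:38:44+01:00 s_dev_log@vn-bullseye-amd64-400 sshd[931]:
# fatal: linux_audit_write_entry failed: Operation not permitted
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_read
#lxc.cap.drop = audit_write
# not possible to drop capability "sys_chroot" because used by sshd
# daemon
# 2022-12-18T09:42:35+01:00 s_dev_log@vn-bullseye-amd64-400 sshd[937]:
# fatal: chroot("/run/sshd"): Operation not permitted [preauth]
#lxc.cap.drop = sys_chroot
lxc.cap.drop = sys_rawio
lxc.cap.drop = syslog
# Remove CAP_SYS_BOOT, so that "kexec_load" can not be launched. Bad
# effect is that shutdown, halt & reboot commands can not work (!). As
# a result, keep it for now (!), and think about defining a
# seccomp profile
#lxc.cap.drop = sys_boot
# Because target vn-ntp-320 is one member of Ansible
# group "group_ntp", then never drop CAP_SYS_TIME
# NOTE(review): this file does not drop sys_admin. In a privileged
# container with no AppArmor confinement that is the capability that
# matters most for host isolation, and an NTP server needs sys_time
# but normally not sys_admin - TODO confirm nothing in the container
# relies on it, then add "lxc.cap.drop = sys_admin" to this list

# section 8/10: network interfaces:
###################################
# NOTE(review): the container is multi-homed on 13 bridges (admin,
# alarm, user, ntp, vpn, wifi, service, trusted, fone, factory and
# three test networks). Each veth is a path between those segments
# through this container, so confirm that every attachment is still
# required for an NTP server and that the container does not forward
# traffic between its interfaces - TODO review with the network owner
# Interface 1/13 : network interface used on network network-admin for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-admin
lxc.network.name = if-admin
lxc.network.hwaddr = 02:00:40:50:04:73
lxc.network.veth.pair = if-ntp-adm
# Interface 2/13 : network interface used on network net-alarm for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-alarm
lxc.network.name = if-alarm
lxc.network.hwaddr = 02:00:40:50:04:68
lxc.network.veth.pair = if-ntp-alar
# Interface 3/13 : network interface used on network net-user for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-user
lxc.network.name = if-user
lxc.network.hwaddr = 02:00:40:50:04:72
lxc.network.veth.pair = if-ntp-usr
# Interface 4/13 : network interface used on network net-ntp for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-ntp
lxc.network.name = if-ntp
lxc.network.hwaddr = 02:00:40:50:04:71
lxc.network.veth.pair = if-ntp-ntp
# Interface 5/13 : network interface used on network net-vpn for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-vpn
lxc.network.name = if-vpn
lxc.network.hwaddr = 02:00:40:50:04:77
lxc.network.veth.pair = if-ntp-vpn
# Interface 6/13 : network interface used on network net-wifi for target vn-ntp-320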
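lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-wifi
lxc.network.name = if-wifi
lxc.network.hwaddr = 02:00:40:50:04:75
lxc.network.veth.pair = if-ntp-wifi
# Interface 7/13 : network interface used on network net-srv (bridge br-service) for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-service
lxc.network.name = if-service
lxc.network.hwaddr = 02:00:40:50:04:70
lxc.network.veth.pair = if-ntp-srv
# Interface 8/13 : network interface used on network net-trusted for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-trusted
lxc.network.name = if-trusted
lxc.network.hwaddr = 02:00:40:50:04:76
lxc.network.veth.pair = if-ntp-trus
# Interface 9/13 : network interface used on network net-fone for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-fone
lxc.network.name = if-fone
lxc.network.hwaddr = 02:00:40:50:04:67
lxc.network.veth.pair = if-ntp-fone
# Interface 10/13 : network interface used on network net-factory for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-factory
lxc.network.name = if-factory
lxc.network.hwaddr = 02:00:40:50:04:79
lxc.network.veth.pair = if-ntp-fact
# Interface 11/13 : network interface used on network net-tst1 for target vn-ntp-320
# NOTE(review): interfaces 11 to 13 attach a production NTP server to
# three test networks; confirm this is still intended on a node in
# mode_production, since test segments are usually less trusted.
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-tst1
lxc.network.name = if-tst1
lxc.network.hwaddr = 02:00:40:50:04:65
lxc.network.veth.pair = if-ntp-tst1
# Interface 12/13 : network interface used on network net-tst2 for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-tst2
lxc.network.name = if-tst2
lxc.network.hwaddr = 02:00:40:50:04:66
lxc.network.veth.pair = if-ntp-tst2
# Interface 13/13 : network interface used on network net-tst3 for target vn-ntp-320
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br-tst3
lxc.network.name = if-tst3
lxc.network.hwaddr = 02:00:40:50:04:74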
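lxc.network.veth.pair = if-ntp-tst3

# section 9/10: Apparmor support:
#################################
# please look at : https://github.com/lxc/lxc/issues/1895
# APPARMOR PROFILE. If lxc was compiled and installed with apparmor
# support, and the host system has apparmor enabled, then the apparmor
# profile under which the container should be run can be specified in
# the container configuration. The default is
# lxc-container-default-cgns if the host kernel is cgroup namespace
# aware, or lxc-container-default otherwise. Apparmor profiles are
# pathname based. Therefore many file restrictions require mount
# restrictions to be effective against a determined attacker.
# However, these mount restrictions are not yet implemented in the
# upstream kernel. Without the mount restrictions, the apparmor
# profiles still protect against accidental damage.
# On Debian kernel 4.13.0-0.bpo.1-amd64, set apparmor flags,
# otherwise, the container can not start with the following error:
# (the error message was not recorded in this file)
# lxc.apparmor.allow_incomplete: If this flag is 0 (default), then the
# container will not be started if the kernel lacks the apparmor mount
# features, so that a regression after a kernel upgrade will be
# detected. To start the container under partial apparmor protection,
# set this flag to 1.
# not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2, use
# lxc.aa_allow_incomplete
lxc.aa_allow_incomplete = 1
# On Debian kernel armhf srv-hc1-110 4.18.0-0.bpo.3-armmp-lpae #1 SMP
# Debian 4.18.20-2~bpo9+1 not possible to start container if following
# line is not set https://github.com/lxc/lxc/issues/1895
# lxc.apparmor_profile: Specify the apparmor profile under which the
# container should be run. To specify that the container should be
# unconfined, use "unconfined keyword". If the apparmor profile
# should remain unchanged (i.e. if you are nesting containers and are
# already confined), then use "unchanged" keyword
# NOTE(review): "unconfined" disables AppArmor for this container
# entirely, and the justification above is a workaround for the 4.13
# and 4.18 backport kernels of Debian 9. The host now runs Debian 13,
# so re-test with the default profile (lxc-container-default-cgns) or
# a dedicated per-container profile; with no idmap (section 1) this is
# a privileged container and AppArmor is one of the few remaining
# barriers between its root and the host - TODO re-evaluate
lxc.aa_profile = unconfined

# section 10/10: Seccomp support:
#################################
# NOTE(review): no seccomp profile is configured. Section 7 explicitly
# defers the CAP_SYS_BOOT question to "a seccomp profile"; a profile
# that denies kexec_load and the module-loading syscalls would close
# that gap without breaking shutdown/reboot (key lxc.seccomp on LXC
# 2.x, lxc.seccomp.profile on LXC 3.x) - TODO add one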