Add Debian Bullseye support

Switching to proc:mixed improves container isolation and is not required
for Bullseye.
But cgroup:mixed is required for container to start, as it provides
ability for the container to manage own cgroups (but not parents).

Change-Id: Ifce5b9673319d077e57cdf8a28b182b57b7d4507
This commit is contained in:
Dmitriy Rabotyagov 2021-06-01 10:44:24 +03:00
parent 8c6c6caa04
commit 3834c32c0e

View File

@ -28,8 +28,8 @@
- name: Ensure containers have access RO cgroups
lineinfile:
dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
line: "lxc.mount.auto = proc:rw sys:ro cgroup:ro"
regexp: "^lxc.mount.auto = proc:rw sys:ro cgroup:ro$"
line: "lxc.mount.auto = proc:mixed sys:ro cgroup:mixed"
regexp: "^lxc.mount.auto = proc:(rw|mixed) sys:ro cgroup:(ro|mixed)$"
insertafter: "^lxc.mount.auto"
backup: "true"
delegate_to: "{{ physical_host }}"