Extract default configuration data
This commit is contained in:
parent
ff2416b638
commit
fbf6e4d9a5
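--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: © 2024 Jip-Hop and the Jailmakers <https://github.com/Jip-Hop/jailmaker>
+#
+# SPDX-License-Identifier: LGPL-3.0-only
+
+
+DEFAULT_CONFIG = """startup=0
+gpu_passthrough_intel=0
+gpu_passthrough_nvidia=0
+# Turning off seccomp filtering improves performance at the expense of security
+seccomp=1
+
+# Below you may add additional systemd-nspawn flags behind systemd_nspawn_user_args=
+# To mount host storage in the jail, you may add: --bind='/mnt/pool/dataset:/home'
+# To readonly mount host storage, you may add: --bind-ro=/etc/certificates
+# To use macvlan networking add: --network-macvlan=eno1 --resolv-conf=bind-host
+# To use bridge networking add: --network-bridge=br1 --resolv-conf=bind-host
+# Ensure to change eno1/br1 to the interface name you want to use
+# To allow syscalls required by docker add: --system-call-filter='add_key keyctl bpf'
+systemd_nspawn_user_args=
+
+# Specify command/script to run on the HOST before starting the jail
+# For example to load kernel modules and config kernel settings
+pre_start_hook=
+# pre_start_hook=#!/usr/bin/bash
+# set -euo pipefail
+# echo 'PRE_START_HOOK_EXAMPLE'
+# echo 1 > /proc/sys/net/ipv4/ip_forward
+# modprobe br_netfilter
+# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
+# echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
+
+# Specify command/script to run on the HOST after starting the jail
+# For example to attach to multiple bridge interfaces
+# when using --network-veth-extra=ve-myjail-1:veth1
+post_start_hook=
+# post_start_hook=#!/usr/bin/bash
+# set -euo pipefail
+# echo 'POST_START_HOOK_EXAMPLE'
+# ip link set dev ve-myjail-1 master br2
+# ip link set dev ve-myjail-1 up
+
+# Specify a command/script to run on the HOST after stopping the jail
+post_stop_hook=
+# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'
+
+# Only used while creating the jail
+distro=debian
+release=bookworm
+
+# Specify command/script to run IN THE JAIL on the first start (once networking is ready in the jail)
+# Useful to install packages on top of the base rootfs
+initial_setup=
+# initial_setup=bash -c 'apt-get update && apt-get -y upgrade'
+
+# Usually no need to change systemd_run_default_args
+systemd_run_default_args=--collect
+--property=Delegate=yes
+--property=RestartForceExitStatus=133
+--property=SuccessExitStatus=133
+--property=TasksMax=infinity
+--property=Type=notify
+--setenv=SYSTEMD_NSPAWN_LOCK=0
+--property=KillMode=mixed
+
+# Usually no need to change systemd_nspawn_default_args
+systemd_nspawn_default_args=--bind-ro=/sys/module
+--boot
+--inaccessible=/sys/module/apparmor
+--quiet
+--keep-unit"""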
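Review bot: `DEFAULT_CONFIG` is moved into a new module that has no module docstring and no comment on the literal's format, so a reader cannot tell from this file alone how the un-indented continuation lines under `systemd_run_default_args=` and `systemd_nspawn_default_args=` are meant to be read (a stock `configparser`, which the third file imports, only folds continuation lines into a value when they are indented, so presumably the project's own parsing handles this layout — worth confirming). I would add a module docstring such as `"""Default jail configuration template (key=value lines, no section header)."""` and, above the literal, `# Keep the multi-line *_default_args values laid out exactly as below; the config parser depends on this layout.` The template also carries the security-relevant defaults (`seccomp=1`, and no `--system-call-filter` entry in `systemd_nspawn_default_args`); a one-line comment stating that these defaults are deliberately conservative would make the intent explicit for anyone editing the template later.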
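--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -30,71 +30,6 @@ from inspect import cleandoc
 from pathlib import Path, PurePath
 from textwrap import dedent
 
-DEFAULT_CONFIG = """startup=0
-gpu_passthrough_intel=0
-gpu_passthrough_nvidia=0
-# Turning off seccomp filtering improves performance at the expense of security
-seccomp=1
-
-# Below you may add additional systemd-nspawn flags behind systemd_nspawn_user_args=
-# To mount host storage in the jail, you may add: --bind='/mnt/pool/dataset:/home'
-# To readonly mount host storage, you may add: --bind-ro=/etc/certificates
-# To use macvlan networking add: --network-macvlan=eno1 --resolv-conf=bind-host
-# To use bridge networking add: --network-bridge=br1 --resolv-conf=bind-host
-# Ensure to change eno1/br1 to the interface name you want to use
-# To allow syscalls required by docker add: --system-call-filter='add_key keyctl bpf'
-systemd_nspawn_user_args=
-
-# Specify command/script to run on the HOST before starting the jail
-# For example to load kernel modules and config kernel settings
-pre_start_hook=
-# pre_start_hook=#!/usr/bin/bash
-# set -euo pipefail
-# echo 'PRE_START_HOOK_EXAMPLE'
-# echo 1 > /proc/sys/net/ipv4/ip_forward
-# modprobe br_netfilter
-# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
-# echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
-
-# Specify command/script to run on the HOST after starting the jail
-# For example to attach to multiple bridge interfaces
-# when using --network-veth-extra=ve-myjail-1:veth1
-post_start_hook=
-# post_start_hook=#!/usr/bin/bash
-# set -euo pipefail
-# echo 'POST_START_HOOK_EXAMPLE'
-# ip link set dev ve-myjail-1 master br2
-# ip link set dev ve-myjail-1 up
-
-# Specify a command/script to run on the HOST after stopping the jail
-post_stop_hook=
-# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'
-
-# Only used while creating the jail
-distro=debian
-release=bookworm
-
-# Specify command/script to run IN THE JAIL on the first start (once networking is ready in the jail)
-# Useful to install packages on top of the base rootfs
-initial_setup=
-# initial_setup=bash -c 'apt-get update && apt-get -y upgrade'
-
-# Usually no need to change systemd_run_default_args
-systemd_run_default_args=--collect
---property=Delegate=yes
---property=RestartForceExitStatus=133
---property=SuccessExitStatus=133
---property=TasksMax=infinity
---property=Type=notify
---setenv=SYSTEMD_NSPAWN_LOCK=0
---property=KillMode=mixed
-
-# Usually no need to change systemd_nspawn_default_args
-systemd_nspawn_default_args=--bind-ro=/sys/module
---boot
---inaccessible=/sys/module/apparmor
---quiet
---keep-unit"""
 
 # Use mostly default settings for systemd-nspawn but with systemd-run instead of a service file:
 # https://github.com/systemd/systemd/blob/main/units/systemd-nspawn%40.service.in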
@ -6,7 +6,7 @@ import configparser
|
||||||
import io
|
import io
|
||||||
import re
|
import re
|
||||||
|
|
||||||
from donor.jlmkr import DEFAULT_CONFIG
|
from donor.data import DEFAULT_CONFIG
|
||||||
|
|
||||||
|
|
||||||
# Used in parser getters to indicate the default behavior when a specific
|
# Used in parser getters to indicate the default behavior when a specific
|
||||||
|
|