projects / lxc.git / blame
| Commit | Line | Data |
|---|---|---|
| f49c89ac WB |
1 | # Default console settings |
| 2 | lxc.tty.dir = lxc | |
| 3 | lxc.tty.max = 4 | |
| 4 | lxc.pty.max = 1024 | |
| 5 | ||
| 6 | # Default capabilities | |
| 7 | lxc.cap.drop = mac_admin | |
| 8 | lxc.cap.drop = mac_override | |
| 9 | lxc.cap.drop = sys_admin | |
| 10 | lxc.cap.drop = sys_module | |
| 11 | lxc.cap.drop = sys_nice | |
| 12 | lxc.cap.drop = sys_pacct | |
| 13 | lxc.cap.drop = sys_ptrace | |
| 14 | lxc.cap.drop = sys_rawio | |
| 15 | lxc.cap.drop = sys_resource | |
| 16 | lxc.cap.drop = sys_time | |
| 17 | lxc.cap.drop = sys_tty_config | |
| 18 | lxc.cap.drop = syslog | |
| 19 | lxc.cap.drop = wake_alarm | |
| 20 | ||
| 21 | # Default cgroups - all denied except those whitelisted | |
| 22 | lxc.cgroup.devices.deny = a | |
| 23 | ## /dev/null and zero | |
| 24 | lxc.cgroup.devices.allow = c 1:3 rwm | |
| 25 | lxc.cgroup.devices.allow = c 1:5 rwm | |
| 26 | ## consoles | |
| 27 | lxc.cgroup.devices.allow = c 5:0 rwm | |
| 28 | lxc.cgroup.devices.allow = c 5:1 rwm | |
| 29 | ## /dev/{,u}random | |
| 30 | lxc.cgroup.devices.allow = c 1:8 rwm | |
| 31 | lxc.cgroup.devices.allow = c 1:9 rwm | |
| 32 | ## /dev/pts/* | |
| 33 | lxc.cgroup.devices.allow = c 5:2 rwm | |
| 34 | lxc.cgroup.devices.allow = c 136:* rwm | |
| 35 | ## rtc | |
| 36 | lxc.cgroup.devices.allow = c 254:0 rm | |
| 37 | ## tun | |
| 38 | lxc.cgroup.devices.allow = c 10:200 rwm | |
| 39 | ## dev/tty0 | |
| 40 | lxc.cgroup.devices.allow = c 4:0 rwm | |
| 41 | ## dev/tty1 | |
| 42 | lxc.cgroup.devices.allow = c 4:1 rwm | |
| 43 | ||
| 44 | ## To use loop devices, copy the following line to the container's | |
| 45 | ## configuration file (uncommented). | |
| 46 | #lxc.cgroup.devices.allow = b 7:* rwm | |
| 47 | ||
| 48 | # Blacklist some syscalls which are not safe in privileged | |
| 49 | # containers | |
| 50 | lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp |