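# Default configuration for Sabayon containers
#
# Shared by every Sabayon container; a container's own config is read after
# this file and may override or extend it.  Several keys below are lists
# (lxc.cgroup.devices.*, lxc.cap.drop, lxc.mount.entry), so a later line adds
# to the earlier ones rather than replacing them.  The commented-out lines are
# opt-in templates meant to be copied into a container's config, not settings
# that were merely switched off.
# @LXCTEMPLATECONFIG@ is presumably substituted at build/install time -- verify.

# Setup the default mounts.
# Per lxc.container.conf(5), "mixed" mounts /proc read-write but remounts
# /proc/sys and /proc/sysrq-trigger read-only, mounts /sys read-only except
# /sys/devices/virtual/net, and exposes the cgroup hierarchies read-only
# except the container's own cgroup.
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

# Allow for 1024 pseudo terminals
lxc.pty.max = 1024

# Setup 1 tty device for the lxc-console command
lxc.tty.max = 1

# Needed for systemd distro: LXC populates a private /dev for the container
# instead of exposing the host's device nodes.
lxc.autodev = 1

# Doesn't support consoles in /dev/lxc/ -- the empty value keeps the tty
# nodes directly under /dev.
lxc.tty.dir =

# CGroup whitelist: deny every device node first, then allow specific ones
# back.  Order matters -- the deny line must stay above the allow lines.
# NOTE(review): these are the legacy (cgroup v1) keys.  On a host that runs
# the unified cgroup2 hierarchy LXC takes its device rules from
# lxc.cgroup2.devices.* instead; confirm which hierarchy the host uses,
# otherwise this whitelist may not be enforced at all.
lxc.cgroup.devices.deny = a

## Allow any mknod (but not reading/writing the node)
#lxc.cgroup.devices.allow = c *:* m
#lxc.cgroup.devices.allow = b *:* m

## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
### NOTE(review): left denied here, together with /dev/tty, /dev/console and
### /dev/ptmx below.  A process inside the container will then get EPERM when
### it opens a pty (e.g. a getty on the lxc-console tty); if that is not the
### intent, enable these in the per-container config -- verify.
#lxc.cgroup.devices.allow = c 136:* rwm
### /dev/tty
#lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
#lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
#lxc.cgroup.devices.allow = c 5:2 rwm
### fuse
#lxc.cgroup.devices.allow = c 10:229 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
## Loop devices are shared with the host: with CAP_SYS_ADMIN still held (see
## lxc.cap.drop below) container root can attach and mount arbitrary files
## through them, so only enable this for a container you trust at host level.
#lxc.cgroup.devices.allow = b 7:* rwm
## rtc
#lxc.cgroup.devices.allow = c 254:0 rm
## tun
#lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
#lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
#lxc.cgroup.devices.allow = c 10:232 rwm
## /dev/mem -- raw read/write access to host physical memory.  Enabling this
## is equivalent to handing the container root on the host; never do so for
## a container whose root user is not fully trusted.
#lxc.cgroup.devices.allow = c 1:1 rwm

# Capabilities dropped from container root (each lxc.cap.drop line adds to
# the dropped set):
#   sys_time                  - set the system clock (shared with the host)
#   sys_module                - load/unload kernel modules
#   sys_rawio                 - raw port and block-device I/O
#   mac_admin / mac_override  - change or bypass the host's MAC policy
#                               (SELinux/AppArmor)
# Everything not listed, including sys_admin, is retained, so this file
# still describes a privileged container.
lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override

# Optional: also drop sys_admin by uncommenting the line below (or copying it
# into a container's config).  If something stops working afterwards, comment
# it out again.
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
#lxc.cap.drop = sys_admin


# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
# and possibly other packages.
# NOTE(review): no size= is given, so the tmpfs may grow up to the kernel
# default (half of physical RAM) unless the container has a memory limit;
# consider adding size= (and noexec, if nothing needs to execute from shm)
# in the per-container config.
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir

# Blacklist some syscalls which are not safe in privileged
# containers.  Do not remove this for a privileged container without an
# equivalent replacement.
lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp

# Customize lxc options through common directory.  Every file there is read
# at this point and can override or extend the settings above, so keep the
# directory root-owned and not writable by anyone else.
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/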