[mirror_lxc.git] / config / templates / archlinux.common.conf.in

# Based on fedora.common.conf.in
# Console settings

lxc.autodev = 1
lxc.tty = 6
lxc.pts = 1024
lxc.kmsg = 0

lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14

# Mount entries
lxc.mount.auto = proc:mixed sys:ro

# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw          # breaks dhcp/ping
# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid           # breaks sshd,nfs statd
# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap          # big big login delays in Fedora 20 systemd
#
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time

# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-6] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
Commit	Line	Data
c194ffc1 AV	1	# Based on fedora.common.conf.in
	2	# Console settings
	3
	4	lxc.autodev = 1
	5	lxc.tty = 6
	6	lxc.pts = 1024
	7	lxc.kmsg = 0
	8
	9	lxc.haltsignal=SIGRTMIN+4
	10	lxc.stopsignal=SIGRTMIN+14
	11
	12	# Mount entries
	13	lxc.mount.auto = proc:mixed sys:ro
	14
	15	# Capabilities
	16	# Uncomment these if you don't run anything that needs the capability, and
	17	# would like the container to run with less privilege.
	18	#
	19	# Dropping sys_admin disables container root from doing a lot of things
	20	# that could be bad like re-mounting lxc fstab entries rw for example,
	21	# but also disables some useful things like being able to nfs mount, and
	22	# things that are already namespaced with ns_capable() kernel checks, like
	23	# hostname(1).
	24	# lxc.cap.drop = sys_admin
	25	# lxc.cap.drop = net_raw # breaks dhcp/ping
	26	# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
	27	# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
	28	# lxc.cap.drop = setuid # breaks sshd,nfs statd
	29	# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
	30	# lxc.cap.drop = audit_write
	31	# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
	32	#
	33	lxc.cap.drop = mac_admin mac_override
	34	lxc.cap.drop = setfcap
	35	lxc.cap.drop = sys_module sys_nice sys_pacct
	36	lxc.cap.drop = sys_rawio sys_time
	37
	38	# Control Group devices: all denied except those whitelisted
	39	lxc.cgroup.devices.deny = a
	40	# Allow any mknod (but not reading/writing the node)
	41	lxc.cgroup.devices.allow = c : m
	42	lxc.cgroup.devices.allow = b : m
	43	lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
	44	lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
	45	lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
	46	lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
	47	lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
	48	lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
	49	lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-6] ptys and lxc console
	50	lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master