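# Default configuration shared by all containers.
# This file is an autoconf template: @LXCHOOKDIR@ is substituted at build time.

# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Setup 4 tty devices
lxc.tty = 4

# Drop capabilities that let container root reach outside the container:
#   mac_admin / mac_override - change or bypass the host's MAC (LSM) policy
#   sys_time                 - the system clock is shared with the host
#   sys_module               - a loaded kernel module is host-wide
# This list is a floor, not a complete policy for a privileged container.
# NOTE(review): sys_rawio (raw port I/O and some block-device ioctls) is not
# dropped here and is a candidate for adding to this list.
lxc.cap.drop = mac_admin mac_override sys_time sys_module

# Set the pivot directory
lxc.pivotdir = lxc_putold

# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname

# CGroup device whitelist: deny everything first, then allow what is needed.
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node). Together with the
## rwm entries below this lets container root create the permitted device
## nodes itself; any other node can be created but not opened.
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices. The device name is kept on its own comment line
## rather than after the value, so that only the rule itself is written to
## the devices cgroup instead of relying on trailing text being ignored.
## /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
## /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
## /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
## /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
## /dev/console
## NOTE(review): 5:1 is the kernel's console device, not a node private to
## the container; with the mknod rule above, container root can create and
## open it.
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
## /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
## /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm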
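
# Blacklist some syscalls which are not safe in privileged
# containers. This is a denylist: only the syscalls named in common.seccomp
# are blocked and every other syscall stays allowed, so it complements
# lxc.cap.drop rather than replacing it. @LXCTEMPLATECONFIG@ is substituted
# at build time.
# NOTE(review): presumably this line is skipped, not failed closed, when the
# LXC build lacks seccomp support - confirm for the target build.
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp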