projects / mirror_lxc.git / blame
| Commit | Line | Data |
|---|---|---|
| 5b99af00 SG |
1 | # Default configuration shared by all containers |
| 2 | ||
| 3 | # Setup the LXC devices in /dev/lxc/ | |
| 4 | lxc.devttydir = lxc | |
| 5 | ||
| 6 | # Allow for 1024 pseudo terminals | |
| 7 | lxc.pts = 1024 | |
| 8 | ||
| 9 | # Setup 4 tty devices | |
| 10 | lxc.tty = 4 | |
| 11 | ||
| 12 | # Drop some harmful capabilities | |
| 13 | lxc.cap.drop = mac_admin mac_override sys_time sys_module | |
| 14 | ||
| 15 | # Set the pivot directory | |
| 16 | lxc.pivotdir = lxc_putold | |
| 17 | ||
| 18 | # Ensure hostname is changed on clone | |
| 19 | lxc.hook.clone = @LXCHOOKDIR@/clonehostname | |
| 20 | ||
| 21 | # CGroup whitelist | |
| 22 | lxc.cgroup.devices.deny = a | |
| 23 | ## Allow any mknod (but not reading/writing the node) | |
| 24 | lxc.cgroup.devices.allow = c *:* m | |
| 25 | lxc.cgroup.devices.allow = b *:* m | |
| 26 | ## Allow specific devices | |
| 27 | lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null | |
| 28 | lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero | |
| 29 | lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full | |
| 30 | lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty | |
| 31 | lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console | |
| 32 | lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx | |
| 33 | lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random | |
| 34 | lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom | |
| 35 | lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/* | |
| 6e39e4cb SG |
36 | |
| 37 | # Blacklist some syscalls which are not safe in privileged | |
| 38 | # containers | |
| 39 | lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp |