[mirror_lxc.git] / config / templates / common.conf.in

# Default configuration shared by all containers

# Setup the LXC devices in /dev/lxc/
lxc.tty.dir = lxc

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Setup 4 tty devices
lxc.tty = 4

# Drop some harmful capabilities
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname

# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm

# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
Commit	Line	Data
5b99af00 SG	1	# Default configuration shared by all containers
	2
	3	# Setup the LXC devices in /dev/lxc/
42e53c29	4	lxc.tty.dir = lxc
5b99af00 SG	5
	6	# Allow for 1024 pseudo terminals
	7	lxc.pts = 1024
	8
	9	# Setup 4 tty devices
	10	lxc.tty = 4
	11
	12	# Drop some harmful capabilities
4845c17a	13	lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
5b99af00	14
5b99af00 SG	15	# Ensure hostname is changed on clone
	16	lxc.hook.clone = @LXCHOOKDIR@/clonehostname
	17
	18	# CGroup whitelist
	19	lxc.cgroup.devices.deny = a
	20	## Allow any mknod (but not reading/writing the node)
	21	lxc.cgroup.devices.allow = c : m
	22	lxc.cgroup.devices.allow = b : m
	23	## Allow specific devices
de9a4bfc SG	24	### /dev/null
	25	lxc.cgroup.devices.allow = c 1:3 rwm
	26	### /dev/zero
	27	lxc.cgroup.devices.allow = c 1:5 rwm
	28	### /dev/full
	29	lxc.cgroup.devices.allow = c 1:7 rwm
	30	### /dev/tty
	31	lxc.cgroup.devices.allow = c 5:0 rwm
	32	### /dev/console
	33	lxc.cgroup.devices.allow = c 5:1 rwm
	34	### /dev/ptmx
	35	lxc.cgroup.devices.allow = c 5:2 rwm
	36	### /dev/random
	37	lxc.cgroup.devices.allow = c 1:8 rwm
	38	### /dev/urandom
	39	lxc.cgroup.devices.allow = c 1:9 rwm
	40	### /dev/pts/*
	41	lxc.cgroup.devices.allow = c 136:* rwm
a38e3e32	42	### fuse
a38e3e32	43	lxc.cgroup.devices.allow = c 10:229 rwm
6e39e4cb	44
f24a52d5 SG	45	# Setup the default mounts
f24a52d5 SG	46	lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
a38e3e32	47	lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
f24a52d5	48
6e39e4cb SG	49	# Blacklist some syscalls which are not safe in privileged
	50	# containers
	51	lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
4662c6de SG	52
	53	# Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
	54	lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/