[mirror_lxc.git] / config / templates / sabayon.common.conf.in

# Default configuration for Sabayon containers

# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Setup 1 tty devices for lxc-console command
lxc.tty = 1

# Needed for systemd distro
lxc.autodev = 1

# Doesn't support consoles in /dev/lxc/
lxc.tty.dir =

# CGroup whitelist
lxc.cgroup.devices.deny = a

## Allow any mknod (but not reading/writing the node)
#lxc.cgroup.devices.allow = c *:* m
#lxc.cgroup.devices.allow = b *:* m

## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
#lxc.cgroup.devices.allow = c 136:* rwm
### /dev/tty
#lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
#lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
#lxc.cgroup.devices.allow = c 5:2 rwm
### fuse
#lxc.cgroup.devices.allow = c 10:229 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
## rtc
#lxc.cgroup.devices.allow = c 254:0 rm
## tun
#lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
#lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
#lxc.cgroup.devices.allow = c 10:232 rwm
## /dev/mem
#lxc.cgroup.devices.allow = c 1:1 rwm

# If something doesn't work, try to comment this out.
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
#lxc.cap.drop = sys_admin


# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
# and possibly other packages.
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir

# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Customize lxc options through common directory
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
Commit	Line	Data
74e75741 G	1	# Default configuration for Sabayon containers
	2
	3	# Setup the default mounts
	4	lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
	5
	6	# Allow for 1024 pseudo terminals
	7	lxc.pts = 1024
	8
	9	# Setup 1 tty devices for lxc-console command
	10	lxc.tty = 1
	11
	12	# Needed for systemd distro
	13	lxc.autodev = 1
	14
	15	# Doesn't support consoles in /dev/lxc/
42e53c29	16	lxc.tty.dir =
74e75741 G	17
	18	# CGroup whitelist
	19	lxc.cgroup.devices.deny = a
	20
	21	## Allow any mknod (but not reading/writing the node)
	22	#lxc.cgroup.devices.allow = c : m
	23	#lxc.cgroup.devices.allow = b : m
	24
	25	## Allow specific devices
	26	### /dev/null
	27	lxc.cgroup.devices.allow = c 1:3 rwm
	28	### /dev/zero
	29	lxc.cgroup.devices.allow = c 1:5 rwm
	30	### /dev/full
	31	lxc.cgroup.devices.allow = c 1:7 rwm
	32	### /dev/random
	33	lxc.cgroup.devices.allow = c 1:8 rwm
	34	### /dev/urandom
	35	lxc.cgroup.devices.allow = c 1:9 rwm
	36	### /dev/pts/*
	37	#lxc.cgroup.devices.allow = c 136:* rwm
	38	### /dev/tty
	39	#lxc.cgroup.devices.allow = c 5:0 rwm
	40	### /dev/console
	41	#lxc.cgroup.devices.allow = c 5:1 rwm
	42	### /dev/ptmx
	43	#lxc.cgroup.devices.allow = c 5:2 rwm
	44	### fuse
	45	#lxc.cgroup.devices.allow = c 10:229 rwm
	46	## To use loop devices, copy the following line to the container's
	47	## configuration file (uncommented).
	48	#lxc.cgroup.devices.allow = b 7:* rwm
	49	## rtc
	50	#lxc.cgroup.devices.allow = c 254:0 rm
	51	## tun
	52	#lxc.cgroup.devices.allow = c 10:200 rwm
	53	## hpet
	54	#lxc.cgroup.devices.allow = c 10:228 rwm
	55	## kvm
	56	#lxc.cgroup.devices.allow = c 10:232 rwm
3d288bbe G	57	## /dev/mem
3d288bbe G	58	#lxc.cgroup.devices.allow = c 1:1 rwm
74e75741 G	59
	60	# If something doesn't work, try to comment this out.
	61	# Dropping sys_admin disables container root from doing a lot of things
	62	# that could be bad like re-mounting lxc fstab entries rw for example,
	63	# but also disables some useful things like being able to nfs mount, and
	64	# things that are already namespaced with ns_capable() kernel checks, like
	65	# hostname(1).
	66	lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
	67	#lxc.cap.drop = sys_admin
	68
	69
	70	# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
	71	# and possibly other packages.
	72	lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
	73
	74	# Blacklist some syscalls which are not safe in privileged
	75	# containers
	76	lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
	77
	78	# Customize lxc options through common directory
	79	lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/