# Default configuration for Sabayon containers (LXC common config).
# Shared by every Sabayon container; site-local overrides belong in
# common.conf.d/, which the lxc.include at the bottom pulls in after
# the defaults below.

# Set up the default mounts: cgroup, proc and sys in "mixed" mode
# (mostly read-only, with the container's own parts writable).
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Set up 1 tty device for the lxc-console command
lxc.tty = 1

# Needed for systemd-based distros: LXC populates a minimal /dev itself
lxc.autodev = 1

# Empty value: this distro doesn't support consoles under /dev/lxc/,
# so the ttys are created directly in /dev
lxc.devttydir =

# Device cgroup whitelist: deny every device ("a" = all) first, then
# allow only the nodes listed below. Rules apply in the order written,
# so keep this deny line ahead of the allow lines.
lxc.cgroup.devices.deny = a

## Allow any mknod (but not reading/writing the node).
## Left disabled: container root could otherwise create arbitrary device nodes.
#lxc.cgroup.devices.allow = c *:* m
#lxc.cgroup.devices.allow = b *:* m

## Allow specific devices (type major:minor, r=read w=write m=mknod)
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
## NOTE(review): the pts/tty/console/ptmx rules below are disabled while the
## deny-all above is in effect; confirm lxc.tty / lxc.pts consoles still work
## for this distro, and enable them per container (common.conf.d/) if not.
### /dev/pts/*
#lxc.cgroup.devices.allow = c 136:* rwm
### /dev/tty
#lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
#lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
#lxc.cgroup.devices.allow = c 5:2 rwm
### fuse
#lxc.cgroup.devices.allow = c 10:229 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented). Loop devices are shared with the
## host, so grant them per container only, never in this common file.
#lxc.cgroup.devices.allow = b 7:* rwm
## rtc (read + mknod only, no write)
#lxc.cgroup.devices.allow = c 254:0 rm
## tun
#lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
#lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
#lxc.cgroup.devices.allow = c 10:232 rwm

# If something doesn't work, try to comment this out.
# Dropped: sys_time (set the clock), sys_module (load kernel modules),
# sys_rawio (raw device/port I/O), mac_admin/mac_override (MAC policy).
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
#lxc.cap.drop = sys_admin


# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
# and possibly other packages. nosuid,nodev: setuid bits and device nodes
# on this mount are not honoured; create=dir creates the mount point if
# it is missing.
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir

# Blacklist some syscalls which are not safe in privileged
# containers. @LXCTEMPLATECONFIG@ is presumably substituted at
# build/install time with the template config directory.
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Customize lxc options through the common directory: config files in
# common.conf.d/ are included here, after the defaults above.
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/