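# Default configuration shared by all containers
# Values such as @LXCHOOKDIR@ and @LXCTEMPLATECONFIG@ are placeholders,
# presumably substituted with real paths when this template is installed.

# Setup the LXC devices in /dev/lxc/
# Allow for 1024 pseudo terminals
# NOTE(review): the settings these two comments describe are not present in
# this listing; confirm against the complete file before relying on them.

# Drop some harmful capabilities
# This is a denylist: every capability not named here is retained by the
# container (CAP_SYS_ADMIN, for example, is not dropped). Where a workload's
# needs are known, an allowlist via lxc.cap.keep is the tighter option.
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

# Set the pivot directory
lxc.pivotdir = lxc_putold

# Ensure hostname is changed on clone
# The hook is a script executed by the LXC tooling; keep it and its
# directory writable by root only.
lxc.hook.clone = @LXCHOOKDIR@/clonehostname

# Device cgroup: deny access to all devices first, then allow selectively.
# Order matters: the "deny a" rule must stay ahead of the allow rules.
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
# "m" grants node creation only; opening a device still requires a matching
# r/w rule from the list below.
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### /dev/fuse
lxc.cgroup.devices.allow = c 10:229 rwm

# Setup the default mounts
# The ":mixed" variants keep the sensitive parts of /proc, /sys and the
# cgroup tree read-only inside the container while leaving the rest usable.
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# "optional" lets the container start when the FUSE control filesystem is
# absent on the host.
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

# Blacklist some syscalls which are not safe in privileged containers
# A syscall denylist narrows the attack surface; it does not on its own make
# a privileged container a security boundary against root inside it.
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
# Files dropped into this directory can override anything set above,
# including the capability, device and seccomp restrictions, so the
# directory should be writable by root only.
# NOTE(review): lxc.seccomp and lxc.pivotdir are older LXC key names; confirm
# they are still honoured by the LXC version that reads this file.
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/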