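# Default configuration shared by all containers
#
# NOTE(review): this listing is an excerpt. Some comments below describe a
# setting that is not shown here; those places are marked.
# @LXCHOOKDIR@ and @LXCTEMPLATECONFIG@ look like build-time substitution
# placeholders -- confirm against the build system.

# Setup the LXC devices in /dev/lxc/
# NOTE(review): no directive follows this comment in this listing.

# Allow for 1024 pseudo terminals
# NOTE(review): no directive follows this comment in this listing.

# Drop some harmful capabilities
# This is a drop list: only the five capabilities named here are removed and
# every other capability stays available to the container.
#   mac_admin, mac_override  change or bypass the host's MAC policy
#   sys_time                 set the system clock
#   sys_module               load and unload kernel modules
#   sys_rawio                raw I/O port and memory access
# Containers that need a tighter set can use lxc.cap.keep (an allow list)
# in their own configuration instead.
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

# Ensure hostname is changed on clone
# The hook is an executable run by LXC when a container is cloned; the hook
# directory should be writable by the administrator only.
lxc.hook.clone = @LXCHOOKDIR@/clonehostname

# Device cgroup policy: deny every device first, then allow entries one by
# one. The deny-all rule has to stay ahead of the allow rules.
# Rule format: <type> <major>:<minor> <access>
#   type   c = character device, b = block device, a = all
#   access r = read, w = write, m = mknod
# NOTE(review): lxc.cgroup.devices.* addresses the cgroup v1 devices
# controller; on a cgroup2-only host the lxc.cgroup2.devices.* keys apply
# instead -- confirm against the LXC version in use.
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
## (names below follow the standard Linux device number assignments)
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/* (Unix98 pty slaves)
lxc.cgroup.devices.allow = c 136:* rwm
### /dev/fuse
lxc.cgroup.devices.allow = c 10:229 rwm

# Setup the default mounts
# The ":mixed" variants keep the security-sensitive parts of each tree
# read-only: proc:mixed leaves /proc/sys and /proc/sysrq-trigger read-only,
# sys:mixed mounts /sys read-only apart from /sys/devices/virtual/net, and
# cgroup:mixed lets the container write only to its own cgroup directory.
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# "optional" lets the container start even when this bind mount fails.
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

# Blacklist some syscalls which are not safe in privileged containers
# The syscall list lives in the referenced profile, which is not part of this
# listing; the filtering is only as strict as that file.
# NOTE(review): newer LXC releases name this key lxc.seccomp.profile --
# confirm which spelling the installed version accepts.
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
# Files in this directory are read after the settings above, so they can add
# to them (for example further device allow rules). Keep the directory
# writable by the administrator only and review what is dropped into it.
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/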