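# config/templates/sabayon.common.conf.in
# Default configuration for Sabayon containers
#
# @LXCTEMPLATECONFIG@ is a placeholder that is filled in when this .in
# template is processed at build time.

# Set up the default mounts
# The ":mixed" variants keep the sensitive parts of these trees read-only
# inside the container; see lxc.container.conf(5) for the exact semantics.
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Set up 1 tty device for the lxc-console command
lxc.tty = 1

# Needed for systemd distro
lxc.autodev = 1

# Doesn't support consoles in /dev/lxc/
lxc.devttydir =

# CGroup device whitelist
# Rule format: <type> <major>:<minor> <access>, where type is c (char),
# b (block) or a (all) and access is any of r (read), w (write), m (mknod).
# Default-deny: every device is denied here and the allow rules below are
# the only exceptions.
lxc.cgroup.devices.deny = a

## Allow any mknod (but not reading/writing the node)
#lxc.cgroup.devices.allow = c *:* m
#lxc.cgroup.devices.allow = b *:* m

## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
## NOTE(review): the pts/tty/console/ptmx rules below ship commented out, so
## with "deny = a" above any access to these nodes has to be granted by
## another config file - confirm against the template and common.conf.d.
### /dev/pts/*
#lxc.cgroup.devices.allow = c 136:* rwm
### /dev/tty
#lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
#lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
#lxc.cgroup.devices.allow = c 5:2 rwm
### fuse
#lxc.cgroup.devices.allow = c 10:229 rwm
## The remaining devices are host-wide resources rather than per-container
## ones. Enable one only in the configuration of the container that needs
## it, never in this shared file.
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
## rtc
#lxc.cgroup.devices.allow = c 254:0 rm
## tun
#lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
#lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
#lxc.cgroup.devices.allow = c 10:232 rwm
## /dev/mem
## Gives access to the host's physical memory; keep this rule disabled.
#lxc.cgroup.devices.allow = c 1:1 rwm

# Capabilities removed from the container.
# If something doesn't work, try to comment this out.
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# The sys_admin drop ships disabled, so container root keeps CAP_SYS_ADMIN
# and confinement rests on the device rules above and the seccomp profile
# below. Enable the second line where the container can work without it.
lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
#lxc.cap.drop = sys_admin


# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
# and possibly other packages.
# nosuid and nodev stop setuid binaries and device nodes placed on this
# tmpfs from being honoured.
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir

# Blacklist some syscalls which are not safe in privileged
# containers
# As a blacklist, the profile leaves every syscall it does not name allowed.
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Customize lxc options through common directory
# Settings picked up from this directory apply to every container that uses
# this file, so the directory should be writable by root only.
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/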