# Default configuration for Sabayon containers # Setup the default mounts lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed # Allow for 1024 pseudo terminals lxc.pty.max = 1024 # Setup 1 tty devices for lxc-console command lxc.tty.max = 1 # Needed for systemd distro lxc.autodev = 1 # Doesn't support consoles in /dev/lxc/ lxc.tty.dir = # CGroup whitelist lxc.cgroup.devices.deny = a ## Allow any mknod (but not reading/writing the node) #lxc.cgroup.devices.allow = c *:* m #lxc.cgroup.devices.allow = b *:* m ## Allow specific devices ### /dev/null lxc.cgroup.devices.allow = c 1:3 rwm ### /dev/zero lxc.cgroup.devices.allow = c 1:5 rwm ### /dev/full lxc.cgroup.devices.allow = c 1:7 rwm ### /dev/random lxc.cgroup.devices.allow = c 1:8 rwm ### /dev/urandom lxc.cgroup.devices.allow = c 1:9 rwm ### /dev/pts/* #lxc.cgroup.devices.allow = c 136:* rwm ### /dev/tty #lxc.cgroup.devices.allow = c 5:0 rwm ### /dev/console #lxc.cgroup.devices.allow = c 5:1 rwm ### /dev/ptmx #lxc.cgroup.devices.allow = c 5:2 rwm ### fuse #lxc.cgroup.devices.allow = c 10:229 rwm ## To use loop devices, copy the following line to the container's ## configuration file (uncommented). #lxc.cgroup.devices.allow = b 7:* rwm ## rtc #lxc.cgroup.devices.allow = c 254:0 rm ## tun #lxc.cgroup.devices.allow = c 10:200 rwm ## hpet #lxc.cgroup.devices.allow = c 10:228 rwm ## kvm #lxc.cgroup.devices.allow = c 10:232 rwm ## /dev/mem #lxc.cgroup.devices.allow = c 1:1 rwm # If something doesn't work, try to comment this out. # Dropping sys_admin disables container root from doing a lot of things # that could be bad like re-mounting lxc fstab entries rw for example, # but also disables some useful things like being able to nfs mount, and # things that are already namespaced with ns_capable() kernel checks, like # hostname(1). lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override #lxc.cap.drop = sys_admin # /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328) # and possibly other packages. lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir # Blacklist some syscalls which are not safe in privileged # containers lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp # Customize lxc options through common directory lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/