confile: rename lxc.devttydir to lxc.tty.dir

[mirror_lxc.git] / config / templates / gentoo.common.conf.in

diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index cb312a36f1aee6dac05cbcc31be428e2a3bd0846..477a2abfb80666ff727a3fb52db9be4c3e7f440e 100644 (file)
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -1,54 +1,27 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
 # Gentoo common default configuration
 # This is the most feature-full container configuration
 # But security is not the goal.
-# Looking for more security, see gentoo.hardened.conf
-
-# sysfs
-lxc.mount.entry=sys sys sysfs defaults 0 0
-
-# console access
-lxc.pts = 1024
+# Looking for more security, see gentoo.moresecure.conf
 
-# this part is based on 'linux capabilities', see: man 7 capabilities
-#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
+# Doesn't support consoles in /dev/lxc/
+lxc.tty.dir =
 
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-#            ^     ^                   ^
-# char/block -'     \`- device number    \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
-## fuse
-lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
+# and possibly other packages.
+lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir