common.conf: add cgroup2 default device limits
authorChristian Brauner <christian.brauner@ubuntu.com>
Sun, 3 May 2020 10:01:44 +0000 (12:01 +0200)
committerChristian Brauner <christian.brauner@ubuntu.com>
Sun, 3 May 2020 10:03:29 +0000 (12:03 +0200)
Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
config/templates/common.conf.in
config/templates/userns.conf.in

index c4b3bdcce874bccc04404dae35e466e94ff0898b..286c5e4a3e6e06ec2caf77c9c8acca717c7e0304 100644 (file)
@@ -15,6 +15,8 @@ lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
 # Ensure hostname is changed on clone
 lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 
+# Default legacy cgroup configuration
+#
 # CGroup whitelist
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
@@ -42,6 +44,35 @@ lxc.cgroup.devices.allow = c 136:* rwm
 ### fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 
+# Default unified cgroup configuration
+#
+# CGroup whitelist
+lxc.cgroup2.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup2.devices.allow = c *:* m
+lxc.cgroup2.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
+lxc.cgroup2.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup2.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup2.devices.allow = c 1:7 rwm
+### /dev/tty
+lxc.cgroup2.devices.allow = c 5:0 rwm
+### /dev/console
+lxc.cgroup2.devices.allow = c 5:1 rwm
+### /dev/ptmx
+lxc.cgroup2.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup2.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup2.devices.allow = c 1:9 rwm
+### /dev/pts/*
+lxc.cgroup2.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup2.devices.allow = c 10:229 rwm
+
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
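Review bot: The new `lxc.cgroup2.devices.*` block is a hand-made copy of the legacy `lxc.cgroup.devices.*` list, and nothing in the template says the two must stay in step. A later edit to only one list would give containers a different device policy depending on which cgroup hierarchy the host uses, and the deny-all-then-allow default is the part most likely to drift unnoticed. I would add a line under `# Default unified cgroup configuration` such as `# Keep in sync with the legacy lxc.cgroup.devices.* list above`. Only the tail of the legacy list is visible in this diff, so the rest of the comparison should be checked against the full file. It would also help to note there that the unified rules only take effect where the runtime can enforce device filtering on cgroup2, so operators verify the deny default is applied rather than assuming it.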
index 19013da5b3cecb965a7c179dfe1baa56ccbfc8ba..69d9926809842e522b1a52fca607eac849e0ec39 100644 (file)
@@ -1,7 +1,15 @@
 # CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+#
+# Default legacy cgroup configuration
+#
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Default unified cgroup configuration
+#
+lxc.cgroup2.devices.deny =
+lxc.cgroup2.devices.allow =
+
 # Start with a full set of capabilities in user namespaces.
 lxc.cap.drop =
 lxc.cap.keep =
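Review bot: The two empty `lxc.cgroup2.devices.deny =` and `lxc.cgroup2.devices.allow =` assignments have no comment explaining what an empty value does, and the first-line comment still names only `cgroup.devices`. Presumably they clear the deny-all default and allowlist inherited from common.conf, which would leave a user-namespace container with no device cgroup filtering on the unified hierarchy. I would say so explicitly, for example `# Empty values clear the device rules set in common.conf; device access then relies on the user namespace alone`. That reading only holds if this file is included after common.conf, which is not visible here and is worth stating in the same comment.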