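# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Values are the lower-case capability names without the CAP_ prefix, and
# several may share one line separated by spaces. LXC accumulates every
# lxc.cap.drop line it reads (here and in the included common.conf), so
# uncommenting more than one of the lines below drops all of them; a later
# line does not replace an earlier one.
#
# The notes on what each drop breaks are kept on their own comment lines
# so that uncommenting a setting never leaves trailing text in its value.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# net_raw: breaks dhcp/ping
# lxc.cap.drop = net_raw
# setgid: breaks login (initgroups/setgroups)
# lxc.cap.drop = setgid
# dac_read_search: breaks login (pam unix_chkpwd)
# lxc.cap.drop = dac_read_search
# setuid: breaks sshd, nfs statd
# lxc.cap.drop = setuid
# audit_control: breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_control
# lxc.cap.drop = audit_write
# Always dropped: sys_nice (scheduler priority/affinity changes), sys_pacct
# (acct(2) process accounting) and sys_rawio (ioperm/iopl and raw device
# I/O). None of them is needed by an ordinary system container.
lxc.cap.drop = sys_nice sys_pacct sys_rawio

# Default mount entries
# "optional" makes LXC skip an entry silently when the host path does not
# exist, so these do not fail container start on kernels without them.
# NOTE(review): the three /sys entries bind host kernel interfaces into the
# container read-write: debugfs (kernel debugging hooks), securityfs (LSM
# interfaces such as AppArmor's) and pstore (the persistent crash store).
# They are not container-local state. A container that does not need them
# is better off with these lines removed, or with "ro" added to the flags.
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
# POSIX message queue filesystem at /dev/mqueue; create=dir lets LXC create
# the mount point in the rootfs if it is missing.
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0

# Extra cgroup device access
# Each line widens the device cgroup whitelist on top of what the included
# common.conf sets up. The access letters are r(ead), w(rite), m(knod).
# Every device listed here is a host kernel driver reachable by container
# root, so remove the lines for devices the container does not use.
## rtc (read and mknod only; no write access)
lxc.cgroup.devices.allow = c 254:0 rm
## tun (needed for VPNs and tap networking inside the container)
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm (exposes the hypervisor ioctl interface; only needed to run
## virtual machines inside the container)
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented). Loop devices are shared with the
## host rather than per container, so a container granted this line can
## read from and reconfigure loop devices the host has set up as well.
#lxc.cgroup.devices.allow = b 7:* rwm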