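# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
#
# Note: the LXC config parser only treats a whole line starting with '#'
# as a comment; it has no trailing-comment syntax. The "breaks ..." notes
# therefore sit on their own lines so that uncommenting an example below
# never hands the parser stray words as capability names.
# lxc.cap.drop = sys_admin
# breaks dhcp/ping
# lxc.cap.drop = net_raw
# breaks login (initgroups/setgroups)
# lxc.cap.drop = setgid
# breaks login (pam unix_chkpwd)
# lxc.cap.drop = dac_read_search
# breaks sshd,nfs statd
# lxc.cap.drop = setuid
# breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_control
# lxc.cap.drop = audit_write
#
# Dropped unconditionally: sys_nice (scheduling/priority changes),
# sys_pacct (process accounting) and sys_rawio (raw I/O port and raw
# block device access). Several names may share one line, space separated.
lxc.cap.drop = sys_nice sys_pacct sys_rawio

# Default mount entries
# These are plain bind mounts with no explicit "ro" option, so the
# container's view of debugfs, securityfs and pstore is only as restricted
# as the host mount (and whatever common.conf does with sysfs) makes it.
# "optional" means a missing source on the host is not an error. Remove
# any entry the workload does not actually need.
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0

# Extra cgroup device access
# Each entry widens the container's device whitelist on top of whatever
# common.conf already allows. Format: type (c = character, b = block),
# major:minor, then the permitted operations r (read), w (write),
# m (mknod). Keep only what the workload needs; tun and kvm in particular
# hand the container a host-shared network / virtualisation interface.
# NOTE(review): lxc.cgroup.* is the legacy (cgroup v1) key; a host running
# a pure cgroup2 hierarchy needs the lxc.cgroup2.* form instead - confirm
# against the LXC version in use.
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented). The "7:*" minor wildcard grants every
## loop device, and loop devices are shared with the host, so keep this
## per-container rather than in this common file.
#lxc.cgroup.devices.allow = b 7:* rwm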