forked from neil/lxc-templates
47 lines
1.7 KiB
Plaintext
47 lines
1.7 KiB
Plaintext
# This derives from the global common config
|
|
lxc.include = @LXCTEMPLATECONFIG@/common.conf
|
|
|
|
# Doesn't support consoles in /dev/lxc/
|
|
lxc.tty.dir =
|
|
|
|
# Extra cgroup device access
|
|
## rtc
|
|
lxc.cgroup.devices.allow = c 254:0 rm
|
|
## tun
|
|
lxc.cgroup.devices.allow = c 10:200 rwm
|
|
## hpet
|
|
lxc.cgroup.devices.allow = c 10:228 rwm
|
|
## kvm
|
|
lxc.cgroup.devices.allow = c 10:232 rwm
|
|
## To use loop devices, copy the following line to the container's
|
|
## configuration file (uncommented).
|
|
#lxc.cgroup.devices.allow = b 7:* rwm
|
|
|
|
# mount /dev/shm as tmpfs
|
|
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
|
|
|
|
# Capabilities
|
|
# Uncomment these if you don't run anything that needs the capability, and
|
|
# would like the container to run with less privilege.
|
|
# Note that some are already dropped in common.conf.
|
|
#
|
|
# Dropping sys_admin disables container root from doing a lot of things
|
|
# that could be bad like re-mounting lxc fstab entries rw for example,
|
|
# but also disables some useful things like being able to nfs mount, and
|
|
# things that are already namespaced with ns_capable() kernel checks, like
|
|
# hostname(1).
|
|
#
|
|
# Some of these don't apply in Slackware but are here for future reference.
|
|
#
|
|
# lxc.cap.drop = sys_admin # breaks systemd
|
|
# lxc.cap.drop = net_raw # breaks dhcp/ping
|
|
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
|
|
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
|
|
# lxc.cap.drop = setuid # breaks sshd,nfs statd
|
|
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
|
|
# lxc.cap.drop = audit_write
|
|
# lxc.cap.drop = setpcap # breaks journald
|
|
# lxc.cap.drop = sys_resource # breaks systemd
|
|
#
|
|
lxc.cap.drop = mknod setfcap setpcap
|