# LXC container configuration fragment shared by the Alpine templates.
# It layers a few hardening settings on top of the distribution-wide
# common.conf; @LXCTEMPLATECONFIG@ is a placeholder that is presumably
# substituted with the real template-config directory at build/install
# time — confirm against the build scripts.
# This derives from the global common config.
lxc.include = @LXCTEMPLATECONFIG@/common.conf

# Doesn't support consoles in /dev/lxc/.
# Left empty on purpose: no dedicated tty directory is created under /dev,
# so the container's console devices end up directly in /dev instead.
lxc.devttydir =

# Drop other (potentially) harmful capabilities.
# These are dropped in addition to whatever common.conf (included above)
# already removes; each entry removes one capability from the container's
# bounding set. Rough intent per entry (see capabilities(7)):
#   audit_write     - writing records to the kernel audit log
#   ipc_owner       - bypassing permission checks on SysV IPC objects
#   mknod           - creating device nodes inside the container
#   setpcap         - adjusting capability sets of other processes / the bounding set
#   sys_nice        - raising scheduling priority / changing policy
#   sys_pacct       - process accounting control
#   sys_ptrace      - tracing arbitrary processes (also limits debuggers inside)
#   sys_rawio       - raw I/O port and disk access
#   sys_resource    - overriding resource limits and quotas
#   sys_tty_config  - terminal / virtual console configuration
#   syslog          - privileged syslog(2) operations (e.g. reading dmesg)
#   wake_alarm      - setting system wake alarms
lxc.cap.drop = audit_write
lxc.cap.drop = ipc_owner
lxc.cap.drop = mknod
lxc.cap.drop = setpcap
lxc.cap.drop = sys_nice
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_ptrace
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_resource
lxc.cap.drop = sys_tty_config
lxc.cap.drop = syslog
lxc.cap.drop = wake_alarm

# Mount /run as tmpfs.
# Format: <source> <target relative to rootfs> <fstype> <options> <dump> <pass>.
# nodev is set, but unlike the dev/shm entry below this mount carries neither
# nosuid nor noexec and no create=dir, so the mount point must already exist
# in the rootfs. NOTE(review): adding nosuid here is a low-risk hardening
# worth considering; left unchanged because it alters container behaviour.
lxc.mount.entry=run run tmpfs rw,nodev,relatime,mode=755 0 0

# Mount /dev/shm as tmpfs; needed for building python and possibly other packages.
# mode=1777 gives the usual sticky, world-writable shared-memory directory;
# nodev,noexec,nosuid keep it from being used to stage device nodes or
# executables. create=dir makes LXC create the target directory if the
# rootfs lacks it.
lxc.mount.entry=shm dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,mode=1777,create=dir 0 0