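# Default configuration shared by all containers.
#
# This is an autoconf-style template (common.conf.in): the @LXCHOOKDIR@ and
# @LXCTEMPLATECONFIG@ tokens below are replaced with the installed paths when
# the package is built, so the file is not loadable by LXC as-is.

# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Setup 4 tty devices
lxc.tty = 4

# Drop some harmful capabilities.
#   mac_admin / mac_override  - configuring or bypassing mandatory access control
#   sys_time                  - setting the system clock
#   sys_module                - loading and unloading kernel modules
# Every other capability is retained, so this list is not a security boundary
# on its own; the device cgroup whitelist and the seccomp profile further down
# provide the remaining restrictions for these privileged containers.
lxc.cap.drop = mac_admin mac_override sys_time sys_module

# Set the pivot directory (the old root is moved here during pivot_root)
lxc.pivotdir = lxc_putold

# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname

# CGroup whitelist: deny every device first, then re-allow selectively.
# Access flags: r = read, w = write, m = mknod (create the device node).
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node): a node for any
## major:minor may be created, but it cannot be opened unless that device
## is also granted r/w below.
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices (character devices, major:minor, read/write/mknod)
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/* (devpts slave devices, character major 136)
lxc.cgroup.devices.allow = c 136:* rwm

# Blacklist some syscalls which are not safe in privileged
# containers. The syscall list itself lives in common.seccomp.
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
# Because this include comes last, drop-in files placed there can extend
# or override any of the settings above.
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
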