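# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf

# Default mount entries
# Every entry is marked "optional", so a mount that cannot be performed
# (for example because the path is missing on the host) is skipped instead
# of aborting container start.
# The first three entries bind-mount host-wide kernel interfaces into the
# container: debugfs (kernel debugging data), securityfs (LSM interfaces)
# and pstore (persistent kernel crash records). They are not per-container
# views.
# NOTE(review): what the container may read or write under these paths
# depends on the AppArmor profile and on the restrictions set in the included
# common.conf, neither of which is visible here - confirm before reusing
# this list for containers that run untrusted code.
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
# mqueue is mounted as its own filesystem type rather than bind-mounted;
# create=dir creates the dev/mqueue mount point when it does not exist.
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
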
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
# Running unconfined removes the AppArmor layer entirely; the container is
# then held back only by the other restrictions in its configuration, so
# reserve this for workloads you trust.
#lxc.aa_profile = unconfined

# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
# A pre-start hook runs on the host, before the container starts, so the
# script must be owned by root and not writable by unprivileged users.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client

# If you wish to allow mounting block filesystems, then use the following
# lxc.aa_profile line instead, and make sure to grant access to the block
# device and/or loop devices below in lxc.cgroup.devices.allow.
# Mounting a filesystem exposes the host kernel's filesystem parsers to the
# contents of that device or image, so enable this only for containers whose
# block devices and images you trust.
#lxc.aa_profile = lxc-container-default-with-mounting

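# Extra cgroup device access
# Rule format: <type> <major>:<minor> <access>
#   type:   c = character device, b = block device
#   access: r = read, w = write, m = mknod
# Each rule lets the container reach a host device node, presumably on top of
# whatever the included common.conf already allows. Remove any rule the
# workload does not need.
## rtc
# Read and mknod only (no write).
# NOTE(review): major 254 is in the dynamically assigned range, so the rtc
# node may carry a different number on a given host - check with
# `ls -l /dev/rtc0` before relying on this rule.
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
# /dev/kvm is the host kernel's KVM interface; keep this rule only for
# containers that are meant to run virtual machines.
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
# Loop devices are not namespaced: 7:* matches every loop device on the
# host, including ones in use by the host itself or by other containers.
#lxc.cgroup.devices.allow = b 7:* rwm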