ubuntu.common.conf.in revision d3928441889e4c91d986bbbb41e791e18d2b1e91
# Shared LXC defaults for Ubuntu containers. The per-container config is
# expected to pull this file in and may override individual keys (see the
# apparmor notes below). The cgroup devices deny/allow lines are applied in
# file order, so the "deny a" line must stay ahead of the allow list.
# (.conf.in: substituted at build time — confirm the installed path against
# the build rule that processes it.)

# Default pivot location
# Directory, relative to the new rootfs, used as the put_old target while the
# container pivots into its root filesystem.
lxc.pivotdir = lxc_putold

# Default mount entries
# proc is mounted nodev,noexec,nosuid so nothing under it can be used to run
# code or expose device nodes; sysfs is mounted with stock options.
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
# The next four entries bind host kernel interfaces into the container; the
# "optional" flag turns a missing source into a skip rather than a start
# failure. debugfs and pstore expose host-wide kernel state, so drop the bind
# where a deployment does not need it and let the apparmor profile below
# mediate what remains.
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0

# Default console settings
# ttys are created under /dev/lxc/ inside the container; four of them, plus a
# devpts instance capped at 1024 ptys.
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024

# Default capabilities
# Dropped from the container's bounding set: kernel module loading, changing
# or overriding MAC (apparmor/SELinux) labels, and setting the system clock.
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined

# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups

# Default cgroup limits
# Default-deny every device node, then whitelist by type and major:minor; the
# access letters are r(ead), w(rite), m(knod).
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
## /dev/tty (5:0) and /dev/console (5:1)
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
## /dev/ptmx (5:2) plus the whole pts major (136)
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
## read + mknod only, no write: the hardware clock cannot be set from inside,
## matching the sys_time drop above
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
## passes the host's /dev/kvm through; remove where containers need not run VMs
lxc.cgroup.devices.allow = c 10:232 rwm
