# Hostname
-lxc.utsname = template
+lxc.utsname = template.local
# Use this root filesystem
-lxc.rootfs = /var/lib/lxc/template/rootfs
+lxc.rootfs = /containers/template
# Log console output
lxc.console = /var/log/lxc/template.lxc
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
-# mounts point
-lxc.mount.entry=proc /var/lib/lxc/template/rootfs/proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry=sysfs /var/lib/lxc/template/rootfs/sys sysfs defaults 0 0
+# mounts (note that the second item in each list is the mount point, relative
+# to the rootfs)
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry=sysfs sys sysfs defaults 0 0
+lxc.mount.entry=/data/users data/users none defaults,bind 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start
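Review bot: The new bind mount `lxc.mount.entry=/data/users data/users none defaults,bind 0 0` shares a host directory read-write without `nodev` or `nosuid`, although the proc entry two lines above it is restricted. Nothing in the visible lines maps container uids, so root in the container presumably writes there as host uid 0. I would use `lxc.mount.entry=/data/users data/users none bind,nodev,nosuid 0 0` (plus `ro` if the container only reads it) and also mount that filesystem `nosuid,nodev` on the host, since container-side flags do not change the host's view. Confirm that the LXC version in use applies extra flags on bind mounts, because that needs a remount. Separately, the drop list leaves `mknod` in place and no `lxc.cgroup.devices.deny = a` is visible before the `devices.allow` line, so the device whitelist may not restrict anything unless the rest of the file covers it.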