lxc: Drop a bunch of capabilities in the template container

[matthijs/servers/tika.git] / var / lib / lxc / template / config

diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 7b1fd74dc2fef9819f3f639b942febb56c11b282..0509ae6e49d6b90e50a783e19adbdf1d8ed25fa2 100644 (file)
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -2,11 +2,22 @@
 lxc.utsname = template
 
 # Use this root filesystem
-lxc.rootfs = /var/lib/lxc/template/rootfs
+lxc.rootfs = /containers/template
 
 # Log console output
 lxc.console = /var/log/lxc/template.lxc
 
+# The container gets a single virtual eth0 interface with a statically assigned
+# address (assigned by lxc-start, no need for the container to assign any
+# address itself).
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.veth.pair = lxc-template
+lxc.network.name = eth0
+lxc.network.link = br-lxc
+lxc.network.ipv4 = 10.42.0.10/24
+lxc.network.ipv4.gateway = auto
+
 # The number of ttys available (shouldn't be less than the getty's
 # configured in the inittab).
 lxc.tty = 4
@@ -38,6 +49,21 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 254:0 rwm
 
-# mounts point
-lxc.mount.entry=proc /var/lib/lxc/template/rootfs/proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry=sysfs /var/lib/lxc/template/rootfs/sys sysfs defaults  0 0
+# mounts (note that the second item in each list is the mount point, relative
+# to the rootfs)
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry=sysfs sys sysfs defaults  0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start