lxc: Add log container configuration

[matthijs/servers/tika.git] / var / lib / lxc / template / config

diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 4a071648d7eb3388791292241615a884a2404893..c891c663c6f1336c1b4101c72ee34d6fdb87b58d 100644 (file)
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -1,5 +1,5 @@
 # Hostname
-lxc.utsname = template
+lxc.utsname = template.local
 
 # Use this root filesystem
 lxc.rootfs = /containers/template
@@ -50,6 +50,22 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 254:0 rwm
 
 # mounts (note that the second item in each list is the mount point, relative
-# to the rootfs)
+ to the rootfs)
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry=sysfs sys sysfs defaults  0 0
+lxc.mount.entry=/data/users data/users none defaults,bind 0 0
+lxc.mount.entry=/etc/skel etc/skel none defaults,bind,ro 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start