X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=var%2Flib%2Flxc%2Ftemplate%2Fconfig;h=0509ae6e49d6b90e50a783e19adbdf1d8ed25fa2;hb=a08ca92cb5112693560c9b2d8454f49d56a23230;hp=48899db2c7c1ede5d10e0c0bd3aa965062c0a146;hpb=5b1acc5d8ffe291583a3c64d92b0dc16bd928fa7;p=matthijs%2Fservers%2Ftika.git
diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 48899db..0509ae6 100644
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -1,23 +1,69 @@
+# Hostname
+lxc.utsname = template
+
+# Use this root filesystem
+lxc.rootfs = /containers/template
+
+# Log console output
+lxc.console = /var/log/lxc/template.lxc
+
+# The container gets a single virtual eth0 interface with a statically assigned
+# address (assigned by lxc-start, no need for the container to assign any
+# address itself).
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.veth.pair = lxc-template
+lxc.network.name = eth0
+lxc.network.link = br-lxc
+lxc.network.ipv4 = 10.42.0.10/24
+lxc.network.ipv4.gateway = auto
+
+# The number of ttys available (shouldn't be less than the getty's
+# configured in the inittab).
 lxc.tty = 4
-lxc.pts = 1024
-lxc.rootfs = /var/lib/lxc/template/rootfs
+
+# Use private pts for the container
+lxc.pts = 256
+
+# Deny all devices, except the following
 lxc.cgroup.devices.deny = a
-# /dev/null and zero
+# /dev/null
 lxc.cgroup.devices.allow = c 1:3 rwm
+# /dev/zero
 lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
+# /dev/console
 lxc.cgroup.devices.allow = c 5:1 rwm
+# /dev/tty
 lxc.cgroup.devices.allow = c 5:0 rwm
+# /dev/tty0
 lxc.cgroup.devices.allow = c 4:0 rwm
+# /dev/tty1
 lxc.cgroup.devices.allow = c 4:1 rwm
 # /dev/{,u}random
 lxc.cgroup.devices.allow = c 1:9 rwm
 lxc.cgroup.devices.allow = c 1:8 rwm
+# /dev/pts/0 - /dev/pts/255
 lxc.cgroup.devices.allow = c 136:* rwm
+# /dev/ptmx
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 254:0 rwm
-# mounts point
-lxc.mount.entry=proc /var/lib/lxc/template/rootfs/proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry=sysfs /var/lib/lxc/template/rootfs/sys sysfs defaults 0 0
+# mounts (note that the second item in each list is the mount point, relative
+# to the rootfs)
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry=sysfs sys sysfs defaults 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start
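Review bot: The new sysfs entry `lxc.mount.entry=sysfs sys sysfs defaults 0 0` is the only mount in the hunk without hardening flags, while the proc entry directly above it gets `nodev,noexec,nosuid`; with sysfs writable, root inside the container may be able to change kernel attributes exposed there, which works against the capability drops that follow. Unless something in this template needs to write sysfs, change it to `lxc.mount.entry=sysfs sys sysfs ro,nodev,noexec,nosuid 0 0`, or at minimum give it the same `nodev,noexec,nosuid` flags as proc. The mounts comment could also record why sysfs is mounted at all, since the rest of the file now documents each device and capability entry individually.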