From ccde91ca850232957768ba0de51d397bafd9cbab Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 13 Sep 2011 21:01:16 +0200
Subject: [PATCH] lxc: Add ldap container configuration

---
var/lib/lxc/ldap/config | 69 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 var/lib/lxc/ldap/config

diff --git a/var/lib/lxc/ldap/config b/var/lib/lxc/ldap/config
new file mode 100644
index 0000000..fc6c1c0
--- /dev/null
+++ b/var/lib/lxc/ldap/config
@@ -0,0 +1,69 @@
+# Hostname
+lxc.utsname = ldap
+
+# Use this root filesystem
+lxc.rootfs = /containers/ldap
+
+# Log console output
+lxc.console = /var/log/lxc/ldap.lxc
+
+# The container gets a single virtual eth0 interface with a statically assigned
+# address (assigned by lxc-start, no need for the container to assign any
+# address itself).
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.veth.pair = lxc-ldap
+lxc.network.name = eth0
+lxc.network.link = br-lxc
+lxc.network.ipv4 = 10.42.0.11/24
+lxc.network.ipv4.gateway = auto
+
+# The number of ttys available (shouldn't be less than the getty's
+# configured in the inittab).
+lxc.tty = 4
+
+# Use private pts for the container
+lxc.pts = 256
+
+# Deny all devices, except the following
+lxc.cgroup.devices.deny = a
+# /dev/null
+lxc.cgroup.devices.allow = c 1:3 rwm
+# /dev/zero
+lxc.cgroup.devices.allow = c 1:5 rwm
+# /dev/console
+lxc.cgroup.devices.allow = c 5:1 rwm
+# /dev/tty
+lxc.cgroup.devices.allow = c 5:0 rwm
+# /dev/tty0
+lxc.cgroup.devices.allow = c 4:0 rwm
+# /dev/tty1
+lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+# /dev/pts/0 - /dev/pts/255
+lxc.cgroup.devices.allow = c 136:* rwm
+# /dev/ptmx
+lxc.cgroup.devices.allow = c 5:2 rwm
+# rtc
+lxc.cgroup.devices.allow = c 254:0 rwm
+
+# mounts (note that the second item in each list is the mount point, relative
+# to the rootfs)
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry=sysfs sys sysfs defaults 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start
-- 
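Review bot: The sysfs entry near the end of the hunk (`lxc.mount.entry=sysfs sys sysfs defaults 0 0`) mounts /sys read-write and without the `nodev,noexec,nosuid` flags that the proc entry immediately above it uses; nothing in this config maps container root to an unprivileged host uid, so container root can write host-global kernel attributes under /sys, and the capabilities dropped further down do not gate those ordinary root-owned file writes. Mount it read-only with the same hardening flags: `lxc.mount.entry=sysfs sys sysfs ro,nodev,noexec,nosuid 0 0`. The `lxc.cap.drop` block also leaves `mac_admin`, `mac_override` and `sys_ptrace` in place, which presumably matters if the host confines the container with an LSM; if they are retained on purpose, a short comment such as `# mac_admin/mac_override/sys_ptrace intentionally kept` would stop a later reader from silently "fixing" it either way.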
2.30.2