archlinux.userns.conf \
centos.common.conf \
centos.userns.conf \
+ common.conf \
debian.common.conf \
debian.userns.conf \
fedora.common.conf \
ubuntu-cloud.userns.conf \
ubuntu.common.conf \
ubuntu.lucid.conf \
+ ubuntu.priv.seccomp \
ubuntu.userns.conf \
- ubuntu.priv.seccomp
+ userns.conf
-# Based on fedora.common.conf.in
-# Console settings
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-lxc.autodev = 1
+# Allow for 6 tty devices by default
lxc.tty = 6
-lxc.pts = 1024
+
+# Turn on autodev for systemd
+lxc.autodev = 1
+
+# Disable kmsg
lxc.kmsg = 0
+# Set the halt/stop signals
lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-6] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
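Review bot: The new `lxc.cap.drop` line at L53 reads as if Fedora now drops only four capabilities, when the effective set is this line plus the four in common.conf (L149: mac_admin mac_override sys_time sys_module), because `lxc.cap.drop` accumulates across lines — the removed L35-L38 relied on exactly that. A one-line comment above it would stop a reader from concluding that mac_admin or sys_module became grantable: `# Extends the capabilities already dropped by common.conf (mac_admin mac_override sys_time sys_module)`. The same applies to the equivalent lines at L113, L283, L467 and L525.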
-# Based on fedora.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-# lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
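Review bot: The active binfmt_misc bind mount removed at L73 is not carried into the new userns.conf (L660-L675 holds only the /dev bind mounts), so unless it is re-added in a part of this file outside the hunk, Fedora user-namespace containers silently lose it with this commit. The other userns files drop both their efivars and binfmt_misc entries the same way (L132-L133, L302-L303, L427-L428, L486-L487, L543-L544), while the context at L658-L659 shows at least one file keeping efivars, so the result is inconsistent across distributions. Exposing less of the host's /proc and /sys to a container is a reasonable hardening step, but then the commit description should say so; if the removal is accidental, re-add `lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0` after the include in the affected files or move it into userns.conf.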
-# Taken from the oracle.common.conf.in
-# Console settings
-
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override setfcap setpcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
+lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
--- /dev/null
+# Default configuration shared by all containers
+
+# Setup the LXC devices in /dev/lxc/
+lxc.devttydir = lxc
+
+# Allow for 1024 pseudo terminals
+lxc.pts = 1024
+
+# Setup 4 tty devices
+lxc.tty = 4
+
+# Drop some harmful capabilities
+lxc.cap.drop = mac_admin mac_override sys_time sys_module
+
+# Set the pivot directory
+lxc.pivotdir = lxc_putold
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
+lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
+lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
+lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
+lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
+lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
+lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
+lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
+lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
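Review bot: The header at L137 does not explain the override contract the rest of this commit relies on, which is the one thing a maintainer editing common.conf needs to know. Scalar keys set here (lxc.devttydir, lxc.pts, lxc.tty, lxc.pivotdir) are replaced by a later assignment in the including file — fedora.common.conf sets `lxc.tty = 6` after the include (L21) and several files reset `lxc.devttydir =` to empty (L178, L324) — whereas the list keys (lxc.cap.drop, lxc.hook.clone, lxc.cgroup.devices.*, lxc.mount.entry) accumulate, so a per-distribution file can only add to the device whitelist here, never narrow it, short of re-issuing `lxc.cgroup.devices.deny = a` after the include. I would extend the header to: `# Default configuration shared by all template configs via lxc.include.` / `# Scalar keys (lxc.tty, lxc.pts, lxc.devttydir, lxc.pivotdir) may be overridden after the include;` / `# lxc.cap.drop, lxc.cgroup.devices.* and lxc.mount.entry accumulate and apply in file order.` Note also that L167 (`c 5:1 rwm`, /dev/console) is new relative to the Fedora/Oracle-derived whitelists being replaced (L45-L52, L105-L112), which did not grant it.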
-# Default pivot location
-lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
-
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+#lxc.mount.auto = cgroup:mixed
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-# Taken from the oracle.common.conf.in
-# Console settings
-
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
-
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = setfcap
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
# Gentoo common default configuration
# This is the most feature-full container configuration
# But security is not the goal.
# Looking for more security, see gentoo.moresecure.conf
-# sysfs
+# Default mount entries
lxc.mount.entry=sys sys sysfs defaults 0 0
-# console access
-lxc.pts = 1024
-
-# this part is based on 'linux capabilities', see: man 7 capabilities
-# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
-
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-# ^ ^ ^
-# char/block -' \`- device number \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
+#lxc.cgroup.devices.allow = b 7:* rwm
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
# Gentoo security oriented default configuration
# This is a more security oriented container configuration
# "More" because this is far from fully secure
lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
-# console access
-lxc.pts = 1024
-
# this part is based on 'linux capabilities', see: man 7 capabilities
# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
#
# conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
# aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
-lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
-
-# deny access to all devices by default, explicitly grant some permissions
-#
-# format is [c|b] [major|*]:[minor|*] [r][w][m]
-# ^ ^ ^
-# char/block -' \`- device number \`-- read, write, mknod
-#
-# first deny all...
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rw
-lxc.cgroup.devices.allow = c 1:5 rw
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rw
-lxc.cgroup.devices.allow = c 1:8 r
-# /dev/pts/*
-lxc.cgroup.devices.allow = c 136:* rw
-lxc.cgroup.devices.allow = c 5:2 rw
-# /dev/tty{0,1}
-lxc.cgroup.devices.allow = c 4:1 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-# /dev/tty
-lxc.cgroup.devices.allow = c 5:0 rwm
-# /dev/console
-lxc.cgroup.devices.allow = c 5:1 rwm
\ No newline at end of file
+lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
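Review bot: Including common.conf at L367 widens the device policy of the "more secure" Gentoo profile instead of tightening it: the removed L391-L407 granted only `rw` (no mknod) on /dev/null, /dev/zero and /dev/urandom and `r` only on /dev/random, with no wildcard mknod at all, whereas common.conf (L158-L171) now grants `c *:* m`, `b *:* m`, `rwm` on every listed node and adds /dev/full — and nothing on the new side of this file narrows that back. CAP_MKNOD is still dropped at L409, which blunts the wildcard mknod entries, but the device cgroup was the independent layer this profile advertised, and after this commit it is identical to the feature-full gentoo.common.conf policy. Because cgroup entries apply in configuration order (common.conf itself depends on deny-then-allow), the intent can be restored by adding `lxc.cgroup.devices.deny = a` after the include and then re-listing the original narrower allow lines from L393-L407 (with a comment saying it deliberately overrides common.conf); the /dev/tty0 and /dev/tty1 entries (4:0, 4:1) also disappear here unless they are kept outside the hunk. The smaller file ending at L590 gains the same `*:* m` allowances it previously lacked (L558-L569), and may deserve the same scrutiny.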
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-lxc.autodev = 1
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Mount entries
-# lxc.mount.auto = proc:mixed sys:ro
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# Enable autodev
+lxc.autodev = 1
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
# lxc.cap.drop = setfcap
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
-# Taken from the oracle.userns.conf.in
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-# Console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Mount entries
lxc.mount.auto = proc:mixed sys:ro
-# Ensure hostname is changed on clone
-lxc.hook.clone = @LXCHOOKDIR@/clonehostname
-
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
-#
-lxc.cap.drop = mac_admin mac_override
-lxc.cap.drop = sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_rawio sys_time
-
-# Control Group devices: all denied except those whitelisted
-lxc.cgroup.devices.deny = a
-# Allow any mknod (but not reading/writing the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
-lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
-lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
-lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
-lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
-lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
-lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
-lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Extra fstab entries as mountall can't mount those by itself
-lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
-lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-# Default console settings
-lxc.tty = 4
-lxc.pts = 1024
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Default mount
lxc.mount.auto = proc sys cgroup
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
-lxc.cgroup.devices.deny = a
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-# consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
-# rtc
+# Extra cgroup device access
+## rtc
lxc.cgroup.devices.allow = c 254:0 rm
-# fuse
+## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
-# Default pivot location
-lxc.pivotdir = lxc_putold
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
-# Default console settings
-lxc.devttydir = lxc
-lxc.tty = 4
-lxc.pts = 1024
-
-# Default capabilities
-lxc.cap.drop = sys_module mac_admin mac_override sys_time
-
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
-# Default cgroup limits
-lxc.cgroup.devices.deny = a
-## Allow any mknod (but not using the node)
-lxc.cgroup.devices.allow = c *:* m
-lxc.cgroup.devices.allow = b *:* m
-## /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-## consoles
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 5:1 rwm
-## /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
-## /dev/pts/*
-lxc.cgroup.devices.allow = c 5:2 rwm
-lxc.cgroup.devices.allow = c 136:* rwm
+# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
-## full
-lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
-# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
-lxc.cgroup.devices.deny =
-lxc.cgroup.devices.allow =
-
-# We can't move bind-mounts, so don't use /dev/lxc/
-lxc.devttydir =
-
-# Extra bind-mounts for userns
-lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
-lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
-lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
-lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
-lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
-lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
-lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
--- /dev/null
+# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+lxc.cgroup.devices.deny =
+lxc.cgroup.devices.allow =
+
+# We can't move bind-mounts, so don't use /dev/lxc/
+lxc.devttydir =
+
+# Extra bind-mounts for userns
+lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
+lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
+lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
+lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
+lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
+lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
+lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
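Review bot: This file's correctness depends on include order, and nothing in it says so: the empty assignments at L662-L663 and L666 only undo `lxc.cgroup.devices.*` and `lxc.devttydir` entries that appear earlier in the effective configuration, i.e. those from common.conf (L140, L158-L171) via the distribution's common file, and a later include or assignment would reinstate them. The per-distribution userns files now consist of little more than the include at L75 (and L135, L244, L305, L430, L489, L546, L590, L657), so whether the distro common include precedes it is decided outside these hunks. I would open the file with: `# Included by the per-distribution userns templates. Must come after common.conf (or the` / `# distribution common file): the empty assignments below clear the cgroup device` / `# whitelist and lxc.devttydir set there and are themselves overridden by anything later.` The reason for clearing the device cgroup is already given at L661, which is good; keep it.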
config/templates/archlinux.userns.conf
config/templates/centos.common.conf
config/templates/centos.userns.conf
+ config/templates/common.conf
config/templates/debian.common.conf
config/templates/debian.userns.conf
config/templates/fedora.common.conf
config/templates/ubuntu.common.conf
config/templates/ubuntu.lucid.conf
config/templates/ubuntu.userns.conf
+ config/templates/userns.conf
config/yum/Makefile
doc/Makefile
# Note that /etc/hostname is updated by lxc itself
for file in \
$LXC_ROOTFS_PATH/etc/sysconfig/network \
- $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* ;
+ $LXC_ROOTFS_PATH/etc/sysconfig/network-scripts/ifcfg-* \
+ $LXC_ROOTFS_PATH/etc/hosts ;
do
if [ -f $file ]; then
sed -i "s|$LXC_SRC_NAME|$LXC_NAME|" $file