# work better with systemd: lxc.autodev = 1 # Taken from the oracle.common.conf.in # Console settings lxc.tty.dir = lxc lxc.tty.max = 4 lxc.pty.max = 1024 # Mount entries lxc.mount.auto = proc:mixed sys:ro # Ensure hostname is changed on clone lxc.hook.clone = /usr/share/lxc/hooks/clonehostname # Capabilities # Uncomment these if you don't run anything that needs the capability, and # would like the container to run with less privilege. # # Dropping sys_admin disables container root from doing a lot of things # that could be bad like re-mounting lxc fstab entries rw for example, # but also disables some useful things like being able to nfs mount, and # things that are already namespaced with ns_capable() kernel checks, like # hostname(1). # lxc.cap.drop = sys_admin # lxc.cap.drop = net_raw # breaks dhcp/ping # lxc.cap.drop = setgid # breaks login (initgroups/setgroups) # lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd) # lxc.cap.drop = setuid # breaks sshd,nfs statd # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed) # lxc.cap.drop = audit_write # big big login delays in Fedora 20 systemd: #lxc.cap.drop = setpcap # lxc.cap.drop = mac_admin mac_override # needed for httpd #lxc.cap.drop = setfcap lxc.cap.drop = sys_module sys_pacct # sys_nice: needed to run CTDB #lxc.cap.drop = sys_nice sys_pacct lxc.cap.drop = sys_rawio sys_time # Control Group devices: all denied except those whitelisted lxc.cgroup.devices.deny = a # Allow any mknod (but not reading/writing the node) lxc.cgroup.devices.allow = c *:* m lxc.cgroup.devices.allow = b *:* m ## /dev/null lxc.cgroup.devices.allow = c 1:3 rwm ## /dev/zero lxc.cgroup.devices.allow = c 1:5 rwm ## /dev/full lxc.cgroup.devices.allow = c 1:7 rwm ## /dev/tty lxc.cgroup.devices.allow = c 5:0 rwm ## /dev/random lxc.cgroup.devices.allow = c 1:8 rwm ## /dev/urandom lxc.cgroup.devices.allow = c 1:9 rwm ## /dev/tty[1-4] ptys and lxc console lxc.cgroup.devices.allow = c 136:* rwm ## /dev/ptmx pty master lxc.cgroup.devices.allow = c 5:2 rwm # Blacklist some syscalls which are not safe in privileged # containers lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp