51 lines
1.9 KiB
Text
51 lines
1.9 KiB
Text
# Taken from the oracle.common.conf.in
|
|
# Console settings
|
|
|
|
lxc.devttydir = lxc
|
|
lxc.tty = 4
|
|
lxc.pts = 1024
|
|
|
|
# Mount entries
|
|
lxc.mount.auto = proc:mixed sys:ro
|
|
|
|
# Ensure hostname is changed on clone
|
|
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
|
|
|
|
# Capabilities
|
|
# Uncomment these if you don't run anything that needs the capability, and
|
|
# would like the container to run with less privilege.
|
|
#
|
|
# Dropping sys_admin disables container root from doing a lot of things
|
|
# that could be bad like re-mounting lxc fstab entries rw for example,
|
|
# but also disables some useful things like being able to nfs mount, and
|
|
# things that are already namespaced with ns_capable() kernel checks, like
|
|
# hostname(1).
|
|
# lxc.cap.drop = sys_admin
|
|
# lxc.cap.drop = net_raw # breaks dhcp/ping
|
|
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
|
|
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
|
|
# lxc.cap.drop = setuid # breaks sshd,nfs statd
|
|
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
|
|
# lxc.cap.drop = audit_write
|
|
#
|
|
lxc.cap.drop = mac_admin mac_override setfcap setpcap
|
|
lxc.cap.drop = sys_module sys_nice sys_pacct
|
|
lxc.cap.drop = sys_rawio sys_time
|
|
|
|
# Control Group devices: all denied except those whitelisted
|
|
lxc.cgroup.devices.deny = a
|
|
# Allow any mknod (but not reading/writing the node)
|
|
lxc.cgroup.devices.allow = c *:* m
|
|
lxc.cgroup.devices.allow = b *:* m
|
|
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
|
|
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
|
|
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
|
|
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
|
|
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
|
|
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
|
|
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
|
|
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
|
|
|
|
# Blacklist some syscalls which are not safe in privileged
|
|
# containers
|
|
lxc.seccomp = /usr/share/lxc/config/common.seccomp
|