proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-06 08:23:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
cb6d63a7aa
mirror_lxc/config/templates/archlinux.common.conf.in
Stéphane Graber f24a52d5f5 Use consistent /proc, /sys and /sys/fs/cgroup (v2) 
- Implements mixed mode for /sys where it's mounted read-only but with
   /sys/devices/virtual/net/ writable.

 - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
   templates.

 - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.

 - Get rid of the fstab file by default, using lxc.mount.entry instead.

 - Set sys:mixed as the default for "sys". sys:mixed is slightly more
   permissive than sys:ro so this shouldn't be a problem.

The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.

v2 changes:
 - Fix the mount list, don't specify a source for the remount.
 - Update the documentation.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-01-29 11:44:02 +01:00

33 lines
1.2 KiB
Plaintext
Raw Blame History

# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf
# Allow for 6 tty devices by default
lxc.tty = 6
# Set the halt/stop signals
lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14
# Uncomment to disable creating tty devices subdirectory in /dev
# lxc.devttydir =
# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
#
lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
Reference in New Issue View Git Blame Copy Permalink