
This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
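# LXC configuration fragment for unprivileged (user-namespace) containers.
# Every key below is either an empty assignment or an extra bind-mount entry.
# NOTE(review): presumably this file is included after the common config and
# the empty assignments reset values set there - confirm against the include
# order of the template that uses it.

# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
# The empty assignments leave no devices-cgroup deny/allow rules configured
# by this file, so the device cgroup is not what restricts device access in
# these containers.
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =

# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =

# Extra bind-mounts for userns
# Each entry bind-mounts the host's own device node onto a file created in
# the container's /dev (create=file). These are host nodes shared with the
# container, so keep the list to the minimum the workload needs: every
# additional host device listed here becomes reachable from inside the
# container, subject only to the node's permissions.
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0

# Default seccomp policy is not needed for unprivileged containers, and
# non-root users cannot use seccomp without NNP anyway.
# (NNP = no_new_privs.)
# NOTE(review): with an empty value no seccomp profile is named here, so
# these containers get no syscall filter from this file; isolation then rests
# on the user namespace and the kernel's capability checks. Revisit this if
# the LXC version in use can set no_new_privs for the container.
lxc.seccomp =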