Adding more of lxc3 config bits and bobs that might be useful
This commit is contained in:
Adam Boardman
parent
16f2aa94f1
commit
a9dc3cc4be
1 changed files with 60 additions and 7 deletions
|
|
@ -1,12 +1,21 @@
|
||||||
lxc.rootfs.path = /var/lib/lxc/android/rootfs
|
|
||||||
|
|
||||||
#lxc.net.0.type = none
|
lxc.net.0.type = none
|
||||||
|
|
||||||
#lxc.devttydir = lxc
|
lxc.rootfs.path = dir:/var/lib/lxc/android/rootfs
|
||||||
#lxc.tty = 4
|
|
||||||
#lxc.pts = 1024
|
#lxc.tty.dir = lxc
|
||||||
#lxc.arch = arm64
|
lxc.tty.dir =
|
||||||
#lxc.cap.drop = mac_admin mac_override
|
lxc.tty.max = 4
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.arch = arm64
|
||||||
|
|
||||||
|
# Drop some harmful capabilities
|
||||||
|
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
|
||||||
|
|
||||||
|
# Blacklist some syscalls which are not safe in privileged containers
|
||||||
|
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
|
||||||
|
|
||||||
|
# Appears to be removed in latest lxc versions
|
||||||
#lxc.pivotdir = lxc_putold
|
#lxc.pivotdir = lxc_putold
|
||||||
|
|
||||||
lxc.hook.pre-start = /var/lib/lxc/android/pre-start.sh
|
lxc.hook.pre-start = /var/lib/lxc/android/pre-start.sh
|
||||||
|
|
@ -17,6 +26,50 @@ lxc.hook.pre-start = /var/lib/lxc/android/pre-start.sh
|
||||||
lxc.apparmor.profile = unconfined
|
lxc.apparmor.profile = unconfined
|
||||||
lxc.autodev = 0
|
lxc.autodev = 0
|
||||||
|
|
||||||
|
# CGroup whitelist
|
||||||
|
lxc.cgroup.devices.deny = a
|
||||||
|
## Allow any mknod (but not reading/writing the node)
|
||||||
|
lxc.cgroup.devices.allow = c *:* m
|
||||||
|
lxc.cgroup.devices.allow = b *:* m
|
||||||
|
## Allow specific devices
|
||||||
|
### /dev/null
|
||||||
|
lxc.cgroup.devices.allow = c 1:3 rwm
|
||||||
|
### /dev/zero
|
||||||
|
lxc.cgroup.devices.allow = c 1:5 rwm
|
||||||
|
### /dev/full
|
||||||
|
lxc.cgroup.devices.allow = c 1:7 rwm
|
||||||
|
### /dev/tty
|
||||||
|
lxc.cgroup.devices.allow = c 5:0 rwm
|
||||||
|
### /dev/console
|
||||||
|
lxc.cgroup.devices.allow = c 5:1 rwm
|
||||||
|
### /dev/ptmx
|
||||||
|
lxc.cgroup.devices.allow = c 5:2 rwm
|
||||||
|
### /dev/random
|
||||||
|
lxc.cgroup.devices.allow = c 1:8 rwm
|
||||||
|
### /dev/urandom
|
||||||
|
lxc.cgroup.devices.allow = c 1:9 rwm
|
||||||
|
### /dev/pts/*
|
||||||
|
lxc.cgroup.devices.allow = c 136:* rwm
|
||||||
|
### fuse
|
||||||
|
lxc.cgroup.devices.allow = c 10:229 rwm
|
||||||
|
|
||||||
|
# Extra cgroup device access
|
||||||
|
## rtc
|
||||||
|
lxc.cgroup.devices.allow = c 254:0 rm
|
||||||
|
## tun
|
||||||
|
lxc.cgroup.devices.allow = c 10:200 rwm
|
||||||
|
## hpet
|
||||||
|
lxc.cgroup.devices.allow = c 10:228 rwm
|
||||||
|
## kvm
|
||||||
|
lxc.cgroup.devices.allow = c 10:232 rwm
|
||||||
|
## To use loop devices, copy the following line to the container's
|
||||||
|
## configuration file (uncommented).
|
||||||
|
#lxc.cgroup.devices.allow = b 7:* rwm
|
||||||
|
|
||||||
|
lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
|
||||||
|
lxc.hook.post-stop = /usr/share/lxcfs/lxc.reboot.hook
|
||||||
|
|
||||||
|
|
||||||
#lxc.mount.entry = tmpfs dev tmpfs nosuid 0 0
|
#lxc.mount.entry = tmpfs dev tmpfs nosuid 0 0
|
||||||
#lxc.mount.entry = /dev/__properties__ dev/__properties__ bind bind,create=dir 0 0
|
#lxc.mount.entry = /dev/__properties__ dev/__properties__ bind bind,create=dir 0 0
|
||||||
#lxc.mount.entry = /dev/socket dev/socket bind bind,create=dir 0 0
|
#lxc.mount.entry = /dev/socket dev/socket bind bind,create=dir 0 0
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue