This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | Next revision Both sides next revision | ||
docs:lxc [2013-12-09 15:33] glen load iptables from hook |
docs:lxc [2013-12-09 15:36] glen add full config dump |
||
---|---|---|---|
Line 141: | Line 141: | ||
lxc.cap.drop = net_admin | lxc.cap.drop = net_admin | ||
</file> | </file> | ||
+ | |||
+ | |||
+ | ==== full config ==== | ||
+ | |||
+ | <code bash> | ||
+ | # lxc for test | ||
+ | |||
+ | lxc.network.type = macvlan | ||
+ | lxc.network.flags = up | ||
+ | #lxc.network.hwaddr = 00:16:c0:a8:3:34 | ||
+ | lxc.network.link = eth0 | ||
+ | lxc.network.macvlan.mode = bridge | ||
+ | lxc.network.name = eth0 | ||
+ | lxc.network.ipv4 = 192.168.2.160/23 | ||
+ | lxc.network.ipv4.gateway = 192.168.2.1 | ||
+ | |||
+ | lxc.rootfs = /srv/test | ||
+ | lxc.utsname = pldmachine.local | ||
+ | lxc.tty = 4 | ||
+ | lxc.pts = 1024 | ||
+ | |||
+ | # load delfi-fw, if you want to setup firewall when container is already up | ||
+ | # you should run 'lxc-attach -e -n white -- fw-load' | ||
+ | lxc.hook.pre-mount = /sbin/service iptables start | ||
+ | |||
+ | # lxc.mount.entry is prefered, because it supports relative paths | ||
+ | lxc.mount = /var/lib/lxc/white/fstab | ||
+ | |||
+ | lxc.cap.drop = linux_immutable | ||
+ | #lxc.cap.drop = sys_boot # works as expected in newer kernels (3.4+) | ||
+ | lxc.cap.drop = syslog | ||
+ | |||
+ | # don't drop net_admin, allows firewall to be configured from inside | ||
+ | lxc.cap.drop = net_admin | ||
+ | |||
+ | # http://www.funtoo.org/Linux_Containers | ||
+ | ## Capabilities, see capabilities(7) what is available | ||
+ | #lxc.cap.drop = audit_control | ||
+ | lxc.cap.drop = audit_write | ||
+ | lxc.cap.drop = mac_admin | ||
+ | lxc.cap.drop = mac_override | ||
+ | lxc.cap.drop = mknod | ||
+ | lxc.cap.drop = setfcap | ||
+ | lxc.cap.drop = setpcap | ||
+ | lxc.cap.drop = sys_admin | ||
+ | #lxc.cap.drop = sys_boot | ||
+ | #lxc.cap.drop = sys_chroot # required by SSH | ||
+ | lxc.cap.drop = sys_module | ||
+ | #lxc.cap.drop = sys_nice | ||
+ | lxc.cap.drop = sys_pacct | ||
+ | lxc.cap.drop = sys_rawio | ||
+ | lxc.cap.drop = sys_resource | ||
+ | lxc.cap.drop = sys_time | ||
+ | #lxc.cap.drop = sys_tty_config # required by getty | ||
+ | |||
+ | lxc.autodev = 0 | ||
+ | |||
+ | # When using LXC with apparmor, uncomment the next line to run unconfined: | ||
+ | lxc.aa_profile = unconfined | ||
+ | |||
+ | # cgroups | ||
+ | # Devices | ||
+ | lxc.cgroup.devices.deny = a # Deny access to all devices | ||
+ | |||
+ | # /dev/null and zero | ||
+ | lxc.cgroup.devices.allow = c 1:3 rwm | ||
+ | lxc.cgroup.devices.allow = c 1:5 rwm | ||
+ | # consoles | ||
+ | lxc.cgroup.devices.allow = c 5:1 rwm | ||
+ | lxc.cgroup.devices.allow = c 5:0 rwm | ||
+ | lxc.cgroup.devices.allow = c 4:0 rwm | ||
+ | lxc.cgroup.devices.allow = c 4:1 rwm | ||
+ | # /dev/{,u}random | ||
+ | lxc.cgroup.devices.allow = c 1:9 rwm | ||
+ | lxc.cgroup.devices.allow = c 1:8 rwm | ||
+ | lxc.cgroup.devices.allow = c 136:* rwm | ||
+ | lxc.cgroup.devices.allow = c 5:2 rwm | ||
+ | # rtc | ||
+ | lxc.cgroup.devices.allow = c 254:0 rm | ||
+ | </code> |