User Tools
docs:lxc
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
docs:lxc [2013-12-09 15:33] glen load iptables from hook |
docs:lxc [2013-12-09 15:36] glen add full config dump |
||
|---|---|---|---|
| Line 141: | Line 141: | ||
| lxc.cap.drop = net_admin | lxc.cap.drop = net_admin | ||
| </file> | </file> | ||
| + | |||
| + | |||
| + | ==== full config ==== | ||
| + | |||
| + | <code bash> | ||
| + | # lxc for test | ||
| + | |||
| + | lxc.network.type = macvlan | ||
| + | lxc.network.flags = up | ||
| + | #lxc.network.hwaddr = 00:16:c0:a8:3:34 | ||
| + | lxc.network.link = eth0 | ||
| + | lxc.network.macvlan.mode = bridge | ||
| + | lxc.network.name = eth0 | ||
| + | lxc.network.ipv4 = 192.168.2.160/23 | ||
| + | lxc.network.ipv4.gateway = 192.168.2.1 | ||
| + | |||
| + | lxc.rootfs = /srv/test | ||
| + | lxc.utsname = pldmachine.local | ||
| + | lxc.tty = 4 | ||
| + | lxc.pts = 1024 | ||
| + | |||
| + | # load delfi-fw, if you want to setup firewall when container is already up | ||
| + | # you should run 'lxc-attach -e -n white -- fw-load' | ||
| + | lxc.hook.pre-mount = /sbin/service iptables start | ||
| + | |||
| + | # lxc.mount.entry is prefered, because it supports relative paths | ||
| + | lxc.mount = /var/lib/lxc/white/fstab | ||
| + | |||
| + | lxc.cap.drop = linux_immutable | ||
| + | #lxc.cap.drop = sys_boot # works as expected in newer kernels (3.4+) | ||
| + | lxc.cap.drop = syslog | ||
| + | |||
| + | # don't drop net_admin, allows firewall to be configured from inside | ||
| + | lxc.cap.drop = net_admin | ||
| + | |||
| + | # http://www.funtoo.org/Linux_Containers | ||
| + | ## Capabilities, see capabilities(7) what is available | ||
| + | #lxc.cap.drop = audit_control | ||
| + | lxc.cap.drop = audit_write | ||
| + | lxc.cap.drop = mac_admin | ||
| + | lxc.cap.drop = mac_override | ||
| + | lxc.cap.drop = mknod | ||
| + | lxc.cap.drop = setfcap | ||
| + | lxc.cap.drop = setpcap | ||
| + | lxc.cap.drop = sys_admin | ||
| + | #lxc.cap.drop = sys_boot | ||
| + | #lxc.cap.drop = sys_chroot # required by SSH | ||
| + | lxc.cap.drop = sys_module | ||
| + | #lxc.cap.drop = sys_nice | ||
| + | lxc.cap.drop = sys_pacct | ||
| + | lxc.cap.drop = sys_rawio | ||
| + | lxc.cap.drop = sys_resource | ||
| + | lxc.cap.drop = sys_time | ||
| + | #lxc.cap.drop = sys_tty_config # required by getty | ||
| + | |||
| + | lxc.autodev = 0 | ||
| + | |||
| + | # When using LXC with apparmor, uncomment the next line to run unconfined: | ||
| + | lxc.aa_profile = unconfined | ||
| + | |||
| + | # cgroups | ||
| + | # Devices | ||
| + | lxc.cgroup.devices.deny = a # Deny access to all devices | ||
| + | |||
| + | # /dev/null and zero | ||
| + | lxc.cgroup.devices.allow = c 1:3 rwm | ||
| + | lxc.cgroup.devices.allow = c 1:5 rwm | ||
| + | # consoles | ||
| + | lxc.cgroup.devices.allow = c 5:1 rwm | ||
| + | lxc.cgroup.devices.allow = c 5:0 rwm | ||
| + | lxc.cgroup.devices.allow = c 4:0 rwm | ||
| + | lxc.cgroup.devices.allow = c 4:1 rwm | ||
| + | # /dev/{,u}random | ||
| + | lxc.cgroup.devices.allow = c 1:9 rwm | ||
| + | lxc.cgroup.devices.allow = c 1:8 rwm | ||
| + | lxc.cgroup.devices.allow = c 136:* rwm | ||
| + | lxc.cgroup.devices.allow = c 5:2 rwm | ||
| + | # rtc | ||
| + | lxc.cgroup.devices.allow = c 254:0 rm | ||
| + | </code> | ||
docs/lxc.txt ยท Last modified: 2016-08-21 00:36 by glen
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
