lxc-config/default-eve.conf

lxc.autodev = 1
lxc.kmsg = 0
lxc.cap.keep = chown dac_override dac_read_search fowner fsetid ipc_owner kill lease linux_immutable net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_tty_config sys_resource sys_boot audit_write audit_control mknod

# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc

# Set the halt/stop signals
lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14

# Set the pivot directory
lxc.pivotdir = lxc_putold

# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /etc/lxc/default.seccomp

lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4.gateway = 172.23.75.2
lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::2

# cgroups
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm

lxc.cgroup.memory.soft_limit_in_bytes = 1500M
lxc.cgroup.memory.limit_in_bytes = 2000M
lxc.cgroup.cpu.shares = 256
lxc.cgroup.blkio.weight = 500

# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0
lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0
lxc.mount.entry = /data/containers/login/rootfs/var/lib/aurrepo srv/repo none bind,ro,create=dir,umask=0 0 0
lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0

lxc.hook.clone = /etc/lxc/hooks/setup-machine-id
lxc.hook.clone = /etc/lxc/hooks/remove-journal
lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config
lxc.hook.clone = /etc/lxc/hooks/create-lxc-config
lxc.hook.clone = /etc/lxc/hooks/update-zone
lxc.hook.clone = /etc/lxc/hooks/update-hetzner-rdns
lxc.hook.clone = /etc/lxc/hooks/ansible
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
first commit 2014-08-18 08:29:43 +00:00			`lxc.autodev = 1`
			`lxc.kmsg = 0`
no ip range 2015-08-05 15:33:37 +00:00			`lxc.cap.keep = chown dac_override dac_read_search fowner fsetid ipc_owner kill lease linux_immutable net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_tty_config sys_resource sys_boot audit_write audit_control mknod`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00
			`# Setup the LXC devices in /dev/lxc/`
			`lxc.devttydir = lxc`

			`# Set the halt/stop signals`
			`lxc.haltsignal=SIGRTMIN+4`
			`lxc.stopsignal=SIGRTMIN+14`

			`# Set the pivot directory`
			`lxc.pivotdir = lxc_putold`

			`# Blacklist some syscalls which are not safe in privileged`
			`# containers`
extend seccomp based on systemd-nspawn 2015-03-31 06:46:30 +00:00			`lxc.seccomp = /etc/lxc/default.seccomp`
first commit 2014-08-18 08:29:43 +00:00
			`lxc.network.type = veth`
			`lxc.network.link = br0`
			`lxc.network.flags = up`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.network.name = eth0`
first commit 2014-08-18 08:29:43 +00:00			`lxc.network.mtu = 1500`
no ip range 2015-08-05 15:33:37 +00:00			`lxc.network.ipv4.gateway = 172.23.75.2`
			`lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::2`
first commit 2014-08-18 08:29:43 +00:00
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`# cgroups`
			`lxc.cgroup.devices.deny = a`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`## Allow any mknod (but not reading/writing the node)`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c : m`
			`lxc.cgroup.devices.allow = b : m`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`## Allow specific devices`
			`### /dev/null`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 1:3 rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### /dev/zero`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 1:5 rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### /dev/full`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 1:7 rwm`
			`lxc.cgroup.devices.allow = c 4:1 rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### /dev/tty`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 5:0 rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### /dev/console`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 5:1 rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### /dev/ptmx`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 5:2 rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### /dev/random`
			`lxc.cgroup.devices.allow = c 1:8 rwm`
			`### /dev/urandom`
			`lxc.cgroup.devices.allow = c 1:9 rwm`
			`### /dev/pts/*`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00			`lxc.cgroup.devices.allow = c 136:* rwm`
split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`### fuse`
			`lxc.cgroup.devices.allow = c 10:229 rwm`
default.conf: add cgroup restrictions 2014-10-23 22:09:01 +00:00
			`lxc.cgroup.memory.soft_limit_in_bytes = 1500M`
			`lxc.cgroup.memory.limit_in_bytes = 2000M`
			`lxc.cgroup.cpu.shares = 256`
			`lxc.cgroup.blkio.weight = 500`

split-zone, dn42-routes and more 2015-03-30 22:02:32 +00:00			`# Setup the default mounts`
			`lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed`
			`lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0`
			`lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0`
			`lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0`
no ip range 2015-08-05 15:33:37 +00:00			`lxc.mount.entry = /data/containers/login/rootfs/var/lib/aurrepo srv/repo none bind,ro,create=dir,umask=0 0 0`
first commit 2014-08-18 08:29:43 +00:00			`lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0`

			`lxc.hook.clone = /etc/lxc/hooks/setup-machine-id`
			`lxc.hook.clone = /etc/lxc/hooks/remove-journal`
			`lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config`
			`lxc.hook.clone = /etc/lxc/hooks/create-lxc-config`
			`lxc.hook.clone = /etc/lxc/hooks/update-zone`
add update-hetzner-rdns hook 2015-01-03 16:55:03 +00:00			`lxc.hook.clone = /etc/lxc/hooks/update-hetzner-rdns`
first commit 2014-08-18 08:29:43 +00:00			`lxc.hook.clone = /etc/lxc/hooks/ansible`
no ip range 2015-08-05 15:33:37 +00:00			`lxc.hook.autodev = /etc/lxc/hooks/dn42-routes`