From 4ad6fa387ff4d150456aba7b1196ef44215c448b Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 24 Oct 2014 00:09:01 +0200
Subject: [PATCH] default.conf: add cgroup restrictions

---
 default.conf | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/default.conf b/default.conf
index d5495ed..f8bae6f 100644
--- a/default.conf
+++ b/default.conf
@@ -5,11 +5,31 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin
 lxc.network.type = veth
 lxc.network.link = br0
 lxc.network.flags = up
-lxc.network.name =eth0
+lxc.network.name = eth0
 lxc.network.mtu = 1500
 lxc.network.ipv4.gateway = auto
 lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
 
+# cgroups
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+lxc.cgroup.devices.allow = c 1:7 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 4:1 rwm
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+
+lxc.cgroup.memory.soft_limit_in_bytes = 1500M
+lxc.cgroup.memory.limit_in_bytes = 2000M
+lxc.cgroup.cpu.shares = 256
+lxc.cgroup.blkio.weight = 500
+
 lxc.mount.entry = /data/pacman-pkg-cache var/cache/pacman/pkg none bind 0 0
 lxc.mount.entry = /data/repo srv/repo none bind,ro 0 0
 lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
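Review bot: The device allow-list is a column of bare major:minor pairs, and one of them, `lxc.cgroup.devices.allow = c 4:1 rwm`, is the host's /dev/tty1 rather than a container pseudo-terminal; if the container consoles are pty-backed (`c 5:2 rwm` and `c 136:* rwm` already cover ptmx and pts), that entry can probably be dropped. Each entry would be easier to audit with a comment line above it naming the node, e.g. `# /dev/null` above `c 1:3 rwm` (1:5 zero, 1:7 full, 1:8 random, 1:9 urandom, 5:0 tty, 5:1 console). The `lxc.cap.drop` line shown in the hunk header does not include `sys_admin`, so whether the allow-list holds against root inside the container depends on confinement that is not visible in this patch (a user namespace or an AppArmor profile) and is worth confirming. `lxc.cgroup.memory.limit_in_bytes = 2000M` bounds RAM only; where swap accounting is enabled, adding `lxc.cgroup.memory.memsw.limit_in_bytes` would bound RAM plus swap as well.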