default.conf: add cgroup restrictions
This commit is contained in:
parent
6656e70364
commit
4ad6fa387f
22
default.conf
22
default.conf
@ -5,11 +5,31 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin
|
|||||||
lxc.network.type = veth
|
lxc.network.type = veth
|
||||||
lxc.network.link = br0
|
lxc.network.link = br0
|
||||||
lxc.network.flags = up
|
lxc.network.flags = up
|
||||||
lxc.network.name =eth0
|
lxc.network.name = eth0
|
||||||
lxc.network.mtu = 1500
|
lxc.network.mtu = 1500
|
||||||
lxc.network.ipv4.gateway = auto
|
lxc.network.ipv4.gateway = auto
|
||||||
lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
|
lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
|
||||||
|
|
||||||
|
# cgroups
|
||||||
|
lxc.cgroup.devices.deny = a
|
||||||
|
lxc.cgroup.devices.allow = c *:* m
|
||||||
|
lxc.cgroup.devices.allow = b *:* m
|
||||||
|
lxc.cgroup.devices.allow = c 1:3 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 1:5 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 1:7 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 1:8 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 1:9 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 4:1 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 5:0 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 5:1 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 5:2 rwm
|
||||||
|
lxc.cgroup.devices.allow = c 136:* rwm
|
||||||
|
|
||||||
|
lxc.cgroup.memory.soft_limit_in_bytes = 1500M
|
||||||
|
lxc.cgroup.memory.limit_in_bytes = 2000M
|
||||||
|
lxc.cgroup.cpu.shares = 256
|
||||||
|
lxc.cgroup.blkio.weight = 500
|
||||||
|
|
||||||
lxc.mount.entry = /data/pacman-pkg-cache var/cache/pacman/pkg none bind 0 0
|
lxc.mount.entry = /data/pacman-pkg-cache var/cache/pacman/pkg none bind 0 0
|
||||||
lxc.mount.entry = /data/repo srv/repo none bind,ro 0 0
|
lxc.mount.entry = /data/repo srv/repo none bind,ro 0 0
|
||||||
lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
|
lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
|
||||||
|
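Review bot: The device whitelist grants `lxc.cgroup.devices.allow = c 4:1 rwm`, which is /dev/tty1, the host's first virtual console, not anything the container's own console (5:1) or pts devices (5:2, 136:*) rely on; because the `lxc.cap.drop` line in the hunk header does not drop mknod and `c *:* m` permits creating any character node, this allow entry is what decides whether that host VT can be opened from inside, so it should be removed unless a workload is known to need it. The remaining major:minor pairs are undocumented; a one-line comment per group (`# /dev/null, zero, full`, `# /dev/random, urandom`, `# /dev/tty, console, ptmx and pts`) would make the list auditable without looking up devices.txt. Separately, `lxc.cgroup.memory.limit_in_bytes = 2000M` caps RAM only; if swap is enabled on the host, adding a matching `lxc.cgroup.memory.memsw.limit_in_bytes` keeps that ceiling meaningful.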