[PLDWWW] page changed: docs:lxc
"Elan Ruusamäe (glen)"
glen at pld-linux.org
Mon Dec 9 15:36:23 CET 2013
add full config dump
--- https://www.pld-linux.org/docs/lxc?rev=1386599621
+++ https://www.pld-linux.org/docs/lxc
@@ -139,4 +139,84 @@
lxc.hook.pre-mount = /sbin/service iptables start
lxc.cap.drop = net_admin
</file>
+
+
+ ==== full config ====
+
+ <code bash>
+ # lxc for test
+
+ lxc.network.type = macvlan
+ lxc.network.flags = up
+ #lxc.network.hwaddr = 00:16:c0:a8:3:34
+ lxc.network.link = eth0
+ lxc.network.macvlan.mode = bridge
+ lxc.network.name = eth0
+ lxc.network.ipv4 = 192.168.2.160/23
+ lxc.network.ipv4.gateway = 192.168.2.1
+
+ lxc.rootfs = /srv/test
+ lxc.utsname = pldmachine.local
+ lxc.tty = 4
+ lxc.pts = 1024
+
+ # load delfi-fw, if you want to setup firewall when container is already up
+ # you should run 'lxc-attach -e -n white -- fw-load'
+ lxc.hook.pre-mount = /sbin/service iptables start
+
+ # lxc.mount.entry is prefered, because it supports relative paths
+ lxc.mount = /var/lib/lxc/white/fstab
+
+ lxc.cap.drop = linux_immutable
+ #lxc.cap.drop = sys_boot # works as expected in newer kernels (3.4+)
+ lxc.cap.drop = syslog
+
+ # don't drop net_admin, allows firewall to be configured from inside
+ lxc.cap.drop = net_admin
+
+ # http://www.funtoo.org/Linux_Containers
+ ## Capabilities, see capabilities(7) what is available
+ #lxc.cap.drop = audit_control
+ lxc.cap.drop = audit_write
+ lxc.cap.drop = mac_admin
+ lxc.cap.drop = mac_override
+ lxc.cap.drop = mknod
+ lxc.cap.drop = setfcap
+ lxc.cap.drop = setpcap
+ lxc.cap.drop = sys_admin
+ #lxc.cap.drop = sys_boot
+ #lxc.cap.drop = sys_chroot # required by SSH
+ lxc.cap.drop = sys_module
+ #lxc.cap.drop = sys_nice
+ lxc.cap.drop = sys_pacct
+ lxc.cap.drop = sys_rawio
+ lxc.cap.drop = sys_resource
+ lxc.cap.drop = sys_time
+ #lxc.cap.drop = sys_tty_config # required by getty
+
+ lxc.autodev = 0
+
+ # When using LXC with apparmor, uncomment the next line to run unconfined:
+ lxc.aa_profile = unconfined
+
+ # cgroups
+ # Devices
+ lxc.cgroup.devices.deny = a # Deny access to all devices
+
+ # /dev/null and zero
+ lxc.cgroup.devices.allow = c 1:3 rwm
+ lxc.cgroup.devices.allow = c 1:5 rwm
+ # consoles
+ lxc.cgroup.devices.allow = c 5:1 rwm
+ lxc.cgroup.devices.allow = c 5:0 rwm
+ lxc.cgroup.devices.allow = c 4:0 rwm
+ lxc.cgroup.devices.allow = c 4:1 rwm
+ # /dev/{,u}random
+ lxc.cgroup.devices.allow = c 1:9 rwm
+ lxc.cgroup.devices.allow = c 1:8 rwm
+ lxc.cgroup.devices.allow = c 136:* rwm
+ lxc.cgroup.devices.allow = c 5:2 rwm
+ # rtc
+ lxc.cgroup.devices.allow = c 254:0 rm
+ </code>
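Review bot: The comment `# don't drop net_admin, allows firewall to be configured from inside` contradicts the line right after it, `lxc.cap.drop = net_admin`, which does drop the capability; with it dropped, the `lxc-attach -e -n white -- fw-load` step described a few lines earlier cannot configure iptables inside the container, so only the host-side `lxc.hook.pre-mount` firewall load would work. Either comment the drop out, `#lxc.cap.drop = net_admin`, or reword the comment to state that the firewall is loaded from the host hook, so the dump matches the stated intent. Likewise the comment `# When using LXC with apparmor, uncomment the next line to run unconfined:` is followed by an active `lxc.aa_profile = unconfined`, so this "full config" example disables AppArmor confinement by default; `#lxc.aa_profile = unconfined` would keep the example confined unless the reader deliberately opts out. The `sys_boot` drop is also listed twice as a commented line (once with the 3.4+ remark, once plainly) and could be collapsed to one.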
Diff URL:
https://www.pld-linux.org/docs/lxc?do=diff&r1=1386599621&r2=1386599783
--
This mail was generated by DokuWiki at
https://www.pld-linux.org/