Created
January 5, 2011 03:04
-
-
Save tobert/765867 to your computer and use it in GitHub Desktop.
LXC Config for Puppet testing on CentOS 5.x
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| lxc.utsname = test | |
| lxc.rootfs = /lxc/test/rootfs | |
| lxc.cgroup.cpuset.cpus = 0,1 | |
| lxc.cgroup.cpu.shares = 500 | |
| lxc.network.type = macvlan | |
| lxc.network.flags = up | |
| lxc.network.link = eth0 | |
| lxc.network.hwaddr = 4a:49:43:49:79:bf | |
| lxc.network.ipv4 = 192.168.122.10/24 | |
| lxc.mount.entry=none proc proc nodev,noexec,nosuid 0 0 | |
| lxc.mount.entry=none dev/shm tmpfs defaults 0 0 | |
| lxc.mount.entry=none dev/pts devpts defaults 0 0 | |
| lxc.cgroup.devices.deny = a | |
| # /dev/null|zero | |
| lxc.cgroup.devices.allow = c 1:3 rw | |
| lxc.cgroup.devices.allow = b 8:0 rw | |
| # /dev/console|tty | |
| lxc.cgroup.devices.allow = c 5:1 rwm | |
| lxc.cgroup.devices.allow = c 5:0 rwm | |
| # /dev/tty[01] | |
| lxc.cgroup.devices.allow = c 4:0 rwm | |
| lxc.cgroup.devices.allow = c 4:1 rwm | |
| # /dev/{,u}random | |
| lxc.cgroup.devices.allow = c 1:9 rwm | |
| lxc.cgroup.devices.allow = c 1:8 rwm | |
| # /dev/pts/* - pts namespaces are "coming soon" | |
| lxc.cgroup.devices.allow = c 136:* rwm | |
| lxc.cgroup.devices.allow = c 5:2 rwm | |
| # rtc | |
| lxc.cgroup.devices.allow = c 254:0 rwm | |
| # from capabilities(7) | |
| # only drop really dangerous stuff for now to make puppet testing more efficient | |
| lxc.cap.drop = sys_boot sys_module sys_time | |
| #lxc.cap.drop = audit_control audit_write chown dac_override | |
| #lxc.cap.drop = dac_read_search fowner fsetid ipc_lock | |
| #lxc.cap.drop = ipc_owner kill lease linux_immutable | |
| #lxc.cap.drop = mac_admin mac_override | |
| #lxc.cap.drop = mknod net_admin net_raw setgid setfcap | |
| #lxc.cap.drop = setpcap setuid sys_boot sys_chroot | |
| #lxc.cap.drop = sys_module sys_nice sys_pacct sys_ptrace | |
| #lxc.cap.drop = sys_rawio sys_resource sys_time sys_tty_config | |
| #lxc.cap.drop = net_broadcast | |
| #lxc.cap.drop = sys_admin # this breaks the git version of LXC I'm using | |
| ## lxc.cap.drop = net_bind_service # allow this |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment