Here is mine:

# Capabilities
#
# You don't need to drop capabilities. But for security, you probably
# want to drop as many capabilities as you can. (See "man capabilities".)
#
# - WARNING: Any read-only mount in $HOST.fstab can be remounted as
#   read-write unless sys_admin is dropped. You have been warned.
#
# - The hostname command needs sys_admin. So if you drop sys_admin here,
#   you'll see this harmless warning at lxc-start:
#       init: hostname main process (4) terminated with status 1
#
# - iptables / ufw (and ping?) needs net_raw, so it is not dropped.
# - OpenSSH needs sys_resource, so it is not dropped.
#
lxc.cap.drop=sys_admin audit_control audit_write fsetid ipc_lock ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap setpcap sys_boot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config sys_time

Thanks,
Derek Simkowiak
http://derek.simkowiak.net

On 10/26/2011 10:31 AM, Ulli Horlacher wrote:
> Is there a "best practises" for lxc.cap.drop configuration?
>
> I have so far as default:
>
> # no MAC change
> lxc.cap.drop = mac_override
>
> # no kernel module (un)loading
> lxc.cap.drop = sys_module
>
> # no reboot
> lxc.cap.drop = sys_boot
>
> # no (un/re)mounting
> lxc.cap.drop = sys_admin
>
> # no time setting
> lxc.cap.drop = sys_time
>
>
> All the corresponding tasks should be done via host and not via container.

_______________________________________________
Lxc-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxc-users
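
One way to check that a container really lost the capabilities listed in configs like the two above, as an added example that is not part of the original messages: it collects every lxc.cap.drop entry from a config and compares it with the CapBnd bounding-set mask read from /proc/1/status inside the running container. The function names and sample values are constructed for illustration, and the rule that an empty lxc.cap.drop value resets the list is taken from lxc.container.conf(5) of current LXC releases.

```python
import re

# Capability names by bit number, from linux/capability.h (CAP_ prefix dropped,
# lower case, which is the spelling lxc.cap.drop expects).
CAPS = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
        "setpcap linux_immutable net_bind_service net_broadcast net_admin "
        "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
        "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
        "sys_tty_config mknod lease audit_write audit_control setfcap "
        "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
        "perfmon bpf checkpoint_restore").split()

def parse_cap_drop(config_text):
    """Return the set of capabilities an LXC config asks to drop."""
    dropped = set()
    for line in config_text.splitlines():
        m = re.match(r"\s*lxc\.cap\.drop\s*=(.*)", line)
        if not m:
            continue  # comment lines and other keys
        names = m.group(1).split()
        unknown = [n for n in names if n not in CAPS]
        if unknown:
            raise ValueError("unknown capability: " + " ".join(unknown))
        if names:
            dropped.update(names)  # one line may list several capabilities
        else:
            dropped.clear()  # assumption: empty value resets the list
    return dropped

def caps_in_mask(capbnd_hex):
    """Decode a CapBnd value from /proc/<pid>/status into capability names."""
    mask = int(capbnd_hex, 16)
    return {name for bit, name in enumerate(CAPS) if mask >> bit & 1}

def still_held(config_text, capbnd_hex):
    """Capabilities the config drops that the bounding set still contains."""
    return sorted(parse_cap_drop(config_text) & caps_in_mask(capbnd_hex))

# Constructed sample: two per-line entries, and a constructed CapBnd value in
# which every capability known to this table is still present.
SAMPLE_CONFIG = "# no (un/re)mounting\nlxc.cap.drop = sys_admin\nlxc.cap.drop = sys_module\n"
SAMPLE_CAPBND = "000001ffffffffff"

if __name__ == "__main__":
    print("configured to drop but still held:", still_held(SAMPLE_CONFIG, SAMPLE_CAPBND))
```

An empty result from still_held means every capability named in the config is absent from the container's bounding set.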
