![]() Specifies whether a container will be started during system bootup. Name of the network device as seen from inside the container. Whether this interface should be disconnected (like pulling the plug). Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume.Ĭontrols whether this interface’s firewall rules should be used.Ī common MAC address with the I/G (Individual/Group) bit not set. Script that will be exectued during various steps in the containers lifetime. Note that this will expose procfs and sysfs contents of the host to the guest. Best used with unprivileged containers with additional id mapping. With access to a loop device, mounting a file can circumvent the mknod permission of the devices cgroup, mounting an NFS file system can block the host’s I/O completely and prevent it from rebooting, etc.Īllow nesting. Note that this can have negative effects on the container’s security. This should be a list of file system types as used with the mount command. This is experimental.Īllow mounting file systems of specific types. This requires a kernel with seccomp trap to user space support (5.3 or newer). Essentially, you can choose between running systemd-networkd or docker.Īllow unprivileged containers to use mknod() to add certain device nodes. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. ![]() ![]() By default unprivileged containers will see this system call as non-existent. This is required to use docker inside a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.įor unprivileged containers only: Allow the use of the keyctl() system call. This can break networking under newer (>= v245) systemd-network use.Īllow using fuse file systems in a container. Mount /sys in unprivileged containers as rw instead of mixed. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |