From: S.Çağlar Onur
Date: Sat, 7 Dec 2013 23:04:10 +0000 (-0500)
Subject: ubuntu: add comments about running unconfined or nested containers
X-Git-Tag: lxc-1.0.0.beta1~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3928441889e4c91d986bbbb41e791e18d2b1e91;p=thirdparty%2Flxc.git

ubuntu: add comments about running unconfined or nested containers

Signed-off-by: S.Çağlar Onur
Acked-by: Stéphane Graber
---
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 8c6103365..ef4e818ee 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -17,6 +17,16 @@ lxc.pts = 1024
 # Default capabilities
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
 # Default cgroup limits
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not using the node)