From d3928441889e4c91d986bbbb41e791e18d2b1e91 Mon Sep 17 00:00:00 2001
From: =?utf8?q?S=2E=C3=87a=C4=9Flar=20Onur?=
Date: Sat, 7 Dec 2013 18:04:10 -0500
Subject: [PATCH] ubuntu: add comments about running unconfined or nested containers
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: S.Çağlar Onur
Acked-by: Stéphane Graber
---
 config/templates/ubuntu.common.conf.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 8c6103365..ef4e818ee 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -17,6 +17,16 @@ lxc.pts = 1024
 # Default capabilities
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
 # Default cgroup limits
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not using the node)
-- 
2.47.2
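Review bot: The unconfined example in the new comment block says nothing about what is given up; `#lxc.aa_profile = unconfined` drops the AppArmor confinement that the first sentence describes as the default, and since these lines are meant to be copied verbatim into a container's configuration the trade-off should be stated next to them, e.g. `# Note: unconfined removes apparmor mediation for this container entirely; the capability and cgroup limits below still apply, but use it only for containers whose root user you trust.` The nesting alternative would likewise benefit from one line explaining why `lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups` is paired with the nesting profile, since a reader copying both lines has no way to tell which one relaxes what. The hook path is hard-coded in a `.conf.in` template; if the template substitutes install paths elsewhere, this line should presumably use the same mechanism so it stays correct for non-default prefixes. The hunk shows five context lines against a `-17,6` header, so a blank context line appears to have been lost in transit; that is a transport artifact, not a defect in the change.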