ubuntu: add comments about running unconfined or nested containers

Signed-off-by: S.Çağlar Onur <caglar@10ur.org> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

ubuntu: add comments about running unconfined or nested containers
d3928441 · S.Çağlar Onur · Stéphane Graber · 802f869f · d3928441
Commit d3928441 authored Dec 07, 2013 by S.Çağlar Onur Committed by Stéphane Graber Dec 09, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

ubuntu.common.conf.in config/templates/ubuntu.common.conf.in +10 -0

No files found.
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -17,6 +17,16 @@ lxc.pts = 1024
 # Default capabilities
 lxc.cap.drop = sys_module mac_admin mac_override sys_time

+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
 # Default cgroup limits
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not using the node)