ubuntu: add comments about running unconfined or nested containers

author S.Çağlar Onur <caglar@10ur.org>

Sat, 7 Dec 2013 23:04:10 +0000 (18:04 -0500)

committer Stéphane Graber <stgraber@ubuntu.com>

Mon, 9 Dec 2013 20:06:59 +0000 (15:06 -0500)
author S.Çağlar Onur <caglar@10ur.org>
Sat, 7 Dec 2013 23:04:10 +0000 (18:04 -0500)
committer Stéphane Graber <stgraber@ubuntu.com>
Mon, 9 Dec 2013 20:06:59 +0000 (15:06 -0500)
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in

index 8c6103365af3a447c2c41a0b155c1383fdf13052..ef4e818ee0387b66e8cf43e59feb611d4b8261d2 100644 (file)
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -17,6 +17,16 @@ lxc.pts = 1024
  # Default capabilities
  lxc.cap.drop = sys_module mac_admin mac_override sys_time
  
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.aa_profile = unconfined
+
+# To support container nesting on an Ubuntu host while retaining most of
+# apparmor's added security, use the following two lines instead.
+#lxc.aa_profile = lxc-container-default-with-nesting
+#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+
  # Default cgroup limits
  lxc.cgroup.devices.deny = a
  ## Allow any mknod (but not using the node)
author	S.Çağlar Onur <caglar@10ur.org>
	Sat, 7 Dec 2013 23:04:10 +0000 (18:04 -0500)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Mon, 9 Dec 2013 20:06:59 +0000 (15:06 -0500)