[lxc-devel] [PATCH 1/1] ubuntu container configs: Add comments about other apparmor profiles

Serge Hallyn serge.hallyn at ubuntu.com
Mon Dec 9 20:19:05 UTC 2013


Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 config/templates/ubuntu.common.conf.in | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index ef4e818..4aeea7d 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -21,6 +21,10 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
 #lxc.aa_profile = unconfined
+# If you wish to only allow starting nested containers, then use the following:
+#lxc.aa_profile = lxc-container-default-with-nesting
+# If you wish to allow mounting block filesystems, then use the following:
+#lxc.aa_profile = lxc-container-default-with-mounting
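Review bot: The first added comment, "If you wish to only allow starting nested containers", attaches "only" to the wrong verb: the profile name suggests it is the default profile relaxed just enough for nesting, not a profile that restricts the container to nesting, so `# If you wish to allow only nested containers (no other relaxation), then use the following:` says what is presumably meant. The two new lines also sit directly above the existing "To support container nesting on an Ubuntu host ... use the following two lines instead" paragraph, so the file now offers two nesting recipes back to back without saying how they relate; one sentence telling the reader which to prefer, or that the profile line is the single-line alternative to that two-line recipe, would remove the ambiguity. Finally, the unconfined example just above says the line must be copied uncommented into the container's configuration file, while the two new examples do not; repeating that instruction, or changing "then use the following" to "then copy the following line (uncommented) to the container's configuration file", keeps the three examples consistent.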
 
 # To support container nesting on an Ubuntu host while retaining most of
 # apparmor's added security, use the following two lines instead.
@@ -56,3 +60,6 @@ lxc.cgroup.devices.allow = c 1:7 rwm
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
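Review bot: The added loop-device rule `b 7:* rwm` grants read, write and mknod access to every loop device, and loop devices are shared with the host rather than private to the container, so the comment should state that scope so an administrator does not copy it expecting a per-container grant. It would also help to cross-reference the first hunk of this patch: the device rule only lets the container open the loop devices, and mounting a filesystem from one presumably still needs the `lxc-container-default-with-mounting` profile described there, so a reader enabling loop devices alone may wonder why mounts still fail. A wording such as `## To use loop devices (this grants access to all of the host's loop devices; mounting` / `## from them also needs an apparmor profile that allows mounting), copy the following` / `## line to the container's configuration file (uncommented).` covers both points.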
-- 
1.8.5.1


