[lxc-devel] [PATCH 1/1] ubuntu container configs: Add comments about other apparmor profiles

Serge Hallyn serge.hallyn at ubuntu.com
Mon Dec 9 20:51:50 UTC 2013


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Mon, Dec 09, 2013 at 02:19:05PM -0600, Serge Hallyn wrote:
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> 
> Hmm, doesn't that duplicate the section on nesting?

Oh, feh.  So it does.  V2:

From 34c19f26bb61ef11346b06b0094331b027a0e0c3 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Mon, 9 Dec 2013 14:18:19 -0600
Subject: [PATCH 1/1] ubuntu container configs: Add comments about other
 apparmor profiles

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 config/templates/ubuntu.common.conf.in | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index ef4e818..0575321 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -27,6 +27,11 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 #lxc.aa_profile = lxc-container-default-with-nesting
 #lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
 
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.aa_profile = lxc-container-default-with-mounting
+
 # Default cgroup limits
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not using the node)
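Review bot: the new comment block should spell out what switching to lxc-container-default-with-mounting costs, not only how to do it: that profile relaxes the mount restrictions the default profile enforces, and once the container is also granted the block or loop device in lxc.cgroup.devices.allow (as the comment instructs) it can read and write the host's raw devices, so the line is only appropriate for containers whose root user is trusted. A short sentence after "in lxc.cgroup.devices.allow." such as "# Note that this gives the container raw access to those devices." would make the trade-off visible to anyone uncommenting the template line.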
@@ -56,3 +61,6 @@ lxc.cgroup.devices.allow = c 1:7 rwm
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
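Review bot: "b 7:* rwm" grants every loop device rather than a specific minor, and since loop devices are not namespaced the container would share them with the host; the comment should say so and note that the rule is only effective together with the with-mounting profile documented in the previous hunk. The wording is also inconsistent with that hunk: the first comment says "use the following line instead" (edit the template in place), while this one says "copy the following line to the container's configuration file (uncommented)"; pick one instruction style for both so readers are not left guessing whether the template or the per-container config is the place to make the change.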
-- 
1.8.5.1
