# Ubuntu-specific defaults for LXC containers, layered on top of the global
# common config.  The settings below are written for privileged containers
# (the seccomp comment at the bottom says so; uid 0 in the container is then
# uid 0 on the host), so the isolation comes mainly from the apparmor profile
# and the seccomp policy referenced here, not from the mounts and device rules
# by themselves.
# This derives from the global common config
lxc.include = @LXCTEMPLATECONFIG@/common.conf

# Default mount entries
# proc: nodev,noexec,nosuid so nothing under /proc can be executed, used as a
# device node, or honoured as setuid.
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
# sysfs: mounted with "defaults", i.e. read-write.  In a privileged container a
# writable /sys exposes host kernel tunables; any restriction on writes comes
# from the apparmor profile in effect, not from this line.
# NOTE(review): consider "ro" here if the workload does not need to write to
# /sys -- confirm against what the Ubuntu guest's init expects.
lxc.mount.entry = sysfs sys sysfs defaults 0 0
# Host bind mounts.  "optional" means container start does not fail when the
# host path is absent.  They are bind-mounted without "ro", and every one of
# them is host-global kernel state (fuse connections, debugfs, securityfs and
# the persistent-store crash logs), so treat them as shared with the host
# rather than as container-private filesystems.
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
# WARNING: for a privileged container apparmor is the main barrier between
# container root and the host; "unconfined" removes it entirely.  Only do this
# for a container whose root user you already trust with the host.
# (Newer LXC releases spell this key lxc.apparmor.profile -- check your
# version's lxc.container.conf(5).)
#lxc.aa_profile = unconfined

# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
# The nesting profile is necessarily looser than the default, and the
# mountcgroups hook presumably makes the cgroup filesystem visible inside the
# container; enable both only when nesting is actually required.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups

# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
# This is a pre-start hook, so it runs on the host side before the container
# is up; it only passes the proxy setting through and adds no confinement.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
# A container that may mount block devices can read, and write, any host disk
# whose node it is granted.  Allow the specific major:minor it needs rather
# than a wildcard.
#lxc.aa_profile = lxc-container-default-with-mounting

# Extra cgroup device access
# Rule format is "<c|b> <major>:<minor> <access>" with r = read, w = write,
# m = mknod.  These presumably extend the base whitelist from the included
# common config (not visible here).
## rtc -- read and mknod only; no write access is granted
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm -- hands the host's virtualization interface to the container; drop
## this line for containers that do not run VMs
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
## Loop devices are a host-global resource, not namespaced: with this rule a
## container can see and reconfigure loop devices set up by the host or by
## other containers.  Prefer granting a single "b 7:N rwm" over the wildcard.
#lxc.cgroup.devices.allow = b 7:* rwm

# Blacklist some syscalls which are not safe in privileged
# containers
# This is a deny-list, not an allow-list: any syscall not named in
# ubuntu.priv.seccomp remains reachable from the container.  Re-check that
# file when the kernel gains new syscalls.  (Newer LXC releases spell this
# key lxc.seccomp.profile.)
lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
