# Example config for nsjail
# Jail identity and free-form notes. "description" is given several times;
# the lines below read as one continued sentence listing the package
# versions this profile was tested with.
name: "tomcat8"
description: "Tested under Ubuntu 16.04 with tomcat8=8.0.32-1ubuntu1.9,"
description: "libnl-route-3-200=3.2.27-1ubuntu0.16.04.1,"
description: "libprotobuf9v5=2.6.1-1.3,"
description: "openjdk-8-jre=8u191-b12-2ubuntu0.16.04.1. "
# The documented invocation starts nsjail itself via sudo; the uidmap/gidmap
# entries in this file then place the workload under the tomcat8 identity.
description: "Run as: sudo ./nsjail --config configs/tomcat.cfg"
# ONCE: run the configured command a single time (no listening/re-run loop
# managed by nsjail).
mode: ONCE
# Hostname the jailed process sees.
hostname: "TOMCAT-NSJ"
# Environment handed to the jailed process. Every path named here must be
# reachable through one of the mount entries in this file.
# NOTE(review): no keep_env setting is visible here, so presumably only
# these variables are passed through -- confirm against the nsjail defaults.
envar: "JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre"
# Both temp locations point at /tmp, which this file mounts as a tmpfs.
envar: "JVM_TMP=/tmp"
envar: "CATALINA_TMPDIR=/tmp"
# CATALINA_HOME is bind-mounted read-only below; CATALINA_BASE is
# bind-mounted read-write.
envar: "CATALINA_HOME=/usr/share/tomcat8"
envar: "CATALINA_BASE=/var/lib/tomcat8"
envar: "CATALINA_OPTS=-server -XX:+UseParallelGC"
# -Xmx512M caps the Java heap only; the address-space rlimit set in this
# file is the outer bound for the whole JVM process.
# NOTE(review): java.security.egd points at /dev/./urandom, but no mount
# entry in this file provides /dev. Confirm the device is actually present
# inside the jail; if it is not, the JVM cannot seed SecureRandom from it.
envar: "JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xms256M -Xmx512M -Djava.security.egd=file:/dev/./urandom"
# Resource limits for the jailed process.
# Address-space limit (nsjail documents this value in MiB).
rlimit_as: 2048
# Largest single file the process may write (MiB). This bounds one file,
# not the total written to the read-write mounts.
rlimit_fsize: 1024
# INF: no CPU-time limit, as expected for a long-running server.
rlimit_cpu_type: INF
# Maximum number of open file descriptors; sockets count against it, so it
# also bounds concurrent connections.
rlimit_nofile: 1024
# 0: no wall-clock limit, so nsjail does not stop the server after a fixed
# run time.
time_limit: 0
# Capability kept for the jailed process; it permits binding TCP/UDP ports
# below 1024.
# NOTE(review): if the connectors configured under /etc/tomcat8 listen only
# on ports >= 1024, this line can be removed so the process holds no
# capabilities -- verify against the deployed server.xml.
# NOTE(review): no seccomp policy appears in the lines shown; syscall
# filtering, if wanted, has to be added separately.
cap: "CAP_NET_BIND_SERVICE"
# User mapping: the account named tomcat8 outside the jail appears under
# the same name inside it. The workload therefore runs as tomcat8 rather
# than as root, and host file ownership on the bind mounts applies to it
# unchanged.
uidmap {
inside_id: "tomcat8"
outside_id: "tomcat8"
}
# Group mapping, same scheme as the user mapping above.
gidmap {
inside_id: "tomcat8"
outside_id: "tomcat8"
}
# Automatic /proc mounting is switched off; /proc is provided by an explicit
# read-only mount entry at the end of the mount list in this file.
mount_proc: false
# Tomcat configuration, read-only: the jailed process can read it (including
# any credentials kept in files there) but cannot alter it.
mount {
src: "/etc/tomcat8"
dst: "/etc/tomcat8"
is_bind: true
rw: false
}
# CATALINA_BASE, read-write. Anything Tomcat keeps here can be modified by
# the jailed process, and the changes persist on the host after the jail
# exits.
# NOTE(review): if deployed applications live under this path and do not
# need to change at run time, consider a narrower read-write mount or a
# read-only overlay for them -- verify the directory layout on the target
# host first.
mount {
src: "/var/lib/tomcat8"
dst: "/var/lib/tomcat8"
is_bind: true
rw: true
}
# Log directory, read-write. Log files are written by the jailed process
# itself, so their contents are under its control; ship them off-host if
# they are to serve as evidence.
mount {
src: "/var/log/tomcat8"
dst: "/var/log/tomcat8"
is_bind: true
rw: true
}
# Cache/work directory, read-write.
mount {
src: "/var/cache/tomcat8"
dst: "/var/cache/tomcat8"
is_bind: true
rw: true
}
# CATALINA_HOME (Tomcat's own scripts and libraries), read-only.
mount {
src: "/usr/share/tomcat8"
dst: "/usr/share/tomcat8"
is_bind: true
rw: false
}
# Host system directories, all bind-mounted read-only. They supply the
# shell, JVM and shared libraries the start script needs, but they also make
# every other host binary and library under these paths visible inside the
# jail.
# NOTE(review): a dedicated minimal tree holding only what Tomcat and the
# JVM require would expose less than the full host directories.
mount {
src: "/bin"
dst: "/bin"
is_bind: true
rw: false
}
mount {
src: "/lib"
dst: "/lib"
is_bind: true
rw: false
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
rw: false
}
mount {
src: "/usr/bin"
dst: "/usr/bin"
is_bind: true
rw: false
}
# Contains the JAVA_HOME path set in the envar entries
# (/usr/lib/jvm/java-8-openjdk-amd64/jre).
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
rw: false
}
# Shared Java libraries, read-only.
mount {
src: "/usr/share/java"
dst: "/usr/share/java"
is_bind: true
rw: false
}
# Private, writable /tmp on a tmpfs (no src: nothing from the host's /tmp is
# shared). JVM_TMP and CATALINA_TMPDIR both point here.
# NOTE(review): no size option is set, so the tmpfs is bounded only by the
# kernel default; its contents are held in memory. rlimit_fsize limits a
# single file, not the total. Consider an explicit size limit.
mount {
dst: "/tmp"
fstype: "tmpfs"
rw: true
}
# Explicit read-only procfs; this is the /proc the jail gets, since
# mount_proc is set to false earlier in the file.
# NOTE(review): which processes are visible through it depends on the PID
# namespace setting, which is not set in the lines shown -- confirm the
# nsjail default in use.
mount {
dst: "/proc"
fstype: "proc"
rw: false
}
# Command executed inside the jail: Tomcat's start script with the "run"
# argument. The script lives under the read-only /usr/share/tomcat8 mount,
# so the jailed process cannot rewrite its own entry point.
# NOTE(review): the script needs a shell interpreter, which presumably comes
# from the /bin mount -- confirm the script's interpreter line on the target
# host.
exec_bin {
path: "/usr/share/tomcat8/bin/catalina.sh"
arg : "run"
}