# Example config for nsjail

name: "tomcat8"

description: "Tested under Ubuntu 16.04 with tomcat8=8.0.32-1ubuntu1.9,"
description: "libnl-route-3-200=3.2.27-1ubuntu0.16.04.1,"
description: "libprotobuf9v5=2.6.1-1.3,"
description: "openjdk-8-jre=8u191-b12-2ubuntu0.16.04.1. "
description: "Run as: sudo ./nsjail --config configs/tomcat.cfg"

mode: ONCE
hostname: "TOMCAT-NSJ"

envar: "JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre"
envar: "JVM_TMP=/tmp"
envar: "CATALINA_TMPDIR=/tmp"
envar: "CATALINA_HOME=/usr/share/tomcat8"
envar: "CATALINA_BASE=/var/lib/tomcat8"
envar: "CATALINA_OPTS=-server -XX:+UseParallelGC"
envar: "JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xms256M -Xmx512M -Djava.security.egd=file:/dev/./urandom"

rlimit_as: 2048
rlimit_fsize: 1024
rlimit_cpu_type: INF
rlimit_nofile: 1024

time_limit: 0

cap: "CAP_NET_BIND_SERVICE"

uidmap {
	inside_id: "tomcat8"
	outside_id: "tomcat8"
}

gidmap {
	inside_id: "tomcat8"
	outside_id: "tomcat8"
}

mount_proc: false

mount {
	src: "/etc/tomcat8"
	dst: "/etc/tomcat8"
	is_bind: true
	rw: false
}

mount {
	src: "/var/lib/tomcat8"
	dst: "/var/lib/tomcat8"
	is_bind: true
	rw: true
}

mount {
	src: "/var/log/tomcat8"
	dst: "/var/log/tomcat8"
	is_bind: true
	rw: true
}

mount {
	src: "/var/cache/tomcat8"
	dst: "/var/cache/tomcat8"
	is_bind: true
	rw: true
}

mount {
	src: "/usr/share/tomcat8"
	dst: "/usr/share/tomcat8"
	is_bind: true
	rw: false
}

mount {
	src: "/bin"
	dst: "/bin"
	is_bind: true
	rw: false
}

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
	rw: false
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	rw: false
}

mount {
	src: "/usr/bin"
	dst: "/usr/bin"
	is_bind: true
	rw: false
}

mount {
	src: "/usr/lib"
	dst: "/usr/lib"
	is_bind: true
	rw: false
}

mount {
	src: "/usr/share/java"
	dst: "/usr/share/java"
	is_bind: true
	rw: false
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
}

mount {
	dst: "/proc"
	fstype: "proc"
	rw: false
}

exec_bin {
	path: "/usr/share/tomcat8/bin/catalina.sh"
	arg : "run"
}