This set moves the cgroup creation before that of the container process, thus ensuring that it is put in the cgroup as well. As a result, I noticed that we need to allow device access to /dev/pts/*, and thus added a cgroup mechanism to allow a whole major device type. The LXC driver is made to allow major type 136 as a result.

Note that this doesn't seem to do much to really restrict the container. While it does prevent it from opening devices other than what are allowed, the container can still mount (or access) the cgroup filesystem and move itself out of its own group and into the unrestricted root. Further, it can just add whitelist entries for the devices it wants to gain access to. I tested code to restrict the devices in the per-driver cgroup, but that appears to have no effect, because from within the container, I can still add "b 8:* rwm" to my group's devices.allow and subsequently access SCSI disks.

Even still, this patch set is crucial for proper cgroup membership of the container children.

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
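The following is an added example, not code from the patch set or from libvirt. It models the matching rules of the cgroup v1 devices controller (the "<type> <major>:<minor> <access>" entries written to devices.allow and read back from devices.list) so that an administrator can check, from the host, what a container's whitelist actually permits and flag entries that widen it beyond a single device. The whitelist text and the function names are constructed for this example; the major numbers 136 (pts) and 8 (SCSI disks) are the ones discussed in the message.

```python
"""Evaluate and audit a cgroup v1 'devices' controller whitelist.

Added example, not libvirt code.  Each whitelist entry has the form
"<type> <major>:<minor> <access>": type is 'a' (all), 'b' (block) or
'c' (char); major and minor are integers or '*' (any); access is a
non-empty subset of "rwm" (read, write, mknod).  A request is permitted
when some entry covers the device and every requested access bit.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class DeviceRule:
    dev_type: str            # 'a', 'b' or 'c'
    major: Optional[int]     # None stands for '*'
    minor: Optional[int]     # None stands for '*'
    access: frozenset        # subset of {'r', 'w', 'm'}

    def matches(self, dev_type: str, major: int, minor: int, access: str) -> bool:
        """True if this rule permits 'access' to the given device node."""
        if self.dev_type != 'a' and self.dev_type != dev_type:
            return False
        if self.major is not None and self.major != major:
            return False
        if self.minor is not None and self.minor != minor:
            return False
        # every requested bit (r, w, m) must be granted by the rule
        return set(access) <= self.access


def _parse_number(token: str) -> Optional[int]:
    return None if token == '*' else int(token)


def parse_rule(line: str) -> DeviceRule:
    """Parse one devices.allow / devices.list entry, e.g. 'c 136:* rwm'."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in ('a', 'b', 'c'):
        raise ValueError(f"malformed device rule: {line!r}")
    major_s, minor_s = parts[1].split(':', 1)
    access = frozenset(parts[2])
    if not access or not access <= {'r', 'w', 'm'}:
        raise ValueError(f"bad access spec in rule: {line!r}")
    return DeviceRule(parts[0], _parse_number(major_s),
                      _parse_number(minor_s), access)


def parse_whitelist(text: str) -> List[DeviceRule]:
    """Parse the full contents of a devices.list file (blank lines ignored)."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def is_allowed(rules: Sequence[DeviceRule], dev_type: str,
               major: int, minor: int, access: str) -> bool:
    """Would the devices controller permit this access under 'rules'?"""
    return any(r.matches(dev_type, major, minor, access) for r in rules)


def overbroad_rules(rules: Sequence[DeviceRule]) -> List[DeviceRule]:
    """Audit helper: entries that open all devices ('a ...') or a whole
    block-device major/minor range.  Such an entry in a container's
    devices.list means the group no longer confines disk access."""
    return [r for r in rules
            if r.dev_type == 'a'
            or (r.dev_type == 'b' and (r.major is None or r.minor is None))]


# Constructed sample of a container whitelist: the whole pts major (136)
# as the patch allows, plus /dev/null (1:3) and /dev/ptmx (5:2).
CONTAINER_WHITELIST = """\
c 136:* rwm
c 1:3 rwm
c 5:2 rwm
"""


def main() -> None:
    rules = parse_whitelist(CONTAINER_WHITELIST)
    print("pts 136:7 rw allowed:", is_allowed(rules, 'c', 136, 7, 'rw'))
    print("sda 8:0 r allowed:   ", is_allowed(rules, 'b', 8, 0, 'r'))
    print("overbroad entries:   ", overbroad_rules(rules))
    # What the list looks like after the entry the message describes
    # has been added to it: the audit now flags a whole-major block rule.
    widened = rules + [parse_rule("b 8:* rwm")]
    print("after 'b 8:* rwm':   ", is_allowed(widened, 'b', 8, 0, 'rw'),
          overbroad_rules(widened))


if __name__ == "__main__":
    main()
```

Reading a live group's devices.list from the host (for instance under the cgroup mount used by the driver) and feeding it to parse_whitelist gives the same check against the running configuration; the audit only reports block-device wildcards and 'a' entries, so a character-device wildcard such as the pts major passes while a whole SCSI major does not.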