[libvirt] [PATCH 0 of 2] Cgroup and LXC fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This set moves the cgroup creation before that of the container process,
thus ensuring that it is put in the cgroup as well.  As a result, I noticed
that we need to allow device access to /dev/pts/*, and thus added a cgroup
mechanism to allow a whole major device type.  The LXC driver is made to
allow major type 136 as a result.

Note that this doesn't seem to do much to really restrict the container.
While it does prevent them from opening devices other than what are allowed,
the container can still mount (or access) the cgroup filesystem and move
itself out of its own group and into the unrestricted root.  Further,
it can just add whitelist entries for the devices it wants to gain access.

I tested code to restrict the devices in the per-driver cgroup, but that
appears to have no effect, because from within the container, I can still
add "b 8:* rwm" to my group's devices.allow and subsequently access SCSI
disks.  Even still, this patch set is crucial for proper cgroup membership of 
the container children.

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]