Re: [PATCHv2] lxc: give RW access to /proc/sys/net/ipv[46] to containers

On Tue, Dec 9, 2014 at 10:47 AM, Cédric Bosdonnat <cbosdonnat@xxxxxxxx> wrote:
> Some programs want to change some values for the network interfaces
> configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
> allows wicked to work on openSUSE 13.2+.
>
> In order to mount those folders RW but keep the rest of /proc/sys RO,
> we add temporary mounts for these folders before bind-mounting
> /proc/sys. Those mounts will be skipped if the container doesn't have
> its own network namespace.
>
> It may happen that one of the temporary mounts in the /proc filesystem
> isn't available due to a missing kernel feature. We need not fail
> in that case.

IMHO we should drop the read-only /proc mount completely.
The idea behind having a read-only /proc was to make a container less insecure
because user namespaces did not exist yet.

Now that user namespaces are mainline and considered stable, we should
start dropping such hacks instead of adding more of them.

As a consequence of that, libvirt has to decide what kind of container it
wants to support. IMHO the only sane way is to enforce user namespaces to
provide reasonable isolation. If a user can do bad things with a read-write
/proc, it needs to be fixed in the kernel and not in libvirt.

Containers without user namespaces and a root within are insecure and
broken by design.

Just my two cents.

-- 
Thanks,
//richard
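The mount sequence that the quoted patch description outlines (keep /proc/sys read-only, expose /proc/sys/net/ipv4 and ipv6 read-write, skip the net directories when the container shares the host's network namespace, tolerate a missing directory), written out as an added example. This is illustration code, not libvirt's implementation: the function names, the PROC_ROOT/HAVE_NETNS parameters and the remount-based approach are assumptions; libvirt's own order of operations and source paths may differ.

```shell
#!/bin/sh
# Added example (not libvirt code): plan the bind mounts that keep /proc/sys
# read-only while giving read-write access to /proc/sys/net/ipv4 and ipv6.

# plan_proc_sys_mounts PROC_ROOT HAVE_NETNS
#   PROC_ROOT  : proc filesystem to work on (e.g. /proc); for a dry run a
#                plain directory tree with the same layout is enough
#   HAVE_NETNS : "yes" when the container has its own network namespace
# Prints one mount(8) command per line, in the order they must run.
plan_proc_sys_mounts() {
    proc_root=$1
    have_netns=$2

    # 1. Bind /proc/sys onto itself and lock it read-only.  A plain bind keeps
    #    the source mount's flags, so the explicit remount is required.
    echo "mount --bind $proc_root/sys $proc_root/sys"
    echo "mount -o remount,bind,ro $proc_root/sys $proc_root/sys"

    # 2. Without a private network namespace, /proc/sys/net is the host's
    #    network configuration: it must stay read-only, so stop here.
    [ "$have_netns" = yes ] || return 0

    # 3. Stack a read-write bind mount over each address-family directory.
    #    The directory may be absent (e.g. IPv6 compiled out), and that must
    #    not be treated as an error, so it is simply skipped.
    for fam in ipv4 ipv6; do
        dir=$proc_root/sys/net/$fam
        [ -d "$dir" ] || continue
        echo "mount --bind $dir $dir"
        echo "mount -o remount,bind,rw $dir $dir"
    done
}

# apply_proc_sys_mounts PROC_ROOT HAVE_NETNS
# Executes the plan.  Needs root and a private mount namespace for the
# container being set up; only meaningful against a real proc mount.
apply_proc_sys_mounts() {
    plan_proc_sys_mounts "$1" "$2" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# Dry run from the command line: ./proc_sys_mounts.sh /proc yes
[ "${1-}" ] && plan_proc_sys_mounts "$1" "${2-no}"
```

The ordering is the point: the read-only remount of /proc/sys comes first, and the read-write mounts are stacked on top afterwards, so everything under /proc/sys other than the two net directories stays read-only. The `HAVE_NETNS` gate is what keeps a container that shares the host network namespace from rewriting the host's net sysctls.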

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list