On Wed, Dec 10, 2014 at 10:40 AM, Cédric Bosdonnat <cbosdonnat@xxxxxxxx> wrote: > Some programs want to change some values for the network interfaces > configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them > allows wicked to work on openSUSE 13.2+. > > Reusing the lxcNeedNetworkNamespace function to tell > lxcContainerMountBasicFS if the netns is disabled. When no netns is > set up, then we don't mount the /proc/sys/net/ipv[46] folder RW as > these would provide full access to the host NICs config. > --- > Diff to v2: > * mount from /.oldroot as suggested by Dan... removed the whole temporary > mount related code as it turned out useless. > > src/lxc/lxc_container.c | 64 +++++++++++++++++++++++++++++++------------------ > 1 file changed, 41 insertions(+), 23 deletions(-) So you continue ignoring my comments. Now this kludge is in git and I see the next hack in the pipeline. "[PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled" Great software design that is... Enough moaning, can we please just drop the RO /sys and /proc mounts? I'll happily submit a patch but I really want a clear signal from maintainers whether we want to continue with pseudo security or not. BTW: We do we setup all these mounts in lxc_container.c anyway. Wouldn't it make sense to define them in the XML definition? -- Thanks, //richard -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list