How to deal with LXC cgroup access control with apparmor?


 



I don't know if it is "legal" to send the email here :)
================

I am playing with libvirt 1.1.1 (lxc).
When I was starting an LXC container, the process location of cgroup is pretty, just the root directory
from the process. But I could tune the cgroup in a container as a user that logged in. This is not accepted...

I wonder how to restrict it with apparmor, so one cannot modify files in the cgroup fs, e.g. the cpus or mem.
If I restrict it with "deny /sys/fs/cgroup/** wrklx," in apparmor, the container would not start up:
"Permission denied", because a process would mount the cgroup; it seems to be done by libvirt_lxc.
Any way to restrict the cgroup in the container, or just not mount cgroup in the container?

Any help would be appreciated, thanks .

------------------
止语
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
