On Mon, Sep 09, 2013 at 04:33:54PM +0800, Chen Hanxiao wrote: > ping... > > > -----Original Message----- > > From: libvir-list-bounces@xxxxxxxxxx > [mailto:libvir-list-bounces@xxxxxxxxxx] > > On Behalf Of Chen Hanxiao > > Sent: Tuesday, September 03, 2013 10:04 AM > > To: 'Daniel P. Berrange' > > Cc: libvir-list@xxxxxxxxxx > > Subject: Re: [PATCH]LXC doc: Add warns if net namespace not > enabled > > > > Hi > > Any comments? > > > > Thanks > > > > > -----Original Message----- > > > From: Chen Hanxiao [mailto:chenhanxiao@xxxxxxxxxxxxxx] > > > Sent: Friday, August 23, 2013 1:18 PM > > > To: libvir-list@xxxxxxxxxx > > > Cc: chenhanxiao@xxxxxxxxxxxxxx > > > Subject: [PATCH]LXC doc: Add warns if net namespace not > > > enabled > > > > > > From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > > > > > If we don't enable network namespace, we could shutdown host by > > > executing command 'shutdown' inside container. > > > This patch will add some warnings in LXC docs and give some advice to > > readers. > > > > > > Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > > --- > > > docs/drvlxc.html.in | 7 +++++++ > > > 1 files changed, 7 insertions(+), 0 deletions(-) > > > > > > diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index > > > 640968f..8f3a36a > > > 100644 > > > --- a/docs/drvlxc.html.in > > > +++ b/docs/drvlxc.html.in > > > @@ -50,6 +50,13 @@ processes inside containers cannot be securely > > > isolated from host process without the use of a mandatory access > > > control technology such as SELinux or AppArmor.</strong> </p> > > > +<p> > > > +<strong>WARNING: If 'net' namespace <i>not</i> enabled for container, > > > +host OS could be <i>shutdown</i> by executing command like 'reboot' > > > +inside container.<br/>So make sure 'net' namespace was available and > > > +set the <privnet/> feature in the XML, or configure virtual NICs. > > > +Then this issue could be circumvented.</strong> </p> > > > > > > <h2><a name="init">Default container setup</a></h2> Sorry for the delay in responding. While this text looks fine, I think we actually need much more content about security issues in LXC. So I'm going to create an entire section in the docs about this and include your warning. I'll copy on you any patch i post. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list