Re: [PATCH]LXC doc: Add warns if net namespace not enabled

On Mon, Sep 09, 2013 at 04:33:54PM +0800, Chen Hanxiao wrote:
> ping...
> 
> > -----Original Message-----
> > From: libvir-list-bounces@xxxxxxxxxx
> [mailto:libvir-list-bounces@xxxxxxxxxx]
> > On Behalf Of Chen Hanxiao
> > Sent: Tuesday, September 03, 2013 10:04 AM
> > To: 'Daniel P. Berrange'
> > Cc: libvir-list@xxxxxxxxxx
> > Subject: Re:  [PATCH]LXC doc: Add warns if net namespace not
> enabled
> > 
> > Hi
> > 	Any comments?
> > 
> > Thanks
> > 
> > > -----Original Message-----
> > > From: Chen Hanxiao [mailto:chenhanxiao@xxxxxxxxxxxxxx]
> > > Sent: Friday, August 23, 2013 1:18 PM
> > > To: libvir-list@xxxxxxxxxx
> > > Cc: chenhanxiao@xxxxxxxxxxxxxx
> > > Subject: [PATCH]LXC doc: Add warns if net namespace not
> > > enabled
> > >
> > > From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> > >
> > > If we don't enable network namespace, we could shutdown host by
> > > executing command 'shutdown' inside container.
> > > This patch will add some warnings in LXC docs and give some advice to
> > readers.
> > >
> > > Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> > > ---
> > >  docs/drvlxc.html.in |    7 +++++++
> > >  1 files changed, 7 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index
> > > 640968f..8f3a36a
> > > 100644
> > > --- a/docs/drvlxc.html.in
> > > +++ b/docs/drvlxc.html.in
> > > @@ -50,6 +50,13 @@ processes inside containers cannot be securely
> > > isolated from host  process without the use of a mandatory access
> > > control technology such as SELinux or AppArmor.</strong>  </p>
> > > +<p>
> > > +<strong>WARNING: If 'net' namespace <i>not</i> enabled for container,
> > > +host OS could be <i>shutdown</i> by executing command like 'reboot'
> > > +inside container.<br/>So make sure 'net' namespace was available and
> > > +set the &lt;privnet/&gt; feature in the XML, or configure virtual NICs.
> > > +Then this issue could be circumvented.</strong> </p>
> > >
> > >  <h2><a name="init">Default container setup</a></h2>
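Review bot: the new paragraph states the effect (a 'reboot' run inside the container takes the host down) but never says why a missing 'net' namespace makes that possible, so a reader cannot tell which setups are affected or why <privnet/> or a virtual NIC fixes it; one sentence on the path from the container to the host's init would make the advice actionable. The wording also needs tidying: "If 'net' namespace <i>not</i> enabled" is missing "is" ("If the 'net' namespace is <i>not</i> enabled"), "host OS could be <i>shutdown</i>" should be "shut down" (verb, two words), "make sure 'net' namespace was available" should be present tense ("is available"), and "circumvented" is the wrong word for avoiding a problem ("avoided"). Finally, "or configure virtual NICs" is vague for a document that otherwise names XML elements; pointing at the element that defines a virtual NIC, as the text already does for &lt;privnet/&gt;, would keep the two options parallel.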

Sorry for the delay in responding. While this text looks fine, I think we
actually need much more content about security issues in LXC. So I'm going
to create an entire section in the docs about this and include your warning.

I'll copy on you any patch I post.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
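As an added example that is not part of the patch, the libvirt docs or this thread: a small POSIX shell script with two checks for the condition the warning describes, a libvirt LXC container whose init shares the host's network namespace. The static check assumes the libvirt LXC domain XML format, where `<privnet/>` under `<features>` or any `<interface>` under `<devices>` makes libvirt create a private network namespace; the runtime check takes the host-side PID of the container's init (a child of the libvirt_lxc controller process) and compares its namespace with PID 1's. The three sample domain definitions are constructed for the example; their names and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the patch, the libvirt docs or this thread.
# Two checks for the condition the warning describes: a libvirt LXC container
# whose init shares the host's network namespace.

# Check 1 (static): does a libvirt LXC domain XML ask for a private network
# namespace? libvirt creates one when <features><privnet/></features> is set
# or when <devices> contains at least one <interface>. Reads the XML from the
# file named in $1, or from stdin when no file is given. Prints "private" or
# "SHARED" and returns 0 or 1. A substring match is enough for this check;
# use an XML parser before relying on it in tooling.
xml_netns_policy() {
    xml=$(cat "${1:--}")
    case "$xml" in
        *'<privnet/>'*|*'<interface '*)
            echo private; return 0 ;;
    esac
    echo SHARED
    return 1
}

# Check 2 (runtime): compare the network namespace of two PIDs as seen from
# the host. /proc/<pid>/ns/net is a symlink reading "net:[<inode>]"; equal
# strings mean the same namespace. Pass the host-side PID of the container's
# init (a child of the libvirt_lxc controller process) and 1 for the host.
# Run as root: reading another user's ns links needs ptrace access.
# Returns 0 if shared, 1 if separate, 2 if a link could not be read.
same_netns() {
    a=$(readlink "/proc/$1/ns/net") || return 2
    b=$(readlink "/proc/$2/ns/net") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample domains (hypothetical names and paths).
# The weak configuration: no network at all, so no private namespace.
weak_xml() {
cat <<'EOF'
<domain type='lxc'>
  <name>weak</name>
  <memory unit='KiB'>524288</memory>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices>
    <console type='pty'/>
  </devices>
</domain>
EOF
}

# The first fix from the warning: <privnet/> forces a private network
# namespace even though the container still has no NIC.
privnet_xml() {
cat <<'EOF'
<domain type='lxc'>
  <name>isolated</name>
  <memory unit='KiB'>524288</memory>
  <os><type>exe</type><init>/sbin/init</init></os>
  <features><privnet/></features>
  <devices>
    <console type='pty'/>
  </devices>
</domain>
EOF
}

# The second fix from the warning: a virtual NIC, which implies a private
# network namespace.
nic_xml() {
cat <<'EOF'
<domain type='lxc'>
  <name>networked</name>
  <memory unit='KiB'>524288</memory>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices>
    <interface type='network'><source network='default'/></interface>
    <console type='pty'/>
  </devices>
</domain>
EOF
}

# Demo: run the static check over the three samples. An operator would run
#   xml_netns_policy /etc/libvirt/lxc/<name>.xml
# and, for a running container,   same_netns <init_pid> 1
for f in weak_xml privnet_xml nic_xml; do
    if r=$($f | xml_netns_policy); then
        echo "$f: $r"
    else
        echo "$f: $r (shares the host network namespace; a 'reboot' inside may reach the host's init)"
    fi
done
```

Only the weak sample reports SHARED; both fixes the warning offers report private. The runtime check is the one to trust for a container that is already running, since it looks at what the kernel actually set up rather than at what the XML asked for.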

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list