On 09/10/2013 05:08 PM, Daniel P. Berrange wrote: > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> > > Mention that user namespace can be enabled using the UID/GID > mapping schema. > > Fix typo in link anchor for container args in domain XML docs. > > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> > --- ACK > docs/drvlxc.html.in | 14 +++++--------- > docs/formatdomain.html.in | 2 +- > 2 files changed, 6 insertions(+), 10 deletions(-) > > diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in > index 640968f..1e6aa1d 100644 > --- a/docs/drvlxc.html.in > +++ b/docs/drvlxc.html.in > @@ -40,15 +40,11 @@ primary "host" OS environment, the libvirt LXC driver requires that > certain kernel namespaces are compiled in. Libvirt currently requires > the 'mount', 'ipc', 'pid', and 'uts' namespaces to be available. If > separate network interfaces are desired, then the 'net' namespace is > -required. In the near future, the 'user' namespace will optionally be > -supported. > -</p> > - > -<p> > -<strong>NOTE: In the absence of support for the 'user' namespace, > -processes inside containers cannot be securely isolated from host > -process without the use of a mandatory access control technology > -such as SELinux or AppArmor.</strong> > +required. If the guest configuration declares a > +<a href="formatdomain.html#elementsOSContainer">UID or GID mapping</a>, > +the 'user' namespace will be enabled to apply these. <strong>A suitably > +configured UID/GID mapping is a pre-requisite to making containers > +secure, in the absence of sVirt confinement.</strong> > </p> > > <h2><a name="init">Default container setup</a></h2> > diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in > index f8bfe0b..971b059 100644 > --- a/docs/formatdomain.html.in > +++ b/docs/formatdomain.html.in 
> @@ -263,7 +263,7 @@ > <span class="since">Since 1.0.4</span></dd> > </dl> > > - <h4><a name="eleemntsOSContainer">Container boot</a></h4> > + <h4><a name="elementsOSContainer">Container boot</a></h4> > > <p> > When booting a domain using container based virtualization, instead > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
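Review bot: In the docs/drvlxc.html.in hunk, the new <strong> sentence asks for a "suitably configured UID/GID mapping" without saying what makes a mapping suitable, and the removed NOTE's plain warning that containers without the 'user' namespace cannot be securely isolated from host processes is lost. Suggest keeping an explicit statement of the default case, which the new wording only implies: a guest that declares no mapping does not get the 'user' namespace and depends entirely on sVirt confinement. It would also help to add one sentence on what the mapping has to achieve, namely that UID/GID 0 inside the container must not map to UID/GID 0 on the host.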
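Review bot: In the docs/formatdomain.html.in hunk, renaming the anchor from eleemntsOSContainer to elementsOSContainer breaks any existing link that still uses the old spelling, so the rest of the docs tree should be checked for references to the old name before this goes in. The new link in drvlxc.html.in labels this target "UID or GID mapping" while the heading it lands on is "Container boot", so please also confirm that this section is where the mapping elements are documented.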