On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote: > Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD > to containers. > Currently it is not safe to allow a container access to a resource controller. > We *do* want to allow all controllers to be visible to the container. eg it is valid for them to have read access to view things like block I/O and CPU accounting information. We just don't want to make it writable for usernamespaces. I've adjusted your first patch and reposted with you on CC, if you can confirm it works for you. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list