Am 13.02.2014 18:16, schrieb Daniel P. Berrange: > On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote: >> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD >> to containers. >> Currently it is not safe to allow a container access to a resource controller. >> > > We *do* want to allow all controllers to be visible to the container. > eg it is valid for them to have read access to view things like block > I/O and CPU accounting information. We just don't want to make it writable > for usernamespaces. Okay. But what if one does not enable user namespaces? Then the controllers are writable within the container. > I've adjusted your first patch and reposted with you on CC, if you can > confirm it works for you. Will test it today. :) Thanks, //richard -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list