Re: [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 13.02.2014 18:16, schrieb Daniel P. Berrange:
> On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
>> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
>> to containers.
>> Currently it is not safe to allow a container access to a resource controller.
>>
> 
> We *do* want to allow all controllers to be visible to the container.
> eg it is valid for them to have read access to view things like block
> I/O and CPU accounting information. We just don't want to make it writable
> for usernamespaces.

Okay. But what if one does not enable user namespaces?
Then the controllers are writable within the container.

> I've adjusted your first patch and reposted with you on CC, if you can
> confirm it works for you.

Will test it today. :)

Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]