On Mon, Jun 2, 2014 at 6:22 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> IIUC, we'd need to recursively chown the files under /proc/sys/net to
> give them the remapped UID/GID of the root user in the container, in
> order that they can be used.
>
> So overall I think we'd have to do
>
> - Make either /proc/sys/net or /proc/sys read-write
>
> - If userns is active, recursive chown /proc/sys/net (or a subset of
> files in it that we explicitly want to grant access to)

Please just make /proc/ and /sys writeable (or at least make the setting optional for paranoid folks). If the userns was set up correctly by libvirt and a container user/root still can do bad things, this is a plain kernel bug and needs fixing. No need to paper over it in libvirt.

--
Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
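As an added example (not part of this thread and not libvirt code): the "remapped UID/GID of the root user" that Daniel's recursive chown would need comes from the container's uid_map/gid_map, whose kernel format is one `inside outside count` range per line. The helper below parses such maps, resolves container-side IDs to host IDs (refusing unmapped ones), and produces the chown plan for a tree without applying it; the map contents, the sample tree and all function names are constructed for this example.

```python
"""Resolve host-side IDs for a user namespace and plan a recursive chown."""
import os
import tempfile

# Constructed maps: container root (0) is host 100000, 65536 IDs long.
SAMPLE_UID_MAP = "         0     100000      65536\n"
SAMPLE_GID_MAP = "         0     100000      65536\n"


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, count) ranges."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0:
            raise ValueError(f"empty range in id_map line: {line!r}")
        ranges.append((inside, outside, count))
    return ranges


def is_mapped(ranges, inside_id):
    """True if the namespace-side ID falls inside one of the mapped ranges."""
    return any(lo <= inside_id < lo + n for lo, _, n in ranges)


def to_host_id(ranges, inside_id):
    """Translate a namespace-side ID to the host ID; unmapped IDs are an error."""
    for inside, outside, count in ranges:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    raise LookupError(f"id {inside_id} is not mapped in this namespace")


def plan_chown(root, uid_map_text, gid_map_text, inside_uid=0, inside_gid=0):
    """Return [(path, host_uid, host_gid)] for root and everything below it.

    Only plans; applying it (os.chown on each entry) needs CAP_CHOWN on the host.
    """
    uid = to_host_id(parse_id_map(uid_map_text), inside_uid)
    gid = to_host_id(parse_id_map(gid_map_text), inside_gid)
    plan = []
    for dirpath, _dirs, files in os.walk(root):
        plan.append((dirpath, uid, gid))
        plan.extend((os.path.join(dirpath, f), uid, gid) for f in files)
    return plan


def build_sample_tree():
    """Create a throwaway stand-in for /proc/sys/net (constructed, not procfs)."""
    root = tempfile.mkdtemp(prefix="fake-sys-net-")
    os.makedirs(os.path.join(root, "ipv4"))
    with open(os.path.join(root, "ipv4", "ip_forward"), "w") as fh:
        fh.write("0\n")
    return root
```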