Hello, Serge. On Tue, Nov 06, 2012 at 09:01:32AM -0600, Serge Hallyn wrote: > More practically, lacking user namespaces you can create a full (i.e. > ubuntu) container that doesn't have CAP_SYS_ADMIN, but not one without > root. So this allows you to prevent containers from bypassing devices > cgroup restrictions set by the parent. (In reality we are not using > that in ubuntu - we grant CAP_SYS_ADMIN and use apparmor to restrict - > but other distros do.) Do you even mount cgroupfs in containers? If you just bind-mount cgroupfs verbatim in containers, I don't think that's gonna work very well. If not, all this doesn't make any difference for containers. So, you don't really have any actual use case for the explicit CAP_* checks, right? Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
