On 9/24/21 06:19, Christian Brauner wrote:
On Wed, Sep 22, 2021 at 01:06:49PM -0700, Andy Lutomirski wrote:
I just meant that the programs in the container can see the modules available on the host. Simplest thing could be bind-mounting in the host's module folder with suitable protection (locked read-only mount). But yeah, it can likely be as simple as allowing it to ask for a module and not bother telling it about what is available.
If the container gets to see host modules, interesting races when containers are migrated CRIU-style will result.