Daniel Lezcano wrote:
> Pavel Emelyanov wrote:
>>> Yes per namespace, I agree.
>>>
>>> If the option is controlled by the parent and it is done by sysctl, you
>>> will have to make /proc/sys per namespace like Pavel did with /proc/net, no?
>> /proc/sys is already per namespace actually ;) Or what did you mean by that?
>
> Effectively I was not clear :)
>
> I meant, you can not access /proc/sys from outside the namespace like
> /proc/net, which can be followed up by /proc/<pid>/net outside the namespace.

Ah! I've got it. Well, I think after Al Viro finishes with the sysctl rework this possibility will appear, but Denis actually persuaded me of his POV - if we do want to disable shared sockets we *can* do this by putting containers in proper mount namespaces of chroot environments.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers