Quoting H. Peter Anvin (hpa@xxxxxxxxx):
> Serge E. Hallyn wrote:
>> Looks good. In the very last part, you might say just a little more to
>> make sure it's clear: You want to mount -o newinstance before sshd
>> or gnome is started in the root container, so that a child container
>> can't reach your devpts by doing a mount -t devpts without -o
>> newinstance. It's not that it's not clear in what you write, it's
>> more that it's at the very end and brief, so I'm afraid it's not
>> attention-grabbing enough as is.
>
> Actually, you should just enable newinstance everywhere, in particular
> in your fstab, so that ALL instances of devpts in the system have
> newinstance (leaving the legacy one unreachable.)
>
> In that sense I think your text above is more confusing than what
> Sukadev had.
>
> -hpa

That's fine, I just want a clearer louder warning that without that, a
container is not isolated from your devpts. Maybe just 'WARNING' above
point 7? Or just leave it. You're right, his text is plenty clear.

-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
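The point hpa makes above (put newinstance on every devpts mount, including the root one in fstab, so the legacy shared instance is never mounted) is something an administrator will want to verify on a running host. The script below is an added example written for this page, not code from the thread or from the kernel documentation it discusses. It assumes that a devpts instance mounted with -o newinstance shows "newinstance" in the option field of /proc/self/mounts, and it audits a set of mount lines for devpts instances that lack the option. The mount lines embedded in it are constructed sample data, not output from a real system; the fstab line follows the form suggested in the thread and its ptmxmode value is an assumption, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find devpts instances
# mounted without the newinstance option, given input in the format of
# /proc/self/mounts. Assumption: the kernel lists "newinstance" among the
# options of an instance mounted with -o newinstance.

# Constructed sample (not captured from a real host). The root /dev/pts
# here is the legacy shared instance; the container's devpts is a new one.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /var/lib/lxc/c1/rootfs/dev/pts devpts rw,nosuid,noexec,relatime,newinstance,ptmxmode=666 0 0'

# find_legacy_devpts MOUNT_LINES
# Prints the mount point of every devpts instance whose options do not
# include "newinstance". Exit status is 1 if any such instance was found,
# 0 if every devpts mount carries the option.
find_legacy_devpts() {
    printf '%s\n' "$1" | awk '
        $3 == "devpts" {
            n = split($4, opts, ",")
            legacy = 1
            for (i = 1; i <= n; i++)
                if (opts[i] == "newinstance") legacy = 0
            if (legacy) { print $2; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# The fstab entry the thread recommends for the root instance, so that no
# devpts on the system is the legacy shared one. The ptmxmode value is an
# assumed example setting, not one the thread specifies.
FSTAB_LINE='devpts /dev/pts devpts defaults,newinstance,ptmxmode=0666 0 0'

# Run against the constructed sample; on a live host replace the argument
# with "$(cat /proc/self/mounts)".
find_legacy_devpts "$SAMPLE_MOUNTS" || echo "legacy devpts instance(s) found above"
```

A non-zero result means at least one devpts mount is the legacy instance, which is exactly the situation the thread warns about: a container that mounts devpts without -o newinstance would share that instance with the host.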