Daniel Lezcano wrote:
> But if I am able to create a new instance of devpts for a container and
> modify the configuration of another devpts from this container, is it
> acceptable? Can we convince people to use the containers for security
> and have anybody able to make a pty starvation from one container to
> another?
>
> If it is too complicated to handle one value per new devpts
> instance, IMHO /proc/sys/kernel/pty/max should be, at least, read-only
> for the new instance, no?

First of all, there is no such thing... the devpts instance is simply another filesystem, whereas the /proc/sys entry is a global limit on the total number of ptys in the system.

Again, one of thousands, and yes, they probably should ALL be readonly in a container environment. That has to be set up separately from the devpts filesystem, because the devpts filesystem is not tied to procfs or even containers in any way.

	-hpa

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
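The mitigation both posters converge on is a read-only /proc/sys inside the container, set up by the runtime independently of the devpts mount. As an added example (not from this thread or from the kernel), here is a POSIX shell check a container runtime's test suite could run from inside the container to confirm that: it walks a /proc/self/mountinfo listing and reports whether a path is covered by a read-only mount. The mountinfo text below is constructed.

```shell
#!/bin/sh
# Added example: given the text of a /proc/<pid>/mountinfo file, report
# whether PATH is covered by a read-only mount (exit 0) or not (exit 1).
# Inside a container, call it with "$(cat /proc/self/mountinfo)".
path_is_readonly() {
  path=$1
  mountinfo=$2
  printf '%s\n' "$mountinfo" | awk -v p="$path" '
    {
      mp = $5          # mount point
      opts = $6        # per-mount options; ro/rw of a bind mount live here,
                       # not in the superblock options after the "-"
      # pick the deepest mount point that is a prefix of p on a path
      # component boundary; "/" covers everything
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best) { best = length(mp); bestopts = opts }
      }
    }
    END {
      n = split(bestopts, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == "ro") exit 0
      exit 1
    }'
}

# Constructed mountinfo for a container that got its own devpts instance
# and had /proc/sys bind-mounted read-only on top of a writable /proc.
SAMPLE_MOUNTINFO='22 27 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
30 22 0:20 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
31 27 0:21 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666'

# The global pty limit must be read-only; the rest of /proc and the
# container's own devpts instance stay writable.
for f in /proc/sys/kernel/pty/max /proc/cpuinfo /dev/pts/ptmx; do
  if path_is_readonly "$f" "$SAMPLE_MOUNTINFO"; then
    echo "$f: read-only"
  else
    echo "$f: writable mount"
  fi
done
```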