Krzysztof Taraszka wrote:
> Hi,
>
> I was looking for a possibility to secure an lxc container so as not to allow
> the 'root container user' to change limits from cgroup. Right now, without
> STACK64 or SELinux, he can do this easily.
> I read the http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> and decided to use the STACK64 kernel mechanism.
> Well... mounting cgroup inside the container fails (great!, I was looking for
> that ;)) but networking fails too (the interface comes up, sshd comes up, there
> is a connection between host and container, but 'mtr', 'ping', even
> 'apt-get update' fail and I do not know why). I secured my container exactly
> like in the cookbook.
>
> Is there any other possibility to have a secure container without network
> problems, or any hint how to enable networking with stack64 enabled? If so,
> maybe the l-lxc-security cookbook has to be updated? Maybe another kernel
> patch to not allow a container to mount cgroup when the mount call comes
> from the container?
>
> Any ideas?
>

I think Serge can help you in this area (Cc'ed).