Quoting Daniel Lezcano (daniel.lezcano@xxxxxxx): > Krzysztof Taraszka wrote: > > Okey. > > I made few tests and this two ways work: > > > > First way: > > ======= > > lxc. smack enabled, policy loaded. cgroup not labeled. > > > > a) start container > > b) mount cgroup inside container > > c) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo > > d) secure the /cgroup on the host (ie: attr -S -s SMACK64 -V host /cgroup). > > > > this step can be done inside lxc tools ;) > > > > Second way: > > ========== > > lxc. smack enabled, policy loaded. cgroup not labeled. > > > > a) do not label whole /cgrop directory (DO NOT DO: attr -S -s SMACK64 -V > > host /cgroup). Label dedicate files only (for example: /cgroup/cpuset.cpus, > > /cgroup/vs1/cpuset.cpus, etc). Do not label the /cgrop/vs1 directory. Label > > with vs1 label only /cgroup/vs1/memory.meminfo. All other files label with > > host label to do not allow read them. > > b) start container > > c) mount cgroup inside container > > d) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo > > > > steps: b, c, d can be done inside lxc tools. step a can't and it is base on > > the admin policy. > > > > I think that the first solution is more automatic and can be done by lxc > > tools (maybe command line switch? I can prepare a patch for that. > > > > I do not know smack, what does smack here ? Will this solution avoid the > container to overwrite /proc/meminfo by remounting /proc ? Right, in the first way he is labeling the whole cgroupfs with a label which prevents the container from mounting it. In the second way, the specific files are labeled. -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
