On Tue, Oct 1, 2013 at 7:19 AM, Janne Karhunen <janne.karhunen@xxxxxxxxx> wrote:
> On Thu, Sep 26, 2013 at 8:33 AM, Greg Kroah-Hartman
> <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
>>> - We can relay a call of /sbin/hotplug from outside of a container
>>> to inside of a container based on policy.
>>> (But no one uses /sbin/hotplug anymore).
>>
>> That's right, they should be listening to libudev events, so why can't
>> your daemon shuffle them off to the proper container, all in userspace?
>
> Which reminds me, one potential reason being..
> http://lists.linuxfoundation.org/pipermail/containers/2013-May/032591.html
>

Can't the daemon live outside the container and shuffle stuff in? IOW, there seems to be little point in containerizing things if you're just going to punch a privilege hole in the namespace.

FWIW, I think that the capability evolution rules are crap, but changing them is a can of worms, and enough people seem to think the status quo is acceptable that this is unlikely to ever get fixed.

--Andy

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
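The "capability evolution rules" Andy refers to are the execve(2) transformation rules in capabilities(7). The following is an added example, not code from the thread or from any of its participants: a small C model of those rules as they stood in 2013 (before ambient capabilities), with three constructed scenarios. The uids, the relay binary, and the capability sets are assumptions chosen to illustrate the point; the root-without-file-caps exception is modelled as the man page words it, and the corner case of a root process executing a binary that does carry file capabilities is deliberately not exercised, since kernel behaviour there has varied. The scenarios show why an unprivileged host daemon cannot hand a capability to a relay helper it execs unless the helper binary has file capabilities, and how a reduced bounding set limits even uid 0 inside a container.

```c
/* Model of the pre-ambient Linux capability transformation on execve(2),
 * after capabilities(7):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * Root exception (no file caps): if the real uid is 0 or the binary is
 * set-uid-root, F(permitted) and F(inheritable) are notionally all ones;
 * if the effective uid is 0 or the binary is set-uid-root, F(effective) is 1.
 * This is an added illustration, not kernel code.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A few capability numbers as in <linux/capability.h>. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define CAP_MKNOD     27
#define CAPBIT(c)     ((uint64_t)1 << (c))
#define ALL_CAPS      (~(uint64_t)0)

struct caps {
    uint64_t permitted, inheritable, effective, bounding;
};

struct filecaps {
    bool present;                   /* binary carries security.capability? */
    uint64_t permitted, inheritable;
    bool effective;                 /* the single file "effective" bit */
};

static bool cap_has(uint64_t set, int cap) { return (set & CAPBIT(cap)) != 0; }

/* Apply the transformation rules to process caps p executing a binary f. */
struct caps cap_evolve(const struct caps *p, const struct filecaps *f,
                       unsigned uid, unsigned euid, bool setuid_root)
{
    uint64_t f_perm = 0, f_inh = 0;
    bool f_eff = false;
    if (f->present) { f_perm = f->permitted; f_inh = f->inheritable; f_eff = f->effective; }
    if (uid == 0 || setuid_root) { f_perm = ALL_CAPS; f_inh = ALL_CAPS; }
    if (euid == 0 || setuid_root) f_eff = true;

    struct caps n;
    n.permitted   = (p->inheritable & f_inh) | (f_perm & p->bounding);
    n.effective   = f_eff ? n.permitted : 0;
    n.inheritable = p->inheritable;
    n.bounding    = p->bounding;   /* bounding set is never raised by exec */
    return n;
}

/* Scenario 1 (assumed): a non-root host daemon (uid 1000) holding
 * CAP_NET_ADMIN in all three sets execs a relay helper with no file caps. */
struct caps scenario_unpriv_no_fcaps(void)
{
    struct caps p = { .permitted = CAPBIT(CAP_NET_ADMIN), .inheritable = CAPBIT(CAP_NET_ADMIN),
                      .effective = CAPBIT(CAP_NET_ADMIN), .bounding = ALL_CAPS };
    struct filecaps f = { .present = false };
    return cap_evolve(&p, &f, 1000, 1000, false);
}

/* Scenario 2 (assumed): same daemon, but the helper binary carries
 * file caps "cap_net_admin+ei", so the inheritable bit is honoured. */
struct caps scenario_unpriv_with_fcaps(void)
{
    struct caps p = { .permitted = CAPBIT(CAP_NET_ADMIN), .inheritable = CAPBIT(CAP_NET_ADMIN),
                      .effective = CAPBIT(CAP_NET_ADMIN), .bounding = ALL_CAPS };
    struct filecaps f = { .present = true, .permitted = 0,
                          .inheritable = CAPBIT(CAP_NET_ADMIN), .effective = true };
    return cap_evolve(&p, &f, 1000, 1000, false);
}

/* Scenario 3 (assumed): uid 0 inside a container whose bounding set
 * drops CAP_SYS_ADMIN and CAP_MKNOD execs a normal binary. */
struct caps scenario_container_root(void)
{
    struct caps p = { .permitted = ALL_CAPS, .inheritable = 0, .effective = ALL_CAPS,
                      .bounding = ALL_CAPS & ~(CAPBIT(CAP_SYS_ADMIN) | CAPBIT(CAP_MKNOD)) };
    struct filecaps f = { .present = false };
    return cap_evolve(&p, &f, 0, 0, false);
}

int main(void)
{
    struct caps a = scenario_unpriv_no_fcaps();
    struct caps b = scenario_unpriv_with_fcaps();
    struct caps c = scenario_container_root();
    printf("uid 1000, no file caps:   child pP=%#llx pE=%#llx\n",
           (unsigned long long)a.permitted, (unsigned long long)a.effective);
    printf("uid 1000, file caps +ei:  child pP=%#llx pE=%#llx\n",
           (unsigned long long)b.permitted, (unsigned long long)b.effective);
    printf("container root: CAP_SYS_ADMIN=%d CAP_NET_ADMIN=%d\n",
           cap_has(c.permitted, CAP_SYS_ADMIN), cap_has(c.permitted, CAP_NET_ADMIN));
    return 0;
}
```

Scenario 1 is the sticking point for a userspace relay daemon: with no file capabilities on the helper, the inheritable CAP_NET_ADMIN is ANDed with an empty file inheritable set and the child ends up with nothing, which is why such designs tend to fall back to running the daemon as root or to the privilege hole the reply objects to. Scenario 3 shows the other half of the picture: the bounding set, not uid 0, decides what a "root" process inside the container can regain on exec.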