On Tue, Oct 1, 2013 at 8:27 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> http://lists.linuxfoundation.org/pipermail/containers/2013-May/032591.html
>
> Can't the daemon live outside the container and shuffle stuff in?
> IOW, there seems to be little point in containerizing things if you're
> just going to punch a privilege hole in the namespace.

Yeah. I will try to experiment just how much can be 'stuffed in' without effective caps. It certainly would be better this way.

> FWIW, I think that the capability evolution rules are crap, but
> changing them is a can of worms, and enough people seem to think the
> status quo is acceptable that this is unlikely to ever get fixed.

I have noted (Casey almost tried to strangle me during the last security summit for even daring to talk about it).

--
Janne

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers