On Thu, Oct 30, 2014 at 3:15 AM, Tom Gundersen <teg@xxxxxxx> wrote: > Do I understand you correctly that what you want is unnamed/anonymous > domains? Considering that domain creation is anyway privileged, why is > this necessary? As an executive summary, this is the *problem*, not a mitigation. Domain creation *should not require privilege*. You should be able to do it in a user namespace in which you have appropriate capabilities without needing systemd's (or whatever other daemon's) help from outside. Once you fix that (which may not have broken whatever you tested with but will absolutely break anyone who tries to use this in LXC, Docker, Sandstorm, etc. without awful hacks) then you will have all of the problems that you've currently mitigated. --Andy _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
