Mateusz Guzik <mguzik@xxxxxxxxxx> writes:

> On Tue, Feb 16, 2016 at 07:33:39PM +0800, Zhao Lei wrote:
>> Currently, each container shares one copy of the coredump setting
>> with the host system; if the host system changes the setting, each
>> running container will be affected.
>>
>> Moreover, it is not easy to let each container keep its own
>> coredump setting.
>>
>> We can use a workaround such as a pipe program to make the second
>> requirement possible, but it is not simple, and both host and
>> container are limited to a fixed pipe program.
>> In one word, for a host running containers, we can't change core_pattern
>> anymore.
>> To make the problem harder, if a host is running more than one
>> container product, each product will try to snatch the global
>> coredump setting to fit its own requirement.
>>
>> For containers based on the namespace design, it is good to allow
>> each container to keep its own coredump setting.
>>
>> It will bring us the following benefits:
>> 1: Each container can change its own coredump setting
>>    based on operations on /proc/sys/kernel/core_pattern
>> 2: Coredump settings changed in the host will not affect
>>    running containers.
>> 3: Support both the case of "putting coredump in guest" and
>>    "putting coredump in host".
>>
>> Each namespace-based software (lxc, docker, ..) can use this function
>> to customize its dump setting.
>>
>> And this function makes each container work as a separate system,
>> which fits the design goal of namespaces.
>>
>
> Sorry if this is a false alarm, I don't have easy means to test it, but
> is not this an immediate privilege escalation?

It is.

This is why we do not currently have a per namespace setting.

Solving the user mode helper problem is technically a fair amount of work,
if not theoretically challenging.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
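The thread turns on the fact that core_pattern is one host-wide sysctl and that a pipe helper named in it is executed by the kernel as root in the initial namespaces, whichever container the crashing process lives in. The audit helper below is an added example, not code from the thread or from the kernel; `analyze_core_pattern` and the sample pattern values are this example's own constructions, and the specifier semantics (`%p` as the PID in the crashing process's namespace, `%P` as the host-global PID) are those documented in core(5).

```python
import re

# Format specifiers core_pattern accepts (see core(5)); '%%' is a literal '%'.
CORE_SPECIFIERS = set("cdeEghiIpPstu%")


def analyze_core_pattern(pattern: str) -> dict:
    """Classify one core_pattern value the way the host kernel applies it.

    core_pattern is a single host-wide sysctl: a process crashing inside any
    container is dumped according to this value, and a leading '|' makes the
    kernel exec the named program as root in the initial namespaces.
    """
    pattern = pattern.rstrip("\n")
    report = {"mode": "file", "helper": None, "specifiers": [], "findings": []}

    # Collect %X specifiers; letters the kernel does not know are dropped.
    for spec in re.findall(r"%(.)", pattern):
        if spec in CORE_SPECIFIERS:
            report["specifiers"].append(spec)
        else:
            report["findings"].append(f"unknown specifier %{spec} is ignored")

    if pattern.startswith("|"):
        report["mode"] = "pipe"
        argv = pattern[1:].split()  # the kernel splits the helper line on whitespace
        report["helper"] = argv[0] if argv else None
        report["findings"].append(
            "pipe helper runs as root in the host's initial namespaces for every "
            "crashing process, including those inside containers"
        )
        if report["helper"] is None or not report["helper"].startswith("/"):
            report["findings"].append("helper path is not absolute; it must be")
        if "p" in report["specifiers"] and "P" not in report["specifiers"]:
            report["findings"].append(
                "%p is the PID inside the crashing process's PID namespace; "
                "a host-side helper needs %P for the host-global PID"
            )
    elif not pattern.startswith("/"):
        report["findings"].append(
            "relative pattern: the core file is written to the crashing "
            "process's current working directory"
        )
    return report


if __name__ == "__main__":
    # Constructed sample values; on a live host read /proc/sys/kernel/core_pattern instead.
    for sample in ("core", "|/usr/local/sbin/example-core-helper %p %s", "/var/crash/core.%e.%P"):
        print(sample, "->", analyze_core_pattern(sample))
```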