[lxc-devel] [Devel] Re: LXC container, unmounting unneeded mount points (from the container namespace)

Michael H. Warfield mhw at WittsEnd.com
Wed Jan 13 14:38:36 UTC 2010


On Wed, 2010-01-13 at 15:23 +0100, Michael Holzt wrote: 
> > I should now mention that I've been digging into it further and found
> > that I can not reproduce this on a second, similar, system I'm testing
> > on at this point.
> 
> On my system /dev/shm is mounted as well, but umount works as intended. So
> it would be really interesting to see what is wrong on your system. Is there
> any chance that I could ssh into it and debug the issue? Or maybe it can
> be reproduced by cloning the installation (stripped of private data)?
> 
> > IAC, there should be some way to force the container to start, for
> > diagnostic purposes, in a case like this, without modifying the sources.
> 
> Ok.
> 
> > Having the old root directory still there isn't fatal to run the
> > container, particularly in a test system, even though highly undesirable
> > in a production VM.
> 
> Oh, I think it is fatal, as it allows root in the container to modify the
> host fs. As this is against the security goal, the container should never
> start in this case, at least unless told so.

Exactly.  Which is why I mentioned "in a test system" and "highly
undesirable in a production VM".  In my "day job", I'm a security
researcher and analyst at IBM Internet Security Systems.

> Regards,
> Michael

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
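The invariant the two Michaels agree on above, that a container must not start while the host's old root is still reachable after pivot_root(2), can be enforced with a self-check rather than trusted to the unmount having succeeded. The program below is an added example and is not LXC's code; it parses the /proc/self/mountinfo format and counts mounts whose mount point is the put_old directory or anything beneath it, so a non-zero result means the host filesystem is still visible from the container namespace. The put_old path "/oldroot", the function names, and the two mountinfo samples (one taken before the old root is detached, one after) are all assumptions constructed for the example; the escaped "\040" in one sample exercises the octal encoding mountinfo uses for spaces in paths.

```c
/* Added example, not LXC code: after pivot_root(2), refuse to proceed if the
 * old root is still reachable. The check parses /proc/self/mountinfo text and
 * reports how many mount points equal put_old or lie beneath it.
 * The path "/oldroot" and the sample mountinfo lines are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed view a container might have right after pivot_root, before
 * umount2(put_old, MNT_DETACH): the host root is still mounted at /oldroot. */
const char *SAMPLE_BEFORE_UMOUNT =
    "21 1 8:1 /var/lib/lxc/c1/rootfs / rw,relatime - ext4 /dev/sda1 rw\n"
    "22 21 0:4 / /proc rw,nosuid - proc proc rw\n"
    "23 21 8:1 / /oldroot rw,relatime - ext4 /dev/sda1 rw\n"
    "24 23 0:17 / /oldroot/dev/shm rw,nosuid - tmpfs tmpfs rw\n"
    "25 23 0:19 / /oldroot/mnt/my\\040disk rw - ext4 /dev/sdb1 rw\n";

/* Constructed view after the old root has been detached. */
const char *SAMPLE_AFTER_UMOUNT =
    "21 1 8:1 /var/lib/lxc/c1/rootfs / rw,relatime - ext4 /dev/sda1 rw\n"
    "22 21 0:4 / /proc rw,nosuid - proc proc rw\n";

/* Decode the octal escapes mountinfo uses for space, tab, newline and
 * backslash (e.g. "\040" for a space) into dst. Returns dst. */
static char *unescape_mountinfo(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < dstlen; i++) {
        if (src[i] == '\\' &&
            src[i + 1] >= '0' && src[i + 1] <= '7' &&
            src[i + 2] >= '0' && src[i + 2] <= '7' &&
            src[i + 3] >= '0' && src[i + 3] <= '7') {
            dst[o++] = (char)(((src[i + 1] - '0') << 6) |
                              ((src[i + 2] - '0') << 3) |
                               (src[i + 3] - '0'));
            i += 3;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return dst;
}

/* True if path equals prefix or is a descendant of it
 * ("/oldroot/proc" is under "/oldroot"; "/oldrootx" is not). */
static int path_under(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    if (strncmp(path, prefix, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Count mounts in mountinfo text whose mount point is put_old or below it.
 * Each line reads: id parent major:minor root mountpoint options ...
 * Non-zero means the host root is still reachable from the container. */
int count_old_root_mounts(const char *mountinfo, const char *put_old) {
    int count = 0;
    const char *line = mountinfo;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* field 5 (index 4) is the mount point */
        char *save = NULL;
        char *tok = strtok_r(buf, " ", &save);
        for (int f = 0; tok && f < 4; f++) tok = strtok_r(NULL, " ", &save);
        if (tok) {
            char mp[1024];
            unescape_mountinfo(tok, mp, sizeof mp);
            if (path_under(mp, put_old)) count++;
        }
        line = end ? end + 1 : line + len;
    }
    return count;
}

/* Run the check against the live mount table; -1 if it cannot be read. */
int check_live(const char *put_old) {
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return -1;
    static char buf[65536];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return count_old_root_mounts(buf, put_old);
}

int main(void) {
    printf("constructed, before umount: %d leftover mount(s)\n",
           count_old_root_mounts(SAMPLE_BEFORE_UMOUNT, "/oldroot"));
    printf("constructed, after umount:  %d leftover mount(s)\n",
           count_old_root_mounts(SAMPLE_AFTER_UMOUNT, "/oldroot"));
    /* In a real container start this runs after pivot_root + umount2 and
     * aborts the start if anything under put_old is still mounted. */
    int live = check_live("/oldroot");
    if (live > 0) {
        fprintf(stderr, "refusing to start: old root still mounted\n");
        return 1;
    }
    return 0;
}
```

The point of counting descendants as well as the put_old directory itself is the case in this thread: a leftover submount such as /dev/shm under the old root keeps the whole subtree pinned, so a check that only looks for the exact put_old path, or that only inspects umount's return code, can pass while the host tree remains reachable. A "start anyway" flag for diagnosis, as suggested above, would simply skip the abort while still logging the count.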