[lxc-devel] LXC in the context of a grsecurity enabled kernel
Ciprian Dorin, Craciun
ciprian.craciun at gmail.com
Wed Jan 13 21:46:42 UTC 2010
Hello all!
I have a small question: does LXC run properly under a
grsec-enabled kernel?
For example, I've enabled grsec chroot enforcements, and now (as
expected from grsec), the `lxc-start` tool fails. (lxc-execute works
but somehow it seems it doesn't unmount the unneeded file-systems.)
The output of lxc start is:
~~~~~~~~
lxc/bin/lxc-start.elf --name isync--1.0.4+1--1--build-lxc --rcfile
/stores/erebus-1/ciprian/workbench/pacman-packages/tmp/isync--1.0.4+1--1/lxc.conf
/.workbench/tools/init/init
lxc-start: Device or resource busy - could not unmount old rootfs
lxc-start: failed to pivot_root to
'/stores/erebus-1/ciprian/workbench/pacman-packages/tmp/isync--1.0.4+1--1/rootfs'
lxc-start: failed to set rootfs for 'isync--1.0.4+1--1--build-lxc'
lxc-start: failed to setup the container
~~~~~~~~
So to put the question another way: is it recommended to use LXC
with a grsec kernel? If so, what are the guidelines? (What should not
be enabled?)
Thanks,
Ciprian.