[lxc-devel] [PATCH] Unshare user namespace as well

Daniel Lezcano daniel.lezcano at free.fr
Tue May 4 08:41:54 UTC 2010


Mikhail Gusarov wrote:
> Unshare user namespace to make sure setrlimit and other per-user limits are
> accounted properly in containers
>
> Signed-off-by: Mikhail Gusarov <dottedmag at dottedmag.net>
> ---
>  src/lxc/start.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 3b5023c..f1ae2fa 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -450,7 +450,7 @@ int lxc_spawn(const char *name, struct lxc_handler *handler, char *const argv[])
>  		return -1;
>  	}
>  
> -	clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
> +	clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
>  	if (!lxc_list_empty(&handler->conf->network)) {
>  
>  		clone_flags |= CLONE_NEWNET;
>   
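Review bot: CLONE_NEWUSER is OR-ed in unconditionally at the `clone_flags = ...` line, while the very next lines show the existing pattern for an optional namespace (CLONE_NEWNET is only added when `handler->conf->network` is non-empty). A user namespace is not just a limits-accounting boundary: it gives the container init its own uid/gid view and its own capability set, and creating one can fail on kernels or for callers that are not permitted to, so an unconditional flag can turn a previously working start into a clone() failure with no hint which flag caused it. Suggest gating it on a configuration option in the same style as CLONE_NEWNET, e.g. `if (handler->conf->userns) clone_flags |= CLONE_NEWUSER;` (option name hypothetical), and extending the commit message to state the expected uid/gid mapping inside the container, since the accounting rationale alone does not cover that change in behaviour.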

Hi Mikhail,

I am not sure I see all the implications of having this namespace by 
default, especially for application containers which can be executed by 
a non-root user. I think it would make sense to make this flag optional 
with the configuration.
