[lxc-devel] Status of usability of lxc

Christoph Mitasch cmitasch at thomas-krenn.com
Mon May 2 14:17:28 UTC 2011


To disable the ability to trigger a reboot of the host system by sending
"b" to /proc/sysrq-trigger inside a container, I've dropped
CAP_SYS_ADMIN and set readonly for the /proc mount-point.

I'm interested in what other capabilities are recommended to drop when using
LXC as a system container?

Thanks,
Christoph

On 04/19/2011 01:01 PM, richard -rw- weinberger wrote:
> On Tue, Mar 22, 2011 at 10:20 AM, Nathan McSween <nwmcsween at gmail.com> wrote:
>> Can I get a quick rundown of what is implemented w.r.t  UID/GID
>> containerization, is it safe yet to give containerized root to an
>> everyday user without huge security issues?
> 
> Drop all dangerous capabilities and mount /proc read-only.
> 
> HTH,
> //richard
> 
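A small check that can be run inside a container to confirm that the two mitigations Christoph describes (CAP_SYS_ADMIN dropped from the bounding set, /proc mounted read-only) are actually in effect. This is an added example, not code from the thread; the function names are my own, and the sample status and mounts text is constructed.

```python
"""Verify, from inside a container, that CAP_SYS_ADMIN is absent from the
capability bounding set and that /proc is mounted read-only."""

import sys

CAP_SYS_ADMIN = 21  # capability number from linux/capability.h

# Constructed sample input: a CapBnd mask with bit 21 cleared, and a
# read-only /proc mount line in the format of /proc/self/mounts.
SAMPLE_STATUS = "Name:\tsh\nCapBnd:\t0000003fffdfffff\n"
SAMPLE_MOUNTS = "proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0\n"


def cap_in_bounding_set(status_text: str, cap: int) -> bool:
    """Return True if capability `cap` is set in the CapBnd mask found in
    the text of /proc/<pid>/status (the mask is a hex bit field)."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool(mask & (1 << cap))
    raise ValueError("no CapBnd line in status text")


def proc_is_readonly(mounts_text: str) -> bool:
    """Return True if the /proc entry in /proc/self/mounts carries 'ro'."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc":
            return "ro" in fields[3].split(",")
    return False  # no /proc mount listed at all


def audit_container() -> dict:
    """Read the live files and report both checks (run inside the container)."""
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/mounts") as f:
        mounts = f.read()
    return {
        "sys_admin_dropped": not cap_in_bounding_set(status, CAP_SYS_ADMIN),
        "proc_readonly": proc_is_readonly(mounts),
    }


if __name__ == "__main__":
    result = audit_container()
    for name, ok in result.items():
        print(f"{name}: {'OK' if ok else 'NOT ENFORCED'}")
    sys.exit(0 if all(result.values()) else 1)
```

The exit status is non-zero when either mitigation is missing, so the script can be dropped into a container's start-up checks.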