[lxc-devel] [PATCH v2] lxc-attach: Consider cgroups/personality/capabilities of container

Fri Feb 17 14:19:54 UTC 2012

On 02/17/2012 01:53 PM, Christian Seiler wrote:
> Hi there,
>
>> This is the new version of my patch that implements the features
>> discussed
>> in the previous thread.
>>
>>   - The current status of the container is now read from
>> /proc/init_pid/*,
>>     where init_pid is the pid of the container's init process.
>>   - By default:
>>      * The attached process acquires the personality of the container
>> (i.e.
>>        architecture: 32bit vs. 64bit)
>>      * The attached process drops its capabilities according to those
>> of the
>>        container
>>      * The attached process is put into the same cgroup as the
>> container
>>        itself
>>   - Overrides:
>>      * -a/--arch option to set the architecture which the attached
>> process
>>        sees manually
>>      * -e/--elevated-privileges option to stop the attached process
>> from being
>>        put in the same cgroup as the container and to let it retain
>> the
>>        capability bounding set it already posesses.
>>   - Add a manual page for lxc-attach(1)
> Any comments on this?

Hi Christian,

your patchset is in my tree. I will do some tests and push it.

Thanks
   -- Daniel