[lxc-devel] Device Namespaces

Andy Lutomirski luto at amacapital.net
Tue Oct 1 17:27:45 UTC 2013


On Tue, Oct 1, 2013 at 7:19 AM, Janne Karhunen <janne.karhunen at gmail.com> wrote:
> On Thu, Sep 26, 2013 at 8:33 AM, Greg Kroah-Hartman
> <gregkh at linuxfoundation.org> wrote:
>
>>> - We can relay a call of /sbin/hotplug from outside of a container
>>>   to inside of a container based on policy.
>>>   (But no one uses /sbin/hotplug anymore).
>>
>> That's right, they should be listening to libudev events, so why can't
>> your daemon shuffle them off to the proper container, all in userspace?
>
> Which reminds me, one potential reason being..
> http://lists.linuxfoundation.org/pipermail/containers/2013-May/032591.html
>

Can't the daemon live outside the container and shuffle stuff in?
IOW, there seems to be little point in containerizing things if you're
just going to punch a privilege hole in the namespace.

FWIW, I think that the capability evolution rules are crap, but
changing them is a can of worms, and enough people seem to think the
status quo is acceptable that this is unlikely to ever get fixed.

--Andy