[lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces
Michael J Coss
michael.coss at alcatel-lucent.com
Fri May 23 15:55:26 UTC 2014
On 5/23/2014 4:20 AM, Marian Marinov wrote:
>
> Can I suggest the usage of the devices cgroup to achieve that?
>
> Marian
We make use of devices cgroup as part of our overall solution. Given
that systemd has some embedded policy for the start of udev in a
container, we needed to enable CAP_MKNOD within the container to get
systemd to launch udev. To constrain what can and cannot be done, we
added a deny all, and then enumerate the allowed device access (rwm)
within the device cgroup for the container. It doesn't help the
visibility issue, but does provide needed resource constraints.
--
---Michael J Coss
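As an added example (not code from this message or from the LXC project), the deny-all-then-enumerate devices-cgroup policy described above, rendered as LXC 1.x container config lines. The device list and the helper function names are constructed for illustration; the two config keys, lxc.cgroup.devices.deny and lxc.cgroup.devices.allow, are the LXC 1.x ones.

```shell
#!/bin/sh
# Added example, not from the thread or from LXC: emit a deny-all-then-allowlist
# devices-cgroup policy as LXC 1.x config lines
# (lxc.cgroup.devices.deny / lxc.cgroup.devices.allow).
# The device list is constructed for illustration; a real container enumerates
# exactly the nodes it needs. Fields: type(c|b) major minor access(subset of rwm)
ALLOWED_DEVICES='
c 1 3 rwm
c 1 5 rwm
c 1 8 rwm
c 1 9 rwm
c 5 0 rwm
c 5 1 rwm
c 136 * rwm
'

# Reject anything malformed or broader than an explicit allowlist should be:
# no "a" (all devices) type, no wildcard major; a wildcard minor is accepted
# (e.g. the pts range); access must be a non-empty subset of r, w, m.
validate_entry() {
    case "$1" in c|b) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    case "$3" in '*') ;; ''|*[!0-9]*) return 1 ;; esac
    case "$4" in ''|*[!rwm]*) return 1 ;; esac
    return 0
}

# Print the deny-all line first, then one allow line per validated entry.
# Stops and returns 1 at the first entry that fails validation.
render_lxc_devices_config() {
    echo "lxc.cgroup.devices.deny = a"
    while read -r type major minor access; do
        [ -n "$type" ] || continue
        if ! validate_entry "$type" "$major" "$minor" "$access"; then
            echo "rejected device entry: $type $major $minor $access" >&2
            return 1
        fi
        echo "lxc.cgroup.devices.allow = $type $major:$minor $access"
    done <<EOF
$1
EOF
}

render_lxc_devices_config "$ALLOWED_DEVICES"
```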