[lxc-devel] [ACK for the set] [PATCH v2 lxc 2/2] Added lxc.monitor.unshare

Serge Hallyn serge.hallyn at ubuntu.com
Tue Dec 1 14:44:25 UTC 2015


Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > On November 30, 2015 at 5:41 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > 
> > 
> > Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > > If manual mounting with elevated permissions is required
> > > this can currently only be done in pre-start hooks or before
> > > starting LXC. In both cases the mounts would appear in the
> > > host's namespace.
> > > With this flag the namespace is unshared before the startup
> > > sequence, so that mounts performed in the pre-start hook
> > > don't show up on the host.
> > > 
> > > Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> > 
> > Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> > 
> > Note we should probably point out in the manpage that this
> > will only work for containers started by root.  Can you send
> > a separate patch for that?
> 
> Since CLONE_NEWNS needs CAP_SYS_ADMIN, should I write that or
> mention root by name?

CAP_SYS_ADMIN
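The two points made in this thread (a mount namespace can only be unshared by a caller holding CAP_SYS_ADMIN, and a mount made after the unshare stays invisible to the host side) can be checked with a short program. This is an added example and is not code from the lxc patch or the lxc project; it assumes Linux with glibc, a readable /proc/self/mountinfo and a writable /tmp for mkdtemp(3). The child process stands in for the pre-start hook running in the unshared namespace and the parent stands in for the host. One caveat the thread does not spell out: on hosts where / is a shared mount (the systemd default), unshare(CLONE_NEWNS) alone is not enough, because new mounts still propagate back to the peer group; the example therefore marks the tree MS_PRIVATE first.

```c
/*
 * Added example, not part of the lxc patch discussed above.
 * Shows: (1) unshare(CLONE_NEWNS) fails with EPERM without CAP_SYS_ADMIN,
 *        (2) a mount made after a successful unshare is not visible to
 *            the parent (host-side) process.
 * Assumes Linux/glibc, /proc mounted, writable /tmp.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

enum demo_result {
    DEMO_OK = 0,          /* unshare + mount worked; parent did not see the mount */
    DEMO_NO_CAP = 1,      /* EPERM: caller lacks CAP_SYS_ADMIN (the thread's point) */
    DEMO_UNSUPPORTED = 2, /* sandbox/kernel refuses namespaces, or environment unusable */
    DEMO_ERROR = 3,       /* logic failure: mount leaked or unexpected error */
};

/* 1 if `path` is a mount point in the caller's mount namespace, 0 if not,
 * -1 if /proc/self/mountinfo cannot be read. Field 5 of each line is the
 * mount point; mountinfo escapes spaces in paths as \040, so splitting on
 * blanks is safe. */
static int mounted_here(const char *path)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -1;
    char line[4096];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        char *save = NULL, *tok = strtok_r(line, " ", &save);
        for (int i = 1; tok && i < 5; i++)
            tok = strtok_r(NULL, " ", &save);
        if (tok && strcmp(tok, path) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Map an unshare(2)/mount(2) errno to the outcome the thread talks about. */
static enum demo_result classify_errno(int err)
{
    if (err == EPERM)
        return DEMO_NO_CAP;
    if (err == EINVAL || err == ENOSYS)
        return DEMO_UNSUPPORTED;
    return DEMO_ERROR;
}

/* Child = "pre-start hook" in the unshared namespace; parent = "host". */
enum demo_result demo_private_mount(void)
{
    if (access("/proc/self/mountinfo", R_OK) != 0)
        return DEMO_UNSUPPORTED;
    char dir[] = "/tmp/lxc-unshare-XXXXXX";
    if (!mkdtemp(dir))
        return DEMO_UNSUPPORTED;

    pid_t pid = fork();
    if (pid < 0) {
        rmdir(dir);
        return DEMO_ERROR;
    }
    if (pid == 0) {
        if (unshare(CLONE_NEWNS) != 0)
            _exit(classify_errno(errno));
        /* Without this, a shared / would propagate the tmpfs back to the host. */
        if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
            _exit(classify_errno(errno));
        if (mount("tmpfs", dir, "tmpfs", 0, "size=64k") != 0)
            _exit(classify_errno(errno));
        _exit(mounted_here(dir) == 1 ? DEMO_OK : DEMO_ERROR);
    }

    int status;
    enum demo_result r = DEMO_ERROR;
    if (waitpid(pid, &status, 0) == pid) {
        if (WIFEXITED(status) && WEXITSTATUS(status) <= DEMO_ERROR)
            r = (enum demo_result)WEXITSTATUS(status);
        else if (WIFSIGNALED(status))
            r = DEMO_UNSUPPORTED; /* e.g. seccomp killing the process on unshare */
    }
    /* Host-side check: the child's mount must not have leaked into our table. */
    if (r == DEMO_OK && mounted_here(dir) != 0)
        r = DEMO_ERROR;
    rmdir(dir);
    return r;
}

int main(void)
{
    static const char *names[] = {
        "ok: mount private to the unshared namespace, not visible to parent",
        "EPERM: unshare(CLONE_NEWNS) needs CAP_SYS_ADMIN (run as root)",
        "unsupported: namespaces refused or environment unusable",
        "error: mount leaked or unexpected failure",
    };
    enum demo_result r = demo_private_mount();
    printf("%s\n", names[r]);
    return r == DEMO_ERROR;
}
```

Run it once as an unprivileged user and once as root: the first prints the EPERM line, which is exactly why the manpage note Serge asks for matters; the second prints the ok line, and a `findmnt` in another shell while it runs shows nothing under /tmp/lxc-unshare-*.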

