[lxc-devel] LXCFS update problems
Dietmar Maurer
dietmar at proxmox.com
Thu Nov 19 18:13:50 UTC 2015
> > Maybe, but breaking existing containers is even worse. So I would
> > do the following steps for now:
>
> No, on security update, breaking all containers is far better than
> having any container be able to run stuff as root on your host.
If you really want to do that, you can easily kill the lxcfs in
the postinst script (if you find a vulnerable version).
Besides, I would simply tell the users that they need to restart
the container in order to get the security updates.
We also do this on kernel security updates - instead of killing
the host immediately :-)
More information about the lxc-devel
mailing list