[lxc-devel] LXCFS update problems

Dietmar Maurer dietmar at proxmox.com
Thu Nov 19 18:13:50 UTC 2015


> > Maybe, but breaking existing containers is even worse. So I would
> > do the following steps for now:
> 
> No, on a security update, breaking all containers is far better than
> having any container be able to run stuff as root on your host.

If you really want to do that, you can easily kill the lxcfs in
the postinst script (if you find a vulnerable version).

Besides, I would simply tell the users that they need to restart
the container in order to get the security updates.

We also do this on kernel security updates - instead of killing 
the host immediately :-)


