[Lxc-users] udev

C Anthony Risinger anthony at extof.me
Sat Jul 31 01:40:07 UTC 2010


(sorry for top post... mobiles don't make it easy otherwise)

Yes it would be better if you deny all, then specifically allow any
devices the container needs [to create].

Also, private devpts is already possible... just add "newinstance" to
devpts mount options; you should also do this for the host, and
ensure /dev/ptmx is a symlink to /dev/pts/ptmx for both host and
containers.

C Anthony [mobile]

On Jul 30, 2010, at 8:21 PM, "Serge E. Hallyn" <serge.hallyn at canonical.com> wrote:

> Quoting Osvaldo Filho (arquivostcf at gmail.com):
>> The problem is with config file, on lxc-create
>> lxc.cgroup.devices.deny = a
>>
>> Solved.
>
> That's ok if you don't mind, but not the generally preferred
> solution, since without a custom selinux or smack policy you
> don't have anything else protecting your devices.
>
> -serge
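An added example, not part of the original thread or of LXC itself: a small Python audit for the two settings discussed above, the deny-all-then-allow device rules and the "newinstance" devpts option. The sample config, the sample fstab line, the device list and the function names are constructed for illustration, and it assumes device rules are applied in file order.

```python
# Added example: audit an LXC config and an fstab for the two settings above.
# Constructed sample: deny every device, then allow only what is needed.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/ptmx and pts slaves
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
"""

# Constructed sample fstab line for a private devpts instance.
SAMPLE_FSTAB = "devpts /dev/pts devpts newinstance,ptmxmode=0666,gid=5,mode=620 0 0\n"


def audit_devices(config):
    """Return a list of findings about the devices cgroup rules."""
    findings, denied_all = [], False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.cgroup.devices.deny" and value == "a":
            denied_all = True
        elif key == "lxc.cgroup.devices.allow":
            if not denied_all:
                # Assumption: rules apply in file order, so a later deny-all
                # would wipe this entry.
                findings.append("allow precedes deny-all: " + value)
            if value.split()[:1] == ["a"]:
                findings.append("allow re-opens every device: " + value)
    if not denied_all:
        findings.append("no deny-all rule: devices cgroup does not restrict the container")
    return findings


def devpts_private(fstab):
    """True if there is a devpts mount and every one uses newinstance."""
    fields = [l.split() for l in fstab.splitlines() if not l.lstrip().startswith("#")]
    opts = [f[3].split(",") for f in fields if len(f) >= 4 and f[2] == "devpts"]
    return bool(opts) and all("newinstance" in o for o in opts)


if __name__ == "__main__":
    print(audit_devices(SAMPLE_CONFIG), devpts_private(SAMPLE_FSTAB))
```

The /dev/ptmx symlink mentioned in the message is not checked here; that needs a look at the live filesystem of the host and each container.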