[Lxc-users] Using initctl inside a container with upstart?

Serge E. Hallyn serue at us.ibm.com
Tue May 18 17:59:05 UTC 2010


Quoting Wilhelm (wilhelm.meier at fh-kl.de):
> Hi all,
> 
> Is it safe to use initctl in a container using upstart (as Ubuntu Lucid does)?
> 
> Especially, upstart-init uses an abstract unix-socket:
> 
> connect(3, {sa_family=AF_FILE, path=@"/com/ubuntu/upstart"}, 22) = 0
> 
> Is this socket separated from the parent (host) namespace, so the
> container can't affect the host system?

Yes, so long as you use a private net_ns, it will be separated.  If
you don't use a private net_ns, then not only will it talk to the
host's upstart, but, bc of current limitations on credentials passing,
upstart won't be able to tell if the container doesn't have
CAP_SYS_BOOT.

-serge
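An added example (my own, not code from the thread or from LXC) of how a host admin can check the point Serge makes: abstract unix sockets live in the network namespace, so the upstart control socket @/com/ubuntu/upstart is only "the host's" from inside a container if the container sees the same socket inode. The script parses /proc/net/unix text (two constructed samples are embedded; in practice pass the host's file and the container's, e.g. /proc/<container-init-pid>/net/unix) and reports abstract sockets both sides share.

```python
from dataclasses import dataclass

# Constructed sample of the host's /proc/net/unix (header + entries).
# Abstract sockets have a Path starting with '@'; the upstart control
# socket from the thread is listed next to a filesystem socket and an
# unnamed one.
HOST_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/com/ubuntu/upstart
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /var/run/dbus/system_bus_socket
0000000000000000: 00000003 00000000 00000000 0001 03 12347
"""

# Constructed sample as seen from a container with its own net_ns: the
# container's upstart bound the same abstract name, but it is a different
# socket (different inode), so it cannot reach the host's upstart.
CONTAINER_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 23456 @/com/ubuntu/upstart
"""

@dataclass(frozen=True)
class UnixSocket:
    inode: int
    path: str  # '' for unnamed sockets

def parse_proc_net_unix(text):
    """Parse /proc/net/unix content into UnixSocket records (header skipped)."""
    socks = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)  # keep a path containing spaces intact
        if len(fields) < 7:
            continue
        path = fields[7] if len(fields) == 8 else ''
        socks.append(UnixSocket(inode=int(fields[6]), path=path))
    return socks

def abstract_sockets(text):
    """Abstract-namespace socket names (leading '@' stripped) in one listing."""
    return [s.path[1:] for s in parse_proc_net_unix(text) if s.path.startswith('@')]

def shared_abstract_sockets(host_text, container_text):
    """(name, inode) pairs visible from both sides: a non-empty result means the
    container is talking to the host's socket, i.e. no private net_ns."""
    host = {(s.path[1:], s.inode) for s in parse_proc_net_unix(host_text) if s.path.startswith('@')}
    cont = {(s.path[1:], s.inode) for s in parse_proc_net_unix(container_text) if s.path.startswith('@')}
    return host & cont
```

Passing the host listing on both sides models a container that shares the host's net_ns: the upstart socket then shows up as shared.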
