[Lxc-users] Using initctl inside a container with upstart?
Serge E. Hallyn
serue at us.ibm.com
Tue May 18 17:59:05 UTC 2010
Quoting Wilhelm (wilhelm.meier at fh-kl.de):
> Hi all,
>
> Is it safe to use initctl in a container using upstart (as Ubuntu Lucid does)?
>
> Especially, upstart-init uses an abstract unix-socket:
>
> connect(3, {sa_family=AF_FILE, path=@"/com/ubuntu/upstart"}, 22) = 0
>
> Is this socket separated from the parent (host) namespace, so the
> container can't affect the host-system?
Yes, so long as you use a private net_ns, it will be separated. If
you don't use a private net_ns, then not only will it talk to the
host's upstart, but, because of current limitations on credentials
passing, upstart won't be able to tell if the container doesn't have
CAP_SYS_BOOT.
-serge
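As an added illustration of the point above (example code, not from the list post or the LXC project): a small check over an LXC container config that reports whether the container will get its own network namespace, and therefore whether the abstract socket @/com/ubuntu/upstart seen by initctl inside the container is container-local or the host's. It assumes the LXC convention that a private net_ns is created only when the config defines a network with an lxc.network.type other than "none"; the sample configs are constructed.

```python
"""Audit an LXC config for a private network namespace (added example).

Assumption (not stated on the page): the container gets its own net_ns
only when the config defines a network, i.e. any lxc.network.type other
than "none". With no network section, the container shares the host's
net_ns, so upstart's abstract socket @/com/ubuntu/upstart inside the
container is the host's socket and initctl reaches the host's init.
"""
import re

# Constructed sample configs: one with a private net_ns, one without.
PRIVATE_CFG = """
lxc.utsname = lucid1
lxc.rootfs = /var/lib/lxc/lucid1/rootfs
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
"""

SHARED_CFG = """
lxc.utsname = lucid2
lxc.rootfs = /var/lib/lxc/lucid2/rootfs
# no lxc.network.* lines: shares the host network namespace
"""


def network_types(config_text):
    """Return the lxc.network.type values found in the config (comments ignored)."""
    types = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"lxc\.network\.type\s*=\s*(\S+)", line)
        if m:
            types.append(m.group(1).lower())
    return types


def has_private_netns(config_text):
    """True if the config gives the container its own network namespace."""
    return any(t != "none" for t in network_types(config_text))


def audit(config_text):
    """One-line verdict on where initctl's connect() to @/com/ubuntu/upstart lands."""
    if has_private_netns(config_text):
        return "OK: private net_ns; @/com/ubuntu/upstart is container-local"
    return ("WARNING: no private net_ns; initctl in the container talks to "
            "the host's upstart via @/com/ubuntu/upstart")


if __name__ == "__main__":
    for name, cfg in (("lucid1", PRIVATE_CFG), ("lucid2", SHARED_CFG)):
        print(name, "->", audit(cfg))
```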