[Lxc-users] Jumping out of a read-only bind mount container

Andre Nathan andre at digirati.com.br
Mon Feb 7 12:27:32 UTC 2011


On Mon, 2011-02-07 at 03:58 -0800, Dean Mao wrote:
> Yeah, would be nice to have this list -- I remember looking all over,
> but I didn't see lxc.console.  Is there a comprehensive list of these
> "abilities"?

So far, for a container running apache and cron, plus the usual stuff
(init, getty, login), I managed to drop these:

  audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, 
  lease, linux_immutable, mac_admin, mac_override, mknod, net_raw, 
  setfcap, setpcap, sys_admin, sys_boot, sys_module, sys_nice, 
  sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time, 
  sys_tty_config

So far everything seems to be working, but possibly some more will have
to be removed from the list.

Andre
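Added example, not part of Andre's message or of the LXC project: a small check that the capability list above actually took effect inside a running container. LXC applies such a list through the `lxc.cap.drop` key in the container config, and the kernel exposes the result as the `CapBnd` (bounding set) mask in `/proc/<pid>/status`. The script decodes that mask and reports which of the intended drops are still present. The `/proc` status text used here is constructed, and the capability bit numbers are the kernel's own (`include/uapi/linux/capability.h`).

```python
import re

# Linux capability bit numbers, spelled lower-case to match lxc.cap.drop.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37,
}

# The set Andre reports dropping for his apache + cron container.
ANDRE_DROPS = {
    "audit_control", "audit_write", "fowner", "fsetid", "ipc_lock", "ipc_owner",
    "lease", "linux_immutable", "mac_admin", "mac_override", "mknod", "net_raw",
    "setfcap", "setpcap", "sys_admin", "sys_boot", "sys_module", "sys_nice",
    "sys_pacct", "sys_ptrace", "sys_rawio", "sys_resource", "sys_time",
    "sys_tty_config",
}


def parse_cap_field(status_text, field="CapBnd"):
    """Return the hex capability mask for `field` from /proc/<pid>/status text."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field),
                  status_text, re.M)
    if m is None:
        raise ValueError("no %s line in status text" % field)
    return int(m.group(1), 16)


def mask_to_names(mask):
    """Translate a capability bit mask into the set of capability names."""
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}


def check_bounding_set(status_text, expected_dropped):
    """Return (still_present, effective_drops): which of the expected drops
    survive in the bounding set, and which are really gone."""
    present = mask_to_names(parse_cap_field(status_text, "CapBnd"))
    expected = set(expected_dropped)
    return expected & present, expected - present


# Constructed sample: a 2.6.x-era bounding set (caps 0..33) with Andre's list
# removed. 0x41ce7 keeps bits 0,1,2,5,6,7,10,11,12,18 (chown, dac_override,
# dac_read_search, kill, setgid, setuid, net_bind_service, net_broadcast,
# net_admin, sys_chroot).
SAMPLE_OK = "Name:\tinit\nPid:\t1\nCapBnd:\t0000000000041ce7\n"
# Constructed sample where sys_admin (bit 21, 0x200000) was not dropped.
SAMPLE_LEAK = "Name:\tinit\nPid:\t1\nCapBnd:\t0000000000241ce7\n"


def report(status_text, expected_dropped=ANDRE_DROPS):
    """Print a human-readable verdict; returns True if every drop took effect."""
    still, gone = check_bounding_set(status_text, expected_dropped)
    print("dropped as intended : %s" % ", ".join(sorted(gone)))
    if still:
        print("STILL IN BOUNDING SET: %s" % ", ".join(sorted(still)))
    return not still


if __name__ == "__main__":
    import sys
    # Usage: python check_caps.py /proc/<pid-of-container-init>/status
    # Without an argument the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report(fh.read())
    else:
        report(SAMPLE_OK)
        report(SAMPLE_LEAK)
```

Run it against the status file of the container's init process (PID 1 as seen from the host), since every process in the container inherits its bounding set from there; a capability that shows up under "STILL IN BOUNDING SET" was not removed by the config and is worth a second look.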