[Lxc-users] Dropping sys_admin capability and procfs and sysfs ro-mount security

[Nd Dn]

How secure is combination of dropping sys_admin capability and mounting
proc and sys read-only?
What would be potential attack vector to break out from such container?

What are downsides of running such container? I've tried running debian
with nginx, php-fpm and standard stuff like syslog, ssh, getty and it seems
to work fine. Changing hostname and mount inside container doesn't work,
but that's not a big deal, since I'm controlling both host and container,
so I can set hostname and mount points in container config file.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20130417/22b955c3/attachment.html>