[lxc-users] Disable lxc-attach
Claudio Cesar Sanchez Tejeda
demonccc.y at gmail.com
Mon Jan 12 15:11:24 UTC 2015
OK, but I'm not selling anything... It is only to prevent misuse of
the applications and prevent some issues... Anyway... Thanks!
On Mon, Jan 12, 2015 at 11:15 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Please stop discussing this here. Aside from the fact that your goal is
> insulting to your users and anathema to open source, containers cannot
> help you with your goal. Users always have been able to, as root on the
> host, ptrace-attach to your task. Options like disabling the pidns (which
> Vijay was suggesting) or using a custom LSM require you to prevent the
> user from running a custom kernel.
>
> Perhaps you really want to sell your software on a little usb-disk-sized
> mini-processor talking to the user's computer over usb3. That would be
> more platform-independent, safer for you, and safer for the user, and
> given the value you place on your software should be worth the cost.
>
> Quoting Claudio Cesar Sanchez Tejeda (demonccc.y at gmail.com):
>> Thanks!
>>
>> But... how can I remove the pid of the namespace?
>>
>> What functionalities are we going to lose by removing the pid?
>>
>> Regards.
>>
>> On Fri, Jan 9, 2015 at 9:02 PM, Vijay Viswanathan <vijay.vishy at gmail.com> wrote:
>> > There is no straightforward way.
>> >
>> > There is one hack with some functionality sacrifice.
>> > You could remove the pid namespace and start your container and
>> > lxc-attach will break.
>> >
>> > lxc-attach: No such file or directory - failed to open '/proc/4579/ns/pid'
>> > lxc-attach: failed to enter the namespace
>> >
>> >
>> >
>> > On Tue, Jan 6, 2015 at 11:15 AM, Claudio Cesar Sanchez Tejeda
>> > <demonccc.y at gmail.com> wrote:
>> >> Hi,
>> >>
>> >> Does someone know how I can disable the lxc-attach command / functionality?
>> >>
>> >> I want to create a completely isolated LXC container, and I don't want
>> >> anyone to be able to start processes or enter the container using a
>> >> shell (or run commands).
>> >>
>> >> Regards.
>> >> _______________________________________________
>> >> lxc-users mailing list
>> >> lxc-users at lists.linuxcontainers.org
>> >> http://lists.linuxcontainers.org/listinfo/lxc-users