[lxc-users] [serge.hallyn at ubuntu.com: Re: Hardware log entries spread on containers]
Sébastien NOBILI
sebnewsletter at free.fr
Tue Jan 6 08:45:15 UTC 2015
Hi,
Thanks for your reply.
On Monday, 05 January 2015 at 17:16, Serge Hallyn wrote:
> > Why do containers "see" the device being plugged?
>
> Because the udev messages are being sent to all namespaces. In the
> future we may end up only sending those to the host namespace, with a
> userspace daemon on the host forwarding appropriate messages into
> containers (policy-driven). That's not there yet.
If the behavior is only udev-related, then it's OK for me.
> > Is there any security issue with this behavior (I don't want any container to be
> > able to mount this - or any - drive)?
>
> Depends on your setup, but presumably the containers should be prevented
> from creating the device node as well as mounting that drive by the devices
> cgroup.
I've tried creating the device node inside the container, which wasn't allowed.
No security issue, that's great.
Sébastien
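The control Serge points at is the devices cgroup whitelist: with `lxc.cgroup.devices.deny = a` followed by a handful of `lxc.cgroup.devices.allow` entries, a container can neither `mknod` the hot-plugged disk nor open it even if a node already existed. The script below is an added illustration and is not part of the original thread or of LXC itself. It models the kernel's cgroup-v1 devices check over a constructed `devices.list` (the entries approximate a typical 2015-era LXC default whitelist but are made up for this example; the cgroup path in the comments varies by distribution), so you can see why `b 8:0 m` for a freshly plugged `/dev/sda` is refused while `/dev/pts/4` is fine.

```shell
#!/bin/sh
# Constructed sample of what the kernel exposes in
# /sys/fs/cgroup/devices/<container>/devices.list for a container whose
# LXC config looks roughly like
#   lxc.cgroup.devices.deny  = a            # deny everything first
#   lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null, then the rest
# The list below is illustrative, not copied from any real host.
SAMPLE_DEVICES_LIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 5:2 rwm
c 136:* rwm
c 10:229 rwm'

# device_allowed TYPE MAJOR MINOR ACCESS LIST
#   TYPE   c (char) or b (block)
#   ACCESS any combination of r (read), w (write), m (mknod)
# Exit status 0 when a single whitelist entry covers every requested access
# bit for that device, 1 otherwise. This mirrors the cgroup-v1 devices
# controller: one matching entry must grant all requested bits, 'a' matches
# both device types and '*' is a wildcard major or minor.
# The body runs in a subshell so IFS and 'set -f' changes stay local.
device_allowed() (
    dtype="$1" major="$2" minor="$3" access="$4" list="$5"
    set -f                      # entries contain '*'; never glob them
    IFS='
'
    for entry in $list; do
        IFS=' '
        # shellcheck disable=SC2086
        set -- $entry
        [ $# -eq 3 ] || continue                     # skip malformed lines
        e_type="$1" e_major="${2%%:*}" e_minor="${2#*:}" e_access="$3"
        [ "$e_type" = a ] || [ "$e_type" = "$dtype" ] || continue
        [ "$e_major" = '*' ] || [ "$e_major" = "$major" ] || continue
        [ "$e_minor" = '*' ] || [ "$e_minor" = "$minor" ] || continue
        # every requested bit must be present in this one entry
        covered=1
        for bit in r w m; do
            case "$access" in
                *"$bit"*) case "$e_access" in *"$bit"*) ;; *) covered=0 ;; esac ;;
            esac
        done
        [ "$covered" -eq 1 ] && exit 0
    done
    exit 1
)

# Offline demo: the pty the admin is typing on versus the newly plugged disk.
for dev in "c 136 4 rwm" "b 8 0 m" "b 8 0 r"; do
    # shellcheck disable=SC2086
    set -- $dev
    if device_allowed "$1" "$2" "$3" "$4" "$SAMPLE_DEVICES_LIST"; then
        echo "$1 $2:$3 $4 -> allowed"
    else
        echo "$1 $2:$3 $4 -> denied"
    fi
done

# On a live host (root and LXC 1.x required; not executed here) the same
# policy is exercised end to end: mknod must fail with EPERM and the cgroup
# file must show only the whitelisted entries. Path varies by distribution.
#   lxc-attach -n "$CONTAINER" -- mknod /tmp/sda b 8 0
#   cat /sys/fs/cgroup/devices/lxc/"$CONTAINER"/devices.list
```

Two caveats worth keeping in mind when you run the live check: the whitelist is per cgroup, so a container started with a different config (or `lxc.cgroup.devices.allow = a`) gets a different answer, and on cgroup v2 hosts the devices controller is a BPF program with no `devices.list` file, so the only reliable test there is the `mknod` attempt itself.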