[lxc-users] [serge.hallyn at ubuntu.com: Re: Hardware log entries spread on containers]

Sébastien NOBILI sebnewsletter at free.fr
Tue Jan 6 08:45:15 UTC 2015


Hi,

Thanks for your reply.

On Monday, 5 January 2015 at 17:16, Serge Hallyn wrote:
> > Why do containers "see" the device being plugged?
> 
> Because the udev messages are being sent to all namespaces.  In the
> future we may end up only sending those to the host namespace, with a
> userspace daemon on the host forwarding appropriate messages into
> containers (policy-driven).  That's not there yet.

If the behavior is only udev-related, then it's OK for me.

> > Is there any security issue with this behavior (I don't want any container to be
> > able to mount this - or any - drive)?
> 
> Depends on your setup, but presumably the containers should be prevented
> from creating the device node as well as mounting that drive by the devices
> cgroup.

I've tried creating the device node inside the container, which wasn't allowed.
No security issue, that's great.

Sébastien
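Sébastien's check above (attempting to create the node and finding it refused) is the devices cgroup doing its job. As an added example, not from this thread or the LXC project, here is a small Python reader for the format of a cgroup's `devices.list` file that answers the same question from the allow-list itself; the sample list is constructed, and `device_allowed` reproduces the kernel rule that every requested access bit must be granted by one single matching entry.

```python
import re

# devices.list: one allow entry per line, "<type> <major>:<minor> <access>"; type is a/b/c, "*" = wildcard
ENTRY_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

# Constructed sample resembling a restrictive container: null, zero, tty, console, ptys; no block devices
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 5:0 rwm
c 5:1 rwm
c 136:* rwm
"""

def _num(field):
    return None if field == "*" else int(field)  # wildcard major/minor becomes None

def parse_devices_list(text):
    """Return (type, major, minor, access-set) tuples for every non-empty line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable devices.list entry: {line!r}")
        dev_type, major, minor, access = m.groups()
        entries.append((dev_type, _num(major), _num(minor), frozenset(access)))
    return entries

def device_allowed(entries, dev_type, major, minor, access):
    """True if a single entry matches the device and grants every requested bit;
    "b 8:* r" plus "b 8:0 w" does not add up to rw for 8:0, as the kernel checks each entry alone."""
    wanted = set(access)
    for e_type, e_major, e_minor, e_access in entries:
        if e_type != "a" and e_type != dev_type:
            continue
        if e_major is not None and e_major != major:
            continue
        if e_minor is not None and e_minor != minor:
            continue
        if wanted <= e_access:
            return True
    return False

def block_device_grants(entries):
    """Entries that reach any block device: what to look for when a drive plugged
    into the host must stay out of reach of the container."""
    return [e for e in entries if e[0] in ("a", "b")]
```

On a running host the text to parse comes from the container's cgroup directory (`devices.list` under the devices controller); an empty result from `block_device_grants` means no block device, the newly plugged drive included, can be opened or mknod'ed from inside.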
