[PATCH 9/9] Document usage of multiple-instances of devpts

Serge E. Hallyn serue at us.ibm.com
Wed Oct 15 12:48:22 PDT 2008


Quoting H. Peter Anvin (hpa at zytor.com):
> Serge E. Hallyn wrote:
>> Looks good.  In the very last part, you might say just a little more to
>> make sure it's clear:  You want to mount -o newinstance before sshd
>> or gnome is started in the root container, so that a child container
>> can't reach your devpts by doing a mount -t devpts without -o
>> newinstance.  It's not that it's not clear in what you write, it's
>> more that it's at the very end and brief, so I'm afraid it's not
>> attention-grabbing enough as is.
>
> Actually, you should just enable newinstance everywhere, in particular
> in your fstab, so that ALL instances of devpts in the system have
> newinstance (leaving the legacy one unreachable.)
>
> In that sense I think your text above is more confusing than what
> Sukadev had.
>
> 	-hpa

That's fine, I just want a clearer louder warning that without that, a
container is not isolated from your devpts.

Maybe just 'WARNING' above point 7?

Or just leave it.  You're right, his text is plenty clear.

-serge
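The point the thread turns on is that any devpts mount without `newinstance` is the shared legacy instance, so a container that does a plain `mount -t devpts` lands on the host's ptys. The following audit script is an added example, not part of this thread or of the kernel documentation under review: it reads a `/proc/mounts`-style file and reports every devpts mount that lacks the `newinstance` option, which is the check an administrator would run after following hpa's advice to put `newinstance` in fstab. The input file below is constructed sample data (the paths and option strings are illustrative), and the function name `devpts_without_newinstance` is this example's own.

```shell
#!/bin/sh
# Added example: audit devpts mounts for the "newinstance" option.
# Reads a /proc/mounts-style file given as $1 so it runs offline on
# sample data; on a live system you would pass /proc/self/mounts.
#
# Background (from the kernel devpts documentation): with newinstance,
# /dev/ptmx must point at /dev/pts/ptmx (symlink or bind mount), and a
# matching fstab line looks like:
#   devpts  /dev/pts  devpts  defaults,newinstance,ptmxmode=0666  0 0

# Prints each devpts mount missing newinstance; returns 0 if none are
# missing, 1 if at least one legacy (shared) instance is mounted.
devpts_without_newinstance() {
    mounts_file="$1"
    bad=0
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = "devpts" ] || continue
        case ",$opts," in
            *,newinstance,*) ;;   # isolated instance, fine
            *) echo "devpts at $mnt lacks newinstance (opts: $opts)"
               bad=1 ;;
        esac
    done < "$mounts_file"
    return $bad
}

# Constructed sample: a legacy shared devpts at /dev/pts plus one
# isolated instance for a container rootfs (paths are illustrative).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /srv/containers/c1/rootfs/dev/pts devpts rw,nosuid,noexec,relatime,newinstance,ptmxmode=666 0 0
EOF

# Constructed sample where every instance is isolated.
SAMPLE_MOUNTS_OK=$(mktemp)
cat > "$SAMPLE_MOUNTS_OK" <<'EOF'
devpts /dev/pts devpts rw,nosuid,noexec,relatime,newinstance,ptmxmode=666 0 0
EOF

# Usage: exits non-zero when the shared legacy devpts is still mounted.
devpts_without_newinstance "$SAMPLE_MOUNTS"
```

The check keys on the options column only, so it does not care where the instance is mounted; a legacy mount reachable from a container is a problem regardless of path, which is why hpa suggests giving every instance `newinstance` rather than special-casing the root container.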
