How to not allow mounting /cgroup inside a container?
krzysztof.taraszka at gnuhosting.net
Tue Aug 25 05:17:39 PDT 2009
I was looking for a possibility to secure an lxc container so that the 'root
container user' is not allowed to change limits from cgroup. Right now, without STACK64
or SELinux, he can do this easily.
I read the http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
and decided to use the STACK64 kernel mechanism.
Well... mounting cgroup inside the container fails (great! that is what I was looking for
;)) but networking fails too (the interface comes up, sshd comes up, there is a connection
between host and container, but 'mtr', 'ping' and even 'apt-get update'
fail and I do not know why). I secure my container exactly like in the
Is there any other possibility to have a secure container without network
problems, or any hint on how to enable networking with STACK64 enabled? If so,
maybe the l-lxc-security cookbook has to be updated? Maybe another kernel
patch to not allow the container to mount cgroup when the mount call comes