How to disallow mounting /cgroup inside a container?

Krzysztof Taraszka krzysztof.taraszka at
Tue Aug 25 05:17:39 PDT 2009


I was looking for a way to secure an LXC container so that the 'root
container user' is not allowed to change the limits set in cgroup. Right now, without STACK64
or SELinux, he can do this easily.
I read the
and decided to use the STACK64 kernel mechanism.
Well... mounting cgroup inside the container fails (great! that is what I was looking for
;)) but networking fails too (the interface comes up, sshd comes up, there is a connection
between host and container, but 'mtr', 'ping' and even 'apt-get update'
fail and I do not know why). I secured my container exactly like in the

Is there any other possibility to have a secure container without network
problems, or any hint on how to enable networking with STACK64 enabled? If so,
maybe the l-lxc-security cookbook has to be updated? Maybe another kernel
patch that does not allow the container to mount cgroup when the mount call comes
from the container?

Any ideas?

Krzysztof Taraszka
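An added example to check the property the post is asking about; it is not code from the original post, from LXC, or from the STACK64 patch. mount(2) is only permitted with CAP_SYS_ADMIN, so whether container root can mount cgroup comes down to whether CAP_SYS_ADMIN (capability number 21) is still in its effective set. The script parses the CapEff mask the kernel reports in /proc/<pid>/status and also wraps the direct test (try the mount as container root). It assumes a POSIX shell with awk on Linux; the two sample masks are constructed values, not captured from the poster's system, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of LXC itself.
# mount(2) requires CAP_SYS_ADMIN, so the question "can container root mount
# cgroup?" reduces to "is CAP_SYS_ADMIN (capability 21) in its effective set?".

# cap_sys_admin_in_mask MASK
#   MASK is a hexadecimal CapEff value as printed in /proc/<pid>/status,
#   with or without a 0x prefix. Prints "yes" if bit 21 is set, else "no".
cap_sys_admin_in_mask() {
    mask=${1#0x}
    # Convert the hex mask into an integer the shell can shift and mask.
    dec=$(printf '%d' "0x$mask")
    if [ $(( (dec >> 21) & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# cap_sys_admin_from_status FILE
#   FILE is a /proc/<pid>/status file (or a saved copy of one).
cap_sys_admin_from_status() {
    mask=$(awk '/^CapEff:/ { print $2 }' "$1")
    cap_sys_admin_in_mask "$mask"
}

# try_cgroup_mount DIR
#   The direct test the post cares about: attempt the mount as container root.
#   Returns 0 if the mount succeeded (the container is NOT locked down),
#   1 if the kernel refused it. Must be run inside the container as root;
#   a successful mount is undone immediately.
try_cgroup_mount() {
    dir=${1:-/cgroup}
    mkdir -p "$dir" 2>/dev/null || return 1
    if mount -t cgroup none "$dir" 2>/dev/null; then
        umount "$dir" 2>/dev/null
        return 0
    fi
    return 1
}

# Constructed sample masks (assumed values, not captured from a real host):
#   a full root set of 34 capabilities (bits 0..33), as a 2009-era kernel has
FULL_ROOT_MASK=00000003ffffffff
#   the same set with only CAP_SYS_ADMIN (bit 21) cleared
NO_SYS_ADMIN_MASK=00000003ffdfffff

# When run directly on Linux, report on the current process.
if [ -r /proc/self/status ]; then
    echo "CAP_SYS_ADMIN in effective set: $(cap_sys_admin_from_status /proc/self/status)"
fi
```

Run it as root inside the container: if the capability check prints "no", `try_cgroup_mount` should return 1 and the cgroup limits set on the host cannot be remounted and rewritten from inside. If it prints "yes", the STACK64 patch (or whatever other mechanism is in use) is the only thing standing between container root and the cgroup hierarchy, since the plain capability check does not stop it.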
