how to do not allow to mount /cgroup inside container?

Daniel Lezcano daniel.lezcano at
Tue Aug 25 05:47:35 PDT 2009

Krzysztof Taraszka wrote:
> Hi,
> I was looking for possibility to secure lxc container to do not allow 'root
> container user'  from changing limits from cgroup. Right now without STACK64
> or SELinux he can do this easily.
> I read the
> and decided to use STACK64 kernel mechanism.
> Well... mounting cgroup inside container fails (great!, i am looked for that
> ;)) but networking fails too (interface bring up, sshd bring up, connection
> beetween host and container is, but 'mtr', 'ping' even 'apt-get update'
> fails and I do not know why). I secure my container exactly like in the
> cookbook.
> Is there any other possilbility to have secure container without network
> problems or any hint now to enable networking with stack64 enabled? If so,
> maybe the l-lxc-security cookbook have to updated? Maybe another kernel
> patch to do not allow container to mount cgroup when the mount call come
> from container?
> Any ideas?
I think Serge can help you on this area (Cc'ed).

More information about the Containers mailing list