how to do not allow to mount /cgroup inside container?

Daniel Lezcano daniel.lezcano at free.fr
Tue Aug 25 05:47:35 PDT 2009


Krzysztof Taraszka wrote:
> Hi,
>
> I was looking for a possibility to secure an lxc container so as to not allow the 'root
> container user' to change limits from cgroup. Right now, without STACK64
> or SELinux, he can do this easily.
> I read the http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> and decided to use the STACK64 kernel mechanism.
> Well... mounting cgroup inside the container fails (great!, that is what I was looking for
> ;)) but networking fails too (the interface comes up, sshd comes up, there is a connection
> between host and container, but 'mtr', 'ping' and even 'apt-get update'
> fail and I do not know why). I secured my container exactly as in the
> cookbook.
>
> Is there any other possibility to have a secure container without network
> problems, or any hint on how to enable networking with STACK64 enabled? If so,
> maybe the l-lxc-security cookbook has to be updated? Maybe another kernel
> patch to not allow the container to mount cgroup when the mount call comes
> from the container?
>
> Any ideas?
>   
I think Serge can help you in this area (Cc'ed).
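The question above boils down to a capability problem: mount(2) is refused with EPERM unless the caller holds CAP_SYS_ADMIN, so a container whose root still has that capability can mount cgroup and rewrite its own limits no matter what the host intended. The following shell snippet is an added example, not code from this thread or from lxc: it reads the CapEff mask in the /proc/<pid>/status format and reports whether bit 21 (CAP_SYS_ADMIN, as numbered in linux/capability.h) is present, and scans /proc/mounts-style text for an existing cgroup mount. The sample masks and mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread): two checks a container
# admin can run from inside the container to see whether root there can
# still mount cgroup.

CAP_SYS_ADMIN=21   # bit index from linux/capability.h

# cap_set_has HEXMASK BIT
#   Exit 0 if bit BIT (0..31) is set in HEXMASK, the 64-bit hex value printed
#   after CapEff:/CapBnd: in /proc/<pid>/status; exit 1 if clear; exit 2 if
#   BIT is outside the low word this helper handles.
cap_set_has() {
    hex=$1
    bit=$2
    [ "$bit" -ge 0 ] && [ "$bit" -le 31 ] || return 2
    # keep only the last 8 hex digits (bits 0-31); shorter masks are used as-is
    if [ "${#hex}" -gt 8 ]; then
        low=${hex#"${hex%????????}"}
    else
        low=$hex
    fi
    [ $(( (0x$low >> bit) & 1 )) -eq 1 ]
}

# cgroup_mounted < /proc/mounts
#   Exit 0 if any line names a "cgroup" filesystem type (third field).
cgroup_mounted() {
    awk '$3 == "cgroup" { found = 1 } END { exit !found }'
}

# Constructed sample input (labelled as such): a Docker-style default mask
# that omits CAP_SYS_ADMIN, and a full root mask that includes it.
SAMPLE_CAPS_RESTRICTED=00000000a80425fb
SAMPLE_CAPS_FULL=0000003fffffffff

# When run directly on Linux, report on the current process.
if [ -r /proc/self/status ] && [ -r /proc/mounts ]; then
    eff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if cap_set_has "$eff" "$CAP_SYS_ADMIN"; then
        echo "CapEff=$eff: CAP_SYS_ADMIN present, mount(2) of cgroup is allowed"
    else
        echo "CapEff=$eff: CAP_SYS_ADMIN absent, mount(2) of cgroup will fail with EPERM"
    fi
    if cgroup_mounted < /proc/mounts; then
        echo "a cgroup filesystem is already mounted in this mount namespace"
    fi
fi
```

Dropping CAP_SYS_ADMIN from the container's capability set is a kernel-level answer to "deny the mount when the call comes from the container" that does not depend on an LSM policy; the trade-off is that the same capability gates a number of other privileged operations the container workload may need.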

