[PATCH 0/9] Multiple devpts instances

H. Peter Anvin hpa at zytor.com
Thu Feb 19 14:46:37 PST 2009


Daniel Lezcano wrote:
> 
> But if I am able to create a new instance of devpts for a container and 
> modify the configuration of another devpts from this container, is it 
> acceptable? Can we convince people to use the containers for security 
> and have anybody able to make a pty starvation from one container to 
> another?
> If it is too much complicated to handle one value per new devpts 
> instance, IMHO /proc/sys/kernel/pty/max should be, at least, read-only 
> for the new instance, no?
> 

First of all, there is no such thing... the devpts instance is simply 
another filesystem, whereas the /proc/sys entry is a global limit on the 
total number of ptys in the system.  Again, one of thousands, and yes, 
they probably should ALL be readonly in a container environment.  That 
has to be set up separately from the devpts filesystem, because the 
devpts filesystem is not tied to procfs or even containers in any way.

	-hpa
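The following is an added illustration of the point above, not code from the thread or from the devpts patch series. It assumes a Linux host where devpts accepts the newinstance and ptmxmode mount options (what this series adds) and exposes /proc/sys/kernel/pty/max and /proc/sys/kernel/pty/nr; the function names are mine. pty_headroom reads the two global counters (paths are parameters so it can be run against constructed files), and setup_container_pty shows that a private devpts mount and a read-only /proc/sys are two separate steps, as hpa says:

```shell
#!/bin/sh
# Added example: a private devpts instance does NOT give a container its own
# pty budget. kernel/pty/max and kernel/pty/nr are system-wide counters, so a
# container that can fill the pool starves every other devpts instance, and a
# container that can write pty/max changes the limit for everyone.

# Remaining ptys on the system. File paths default to the real sysctl files
# but can be pointed at constructed files for a dry run. Returns 1 if either
# file cannot be read.
pty_headroom() {
    max_file=${1:-/proc/sys/kernel/pty/max}
    nr_file=${2:-/proc/sys/kernel/pty/nr}
    max=$(cat "$max_file") || return 1
    nr=$(cat "$nr_file") || return 1
    echo $((max - nr))
}

# Whether the current process could write a sysctl file ("rw" or "ro").
# Inside a container the answer for kernel/pty/max should be "ro"; nothing
# about the devpts mount itself makes that happen.
sysctl_mode() {
    if [ -w "$1" ]; then echo rw; else echo ro; fi
}

# Container-side setup, to be run as root inside the container's mount
# namespace (e.g. under `unshare -m`). $1 is the container rootfs, which is
# assumed to already have /dev and a mounted /proc.
#  1. a separate devpts instance, so /dev/pts names and index allocation are
#     private to the container;
#  2. /dev/ptmx must point into that instance, otherwise open("/dev/ptmx")
#     keeps allocating from the host's instance;
#  3. /proc/sys is made read-only by its own bind mount, because devpts has
#     no hook into procfs: the two are configured independently.
setup_container_pty() {
    root=${1:?container rootfs}
    mount -t devpts -o newinstance,ptmxmode=0666 devpts "$root/dev/pts"
    ln -sf pts/ptmx "$root/dev/ptmx"
    mount --bind "$root/proc/sys" "$root/proc/sys"
    mount -o remount,bind,ro "$root/proc/sys" "$root/proc/sys"
}
```

On the host, `pty_headroom` with no arguments shows how much of the single global pool is left; the number does not change when a new devpts instance is mounted, only when ptys are actually opened, which is the whole reason the limit cannot be delegated per instance.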


More information about the Containers mailing list