I noticed that using the lxc.mount.auto feature solved it (sysfs and proc will be
mounted read-only).

/usr/share/lxc/config/debian.common.conf
----------------------------------------
--- debian.common.conf  2014-10-14 03:46:44.000000000 +0900
+++ debian.common.conf  2014-12-03 20:59:31.414601423 +0900
@@ -2,8 +2,7 @@
 lxc.pivotdir = lxc_putold
 
 # Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.auto = proc sys cgroup
 
 # Default console settings
 lxc.tty = 4
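Review bot: the two removed `lxc.mount.entry` lines carried explicit mount options (`nodev,noexec,nosuid` on proc) and the replacement `lxc.mount.auto = proc sys cgroup` leaves the proc and sys modes to the version defaults; if the intent is read-only, spell it out with the suffix forms (e.g. `lxc.mount.auto = proc:mixed sys:ro cgroup`) so the behaviour does not depend on which LXC release interprets the bare keywords. The hunk also adds `cgroup` to the auto-mount list, which the removed entries never mounted, so the change does more than the proc/sys fix described in the report; either drop it from this patch or mention it explicitly in the description.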
----------------------------------------

In my opinion it may be a serious problem that container users
have the ability to modify everything in /proc or /sys of the parent system.

Thanks,
-- 
Kenshi Muto
km...@debian.org

