On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container. It seems to work for me. In fact... I thought LXC *always*
removed that capability, even if you never mentioned it?
Nice! Is there a list of capabilities
On Mon, 2011-02-07 at 03:58 -0800, Dean Mao wrote:
Yeah, would be nice to have this list -- I remember looking all over,
but I didn't see lxc.console. Is there a comprehensive list of these
abilities?
So far, for a container running apache and cron, plus the usual stuff
(init, getty, login),
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
So far, for a container running apache and cron, plus the usual stuff
(init, getty, login), I managed to drop these:
audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner,
lease, linux_immutable, mac_admin, mac_override,
hello,
I have gentoo with 2.6.37-gentoo #1 SMP kernel, and lxc-0.7.3-r1
I successfully installed debian template and used it some time (about 1
month). Today after turning off the container, I can't start it. I get the
following message
# lxc-start -n debian
lxc-start: inherited
On 02/07/2011 03:52 PM, Володя К. wrote:
07.02.11, 17:31, Daniel Lezcano daniel.lezc...@free.fr:
On 02/07/2011 03:15 PM, Володя К. wrote:
Are you using Midnight Commander ?
yes, I have installed Midnight Commander and use it very often
I don't remember exactly but
On 02/07/2011 04:20 PM, Володя К. wrote:
can you advise me some simple solution
Closing the fd is a workaround and that must work, but maybe it is worth
upgrading gdm and check the problem is resolved ?
I don't have gdm installed
hmm. An application is leaking a fd somewhere.
You
can you advise me some simple solution
Closing the fd is a workaround and that must work, but maybe it is worth
upgrading gdm and check the problem is resolved ?
I don't have gdm installed
--
The modern
Hi,
On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
In the container, I can use the mount command with the -oremount,rw
options and then edit the file from the container.
So the bind read-only mounts are no protection against changing the
filesystem of the container,
Andre Nathan an...@digirati.com.br writes:
On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container. It seems to work for me. In fact... I thought LXC *always*
removed that capability, even if you never mentioned
Matto Fransen ma...@matto.nl writes:
Hi,
On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
In the container, I can use the mount command with the -oremount,rw
options and then edit the file from the container.
So the bind read-only mounts are no protection against
On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan an...@digirati.com.br wrote:
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
So far, for a container running apache and cron, plus the usual stuff
(init, getty, login), I managed to drop these:
audit_control, audit_write, fowner, fsetid,
Hi,
On Tue, Feb 08, 2011 at 11:19:20AM +1100, Trent W. Buck wrote:
Matto Fransen ma...@matto.nl writes:
This is a problem with the sshd bind readonly containers, because
lxc-init mounts /proc, /dev/shm and /dev/mqueue.
With lxc.cap.drop=sys_admin it is therefore not possible to use