I don't know if it is "legal" to send the email here.
================
I am playing with libvirt 1.1.1 (lxc).
When I was starting an LXC container, the process location of cgroup is pretty,
just the root directory from the process. But I could tune the cgroup in a
container as a user that logged in. This is not accepted...
I wonder how to restrict it with AppArmor, so one cannot modify files in the
cgroup fs, e.g. the cpus or mem.
If I restrict it with "deny /sys/fs/cgroup/** wrklx," in AppArmor, the
container would not start up.
"Permission denied", because a process would mount the cgroup; it seems to be
done by libvirt_lxc.
Any way to restrict the cgroup in the container, or just not mount cgroup in the
container?
Any help would be appreciated, thanks.
--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list