On Fri, Jul 04, 2014 at 01:20:09AM +0200, Gianluigi Tiesi wrote:
> Hi,
> lxc creates a symlink from /dev/kmsg to /dev/console
> but unfortunately syslogd (i.e. from inetutils) wants to read from
> /proc/kmsg.
> This caused very nasty problems on the host so I had to disable klog
> part of inetutils-syslogd.
> I would also prevent containers from reading my kernel buffer ring
> (dmesg) and hang the host syslogd, is there a way to have such kind
> of isolation?

Properly blocking dmesg is kind of hard, if I recall correctly you need a mix of
apparmor and seccomp to block access to /proc/kmsg, /dev/kmsg and the syslog
syscall.

> Regards
>
> --
> Gianluigi Tiesi <[email protected]>
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
>
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
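The following is an added example, not part of the thread and not LXC's own code: a small Python check that an AppArmor profile and an LXC seccomp policy together cover the three dmesg paths named in the reply (/proc/kmsg, /dev/kmsg and the syslog syscall). The profile name `lxc-no-dmesg`, the sample rules and the use of LXC's version-2 blacklist policy format are assumptions constructed for the illustration.

```python
import re

# Constructed sample inputs (not from the thread): an AppArmor profile excerpt
# with a hypothetical name, and an LXC seccomp policy in version-2 blacklist form.
APPARMOR_PROFILE = """\
profile lxc-no-dmesg {
  # ... rest of the container profile ...
  deny /proc/kmsg rwklx,
  deny /dev/kmsg rwklx,
}
"""
SECCOMP_POLICY = """\
2
blacklist
syslog errno 1
"""
KMSG_FILES = ("/proc/kmsg", "/dev/kmsg")


def apparmor_denied_reads(profile):
    """Return the kmsg paths named literally in a deny rule that includes read."""
    denied = set()
    for line in profile.splitlines():
        m = re.match(r"\s*deny\s+(\S+)\s+([a-z]+),", line)
        if m and m.group(1) in KMSG_FILES and "r" in m.group(2):
            denied.add(m.group(1))
    return denied


def seccomp_blocks_syslog(policy):
    """True if a version-2 blacklist policy lists syslog with a non-allow action."""
    rows = [l.split("#")[0].split() for l in policy.splitlines()]
    rows = [r for r in rows if r]
    if len(rows) < 2 or rows[0] != ["2"] or rows[1][0] != "blacklist":
        return False
    return any(r[0] == "syslog" and len(r) > 1 and r[1] != "allow" for r in rows[2:])


def dmesg_gaps(profile, policy):
    """List the dmesg access paths that neither policy closes."""
    gaps = [p for p in KMSG_FILES if p not in apparmor_denied_reads(profile)]
    if not seccomp_blocks_syslog(policy):
        gaps.append("syslog(2)")
    return gaps
```

The check only matches literal paths, so a profile that covers the files through a glob or a variable such as `@{PROC}` is reported as a gap and needs a manual look.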
