In contrast to what the comment above the line disabling it said,
it seems to work just fine.  It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.

Signed-off-by: Serge Hallyn <[email protected]>
---
 config/templates/userns.conf.in | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 2d9d7d5..5dc19c7 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -13,7 +13,3 @@ lxc.mount.entry = /dev/random dev/random none 
bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =
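Review bot: The removal of `lxc.seccomp =` at the end of userns.conf.in leaves the template with no record of why the default seccomp policy is now kept for unprivileged containers. The deleted comment claimed non-root users cannot use seccomp without NNP, and the commit message only says it "seems to work just fine", without saying why that claim was wrong or which kernels were tested. I would replace the deleted comment with a short one stating that the default policy is intentionally left in effect here, and that it stops unprivileged containers from hosing fuse filesystems they inherit until the kernel fix lands upstream. That makes it less likely the override is re-added later. Naming Eric's patch by subject in the commit message would also let someone revisit this once it is merged.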
-- 
2.1.0

_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel