Quoting Sébastien NOBILI ([email protected]):
> Hi,
>
> I'm not registered to the mailing list, so please keep me in CC.
>
> I've installed LXC on my Debian (stable, Wheezy) server (named "serveur").
>
> I've got some containers (named "smtp", "xmpp" and "web") on this server.
>
> Each container's rsyslog is configured to send logs to the main server.
>
> When I plug a USB HDD into the main server, I get the following trace:
>
> Dec 11 18:36:56 serveur kernel: [135361.732032] usb 1-8: new high-speed USB device number 3 using ehci_hcd
> Dec 11 18:36:56 xmpp kernel: [135361.865004] usb 1-8: New USB device found, idVendor=152d, idProduct=2338
> Dec 11 18:36:56 xmpp kernel: [135361.865012] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=5
> Dec 11 18:36:56 xmpp kernel: [135361.865020] usb 1-8: Manufacturer: JMicron
> Dec 11 18:36:56 xmpp kernel: [135361.865023] usb 1-8: SerialNumber: 7D2500BE6E50
> Dec 11 18:36:56 xmpp kernel: [135361.866020] scsi3 : usb-storage 1-8:1.0
> Dec 11 18:36:57 serveur kernel: [135362.884494] sd 3:0:0:0: [sdc] No Caching mode page found
> Dec 11 18:36:57 smtp kernel: [135362.881252] sd 3:0:0:0: [sdc] No Caching mode page found
> Dec 11 18:36:57 serveur kernel: [135362.937146] sdc: sdc1 sdc2
> Dec 11 18:36:57 serveur kernel: [135362.941606] sd 3:0:0:0: [sdc] No Caching mode page found
> Dec 11 18:36:57 serveur kernel: [135362.941728] sd 3:0:0:0: [sdc] Attached SCSI disk
> Dec 11 18:36:58 xmpp kernel: [135363.124089] usb 1-8: reset high-speed USB device number 3 using ehci_hcd
> Dec 11 19:00:24 smtp kernel: [136769.064234] usb 1-8: USB disconnect, device number 3
>
> Some events get caught by containers…
>
> When the HDD is plugged in, containers can't access it (no device node under /dev and no way to create it using mknod), which is normal.
>
> Why do containers "see" the device being plugged?
Because the udev messages are being sent to all namespaces. In the future we may end up only sending those to the host namespace, with a userspace daemon on the host forwarding appropriate messages into containers (policy-driven). That's not there yet.

> Is there any security issue with this behavior (I don't want any container to be able to mount this - or any - drive)?

Depends on your setup, but presumably the containers should be prevented from creating the device node as well as mounting that drive by the devices cgroup.

-serge

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
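Serge's answer points at the devices cgroup as the control that keeps a container from creating or opening /dev/sdc even though the uevent reaches it. The script below is an added example, not from this thread and not LXC project code, that audits a Wheezy-era LXC container config for exactly that: it requires the deny-all rule and flags any allow rule for block devices or for all devices, and asks the same question of the kernel's own devices.list. The sample configs and device lists are constructed (the container names match the thread, the rules do not come from it), and the /sys/fs/cgroup/devices/lxc/<name>/devices.list path is an assumption about the cgroup layout.

```shell
#!/bin/sh
# Added example: audit the devices cgroup rules that decide whether an LXC
# container can create or open a block device such as /dev/sdc.
# Assumes the classic config keys (lxc.cgroup.devices.deny/allow) used by
# LXC on Debian Wheezy; the cgroup mount path further down is assumed too.

# Constructed sample configs (not from the original thread).
SAMPLE_CONFIG_OK='lxc.utsname = web
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
lxc.cgroup.devices.allow = c 5:1 rwm    # /dev/console
lxc.cgroup.devices.allow = c 136:* rwm  # ptys'

SAMPLE_CONFIG_BAD='lxc.utsname = xmpp
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = b 8:* rwm    # every sd* disk, a hot-plugged sdc included'

SAMPLE_CONFIG_NODENY='lxc.utsname = smtp
lxc.cgroup.devices.allow = c 1:3 rwm'   # no deny=a: the cgroup keeps "a *:* rwm"

# Constructed samples of what the kernel reports in devices.list.
SAMPLE_LIST_OK='c 1:3 rwm
c 1:5 rwm
c 136:* rwm'
SAMPLE_LIST_BAD='c 1:3 rwm
b *:* m'       # "m" alone still lets the container mknod block devices

# devices_cgroup_blocks_disks CONFIG_TEXT
# Returns 0 when the config first denies every device and never re-allows
# block devices ("b ...") or all devices ("a"); returns 1 and prints the
# offending rules otherwise. Text after "#" is treated as a comment.
devices_cgroup_blocks_disks() {
    stripped=$(printf '%s\n' "$1" | sed 's/#.*//')
    if ! printf '%s\n' "$stripped" | grep -Eq \
        '^[[:space:]]*lxc\.cgroup\.devices\.deny[[:space:]]*=[[:space:]]*a([[:space:]]|$)'; then
        echo "missing 'lxc.cgroup.devices.deny = a': cgroup default allows every device" >&2
        return 1
    fi
    bad=$(printf '%s\n' "$stripped" | grep -E \
        '^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*[ab]([[:space:]]|$)' || true)
    if [ -n "$bad" ]; then
        printf 'rules granting block-device access:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# devices_list_allows_disks DEVICES_LIST_TEXT
# Same question asked of the kernel's view: the content of
# /sys/fs/cgroup/devices/lxc/<name>/devices.list (assumed layout).
# Returns 0 if any "a" or "b" entry is present, i.e. block devices reachable.
devices_list_allows_disks() {
    printf '%s\n' "$1" | grep -Eq '^[ab][[:space:]]'
}

# Optional: audit a real config and, for a running container, its live list.
# Usage: sh audit-devices-cgroup.sh /var/lib/lxc/web/config web
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    devices_cgroup_blocks_disks "$(cat "$1")" && echo "config: block devices denied"
    if [ -n "${2:-}" ] && [ -r "/sys/fs/cgroup/devices/lxc/$2/devices.list" ]; then
        if devices_list_allows_disks "$(cat "/sys/fs/cgroup/devices/lxc/$2/devices.list")"; then
            echo "live cgroup for $2 still allows block devices" >&2
        else
            echo "live cgroup for $2: block devices denied"
        fi
    fi
fi
```

Two details matter in practice. A child devices cgroup starts with its parent's permissions, so without the `deny = a` line the container keeps `a *:* rwm` no matter how many specific allow lines follow. And the access letters are separate: `m` only grants mknod, so a `b *:* m` entry lets the container create a node for sdc but not open it, while `rwm` on a block device is what would make the mount the question worries about possible.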
