(sorry for top post... mobiles don't make it easy otherwise)

Yes it would be better if you deny all, then specifically allow any devices the container needs [to create].

Also, private devpts is already possible... just add "newinstance" to devpts mount options; you should also do this for the host, and ensure /dev/ptmx is a symlink to /dev/pts/ptmx for both host and containers.

C Anthony [mobile]

On Jul 30, 2010, at 8:21 PM, "Serge E. Hallyn" <serge.hal...@canonical.com> wrote:

> Quoting Osvaldo Filho (arquivos...@gmail.com):
>> The problem is with config file, on lxc-create
>> lxc.cgroup.devices.deny = a
>>
>> Solved.
>
> That's ok if you don't mind, but not the generally preferred
> solution, since without a custom selinux or smack policy you
> don't have anything else protecting your devices.
>
> -serge

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
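
An added example, not part of the original thread: a small Python check that an LXC config follows the deny-all-then-allow pattern recommended in the reply above. The sample config and the function name `audit_devices` are constructed for illustration; the device numbers are the usual Linux major:minor values for the devices named in the comments.

```python
import re

# Constructed sample config (not from the thread): deny everything first,
# then allow only the character devices the container needs.
SAMPLE = """\
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/urandom
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/ptmx and the pts slaves under /dev/pts
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
"""

RULE = re.compile(r"^\s*lxc\.cgroup\.devices\.(allow|deny)\s*=\s*(\S.*?)\s*$")

def audit_devices(config_text):
    """Return (allowed_rules, findings) for the device cgroup lines of a config.

    Only the deny-all / allow pattern is checked; specific deny entries
    (for example 'deny = c 1:3 rwm') are ignored by this example.
    """
    allowed, findings, deny_all_seen = [], [], False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue  # comments and unrelated keys
        action, rule = m.groups()
        fields = rule.split()
        if action == "deny" and fields[0] == "a":
            deny_all_seen = True
            allowed.clear()  # a deny-all discards allow entries written before it
        elif action == "allow":
            if not deny_all_seen:
                findings.append(f"line {lineno}: allow before any 'deny = a'")
            if fields[0] == "a" or (len(fields) > 1 and fields[1] == "*:*"):
                findings.append(f"line {lineno}: '{rule}' re-opens all devices")
            allowed.append(rule)
    if not deny_all_seen:
        findings.append("no 'lxc.cgroup.devices.deny = a': "
                        "container inherits the parent's device access")
    return allowed, findings

if __name__ == "__main__":
    rules, problems = audit_devices(SAMPLE)
    print("allowed:", rules)
    print("findings:", problems or "none")
```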