richard -rw- weinberger
<richard.weinber...@gmail.com> writes:
> I'm using lxc to run a few virtual private servers.
> What capabilities are harmful and should be dropped using "lxc.cap.drop"?
FWIW...
Running 10.04 both as the "dom0" and in the containers, I am dropping
the following capabilities. Basically I started by dropping ALL
capabilities, then twiddled individual caps until <things> worked
again -- which you can see in the commented-out lines.
The "root_squash" ones are a bit like NFS root_squash, which treats root:root
as nobody:nogroup. They basically broke a lot of "apt-get install foo"
postinst scripts.
I get around upstart wanting sys_admin by adding lxc.mount.entry lines
for proc and sys, and diverting mount/umount/swapon/swapoff and
symlinking them to /bin/true within the guest. The main reason I did
that was to prevent / being mount -o remount,ro by
/etc/init.d/umountnfs during halt.
bad_caps=(
# chown net_admin setgid # getty or login
# net_bind_service net_raw net_broadcast # dhclient
# setuid # rsyslog
# sys_chroot # openssh-server
# fowner dac_override dac_read_search # lots of things (like
root_squash)
audit_control audit_write fsetid ipc_lock ipc_owner kill lease
linux_immutable mac_admin mac_override mknod setfcap setpcap
sys_admin sys_boot sys_module sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config )
------------------------------------------------------------------------------
What happens now with your Lotus Notes apps - do you make another costly
upgrade, or settle for being marooned without product support? Time to move
off Lotus Notes and onto the cloud with Force.com, apps are easier to build,
use, and manage than apps on traditional platforms. Sign up for the Lotus
Notes Migration Kit to learn more. http://p.sf.net/sfu/salesforce-d2d
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
