On Mon, 2012-10-22 at 16:21 -0500, Serge Hallyn wrote:
> Quoting Michael H. Warfield (m...@wittsend.com):
> > On Mon, 2012-10-22 at 15:14 -0500, Serge Hallyn wrote:

<Trimming some overhead we've seen enough of...>

> > > How about just a devtmpfs?  We actually now do this by default (as of very
> > > recently) in ubuntu by adding
> > 
> > > devtmpfs        dev          devtmpfs defaults 0 0
> > 
> > NO!  That's the problem!  That leads to the container connecting to the
> > host's console and other devices and committing random acts of terrorism.

> No, it shouldn't, because lxc sets up the console after doing the mounts.

Damn, dude!  That worked!  That kludge rang da bell.  Of course, I also
discovered the boneheaded typo I had in attempting the tmpfs mount in
the process.  :-P  I now have a container running systemd up and running
with Fedora 17 in it.

I'm not sure I'm totally happy with it.

Because of doing the devtmpfs thing, the guest can immediately see
things like removable drives coming and going and might, presumably, be
able to mount them.  Not thrilled with that from a security standpoint.
Would also mean the guests could access things like my permanent
forensic CDs that are in the CD drives.  I guess that can be restricted
in the config but still makes me a bit uncomfortable that the guest has
complete visibility into the host's dev system.

Another gotcha, albeit a much more minor one...  When systemd drops into
this mode, you no longer have vty consoles available so lxc-console
won't work.  That's actually on their page.

I remember seeing this:

-- 
If systemd detects it is run in a container it will spawn a single shell
on /dev/console, and not care about VTs or multiple gettys on VTs
-- 

Suboptimal but a small price to pay I suppose.

> -serge

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
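The restriction Mike says can be done "in the config", as an added example that is not part of this thread or of the LXC project's own files: an LXC container config fragment that keeps the devtmpfs mount from the thread but uses the cgroup device controller to deny every device node by default and allow only the usual pseudo devices. It assumes the `lxc.cgroup.devices.deny` / `lxc.cgroup.devices.allow` keys of LXC at the time and a rootfs path of `/var/lib/lxc/f17/rootfs`; major/minor numbers are the standard Linux ones.

```conf
# Added example: /var/lib/lxc/f17/config (path is an assumption)
lxc.utsname = f17
lxc.rootfs = /var/lib/lxc/f17/rootfs

# The mount from the thread: the guest gets a live devtmpfs, so it still
# *sees* host device nodes appear and disappear (removable drives, CD-ROMs).
lxc.mount.entry = devtmpfs dev devtmpfs defaults 0 0

# Mitigation: deny access to every device, then allow-list only what a
# systemd container needs.  Seeing a node is harmless if open() on it fails.
lxc.cgroup.devices.deny = a

# /dev/null, /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty, /dev/console, /dev/ptmx
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/pts/* (Unix98 pty slaves)
lxc.cgroup.devices.allow = c 136:* rwm
# /dev/rtc0 (needed by some init setups for clock access)
lxc.cgroup.devices.allow = c 254:0 rm

# No "b ..." allow lines: block devices such as /dev/sd* and /dev/sr*
# remain visible in the guest's /dev but cannot be opened or mounted.
```

A quick check from inside the guest is that `cat /sys/fs/cgroup/devices/devices.list` shows only the allowed entries and that reading a block device node fails with "Operation not permitted".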


_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users