Quoting Andreas Laut (andreas.l...@spark5.de):

> Hi list,
>
> usually lxc containers mount proc and sysfs read-write. With this
> configuration one container can easily kill the host system and all the
> running containers on it (as both are global).
>
> So we think about mounting proc and sysfs read-only.
> Our test server/container runs smoothly and doesn't show any problems
> until now.
>
> Has someone tested this already or has it in productive use? Why is the
> default to mount both read-write?
Because you're only looking at part of the problem. In your test, did you
prevent root from being able to remount /proc and /sys rw?

In Ubuntu we prevent writing to dangerous /proc and /sys paths using
apparmor, and don't allow mounting proc and sys to anyplace but /proc and
/sys. The same could be done using selinux and smack.

You can also enable user namespaces (see lxc.idmap in the lxc.conf manpage),
after which files under /proc and /sys will be owned by users not mapped
into the container's user ns, which will prevent the container writing to
those files.

> Your help and ideas are appreciated,
>
> Regards
> Andreas
>
> _______________________________________________
> Lxc-users mailing list
> Lxc-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
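As an added example (not part of the list thread and not LXC's own code), a small host-side audit for the remount point raised in the reply: given a container's mountinfo table (for instance /proc/<init pid>/mountinfo of the container, read from the host), it lists proc and sysfs instances that are still writable, which catches both a /proc that root inside the container remounted rw and a second proc mounted somewhere other than /proc. The sample mountinfo is constructed.

```python
"""Audit a mountinfo table for proc/sysfs instances that are still writable."""
import sys

PSEUDO_FS = {"proc", "sysfs"}  # the two filesystems the thread is about


def parse_mountinfo(text):
    """Yield (mountpoint, fstype, effectively_read_only) per mountinfo line.

    Format (Documentation/filesystems/proc.txt):
      id parent maj:min root mountpoint mount_opts [optional...] - fstype source super_opts
    A mount is read-only if either the per-mountpoint flags (e.g. a bind
    mount remounted ro) or the superblock flags carry "ro".
    """
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        fields, rest = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(rest) < 3:
            continue  # blank or truncated line
        mountpoint = fields[4].replace("\\040", " ")  # kernel escapes spaces as \040
        mount_ro = "ro" in fields[5].split(",")
        super_ro = "ro" in rest[2].split(",")
        yield mountpoint, rest[0], mount_ro or super_ro


def writable_pseudo_fs(text):
    """Mount points of proc/sysfs instances that are writable, sorted."""
    return sorted(mp for mp, fstype, ro in parse_mountinfo(text)
                  if fstype in PSEUDO_FS and not ro)


# Constructed sample (not a capture from the list thread): /sys is read-only,
# /proc/sys is a read-only bind mount, but root inside the container has
# remounted /proc rw and mounted a second proc instance under /mnt/p.
SAMPLE_MOUNTINFO = """\
31 25 0:26 / / rw,relatime - ext4 /dev/mapper/lxc-web rw,errors=remount-ro
32 31 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
33 31 0:15 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
34 32 0:3 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
35 31 0:5 / /dev rw,relatime - devtmpfs udev rw,size=10240k
36 31 0:3 / /mnt/p rw,relatime - proc proc rw
"""

if __name__ == "__main__":
    # Pass /proc/<pid>/mountinfo of the container's init PID, as seen from the
    # host, to check a running container; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for mp in writable_pseudo_fs(text):
        print("writable pseudo filesystem mounted at", mp)
```

Running it against the sample reports /mnt/p and /proc while the read-only /sys and the ro bind mount over /proc/sys stay quiet, which is the state a read-only-proc configuration is meant to keep.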