On Fri, 23.01.15 15:45, Christian Seiler ([email protected]) wrote:

> On 2015-01-23 08:29, Mantas Mikulėnas wrote:
> >IIRC, the reason for tmpfs on /run/user/* was lack of tmpfs quotas...
> >if that's still a problem, maybe there could be one tmpfs at /run/user,
> >still preventing users from touching root-only /run?
>
> Yes, that's a good idea. Initially when posting this thread I thought
> that there just had to be a trade-off between dropping CAP_SYS_ADMIN
> (and making it more difficult to escape the container), and a user
> inside the container DOSing the container by filling up /run.
>
> But with your idea, I can at least separate /run/user from /run
> itself

Hmm, which container manager are you using? I am tempted to just change
nspawn to mount a private tmpfs into /run/user, too, as it already
mounts /run anyway.

> (the same way mode=1777 /run/lock is a separate tmpfs already)
> by just a simple static mount entry for the container.

Hmm, /run/lock is a separate tmpfs? /run/lock is a pretty useless,
legacy thing. Which distro is this?

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
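
Added example (not part of the original thread, and not nspawn or systemd code): a check over the container's /proc/self/mountinfo of whether /run/user and /run/lock sit on their own mounts or share the /run tmpfs, which is the separation discussed above. The sample mountinfo text and all function names are constructed for illustration.

```python
# Constructed sample of /proc/self/mountinfo from inside a container
# (illustrative values, not taken from the thread).
SAMPLE_MOUNTINFO = """\
60 50 0:40 / / rw,relatime - ext4 /dev/sda1 rw
61 60 0:41 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
62 61 0:42 / /run/lock rw,nosuid,nodev,noexec - tmpfs tmpfs rw,size=5120k,mode=1777
"""

def parse_mountinfo(text):
    """Return (mount_point, fstype, superblock_options) for each mountinfo line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 7:
            continue
        sep = fields.index("-")  # optional fields end at the lone "-"
        opts = fields[sep + 3].split(",") if len(fields) > sep + 3 else []
        mounts.append((fields[4], fields[sep + 1], opts))
    return mounts

def covering_mount(mounts, path):
    """Mount that holds `path`: longest mount-point prefix, later entries win ties."""
    best = None
    for mount in mounts:
        prefix = mount[0].rstrip("/") + "/"
        if (path + "/").startswith(prefix):
            if best is None or len(mount[0]) >= len(best[0]):
                best = mount
    return best

def audit(text, paths=("/run/user", "/run/lock")):
    """Report, per path, whether it is on its own mount instead of the /run tmpfs."""
    mounts = parse_mountinfo(text)
    run_mount = covering_mount(mounts, "/run")
    report = {}
    for path in paths:
        mount = covering_mount(mounts, path)
        size = next((o[5:] for o in mount[2] if o.startswith("size=")), None)
        report[path] = {
            "mount": mount[0],
            "fstype": mount[1],
            "separate_from_run": mount[0] != run_mount[0],
            "size": size,  # None means no explicit size= option on the mount
        }
    return report

if __name__ == "__main__":
    for path, info in audit(SAMPLE_MOUNTINFO).items():
        print(path, info)
```

To check a live container, pass the contents of /proc/self/mountinfo read inside it to audit() in place of the sample.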
