On Thu, Feb 23, 2006 at 12:17:58AM +0100, Bruno wrote:
> On Wednesday 22 February 2006 23:44, Jon Scottorn wrote:
> > Is it recommended to not use mount within a vserver, should I just mount
> > it from the host side or does it not really matter if I do mount it
> > within the vserver?
>
> You should only add mount capabilities to the guest if you trust what's
> running inside.
> If you can it's better to mount your NFS mountpoints from the host
> (from either host or guest network context, depending on your choice)

I agree here, but the main reason is that NFS mounts
have a potential for DoS (think timeout)

> This is more of a personal decision on what permissions you give to
> your guest's root. But if mounting is possible, you can't prevent the
> guest from accessing any devices (e.g. by mounting a pre-made /dev to
> work around missing mkdev capability).

that's not that easy, as the secure_mount adds nodev
by default

HTH,
Herbert

> best,
> Bruno
>
> > Thanks again.
> >
> > On Wed, 2006-02-22 at 23:15 +0100, Herbert Poetzl wrote:
> > > On Wed, Feb 22, 2006 at 03:08:46PM -0700, Jon Scottorn wrote:
> > > > Hi All,
> > > >
> > > > I am wondering if the mount command can be run within a vserver?
> > > > I am trying to mount a nfs mount within a vserver and I get permission
> > > > denied. I can mount the nfs share from another machine that is not a
> > > > vserver and it works.
> > >
> > > with sufficient capabilities you can do that
> > >
> > > http://linux-vserver.org/Caps+and+Flags
> > >
> > > check out binary_mount and secure_mount capability
> > >
> > > HTH,
> > > Herbert
> > >
> > > > Thanks in advance,
> > > >
> > > > Jon Scottorn
> > > > Systems Administrator
> > > > The Possibility Forge, Inc.
> > > > http://www.possibilityforge.com
> > > > 435.635.0591 x.1004
> > > >
> > > > _______________________________________________
> > > > Vserver mailing list
> > > > [email protected]
> > > > http://list.linux-vserver.org/mailman/listinfo/vserver
> >
> > Jon Scottorn
> > Systems Administrator
> > The Possibility Forge, Inc.
> > http://www.possibilityforge.com
> > 435.635.0591 x.1004
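The nodev and NFS points discussed in the thread above, as an added example that is not part of the original messages or of the Linux-VServer project: a small shell check that reads a mount table in /proc/mounts format and reports filesystems mounted without nodev, plus any NFS mounts. The function names, finding tags and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a guest's mount table.
# Reads lines in /proc/mounts format: device mountpoint fstype options dump pass

# has_opt OPTS NAME: true if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_mounts: one finding per line, "<TAG> <mountpoint> <fstype>".
#   NODEV-MISSING  device nodes on this filesystem are honoured
#   NFS            network mount whose server timeouts can stall the guest
audit_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        [ -n "$opts" ] || continue          # skip blank or short lines
        if ! has_opt "$opts" nodev; then
            echo "NODEV-MISSING $mnt $fstype"
        fi
        case "$fstype" in
            nfs|nfs4) echo "NFS $mnt $fstype" ;;
        esac
    done
    return 0
}

# Constructed sample mount table for a hypothetical guest.
SAMPLE_MOUNTS='/dev/hdv1 / ext3 rw,nodev 0 0
none /proc proc rw,nodev,nosuid,noexec 0 0
/dev/loop0 /mnt/dev ext2 rw 0 0
192.0.2.10:/export /srv/data nfs rw,nodev,hard,addr=192.0.2.10 0 0'

# Run against the sample; inside a real guest use: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On the sample table this reports the loop-mounted /mnt/dev as lacking nodev and lists the NFS mount on /srv/data.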
