[libvirt] [PATCH 2 of 2] Use cgroup functions to set resource limits on LXC domains
Dan Smith
danms at us.ibm.com
Thu Oct 16 15:16:36 UTC 2008
DB> The device whitelisting is all very nice, but we completely forgot
DB> / ignored the fact that there's nothing stopping a container
DB> mounting the cgroups device controller and giving itself the
DB> device access we just took away :-)
Ah, interesting.
DB> So, looks like we need to explicitly set the capabilities of
DB> containers to either mask out CAP_SYS_ADMIN from libvirtd's set,
DB> or construct an explicit capability whitelist
Yeah, I guess so. I'll start looking into this :)
--
Dan Smith
IBM Linux Technology Center
Open Hypervisor Team
email: danms at us.ibm.com
More information about the libvir-list
mailing list