[libvirt] [PATCH 2 of 2] Use cgroup functions to set resource limits on LXC domains

Dan Smith danms at us.ibm.com
Thu Oct 16 15:16:36 UTC 2008

DB> The device whitelisting is all very nice, but we completely forgot
DB> / ignored the fact that there's nothing stopping a container
DB> mounting the cgroups device controller and giving itself the
DB> device access we just took away :-)

Ah, interesting.

DB> So, looks like we need to explicitly set the capabilities of
DB> containers to either mask out CAP_SYS_ADMIN from libvirtd's set,
DB> or construct an explicit capability whitelist

Yeah, I guess so.  I'll start looking into this :)

Dan Smith
IBM Linux Technology Center
Open Hypervisor Team
email: danms at us.ibm.com

More information about the libvir-list mailing list