[libvirt] [PATCH 0 of 2] Cgroup and LXC fixes

Dan Smith danms at us.ibm.com
Thu Oct 16 21:07:55 UTC 2008

This set moves the cgroup creation before that of the container process,
thus ensuring that it is put in the cgroup as well.  As a result, I noticed
that we need to allow device access to /dev/pts/*, and thus added a cgroup
mechanism to allow a whole major device type.  The LXC driver is made to
allow major type 136 as a result.

Note that this doesn't seem to do much to really restrict the container.
While it does prevent them from opening devices other than what are allowed,
the container can still mount (or access) the cgroup filesystem and move
itself out of its own group and into the unrestricted root.  Further,
it can just add whitelist entries for the devices it wants to gain access.

I tested code to restrict the devices in the per-driver cgroup, but that
appears to have no effect, because from within the container, I can still
add "b 8:* rwm" to my group's devices.allow and subsequently access SCSI
disks.  Even still, this patch set is crucial for proper cgroup membership of 
the container children.
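An added example, not part of this patch set or of libvirt's own code: a small audit helper that parses the rules found in a cgroup's devices.list (the devices-controller whitelist discussed above) and flags entries broader than a single device, such as a whole-major rule like "c 136:* rwm" or "b 8:* rwm". It also builds the whole-major allow rule the series adds for major 136 (/dev/pts/*). The sample devices.list content is constructed here; the file path and rule format are those of the cgroup v1 devices controller.

```python
"""Audit cgroup v1 devices-controller whitelist entries.

Lines in devices.list and devices.allow have the form
    <type> <major>:<minor> <access>
where type is a (all), b (block) or c (char), major/minor are
numbers or '*', and access is some subset of r, w and m.  A bare "a"
is also accepted by the kernel and means every device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_RULE_RE = re.compile(r"^([abc])(?:\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3}))?$")

# Constructed sample of what a container's devices.list might show:
# two single character devices, the whole pty-slave major (136) that
# the LXC driver opens up, and an over-broad rule for every SCSI disk.
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 136:* rwm
b 8:* rwm
"""


@dataclass
class DeviceRule:
    dev_type: str          # 'a', 'b' or 'c'
    major: Optional[int]   # None means '*'
    minor: Optional[int]   # None means '*'
    access: str            # e.g. 'rwm'

    def scope(self) -> str:
        """Classify how much of the device namespace this rule covers."""
        if self.dev_type == "a":
            return "all-devices"
        if self.major is None:
            return "all-" + ("block" if self.dev_type == "b" else "char")
        if self.minor is None:
            return "whole-major"
        return "single-device"


def parse_rule(line: str) -> DeviceRule:
    """Parse one devices.list / devices.allow line into a DeviceRule."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a devices-controller rule: {line!r}")
    dev_type, major, minor, access = m.groups()
    if major is None:
        # Only the bare "a" form may omit major:minor and access.
        if dev_type != "a":
            raise ValueError(f"rule is missing major:minor: {line!r}")
        return DeviceRule("a", None, None, "rwm")
    return DeviceRule(dev_type,
                      None if major == "*" else int(major),
                      None if minor == "*" else int(minor),
                      access)


def format_major_rule(dev_type: str, major: int, access: str = "rwm") -> str:
    """Build the rule admitting every minor of one major, as the patch
    set does for major 136 (/dev/pts/*)."""
    if dev_type not in ("b", "c"):
        raise ValueError("device type must be 'b' or 'c'")
    if not access or any(ch not in "rwm" for ch in access):
        raise ValueError("access must be a non-empty subset of 'rwm'")
    return f"{dev_type} {major}:* {access}"


def broad_rules(devices_list: str) -> List[str]:
    """Return the rules in a devices.list dump that grant more than a
    single device.  A tightly confined container normally shows only
    single-device entries plus the majors the driver chose to allow."""
    return [line.strip() for line in devices_list.splitlines()
            if line.strip() and parse_rule(line).scope() != "single-device"]


if __name__ == "__main__":
    print("rule added for /dev/pts/*:", format_major_rule("c", 136))
    for rule in broad_rules(SAMPLE_DEVICES_LIST):
        print("broad rule:", rule, "->", parse_rule(rule).scope())
```

To audit a live group, read `/sys/fs/cgroup/devices/<group>/devices.list` (cgroup v1 mounted with the devices controller) and pass its contents to broad_rules(); any whole-major or all-devices entry that the driver did not intend is worth a second look, which is exactly the kind of rule the message notes a container could add for itself.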