[libvirt] LXC: making the private root filesystem more secure

Daniel Veillard veillard at redhat.com
Thu Sep 4 06:06:35 UTC 2008

On Fri, Aug 29, 2008 at 06:59:21AM -0700, Dan Smith wrote:
> DB>     mkdir /dev/cgroups/libvirt/lxc/{NAME}
> I have a small (and not-yet-working) patch that uses libcgroup[1] to
> set up a cgroup per container.  This provides the ability to enforce the
> <memory> quantity on the group through memory.limit_in_bytes.  I've also
> got some stubs that I plan to use to provide access to cpu.shares
> through the scheduling parameters interface.
> DB>     echo "a" > /dev/cgroups/libvirt/lxc/{NAME}/devices.deny
> DB>     echo "c 1:3 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> DB>     echo "c 1:5 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> DB>     echo "c 1:7 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> DB>     echo "c 5:1 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> DB>     echo "c 1:8 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> DB>     echo "c 1:9 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> Adding this functionality to what I have should be rather trivial, I
> think.
> I'm still working with the libcgroup folks to get some kinks ironed out,
> but I will post the patches when we get something that works against
> some version of libcgroup.
> [1]: http://libcg.sourceforge.net

  I just checked the libcgroup header file available under Fedora 9 and
I'm a bit afraid of the dependency. They expose a lot of structure, some
clearly incomplete, which means linking to it in its current state may
turn into a problematic dependency.
  Maybe I need to look further, but really all those structures should
be hidden and accessors should be provided at the API level. I made that
mistake in libxml2, and still have the scars!


Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
