[libvirt] [PATCH] Update docs about user namespace for LXC
Gao feng
gaofeng at cn.fujitsu.com
Wed Sep 11 03:17:12 UTC 2013
On 09/10/2013 05:08 PM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> Mention that user namespace can be enabled using the UID/GID
> mapping schema.
>
> Fix typo in link anchor for container args in domain XML docs.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
ACK
> docs/drvlxc.html.in | 14 +++++---------
> docs/formatdomain.html.in | 2 +-
> 2 files changed, 6 insertions(+), 10 deletions(-)
>
> diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
> index 640968f..1e6aa1d 100644
> --- a/docs/drvlxc.html.in
> +++ b/docs/drvlxc.html.in
> @@ -40,15 +40,11 @@ primary "host" OS environment, the libvirt LXC driver requires that
> certain kernel namespaces are compiled in. Libvirt currently requires
> the 'mount', 'ipc', 'pid', and 'uts' namespaces to be available. If
> separate network interfaces are desired, then the 'net' namespace is
> -required. In the near future, the 'user' namespace will optionally be
> -supported.
> -</p>
> -
> -<p>
> -<strong>NOTE: In the absence of support for the 'user' namespace,
> -processes inside containers cannot be securely isolated from host
> -process without the use of a mandatory access control technology
> -such as SELinux or AppArmor.</strong>
> +required. If the guest configuration declares a
> +<a href="formatdomain.html#elementsOSContainer">UID or GID mapping</a>,
> +the 'user' namespace will be enabled to apply these. <strong>A suitably
> +configured UID/GID mapping is a pre-requisite to making containers
> +secure, in the absence of sVirt confinement.</strong>
> </p>
>
> <h2><a name="init">Default container setup</a></h2>
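Review bot: The replacement paragraph loses the concrete consequence the old NOTE spelled out, namely that without the 'user' namespace container processes are not securely isolated from host processes; consider keeping that in the new <strong> sentence, e.g. "Without a UID/GID mapping or sVirt confinement, processes inside the container are not securely isolated from the host." Also "pre-requisite" is normally spelled "prerequisite", and since "sVirt confinement" replaces the earlier "SELinux or AppArmor" wording, a parenthetical or link naming those technologies would help readers unfamiliar with the sVirt term. The new href to formatdomain.html#elementsOSContainer only resolves once the anchor typo fix in the second hunk lands, so both hunks should stay in one commit.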
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index f8bfe0b..971b059 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -263,7 +263,7 @@
> <span class="since">Since 1.0.4</span></dd>
> </dl>
>
> - <h4><a name="eleemntsOSContainer">Container boot</a></h4>
> + <h4><a name="elementsOSContainer">Container boot</a></h4>
>
> <p>
> When booting a domain using container based virtualization, instead
>
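Review bot: Renaming the anchor from eleemntsOSContainer to elementsOSContainer breaks any existing link to the misspelled name, and HTML anchors have no redirect; worth a grep of docs/ (and any other references you control) for "eleemnts" before merging. The fix itself is correct and matches the href introduced in drvlxc.html.in.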
More information about the libvir-list mailing list