[libvirt] [PATCHv3] lxc: give RW access to /proc/sys/net/ipv[46] to containers

Richard Weinberger richard.weinberger at gmail.com
Tue Dec 23 21:31:53 UTC 2014


On Wed, Dec 10, 2014 at 10:40 AM, Cédric Bosdonnat <cbosdonnat at suse.com> wrote:
> Some programs want to change some values for the network interfaces
> configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
> allows wicked to work on openSUSE 13.2+.
>
> Reusing the lxcNeedNetworkNamespace function to tell
> lxcContainerMountBasicFS whether the netns is disabled. When no netns is
> set up, we don't mount the /proc/sys/net/ipv[46] folders RW, as
> these would provide full access to the host NICs' config.
> ---
>  Diff to v2:
>    * mount from /.oldroot as suggested by Dan... removed the whole temporary
>      mount related code as it turned out useless.
>
>  src/lxc/lxc_container.c | 64 +++++++++++++++++++++++++++++++------------------
>  1 file changed, 41 insertions(+), 23 deletions(-)

So you continue ignoring my comments.
Now this kludge is in git and I see the next hack in the pipeline.
"[PATCH RFC] LXC: don't RO mount /proc, /sys when user namespace enabled"
Great software design that is...

Enough moaning, can we please just drop the RO /sys and /proc mounts?
I'll happily submit a patch but I really want a clear signal from
maintainers whether we want to continue with pseudo security or not.

BTW: Why do we set up all these mounts in lxc_container.c anyway?
Wouldn't it make sense to define them in the XML definition?

-- 
Thanks,
//richard
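The patch under discussion and the reply both turn on one question a practitioner can check from inside a container: which parts of /proc and /sys are actually writable, and whether a writable /proc/sys/net/* is the container's own sysctl tree (private netns) or the host's (shared netns, the caveat in the commit message). The script below is an added example and not libvirt code: it parses the proc(5) mountinfo format and reports the per-mount read-only flag for everything under /proc and /sys. The embedded mountinfo text is constructed to resemble a libvirt-lxc container after this patch (rw /proc, ro bind of /proc/sys, rw binds of /proc/sys/net/ipv[46]); its mount IDs, device numbers and the extra tmpfs are invented, and the `--shared-netns` flag is a hypothetical way to tell the audit that no network namespace was configured.

```python
"""Audit which /proc and /sys mounts inside a container are writable.

Parses /proc/self/mountinfo (proc(5) format) and reports the mounts under
/proc and /sys that lack the per-mount "ro" flag, plus whether a writable
/proc/sys/net/* mount reaches the host's network configuration because the
container shares the host network namespace.
"""
import re
import sys
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample (not captured from a real host) resembling a libvirt-lxc
# container after this patch: /proc is rw, /proc/sys is bind-mounted ro on
# top of it, and /proc/sys/net/ipv[46] are bind-mounted rw over the ro /proc/sys.
# Mount IDs, device numbers and the "shared data" tmpfs are invented.
SAMPLE_MOUNTINFO = """\
101 100 0:20 / / rw,relatime - ext4 /dev/mapper/vg-lxc rw
102 101 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
103 102 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
104 103 0:4 /sys/net/ipv4 /proc/sys/net/ipv4 rw,nosuid,nodev,noexec,relatime - proc proc rw
105 103 0:4 /sys/net/ipv6 /proc/sys/net/ipv6 rw,nosuid,nodev,noexec,relatime - proc proc rw
106 101 0:16 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
107 101 0:21 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
108 101 0:22 / /mnt/shared\\040data rw,relatime - tmpfs tmpfs rw
"""


@dataclass(frozen=True)
class MountEntry:
    mount_point: str
    root: str                # path within the mounted filesystem (bind source)
    fstype: str
    source: str
    options: FrozenSet[str]  # per-mount VFS flags: ro/rw, nosuid, nodev, ...


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[MountEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The variable-length optional-fields list ends at a lone "-" separator.
        pre, sep, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        entries.append(MountEntry(
            mount_point=_unescape(pre_fields[4]),
            root=_unescape(pre_fields[3]),
            fstype=post_fields[0],
            source=_unescape(post_fields[1]),
            options=frozenset(pre_fields[5].split(",")),
        ))
    return entries


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def rw_kernel_mounts(entries: List[MountEntry]) -> List[str]:
    """Mount points under /proc or /sys that are not read-only at the VFS level."""
    return sorted(e.mount_point for e in entries
                  if (_under(e.mount_point, "/proc") or _under(e.mount_point, "/sys"))
                  and "ro" not in e.options)


def proc_sys_net_writable(entries: List[MountEntry]) -> List[str]:
    """Writable mounts under /proc/sys/net, i.e. the paths this patch exposes rw."""
    return [p for p in rw_kernel_mounts(entries) if _under(p, "/proc/sys/net")]


def host_net_config_exposed(entries: List[MountEntry], netns_isolated: bool) -> bool:
    """A writable /proc/sys/net/* is the container's own sysctl tree only when it
    has a private network namespace; in the host netns it is the host's NIC config."""
    return bool(proc_sys_net_writable(entries)) and not netns_isolated


def main(argv: List[str]) -> int:
    # Usage: audit_mounts.py [/proc/self/mountinfo] [--shared-netns]
    # Without a path the constructed sample above is audited.
    path = next((a for a in argv[1:] if not a.startswith("--")), None)
    netns_isolated = "--shared-netns" not in argv
    text = open(path).read() if path else SAMPLE_MOUNTINFO
    entries = parse_mountinfo(text)
    for mp in rw_kernel_mounts(entries):
        print(f"writable kernel mount: {mp}")
    if host_net_config_exposed(entries, netns_isolated):
        print("WARNING: rw /proc/sys/net without a private netns reaches host NIC config")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_mounts.py /proc/self/mountinfo` inside a container to see the real picture; the per-mount `ro` flag in the sixth field is what matters for bind mounts, not the superblock options after the `-` separator, which stay `rw` for the underlying procfs even when the bind is read-only.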