On 01/05/2011 10:40 AM, Mike Hommey wrote:
> [Copy/pasted from a previous message to lkml, where it was suggested to
> try contain...@]
>
> Hi,
>
> I noticed that from within an lxc container, writing "3" to
> /proc/sys/vm/drop_caches would flush the host page cache. That sounds a
> little dangerous for VPS offerings that would be based on lxc, as in one
> VPS instance root user could impact the overall performance of the host.
> I don't know about other containers but I've been told openvz isn't
> subject to this problem.
> I only tested the current Debian Squeeze kernel, which is based on
> 2.6.32.27.
There is definitely a lot of work to do with /proc. Some files should not be accessible (/proc/sys/vm/drop_caches, /proc/sys/kernel/sysrq, ...) and some others should be virtualized (/proc/meminfo, /proc/cpuinfo, ...). Serge suggested creating something similar to the cgroup device whitelist but for /proc; maybe it is a good approach for denying access to a specific proc file.
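An added example, not from the thread, of the defensive check a VPS operator would want: a POSIX shell audit that reads a mountinfo table (the format of /proc/self/mountinfo) and reports whether the two /proc files named above are masked from container root. It assumes the mitigation is the one later container runtimes adopted (a read-only bind mount of /proc/sys, or /dev/null bound over the file); the sample mount tables are constructed, not captured from a real host.

```shell
# proc_masked PATH < mountinfo
# A path counts as masked when a mount sits directly over it (e.g. /dev/null
# bound over the file) or an ancestor such as /proc/sys is mounted read-only.
# Prints the reason and returns 0, or prints WRITABLE and returns 1.
# In mountinfo, field 5 is the mount point and field 6 its mount options.
proc_masked() {
    awk -v p="$1" '
        function ro(o) { return o ~ /(^|,)ro(,|$)/ }
        {
            mp = $5
            if (p == mp) { over = mp; next }            # mount directly over the file
            if (mp == "/" || index(p, mp "/") == 1) {   # mp is an ancestor of p
                if (length(mp) > length(best)) { best = mp; bestro = ro($6) }
            }
        }
        END {
            if (over != "") { print "masked: mount over " over; exit 0 }
            if (bestro)     { print "masked: " best " is read-only"; exit 0 }
            print "WRITABLE"; exit 1
        }'
}

# Constructed sample tables. Default: /proc mounted rw, nothing masked.
default_mountinfo() {
    printf '%s\n' \
      '20 1 0:19 / / rw,relatime - ext4 /dev/vda1 rw' \
      '21 20 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'
}
# Hardened: /proc/sys remounted read-only and /dev/null bound over sysrq.
hardened_mountinfo() {
    default_mountinfo
    printf '%s\n' \
      '22 21 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw' \
      '23 22 0:5 /null /proc/sys/kernel/sysrq rw,nosuid - devtmpfs udev rw'
}

# audit_proc MOUNTINFO_CMD: checks each sensitive file named in the thread
# against the table printed by MOUNTINFO_CMD (use `cat /proc/self/mountinfo`
# inside a live container) and returns the number of files still writable.
audit_proc() {
    n=0
    for f in /proc/sys/vm/drop_caches /proc/sys/kernel/sysrq; do
        printf '%s: ' "$f"
        "$1" | proc_masked "$f" || n=$((n + 1))
    done
    return "$n"
}
```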