Now CT starts in a new user namespace. This allows us * to remove our capabilities (CAP_VE_*) * to improve security of our containers, because a process doesn't have privileges outside the container
Here is a good article about user namespaces https://lwn.net/Articles/532593/ https://jira.sw.ru/browse/PSBM-33304 Users should not notice these changes, everything should work as before. Testing: * need to execute tests to check security of containers * execute all tests, because these changes are touching very general parts
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
