Quoting jeetu.gol...@gmail.com (jeetu.gol...@gmail.com):
> Hi Serge,
>
> Thanks for taking the time :)
>
> > Note you can of course just add the network lines to this file by
> > yourself, you don't have to create a whole new container right now :)
>
> > No, the automatic use of a system lxc.conf is just an ubuntu thing. Can't
> > really go upstream because it's pretty distro-specific.
>
> That explains that :)
>
> From my limited knowledge though it seems that lxc.cgroup.devices.deny
> = a would deny access to all devices and shouldn't this therefore
> isolate network interfaces in the host from the container? As I

the devices cgroup only prevents access to block and character device
nodes in the filesystem. (i.e. /dev/loop0 which is block maj 7 minor 0)

> mentioned in spite of this setting my container can see and operate on
> interfaces in the host. Explicitly adding the network stanza to config
> as recommended solves that however I'm wondering if this is deliberate
> by design and if so the rationale behind this - just trying to get a
> deeper understanding of design considerations of lxc.
>
> I'm also concerned that similarly there could be other devices /
> resources not automatically isolated and that require explicit
> configuration.

Plenty. Containers are not root-secure. See
https://wiki.ubuntu.com/LxcSecurity for starters.

-serge

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
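The point Serge makes above is easy to miss when reading a container config: `lxc.cgroup.devices.deny = a` governs device nodes (character and block majors/minors), and says nothing about which network namespace the container runs in. The added example below is not from the thread and is not LXC's own tooling. It embeds two constructed configs, the weak one (device policy only, so the container keeps the host's interfaces) and the corrected one with a `veth` network stanza, and a small POSIX shell check that reports whether a config actually declares network isolation. The container name `demo`, the bridge `lxcbr0` and the rootfs path are illustrative assumptions; the `lxc.*` keys are the ones used in the thread's era of LXC.

```shell
# Added example, not part of the original mailing-list post or of LXC.
# Demonstrates that a devices-cgroup deny rule does not give a container
# its own network namespace; only a network stanza does.

# Constructed weak config: denies all device nodes (and re-allows
# /dev/null and /dev/zero) but has no lxc.network.* lines, so the
# container shares the host's interfaces.  Names are illustrative.
WEAK_CONF='lxc.utsname = demo
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
'

# Constructed corrected config: same device policy, plus an explicit
# veth stanza, which is what actually puts the container in its own
# network namespace.
FIXED_CONF='lxc.utsname = demo
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
'

# check_lxc_net_isolation CONFIG_TEXT
# Prints "isolated" and returns 0 when the config declares a network
# type that creates a namespace (veth, macvlan, phys, vlan, empty);
# prints "shared" and returns 1 when the key is absent or set to
# "none", because in both cases the host's interfaces stay visible.
check_lxc_net_isolation() {
    _type=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*lxc\.network\.type[[:space:]]*=[[:space:]]*//p' \
        | head -n 1)
    case "$_type" in
        ""|none) echo "shared";   return 1 ;;
        *)       echo "isolated"; return 0 ;;
    esac
}

# check_lxc_devices_denied CONFIG_TEXT
# Returns 0 when the config carries lxc.cgroup.devices.deny = a.  Note
# that this passes for BOTH configs above: the device policy is the
# same, and it is not what decides network visibility.
check_lxc_devices_denied() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*lxc\.cgroup\.devices\.deny[[:space:]]*=[[:space:]]*a[[:space:]]*$'
}

# Stand-alone run: report both properties for both configs.
for _name in WEAK_CONF FIXED_CONF; do
    eval "_conf=\$$_name"
    if check_lxc_devices_denied "$_conf"; then _dev="devices denied"; else _dev="devices open"; fi
    _net=$(check_lxc_net_isolation "$_conf") || true
    printf '%-10s %-15s network: %s\n' "$_name" "$_dev" "$_net"
done
```

Run it against a real container by substituting `"$(cat /var/lib/lxc/<name>/config)"` for the constructed strings; a config that prints `devices denied` alongside `network: shared` is exactly the situation described in the thread. As the reply says, the network stanza is only one of several things that must be configured explicitly, so treat this check as one item on a longer list rather than a security verdict.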