Re: [lxc-devel] [PATCH] Unshare user namespace as well

2010-05-05 Thread Daniel Lezcano
Mikhail Gusarov wrote:
> Daniel.
>
>  >> Unshare user namespace to make sure setrlimit and other per-user
>  >> limits are accounted properly in containers
>
> [skip]
>
>  DL> I am not sure I see all the implications of having this namespace
>  DL> by default, especially for application containers, which can be
>  DL> executed by a non-root user. I think it would make sense to make this
>  DL> flag optional in the configuration.
>
> Fully agree. I don't use LXC at the moment, so don't expect a new patch
> from me -- I will scratch one when I get to using LXC again unless
> someone else implements it before.
>   

Ok, thanks Mikhail.

--
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel


Re: [lxc-devel] [PATCH] Unshare user namespace as well

2010-05-04 Thread Mikhail Gusarov
Daniel.

 >> Unshare user namespace to make sure setrlimit and other per-user
 >> limits are accounted properly in containers

[skip]

 DL> I am not sure I see all the implications of having this namespace
 DL> by default, especially for application containers, which can be
 DL> executed by a non-root user. I think it would make sense to make this
 DL> flag optional in the configuration.

Fully agree. I don't use LXC at the moment, so don't expect a new patch
from me -- I will scratch one when I get to using LXC again unless
someone else implements it before.

-- 
  http://fossarchy.blogspot.com/




Re: [lxc-devel] [PATCH] Unshare user namespace as well

2010-05-04 Thread Daniel Lezcano
Mikhail Gusarov wrote:
> Unshare user namespace to make sure setrlimit and other per-user limits are
> accounted properly in containers
>
> Signed-off-by: Mikhail Gusarov 
> ---
>  src/lxc/start.c |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 3b5023c..f1ae2fa 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -450,7 +450,7 @@ int lxc_spawn(const char *name, struct lxc_handler 
> *handler, char *const argv[])
>   return -1;
>   }
>  
> - clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
> + clone_flags = 
> CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
>   if (!lxc_list_empty(&handler->conf->network)) {
>  
>   clone_flags |= CLONE_NEWNET;
>   

Hi Mikhail,

I am not sure I see all the implications of having this namespace by
default, especially for application containers, which can be executed by
a non-root user. I think it would make sense to make this flag optional
in the configuration.

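The point raised above is that CLONE_NEWUSER should be opt-in rather than hard-coded. The example below is added here to illustrate that shape; it is not LXC code and none of the names in it (`container_conf`, `build_clone_flags`, `probe_clone_flag`) exist in the project. It builds the clone(2) flag set the way the patch does, adds CLONE_NEWUSER only when the assumed per-container option is set, and probes in a throwaway child whether the running kernel actually accepts the flag, so a missing feature is reported instead of being discovered as an opaque clone() failure.

```c
/* Added example, not LXC code: opt-in user namespace in the clone flag set,
 * plus a kernel support probe. All names below are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was included without _GNU_SOURCE.
 * These are the Linux ABI values of the clone(2) namespace flags. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC  0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif

/* Hypothetical per-container configuration. has_network stands in for
 * the existing "is the network list non-empty" check; userns is the new
 * opt-in switch, off by default. */
struct container_conf {
    int has_network;
    int userns;
};

/* Build the clone flag set. CLONE_NEWUSER is added only when configured,
 * mirroring how CLONE_NEWNET is only added when networking is configured. */
int build_clone_flags(const struct container_conf *conf)
{
    int flags = CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNS;

    if (conf->has_network)
        flags |= CLONE_NEWNET;

    if (conf->userns)
        flags |= CLONE_NEWUSER;

    return flags;
}

/* Ask the kernel whether it accepts a namespace flag by calling unshare()
 * in a forked child, so the caller's own namespaces are never touched.
 * Returns 1 if supported, 0 if refused (errno of the refusal in *err_out),
 * -1 if the probe itself could not run (fork/wait failure or child killed). */
int probe_clone_flag(int flag, int *err_out)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (syscall(SYS_unshare, flag) == 0)
            _exit(0);
        _exit((errno > 0 && errno < 256) ? errno : 255);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;

    int code = WEXITSTATUS(status);
    if (err_out)
        *err_out = code;
    return code == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed configuration: networking on, user namespace opted in. */
    struct container_conf conf = { .has_network = 1, .userns = 1 };
    int flags = build_clone_flags(&conf);

    if (flags & CLONE_NEWUSER) {
        int err = 0;
        int ok = probe_clone_flag(CLONE_NEWUSER, &err);
        if (ok == 1)
            printf("CLONE_NEWUSER: accepted by this kernel\n");
        else if (ok == 0)
            printf("CLONE_NEWUSER: refused (%s); fail the start instead of "
                   "silently dropping the isolation\n", strerror(err));
        else
            perror("probe");
    }
    printf("clone_flags = 0x%x\n", flags);
    return 0;
}
```

The probe runs the check in a child on purpose: a successful unshare() would otherwise move the probing process itself into a new namespace. With the option off, the flag set is exactly the one the patch replaces, so existing containers behave as before.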


Re: [lxc-devel] [PATCH] Unshare user namespace as well

2010-04-08 Thread Daniel Lezcano
Mikhail Gusarov wrote:
> Unshare user namespace to make sure setrlimit and other per-user limits are
> accounted properly in containers
> 
> Signed-off-by: Mikhail Gusarov 
> ---
>  src/lxc/start.c |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 3b5023c..f1ae2fa 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -450,7 +450,7 @@ int lxc_spawn(const char *name, struct lxc_handler 
> *handler, char *const argv[])
>   return -1;
>   }
> 
> - clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
> + clone_flags = 
> CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
>   if (!lxc_list_empty(&handler->conf->network)) {
> 
>   clone_flags |= CLONE_NEWNET;

Thanks Mikhail for the patch. I will apply it.

--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev


[lxc-devel] [PATCH] Unshare user namespace as well

2010-04-08 Thread Mikhail Gusarov
Unshare user namespace to make sure setrlimit and other per-user limits are
accounted properly in containers

Signed-off-by: Mikhail Gusarov 
---
 src/lxc/start.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 3b5023c..f1ae2fa 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -450,7 +450,7 @@ int lxc_spawn(const char *name, struct lxc_handler 
*handler, char *const argv[])
return -1;
}
 
-   clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
+   clone_flags = 
CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
if (!lxc_list_empty(&handler->conf->network)) {
 
clone_flags |= CLONE_NEWNET;
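Review bot: CLONE_NEWUSER is added unconditionally on the changed `clone_flags = ...` line, while the very next lines show the established pattern for an optional namespace (`if (!lxc_list_empty(&handler->conf->network)) clone_flags |= CLONE_NEWNET;`); the new flag should be gated the same way on a per-container configuration option, defaulting to off, so existing containers and application containers started by unprivileged users keep their current flag set. Nothing in the hunk handles a kernel that rejects the flag either: with it hard-coded, a refusal turns into a failed clone() for every container rather than a clear "user namespace requested but unavailable" error. The commit message should also say more than "setrlimit and other per-user limits": a user namespace changes how uids and capabilities are interpreted for the container, and that is the implication worth documenting alongside the accounting benefit.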
-- 
1.7.0

