[Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

2011-04-14 Thread sanjay
Hi! I am new to the technology and thread. I have two basic questions, hope
you can provide some guidance.

1. UID Privilege Isolation.

If I understand it right, currently if a host-uid and guest-uid have the
same numerical value, they essentially have the same file access privilege.
Posting from 01/14/11 indicated that a patchset related to 'user namespace'
is in the works to address this issue. Link in the LXC home/user indicated two
possible approaches are being considered. I was wondering if there has been
any conclusion on this front?


2. Guest modifying its own cgroup

It appears that from a guest one can mount the cgroup and modify its own
constraints specified in the cgroup. Is there a way I can prevent a guest
from doing so?

Thanks in advance for your help
---
Regards,
Sanjay
--
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

2011-04-14 Thread Serge Hallyn
Quoting sanjay (genacct...@gmail.com):
> Hi! I am new to the technology and thread. I have two basic questions, hope
> you can provide some guidance.
>
> 1. UID Privilege Isolation.
>
> If I understand it right, currently if a host-uid and guest-uid have the
> same numerical value, they essentially have the same file access privilege.
> Posting from 01/14/11 indicated that a patchset related to 'user namespace'
> is in the works to address this issue. Link in the LXC home/user indicated two
> possible approaches are being considered. I was wondering if there has been
> any conclusion on this front?

I don't know what link you mean.  There is a clear roadmap, there is
plenty of work to be done.

> 2. Guest modifying its own cgroup
>
> It appears that from a guest one can mount the cgroup and modify its own
> constraints specified in the cgroup. Is there a way I can prevent a guest
> from doing so?

LSM

-serge



Re: [Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

2011-04-14 Thread sanjay
Hi Serge! Thanks for your help.

(The link I was referring to in the original mail:
http://lxc.sourceforge.net/index.php/about/kernel-namespaces/user/).

Regards,
Sanjay


On Thu, Apr 14, 2011 at 3:19 PM, Serge Hallyn <serge.hal...@canonical.com> wrote:

> Quoting sanjay (genacct...@gmail.com):
> > Hi! I am new to the technology and thread. I have two basic questions, hope
> > you can provide some guidance.
> >
> > 1. UID Privilege Isolation.
> >
> > If I understand it right, currently if a host-uid and guest-uid have the
> > same numerical value, they essentially have the same file access privilege.
> > Posting from 01/14/11 indicated that a patchset related to 'user namespace'
> > is in the works to address this issue. Link in the LXC home/user indicated two
> > possible approaches are being considered. I was wondering if there has been
> > any conclusion on this front?
>
> I don't know what link you mean.  There is a clear roadmap, there is
> plenty of work to be done.
>
> > 2. Guest modifying its own cgroup
> >
> > It appears that from a guest one can mount the cgroup and modify its own
> > constraints specified in the cgroup. Is there a way I can prevent a guest
> > from doing so?
>
> LSM
>
> -serge




-- 
Regards,
Sanjay