Hi,
On Tue, Feb 08, 2011 at 11:19:20AM +1100, Trent W. Buck wrote:
> Matto Fransen writes:
> > This is a problem with the sshd bind readonly containers, because
> > lxc-init mounts /proc, /dev/shm and /dev/mqueue.
> > With lxc.cap.drop=sys_admin it is therefore not possible to use
> > lxc-init.
>
On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan wrote:
> On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
>> So far, for a container running apache and cron, plus the usual stuff
>> (init, getty, login), I managed to drop these:
>>
>> audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_
Matto Fransen writes:
> Hi,
>
> On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
>
>> >> In the container, I can use the mount command with the -oremount,rw
>> >> options and then edit the file from the container.
>> >
>> > So the bind read-only mounts are no protection against ch
Andre Nathan writes:
> On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
>> lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
>> container. It seems to work for me. In fact... I thought LXC *always*
>> removed that capability, even if you never mentioned it?
>
> Nice! I
Hi,
On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
> >> In the container, I can use the mount command with the -oremount,rw
> >> options and then edit the file from the container.
> >
> > So the bind read-only mounts are no protection against changing the
> > filesystem of the co
> > can you advise me some simple solution
>
> Closing the fd is a workaround and that must work, but maybe it is worth
> upgrading gdm and check the problem is resolved ?
>
I don't have gdm installed
--
The modern
On 02/07/2011 04:20 PM, Володя К. wrote:
>> > can you advise me some simple solution
>>
>> Closing the fd is a workaround and that must work, but maybe it is worth
>> upgrading gdm and check the problem is resolved ?
>>
> I don't have gdm installed
hmm. An application is leaking a fd somewhe
07.02.11, 17:31, "Daniel Lezcano" :
> On 02/07/2011 03:15 PM, Володя К. wrote:
> >>
> >> Are you using Midnight Commander ?
> >>
> > yes, I have installed Midnight Commander and use it very often
>
> I don't remember exactly but there is a thread about this bug. This is
> not relate
On 02/07/2011 03:52 PM, Володя К. wrote:
> 07.02.11, 17:31, "Daniel Lezcano":
>
>> On 02/07/2011 03:15 PM, Володя К. wrote:
>> >>
>> >> Are you using Midnight Commander ?
>> >>
>> > yes, I have installed Midnight Commander and use it very often
>>
>> I don't remember exactly but t
On 02/07/2011 03:15 PM, Володя К. wrote:
>>
>> Are you using Midnight Commander ?
>>
> yes, I have installed Midnight Commander and use it very often
I don't remember exactly but there is a thread about this bug. This is
not related to lxc. There is a bug in debian where the file descriptors
>
> Are you using Midnight Commander ?
>
yes, I have installed Midnight Commander and use it very often
--
The modern datacenter depends on network connectivity to access resources
and provide services. The best p
On 02/07/2011 02:39 PM, Володя К. wrote:
> hello,
> I have Gentoo with 2.6.37-gentoo #1 SMP kernel, and lxc-0.7.3-r1
> I successfully installed the Debian template and used it some time (about 1
> month). Today after turning off the container, i can't start it. I get
> the following messsag
hello,
I have Gentoo with 2.6.37-gentoo #1 SMP kernel, and lxc-0.7.3-r1
I successfully installed the Debian template and used it some time (about 1
month). Today after turning off the container, I can't start it. I get the
following message
# lxc-start -n debian
lxc-start: inherited f
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
> So far, for a container running apache and cron, plus the usual stuff
> (init, getty, login), I managed to drop these:
>
> audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner,
> lease, linux_immutable, mac_admin, mac_overrid
On Mon, 2011-02-07 at 03:58 -0800, Dean Mao wrote:
> Yeah, would be nice to have this list -- I remember looking all over,
> but I didn't see lxc.console. Is there a comprehensive list of these
> "abilities"?
So far, for a container running apache and cron, plus the usual stuff
(init, getty, logi
Yeah, would be nice to have this list -- I remember looking all over, but I
didn't see lxc.console. Is there a comprehensive list of these "abilities"?
On Mon, Feb 7, 2011 at 2:56 AM, Andre Nathan wrote:
> On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
> > lxc.cap.drop=sys_admin shoul
On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
> lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
> container. It seems to work for me. In fact... I thought LXC *always*
> removed that capability, even if you never mentioned it?
Nice! Is there a list of capabilities