On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container. It seems to work for me. In fact... I thought LXC *always*
removed that capability, even if you never mentioned it?
Nice! Is there a list of capabilities
On Mon, 2011-02-07 at 03:58 -0800, Dean Mao wrote:
Yeah, would be nice to have this list -- I remember looking all over,
but I didn't see lxc.console. Is there a comprehensive list of these
abilities?
So far, for a container running apache and cron, plus the usual stuff
(init, getty, login),
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
So far, for a container running apache and cron, plus the usual stuff
(init, getty, login), I managed to drop these:
audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner,
lease, linux_immutable, mac_admin, mac_override,
Hi,
On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
In the container, I can use the mount command with the -oremount,rw
options and then edit the file from the container.
So the bind read-only mounts are no protection against changing the
filesystem of the container,
Andre Nathan an...@digirati.com.br writes:
On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container. It seems to work for me. In fact... I thought LXC *always*
removed that capability, even if you never mentioned
Matto Fransen ma...@matto.nl writes:
Hi,
On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
In the container, I can use the mount command with the -oremount,rw
options and then edit the file from the container.
So the bind read-only mounts are no protection against
On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan an...@digirati.com.br wrote:
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
So far, for a container running apache and cron, plus the usual stuff
(init, getty, login), I managed to drop these:
audit_control, audit_write, fowner, fsetid,
Hi,
On Tue, Feb 08, 2011 at 11:19:20AM +1100, Trent W. Buck wrote:
Matto Fransen ma...@matto.nl writes:
This is a problem with the sshd bind readonly containers, because
lxc-init mounts /proc, /dev/shm and /dev/mqueue.
With lxc.cap.drop=sys_admin it is therefore not possible to use
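Bringing together Trent's point that lxc.cap.drop=sys_admin blocks mount(2) inside the container, Matto's observation that a read-only bind mount can otherwise be flipped back with mount -o remount,rw, and Andre's list of droppable capabilities, the script below is a small configuration audit for the problem the thread describes. It is an added example, not code from the thread, from any of its participants, or from LXC itself. It parses an lxc config and reports every read-only bind mount that a root process in the container could still remount read-write because sys_admin has not been dropped. The two config fragments are constructed for the demo (the container names, paths and capability lists are made up); the parsing assumes the syntax shown in the thread (lxc.cap.drop with space-separated capability names, possibly on several lines that accumulate, and lxc.mount.entry with fstab-style fields).

```shell
#!/bin/sh
# Constructed LXC config fragments (not from the thread). The first keeps
# CAP_SYS_ADMIN despite its read-only bind mounts; the second drops it.
CFG_KEEPS_SYS_ADMIN='lxc.utsname = web1
lxc.mount.entry = /srv/web1/etc etc none ro,bind 0 0
lxc.mount.entry = /srv/web1/usr usr none ro,bind 0 0
lxc.mount.entry = /srv/web1/var var none bind 0 0
lxc.cap.drop = audit_control audit_write fowner fsetid'

CFG_DROPS_SYS_ADMIN='lxc.utsname = web2
lxc.mount.entry = /srv/web2/etc etc none ro,bind 0 0
lxc.cap.drop = audit_control audit_write fowner fsetid ipc_lock ipc_owner
lxc.cap.drop = lease linux_immutable mac_admin mac_override sys_admin'

# cap_dropped CONFIG CAP -> exit 0 if CAP appears on any lxc.cap.drop line.
# Assumes several lxc.cap.drop lines accumulate and names are space-separated.
cap_dropped() {
    printf '%s\n' "$1" | awk -v cap="$2" '
        /^lxc\.cap\.drop[ \t]*=/ {
            sub(/^lxc\.cap\.drop[ \t]*=[ \t]*/, "")   # re-splits $0 into caps
            for (i = 1; i <= NF; i++) if ($i == cap) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# ro_bind_mounts CONFIG -> prints the container-side path of every
# lxc.mount.entry whose options contain both "bind" and "ro".
ro_bind_mounts() {
    printf '%s\n' "$1" | awk '
        /^lxc\.mount\.entry[ \t]*=/ {
            sub(/^lxc\.mount\.entry[ \t]*=[ \t]*/, "")
            # fstab-style fields: source target fstype options dump pass
            opts = "," $4 ","
            if (opts ~ /,bind,/ && opts ~ /,ro,/) print $2
        }'
}

# remountable_ro_mounts CONFIG -> prints the read-only bind mounts that remain
# remountable read-write from inside the container, which is all of them when
# sys_admin is still held. Returns 1 if any were printed, 0 otherwise.
remountable_ro_mounts() {
    if cap_dropped "$1" sys_admin; then
        return 0            # mount(2) is refused without CAP_SYS_ADMIN
    fi
    out=$(ro_bind_mounts "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone demo over both constructed configs.
for name in CFG_KEEPS_SYS_ADMIN CFG_DROPS_SYS_ADMIN; do
    eval "cfg=\$$name"
    if remountable_ro_mounts "$cfg" >/dev/null; then
        echo "$name: ok (sys_admin dropped or no ro bind mounts)"
    else
        echo "$name: WARN sys_admin kept; remountable ro bind mounts:" \
             "$(ro_bind_mounts "$cfg" | tr '\n' ' ')"
    fi
done
```

Run it against a real config with `remountable_ro_mounts "$(cat /var/lib/lxc/NAME/config)"`; a non-zero exit status is the signal that the read-only bind mounts are only advisory. As the last message in the thread notes, dropping sys_admin is not free: anything in the container that itself needs to mount (lxc-init mounting /proc, /dev/shm and /dev/mqueue, in Matto's case) has to be handled some other way, so the check reports the exposure rather than rewriting the config.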