Public bug reported:

Out of the box on Ubuntu oneiric, lxc-checkconfig produces the current output:

ubuntu@panda4:~$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing enabled

Note that cgroup_ns says 'Required'. cgroup_ns was replaced with clone_children (which is a mount option for cgroup lines; if this is done, then that line changes to clone_children is available).

Regardless of this 'Required' item being around, lxc-* still works, and you can still create and start instances. It appears that even though namespaces are unavailable. This suggests that LXC will run without warning even if full cgroup isolation is unavailable.

As part of the move to 3.0, we need to make it so LXC uses the clone_children as a replacement for cgroup_ns, and understand why LXC works without namespace support, and the security implications of this ...

** Affects: lxc (Ubuntu)
     Importance: High
         Status: New

** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu)
    Milestone: None => ubuntu-11.10-beta-1

--
https://bugs.launchpad.net/bugs/827798

Title:
  LXC works without warning regardless if cgroup namespaces are properly available
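
A fail-closed pre-flight check for the condition this report describes, as an added example that is not part of the original report and is not LXC's own code. It assumes the legacy subsystem is listed as `ns` in `/proc/cgroups` and that a cgroup mounted with `clone_children` shows that option in `/proc/mounts`; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example (not LXC code): refuse to start a container when neither
# cgroup isolation mechanism named in the report is present.
# Assumption: the legacy subsystem is listed as "ns" in /proc/cgroups and a
# clone_children mount shows that option in /proc/mounts.

# has_cgroup_ns FILE: true if FILE (/proc/cgroups format) lists "ns" enabled.
has_cgroup_ns() {
    awk '$1 == "ns" && $4 == 1 { found = 1 } END { exit !found }' "$1"
}

# has_clone_children FILE: true if FILE (/proc/mounts format) has a cgroup
# mount whose option list contains clone_children as a whole option.
has_clone_children() {
    awk '$3 == "cgroup" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "clone_children") found = 1
         }
         END { exit !found }' "$1"
}

# cgroup_isolation CGROUPS MOUNTS: prints the mechanism found; returns 1 and
# prints "missing" when there is none, so callers can fail closed.
cgroup_isolation() {
    if has_cgroup_ns "$1"; then echo cgroup_ns
    elif has_clone_children "$2"; then echo clone_children
    else echo missing; return 1
    fi
}

# Constructed sample data: a 3.0-style host without the "ns" subsystem.
tmp=$(mktemp -d)
printf '#subsys_name\thierarchy\tnum_cgroups\tenabled\ncpuset\t1\t1\t1\ndevices\t1\t1\t1\n' > "$tmp/cgroups"
echo 'cgroup /sys/fs/cgroup cgroup rw,relatime,devices,cpuset 0 0' > "$tmp/mounts_plain"
echo 'cgroup /sys/fs/cgroup cgroup rw,relatime,devices,cpuset,clone_children 0 0' > "$tmp/mounts_cc"

cgroup_isolation "$tmp/cgroups" "$tmp/mounts_cc"
cgroup_isolation "$tmp/cgroups" "$tmp/mounts_plain" ||
    echo "refusing to start container: no cgroup isolation" >&2
```

On a host, the same check is `cgroup_isolation /proc/cgroups /proc/mounts`, run before the container is started so that a missing mechanism stops the launch instead of passing silently.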