On Sat, 23.04.11 13:29, microcai (micro...@fedoraproject.org) wrote:

> > Ah, good point. So, root inside the container can trivially circumvent
> > the container that way. Any way to prevent that with current kernel
> > support, or would fixing this require additional kernel changes to lock
> > down other /proc and /sys mounts?
>
> OpenVZ is what you need that way. OpenVZ is much like systemd-nspawn,
> but more secure. So it can be used to provide VPS ;)
I never looked in much detail into OpenVZ but quite honestly I have my
doubts that it is completely sealed off and really doesn't suffer from any
of the vulnerabilities I pointed out in my other mail. OpenVZ is probably
at a better spot than the vanilla kernel with container virtualization,
but I think they define "secure" much more loosely than some folks are
aware of.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
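The exchange above turns on whether root inside a container can reach host-wide kernel interfaces through writable /proc and /sys mounts. The script below is an added example, not code from the thread, from systemd-nspawn or from OpenVZ: run from inside a container it reads /proc/self/mountinfo and reports, for each of a few host-affecting paths, whether the deepest mount covering that path is read-only or read-write. The set of paths checked (/proc/sys, /proc/sysrq-trigger, /sys) and the sample mountinfo listing are my own choices; the listing is constructed to resemble a container with /proc mounted read-write and only /proc/sys bind-mounted read-only on top of it.

```shell
#!/bin/sh
# Added example (not from the thread). For each host-affecting path, find the
# deepest mount in a mountinfo(5) listing (read from stdin) that covers it and
# report that mount's per-mount ro/rw flag (field 6). A read-write /proc with a
# separate read-only bind of /proc/sys therefore shows /proc/sys as "ro", but
# leaves /proc/sysrq-trigger "rw" via the parent /proc mount.
# Output: one line per path, "<path> ro|rw via <mountpoint>" or "<path> unmounted".
audit_kernel_mounts() {
    # Paths chosen for this example; extend as needed.
    awk -v paths="/proc/sys /proc/sysrq-trigger /sys" '
    {
        mp = $5; opts = $6
        # mountinfo escapes spaces in paths as \040; decode before comparing.
        gsub(/\\040/, " ", mp)
        mounts[mp] = opts
    }
    END {
        n = split(paths, p, " ")
        for (i = 1; i <= n; i++) {
            best = ""
            # Longest-prefix match: the deepest mount point wins.
            for (mp in mounts) {
                if (p[i] == mp || index(p[i], mp "/") == 1 || mp == "/") {
                    if (length(mp) > length(best)) best = mp
                }
            }
            if (best == "") { print p[i], "unmounted"; continue }
            mode = "rw"
            m = split(mounts[best], o, ",")
            for (j = 1; j <= m; j++) if (o[j] == "ro") mode = "ro"
            print p[i], mode, "via", best
        }
    }'
}

# Constructed sample listing (not captured from a real system): rootfs, a
# read-write /proc, /proc/sys bound read-only on top of it, and a read-write /sys.
SAMPLE_MOUNTINFO='20 1 0:18 / / rw,relatime - ext4 /dev/loop0 rw
21 20 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
22 21 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
23 20 0:6 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw'

# Stand-alone run over the sample; inside a container use:
#   audit_kernel_mounts < /proc/self/mountinfo
printf '%s\n' "$SAMPLE_MOUNTINFO" | audit_kernel_mounts
```

The per-mount ro/rw flag in field 6 is what matters here, not the superblock flags at the end of the line: a read-only bind mount of /proc/sys still shows the underlying proc superblock as rw, and it is the bind mount's flag that decides whether a write from container root reaches the host's sysctl tree.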