On Wed, Aug 21, 2013 at 11:51:53AM +0200, Kay Sievers wrote: > On Wed, Aug 21, 2013 at 9:22 AM, Gao feng <gaof...@cn.fujitsu.com> wrote: > > On 08/21/2013 03:06 PM, Eric W. Biederman wrote: > > >> I suspect libvirt should simply not share /run or any other normally > >> writable directory with the host. Sharing /run /var/run or even /tmp > >> seems extremely dubious if you want some kind of containment, and > >> without strange things spilling through. > > Right, /run or /var cannot be shared. It's not only about sockets, > many other things will also go really wrong that way.
Libvirt already allows the app defining the container config to set private mounts for any directory including /run and /var. If an admin or app wants to run systemd inside a container, it is their responsibility to ensure they setup the filesystem in a suitable manner. Libvirt is not going to enforce use of a private /run or /var, since that's a policy decision for a specific use case. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
