Re: Linux 3.2 in wheezy
On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> On Jan 30, Adam Borowski <email@example.com> wrote:
> > It would be nice to have some documentation about how lxc is different from
> > them, and how to work around bugs and limitations. I for one spent ~10
> Let's start with this: in its current form, it is not designed to
> protect the host system from an untrusted root user in a guest.
> So far lxc is nice for testing, but not much more.
This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
just mount the root filesystem into your own tree.
Linux-VServer does not help against processes with too much
capabilities, not sure about OpenVZ.
> > * how to execute a command in a running VM? lxc-execute complains that the
> Lack of something like VE_ENTER also makes it unsuitable for me.
> AFAIK there is still no way to attach a process to an existing cgroup,
You need execve to change most cgroups.
We Klingons believe as you do -- the sick should die. Only the strong
-- Kras, "Friday's Child", stardate 3497.2