[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Linux 3.2 in wheezy

On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> On Jan 30, Adam Borowski <kilobyte@angband.pl> wrote:
> > It would be nice to have some documentation about how lxc is different from
> > them, and how to work around bugs and limitations.  I for one spent ~10
> Let's start with this: in its current form, it is not designed to
> protect the host system from an untrusted root user in a guest.
> So far lxc is nice for testing, but not much more.
> http://blog.bofh.it/debian/id_413

This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
just mount the root filesystem into your own tree.

Linux-VServer does not help against processes with too much
capabilities, not sure about OpenVZ.

> > * how to execute a command in a running VM?  lxc-execute complains that the
> Lack of something like VE_ENTER also makes it unsuitable for me.

ssh works.

> AFAIK there is still no way to attach a process to an existing cgroup, 

You need execve to change most cgroups.


We Klingons believe as you do -- the sick should die.  Only the strong
should live.
		-- Kras, "Friday's Child", stardate 3497.2

Reply to: