Re: Linux 3.2 in wheezy

To: debian-devel@lists.debian.org
Subject: Re: Linux 3.2 in wheezy
From: Bastian Blank <waldi@debian.org>
Date: Fri, 3 Feb 2012 12:31:03 +0100
Message-id: <[🔎] 20120203113103.GA16544@wavehammer.waldi.eu.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <20120130013115.GB19215@bongo.bofh.it>
References: <20120129182205.GR12704@decadent.org.uk> <1327867067.13223.3.camel@hidalgo> <1327872371.5400.375.camel@deadeye> <20120130004459.GA22039@angband.pl> <20120130013115.GB19215@bongo.bofh.it>

On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> On Jan 30, Adam Borowski <kilobyte@angband.pl> wrote:
> > It would be nice to have some documentation about how lxc is different from
> > them, and how to work around bugs and limitations.  I for one spent ~10
> Let's start with this: in its current form, it is not designed to
> protect the host system from an untrusted root user in a guest.
> So far lxc is nice for testing, but not much more.
> http://blog.bofh.it/debian/id_413

This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
just mount the root filesystem into your own tree.

Linux-VServer does not help against processes with too much
capabilities, not sure about OpenVZ.

> > * how to execute a command in a running VM?  lxc-execute complains that the
> Lack of something like VE_ENTER also makes it unsuitable for me.

ssh works.

> AFAIK there is still no way to attach a process to an existing cgroup, 

You need execve to change most cgroups.

Bastian

-- 
We Klingons believe as you do -- the sick should die.  Only the strong
should live.
		-- Kras, "Friday's Child", stardate 3497.2

Reply to:

Follow-Ups:
- Re: Linux 3.2 in wheezy
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: Linux 3.2 in wheezy
  - From: md@Linux.IT (Marco d'Itri)

Prev by Date: Re: Suhosin patch disabled by default in Debian php5 builds
Next by Date: Re: Linux 3.2 in wheezy
Previous by thread: Re: Linux 3.2 in wheezy
Next by thread: Re: Linux 3.2 in wheezy
Index(es):
- Date
- Thread