On Wed., 2012-02-01 at 10:33 +0800, Paul Wise wrote:
> On Wed, Feb 1, 2012 at 5:37 AM, Ben Hutchings wrote:
>
> > Just to be clear, 'that work' is not just a matter of forwarding
> > messages back and forth between the Debian BTS and the Linux-VServer
> > developers. Unless the VServer project continues to support whichever
> > version we use in a stable release (3.2 in this case) then Debian
> > users are likely to run into different bugs that they won't want to
> > deal with. There will also be integration issues to be resolved when
> > fixes from the stable/longterm branch conflict with the VServer
> > changes. This requires real understanding of Linux and VServer
> > internals (see #618485 for an example of what happens without that).
>
> Data point; there is a VServer patch for 3.2 (marked as experimental though):
>
> http://vserver.13thfloor.at/Experimental/patch-3.2.2-vs2.3.2.6.diff
>
> It was also claimed on IRC that when using the Debian template for lxc
> (see below) that the security issues mentioned in the Linux 3.2 thread
> do not apply.
>
> lxc-create -t debian
> /usr/lib/lxc/templates/lxc-debian

Note that the template “only” drops CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SYS_ADMIN and CAP_SYS_MODULE. Are we really sure this is enough? The http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00977.html thread gives some pointers, but it seems that in the end they advise dropping quite a few more caps than just those.

Regards,
-- 
Yves-Alexis
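To turn the question above into something you can check against an actual container config, here is an added Python example (mine, not code from this thread or from the lxc-debian template): it parses the `lxc.cap.drop` lines of an LXC config and lists which capabilities from a baseline set are still retained. The baseline set and both sample configs are my own assumptions, not the list the lxc-users thread recommends; `lxc.cap.drop` itself is the real LXC key, taking lowercase capability names without the `CAP_` prefix.

```python
import re

# Constructed sample: a config dropping only the four capabilities named in
# the message (the lxc-debian template's set as described there).
TEMPLATE_CONFIG = """\
lxc.utsname = debian
# the template's drop list
lxc.cap.drop = mac_admin mac_override sys_admin sys_module
"""

# Constructed sample: the same config with the whole baseline dropped.
HARDENED_CONFIG = """\
lxc.utsname = debian
lxc.cap.drop = mac_admin mac_override sys_admin sys_module
lxc.cap.drop = sys_time sys_rawio sys_boot mknod sys_pacct sys_tty_config
lxc.cap.drop = audit_control audit_write syslog setfcap
"""

# Assumption: a baseline of capabilities a container root should not keep if
# it is not supposed to affect the host. It is an illustrative set, not the
# list from the thread; tune it for your own threat model.
BASELINE_DROP = frozenset({
    "mac_admin", "mac_override", "sys_admin", "sys_module",
    "sys_time", "sys_rawio", "sys_boot", "mknod", "sys_pacct",
    "sys_tty_config", "audit_control", "audit_write", "syslog", "setfcap",
})

_DROP_LINE = re.compile(r"^\s*lxc\.cap\.drop\s*=\s*(.*?)\s*$")


def dropped_caps(config_text):
    """Return the set of capability names dropped by all lxc.cap.drop lines.

    Multiple lines accumulate; an empty value resets the list, which is how
    newer LXC releases treat list-valued keys (assumption, check your version).
    """
    dropped = set()
    for line in config_text.splitlines():
        m = _DROP_LINE.match(line)
        if not m:
            continue
        value = m.group(1)
        if not value:
            dropped.clear()
            continue
        for name in value.split():
            name = name.lower()
            dropped.add(name[4:] if name.startswith("cap_") else name)
    return dropped


def retained_caps(config_text, baseline=BASELINE_DROP):
    """Baseline capabilities the config does NOT drop, sorted for reporting."""
    return sorted(baseline - dropped_caps(config_text))
```

Running `retained_caps(TEMPLATE_CONFIG)` shows what the four-capability list leaves behind, which is the concrete form of the "is this enough?" question.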