Quoting Serge Hallyn (serge.hal...@canonical.com):

> When you clone a new user_ns, the child cannot write to the fds
> opened by the parent. Handle this by doing an extra fork. The
> grandparent hangs around and waits for its child to tell it the
> pid of the grandchild, which will be the one attached to the
> container. The grandparent then moves the grandchild into the
> right cgroup, then waits for the child who in turn is waiting on
> the grandchild to complete.
>
> This lets lxc-attach work into another user namespace, but more
> is needed (which will come in subsequent patches). lxc-attach
> will need to setuid to the uid of the container's init process,
> because otherwise it is uid -1. It will also need to be entered
> into the apparmor or selinux domain of the child to prevent it
> being used by a task in the container as a stepping stone to
> greater privilege (i.e. through ptrace).
Hold on, the version I sent here had a last minute change and may be bad.

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
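The grandparent / child / grandchild arrangement the quoted description sketches, written out as an added example; this is not lxc's code and is not the patch under discussion. It assumes a hypothetical hook callback standing in for the cgroup write (here it only records the pid, so it runs unprivileged), a "report" pipe through which the child hands the grandchild's pid up, and a second "go" pipe so the grandchild does not run its payload until the grandparent has finished acting on it, and exits instead if the grandparent's hook fails. The payload used by main() calls unshare(CLONE_NEWUSER) and prints the uid the grandchild then sees (the unmapped uid is reported to userspace as the overflow uid); it is there to illustrate the namespace side and is not needed for the handoff itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the grandparent knows once an attach has run to completion. */
struct attach_result {
    pid_t grandchild;  /* pid the child reported over the pipe, -1 if none */
    int   status;      /* grandchild's exit code as relayed by the child, -1 if unknown */
    int   hook_rc;     /* return value of the grandparent's hook, -1 if never run */
};

/* Hypothetical stand-in for the grandparent's privileged step (in lxc this
 * would be writing the grandchild's pid into the container's cgroup). It only
 * records the pid so the example runs on any Linux box without privilege. */
static pid_t last_hooked_pid = -1;
static int record_pid_hook(pid_t pid) { last_hooked_pid = pid; return 0; }
static int failing_hook(pid_t pid)    { (void)pid; return -1; }

/* Reap pid and fold its wait status into a small exit code. */
static int wait_exit_code(pid_t pid)
{
    int st;
    if (waitpid(pid, &st, 0) != pid) return -1;
    if (WIFEXITED(st))   return WEXITSTATUS(st);
    if (WIFSIGNALED(st)) return 128 + WTERMSIG(st);
    return -1;
}

/* grandparent -> child -> grandchild.
 *  "report" pipe: child tells the grandparent the grandchild's pid.
 *  "go" pipe:     grandparent releases the grandchild only after hook()
 *                 succeeded; if hook() fails the go pipe is closed unwritten,
 *                 the grandchild reads EOF and exits 255 without running.
 * The grandchild exits with payload()'s return value, the child relays that
 * code, and the grandparent collects it from the child. */
static int double_fork_attach(int (*payload)(void *), void *arg,
                              int (*hook)(pid_t), struct attach_result *out)
{
    int report[2], go[2];
    out->grandchild = -1; out->status = -1; out->hook_rc = -1;
    if (pipe(report) < 0) return -1;
    if (pipe(go) < 0) { close(report[0]); close(report[1]); return -1; }

    pid_t child = fork();
    if (child < 0) {
        close(report[0]); close(report[1]); close(go[0]); close(go[1]);
        return -1;
    }

    if (child == 0) {                                   /* child */
        close(report[0]); close(go[1]);
        pid_t gc = fork();
        if (gc < 0) _exit(255);
        if (gc == 0) {                                  /* grandchild */
            close(report[1]);
            char tok;
            if (read(go[0], &tok, 1) != 1) _exit(255);  /* grandparent gave up on us */
            close(go[0]);
            _exit(payload(arg) & 0xff);
        }
        close(go[0]);
        /* Hand the grandchild's pid up; if this write fails the grandparent
         * sees EOF, never writes the go byte, and the grandchild exits. */
        ssize_t w = write(report[1], &gc, sizeof gc);
        (void)w;
        close(report[1]);
        int rc = wait_exit_code(gc);                    /* child waits on the grandchild */
        _exit(rc < 0 ? 255 : rc);
    }

    /* grandparent */
    close(report[1]); close(go[0]);                     /* EOF on report[0] if the child dies early */
    pid_t gc;
    ssize_t n = read(report[0], &gc, sizeof gc);
    close(report[0]);
    if (n == (ssize_t)sizeof gc) {
        out->grandchild = gc;
        out->hook_rc = hook(gc);                        /* the privileged step, on the grandchild's pid */
        if (out->hook_rc == 0) { ssize_t g = write(go[1], "g", 1); (void)g; }
    }
    close(go[1]);                                       /* unwritten close = abort signal */
    out->status = wait_exit_code(child);                /* returns only after the grandchild has exited */
    return (out->grandchild > 0 && out->hook_rc == 0) ? 0 : -1;
}

/* Payload that just reports a fixed exit code; used to check the relay. */
static int fixed_payload(void *arg) { return *(const int *)arg; }

/* Payload that enters a fresh user namespace and shows the uid it then has. */
static int userns_payload(void *unused)
{
    (void)unused;
    if (unshare(CLONE_NEWUSER) < 0) {
        fprintf(stderr, "unshare(CLONE_NEWUSER): %s\n", strerror(errno));
        return 2;
    }
    printf("grandchild %ld in a new user ns, unmapped uid reads as %u\n",
           (long)getpid(), (unsigned)getuid());
    return 0;
}

int main(void)
{
    struct attach_result r;
    int rc = double_fork_attach(userns_payload, NULL, record_pid_hook, &r);
    printf("attach rc=%d grandchild=%ld hooked=%ld status=%d\n",
           rc, (long)r.grandchild, (long)last_hooked_pid, r.status);
    return (rc == 0 && r.status == 0) ? 0 : 1;
}
```

The go pipe is the detail worth keeping: without it the grandchild can race ahead of the grandparent's cgroup placement, and a failed placement has no way to stop it. On a kernel where unprivileged user namespaces are disabled, main()'s payload prints the unshare error and the attach reports status 2; the handoff logic itself is exercised either way.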