On Tue, Oct 1, 2013 at 8:27 PM, Andy Lutomirski <l...@amacapital.net> wrote:
>> http://lists.linuxfoundation.org/pipermail/containers/2013-May/032591.html
>
> Can't the daemon live outside the container and shuffle stuff in?
> IOW, there seems to be little point in containerizing things if you're
> just going to punch a privilege hole in the namespace.

Yeah. I will try to experiment just how much can be 'stuffed in' without effective caps. It certainly would be better this way.

> FWIW, I think that the capability evolution rules are crap, but
> changing them is a can of worms, and enough people seem to think the
> status quo is acceptable that this is unlikely to ever get fixed.

I have noted (Casey almost tried to strangle me during the last security summit for even daring to talk about it).

--
Janne