Note that since we don't drop CAP_SYS_ADMIN, root in the container can
remount proc or sys however they want to; however, this at least improves
the default situation.

Signed-off-by: Dwight Engen <dwight.en...@oracle.com>
---
 templates/lxc-oracle.in | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index ddc6d74..78d99ee 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -350,7 +350,7 @@ lxc.utsname = $name
 lxc.devttydir = lxc
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $cfg_dir/fstab
+lxc.mount.auto = proc:mixed sys:ro
 lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
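Review bot: the old fstab mounted proc explicitly with `nodev,noexec,nosuid`, while `lxc.mount.auto = proc:mixed sys:ro` leaves the mount flags to lxc's own implementation; please state in the commit message whether the resulting proc mount keeps those flags or whether that is an intentional change, since the message only covers the CAP_SYS_ADMIN remount caveat. Given that caveat, the comment "Uncomment these if you don't run anything that needs the capability" that directly follows this line would also be a natural place to mention that the read-only sys and mixed proc mounts only hold if the container cannot remount them.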
@@ -404,11 +404,6 @@ lxc.cgroup.devices.allow = c 1:9 rwm       # /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx pty master
 EOF
-
-    cat <<EOF > $cfg_dir/fstab || die "unable to create $cfg_dir/fstab"
-proc    proc     proc   nodev,noexec,nosuid 0 0
-sysfs   sys      sysfs  defaults  0 0
-EOF
 }
 
 container_rootfs_clone()
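Review bot: the removed fstab mounted sysfs with `defaults` (read-write), so `sys:ro` in the first hunk is a behaviour change for anything in the container that writes under /sys, not just a cleanup; worth calling out in the commit message so users who hit write failures know the cause and know to override it with an explicit `lxc.mount.entry`. The diffstat (1 insertion, 6 deletions) matches the two hunks, and with the `lxc.mount = $cfg_dir/fstab` line gone nothing in the template references the old file any more, so dropping the heredoc is consistent.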
-- 
1.8.3.1

