> >
> > I think I last tried it with CRIU 0.8 without much success
>
> I'm going to test this today on CentOS 6 with kernel 3.12. So if you
> want, you can wait for my results :)
Please do report back, I am interested if criu could be used for
container archival.
; lxc_fill_elevated_privileges() here.
Thanks, Serge.
I didn't check the return value since it is really straightforward and
simple in case the first argument is NULL. But, you're right, I'll
keep this in mind for the future.
--
Nikola Kotur
http://blog.kotur.org
PGP key: http://bin
; Signed-off-by: Nikola Kotur
>
> Acked-By: Christian Seiler
Thanks Christian. As soon as we get this in, I'll work on your proposal
regarding namespace dropping.
--
Nikola Kotur
http://blog.kotur.org
PGP key: http://bin.kotur.org/key.html
signat
opped
I agree that we should let people be creative, and make all
combinations available.
So, what do you say you ACK my first patch (I do need it), and I will
work on your proposal, if others agree?
--
Nikola Kotur
http://blog.kotur.org
PGP key: http://bin.k
mment about -R implying -e, but I don't see it
> now, so that's fine :)
Great!
> > while not elevating cgroup, for example?
>
> But I suspect there's a simpler rationale.
Christian Seiler provided the explanation (he wrote the code in
question), but I
ainer.
Similar to namespaces, privileges to be elevated can be OR'd:
lxc-attach --elevated-privileges='CAP|CGROUP' ...
Backward compatibility with previous versions is retained. In case no
privileges are specified, behaviour is the same as before: all of them
are elevated.
S
On Tue, 19 Nov 2013 15:48:36 -0600
Serge Hallyn wrote:
> Quoting Nikola Kotur (kotn...@gmail.com):
> > There are scenarios in which we want to execute a process with
> > specific privileges elevated.
>
> thanks for submitting this patch. No objection overall, however
>
There are scenarios in which we want to execute a process with specific
privileges elevated.
An example for this might be executing a process inside the container
securely, with capabilities dropped, but not in the container's cgroup so
that we can have per-process restrictions inside a single container.
Signed-off-by: Nikola Kotur
---
src/lxc/lxc-top | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/lxc/lxc-top b/src/lxc/lxc-top
index a1f0250..b5b3a69 100755
--- a/src/lxc/lxc-top
+++ b/src/lxc/lxc-top
@@ -24,7 +24,6 @@
local lxc= require("lxc")
local core = require
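Review bot: the commit message above the `---` describes selective privilege elevation for lxc-attach, but the diffstat and the hunk at line 24 of src/lxc/lxc-top cover only a one-line deletion in lxc-top, and the removed line is cut off here. If that deletion is an unrelated cleanup, it belongs in its own patch with a message naming the dropped line and why it is safe to remove; otherwise the lxc-attach changes the message describes are missing from this diff.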