Re: [lxc-devel] Status of usability of lxc

2011-05-08 Thread Yamamoto - Joe's Web Hosting
Hi, I've just realized that the env name in my previous post was opposite in meaning. ENABLE_INSECURE_MODE -> ENABLE_SECURE_MODE Just for correction. -- Masahide Yamamoto - Joe's Web Hosting

Re: [lxc-devel] Status of usability of lxc

2011-05-07 Thread Yamamoto - Joe's Web Hosting
Hi, Here is my work-around for increasing security in the LXC guest environment while keeping some usability. But I had to modify some code both in the kernel and in the LXC user-land tool to achieve this. * Kernel patch(2.6.32.39) diff -uwBr linux-2.6.32.39/fs/namespace.c linux-2.6.32.39-jwh/fs/namespace.c --- l

Re: [lxc-devel] Status of usability of lxc

2011-05-02 Thread Christoph Mitasch
To disable the ability to trigger a reboot of the host system by sending "b" to /proc/sysrq-trigger inside a container, I've dropped CAP_SYS_ADMIN and set the /proc mount-point read-only. I'm interested in what other capabilities are recommended to drop when using LXC as a system container. Thanks

Re: [lxc-devel] Status of usability of lxc

2011-04-19 Thread richard -rw- weinberger
On Tue, Mar 22, 2011 at 10:20 AM, Nathan McSween wrote: > Can I get a quick rundown of what is implemented w.r.t  UID/GID > containerization, is it safe yet to give containerized root to an > everyday user without huge security issues? Drop all dangerous capabilities and mount /proc read-only. H

Re: [lxc-devel] Status of usability of lxc

2011-04-11 Thread Stéphane Graber
On Wed, 2011-04-06 at 08:08 -0500, Rob Landley wrote: > On 04/06/2011 05:43 AM, Daniel Lezcano wrote: > > On 03/22/2011 10:20 AM, Nathan McSween wrote: > >> Can I get a quick rundown of what is implemented w.r.t UID/GID > >> containerization, is it safe yet to give containerized root to an > >> ev

Re: [lxc-devel] Status of usability of lxc

2011-04-06 Thread Marian Marinov
On Wednesday 06 April 2011 16:08:18 Rob Landley wrote: > On 04/06/2011 05:43 AM, Daniel Lezcano wrote: > > On 03/22/2011 10:20 AM, Nathan McSween wrote: > >> Can I get a quick rundown of what is implemented w.r.t UID/GID > >> containerization, is it safe yet to give containerized root to an > >> e

Re: [lxc-devel] Status of usability of lxc

2011-04-06 Thread Rob Landley
On 04/06/2011 05:43 AM, Daniel Lezcano wrote: > On 03/22/2011 10:20 AM, Nathan McSween wrote: >> Can I get a quick rundown of what is implemented w.r.t UID/GID >> containerization, is it safe yet to give containerized root to an >> everyday user without huge security issues? > > Nope, it is not s

Re: [lxc-devel] Status of usability of lxc

2011-04-06 Thread Daniel Lezcano
On 03/22/2011 10:20 AM, Nathan McSween wrote: > Can I get a quick rundown of what is implemented w.r.t UID/GID > containerization, is it safe yet to give containerized root to an > everyday user without huge security issues? Nope, it is not secure at all for a root user inside the container. ---

[lxc-devel] Status of usability of lxc

2011-04-05 Thread Nathan McSween
Can I get a quick rundown of what is implemented w.r.t UID/GID containerization, is it safe yet to give containerized root to an everyday user without huge security issues?