Re: [libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers
Am 13.02.2014 18:16, schrieb Daniel P. Berrange:
On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
> to containers.
> Currently it is not safe to allow a container access to a resource controller.
>
We *do* want to allow all controllers to be visible to the container.
eg it is valid for them to have read access to view things like block
I/O and CPU accounting information. We just don't want to make it writable
for usernamespaces.
Okay. But what if one does not enable user namespaces?
Then the controllers are writable within the container.
I've adjusted your first patch and reposted with you on CC, if
you can
confirm it works for you.
Will test it today. :)
Thanks,
//richard