Re: [libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers
On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
Due to security concerns we delegate only
VIR_CGROUP_CONTROLLER_SYSTEMD
to containers.
Currently it is not safe to allow a container access to a resource controller.
We *do* want to allow all controllers to be visible to the container.
eg it is valid for them to have read access to view things like block
I/O and CPU accounting information. We just don't want to make it writable
for usernamespaces.
I've adjusted your first patch and reposted with you on CC, if you can
confirm it works for you.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|