On Mon, Jun 2, 2014 at 6:22 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
IIUC, we'd need to recursively chown the files under /proc/sys/net to give them the remapped UID/GID of the root user in the container, in order that they can be used.
So overall I think we'd have to do
- Make either /proc/sys/net or /proc/sys read-write
- If userns is active, recursive chown /proc/sys/net (or a subset of files in it that we explicitly want to grant access to)
Please just make /proc/ and /sys writeable (or at least the setting optional for paranoid folks). If the userns was setup correctly by libvirt and a container user/root still can do bad things this a plain kernel bug and needs fixing. No need to paper over it in libvirt. -- Thanks, //richard