Re: [libvirt] [PATCH] Update docs about user namespace for LXC

From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; Mention that user namespace can be enabled using the UID/GID mapping schema. Fix typo in link anchor for container args in domain XML docs. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com&gt; ---

docs/drvlxc.html.in | 14 +++++--------- docs/formatdomain.html.in | 2 +- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index 640968f..1e6aa1d 100644 --- a/docs/drvlxc.html.in +++ b/docs/drvlxc.html.in @@ -40,15 +40,11 @@ primary "host" OS environment, the libvirt LXC driver requires that certain kernel namespaces are compiled in. Libvirt currently requires the 'mount', 'ipc', 'pid', and 'uts' namespaces to be available. If separate network interfaces are desired, then the 'net' namespace is -required. In the near future, the 'user' namespace will optionally be -supported. -</p> - -<p> -<strong>NOTE: In the absence of support for the 'user' namespace, -processes inside containers cannot be securely isolated from host -process without the use of a mandatory access control technology -such as SELinux or AppArmor.</strong> +required. If the guest configuration declares a +<a href="formatdomain.html#elementsOSContainer">UID or GID mapping</a>, +the 'user' namespace will be enabled to apply these. <strong>A suitably +configured UID/GID mapping is a pre-requisite to making containers +secure, in the absence of sVirt confinement.</strong> </p> <h2><a name="init">Default container setup</a></h2> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index f8bfe0b..971b059 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -263,7 +263,7 @@ <span class="since">Since 1.0.4</span></dd> </dl> - <h4><a name="eleemntsOSContainer">Container boot</a></h4> + <h4><a name="elementsOSContainer">Container boot</a></h4> <p> When booting a domain using container based virtualization, instead