
On Mon, Sep 09, 2013 at 04:33:54PM +0800, Chen Hanxiao wrote:
ping...
-----Original Message-----
From: libvir-list-bounces@redhat.com [mailto:libvir-list-bounces@redhat.com] On Behalf Of Chen Hanxiao
Sent: Tuesday, September 03, 2013 10:04 AM
To: 'Daniel P. Berrange'
Cc: libvir-list@redhat.com
Subject: Re: [libvirt] [PATCH]LXC doc: Add warns if net namespace not enabled
Hi,
Any comments?
Thanks
-----Original Message-----
From: Chen Hanxiao [mailto:chenhanxiao@cn.fujitsu.com]
Sent: Friday, August 23, 2013 1:18 PM
To: libvir-list@redhat.com
Cc: chenhanxiao@cn.fujitsu.com
Subject: [libvirt][PATCH]LXC doc: Add warns if net namespace not enabled
From: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
If we don't enable the network namespace, we could shut down the host by executing the command 'shutdown' inside the container. This patch will add some warnings to the LXC docs and give some advice to readers.
Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
---
 docs/drvlxc.html.in | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index 640968f..8f3a36a 100644 --- a/docs/drvlxc.html.in +++ b/docs/drvlxc.html.in @@ -50,6 +50,13 @@ processes inside containers cannot be securely isolated from host process without the use of a mandatory access control technology such as SELinux or AppArmor.</strong> </p> +<p> +<strong>WARNING: If 'net' namespace <i>not</i> enabled for container, +host OS could be <i>shutdown</i> by executing command like 'reboot' +inside container.<br/>So make sure 'net' namespace was available and +set the <privnet/> feature in the XML, or configure virtual NICs. +Then this issue could be circumvented.</strong> </p>
<h2><a name="init">Default container setup</a></h2>
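Review bot: The bare `<privnet/>` in the new paragraph needs escaping; drvlxc.html.in is XML that is transformed into the rendered HTML page, so as written the tag is parsed as an element and the feature name never appears in the text the reader sees. Write it as `&lt;privnet/&gt;` instead. The wording of the warning also needs tightening: "If 'net' namespace not enabled" is missing "is", "could be shutdown" should be "could be shut down", and "this issue could be circumvented" reads as if a safeguard were being bypassed when "avoided" is what is meant. Finally, the paragraph states the effect (a 'reboot' in the container affects the host) but not the cause; one sentence on why a container that shares the host's network namespace can reach the host's shutdown path would let readers judge whether their own configuration is affected rather than just telling them to enable the namespace.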
Sorry for the delay in responding. While this text looks fine, I think we actually need much more content about security issues in LXC. So I'm going to create an entire section in the docs about this and include your warning. I'll copy you on any patch I post.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|