From: James Bottomley <jbottomley-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
To: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Cc: "systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org"
<systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org>,
"libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Kay Sievers <kay-tD+1rO4QERM@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
"lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org"
<lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>,
"davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org"
<davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Subject: Re: [systemd-devel] [PATCH] netns: unix: only allow to find out unix socket in same net namespace
Date: Mon, 26 Aug 2013 03:53:01 +0000
Message-ID: <1377489181.2341.16.camel@dabdike>
In-Reply-To: <521ACCEF.4050101-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
On Mon, 2013-08-26 at 11:35 +0800, Gao feng wrote:
> On 08/26/2013 11:19 AM, James Bottomley wrote:
> > Yes, we are discussing this problem in this whole thread.
I wasn't really watching that bit, since the problem looks solved to me.
I was just reacting against the unfortunate notion that a container
should run init.
> > If so, OpenVZ
> > has never suffered from that problem and I thought it was fixed
> > upstream. I've not tested lxc tools, but the latest vzctl from the
> > openvz website will bring up a container on the vanilla 3.9 kernel
> > (provided you have USER_NS compiled in) can also be used to reboot the
> > container, so I see no reason it wouldn't work for lxc as well.
> >
>
> I'm using libvirt lxc, not lxc-tools.
> Not all users enable user namespaces; I trust these container management
> tools can have the right/proper settings which inhibit this reboot problem
> from occurring.
> But I don't think this reboot problem won't happen in any
> configuration.
It sounds like you're setting up your containers wrongly. If a
container can reboot the system it means that host root capabilities
have leaked into the container, which is a big security no-no. The
upstream way of avoiding this is USER_NS (because root in the container
is now not root in the host). The OpenVZ kernel uses a different
mechanism to solve the problem, but we think USER_NS is the better way
to go on this.
James