From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Kay Sievers <kay-tD+1rO4QERM@public.gmane.org>
Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
"libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: [systemd-devel] [PATCH] netns: unix: only allow to find out unix socket in same net namespace
Date: Wed, 21 Aug 2013 10:56:24 +0100 [thread overview]
Message-ID: <20130821095624.GJ10012@redhat.com> (raw)
In-Reply-To: <CAPXgP120YUEVnFiD0uPnqeO4x=5oRvHL79-cX5CnmEWc3d5mvQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Wed, Aug 21, 2013 at 11:51:53AM +0200, Kay Sievers wrote:
> On Wed, Aug 21, 2013 at 9:22 AM, Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> wrote:
> > On 08/21/2013 03:06 PM, Eric W. Biederman wrote:
>
> >> I suspect libvirt should simply not share /run or any other normally
> >> writable directory with the host. Sharing /run /var/run or even /tmp
> >> seems extremely dubious if you want some kind of containment, and
> >> without strange things spilling through.
>
> Right, /run or /var cannot be shared. It's not only about sockets,
> many other things will also go really wrong that way.
Libvirt already allows the app defining the container config to
set private mounts for any directory including /run and /var.
If an admin or app wants to run systemd inside a container, it is
their responsibility to ensure they setup the filesystem in a
suitable manner. Libvirt is not going to enforce use of a private
/run or /var, since that's a policy decision for a specific
use case.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2013-08-21 9:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-21 4:31 [PATCH] netns: unix: only allow to find out unix socket in same net namespace Gao feng
[not found] ` <1377059473-25526-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-08-21 4:58 ` Gao feng
2013-08-21 5:30 ` Eric W. Biederman
[not found] ` <87d2p7vcdx.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-08-21 6:54 ` Gao feng
[not found] ` <5214641C.9030902-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-08-21 7:06 ` Eric W. Biederman
[not found] ` <87wqnfttdf.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-08-21 7:22 ` Gao feng
2013-08-21 7:22 ` Gao feng
[not found] ` <52146AC2.5070409-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-08-21 9:51 ` [systemd-devel] " Kay Sievers
[not found] ` <CAPXgP120YUEVnFiD0uPnqeO4x=5oRvHL79-cX5CnmEWc3d5mvQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-08-21 9:56 ` Daniel P. Berrange [this message]
2013-08-25 17:16 ` James Bottomley
2013-08-25 17:37 ` Kay Sievers
[not found] ` <CAPXgP115pEE8jxyCqauoMRWui3Qb0fBzPr9L2_SA411=gfnX3w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-08-25 18:16 ` James Bottomley
2013-08-26 1:06 ` Gao feng
[not found] ` <521AAA23.9050604-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-08-26 3:19 ` James Bottomley
2013-08-26 3:35 ` Gao feng
[not found] ` <521ACCEF.4050101-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-08-26 3:53 ` James Bottomley
2013-08-26 13:53 ` Serge Hallyn
2013-08-26 13:53 ` Serge Hallyn
2013-08-21 10:42 ` Eric W. Biederman
[not found] ` <87haejtjet.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-08-22 1:36 ` Gao feng
2013-08-22 1:36 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130821095624.GJ10012@redhat.com \
--to=berrange-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=kay-tD+1rO4QERM@public.gmane.org \
--cc=libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.