doc · 0769b82a42ccdb8daa378b493be8ea092a283b24 · Chen Yisong / lxc

lxc.mount.auto: improve defaults for cgroup and cgroup-full · 0769b82a

authored May 03, 2014

If the user specifies cgroup or cgroup-full without a specifier (:ro,
:rw or :mixed), this changes the behavior. Previously, these were
simple aliases for the :mixed variants; now they depend on whether the
container also has CAP_SYS_ADMIN; if it does they resolve to the :rw
variants, if it doesn't to the :mixed variants (as before).

If a container has CAP_SYS_ADMIN privileges, any filesystem can be
remounted read-write from within, so initially mounting the cgroup
filesystems partially read-only as a default creates a false sense of
security. It is better to default to full read-write mounts to show the
administrator what keeping CAP_SYS_ADMIN entails.

If an administrator really wants both CAP_SYS_ADMIN and the :mixed
variant of cgroup or cgroup-full automatic mounts, they can still
specify that explicitly; this commit just changes the default without
specifier.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

0769b82a

Name	Last commit	Last update
..
api		Loading commit data...
examples		Loading commit data...
ja		Loading commit data...
legacy		Loading commit data...
rootfs		Loading commit data...
FAQ.txt		Loading commit data...
Makefile.am		Loading commit data...
common_options.sgml.in		Loading commit data...
lxc-attach.sgml.in		Loading commit data...
lxc-autostart.sgml.in		Loading commit data...
lxc-cgroup.sgml.in		Loading commit data...
lxc-checkconfig.sgml.in		Loading commit data...
lxc-clone.sgml.in		Loading commit data...
lxc-config.sgml.in		Loading commit data...
lxc-console.sgml.in		Loading commit data...
lxc-create.sgml.in		Loading commit data...
lxc-destroy.sgml.in		Loading commit data...
lxc-device.sgml.in		Loading commit data...
lxc-execute.sgml.in		Loading commit data...
lxc-freeze.sgml.in		Loading commit data...
lxc-info.sgml.in		Loading commit data...
lxc-ls.sgml.in		Loading commit data...
lxc-monitor.sgml.in		Loading commit data...
lxc-snapshot.sgml.in		Loading commit data...
lxc-start-ephemeral.sgml.in		Loading commit data...
lxc-start.sgml.in		Loading commit data...
lxc-stop.sgml.in		Loading commit data...
lxc-top.sgml.in		Loading commit data...
lxc-unfreeze.sgml.in		Loading commit data...
lxc-unshare.sgml.in		Loading commit data...
lxc-user-nic.sgml.in		Loading commit data...
lxc-usernet.sgml.in		Loading commit data...
lxc-usernsexec.sgml.in		Loading commit data...
lxc-wait.sgml.in		Loading commit data...
lxc.conf.sgml.in		Loading commit data...
lxc.container.conf		Loading commit data...
lxc.container.conf.sgml.in		Loading commit data...
lxc.sgml.in		Loading commit data...
lxc.system.conf		Loading commit data...
lxc.system.conf.sgml.in		Loading commit data...
see_also.sgml.in		Loading commit data...