[libvirt] [PATCH]LXC doc: Add warns if net namespace not enabled

Daniel P. Berrange berrange at redhat.com
Tue Sep 10 09:19:40 UTC 2013


On Mon, Sep 09, 2013 at 04:33:54PM +0800, Chen Hanxiao wrote:
> ping...
> 
> > -----Original Message-----
> > From: libvir-list-bounces at redhat.com [mailto:libvir-list-bounces at redhat.com]
> > On Behalf Of Chen Hanxiao
> > Sent: Tuesday, September 03, 2013 10:04 AM
> > To: 'Daniel P. Berrange'
> > Cc: libvir-list at redhat.com
> > Subject: Re: [libvirt] [PATCH]LXC doc: Add warns if net namespace not enabled
> > 
> > Hi
> > 	Any comments?
> > 
> > Thanks
> > 
> > > -----Original Message-----
> > > From: Chen Hanxiao [mailto:chenhanxiao at cn.fujitsu.com]
> > > Sent: Friday, August 23, 2013 1:18 PM
> > > To: libvir-list at redhat.com
> > > Cc: chenhanxiao at cn.fujitsu.com
> > > Subject: [libvirt][PATCH]LXC doc: Add warns if net namespace not
> > > enabled
> > >
> > > From: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> > >
> > > If we don't enable network namespace, we could shutdown host by
> > > executing command 'shutdown' inside container.
> > > This patch will add some warnings in LXC docs and give some advice to readers.
> > >
> > > Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> > > ---
> > >  docs/drvlxc.html.in |    7 +++++++
> > >  1 files changed, 7 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index
> > > 640968f..8f3a36a
> > > 100644
> > > --- a/docs/drvlxc.html.in
> > > +++ b/docs/drvlxc.html.in
> > > @@ -50,6 +50,13 @@ processes inside containers cannot be securely
> > > isolated from host  process without the use of a mandatory access
> > > control technology such as SELinux or AppArmor.</strong>  </p>
> > > +<p>
> > > +<strong>WARNING: If 'net' namespace <i>not</i> enabled for container,
> > > +host OS could be <i>shutdown</i> by executing command like 'reboot'
> > > +inside container.<br/>So make sure 'net' namespace was available and
> > > +set the <privnet/> feature in the XML, or configure virtual NICs.
> > > +Then this issue could be circumvented.</strong> </p>
> > >
> > >  <h2><a name="init">Default container setup</a></h2>
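Review bot: the `+set the <privnet/> feature in the XML` line writes `<privnet/>` as a literal tag inside an `.html.in` source, so the documentation build will parse it as an element instead of showing it as text; it should be escaped as `&lt;privnet/&gt;` so readers actually see the feature name. The first added line is also missing a verb ("If the 'net' namespace is <i>not</i> enabled"), "could be <i>shutdown</i>" should read "shut down", and "was available" should be "is available"; since the commit message names 'shutdown' while the text says 'reboot', naming both commands would keep the warning consistent with the description.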

Sorry for the delay in responding. While this text looks fine, I think we
actually need much more content about security issues in LXC. So I'm going
to create an entire section in the docs about this and include your warning.

I'll copy you on any patch I post.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
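The condition the patch warns about (an LXC domain with neither the `<privnet/>` feature nor any `<interface>` device, so the container shares the host's network namespace) can be checked mechanically. The script below is an added example, not code from the thread or from libvirt; it assumes the standard libvirt LXC domain XML layout, where `<features><privnet/></features>` or any `<devices><interface>` gives the container a private network namespace, and the sample domain definitions are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample: no <privnet/> and no <interface>, i.e. the
# configuration the doc warning is about (shares the host netns).
SHARED_NETNS_XML = """<domain type='lxc'>
  <name>demo-shared</name>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices><console type='pty'/></devices>
</domain>"""

# Constructed sample: same container with the <privnet/> feature set.
PRIVNET_XML = """<domain type='lxc'>
  <name>demo-privnet</name>
  <os><type>exe</type><init>/sbin/init</init></os>
  <features><privnet/></features>
  <devices><console type='pty'/></devices>
</domain>"""

# Constructed sample: a virtual NIC is defined, which also implies a
# private network namespace for the container.
NIC_XML = """<domain type='lxc'>
  <name>demo-nic</name>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices>
    <interface type='network'><source network='default'/></interface>
    <console type='pty'/>
  </devices>
</domain>"""


def has_private_netns(domain_xml: str) -> bool:
    """True if this LXC domain gets its own network namespace: either the
    <privnet/> feature is set or at least one <interface> device exists."""
    root = ET.fromstring(domain_xml)
    if root.get("type") != "lxc":
        raise ValueError("not an LXC domain definition")
    if root.find("./features/privnet") is not None:
        return True
    return root.find("./devices/interface") is not None


def audit(domain_xml: str) -> str:
    """One-line verdict per domain, suitable for a config-review script."""
    name = ET.fromstring(domain_xml).findtext("name", default="<unnamed>")
    if has_private_netns(domain_xml):
        return f"{name}: OK, private network namespace"
    return (f"{name}: WARNING, shares the host network namespace; "
            "add <features><privnet/></features> or an <interface> device")


if __name__ == "__main__":
    for xml in (SHARED_NETNS_XML, PRIVNET_XML, NIC_XML):
        print(audit(xml))
```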
