[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH]LXC doc: Add warns if net namespace not enabled



On Mon, Sep 09, 2013 at 04:33:54PM +0800, Chen Hanxiao wrote:
> ping...
> 
> > -----Original Message-----
> > From: libvir-list-bounces redhat com [mailto:libvir-list-bounces redhat com]
> > On Behalf Of Chen Hanxiao
> > Sent: Tuesday, September 03, 2013 10:04 AM
> > To: 'Daniel P. Berrange'
> > Cc: libvir-list redhat com
> > Subject: Re: [libvirt] [PATCH]LXC doc: Add warns if net namespace not enabled
> > 
> > Hi
> > 	Any comments?
> > 
> > Thanks
> > 
> > > -----Original Message-----
> > > From: Chen Hanxiao [mailto:chenhanxiao cn fujitsu com]
> > > Sent: Friday, August 23, 2013 1:18 PM
> > > To: libvir-list redhat com
> > > Cc: chenhanxiao cn fujitsu com
> > > Subject: [libvirt][PATCH]LXC doc: Add warns if net namespace not enabled
> > >
> > > From: Chen Hanxiao <chenhanxiao cn fujitsu com>
> > >
> > > If we don't enable the network namespace, we could shut down the host by
> > > executing the command 'shutdown' inside the container.
> > > This patch will add some warnings in the LXC docs and give some advice to
> > > readers.
> > >
> > > Signed-off-by: Chen Hanxiao <chenhanxiao cn fujitsu com>
> > > ---
> > >  docs/drvlxc.html.in |    7 +++++++
> > >  1 files changed, 7 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index
> > > 640968f..8f3a36a
> > > 100644
> > > --- a/docs/drvlxc.html.in
> > > +++ b/docs/drvlxc.html.in
> > > @@ -50,6 +50,13 @@ processes inside containers cannot be securely
> > > isolated from host  process without the use of a mandatory access
> > > control technology such as SELinux or AppArmor.</strong>  </p>
> > > +<p>
> > > +<strong>WARNING: If 'net' namespace <i>not</i> enabled for container,
> > > +host OS could be <i>shutdown</i> by executing command like 'reboot'
> > > +inside container.<br/>So make sure 'net' namespace was available and
> > > +set the &lt;privnet/&gt; feature in the XML, or configure virtual NICs.
> > > +Then this issue could be circumvented.</strong> </p>
> > >
> > >  <h2><a name="init">Default container setup</a></h2>
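Review bot: The added warning states the consequence but not the cause, so a reader cannot tell why a missing network namespace lets 'reboot' in the container reach the host, nor why adding a virtual NIC is a fix; "Then this issue could be circumvented" leaves the reason unstated. Add one sentence with the mechanism: abstract UNIX domain sockets are scoped to the network namespace, so a container that shares the host's network namespace can connect to an init control socket that lives in the abstract namespace (Upstart's does), and a 'shutdown' or 'reboot' issued through it is carried out by the host's init; a private network namespace, which the driver creates when <privnet/> is set or any <interface> is defined, isolates that socket namespace from the host. The commit message talks about 'shutdown' while the doc text says 'reboot'; name both commands so the search terms match. While at it, fix the grammar of the new paragraph: "If 'net' namespace <i>not</i> enabled for container" should read "If the 'net' namespace is <i>not</i> enabled for the container", "could be <i>shutdown</i>" is the verb "shut down", and "make sure 'net' namespace was available" should be "make sure the 'net' namespace is available".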

Sorry for the delay in responding. While this text looks fine, I think we
actually need much more content about security issues in LXC. So I'm going
to create an entire section in the docs about this and include your warning.

I'll copy you on any patch I post.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

