[Devel] [PATCH RH7 0/3] capability fixes for docker

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue Jun 30 05:17:51 PDT 2015


Allow what Docker wants; we need it to run the integration-cli tests
when we prohibit CAP_SYS_ADMIN and CAP_NET_ADMIN in CT.

* after switching to user namespaces we won't need those patches
https://jira.sw.ru/browse/PSBM-34523

to test without CAP_SYS_ADMIN and CAP_NET_ADMIN:
vzctl set 206 --capability net_admin:off \
	--capability sys_admin:off --save

Pavel Tikhomirov (3):
  vfs: allow mount/umount, pivot_root with CAP_VE_SYS_ADMIN
  rtnl: allow move network devices into network namespace in CT
  vfs: allow mount proc and mqueue inside container

 fs/namespace.c       | 4 +++-
 fs/proc/root.c       | 3 ++-
 ipc/mqueue.c         | 3 ++-
 net/core/rtnetlink.c | 3 ++-
 4 files changed, 9 insertions(+), 4 deletions(-)

-- 
1.9.3
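
An added check, not part of the original post or the patch series: before running the tests, confirm from a `/proc/<pid>/status` dump that CAP_NET_ADMIN and CAP_SYS_ADMIN are really absent from the effective and bounding sets. The function names and the sample status text are constructed for this example; the bit numbers 12 and 21 come from `linux/capability.h`.

```shell
#!/bin/sh
# Added example: inspect capability masks in a /proc/<pid>/status dump.

# Map a vzctl-style capability name to its bit in linux/capability.h.
cap_bit() {
    case "$1" in
        net_admin) echo 12 ;;
        sys_admin) echo 21 ;;
        *) return 1 ;;
    esac
}

# cap_mask SET FILE: print the hex mask of SET (CapEff, CapBnd, ...) from FILE.
cap_mask() {
    awk -v key="$1:" '$1 == key { print $2; found = 1 } END { exit !found }' "$2"
}

# has_cap SET NAME FILE: exit 0 if the bit is set, 1 if clear, 2 on error.
has_cap() {
    bit=$(cap_bit "$2") || return 2
    mask=$(cap_mask "$1" "$3") || return 2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# caps_dropped FILE: exit 0 only if both capabilities are off in CapEff and CapBnd.
caps_dropped() {
    for s in CapEff CapBnd; do
        for cap in net_admin sys_admin; do
            rc=0
            has_cap "$s" "$cap" "$1" || rc=$?
            case $rc in
                0) echo "$s still has $cap"; return 1 ;;
                1) ;;
                *) echo "cannot read $s from $1" >&2; return 2 ;;
            esac
        done
    done
    echo "net_admin and sys_admin are off"
}

# Constructed sample: a minimal status dump with the given hex mask in every set.
sample_status() {
    printf 'Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\n' \
        "$1" "$1" "$1"
}
```

Inside the container, source the file and run `caps_dropped /proc/self/status` from the shell that will launch the tests.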