[Devel] TRD: Start CT in a new user namespace: 1:1 user mapping
Andrey Vagin
avagin at odin.com
Tue Oct 13 06:30:39 PDT 2015
Now CT starts in a new user namespace. This allows us:
* to remove our capabilities (CAP_VE_*)
* to improve the security of our containers, because a process doesn't have privileges outside the container
Here is a good article about user namespaces: https://lwn.net/Articles/532593/
https://jira.sw.ru/browse/PSBM-33304
Users should not notice these changes, everything should work as before.
Testing:
* tests need to be executed to check the security of containers
* execute all tests, because these changes touch very general parts
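The mechanism described above, as an added example that is not OpenVZ/Virtuozzo code and does not show how the CT start path writes its maps: a process unshares into a fresh user namespace, installs a 1:1 (identity) uid/gid map, and then checks what that buys and what it does not. Assumptions: Linux with unprivileged user namespaces permitted; only the caller's own uid and gid are mapped (the single-line map an unprivileged process is allowed to write; a CT start running with CAP_SETUID/CAP_SETGID in the parent namespace could map a whole range the same way). Function names, the exit codes of the probe, and the "verdict" convention are this example's own.

```c
/* Added example (not OpenVZ/Virtuozzo code): enter a new user namespace with a
 * 1:1 identity mapping of the caller's own uid/gid, then verify the effect.
 * Build and run:  cc -o userns_1to1 userns_1to1.c && ./userns_1to1 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21   /* value of CAP_SYS_ADMIN in linux/capability.h */

/* Render the single-line map "<id> <id> 1\n": id inside == id outside. */
int format_id_map(unsigned id, char *buf, size_t n)
{
    int len = snprintf(buf, n, "%u %u 1\n", id, id);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Write a whole string to a /proc file in one write(2); returns 0 or -errno. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = (write(fd, s, strlen(s)) < 0) ? errno : 0;
    close(fd);
    return -err;
}

/* Unshare into a fresh user namespace and install the 1:1 map for our own
 * uid and gid.  The ids must be read BEFORE unshare(): until a map exists,
 * getuid()/getgid() report the overflow id (65534).  Returns 0 or -errno. */
int enter_userns_1to1(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];
    int rc;

    if (unshare(CLONE_NEWUSER) != 0) return -errno;
    /* Without CAP_SETGID in the parent namespace the kernel accepts gid_map
     * only after setgroups(2) has been disabled for this namespace. */
    if ((rc = write_file("/proc/self/setgroups", "deny")) != 0) return rc;
    format_id_map(gid, map, sizeof map);
    if ((rc = write_file("/proc/self/gid_map", map)) != 0) return rc;
    format_id_map(uid, map, sizeof map);
    if ((rc = write_file("/proc/self/uid_map", map)) != 0) return rc;
    return 0;
}

/* Effective capability mask of the calling task from /proc/self/status; -1 on error. */
long long read_cap_eff(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    unsigned long long caps = 0;
    int found = 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &caps) == 1) { found = 1; break; }
    fclose(f);
    return found ? (long long)caps : -1;
}

/* Runs in a child.  Verdicts (this example's convention): 0 = namespace behaves
 * as described, 2 = this environment does not permit creating the namespace,
 * 1 = unexpected behaviour. */
static int child_check(void)
{
    uid_t outside = getuid();
    int rc = enter_userns_1to1();
    if (rc == -EPERM || rc == -EACCES || rc == -ENOSYS || rc == -EINVAL || rc == -ENOSPC)
        return 2;
    if (rc != 0) return 1;
    long long caps = read_cap_eff();
    if (getuid() != outside) return 1;                 /* 1:1 map: same uid seen inside */
    if (caps < 0 || !((caps >> CAP_SYS_ADMIN_BIT) & 1)) /* full caps, but only in this ns */
        return 1;
    /* The map is the boundary: even with CAP_SETUID inside the namespace, an
     * identity that is not mapped cannot be assumed (kernel answers EINVAL). */
    if (setuid(outside + 1) == 0) return 1;
    return 0;
}

/* Fork so the caller's own namespace is untouched; returns the child's verdict. */
int probe_userns_1to1(void)
{
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) _exit(child_check());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("outside: uid=%u CapEff=%#llx\n", (unsigned)getuid(), read_cap_eff());
    int verdict = probe_userns_1to1();
    printf("verdict: %d (0 ok, 2 user namespaces not permitted here, 1 unexpected)\n", verdict);
    if (verdict == 0 && enter_userns_1to1() == 0)      /* now show the view from inside */
        printf("inside:  uid=%u CapEff=%#llx\n", (unsigned)getuid(), read_cap_eff());
    return verdict;
}
```

The point the probe makes is the one the post relies on: inside the namespace the process holds a full capability set, yet those capabilities are only honoured against objects owned by that namespace, and the uid/gid map decides which identities exist there at all. The caveat a 1:1 map carries is that uid numbers are unchanged, so anything a process can reach purely by uid (files on a shared filesystem owned by the same uid, for example) stays reachable from inside; the isolation comes from the namespace boundary and the capability checks, not from renumbering.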