Difference between revisions of "Start CT in a new user namespace: 1:1 user mapping"
* [https://lists.openvz.org/pipermail/devel/2015-October/033354.html TRD in devel@ mail archive]
Latest revision as of 13:55, 13 October 2015
A CT now starts in a new user namespace. This allows us:
- to remove our own capabilities (CAP_VE_*)
- to improve the security of our containers, because a process inside a container has no privileges outside it
A good article about user namespaces: https://lwn.net/Articles/532593/
Users should not notice these changes; everything should work as before.
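As an added example (not code from this page or from vzctl), here is a small Python model of how the kernel's /proc/<pid>/uid_map translates ids across a user namespace; it shows why a 1:1 map keeps ids unchanged while any id outside every mapped range shows up as the overflow id. The map contents below are constructed samples.

```python
"""Translate uid/gid values through a Linux user-namespace id map.

uid_map and gid_map hold one range per line: "inside outside count".
An id with no matching range is reported as the kernel overflow id
(65534, "nobody" by default) on the other side of the namespace.
"""

OVERFLOW_ID = 65534  # default value of /proc/sys/kernel/overflowuid


def parse_id_map(text):
    """Parse uid_map/gid_map text into a list of (inside, outside, count)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed id_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("count must be positive: %r" % line)
        ranges.append((inside, outside, count))
    return ranges


def to_outside(ranges, inside_id):
    """Map an id seen inside the namespace to the id the host kernel uses."""
    for inside, outside, count in ranges:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return OVERFLOW_ID


def to_inside(ranges, outside_id):
    """Map a host (outside) id to what a process inside the namespace sees."""
    for inside, outside, count in ranges:
        if outside <= outside_id < outside + count:
            return inside + (outside_id - outside)
    return OVERFLOW_ID


def is_one_to_one(ranges):
    """True when every range maps ids to themselves (the CT case on this page)."""
    return all(inside == outside for inside, outside, _ in ranges)


# Constructed samples: the full 1:1 map this page describes (count 2**32 - 1
# covers the whole id space) and a shifted map as used by unprivileged setups.
IDENTITY = parse_id_map("0 0 4294967295\n")
SHIFTED = parse_id_map("0 100000 65536\n")
```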
Testing
- execute tests that check the security of containers
- execute all tests, because these changes touch very general parts of the system