A CT (container) now starts in a new user namespace. This allows us:
* to remove our capabilities (CAP_VE_*)
* to improve the security of our containers, because a process doesn't have privileges outside the container
Here is a good article about user namespaces: https://lwn.net/Articles/532593/
Users should not notice these changes; everything should work as before.
=== Testing ===
* run tests that check the security of containers
* run all tests, because these changes touch very general parts
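One possible security check for the point above, as an added example that is not part of the original page or of the project's test suite: it parses the kernel's <code>/proc/&lt;pid&gt;/uid_map</code> format (inside ID, outside ID, length) and verifies that root inside the container does not map to root on the host. The function names and the sample maps are assumptions constructed for illustration.

```python
"""Added example: check that container root is unprivileged on the host."""
import sys


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, count) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        extents.append(tuple(int(f) for f in fields))
    return extents


def to_host_id(extents, inside_id):
    """Translate an ID inside the namespace to the outside ID; None if unmapped.

    When the map is read from the host's initial user namespace, the
    outside ID is the real host ID.
    """
    for inside, outside, count in extents:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def root_is_unprivileged(text):
    """True when ID 0 inside maps to a non-zero host ID or is unmapped."""
    return to_host_id(parse_id_map(text), 0) != 0


# Constructed sample maps, not taken from a real system.
SAMPLE_HOST = "         0          0 4294967295\n"  # initial user namespace
SAMPLE_CT = "         0     100000      65536\n"    # container in its own userns

if __name__ == "__main__":
    # Assumption: argv[1] is the host PID of a process inside the container.
    if len(sys.argv) > 1:
        for name in ("uid_map", "gid_map"):
            with open(f"/proc/{sys.argv[1]}/{name}") as fh:
                ok = root_is_unprivileged(fh.read())
            print(f"{name}: {'ok' if ok else 'container root maps to host root'}")
    else:
        print(root_is_unprivileged(SAMPLE_CT), root_is_unprivileged(SAMPLE_HOST))
```

Run it on the host with the PID of a container process; an identity map (0 0 4294967295) means the process is still in the initial user namespace.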