Difference between revisions of "Start CT in a new user namespace: 1:1 user mapping"
(Created page with "Now CT starts in a new user namespace. This allows us: * to remove our capabilities (CAP_VE_*) * to improve security of our containers, because a process doesn't have privileg...") |
|||
| Line 11: | Line 11: | ||
* need to execute tests to check security of containers | * need to execute tests to check security of containers | ||
* execute all tests, because these changes are touching very general parts | * execute all tests, because these changes are touching very general parts | ||
| + | |||
| + | === Links === | ||
| + | |||
| + | * [https://lists.openvz.org/pipermail/devel/2015-October/033354.html TRD in devel@ mail archive] | ||
Revision as of 13:53, 13 October 2015
Now CT starts in a new user namespace. This allows us:
- to remove our capabilities (CAP_VE_*)
- to improve security of our containers, because a process doesn't have privileges outside the container
Here is a good article about user namespaces https://lwn.net/Articles/532593/
Users should not notice these changes, everything should work as before.
Testing
- need to execute tests to check security of containers
- execute all tests, because these changes are touching very general parts
