My understanding is that the unprivileged user owning the container can still alter the cgroups, right?
The use case that we have in mind is to allow an unprivileged user run a preconfigured container, which configuration is only writable for power users. Ideally the unprivileged user should not be able to meddle with the cgroups or even create new containers. Is such a scenario feasible to implement using LXC and cgroups? Todor > On 16. May 2017, at 05:31, Fajar A. Nugraha <[email protected]> wrote: > > On Tue, May 16, 2017 at 1:18 AM, Dr. Todor Dimitrov <[email protected] > <mailto:[email protected]>> wrote: > Hallo, > > LXC automatically creates the "/sys/fs/cgroup/*/lxc/some-container-name" > cgroups, which are setup to reflect the restrictions as defined in the > container configuration file. I was wondering whether it would be possible to > use a predefined cgroups hierarchy, which is not writable by LXC. Thus it > would be possible for a super-user to place resource restrictions for the > containers run by the unprivileged users. Is it possible to implement such a > scenario using cgroups? > > > It should already does what you want. IIRC unpriv containers are unable to > increase their limits by writing to the cgroup. And if needed, root on the > host could always write values to the desired cgroups. > > Any particular use case in mind? > > -- > Fajar > _______________________________________________ > lxc-users mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-users
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
