proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-05 11:44:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0769b82a42
mirror_lxc/doc
History
Christian Seiler 0769b82a42 lxc.mount.auto: improve defaults for cgroup and cgroup-full 
If the user specifies cgroup or cgroup-full without a specifier (:ro,
:rw or :mixed), this changes the behavior. Previously, these were
simple aliases for the :mixed variants; now they depend on whether the
container also has CAP_SYS_ADMIN; if it does they resolve to the :rw
variants, if it doesn't to the :mixed variants (as before).

If a container has CAP_SYS_ADMIN privileges, any filesystem can be
remounted read-write from within, so initially mounting the cgroup
filesystems partially read-only as a default creates a false sense of
security. It is better to default to full read-write mounts to show the
administrator what keeping CAP_SYS_ADMIN entails.

If an administrator really wants both CAP_SYS_ADMIN and the :mixed
variant of cgroup or cgroup-full automatic mounts, they can still
specify that explicitly; this commit just changes the default without
specifier.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-05-06 10:20:10 -05:00
..
api Add '--enable-api-docs' for doxygen-generated public API docs. 2013-11-25 11:50:01 -05:00
examples Add the seccomp examples to EXTRA_DIST 2014-02-12 23:19:45 -05:00
ja doc: Update Japanese lxc-ls(1) for the new -g/--group argument 2014-05-02 13:04:23 -04:00
legacy licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
rootfs Update rootfs README 2014-02-13 13:52:50 -05:00
common_options.sgml.in licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
FAQ.txt Remove all trailing whitespaces. 2012-11-26 12:08:13 -05:00
lxc-attach.sgml.in doc: Update man pages to the latest information 2014-01-06 09:51:53 -05:00
lxc-autostart.sgml.in lxc-autostart: Add a new --ignore-auto/-A flag 2014-03-07 17:18:44 -05:00
lxc-cgroup.sgml.in licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
lxc-checkconfig.sgml.in licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
lxc-clone.sgml.in lxc-clone man page: fix typos 2014-04-28 08:42:24 -05:00
lxc-config.sgml.in doc: Add manpage for lxc-config 2014-01-23 12:51:47 -05:00
lxc-console.sgml.in Fix typos identified by lintian 2013-10-20 00:34:07 -04:00
lxc-create.sgml.in lxc-create: make 'none' bdev type work again 2014-05-01 13:54:16 -04:00
lxc-destroy.sgml.in doc: Update man pages to the latest information 2014-01-06 09:51:53 -05:00
lxc-device.sgml.in Fix some typos 2013-09-11 10:02:05 -04:00
lxc-execute.sgml.in Deprecate lxc-checkpoint, lxc-kill and lxc-restart 2014-01-18 10:13:50 -05:00
lxc-freeze.sgml.in licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
lxc-info.sgml.in doc: lxc-info -c doesn't require RUNNING 2014-01-31 09:16:04 +00:00
lxc-ls.sgml.in lxc-ls: Typo in manpage 2014-05-02 11:13:08 -04:00
lxc-monitor.sgml.in let lxc-monitor command ask a lxc-monitord instance to quit 2013-12-06 16:03:23 -05:00
lxc-snapshot.sgml.in bdev: Add aufs support 2014-02-12 16:43:55 -05:00
lxc-start-ephemeral.sgml.in lxc-start-ephemeral: fix the man page 2014-01-06 10:21:11 -05:00
lxc-start.sgml.in Cosmetic: shorten the options summary in documentation 2013-11-13 07:04:27 -08:00
lxc-stop.sgml.in lxc_*.c: don't exit with -1 2014-04-07 17:19:14 -04:00
lxc-top.sgml.in lxc-top: show kernel memory being used if available 2013-11-04 06:37:11 -06:00
lxc-unfreeze.sgml.in licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
lxc-unshare.sgml.in Teach lxc_unshare about interfaces, mounts, hostname, daemonize 2014-01-15 15:42:36 -06:00
lxc-user-nic.sgml.in doc: fix See Also lxc-usernet.conf -> lxc-usernet 2014-01-24 13:07:50 -05:00
lxc-usernet.sgml.in add manpages for lxc-user-nic 2013-12-17 11:15:57 -06:00
lxc-usernsexec.sgml.in lxc-usernsexec manpage: fix typo (command name is not lxc-unshare) 2014-02-13 22:40:51 -06:00
lxc-wait.sgml.in licensing: Add missing headers and FSF address 2013-09-03 14:33:03 -04:00
lxc.conf.sgml.in doc: Try to clear some confusion about lxc.conf 2014-01-22 22:16:20 -05:00
lxc.container.conf doc: Try to clear some confusion about lxc.conf 2014-01-22 22:16:20 -05:00
lxc.container.conf.sgml.in lxc.mount.auto: improve defaults for cgroup and cgroup-full 2014-05-06 10:20:10 -05:00
lxc.sgml.in Remove lxc-version, lxc-ps and lxc-netstat 2014-01-22 13:38:46 -05:00
lxc.system.conf doc: Try to clear some confusion about lxc.conf 2014-01-22 22:16:20 -05:00
lxc.system.conf.sgml.in doc: Add Japanese lxc.container.conf(5), lxc.system.conf(5) and update lxc.conf(5) 2014-01-23 10:53:06 -05:00
Makefile.am doc: Add manpage for lxc-config 2014-01-23 12:51:47 -05:00
see_also.sgml.in Remove lxc-version, lxc-ps and lxc-netstat 2014-01-22 13:38:46 -05:00