[systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?
microcai at fedoraproject.org
Fri Apr 22 20:28:58 PDT 2011
On 2011-04-23 10:55, Josh Triplett wrote:
> The systemd-nspawn manpage lists the various mechanisms used to isolate
> the container, and then says "Note that even though these security
> precautions are taken systemd-nspawn is not suitable for secure
> container setups. Many of the security features may be circumvented and
> are hence primarily useful to avoid accidental changes to the host
> system from the container."
> How can a process in a systemd-nspawn container circumvent the container
remount /proc and /sys
> setup? What additional steps would systemd-nspawn need to take to
> provide a secure container setup?
> - Josh Triplett