[systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?

microcai microcai at fedoraproject.org
Fri Apr 22 20:28:58 PDT 2011


On 2011-04-23 10:55, Josh Triplett wrote:
> The systemd-nspawn manpage lists the various mechanisms used to isolate
> the container, and then says "Note that even though these security
> precautions are taken systemd-nspawn is not suitable for secure
> container setups. Many of the security features may be circumvented and
> are hence primarily useful to avoid accidental changes to the host
> system from the container."
> 
> How can a process in a systemd-nspawn container circumvent the container

remount /proc and /sys

> setup?  What additional steps would systemd-nspawn need to take to
> provide a secure container setup?
> 
> - Josh Triplett


