[systemd-devel] systemd-nspawn containers

Michał Zegan webczat_200 at poczta.onet.pl
Fri Nov 11 18:49:02 UTC 2016


Well, you can read user_namespaces(7), the beginning of it at least. It
probably says something about keyrings. So either this info is
incorrect, or I, for example, understand it wrongly, or whatever.
Also, you know, when you say that currently containers have holes and so
are still not really secure, I don't actually see any example of that
except this small number of things you just cannot do there at all (for
example use/access audit or use FUSE/file capabilities), and those like
cgroups that are work in progress at this very moment. Well, file caps
are also work in progress at the moment, I believe; I saw some patches
lately. I don't see such problems probably because I am not a security
expert and I am not working with any kind of servers/containers in
production; this technology is just extremely interesting to me.

On 11.11.2016 at 19:41, Lennart Poettering wrote:
> On Fri, 11.11.16 19:36, Michał Zegan (webczat_200 at poczta.onet.pl) wrote:
> 
>> Why do you turn off keyrings? At least manpages say that userns
>> virtualizes keyrings or something similar...
> 
> That'd be a new feature then...
> 
> Lennart
> 
