From: Rik van Riel (riel_at_surriel.com)
Date: Sat 11 Oct 2003 - 01:42:22 BST
On Wed, 8 Oct 2003, Enrico Scholz wrote:
> * CLONE_NEWNS + pivot_root are requiring CAP_SYS_ADMIN (which
> is not acceptably for vservers); using a new capability for
> CLONE_NEWNS seems to be possible, but pivot_root(2) needs
> additional logic. Else, when executed in root-namespace,
> pivot_root(2) can do really bad things with your system.
Why pivot_root(2) instead of mount --recbind ?
-- "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan