From: Jon Bendtsen (jon707_at_kollegiegaarden.dk)
Date: Sun 07 Dec 2003 - 14:16:45 GMT
On Sunday 07 December 2003 15:01, Dariush Pietrzak wrote:
> > For the people that forget to remove the dev entries.
> That's not really wise; what about those who want to use block devices?
They can set CAP_SYS_BLOCK_ACCESS
> > Also, for this option:
> > a bootable vserver cdrom, that starts your regular linux
> > partition inside a vserver.
> wouldn't that need access to your block devices?
*sigh* not the vserver. The root server would, and I don't want to
restrict that. The idea is just that the cdrom contains a script that
checks the hard disk for partitions, finds "/", mounts it, checks
"/etc" for the hostname and network setup, and then starts a vserver
with the previously found "/" as the root of that vserver, and gives
it the needed network setup. For this, the vserver does not need
block access, and yet it would have all the /dev entries.
> > > >> That's why you could have a CAP_BLOCK_ACCESS
> > >
> > > Hmm, that would actually be nice. Is there already such CAP?
> > I don't know.
> If there would be, it would be great - change the default to
> remove such CAP and then you're happy - you can't access your block
> devices by accident, and you're happy - you can start your regular
> linux inside a vserver.
Correct, but I don't think there is such a capability :(
Vserver mailing list
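The boot-CD script sketched in the post above, written out as an added example (not code from the thread or the vserver project): the host finds "/", reads the guest's hostname and address from its /etc, and would start the guest without any block-device capability since the host already did the mounting. The candidate mount points, the sample tree, and the `vserver-start` command line with its `--drop-cap` flag are assumptions; the launcher is only echoed, never executed.

```shell
# Added example, not code from the thread: the host-side boot-CD script in
# outline. Candidate mount points are passed in instead of scanning real
# partitions, and the vserver command line is an assumed placeholder.

# Does the tree at $1 look like a bootable root filesystem?
looks_like_root() {
    [ -d "$1/etc" ] && [ -x "$1/sbin/init" ]
}

# First candidate in the argument list that looks like "/" (empty if none).
find_root() {
    for m in "$@"; do
        if looks_like_root "$m"; then echo "$m"; return 0; fi
    done
    echo ""; return 1
}

# Hostname the guest would use: first non-empty line of /etc/hostname.
guest_hostname() {
    sed -n '/./{p;q;}' "$1/etc/hostname" 2>/dev/null
}

# First static IPv4 address in a Debian-style /etc/network/interfaces.
guest_address() {
    awk '$1 == "address" { print $2; exit }' "$1/etc/network/interfaces" 2>/dev/null
}

# Constructed sample root tree standing in for the mounted hard-disk "/".
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/network" "$d/sbin"
    printf 'guest01\n' > "$d/etc/hostname"
    printf 'iface eth0 inet static\n    address 192.0.2.10\n' > "$d/etc/network/interfaces"
    printf '#!/bin/sh\n' > "$d/sbin/init" && chmod +x "$d/sbin/init"
    echo "$d"
}

# Assumed launcher (placeholder name and flags): the guest gets the found "/"
# and its network settings but no block-device capability, because the host
# did the mounting and the guest only needs the /dev entries, not the devices.
start_command() {
    printf 'vserver-start --root %s --hostname %s --ip %s --drop-cap BLOCK_ACCESS\n' \
        "$1" "$(guest_hostname "$1")" "$(guest_address "$1")"
}

root=$(find_root /nonexistent "$(make_sample_root)") && start_command "$root"
```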