Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Jun 2011 23:53:43 +0400
From: Vasiliy Kulikov <>
Subject: Re: procfs mount options


On Sun, Jun 05, 2011 at 23:40 +0400, Solar Designer wrote:
> Since recent versions of OpenVZ build upon the namespaces code that has
> been upstream'ed, I guess this will rely on upstream's namespaces code
> (once we move to RHEL6'ish OpenVZ kernels and beyond), correct?

Namespaces - yes.  But AFAIK, only a pair of sysctls is accessible in
containers, IIRC, only net sysctls.

> Now, leaving sysctl's aside and speaking of mount options only for now,
> what happens when a container mounts /proc with umask=007, but then
> another container mounts /proc without that option or with umask=0?
> Does the first container retain its restricted perms, including for
> newly appearing entries under its /proc?  If so, where is this different
> setting stored?  Is it per mount (preferable)?  Is it per pid namespace
> (OK)?

It is per-pid_namespace, it should be fully consistent with OpenVZ.



Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.