Open pwFoo opened 5 years ago
@p8952 @frohoff @tst2005 At the moment I have no host to test it...
Is it possible to manipulate the host from inside of a bocker container or is there isolation (by cgroup?! haven't used it before...)
Simple unshare with chroot and proc mounted isn't isolated.
```sh
cgcreate -g "$cgroups:/$uuid"
: "${BOCKER_CPU_SHARE:=512}" && cgset -r cpu.shares="$BOCKER_CPU_SHARE" "$uuid"
: "${BOCKER_MEM_LIMIT:=512}" && cgset -r memory.limit_in_bytes="$((BOCKER_MEM_LIMIT * 1000000))" "$uuid"
cgexec -g "$cgroups:$uuid" \
    ip netns exec netns_"$uuid" \
    unshare -fmuip --mount-proc \
    chroot "$btrfs_path/$uuid" \
    /bin/sh -c "/bin/mount -t proc proc /proc && $cmd" \
    2>&1 | tee "$btrfs_path/$uuid/$uuid.log" || true
ip link del dev veth0_"$uuid"
ip netns del netns_"$uuid"
```
If not, this executed inside of a container will reboot the host:
```sh
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
```
> by cgroup?! haven't used it before...
cgroups are what LXC uses (and if I understand correctly, Docker too, in default configuration) to provide isolation, so it's the matter of how exactly Bocker uses them I guess.
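As an added check, not bocker's code and not from any post in this thread: cgroups only meter CPU and memory, so what decides whether the sysrq write above reaches the host is that bocker's `unshare -fmuip` creates no user namespace (root inside is host root) and that `--mount-proc` leaves `/proc/sysrq-trigger` writable; Docker's default configuration bind-mounts `/proc/sys` and `/proc/sysrq-trigger` read-only. The script reads the real `/proc/self/mountinfo` and `/proc/self/uid_map` when run with `--audit`; the mount tables and uid_map lines used in the test are constructed samples.

```shell
#!/bin/sh
# Added audit script (not part of bocker). Run it inside a container to see
# whether the two conditions the sysrq reboot relies on still hold:
#   1. uid 0 in the container is host uid 0 (no user namespace)
#   2. /proc/sysrq-trigger is not covered by a read-only mount

# proc_path_readonly MOUNTINFO_TEXT PATH
# Succeeds if the longest mount covering PATH carries the "ro" option.
proc_path_readonly() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $5; opts = $6   # mountinfo: field 5 = mount point, field 6 = options
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best_opts = opts }
            }
        }
        END {
            n = split(best_opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "ro") exit 0
            exit 1
        }'
}

# root_is_host_root UIDMAP_TEXT
# Succeeds if inside-uid 0 maps to outside-uid 0 (what `unshare -fmuip` gives).
root_is_host_root() {
    printf '%s\n' "$1" | awk '$1 == 0 && $2 == 0 { found = 1 } END { exit !found }'
}

# sysrq_reachable MOUNTINFO_TEXT UIDMAP_TEXT
# Succeeds when container root could write /proc/sysrq-trigger on the host.
sysrq_reachable() {
    root_is_host_root "$2" || return 1
    ! proc_path_readonly "$1" /proc/sysrq-trigger
}

# Audit the calling process using the real proc files.
audit_self() {
    if sysrq_reachable "$(cat /proc/self/mountinfo)" "$(cat /proc/self/uid_map)"; then
        echo "FAIL: host root inside container and /proc/sysrq-trigger writable"
        return 1
    fi
    echo "OK: user namespace in use or /proc/sysrq-trigger mounted read-only"
}

if [ "${1:-}" = "--audit" ]; then audit_self; fi
```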