mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-03-07 17:28:15 +00:00
Update docs about user namespace for LXC
Mention that user namespace can be enabled using the UID/GID mapping schema. Fix typo in link anchor for container args in domain XML docs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
parent f0b6d8d472
commit 420ebcfe01
@ -40,15 +40,11 @@ primary "host" OS environment, the libvirt LXC driver requires that
|
|||||||
certain kernel namespaces are compiled in. Libvirt currently requires
|
certain kernel namespaces are compiled in. Libvirt currently requires
|
||||||
the 'mount', 'ipc', 'pid', and 'uts' namespaces to be available. If
|
the 'mount', 'ipc', 'pid', and 'uts' namespaces to be available. If
|
||||||
separate network interfaces are desired, then the 'net' namespace is
|
separate network interfaces are desired, then the 'net' namespace is
|
||||||
required. In the near future, the 'user' namespace will optionally be
|
required. If the guest configuration declares a
|
||||||
supported.
|
<a href="formatdomain.html#elementsOSContainer">UID or GID mapping</a>,
|
||||||
</p>
|
the 'user' namespace will be enabled to apply these. <strong>A suitably
|
||||||
|
configured UID/GID mapping is a pre-requisite to making containers
|
||||||
<p>
|
secure, in the absence of sVirt confinement.</strong>
|
||||||
<strong>NOTE: In the absence of support for the 'user' namespace,
|
|
||||||
processes inside containers cannot be securely isolated from host
|
|
||||||
process without the use of a mandatory access control technology
|
|
||||||
such as SELinux or AppArmor.</strong>
|
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<h2><a name="init">Default container setup</a></h2>
|
<h2><a name="init">Default container setup</a></h2>
|
||||||
|
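Review bot: "pre-requisite" in the new bold sentence should be "prerequisite", and since this paragraph is being rewritten anyway, the unchanged context line "isolated from host process" should read "host processes". The new sentence "A suitably configured UID/GID mapping is a pre-requisite to making containers secure, in the absence of sVirt confinement" leaves "suitably configured" undefined; consider one sentence on what makes a mapping suitable, or state explicitly that the linked container boot section describes it. Note also that the href "formatdomain.html#elementsOSContainer" only resolves once the anchor typo is fixed in the second hunk, so the two hunks must land together.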
@ -263,7 +263,7 @@
|
|||||||
<span class="since">Since 1.0.4</span></dd>
|
<span class="since">Since 1.0.4</span></dd>
|
||||||
</dl>
|
</dl>
|
||||||
|
|
||||||
<h4><a name="eleemntsOSContainer">Container boot</a></h4>
|
<h4><a name="elementsOSContainer">Container boot</a></h4>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
When booting a domain using container based virtualization, instead
|
When booting a domain using container based virtualization, instead
|
||||||
|
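Review bot: the rename from "eleemntsOSContainer" to "elementsOSContainer" is correct and matches the href introduced in the first hunk. Before merging, grep the rest of the docs for the old misspelled anchor: a browser does not error on a missing fragment, so any remaining link to "#eleemntsOSContainer" would silently stop scrolling to this section rather than fail visibly.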