Bug 591372
Summary: | [LXC] restart network on guest make the /etc/resolv.conf has been changed on host. | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | dyuan |
Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 6.0 | CC: | berrange, borgan, hbrock, llim, tyan, xen-maint, yoyzhang |
Target Milestone: | rc | Keywords: | TestBlocker |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2010-06-30 13:05:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 599016, 609429 | | |
Description
dyuan
2010-05-12 03:43:58 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
> <devices>
>   <emulator>/usr/libexec/libvirt_lxc</emulator>
>   <interface type='network'>
>     <mac address='52:54:00:ca:84:12'/>
>     <source network='default'/>
>     <target dev='veth0'/>
>   </interface>
>   <console type='pty' tty='/dev/pts/2'>
>     <source path='/dev/pts/2'/>
>     <target port='0'/>
>   </console>
> </devices>
There is no <filesystem> device configured in this guest, thus the container will inherit full access to the host filesystem. Thus any changes you make to /etc/resolv.conf in the container will obviously impact the host OS. This is essentially an 'application workload isolation' configuration, and not a 'virtual operating system container' configuration. You can't expect to run arbitrary apps in such a config and not have them impact the host, since the configuration isn't providing any security. If you want the container to be isolated, then you need to configure a custom filesystem for it.
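The closing comment's point can be checked mechanically. The following is an added example, not part of the bug report and not libvirt code: it audits an LXC domain definition for a private root `<filesystem>`. The `<domain type='lxc'>` wrapper, the function name and the path `/var/lib/lxc/demo/rootfs` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <devices> block quoted in the bug, with only a
# <domain type='lxc'> wrapper added so it parses as one document.
SHARED_ROOT = """
<domain type='lxc'>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='52:54:00:ca:84:12'/>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target port='0'/>
    </console>
  </devices>
</domain>
"""

# Same guest with its own root; the source directory is a hypothetical path.
PRIVATE_ROOT = SHARED_ROOT.replace(
    "<devices>",
    "<devices>\n    <filesystem type='mount'>"
    "<source dir='/var/lib/lxc/demo/rootfs'/><target dir='/'/></filesystem>",
)


def root_filesystem_findings(domain_xml):
    """Return findings about how an LXC guest's root filesystem is set up."""
    dom = ET.fromstring(domain_xml)
    if dom.get("type") != "lxc":
        return []  # the check only applies to LXC domains
    # A <filesystem> whose <target dir='/'> gives the container its own root.
    roots = [fs for fs in dom.findall("./devices/filesystem")
             if fs.find("target") is not None
             and fs.find("target").get("dir") == "/"]
    if not roots:
        return ["no <filesystem> targets '/': container inherits the host filesystem"]
    findings = []
    for fs in roots:
        src = fs.find("source")
        # Passing the host's own '/' through is equivalent to having no root.
        if src is not None and src.get("dir") == "/":
            findings.append("root <filesystem> source is host '/': host filesystem is shared")
    return findings
```

Run against the output of `virsh dumpxml` for each LXC guest, a non-empty result marks a guest whose writes to files such as /etc/resolv.conf land on the host.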