Host isolation tested? #29

@pwFoo

@p8952 @frohoff @tst2005
At the moment I have no host to test it on...

Is it possible to manipulate the host from inside a bocker container, or is there isolation (by cgroup?! I haven't used it before...)?

A simple unshare with chroot and proc mounted isn't isolated.

    cgcreate -g "$cgroups:/$uuid"
    : "${BOCKER_CPU_SHARE:=512}" && cgset -r cpu.shares="$BOCKER_CPU_SHARE" "$uuid"
    : "${BOCKER_MEM_LIMIT:=512}" && cgset -r memory.limit_in_bytes="$((BOCKER_MEM_LIMIT * 1000000))" "$uuid"
    cgexec -g "$cgroups:$uuid" \
        ip netns exec netns_"$uuid" \
        unshare -fmuip --mount-proc \
        chroot "$btrfs_path/$uuid" \
        /bin/sh -c "/bin/mount -t proc proc /proc && $cmd" \
        2>&1 | tee "$btrfs_path/$uuid/$uuid.log" || true
    ip link del dev veth0_"$uuid"
    ip netns del netns_"$uuid"

If not, this executed inside a container will reboot the host.

    echo 1 > /proc/sys/kernel/sysrq
    echo b > /proc/sysrq-trigger
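A defender-side check added here (it is neither bocker's code nor from the issue author): it decodes a process's CapEff mask from /proc/<pid>/status and reports which capabilities from a short watch-list, including the CAP_SYS_BOOT that a sysrq write like the one above depends on, are still present after the unshare/chroot launch. The capability bit numbers are assumed from linux/capability.h, and the two sample masks are constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the bocker project: audit an effective capability
# set and list the capabilities that let an in-container root touch /proc/sys
# and the sysrq trigger. Bit numbers follow linux/capability.h (assumption).

# cap_has MASK BIT: succeed when capability BIT is set in the hex MASK
# (the value printed after "CapEff:" in /proc/<pid>/status).
cap_has() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# cap_eff_of [PID]: read the CapEff mask of a live process (default: self).
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# risky_caps MASK: print, space separated, the watch-listed capabilities that
# are still present in MASK. Empty output means every one of them is dropped.
risky_caps() {
    mask=$1
    found=""
    for entry in "21:CAP_SYS_ADMIN" "22:CAP_SYS_BOOT" "12:CAP_NET_ADMIN" \
                 "8:CAP_SETPCAP" "19:CAP_SYS_PTRACE"; do
        bit=${entry%%:*}
        name=${entry#*:}
        if cap_has "$mask" "$bit"; then
            found="$found${found:+ }$name"
        fi
    done
    printf '%s\n' "$found"
}

# Constructed sample masks: bits 0-37 all set (what an unrestricted root
# process shows on a kernel with 38 capabilities), and the same mask with
# CAP_SYS_BOOT (bit 22) cleared, as a hardened launch would leave it.
FULL_ROOT_MASK=0000003fffffffff
NO_SYS_BOOT_MASK=0000003fffbfffff

main() {
    echo "full root set keeps:        $(risky_caps "$FULL_ROOT_MASK")"
    echo "CAP_SYS_BOOT cleared keeps: $(risky_caps "$NO_SYS_BOOT_MASK")"
    # Live check of the shell running this script, when /proc is available.
    if [ -r /proc/self/status ]; then
        echo "this shell keeps:           $(risky_caps "$(cap_eff_of)")"
    fi
}

main "$@"
```

Run it from inside the container's /bin/sh to see what the launch left behind; an empty "keeps" list is the state a hardened container runtime aims for.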
