pct: move "security considerations" below CT settings

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/pct.adoc b/pct.adoc
index 9bedab7754edeae4484483745c784d256fc7705f..2502bcbedbb5e5bcf7725142cee2e857d5c60aba 100644 (file)
--- a/pct.adoc
+++ b/pct.adoc
@@ -86,26 +86,6 @@ Technology Overview
 * Container setup from host (network, DNS, storage, etc.)
 
 
-Security Considerations
------------------------
-
-Containers use the kernel of the host system. This creates a big attack surface
-for malicious users. This should be considered if containers are provided to
-untrustworthy people. In general, full virtual machines provide better
-isolation.
-
-However, LXC uses many security features like AppArmor, CGroups and kernel
-namespaces to reduce the attack surface.
-
-AppArmor profiles are used to restrict access to possibly dangerous actions.
-Some system calls, i.e. `mount`, are prohibited from execution.
-
-To trace AppArmor activity, use:
-
-----
-# dmesg | grep apparmor
-----
-
 [[pct_container_images]]
 Container Images
 ----------------
@@ -576,6 +556,26 @@ It will be called during various phases of the guests lifetime.  For an example
 and documentation see the example script under
 `/usr/share/pve-docs/examples/guest-example-hookscript.pl`.
 
+Security Considerations
+-----------------------
+
+Containers use the kernel of the host system. This exposes an attack surface
+for malicious users. In general, full virtual machines provide better
+isolation. This should be considered if containers are provided to unkown or
+untrusted people.
+
+To reduce the attack surface, LXC uses many security features like AppArmor,
+CGroups and kernel namespaces.
+
+AppArmor profiles are used to restrict access to possibly dangerous actions.
+Some system calls, i.e. `mount`, are prohibited from execution.
+
+To trace AppArmor activity, use:
+
+----
+# dmesg | grep apparmor
+----
+
 Guest Operating System Configuration
 ------------------------------------