[openstack-dev] [containers][nova][cinder] Cinder support in containers and unprivileged container-in-container

Adrian Otto adrian.otto at rackspace.com
Thu Jun 12 21:57:41 UTC 2014


Containers Team,

The nova-docker developers are currently discussing options for implementation for supporting mounting of Cinder volumes in containers, and creation of unprivileged containers-in-containers. Both of these currently require CAP_SYS_ADMIN[1], which is problematic because, if granted within a container, it can lead to an escape from the container back into the host.

There are multiple options[2] for addressing this, each with some pro/con identified for your consideration. Please discuss the options with us.

https://etherpad.openstack.org/p/container-block-storage

Please add additional options, and your commentary to the etherpad. Please debate any controversial topics on this ML thread so we can gauge where we may have consensus, and where we do not. I plan to review this at the Containers Team Meeting[3] on Tuesday at 2200 UTC, so please make your feedback before then, if possible.

I’m reasonably sure that nobody wants to intentionally relax compute host security in order to add this new functionality. Let’s find the right short term and long term approaches.

Thanks,

Adrian

References:
[1] http://linux.die.net/man/7/capabilities
[2] https://etherpad.openstack.org/p/container-block-storage
[3] https://wiki.openstack.org/wiki/Meetings/Containers
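As an added illustration of the capability concern raised in this message (editor's example, not code from the thread or from nova-docker): a Python check that parses the Cap* masks from /proc/<pid>/status and reports in which capability sets CAP_SYS_ADMIN (capability number 21 in capabilities(7)) is present. The two status samples are constructed; the bounding set (CapBnd) is reported alongside the effective set because anything left in it can be re-acquired by a setuid or file-capability binary.

```python
"""Audit a process's capability sets for CAP_SYS_ADMIN (added example)."""
import re

CAP_SYS_ADMIN = 21  # capability number from capabilities(7)

# /proc/<pid>/status fields carrying a 64-bit capability mask in hex.
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_cap_masks(status_text: str) -> dict:
    """Return {field: int mask} for each Cap* line found in the status text."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def sys_admin_exposure(status_text: str) -> dict:
    """Per capability set, whether CAP_SYS_ADMIN is present.

    CapEff is what the process can use now; CapBnd matters because a
    setuid-root or file-capability binary can regain anything still in
    the bounding set, so a clean CapEff alone is not enough.
    """
    masks = parse_cap_masks(status_text)
    return {f: has_cap(masks[f], CAP_SYS_ADMIN) for f in CAP_FIELDS if f in masks}


def read_status(pid="self") -> str:
    """Read the live status file; used for a real audit instead of the samples."""
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()


# Constructed samples: a container with a typical reduced default set,
# and one started with a full capability set (all 38 bits, 0..37).
DEFAULT_CONTAINER = "Name:\tsh\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n" \
                    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
PRIVILEGED_CONTAINER = "Name:\tsh\nCapInh:\t0000003fffffffff\nCapPrm:\t0000003fffffffff\n" \
                       "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER), ("privileged", PRIVILEGED_CONTAINER)):
        print(label, sys_admin_exposure(text))
```

Run inside a container with `sys_admin_exposure(read_status())` to see which sets would carry CAP_SYS_ADMIN if one of the etherpad options granted it.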
