[openstack-dev] [containers][nova][cinder] Cinder support in containers and unprivileged container-in-container

James Bottomley James.Bottomley at HansenPartnership.com
Thu Jun 12 22:31:19 UTC 2014


On Thu, 2014-06-12 at 21:57 +0000, Adrian Otto wrote:
> Containers Team,
> 
> The nova-docker developers are currently discussing options for
> implementation for supporting mounting of Cinder volumes in
> containers, and creation of unprivileged containers-in-containers.
> Both of these currently require CAP_SYS_ADMIN[1], which is problematic
> because, if granted within a container, it can lead to an escape from the
> container back into the host.

Why would you mount it from within the container?  CAP_SYS_ADMIN is a
per process property, so you use nsenter to execute the mount in the
required mount namespace with CAP_SYS_ADMIN from outside of the
container (i.e. the host).  I assume this requires changes to cinder so
it executes a mount rather than presenting a mountable device node, but
it's the same type of change we have to do for mounts which have no
node, like bind mounts.

James
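The host-side approach James describes, as an added shell example that is not code from the thread, nova-docker or cinder: the host process keeps CAP_SYS_ADMIN and issues the mount inside the container's mount namespace through nsenter, after checking that the container itself does not hold that capability. The container init PID, device path and target path are assumed inputs, and the paths are assumed to resolve inside the container's mount namespace.

```shell
#!/bin/sh
# Added example, not code from the thread or from nova-docker/cinder.
# Mount a Cinder-attached block device into a container's mount namespace
# from the HOST: CAP_SYS_ADMIN stays with this host process, the container's
# own processes never receive it. Assumes: the container init PID as seen
# from the host, a device path and a target path that both resolve inside
# the container's mount namespace, util-linux nsenter, and root on the host.

CAP_SYS_ADMIN_BIT=21   # bit index of CAP_SYS_ADMIN in the capability masks

# Succeed (exit 0) when a hex capability mask, in the format of the CapEff
# line of /proc/PID/status, has CAP_SYS_ADMIN set.
has_cap_sys_admin() {
    [ $(( 0x$1 >> CAP_SYS_ADMIN_BIT & 1 )) -eq 1 ]
}

# Effective capability mask of a process, read from the host's /proc.
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Usage: mount_into_container <container-init-pid> <device> <target-dir>
mount_into_container() {
    pid=$1; dev=$2; target=$3
    # Refuse if the container already has CAP_SYS_ADMIN: the whole point of
    # mounting from the host is that it does not need to.
    if has_cap_sys_admin "$(cap_eff_of "$pid")"; then
        echo "refusing: PID $pid already runs with CAP_SYS_ADMIN" >&2
        return 1
    fi
    # Enter only the mount namespace (--mount); mount(2) is issued by this
    # host process, so its capabilities, not the container's, are what count.
    nsenter --target "$pid" --mount -- mount "$dev" "$target"
}
```

Because nsenter switches only the mount namespace, the device node must be visible from inside that namespace; a device that exists only in the host's /dev has to be made reachable there first (for example with a bind mount), which is the kind of change to cinder the reply mentions.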
