[openstack-dev] [containers][nova][cinder] Cinder support in containers and unprivileged container-in-container

Daniel P. Berrange berrange at redhat.com
Fri Jun 13 08:09:27 UTC 2014


On Thu, Jun 12, 2014 at 09:57:41PM +0000, Adrian Otto wrote:
> Containers Team,
> 
> The nova-docker developers are currently discussing options for
> implementation for supporting mounting of Cinder volumes in
> containers, and creation of unprivileged containers-in-containers.
> Both of these currently require CAP_SYS_ADMIN[1], which is problematic
> because, if granted within a container, it can lead to an escape from
> the container back into the host.

NB it is fine for a container to have CAP_SYS_ADMIN if user namespaces
are enabled and the root user remapped.

Also, we should remember that mounting filesystems is not the only use
case for exposing block devices to containers. Some applications will
happily use raw block devices directly without needing to format and
mount any filesystem on them (eg databases).

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
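The condition Daniel states (CAP_SYS_ADMIN is acceptable only when root inside the container is remapped to an unprivileged host uid) can be audited from /proc. The following is an added example, not code from this thread or from nova-docker: it parses a process's uid_map and CapEff and classifies whether it holds CAP_SYS_ADMIN as real host root. The sample uid_map and status contents are constructed; the category strings are my own.

```python
import re

# Capability number for CAP_SYS_ADMIN as defined in <linux/capability.h>.
CAP_SYS_ADMIN = 21


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map: one '<inside> <outside> <count>' triple per line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            entries.append(tuple(int(p) for p in parts))
    return entries


def outside_uid_of(entries, inside_uid):
    """Translate a uid seen inside the namespace to the host uid, or None if unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def has_cap(status_text, cap_number):
    """Check one capability bit in the CapEff line of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("CapEff line missing from status text")
    return bool((int(m.group(1), 16) >> cap_number) & 1)


def classify(uid_map_text, status_text):
    """Return a risk label for the CAP_SYS_ADMIN / user-namespace combination."""
    host_root = outside_uid_of(parse_uid_map(uid_map_text), 0) == 0
    if not has_cap(status_text, CAP_SYS_ADMIN):
        return "no CAP_SYS_ADMIN"
    if host_root:
        return "risk: CAP_SYS_ADMIN as unremapped host root"
    return "contained: CAP_SYS_ADMIN with root remapped"


def classify_self():
    """Classify the calling process (Linux only)."""
    with open("/proc/self/uid_map") as f, open("/proc/self/status") as g:
        return classify(f.read(), g.read())


if __name__ == "__main__":
    print(classify_self())
```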
