[openstack-dev] [containers][nova][cinder] Cinder support in containers and unprivileged container-in-container

James Bottomley James.Bottomley at HansenPartnership.com
Fri Jun 13 22:04:05 UTC 2014


On Fri, 2014-06-13 at 09:09 +0100, Daniel P. Berrange wrote:
> On Thu, Jun 12, 2014 at 09:57:41PM +0000, Adrian Otto wrote:
> > Containers Team,
> > 
> > The nova-docker developers are currently discussing options for
> > implementation for supporting mounting of Cinder volumes in
> > containers, and creation of unprivileged containers-in-containters.
> > Both of these currently require CAP_SYS_ADMIN[1] which is problematic
> > because if granted within a container, can lead to an escape from the
> > container back into the host.
> 
> NB it is fine for a container to have CAP_SYS_ADMIN if user namespaces
> are enabled and the root user remapped.

Not if you want a truly secure container, but this is more of a
judgement call as to how secure the container should be.  CAP_SYS_ADMIN
is a nasty sinkhole of miscellaneous privielges which makes it a pretty
dangerous capability for an ordinary user.  You have to be really
careful because there's lots of ways an ordinary user with CAP_SYS_ADMIN
can actually become root.  What we did for OpenVZ was break
CAP_SYS_ADMIN up into more granular capabilities and put guards on the
dangerous ones, but even just mount can be problematic: you have to
forbid suid executables etc and you have to beware of fuzzing the
filesystem.

James

> Also, we should remember that mounting filesystems is not the only use
> case for exposing block devices to containers. Some applications will
> happily use raw block devices directly without needing to format and
> mount any filesystem on them (eg databases).
> 
> Regards,
> Daniel






More information about the OpenStack-dev mailing list