[openstack-dev] [containers][nova][cinder] Cinder support in containers and unprivileged container-in-container

Eric Windisch ewindisch at docker.com
Wed Jun 25 13:06:50 UTC 2014


> I’m reasonably sure that nobody wants to intentionally relax compute host
> security in order to add this new functionality. Let’s find the right short
> term and long term approaches

From our discussions, one approach that seemed popular for long-term
support was to find a way to gracefully allow mounting inside of the
containers by somehow trapping the syscall. It was presumed we would have
to make some change(s) to the kernel for this.

It turns out we can already do this using the kernel's seccomp feature.
Using seccomp, we should be able to trap the mount calls and handle them in
userspace.

References:
* http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/prctl/seccomp_filter.txt?id=HEAD
* http://chdir.org/~nico/seccomp-nurse/

-- 
Regards,
Eric Windisch