On Thu, Jun 12, 2014 at 09:57:41PM +0000, Adrian Otto wrote:
> Containers Team,
>
> The nova-docker developers are currently discussing options for
> implementation for supporting mounting of Cinder volumes in
> containers, and creation of unprivileged containers-in-containers.
> Both of these currently require CAP_SYS_ADMIN[1] which is problematic
> because, if granted within a container, it can lead to an escape from the
> container back into the host.

NB it is fine for a container to have CAP_SYS_ADMIN if user namespaces
are enabled and the root user remapped.

Also, we should remember that mounting filesystems is not the only use
case for exposing block devices to containers. Some applications will
happily use raw block devices directly without needing to format and
mount any filesystem on them (eg databases).

Regards,
Daniel
--
|: http://berrange.com      -o-      http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
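The rule Daniel states (CAP_SYS_ADMIN is tolerable only when the container lives in a user namespace with root remapped) can be checked from the kernel's own bookkeeping in /proc. The script below is an added example, not code from this thread, nova-docker or libvirt. It decodes the CapEff bitmask from /proc/<pid>/status (CAP_SYS_ADMIN is bit 21 in linux/capability.h) and parses /proc/<pid>/uid_map, whose lines read "inside-id outside-id length"; the initial user namespace always shows the single entry "0 0 4294967295". The status and uid_map texts used at the bottom are constructed samples so the script runs offline; the function names are my own.

```python
"""Check whether a process's CAP_SYS_ADMIN is scoped by a user namespace.

Added example. Inputs are the text of /proc/<pid>/status and
/proc/<pid>/uid_map; the samples at the bottom are constructed.
"""

CAP_SYS_ADMIN = 21          # bit number from linux/capability.h
INITIAL_NS_MAP = (0, 0, 4294967295)   # what uid_map shows in the initial user ns


def effective_caps(status_text):
    """Return the CapEff mask (hex in /proc/<pid>/status) as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(status_text, cap):
    """True if capability number `cap` is in the effective set."""
    return bool((effective_caps(status_text) >> cap) & 1)


def parse_uid_map(uid_map_text):
    """Parse uid_map lines into (inside_id, outside_id, length) tuples."""
    entries = []
    for line in uid_map_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue            # blank or malformed line
        entries.append(tuple(int(p) for p in parts))
    return entries


def in_initial_user_ns(uid_map_text):
    """True if the mapping is the identity map of the initial namespace."""
    return parse_uid_map(uid_map_text) == [INITIAL_NS_MAP]


def root_maps_to_host_root(uid_map_text):
    """True if uid 0 inside the namespace is uid 0 on the host.

    Each entry maps [inside, inside+length) onto [outside, outside+length).
    If no entry covers inside uid 0, there is no real root inside at all,
    which we treat as 'not host root'.
    """
    for inside, outside, length in parse_uid_map(uid_map_text):
        if inside <= 0 < inside + length:
            return outside + (0 - inside) == 0
    return False


def cap_sys_admin_is_acceptable(status_text, uid_map_text):
    """Apply the rule: SYS_ADMIN is fine only inside a user ns with root remapped."""
    if not has_cap(status_text, CAP_SYS_ADMIN):
        return True         # nothing to worry about
    if in_initial_user_ns(uid_map_text):
        return False        # host-wide CAP_SYS_ADMIN: container escape risk
    return not root_maps_to_host_root(uid_map_text)


# --- constructed samples (not captured from a real system) -----------------
# Full capability set, as a privileged container would show.
STATUS_FULL = "Name:\tbash\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
# A reduced set with bit 21 clear (0xa80425fb has bits 20-23 all zero).
STATUS_REDUCED = "Name:\tbash\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
UID_MAP_INITIAL = "         0          0 4294967295\n"
UID_MAP_REMAPPED = "         0     100000      65536\n"

if __name__ == "__main__":
    for label, status, uid_map in [
        ("privileged, initial ns", STATUS_FULL, UID_MAP_INITIAL),
        ("privileged, remapped root", STATUS_FULL, UID_MAP_REMAPPED),
        ("no SYS_ADMIN, initial ns", STATUS_REDUCED, UID_MAP_INITIAL),
    ]:
        print(f"{label}: acceptable={cap_sys_admin_is_acceptable(status, uid_map)}")
    # Inspect the running process itself when on Linux.
    try:
        with open("/proc/self/status") as f, open("/proc/self/uid_map") as g:
            print("self:", cap_sys_admin_is_acceptable(f.read(), g.read()))
    except OSError:
        pass
```

This is a /proc-based heuristic for the one rule in the mail; it says nothing about the mount, net or pid namespaces, seccomp, or the device cgroup, all of which also bear on whether a block device or mount grant is safe.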