[openstack-dev] [containers][nova][cinder] Cinder support in containers and unprivileged container-in-container
Eric Windisch
ewindisch at docker.com
Fri Jun 13 21:30:53 UTC 2014
On Fri, Jun 13, 2014 at 4:09 AM, Daniel P. Berrange <berrange at redhat.com>
wrote:
> On Thu, Jun 12, 2014 at 09:57:41PM +0000, Adrian Otto wrote:
> > Containers Team,
> >
> > The nova-docker developers are currently discussing options for
> > implementation for supporting mounting of Cinder volumes in
> > containers, and creation of unprivileged containers-in-containters.
> > Both of these currently require CAP_SYS_ADMIN[1] which is problematic
> > because if granted within a container, can lead to an escape from the
> > container back into the host.
>
> NB it is fine for a container to have CAP_SYS_ADMIN if user namespaces
> are enabled and the root user remapped.
>
Part of the discussion was in the context of filesystem modules in the
kernel being an exploit vector. Allowing FUSE is an option for safer mounts
(granted it too needs CAP_SYS_ADMIN).
> Also, we should remember that mounting filesystems is not the only use
> case for exposing block devices to containers. Some applications will
> happily use raw block devices directly without needing to format and
> mount any filesystem on them (eg databases).
>
Correct. This is reflected in the etherpad. My approach to this question
was already with the presumption there is value in having access to block
devices without filesystems, but that there would be additional utility
should we have a viable story for mounting filesystems.
--
Regards,
Eric Windisch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140613/6f00b42f/attachment.html>
More information about the OpenStack-dev
mailing list