> I’m reasonably sure that nobody wants to intentionally relax compute host
> security in order to add this new functionality. Let’s find the right short
> term and long term approaches

From our discussions, one approach that seemed popular for long-term support was to find a way to gracefully allow mounting inside of the containers by somehow trapping the syscall. It was presumed we would have to make some change(s) to the kernel for this.

It turns out we can already do this using the kernel's seccomp feature. Using seccomp, we should be able to trap the mount calls and handle them in userspace.

References:
* http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/prctl/seccomp_filter.txt?id=HEAD
* http://chdir.org/~nico/seccomp-nurse/

-- 
Regards,
Eric Windisch
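The mechanism the message points at, as an added example that is not part of the original thread and not nova-docker or OpenStack code: a seccomp-bpf filter that returns SECCOMP_RET_TRAP for mount(2), plus a SIGSYS handler that reads the trapped call's arguments from the saved registers, applies a policy, and writes the return value the caller sees. The policy here (accept only bind mounts whose target starts with the hypothetical prefix /mnt/container/) and the sample source and target paths are assumptions made for the example. The caveat a practitioner wants: with SECCOMP_RET_TRAP the handler runs in the same process as the filter, so it can decide and emulate but cannot itself perform the privileged mount (its own mount() would be trapped too); a real design hands accepted requests to a privileged helper outside the filter, which is also the model the seccomp-nurse link describes with a trusted thread. Kernels from 5.0 add SECCOMP_RET_USER_NOTIF for exactly that supervisor role, but the code below uses only what 2014-era kernels offered. It is Linux-only, maps registers for x86_64 and aarch64, and installs the filter on the calling thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1                 /* si_code of a seccomp-generated SIGSYS */
#endif
/* Hypothetical policy for this example only: accept bind mounts whose target
 * lies under this prefix, refuse everything else. Not from the thread. */
#define ALLOWED_TARGET_PREFIX "/mnt/container/"

#if defined(__x86_64__)
#  define EXPECTED_ARCH AUDIT_ARCH_X86_64
#  ifndef REG_RAX   /* glibc names these only under _GNU_SOURCE; indices are fixed */
#    define REG_R8 0
#    define REG_R10 2
#    define REG_RDI 8
#    define REG_RSI 9
#    define REG_RDX 12
#    define REG_RAX 13
#  endif
static unsigned long sc_arg(ucontext_t *uc, int i) {   /* i-th syscall argument */
    static const int idx[] = { REG_RDI, REG_RSI, REG_RDX, REG_R10, REG_R8 };
    return (unsigned long)uc->uc_mcontext.gregs[idx[i]];
}
static void sc_set_ret(ucontext_t *uc, long v) { uc->uc_mcontext.gregs[REG_RAX] = v; }
#elif defined(__aarch64__)
#  define EXPECTED_ARCH AUDIT_ARCH_AARCH64
static unsigned long sc_arg(ucontext_t *uc, int i) { return uc->uc_mcontext.regs[i]; }
static void sc_set_ret(ucontext_t *uc, long v) { uc->uc_mcontext.regs[0] = (unsigned long)v; }
#else
#  error "this example maps syscall registers for x86_64 and aarch64 only"
#endif

struct mount_request {
    char source[64], target[64], fstype[32];
    unsigned long flags;
    long result;                      /* 0 = accepted, -EPERM = refused */
};
static struct mount_request last;
static volatile sig_atomic_t n_trapped, n_accepted;

/* Async-signal-safe string helpers: the handler makes no libc calls. */
static void copy_str(char *dst, size_t n, const char *src) {
    size_t i = 0;
    if (src) for (; i + 1 < n && src[i]; i++) dst[i] = src[i];
    dst[i] = '\0';
}
static int has_prefix(const char *s, const char *p) {
    for (; *p; s++, p++) if (*s != *p) return 0;
    return 1;
}

/* Userspace side of the trap: the kernel has already refused to run the
 * syscall. Read its arguments from the saved registers, decide, and write
 * the return value the interrupted mount() wrapper will pick up. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig;
    if (si->si_code != SYS_SECCOMP || si->si_syscall != __NR_mount)
        _exit(128 + SIGSYS);          /* not a mount trap: refuse to guess */
    copy_str(last.source, sizeof last.source, (const char *)sc_arg(uc, 0));
    copy_str(last.target, sizeof last.target, (const char *)sc_arg(uc, 1));
    copy_str(last.fstype, sizeof last.fstype, (const char *)sc_arg(uc, 2));
    last.flags = sc_arg(uc, 3);
    n_trapped++;
    if ((last.flags & MS_BIND) && has_prefix(last.target, ALLOWED_TARGET_PREFIX)) {
        /* A real design would hand the request to a privileged helper that is
         * not under this filter; this example only records the decision. */
        n_accepted++;
        last.result = 0;
    } else {
        last.result = -EPERM;
    }
    sc_set_ret(uc, last.result);      /* libc maps -EPERM to -1 with errno=EPERM */
}

/* Classic BPF: kill on a foreign ABI, trap mount(2), allow everything else. */
int install_mount_trap(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof filter / sizeof filter[0], filter };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigsys;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSYS, &sa, NULL) < 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;  /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int trapped_count(void) { return n_trapped; }
int accepted_count(void) { return n_accepted; }
const struct mount_request *last_mount_request(void) { return &last; }

int main(void) {
    if (install_mount_trap() < 0) { perror("seccomp"); return 1; }
    int ok = mount("/srv/data", "/mnt/container/data", NULL, MS_BIND, NULL);
    int denied = mount("tmpfs", "/mnt/container/scratch", "tmpfs", 0, NULL);
    printf("bind under prefix -> %d; tmpfs -> %d (%s); trapped=%d accepted=%d\n",
           ok, denied, strerror(errno), trapped_count(), accepted_count());
    return 0;
}
```

Two design points worth noting. The filter checks seccomp_data.arch before the syscall number, because on x86_64 a 32-bit or x32 caller reaches the same filter with a different numbering and `__NR_mount` would then match an unrelated call. And the handler refuses (`_exit`) any SIGSYS it did not ask for rather than writing a return value for a call it does not understand; silently "succeeding" there would be the kind of quiet relaxation the quoted message warns against.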