[openstack-dev] [nova][cinder][neutron][security] Rootwrap on root-intensive nodes

Daniel P. Berrange berrange at redhat.com
Wed Feb 4 17:24:20 UTC 2015


On Wed, Feb 04, 2015 at 09:10:06AM -0800, James E. Blair wrote:
> Thierry Carrez <thierry at openstack.org> writes:
> 
> > You make a good point when you mention "traditional distro" here. I
> > would argue that containers are slightly changing the rules of the
> > don't-run-as-root game.
> >
> > Solution (2) aligns pretty well with container-powered OpenStack
> > deployments -- running compute nodes as root in a container (and
> > embracing abovementioned simplicity/performance gains) sounds like a
> > pretty strong combo.
> 
> This sounds at least a little like a suggestion that containers are a
> substitute for the security provided by running non-root.  The security
> landscape around containers is complex, and while there are a lot of
> benefits, I believe the general consensus is that uid 0 processes should
> not be seen as fully isolated.
> 
> From https://docs.docker.com/articles/security/ :
> 
>   Docker containers are, by default, quite secure; especially if you
>   take care of running your processes inside the containers as
>   non-privileged users (i.e., non-root).
> 
> Which is not to say that using containers is not a good idea, but
> rather, if one does, one should avoid running as root (perhaps with
> capabilities), and use selinux (or similar).

Yep, I've seen attempts by some folks to run nova-compute and libvirtd
and QEMU inside a docker container. Because of the inherently privileged
nature of what Nova/libvirt/qemu need to do, you end up having to share
all the host namespaces with the docker container, except for the filesystem
namespace and even that you need to bind mount a bunch of stuff over. As
a result the container isn't really offering any security benefit over
running the things outside the container. IOW the use of containers to
confine nova is only solving a manageability problem rather than a security
problem.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
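One way to check the namespace-sharing situation described in this message on a running deployment is the small audit script below. It is an added example, not code from the thread or from Nova, libvirt or Docker; it assumes it runs on the host as root and is given the container process's host-side PID, and it compares that process's namespace links under /proc with those of the host's PID 1.

```python
import os
import sys
from typing import Dict, Iterable

# Namespace kinds exposed as symlinks under /proc/<pid>/ns. Kernels of the
# era of this thread lack "cgroup"; kinds that do not exist are skipped.
NS_KINDS = ("mnt", "net", "pid", "ipc", "uts", "user", "cgroup")

def read_ns_links(pid: int, kinds: Iterable[str] = NS_KINDS) -> Dict[str, str]:
    """Return {kind: "net:[4026531957]"} for each namespace link of <pid>.
    The link target encodes the namespace inode: two processes are in the
    same namespace of a kind exactly when their targets are equal."""
    links = {}
    for kind in kinds:
        try:
            links[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            continue  # kind unsupported by this kernel, or no permission
    return links

def shared_namespaces(host: Dict[str, str], cont: Dict[str, str]) -> Dict[str, bool]:
    """True: the container process sits in the host's namespace of that kind,
    so the container isolates nothing for it."""
    return {k: host[k] == cont[k] for k in host if k in cont}

def only_mount_is_private(host: Dict[str, str], cont: Dict[str, str]) -> bool:
    """The case the message describes: everything shared except the mount
    (filesystem) namespace."""
    shared = shared_namespaces(host, cont)
    others = [v for k, v in shared.items() if k != "mnt"]
    return shared.get("mnt") is False and bool(others) and all(others)

def report(host: Dict[str, str], cont: Dict[str, str]) -> str:
    lines = [f"{k:6s} {'SHARED with host' if v else 'isolated'}"
             for k, v in sorted(shared_namespaces(host, cont).items())]
    if only_mount_is_private(host, cont):
        lines.append("=> only the mount namespace is private; the container "
                     "adds no confinement beyond the mount table")
    return "\n".join(lines)

if __name__ == "__main__":
    # Run on the host: audit_ns.py <container pid>   (hypothetical script name)
    # Host-side PID of a container: docker inspect -f '{{.State.Pid}}' <name>
    cont_pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(report(read_ns_links(1), read_ns_links(cont_pid)))
```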