[openstack-dev] [nova][cinder][neutron][security] Rootwrap on root-intensive nodes

Steven Dake (stdake) stdake at cisco.com
Fri Feb 6 06:51:07 UTC 2015



On 2/4/15, 10:24 AM, "Daniel P. Berrange" <berrange at redhat.com> wrote:

>On Wed, Feb 04, 2015 at 09:10:06AM -0800, James E. Blair wrote:
>> Thierry Carrez <thierry at openstack.org> writes:
>> 
>> > You make a good point when you mention "traditional distro" here. I
>> > would argue that containers are slightly changing the rules of the
>> > don't-run-as-root game.
>> >
>> > Solution (2) aligns pretty well with container-powered OpenStack
>> > deployments -- running compute nodes as root in a container (and
>> > embracing abovementioned simplicity/performance gains) sounds like a
>> > pretty strong combo.
>> 
>> This sounds at least a little like a suggestion that containers are a
>> substitute for the security provided by running non-root.  The security
>> landscape around containers is complex, and while there are a lot of
>> benefits, I believe the general consensus is that uid 0 processes should
>> not be seen as fully isolated.
>> 
>> From https://docs.docker.com/articles/security/ :
>> 
>>   Docker containers are, by default, quite secure; especially if you
>>   take care of running your processes inside the containers as
>>   non-privileged users (i.e., non-root).
>> 
>> Which is not to say that using containers is not a good idea, but
>> rather, if one does, one should avoid running as root (perhaps with
>> capabilities), and use selinux (or similar).
>
>Yep, I've seen attempts by some folks to run nova-compute and libvirtd
>and QEMU inside a docker container. Because of the inherently privileged
>nature of what Nova/libvirt/qemu need to do, you end up having to share
>all the host namespaces with the docker container, except for the
>filesystem namespace, and even that you need to bind mount a bunch of
>stuff over. As a result the container isn't really offering any security
>benefit over running the things outside the container. IOW the use of
>containers to confine nova is only solving a manageability problem rather
>than a security problem.
>
>Regards,
>Daniel

Daniel,

Agree 100% - compute in containers is all about an atomic image-based
upgrade and downgrade process, not about solving security problems.
Ideally the services that are within containers are as secure as running
natively without containers on bare metal, although this might be a bit of
an assumption since docker does run with all Linux capabilities enabled.

Regards
-steve
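The point both replies make (a compute container that shares every host namespace except mnt and keeps the full capability set is a host process with a private filesystem view, not a confined one) can be checked rather than assumed. The script below is an added example, not code from this thread, from Nova or from Docker: it compares a process's /proc/<pid>/ns links with the host's and decodes its CapEff mask. The sample namespace inode numbers are constructed; 0x3fffffffff is the full capability mask on a kernel defining bits 0..37, 0xa80425fb is the reduced default set an unprivileged Docker container of that era received, and the ESCAPE_CAPS list is my own selection of capabilities that by themselves defeat confinement.

```python
"""Check how much isolation a "containerised" privileged service really has.

Added example (not code from the thread, Nova or Docker): compare a process's
namespaces with the host's and decode its effective capability mask. A
nova-compute container that shares every host namespace except mnt and runs
with the full capability set shows up as what it is: a host process with a
private filesystem view.
"""
import os
import re
import sys

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Capability names by bit index, from <linux/capability.h>, bits 0..37.
# Newer kernels define more; unknown bits are reported as UNKNOWN_<bit>.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"
).split()

# My selection (assumption, not a kernel list): capabilities that on their own
# let a root process break out of or see through container confinement
# (mount, load modules, raw disk, ptrace host processes, open files by handle).
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE",
               "DAC_READ_SEARCH"}


def parse_ns_listing(listing):
    """Parse `ls -l /proc/<pid>/ns` output into {kind: "kind:[inode]"}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+) -> (\w+:\[\d+\])", listing)}


def read_ns(pid):
    """Read the namespace links of a live process (Linux, needs permission)."""
    ns = {}
    for kind in NS_KINDS:
        try:
            ns[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            pass  # namespace type absent on this kernel, or not readable
    return ns


def parse_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Bit mask -> capability names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES)
                         else f"UNKNOWN_{bit}")
        bit += 1
    return names


def isolation_report(proc_ns, host_ns, cap_eff):
    """Say which namespaces are shared with the host and what the caps allow."""
    shared = sorted(k for k in proc_ns if host_ns.get(k) == proc_ns[k])
    private = sorted(k for k in proc_ns if k not in shared)
    caps = decode_caps(cap_eff)
    escape = sorted(ESCAPE_CAPS & set(caps))
    if escape or not private:
        verdict = "host-equivalent"
    elif shared:
        verdict = "partially isolated"
    else:
        verdict = "isolated"
    return {"shared": shared, "private": private, "caps": caps,
            "escape_caps": escape, "verdict": verdict}


# Constructed sample data in the shape of `ls -l /proc/<pid>/ns` and
# /proc/<pid>/status on a 3.x/4.x kernel; the inode numbers are made up.
HOST_NS = parse_ns_listing("""
ipc -> ipc:[4026531839]   mnt -> mnt:[4026531840]   net -> net:[4026531957]
pid -> pid:[4026531836]   user -> user:[4026531837] uts -> uts:[4026531838]
""")
# nova-compute container sharing every host namespace except mnt, run with
# the full capability set (0x3fffffffff = bits 0..37 on such a kernel).
COMPUTE_NS = parse_ns_listing("""
ipc -> ipc:[4026531839]   mnt -> mnt:[4026532198]   net -> net:[4026531957]
pid -> pid:[4026531836]   user -> user:[4026531837] uts -> uts:[4026531838]
""")
COMPUTE_STATUS = "Name:\tnova-compute\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
# Ordinary container: own namespaces (but no user namespace, as Docker of
# that era) and Docker's default reduced capability set, 0xa80425fb.
APP_NS = parse_ns_listing("""
ipc -> ipc:[4026532301]   mnt -> mnt:[4026532299]   net -> net:[4026532304]
pid -> pid:[4026532302]   user -> user:[4026531837] uts -> uts:[4026532300]
""")
APP_STATUS = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    if len(sys.argv) == 2:  # live check, run on the host: script.py <pid>
        pid = sys.argv[1]
        with open(f"/proc/{pid}/status") as f:
            cap = parse_cap_eff(f.read())
        print(isolation_report(read_ns(pid), read_ns(1), cap))
    else:
        for name, ns, st in (("nova-compute", COMPUTE_NS, COMPUTE_STATUS),
                             ("nginx", APP_NS, APP_STATUS)):
            print(name, isolation_report(ns, HOST_NS, parse_cap_eff(st)))
```

Run with no arguments it reports on the constructed samples: the compute container keeps only mnt private and holds SYS_ADMIN, SYS_MODULE, SYS_RAWIO, SYS_PTRACE and DAC_READ_SEARCH, so it is graded host-equivalent; the ordinary container is graded only partially isolated because, without a user namespace, its uid 0 is the host's uid 0. For a live check run it on the host with the container process's host-side PID, since PID 1 is only the host init when the script itself runs outside the container (or in one started with --pid=host).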
