[tripleo] Stop using host's /run|/var/run inside containers

Cédric Jeanneret cjeanner at redhat.com
Thu Jun 18 07:59:05 UTC 2020

On 6/18/20 9:42 AM, Cédric Jeanneret wrote:
> Hello all!
> While working on podman integration, especially the SELinux part of it,
> I was wondering why we kept using the host's /run (or its replicated
> /var/run) location inside containers. And I'm still wondering, 2 years
> later ;).
> Reasons:
> - from time to time, there are patches adding a ":z" flag to the run
> bind-mount. This breaks the system, since the host systemd can't
> write/access container_file_t SELinux context. Doing a relabeling might
> therefore prevent a service restart.
> - in order to keep things in a clean, understandable tree, getting a
> dedicated shared directory for the container's sockets makes sense, as
> it might make things easier to check (for instance, "is this or that
> service running in a container?")
> - if an operator runs a restorecon during runtime, it will break
> container services
> - mounting /run directly in the containers might expose unwanted
> sockets, such as DBus (this creates SELinux denials, and we're
> monkey-patching things and doing really ugly changes to prevent it).
> It's more than probable other unwanted shared sockets end in the
> containers, and it might expose the host at some point. Here again, from
> time to time we see new SELinux policies being added in order to solve
> the denials, and it creates big holes in the host security
> AFAIK, no *host* service is accessed by any container services, right?
> If so, could we imagine moving the shared /run to some other location on
> the host, such as /run/containers, or /container-run, or any other
> *dedicated* location we can manage as we want on a SELinux context?

Small addendum/errata:

some containers DO need to access some specific sockets/directories in
/run, such as /run/netns and, probably, /run/openvswitch (iirc this one
isn't running in a container).
For those specific cases, we can of course mount the specific locations
inside the container's /run.

This addendum doesn't change the main question though :)

> I would therefore get some feedback about this proposed change.
> For the containers, nothing should change:
> - they will get their /run populated with other containers sockets
> - they will NOT be able to access the host services at all.
> Thank you for your feedback, ideas and thoughts!
> Cheers,
> C.

Cédric Jeanneret (He/Him/His)
Sr. Software Engineer - OpenStack Platform
Deployment Framework TC
Red Hat EMEA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200618/e2d9bcf4/attachment-0001.sig>

More information about the openstack-discuss mailing list