On 07/21/2015 07:47 AM, Daniel J Walsh wrote:
>
> On 07/21/2015 09:28 AM, Trevor Jay wrote:
>> On Tue, Jul 21, 2015 at 08:22:50AM -0400, Daniel J Walsh wrote:
>>> Yes we actually recommend using something like
>>>
>>> docker run -ti -v /:/host -v /run:/run -v /dev:/dev --privileged fedora /bin/sh
>>>
>>> And then you can add stuff like
>>> --net=host --pid=host --ipc=host
>>>
>>> And you slowly end up where only /usr inside your container is separate
>>> from the host system.
>>>
>> Yup. On the other end of the spectrum: if all you want to do is start and
>> stop services with systemctl in a container, you can usually get by with:
>>
>> -v /run/dbus:/var/run/dbus -v /run/systemd:/var/run/systemd
>>
>> And you don't even need --privileged. Of course, there's a whole world
>> in-between the two approaches.

Right, we'd rather use as few privileges as possible. Access to systemd = access to everything in our mind, so maybe that should suffice. Direct docker access is just convenience, but of the kind one can't live without.

I think context is important. We are running bare metal machines with Atomic on them. There would be nothing on the hosts if we could help it. For now etcd and flannel are on the hosts. Other than that everything goes to containers. So, we're not really looking to be on the host while in a container. No super privilege; rather, we want to control all those containers running on it. Storage is another one.

It's a very informative discussion. Thank you for your insight. Atomic will probably continue evolving away from standard distros.

>>
>> It all depends on exactly what you're looking to do. strace is your friend.
>> :)
>>
>> _Trevor
>>
> Well SELinux might get in the way of the no privileged part. (At least
> it should).
>
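The thread contrasts a fully host-sharing invocation (bind-mounting /, /run and /dev plus --privileged, optionally --net=host --pid=host --ipc=host) with the minimal pair of mounts needed to drive systemctl. The helper below is an added example, not code from any of the participants or from the Atomic project: a POSIX shell function that scans a "docker run" argument list and counts each option that reaches past the container's own /usr into the host, so the "as few privileges as possible" goal can be checked before a container is started. The path lists inside it are an assumption about what counts as sensitive; the /run/dbus and /run/systemd sockets are scored as control sockets because, as the reply above puts it, access to systemd is access to everything.

```shell
#!/bin/sh
# Added example (not from the thread): score how far a "docker run" command
# line reaches into the host. Usage: docker_exposure <docker run arguments...>
# Prints one line per host-touching option, then "score N".

docker_exposure() {
    score=0
    while [ $# -gt 0 ]; do
        spec=""
        case "$1" in
            --privileged)
                echo "$1: all capabilities and every host device"
                score=$((score + 1)) ;;
            --net=host|--network=host|--pid=host|--ipc=host|--userns=host)
                echo "$1: container shares that host namespace"
                score=$((score + 1)) ;;
            --net|--network|--pid|--ipc|--userns)
                # two-word form, e.g. "--pid host"; consume the value if present
                if [ "$2" = host ]; then
                    echo "$1 host: container shares that host namespace"
                    score=$((score + 1))
                fi
                [ $# -ge 2 ] && shift ;;
            -v|--volume)
                # two-word form, e.g. "-v /:/host"; consume the spec if present
                spec=$2
                [ $# -ge 2 ] && shift ;;
            --volume=*)
                spec=${1#--volume=} ;;
        esac
        if [ -n "$spec" ]; then
            src=${spec%%:*}        # host side of "src:dst[:opts]"
            case "$src" in
                # assumed list of host trees that expose the whole machine
                /|/dev|/run|/var/run|/proc|/sys|/etc|/boot)
                    echo "-v $spec: bind-mounts host tree $src"
                    score=$((score + 1)) ;;
                # assumed list of control sockets: command of host services
                /run/systemd*|/var/run/systemd*|/run/dbus*|/var/run/dbus*|*/docker.sock)
                    echo "-v $spec: control socket, grants command of host services"
                    score=$((score + 1)) ;;
            esac
        fi
        shift
    done
    echo "score $score"
}

# Demo with the two command lines quoted in the thread
docker_exposure -ti -v /:/host -v /run:/run -v /dev:/dev --privileged fedora /bin/sh
docker_exposure -v /run/dbus:/var/run/dbus -v /run/systemd:/var/run/systemd fedora
```

The first invocation scores 4 (three host trees plus --privileged) and climbs to 7 once the three host namespaces are added; the systemctl-only invocation scores 2, both findings being control sockets rather than whole host trees, which is the distinction the two replies are drawing. Named volumes (no leading slash) and ordinary paths such as /srv/data score nothing.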