Please find my reply inline.

Best regards,
Hongbin
On Tue, Jan 2, 2018 at 2:06 PM, João Paulo Sá da Silva <joao-sa-si...@alticelabs.com> wrote:
> Thanks for your answer, Hongbin, it is very appreciated.
>
> The use case is to use Virtualized Network Functions in containers instead of virtual machines. The rationale for using containers instead of VMs is better VNF density in resource constrained hosts.
>
> The goal is to have several VNFs (DHCP, FW, etc) running on a severely resource constrained Openstack compute node. But without the NET_ADMIN cap I can't even start dnsmasq.

Makes sense. Would you help write a blueprint for this feature: https://blueprints.launchpad.net/zun ? We use blueprints to track all requested features.

> Is it possible to use Clear Container with zun/openstack?

Yes, it is possible. We are adding documentation about that: https://review.openstack.org/#/c/527611/ .

> From checking gerrit it seems that this point was already addressed and dropped? Regarding the security concerns I disagree; if users choose to allow such a situation they should be allowed.
>
> It is the user's responsibility to recognize the dangers and act accordingly.
>
> In Neutron you can go as far as fully disabling port security; this was implemented again with VNFs in mind.

Makes sense as well. IMHO, we should disallow privilege escalation by default, but I am open to introducing a configurable option to allow it. I can see this is necessary for some use cases. Cloud administrators should be reminded of the security implications of doing that.

> Kind regards,
>
> João
>
> > Hi Joao,
> >
> > Right now, it is impossible to create containers with escalated privileges, such as setting privileged mode or adding additional caps. This is intentional for security reasons. Basically, what Zun currently provides is "serverless" containers, which means Zun is not using VMs to isolate containers (for people who want isolation as strong as VMs, they can choose a secure container runtime such as Clear Container). Therefore, it is insecure to give users control of any kind of privilege escalation. However, if you want this feature, I would love to learn more about the use cases.
> >
> > Best regards,
> > Hongbin
> >
> > On Tue, Jan 2, 2018 at 10:20 AM, João Paulo Sá da Silva <joao-sa-silva at alticelabs.com> wrote:
> >
> > > Hello!
> > >
> > > Is it possible to create containers in privileged mode or to add caps such as NET_ADMIN?
> > >
> > > Kind regards,
> > >
> > > João
> > >
> > > __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
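A default-deny admission check of the kind proposed in the thread (privilege escalation refused unless an operator has explicitly enabled it, and then only for an allowlisted set of capabilities), as an added example; this is not Zun code, and the policy field names and request shape are assumptions made for the illustration:

```python
from dataclasses import dataclass, field


# Hypothetical operator-side settings standing in for the configurable option
# discussed in the thread (not real Zun configuration keys).
@dataclass(frozen=True)
class PrivilegePolicy:
    allow_privilege_escalation: bool = False   # secure default: deny everything
    allow_privileged_mode: bool = False        # --privileged is a separate opt-in
    allowed_caps: frozenset = frozenset()      # caps the operator has allowlisted


# Minimal stand-in for the relevant part of a container-create request.
@dataclass
class ContainerRequest:
    name: str
    privileged: bool = False
    cap_add: list = field(default_factory=list)


def normalize_cap(cap):
    """Accept 'net_admin', 'NET_ADMIN' or 'CAP_NET_ADMIN' and return 'NET_ADMIN'."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def evaluate(req, policy):
    """Return (allowed, reasons). Anything that raises the container above the
    runtime's default privilege set must have been enabled by the operator."""
    reasons = []
    wanted = {normalize_cap(c) for c in req.cap_add}
    escalates = req.privileged or bool(wanted)
    if not escalates:
        return True, reasons                     # ordinary container: nothing to decide
    if not policy.allow_privilege_escalation:
        reasons.append("privilege escalation disabled by operator policy (default)")
        return False, reasons
    if req.privileged and not policy.allow_privileged_mode:
        reasons.append("privileged mode not permitted")
    denied = sorted(wanted - policy.allowed_caps)
    if denied:
        reasons.append("capabilities not on operator allowlist: " + ", ".join(denied))
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed scenario: an operator has opted in to NET_ADMIN only, for DHCP VNFs.
    vnf_policy = PrivilegePolicy(allow_privilege_escalation=True,
                                 allowed_caps=frozenset({"NET_ADMIN"}))
    for req in (ContainerRequest("dhcp", cap_add=["CAP_NET_ADMIN"]),
                ContainerRequest("fw", cap_add=["net_admin", "SYS_ADMIN"]),
                ContainerRequest("dbg", privileged=True)):
        print(req.name, evaluate(req, vnf_policy))
```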