Containers Team,

The nova-docker developers are currently discussing options for implementing 
support for mounting Cinder volumes in containers, and for creating 
unprivileged containers-in-containers. Both of these currently require 
CAP_SYS_ADMIN[1], which is problematic because, if granted within a container, 
it can lead to an escape from the container back into the host.

There are multiple options[2] for addressing this, each with pros and cons 
identified for your consideration. Please discuss the options with us.

https://etherpad.openstack.org/p/container-block-storage

Please add additional options, and your commentary to the etherpad. Please 
debate any controversial topics on this ML thread so we can gauge where we may 
have consensus, and where we do not. I plan to review this at the Containers 
Team Meeting[3] on Tuesday at 2200 UTC, so please make your feedback before 
then, if possible.

I'm reasonably sure that nobody wants to intentionally relax compute host 
security in order to add this new functionality. Let's find the right short 
term and long term approaches.

Thanks,

Adrian

References:
[1] http://linux.die.net/man/7/capabilities
[2] https://etherpad.openstack.org/p/container-block-storage
[3] https://wiki.openstack.org/wiki/Meetings/Containers
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
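The mail's concern is whether a container process ends up holding CAP_SYS_ADMIN. The kernel reports a process's effective capability set as a hex bitmask on the `CapEff:` line of `/proc/<pid>/status`, and CAP_SYS_ADMIN is capability number 21 in `<linux/capability.h>`. The following is an added example, not code from nova-docker or from the original thread; it decodes that mask so an operator can audit a running container from the host (or from inside it) before and after trying any of the proposed approaches. The two embedded status snippets are constructed samples: one with a Docker-style default capability set, one with the full root set a privileged container would get.

```python
"""Decode the effective capability set of a Linux process and flag CAP_SYS_ADMIN.

Added example for auditing containers; not part of nova-docker or the mail.
Capability numbers are taken from <linux/capability.h>; only the subset
relevant to container hardening is named here, the rest fall back to CAP_<n>.
"""

# Capability number -> name (subset of <linux/capability.h>).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
    31: "CAP_SETFCAP", 34: "CAP_MAC_ADMIN",
}
CAP_SYS_ADMIN = 21

# Constructed sample of /proc/<pid>/status for a process whose effective set is
# the classic Docker default (no CAP_SYS_ADMIN).
DOCKER_DEFAULT_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Constructed sample for a fully privileged (root-equivalent) process.
PRIVILEGED_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""


def parse_cap_eff(status_text):
    """Return the CapEff bitmask (as an int) from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask):
    """Expand a capability bitmask into the sorted list of capability names."""
    names = []
    bit = 0
    while (1 << bit) <= mask:
        if mask & (1 << bit):
            names.append(CAP_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return names


def has_sys_admin(mask):
    """True if CAP_SYS_ADMIN (bit 21) is in the effective set."""
    return bool(mask & (1 << CAP_SYS_ADMIN))


def audit_status(status_text):
    """Summarise one status dump: (has CAP_SYS_ADMIN?, list of cap names)."""
    mask = parse_cap_eff(status_text)
    return has_sys_admin(mask), decode_caps(mask)


def audit_pid(pid="self"):
    """Read /proc/<pid>/status on a live Linux host and audit it."""
    with open("/proc/%s/status" % pid) as fh:
        return audit_status(fh.read())


if __name__ == "__main__":
    # Run inside a container to see what it actually holds; the privileged
    # sample is what a --privileged style container would report.
    for label, text in (("docker-default", DOCKER_DEFAULT_STATUS),
                        ("privileged", PRIVILEGED_STATUS)):
        admin, caps = audit_status(text)
        print("%s: CAP_SYS_ADMIN=%s caps=%s" % (label, admin, ", ".join(caps)))
```

Run `audit_pid()` from inside the container, or `audit_pid(<host pid>)` from the compute host, for a process of the container in question; a `True` first element means the process can reach mount and other CAP_SYS_ADMIN-gated operations, which is exactly the condition the thread is trying to avoid.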