On Thu, 2014-06-12 at 21:57 +0000, Adrian Otto wrote:
> Containers Team,
>
> The nova-docker developers are currently discussing options for
> implementation for supporting mounting of Cinder volumes in
> containers, and creation of unprivileged containers-in-containers.
> Both of these currently require CAP_SYS_ADMIN[1] which is problematic
> because if granted within a container, can lead to an escape from the
> container back into the host.
Why would you mount it from within the container? CAP_SYS_ADMIN is a per-process property, so you use nsenter to execute the mount in the required mount namespace with CAP_SYS_ADMIN from outside of the container (i.e. the host).

I assume this requires changes to cinder so it executes a mount rather than presenting a mountable device node, but it's the same type of change we have to do for mounts which have no node, like bind mounts.

James

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
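The pattern James describes, as an added example that is not code from this thread, from nova-docker or from Cinder: the host process keeps its own CAP_SYS_ADMIN, enters only the container's mount namespace with nsenter, and performs the mount there, so the container itself is never granted the capability. It assumes a Docker-managed container (the PID is read with `docker inspect`), util-linux `nsenter`, and root on the host; the container name, device and mount point are hypothetical parameters. The capability-mask check and the command builders are plain functions so they can be exercised without a running container.

```sh
#!/bin/sh
# Added example (not from the thread, nova-docker or Cinder): mount a block
# device into a running container's mount namespace from the host via nsenter,
# so CAP_SYS_ADMIN never has to be granted to the container.
# Assumptions: Docker container, util-linux nsenter, root on the host.
set -eu

CAP_SYS_ADMIN_BIT=21   # bit number of CAP_SYS_ADMIN (linux/capability.h)

# has_cap_sys_admin HEXMASK: succeed if CAP_SYS_ADMIN is set in a
# "CapEff:" style hex mask as printed in /proc/PID/status.
has_cap_sys_admin() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# cap_eff_of PID: effective capability mask of a process, from /proc.
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# build_mknod_cmd PID DEVICE MAJOR MINOR: command that creates the device node
# inside the container's mount namespace if it is missing. mount(2) resolves
# the source path in the caller's mount namespace, and a container's /dev is
# normally a private tmpfs, so the host's node is usually not visible there.
build_mknod_cmd() {
    printf "nsenter --target %s --mount -- sh -c '[ -b %s ] || mknod %s b %s %s'\n" \
        "$1" "$2" "$2" "$3" "$4"
}

# build_mount_cmd PID DEVICE MOUNTPOINT: command that performs the mount
# inside the container's mount namespace. nsenter switches only the mount
# namespace; the process keeps the host's user namespace, capabilities and
# device cgroup, so the container's reduced capability set does not matter.
build_mount_cmd() {
    printf 'nsenter --target %s --mount -- mount %s %s\n' "$1" "$2" "$3"
}

# mount_into_container CONTAINER DEVICE MOUNTPOINT (all hypothetical names)
mount_into_container() {
    container=$1; device=$2; mountpoint=$3

    pid=$(docker inspect --format '{{.State.Pid}}' "$container")
    [ -b "$device" ] || { echo "$device: not a block device on the host" >&2; return 1; }

    # Sanity check: if the container already runs with CAP_SYS_ADMIN the
    # whole point of doing the mount from outside is lost.
    if has_cap_sys_admin "$(cap_eff_of "$pid")"; then
        echo "refusing: container init (pid $pid) already has CAP_SYS_ADMIN" >&2
        return 1
    fi

    # Device numbers come from the host's node; stat prints them in hex.
    major=$(( 0x$(stat -c '%t' "$device") ))
    minor=$(( 0x$(stat -c '%T' "$device") ))

    sh -c "$(build_mknod_cmd "$pid" "$device" "$major" "$minor")"
    nsenter --target "$pid" --mount -- mkdir -p "$mountpoint"
    sh -c "$(build_mount_cmd "$pid" "$device" "$mountpoint")"
}

# Usage: mount_volume.sh CONTAINER DEVICE MOUNTPOINT
if [ "$#" -eq 3 ]; then
    mount_into_container "$@"
fi
```

Two caveats worth keeping in mind. First, nsenter execs the command after it has entered the mount namespace, so `mount`, `mknod` and `sh` here are the container's binaries running with the host's full capabilities; a container whose filesystem you do not trust can substitute its own, and a hardened version would call mount(2) from a host binary after setns(2) rather than exec anything from the container image. Second, the device node created inside the container's /dev is reachable by container processes only as far as the container's device cgroup allows, which is unchanged by this procedure.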