On Fri, 2014-06-13 at 09:09 +0100, Daniel P. Berrange wrote:
> On Thu, Jun 12, 2014 at 09:57:41PM +0000, Adrian Otto wrote:
> > Containers Team,
> >
> > The nova-docker developers are currently discussing options for
> > implementation for supporting mounting of Cinder volumes in
> > containers, and creation of unprivileged containers-in-containers.
> > Both of these currently require CAP_SYS_ADMIN[1] which is problematic
> > because if granted within a container, it can lead to an escape from the
> > container back into the host.
>
> NB it is fine for a container to have CAP_SYS_ADMIN if user namespaces
> are enabled and the root user remapped.
Not if you want a truly secure container, but this is more of a judgement call as to how secure the container should be. CAP_SYS_ADMIN is a nasty sinkhole of miscellaneous privileges which makes it a pretty dangerous capability for an ordinary user. You have to be really careful because there's lots of ways an ordinary user with CAP_SYS_ADMIN can actually become root. What we did for OpenVZ was break CAP_SYS_ADMIN up into more granular capabilities and put guards on the dangerous ones, but even just mount can be problematic: you have to forbid suid executables etc. and you have to beware of fuzzing the filesystem.

James

> Also, we should remember that mounting filesystems is not the only use
> case for exposing block devices to containers. Some applications will
> happily use raw block devices directly without needing to format and
> mount any filesystem on them (eg databases).
>
> Regards,
> Daniel

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
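Two checks that follow from the points made in this thread, written as an added example rather than code from the thread, from OpenVZ or from nova-docker: whether a process's effective capability set (CapEff in /proc/<pid>/status) includes CAP_SYS_ADMIN, and whether each mount in /proc/<pid>/mountinfo carries nosuid and nodev, so that a volume handed to a container cannot bring setuid binaries or device nodes with it. The capability bit numbers are the kernel's (include/uapi/linux/capability.h, CAP_SYS_ADMIN is bit 21); the /proc samples are constructed for the example and the helper names are mine.

```python
"""Container-hardening checks prompted by the discussion above:
(1) does a process's effective capability set include CAP_SYS_ADMIN, and
(2) do its mounts carry nosuid/nodev, so a mounted volume cannot smuggle in
setuid binaries or device nodes.  Added example, not code from this thread,
OpenVZ or nova-docker.  The /proc samples below are constructed."""

# Capability bit numbers, a subset of include/uapi/linux/capability.h.
CAP_BITS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
    "CAP_MKNOD": 27,
}


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def caps_in_mask(mask):
    """Names from CAP_BITS whose bit is set in mask."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def has_cap_sys_admin(status_text):
    """True if the process described by status_text holds CAP_SYS_ADMIN."""
    return "CAP_SYS_ADMIN" in caps_in_mask(parse_cap_eff(status_text))


def parse_mountinfo(text):
    """Yield (mount_point, fstype, per-mount options) from /proc/<pid>/mountinfo.

    Layout per line:
      id parent major:minor root mount_point mnt_opts [optional...] - fstype source super_opts
    Mount points containing spaces are octal-escaped (\\040) by the kernel;
    this parser keeps them escaped.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        before, sep, after = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        fields = before.split()
        mount_point = fields[4]
        mnt_opts = set(fields[5].split(","))
        fstype = after.split()[0]
        yield mount_point, fstype, mnt_opts


def unsafe_mounts(text, required=("nosuid", "nodev")):
    """Mounts missing any of the required flags, as (mount_point, missing)."""
    findings = []
    for mount_point, _fstype, opts in parse_mountinfo(text):
        missing = sorted(flag for flag in required if flag not in opts)
        if missing:
            findings.append((mount_point, missing))
    return findings


# Constructed samples (not captured from a real system).
STATUS_RESTRICTED = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
STATUS_PRIVILEGED = "Name:\tsh\nCapEff:\t0000003fffffffff\n"
MOUNTINFO = """\
510 498 0:45 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
511 510 0:46 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
512 510 8:16 / /data rw,relatime - ext4 /dev/sdb rw
513 510 8:32 / /scratch rw,nosuid,nodev,relatime - ext4 /dev/sdc rw
"""

if __name__ == "__main__":
    for label, status in (("restricted", STATUS_RESTRICTED),
                          ("privileged", STATUS_PRIVILEGED)):
        print("%s: CAP_SYS_ADMIN=%s" % (label, has_cap_sys_admin(status)))
    for mount_point, missing in unsafe_mounts(MOUNTINFO):
        print("mount %s lacks %s" % (mount_point, ",".join(missing)))
```

On a live system the same functions take the contents of /proc/<pid>/status and /proc/<pid>/mountinfo for the container's init process. Note that nosuid/nodev only address the setuid and device-node paths James mentions; they do nothing about a crafted filesystem image exercising bugs in the kernel's filesystem driver, which is the "fuzzing the filesystem" concern and is a reason to prefer not granting mount rights to the container at all.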