| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 May 2014 12:20:08 -0700 From: James Bottomley <James.Bottomley@...senPartnership.com> To: mhw@...tsEnd.com Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Serge Hallyn <serge.hallyn@...ntu.com>, linux-kernel@...r.kernel.org, Jens Axboe <axboe@...nel.dk>, Arnd Bergmann <arnd@...db.de>, Eric Biederman <ebiederm@...ssion.com>, Serge Hallyn <serge.hallyn@...onical.com>, lxc-devel@...ts.linuxcontainers.org Subject: Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces On Thu, 2014-05-15 at 21:42 -0400, Michael H. Warfield wrote: > On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote: > > > PS - Apparently both parallels and Michael independently > > > project devices which are hot-plugged on the host into containers. > > > That also seems like something worth talking about (best practices, > > > shortcomings, use cases not met by it, any ways tha the kernel can > > > help out) at ksummit/linuxcon. > > > I was told that containers would never want devices hotplugged into > > them. > > Interesting. You were told they (who they?) would never want them? Who > said that? I would have never thought that given that other > implementations can provide that. I would certainly want them. Seems > strange to explicitly relegate LXC containers to being second class > citizens behind OpenVZ, Parallels, BSD Gaols, and Solaris Zones. That would probably be me. Running hotplug inside a container is a security problem and, since containers are easily entered by the host, it's very easy to listen for the hotplug in the host and inject it into the container using nsenter. I don't think the intention is to label anyone's implementation as preferred. What this shows, I think, is that we all have different practises when it comes to setting up containers. Some are necessary because our containers are different. Some could do with serious examination to see if there's really a best way to do the action which we would then all use. > I might believe you were never told they would need them, but that's a > totally different sense. Are we going to tell RedHat and the Docker > people that LXC is an inferior technology that is complex and unreliable > (to quote another poster) compared to these others? They're saying this > will be enterprise technology. If I go to Amazon AWS or other VPS > services and compare, are we not going to stand on a level playing > field? Admittedly, I don't expect Amazon AWS to provide me with serial > consoles, but I do expect to be able to mount file system images within > my VPS. Well, that's another nasty, isn't it. We all have different ways of coping with mount in the container. I think at plumbers we need to sit down with some of this plumbing and work out which pipes carry the same fluids and whether we could unify them. As an aside (probably requiring a new thread) we were wondering about some type of notifier on the mount call that we could vector into the host to perform the action. The main issue for us is mount of procfs, which really needs to be a bind mount in a container. All of this led me to speculate that we could use some type of syscall notifier mechanism to manage capabilities in the host and even intercept and complete the syscall action within the host rather than having to keep evolving more an more complex kernel drivers to do this. James -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists