On Fri, Feb 14, 2014 at 12:11:13PM +0100, Richard Weinberger wrote:
> On 14.02.2014 11:30, Daniel P. Berrange wrote:
> > On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote:
> >> On 13.02.2014 18:16, Daniel P. Berrange wrote:
> >>> On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
> >>>> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
> >>>> to containers.
> >>>> Currently it is not safe to allow a container access to a resource controller.
> >>>>
> >>>
> >>> We *do* want to allow all controllers to be visible to the container.
> >>> eg it is valid for them to have read access to view things like block
> >>> I/O and CPU accounting information. We just don't want to make it writable
> >>> for usernamespaces.
> >>
> >> Okay. But what if one does not enable user namespaces?
> >> Then the controllers are writable within the container.
> >
> > If you don't enable user namespaces, then containers should be considered
> > insecure unless all processes run non-root and all your filesystems are
> > mounted no-setuid to prevent escalation of privileges back to root, or you
> > have SELinux applying controls.
>
> Yeah, I hope all users know that too. Do you plan to support non-user namespace
> container in future?
>
> Maybe one should communicate this to docker.io folks as well. *scnr*

Yep, I've gone into this in much detail with Red Hat folks who are working
with Docker on their container impl, so they at least know the risks in what
they're going....

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list