On Fri, Sep 30, 2022 at 2:04 AM Chris Dunlop <chris@xxxxxxxxxxxx> wrote: > > Hi all, > > On Thu, Sep 29, 2022 at 01:14:17PM +0200, Ilya Dryomov wrote: > > On Fri, Sep 23, 2022 at 5:58 AM Chris Dunlop <chris@xxxxxxxxxxxx> wrote: > >> Why is the ceph container getting access to the entire host > >> filesystem in the first place? > ... > > Right, I see your point, particularly around /rootfs location making it > > obvious that it's not a standard shell. I don't have a strong opinion > > here, ultimately the fix is up to Adam and Guillaume (although I would > > definitely prefer a set of targeted mounts over a blanket -v /:/rootfs > > mount, whether slave or not). > > Perhaps this topic should be raised at a team meeting or however project > directions are managed - i.e. whether or not to keep the blanket mount of > the entire host filesystem or the containers should be aiming for the > minimal filesystem access required to run. If such a discussion were to > take place I think the general safety principals around providing minimum > privileged access should be noted. Indeed. I added this as a topic for the upcoming Ceph Developer Monthly meeting [1]. [1] https://lists.ceph.io/hyperkitty/list/dev@xxxxxxx/thread/VDV5YVZSLFMUAAUI2NBZMYSKCFRC5AIV/ Thanks, Ilya
