Am 19.11.2015 um 15:21 schrieb Serge E. Hallyn: > On Thu, Nov 19, 2015 at 08:53:26AM +0100, Richard Weinberger wrote: >> Am 19.11.2015 um 08:47 schrieb James Morris: >>> On Wed, 18 Nov 2015, Richard Weinberger wrote: >>> >>>> On Wed, Nov 18, 2015 at 4:13 PM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: >>>>> On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote: >>>>> >>>>>> Yes, the host admin. I'm not talking about trusting the admin inside the >>>>>> container at all. >>>>> >>>>> Then why not have the same host admin just plain mount it when setting the >>>>> container up and be done with that? From the host namespace, before spawning >>>>> the docker instance or whatever framework you are using. IDGI... >>>> >>>> Because hosting companies sell containers as "full virtual machines" >>>> and customers expect to be able mount stuff like disk images they upload. >>> >>> I don't think this is a valid reason for merging functionality into the >>> kernel. >> >> Erm, I don't want this in the kernel. That's why I've proposed the lklfuse approach. > > That would require the fuse-in-containers functionality, right? Correct. Still a less large attack surface. :-) Thanks, //richard -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel
