On Wed, Nov 18, 2015 at 03:13:35PM +0000, Al Viro wrote: > On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote: > > > Yes, the host admin. I'm not talking about trusting the admin inside the > > container at all. > > Then why not have the same host admin just plain mount it when setting the > container up and be done with that? From the host namespace, before spawning > the docker instance or whatever framework you are using. IDGI... fwiw one example use case is building a livecd or vm image from inside container, on a system where each piece of functionality is compartmentalized in a separate container. For specific programs we can engineer them to call out to a helper in the init user_ns, but that doesn't work for existing tools. James Bottomley a year or two ago had mentioned the idea of using seccomp to have the mount syscall in a container trap into a init_user_ns helper, but we'd have to ptrace the whole container for its whole lifetime to do that, or use SECCOMP_RET_TRAP with a LD_PRELOAD that does goes through a proxy to do the remote request (which becomes infeasible bc LD_PRELOAD won't stick). If we did enable anything but FUSE I would hope each fs would have a separate sysctl to enable non-init-userns mounts. Then the admin could enable them just as they do the automount of whatever garbage is on a usb stick found lying on the trade floor. -serge -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel
