On Tue, Jan 3, 2017 at 7:48 AM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote: > On Sun, Jan 01, 2017 at 02:32:20PM -0600, Linas Vepstas wrote: > > [..] >> It's somehow ironic that the push for user-space mounts and containers >> comes from this general fuzzy sensation that they are somehow "safer", >> yet the changes to enable this provide a new attack surface for >> privilege escalation. Funny world we live in. :-) Happy New Year! > > Only if unprivileged users want to be able to mount overlayfs. Otherwise, a > privileged user can just mount overlayfs on host and bind mount that > inside container (this is what docker does). And then you don't have > to worry about allowing unprivileged users to be able to allow mounting. :-( The way that Ubuntu solves this is to carry patches to allow user-space mounts. Debian doesn't, which is how I tripped across this. Anyway, Docker and LXC are very different beasts: Docker makes for great demos, and can get the occasional newbie going, but is kind of klunky and awkward in real-life deployments. It certainly fails to provide the ease-of-use and flexibility that LXC offers. (Docker tries to solve two unrelated problems, and it handles both of them poorly: one problem is containerization, the other problem is container build. LXC solves the first problem much more elegantly, and completely ignores the second problem, which, in general, is easily solved with shell scripts, so what was the point of Docker reinventing a new kind of shell, badly?) -- linas -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
