Re: LXC+overlayfs in unprivileged mode

On Tue, Jan 03, 2017 at 10:08:25AM -0600, Linas Vepstas wrote:
> On Tue, Jan 3, 2017 at 7:48 AM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> > On Sun, Jan 01, 2017 at 02:32:20PM -0600, Linas Vepstas wrote:
> >
> > [..]
> >> It's somehow ironic that the push for user-space mounts and containers
> >> comes from this general fuzzy sensation that they are somehow "safer",
> >> yet the changes to enable this provide a new attack surface for
> >> privilege escalation. Funny world we live in. :-)  Happy New Year!
> >
> > Only if unprivileged users want to be able to mount overlayfs. Otherwise, a
> > privileged user can just mount overlayfs on host and bind mount that
> > inside container (this is what docker does). And then you don't have
> > to worry about allowing unprivileged users to be able to allow mounting.
> 
> :-(   The way that Ubuntu solves this is to carry patches to allow user-space
> mounts.  Debian doesn't, which is how I tripped across this.  Anyway, Docker
> and LXC are very different beasts: Docker makes for great demos, and
> can get the occasional newbie going, but is kind of clunky and awkward
> in real-life deployments.  It certainly fails to provide the ease-of-use and
> flexibility that LXC offers.   (Docker tries to solve two unrelated problems,
> and it handles both of them poorly: one problem is containerization, the
> other problem is container build. LXC solves the first problem much more
> elegantly, and completely ignores the second problem, which, in general,
> is easily solved with shell scripts, so what was the point of Docker
> reinventing a new kind of shell, badly?)

I will not go into comparing LXC and Docker. For me, I do think that they
handled the ease-of-use case very well. I just had to run two commands
to get a container running.

- yum install docker
- docker run -ti fedora bash

I think the LXC vs Docker conversation is beside the point for this thread.

Vivek
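The pattern Vivek describes above (root mounts overlayfs on the host, then bind-mounts the merged tree into the container, so no unprivileged user ever needs mount rights on overlayfs) as an added shell example; this is not code from the thread, and every path and the container name c1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: root performs the overlay mount on the
# host and bind-mounts the result into an LXC container's rootfs.
# All paths below are assumed; adjust to the local layout.
set -eu

LOWER=/srv/images/fedora-base      # read-only base image
UPPER=/srv/containers/c1/upper     # per-container writable layer
WORK=/srv/containers/c1/work       # overlayfs work dir, must share a fs with UPPER
MERGED=/srv/containers/c1/merged   # where the union appears on the host
ROOTFS=/var/lib/lxc/c1/rootfs      # container rootfs (LXC default layout)

# Build the overlayfs option string. Kept in a function so the exact
# options can be checked without root and without touching any mount.
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# overlayfs requires upperdir and workdir on the same filesystem;
# check it up front instead of letting mount(2) fail.
same_fs() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Step 1 (root, on the host): create the layers and mount the overlay.
mount_overlay_on_host() {
    mkdir -p "$UPPER" "$WORK" "$MERGED"
    same_fs "$UPPER" "$WORK"
    mount -t overlay overlay \
        -o "$(overlay_opts "$LOWER" "$UPPER" "$WORK")" "$MERGED"
}

# Step 2 (root, on the host): expose only the merged view to the container.
# The container sees a plain bind mount and never needs CAP_SYS_ADMIN for it.
bind_into_container() {
    mkdir -p "$ROOTFS/mnt/data"
    mount --bind "$MERGED" "$ROOTFS/mnt/data"
}

# Only act when run as root and explicitly asked to; otherwise the script
# just defines the helpers so they can be inspected or tested.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    mount_overlay_on_host
    bind_into_container
fi
```

The same bind can be made persistent with an `lxc.mount.entry` line in the container's config instead of the manual `mount --bind`.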