checkProcMount() is too strict #2826
Comments
Looks like we first need to audit the kernel, and then allow this mount in case the container is running inside its own netns (similar to the netns check done in libcontainer/configs/validate/). In any case, this looks like a post-1.0 material to me.
I guess a question I would have is: Is it the responsibility of
So, yes, I think we can make an exception for /proc/sys/net mount, in case NETNS is enabled. It's too late for 1.1.0 I'm afraid though, as we do not even have a PR yet. Moving milestone to 1.2.0. @JonathonReinhart feel free to open a PR.
Hi @kolyshkin. While I was away from this issue, I started down the road of auditing the kernel to verify that everything under
The details are available on the With these bugs fixed and making their way into the distros, I am now confident that allowing When I find some more time, I will try to put a PR together for this enhancement.
… netns All sysctls in /proc/sys/net are netns-safe: https://github.com/JonathonReinhart/linux-netns-sysctl-verify Closes opencontainers#2826 Signed-off-by: Jonathon Reinhart <[email protected]>
@JonathonReinhart wow, great work, much appreciated! Looks like we're on the right track with #3224.
TL;DR: `checkProcMount()` won't let me mount `/proc/sys/net` as read-write.

I'm trying to run a libvirt KVM VM inside of a docker container without using `--privileged`. I've worked around a lot of other errors by:

- `/dev/kvm` and `/dev/net/tun` devices
- `CAP_NET_ADMIN` (safe: net-namespaced)
- `/sys/fs/cgroup/*` read-write (safe?)
- `/sys/devices/virtual/net` read-write (safe: net-namespaced)

But there's one error I can't work around:

What I would like to do is allow `/proc/sys/net` to be mounted read-write inside of the container. My understanding is that this is safe because everything in that subdirectory is net-namespaced, so a container can't affect the host net ns. (I would have to audit some kernel code to be sure, but it's certainly better than `--privileged`).

The problem is that `checkProcMount()` won't let me:

My only alternative to `--privileged` is granting `CAP_SYS_ADMIN` (for `mount(2)`) and remounting `/proc/sys` inside the container. This is a horrible alternative because:

- `CAP_SYS_ADMIN` is terribly overloaded
- `/proc/sys` has lots of kernel global options which aren't namespaced
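The check the thread converges on (keep mounts over `/proc` locked down, but let `/proc/sys/net` through when, and only when, the container is created in its own network namespace) is easier to reason about as code. The Go below is an added illustration written for this page, not runc's `checkProcMount()` or any part of libcontainer: `procAllowList` is a short constructed list of `/proc` files a runtime might reasonably allow to be covered, `Namespace` is a minimal stand-in for an OCI `linux.namespaces` entry, and `HasPrivateNetNS`, `CheckProcMount` and `ErrProcMountDenied` are hypothetical names. The netns gate follows the OCI convention that a namespace entry with a `path` joins an existing namespace rather than creating one, so only a path-less `network` entry counts as private.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical, constructed for this example: a short list of /proc paths a
// runtime might allow a mount to cover (files tools like LXCFS replace). It is
// not runc's own list; the only point being made here is the /proc/sys/net gate.
var procAllowList = []string{
	"/proc/cpuinfo",
	"/proc/meminfo",
	"/proc/stat",
	"/proc/uptime",
	"/proc/loadavg",
}

// Namespace is a minimal stand-in for an OCI runtime-spec linux.namespaces entry.
// Type is e.g. "network"; a non-empty Path means "join this existing namespace"
// rather than "create a fresh one".
type Namespace struct {
	Type string
	Path string
}

// HasPrivateNetNS reports whether the container will get its own network
// namespace: a "network" entry with no Path. An entry that joins an existing
// namespace by Path could be the host's, so it does not count as private here.
func HasPrivateNetNS(namespaces []Namespace) bool {
	for _, ns := range namespaces {
		if ns.Type == "network" && ns.Path == "" {
			return true
		}
	}
	return false
}

// ErrProcMountDenied is wrapped in every denial so callers can test for it.
var ErrProcMountDenied = errors.New("mount over /proc denied")

// CheckProcMount decides whether a mount whose destination is dest may be set
// up. The decision ignores ro/rw on purpose: the concern with covering /proc
// paths is what the mount hides or exposes, and the one read-write exception
// (/proc/sys/net) rests on netns scoping rather than on the mount flags.
func CheckProcMount(dest string, hasNetNS bool) error {
	dest = filepath.Clean(dest) // collapses "/proc/sys/net/../kernel" to "/proc/sys/kernel"

	// Destinations outside /proc are out of scope for this check.
	if dest != "/proc" && !strings.HasPrefix(dest, "/proc/") {
		return nil
	}
	// Mounting procfs on /proc itself is how the container gets its /proc.
	if dest == "/proc" {
		return nil
	}
	for _, allowed := range procAllowList {
		if dest == allowed {
			return nil
		}
	}
	// The exception this issue asks for: everything under /proc/sys/net is a
	// per-network-namespace sysctl, so a read-write mount there cannot reach
	// host network state, provided the container is in its own netns.
	if dest == "/proc/sys/net" || strings.HasPrefix(dest, "/proc/sys/net/") {
		if hasNetNS {
			return nil
		}
		return fmt.Errorf("%w: %s is only acceptable inside a private network namespace", ErrProcMountDenied, dest)
	}
	// Anything else under /proc (including the rest of /proc/sys, which holds
	// non-namespaced kernel-global knobs) stays denied.
	return fmt.Errorf("%w: %s", ErrProcMountDenied, dest)
}

func main() {
	private := []Namespace{{Type: "network"}, {Type: "pid"}}
	joined := []Namespace{{Type: "network", Path: "/var/run/netns/example"}} // constructed path
	for _, c := range []struct {
		dest string
		nss  []Namespace
	}{
		{"/proc/sys/net", private},
		{"/proc/sys/net/ipv4/ip_forward", private},
		{"/proc/sys/net", joined},
		{"/proc/sys/kernel", private},
		{"/proc/cpuinfo", nil},
		{"/proc/sys/net/../kernel", private},
	} {
		netns := HasPrivateNetNS(c.nss)
		fmt.Printf("%-32s private-netns=%-5v -> %v\n", c.dest, netns, CheckProcMount(c.dest, netns))
	}
}
```

Two details carry the security weight: the `filepath.Clean` call, so that a destination like `/proc/sys/net/../kernel` is judged as `/proc/sys/kernel` and refused; and the treatment of a `network` namespace entry that carries a `path` as not private, since joining an existing netns (the host's included) would defeat the reasoning that makes the `/proc/sys/net` exception acceptable.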