[lxc-users] bind-mounting kernel directories
Michael H. Warfield
mhw at WittsEnd.com
Wed Apr 1 16:54:17 UTC 2015
On Wed, 2015-04-01 at 12:07 -0400, Chris Burroughs wrote:
> Userland tools can be confused if the running kernel does not match
> anything in /lib/modules, and 'per-container' modules are a nonsensical
> notion anyway. Is there any reason not to read-only bind-mount
> /lib/modules & /usr/src/kernels from the host into the container? I've
> seen a few references in blogs but this does not appear to be the
> default behavior of the templates.
Which could be a really BAD practice if you are running privileged
containers (cue the comments that any priv containers are a security
risk, yeah yeah, but still...). That would allow root in a container to
modify the contents of the host's kernel modules, potentially
compromising the host. Very bad thing.
Doing a read-only bind mount is marginal at best. We've had issues with
remounts in containers propagating out (that I think/hope are finally
fixed) and some containers need mount privs in order to mount images or
do nfs/afs/cifs mounts, so prohibiting the cap_sysadmin is not a viable
option in general there.
Bind mounting the kernel src MIGHT be OK (only if the host never uses it
for anything) but I'm not sure I would take that risk either.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
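An added audit script, not part of the original thread: it walks an LXC 1.x container config, picks out `lxc.mount.entry` bind mounts of the host's /lib/modules and /usr/src/kernels, and reports both the writable case Mike warns about and the weaker "ro but CAP_SYS_ADMIN kept" case his remount caveat covers. The config text below is constructed for the example; it assumes the LXC 1.x `lxc.mount.entry` (fstab-style fields) and `lxc.cap.drop` syntax.

```python
from typing import Dict, List, Set, Tuple

# Host kernel directories the thread discusses bind-mounting into containers.
KERNEL_PATHS = ("/lib/modules", "/usr/src/kernels")

# Constructed sample of an LXC 1.x container config (not a real container's file).
SAMPLE_CONFIG = """\
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.cap.drop = mac_admin mac_override
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = /lib/modules lib/modules none bind 0 0
lxc.mount.entry = /usr/src/kernels usr/src/kernels none bind,ro 0 0
lxc.mount.entry = /srv/data srv/data none bind,rw 0 0
"""

def parse_config(text: str) -> Tuple[List[Dict[str, object]], Set[str]]:
    """Return (fstab-style lxc.mount.entry fields, dropped capability names)."""
    mounts: List[Dict[str, object]] = []
    dropped: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = [part.strip() for part in line.split("=", 1)]
        if key == "lxc.cap.drop":
            dropped.update(value.split())
        elif key == "lxc.mount.entry":
            fields = value.split()
            if len(fields) >= 4:  # source target fstype options [dump pass]
                mounts.append({"source": fields[0], "target": fields[1],
                               "fstype": fields[2],
                               "options": set(fields[3].split(","))})
    return mounts, dropped

def audit_kernel_binds(text: str) -> List[Tuple[str, str]]:
    """Flag bind mounts of host kernel dirs, with the risk the thread describes."""
    mounts, dropped = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for m in mounts:
        opts = m["options"]
        if not ({"bind", "rbind"} & opts):
            continue  # not a bind mount of a host path
        src = str(m["source"])
        if not any(src == p or src.startswith(p + "/") for p in KERNEL_PATHS):
            continue
        if "ro" not in opts:
            findings.append((src, "writable bind of host kernel dir"))
        elif "sys_admin" not in dropped:
            # Read-only helps, but CAP_SYS_ADMIN inside the container can remount.
            findings.append((src, "ro bind but CAP_SYS_ADMIN retained"))
    return findings
```

Run it over a real container's config file to see which of the two warnings applies; an empty result means either no kernel-directory binds or read-only binds in a container that drops sys_admin.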