[lxc-users] Virtualizing hardware for containers

Brian Allen Vanderburg II brianvanderburg2 at aim.com
Sun Jun 7 17:15:30 UTC 2015


I didn't know where to post this but I had an idea, most likely of
little use but I thought I would put it out there.  Part of this idea is
inspired by FUSE, which allows creating a user space filesystem but also
takes care of basic security such as not allowing SUID.

I had an idea for a DUSE - Device driver in user space.  This would
probably not work without some sort of kernel support as well.  Like
FUSE, a DUSE application gets run by a normal user, and if that user is
a member of the duse group, that user can create device files.  For
security the device files cannot be created under the host /dev, but
could be created under a different location which would eventually
become the container's /dev.  Any reads and writes to the device file,
and IOCTL calls would be directed to the application.  The device file
gets created as the launching user/group.

lxc-device simply makes a device available within a container.  This
could allow several potential features.  First, a DUSE application
could be created to function as a filter before interacting in some way
with the host.  A virtual device could be exposed to a container, but
any interactions with that device from the container are monitored and
only certain interactions may be allowed to pass through and interact
with the host.  How this works would be device specific.  Second, a DUSE
application could provide a device that doesn't actually exist, a
virtual device.  Finally, such a feature might have use outside of
containers as well.

To support this within a container, special configurations could be
specified which would allow launching of the DUSE application as a
specific user after any user namespaces are set up, but before the rest
of the container is set up.  This would launch the application from the
host filesystem before any mount point changes, but allow specifying
which user/group the device file is owned as and what permissions are
set on the device file.


Brian Allen Vanderburg II
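
The filtering role described in the message, sketched as an added example (not part of the original post and not code from LXC or any existing project). DUSE does not exist, so every `duse_*` name, the request structure and the sample policy are hypothetical; only the ioctl constants and errno values are real Linux ones.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>

/* Hypothetical: the kinds of request a DUSE filter receives from the container. */
enum duse_op { DUSE_READ, DUSE_WRITE, DUSE_IOCTL };

struct duse_req {
    enum duse_op op;
    unsigned long ioctl_cmd; /* meaningful only for DUSE_IOCTL */
    size_t len;              /* payload length for read/write */
};

struct duse_policy {
    int allow_read, allow_write;
    size_t max_write;                 /* largest write forwarded to the host */
    const unsigned long *ioctl_allow; /* allowlisted ioctl request numbers */
    size_t n_ioctl;
};

/* Returns 0 to forward the request to the host device, else a negative errno. */
int duse_filter(const struct duse_policy *p, const struct duse_req *r)
{
    switch (r->op) {
    case DUSE_READ:
        return p->allow_read ? 0 : -EACCES;
    case DUSE_WRITE:
        if (!p->allow_write)
            return -EACCES;
        return r->len <= p->max_write ? 0 : -EFBIG;
    case DUSE_IOCTL:
        for (size_t i = 0; i < p->n_ioctl; i++)
            if (p->ioctl_allow[i] == r->ioctl_cmd)
                return 0;
        return -ENOTTY; /* default deny: request is not on the allowlist */
    }
    return -EINVAL;
}

/* Constructed sample policy: reads and read-only terminal queries pass, nothing else. */
static const unsigned long tty_query_ioctls[] = { TCGETS, TIOCGWINSZ };
const struct duse_policy tty_readonly = { 1, 0, 0, tty_query_ioctls, 2 };

int main(void)
{
    /* Constructed requests: window-size query, TIOCSTI, 16-byte write. */
    const struct duse_req reqs[] = {
        { DUSE_IOCTL, TIOCGWINSZ, 0 }, { DUSE_IOCTL, TIOCSTI, 0 }, { DUSE_WRITE, 0, 16 } };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("request %zu -> %d\n", i, duse_filter(&tty_readonly, &reqs[i]));
    return 0;
}
```

The filter is default-deny: an ioctl the policy author never considered is refused without the host device ever seeing it.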

