Re: [libvirt] [PATCHv2] lxc: give RW access to /proc/sys/net/ipv[46] to containers
On Tue, Dec 9, 2014 at 10:47 AM, Cédric Bosdonnat <cbosdonnat(a)suse.com> wrote:
Some programs want to change some values for the network interfaces
configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
allows wicked to work on openSUSE 13.2+.
In order to mount those folders RW but keep the rest of /proc/sys RO,
we add temporary mounts for these folders before bind-mounting
/proc/sys. Those mounts will be skipped if the container doesn't have
its own network namespace.
It may happen that one of the temporary mounts in /proc/ filesystem
isn't available due to a missing kernel feature. We need not to fail
in that case.
IMHO we should drop the read-only /proc mount completely.
The idea behind having a read-only /proc was to make a container less insecure
because user namespaces did not exist yet.
Now as user namespaces are mainline and considered stable we should
start dropping such hacks
instead of adding more of them.
As consequence of that libvirt has to decide what kind of container it
wants to support.
IMHO the only sane way is to enforce user namespaces to provide
reasonable isolation.
If an user can do bad things with a read-write /proc it need to be
fixed in the kernel
and not in libvirt.
Containers without user namespaces and a root within are insecure and
broken by design.
Just my two cents.
--
Thanks,
//richard