From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: "Colin Walters" <walters@verbum.org>,
"Marc-André Lureau" <marcandre.lureau@gmail.com>,
QEMU <qemu-devel@nongnu.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH] virtiofsd: Use clone() and not unshare(), support non-root
Date: Tue, 5 May 2020 16:32:19 +0100 [thread overview]
Message-ID: <20200505153219.GS764268@redhat.com> (raw)
In-Reply-To: <20200505152359.GG381978@stefanha-x1.localdomain>
On Tue, May 05, 2020 at 04:23:59PM +0100, Stefan Hajnoczi wrote:
> On Mon, May 04, 2020 at 04:07:22PM +0200, Marc-André Lureau wrote:
> > Hi
> >
> > On Fri, May 1, 2020 at 8:29 PM Colin Walters <walters@verbum.org> wrote:
> > >
> > > I'd like to make use of virtiofs as part of our tooling in
> > > https://github.com/coreos/coreos-assembler
> > > Most of the code runs as non-root today; qemu also runs as non-root.
> > > We use 9p right now.
> > >
> > > virtiofsd's builtin sandboxing effectively assumes it runs as
> > > root.
> > >
> > > First, change the code to use `clone()` and not `unshare()+fork()`.
> > >
> > > Next, automatically use `CLONE_NEWUSER` if we're running as non root.
> > >
> > > This is similar logic to that in https://github.com/containers/bubblewrap
> > > (Which...BTW, it could make sense for virtiofs to depend on bubblewrap
> > > and re-exec itself rather than re-implementing the containerization
> > > itself)
> > >
> >
> > Now that systemd-nspawn works without privileges, isn't that also a
> > solution? One that would fit both system and session level
> > permissions, and integration with other services?
>
> Does systemd-nspawn work inside containers?
>
> I think virtiofsd will need to run inside containers in the future and
> remember systemd being difficult to use in containers.
It can be made to work, but my gut tells me people won't be happy if
system were a mandatory requirement for virtiofsd usage. Also there
are current Linux distros which don't even use systemd.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-05-05 15:41 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-01 18:25 [PATCH] virtiofsd: Use clone() and not unshare(), support non-root Colin Walters
2020-05-04 9:51 ` Daniel P. Berrangé
2020-05-04 13:49 ` Stefan Hajnoczi
2020-05-04 13:49 ` [Virtio-fs] " Stefan Hajnoczi
2020-05-04 14:07 ` Marc-André Lureau
2020-05-04 14:20 ` Colin Walters
2020-05-04 15:43 ` Marc-André Lureau
2020-05-05 15:23 ` Stefan Hajnoczi
2020-05-05 15:32 ` Daniel P. Berrangé [this message]
2020-05-06 19:16 ` Dr. David Alan Gilbert
2020-05-07 9:28 ` Daniel P. Berrangé
2020-05-21 10:19 ` Stefan Hajnoczi
2020-05-21 10:43 ` Daniel P. Berrangé
2020-05-27 11:16 ` Stefan Hajnoczi
2020-06-02 9:55 ` Stefan Hajnoczi
2020-06-03 1:53 ` Colin Walters
2020-06-17 12:50 ` Stefan Hajnoczi
2020-06-17 12:55 ` Colin Walters
2020-06-23 12:34 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200505153219.GS764268@redhat.com \
--to=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=marcandre.lureau@gmail.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.