[pve-devel] container block device access

Alexandre DERUMIER aderumier at odiso.com
Mon Sep 7 12:19:59 CEST 2015


>>@Alexandre: what's the reason for the cgroup devices.allow listing? This
>>is the part that concerns me. It's fine for non-loop devices, but with
>>loop devices this is a problem.
>>IIRC it was something about resizing, but I'm going to handle this from
>>the outside via an API call, so the container wouldn't be required to
>>access the loop device directly anymore.

Yes, it was for resizing inside the container
(expose the block device inside the guest with mknod and allow reading it,
 as resize2fs inside the guest needs it).





----- Original message -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Cc: "aderumier" <aderumier at odiso.com>
Sent: Monday 7 September 2015 11:58:52
Subject: container block device access

I'm currently cleaning up the loop-devices code and am getting rid of 
pretty much all of it for security reasons and ease of handling. 

For one, losetup's listed paths aren't always accurate when
mount-namespaces are involved (you get a path relative to the
root of the filesystem the file resides on, e.g. I get
/images/104/vm-104-disk-1.raw instead of the whole /var/lib/vz/...).

More importantly if a container has full access to a loop device it can 
detach the device, freeing it up to be used for the next container that 
starts, after which it has full access to that other container's disk 
attached to the same loop device. This is unacceptable. 

@Alexandre: what's the reason for the cgroup devices.allow listing? This 
is the part that concerns me. It's fine for non-loop devices, but with 
loop devices this is a problem. 
IIRC it was something about resizing, but I'm going to handle this from 
the outside via an API call, so the container wouldn't be required to 
access the loop device directly anymore. 
Is there anything else to consider? Otherwise the loop device code will
be replaced in favor of `-o loop` as this sets the autoclear flag, which
means we don't need to clean up after loops manually at all.
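
An audit check for the devices.allow concern raised in this thread, added here as an example and not code from the thread or from Proxmox: it parses a cgroup v1 `devices.list` and reports entries that cover loop block devices (major 7). The sample listing and the function names are constructed for illustration.

```python
import re

LOOP_MAJOR = "7"  # block major number of /dev/loopN on Linux

# Constructed sample of a cgroup v1 devices.list for one container.
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 5:2 rwm
c 136:* rwm
b 7:3 rwm
b 253:4 r
"""

# One entry per line: <type> <major>:<minor> <access>, '*' is a wildcard.
ENTRY = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")


def loop_grants(devices_list_text):
    """Return (line, minor, access) for each entry covering a loop block device."""
    findings = []
    for raw in devices_list_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparseable devices.list entry: {line!r}")
        dev_type, major, minor, access = m.groups()
        # 'a' covers char and block devices; 'c' can never match a loop device.
        if dev_type == "c":
            continue
        if major in ("*", LOOP_MAJOR):
            findings.append((line, minor, access))
    return findings


def can_open(access):
    """True if the entry permits opening the node (r or w), not only mknod."""
    return "r" in access or "w" in access


if __name__ == "__main__":
    for line, minor, access in loop_grants(SAMPLE_DEVICES_LIST):
        scope = "all loop devices" if minor == "*" else f"loop{minor}"
        mode = "open allowed" if can_open(access) else "mknod only"
        print(f"{line!r}: {scope}, {mode}")
```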


