From: German Maglione
Subject: Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?
Date: Fri, 30 Sep 2022 10:13:59 +0200
On Thu, Sep 29, 2022 at 7:03 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> On Thu, Sep 29, 2022 at 11:47:32AM -0400, Colin Walters wrote:
> >
> >
> > On Thu, Sep 29, 2022, at 10:10 AM, Vivek Goyal wrote:
> >
> > > What's your use case. How do you plan to use virtiofs.
> >
> > At the current time, the Kubernetes that we run does not support user
> > namespaces. We want to do the production builds of our operating system
> > (Fedora CoreOS and RHEL CoreOS) today inside an *unprivileged* Kubernetes
> > pod (actually in OpenShift using anyuid, i.e. random unprivileged uid too),
> > just with /dev/kvm exposed from the host (which is safe). Operating system
> > builds *and* tests in qemu are just another workload that can be shared
> > with other tenants.
> >
> > qemu works fine in this model, as does 9p. It's just the virtiofs
> > isolation requires privileges to be used today.
>
> [ cc German ]
>
> Hi Colin,
>
> So rust version of virtiofsd, already supports running unprivileged
> (inside a user namespace).
>
> https://gitlab.com/virtio-fs/virtiofsd/-/blob/main/README.md#running-as-non-privileged-user
>
> host$ podman unshare -- virtiofsd --socket-path=/tmp/vfsd.sock \
>     --shared-dir /mnt --announce-submounts --sandbox chroot &
>
> I think the only privileged operation it needs is assigning a range of
> subuid/subgid to the uid you are using on the host.
>
> I think that should be usable for you as of now.
>
> Having said that, openat2() and landlock are interesting improvements,
> especially when somebody does not want to use user namespaces. Without
> user namespaces, one will not be able to do arbitrary switching of uid/gid.
> IOW, inside the guest, you will be limited to one uid/gid.
>
> I am hoping German or somebody else can have a look at the openat2() and
> landlock improvements in the near future.
I will do it.
>
> I am assuming you are fine with using user namespaces on the host. And by
> assigning a subuid/subgid range, it will allow you arbitrary switching
> of uid/gid inside the guest.
>
> Can you give rust virtiofsd (unprivileged) a try.
>
> Thanks
> Vivek
>
--
German
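The quoted message says the only privileged step for running the Rust virtiofsd unprivileged is giving the host user a subuid/subgid range, after which `podman unshare` provides a user namespace in which virtiofsd can switch uid/gid freely. The script below is an added illustration of that prerequisite; it is not virtiofsd code and not from this thread. It parses /etc/subuid-format text, reproduces the uid_map shape rootless podman installs (the host user becomes uid 0, the subuid range becomes uids 1..COUNT), and reports which host uid a uid chosen inside the namespace lands on. The user names, uids and ranges are constructed sample data; the `usermod --add-subuids` hint in the failure message is the shadow-utils option for assigning a range.

```shell
#!/bin/sh
# Added example (not virtiofsd code and not from the thread): check the one
# privileged prerequisite named above for running virtiofsd under
# `podman unshare`, a subuid/subgid range for the host user, and show which
# host uid a uid chosen inside the namespace lands on. The user names, uids
# and ranges below are constructed; pass "$(cat /etc/subuid)" as CONTENT to
# check a live host.

SAMPLE_SUBUID='root:100000:65536
builder:165536:65536
# comment lines are ignored
alice:231072:65536'

# subid_range USER CONTENT: print "start count" for USER; exit 1 if no range.
subid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == u { print $2, $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# unshare_uid_map HOST_UID START COUNT: the /proc/self/uid_map rootless podman
# installs. The host user becomes uid 0 in the namespace and the subuid range
# becomes uids 1..COUNT (gid_map has the same shape with the subgid range).
unshare_uid_map() {
    printf '0 %s 1\n' "$1"
    printf '1 %s %s\n' "$2" "$3"
}

# translate_uid NS_UID MAP: host uid that namespace uid NS_UID maps to; exit 1
# if NS_UID lies outside every line (the kernel shows it as overflowuid 65534).
translate_uid() {
    printf '%s\n' "$2" | awk -v id="$1" '
        BEGIN { id += 0 }
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_user USER HOST_UID CONTENT: one-line verdict; exit 1 if USER has no range.
check_user() {
    if range=$(subid_range "$1" "$3"); then
        set -- "$1" "$2" $range
        echo "$1 (uid $2): subuid range $3-$(( $3 + $4 - 1 )), usable with podman unshare"
    else
        echo "$1: no subuid range; assign one as root, e.g. usermod --add-subuids START-END $1"
        return 1
    fi
}

# Demo with the constructed data: a file created as uid 1000 inside the
# namespace (for example by virtiofsd honouring a guest uid) is owned by
# host uid 166535.
check_user builder 1000 "$SAMPLE_SUBUID"
map=$(unshare_uid_map 1000 $(subid_range builder "$SAMPLE_SUBUID"))
echo "namespace uid 1000 -> host uid $(translate_uid 1000 "$map")"
check_user carol 1001 "$SAMPLE_SUBUID" || :
```

The translate step is the practical check to run before sharing a directory: a guest uid beyond the assigned range (here anything above 65536) is not mapped at all, so files virtiofsd creates for it on the host would fail or show up as the overflow uid, which is exactly the "limited to one uid/gid" situation the quoted message describes when no user namespace is available.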