Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces
From: Michael H. Warfield
Date: Fri May 16 2014 - 15:44:42 EST
On Fri, 2014-05-16 at 12:20 -0700, James Bottomley wrote:
> On Thu, 2014-05-15 at 21:42 -0400, Michael H. Warfield wrote:
> > On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> > > > PS - Apparently both parallels and Michael independently
> > > > project devices which are hot-plugged on the host into containers.
> > > > That also seems like something worth talking about (best practices,
> > > > shortcomings, use cases not met by it, any ways tha the kernel can
> > > > help out) at ksummit/linuxcon.
> >
> > > I was told that containers would never want devices hotplugged into
> > > them.
> >
> > Interesting. You were told they (who they?) would never want them? Who
> > said that? I would have never thought that given that other
> > implementations can provide that. I would certainly want them. Seems
> > strange to explicitly relegate LXC containers to being second class
> > citizens behind OpenVZ, Parallels, BSD Gaols, and Solaris Zones.
> That would probably be me. Running hotplug inside a container is a
> security problem and, since containers are easily entered by the host,
> it's very easy to listen for the hotplug in the host and inject it into
> the container using nsenter.
In all virtualization... The host, particularly root on the host,
exists as deus ex machina, the "god outside the machine". They are at
my mercy. Even hardware virtualization can not protect you from the
host. You wanna hear some frightening talks on virtualization, catch
Joanna (miss little blue pill) Rutkowska some time. I'm particularly
interesting in her takes on the "anti evil-maid attacks" and I sat in on
her talks on the "north bridge" and "south bridge" malware evasion
techniques. She's a good speaker who makes powerful points that makes
you sweat but is pleasant in face to face conversation. I've played
with her Qubes distribution a couple of times and the way it works with
the TPM to insure a secure boot is interesting. But that's a completely
different topic on trusted computing.
OTOH, there are plenty of other things to worry about in all forms of
virtualization. At Internet Security Systems, where I was a founder,
fellow, and "X-Force Senior Wizard", we were looking at the ability to
leak information through the USB subsystem. No isolation is perfect,
especially when you have USB enabled.
But that's my turf.
> I don't think the intention is to label anyone's implementation as
> preferred. What this shows, I think, is that we all have different
> practises when it comes to setting up containers. Some are necessary
> because our containers are different. Some could do with serious
> examination to see if there's really a best way to do the action which
> we would then all use.
And I hope to contribute to the discussion of said actions.
> > I might believe you were never told they would need them, but that's a
> > totally different sense. Are we going to tell RedHat and the Docker
> > people that LXC is an inferior technology that is complex and unreliable
> > (to quote another poster) compared to these others? They're saying this
> > will be enterprise technology. If I go to Amazon AWS or other VPS
> > services and compare, are we not going to stand on a level playing
> > field? Admittedly, I don't expect Amazon AWS to provide me with serial
> > consoles, but I do expect to be able to mount file system images within
> > my VPS.
> Well, that's another nasty, isn't it. We all have different ways of
> coping with mount in the container. I think at plumbers we need to sit
> down with some of this plumbing and work out which pipes carry the same
> fluids and whether we could unify them.
Concur
> As an aside (probably requiring a new thread) we were wondering about
> some type of notifier on the mount call that we could vector into the
> host to perform the action. The main issue for us is mount of procfs,
> which really needs to be a bind mount in a container. All of this led
> me to speculate that we could use some type of syscall notifier
> mechanism to manage capabilities in the host and even intercept and
> complete the syscall action within the host rather than having to keep
> evolving more an more complex kernel drivers to do this.
Interesting. That could be very useful. That might even help with the
loop device case where the mounts have to go through loop devices for
things like file system images and builds. Very interesting...
> James
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
Attachment:
signature.asc
Description: This is a digitally signed message part