Proposal: Put the 3 bind mounted network files into a size-limited loopback filesystem #14956
Labels
area/networking
area/runtime
kind/enhancement
Enhancements are not bugs or new features but can improve usability or performance.
Issue:
The docker daemon creates the 3 configuration files /etc/resolv.conf, /etc/hostname, and /etc/hosts in the in the filesystem of the host and then bind mounts them into the filesystem of the container. To leave control over these files and aspects of network configuration to the container user, they need to be writeable. The problem that arises with these bind-mounted files being writeable is that a user can write large amounts of data into these 3 files and fill up the host's disk, which can lead to adverse side effects.
Proposed solution:
We propose a solution in which the docker daemon creates a loopback mounted filesystem whose contents are held in a file whose size can be chosen via command line option.
In our current prototype code we experiment with the following command line:
docker run -ti --nwfiles-size 100 fedora /bin/bash
This command line causes the docker daemon to create a 100kb file, format it with ext4 filesystem, and mount it using a loopback device. It subsequently writes the contents of the above mentioned 3 files into files in this filesystem and bind-mounts them as usual.
The result then is the following:
The container user was only able to create a file with 33kb size.
Implementation details:
The prototype code is located here:
https://github.com/stefanberger/docker/commits/loopbackfs
The go code calls into an external script called 'dockerloopfs' that takes the following parameters for setting up this filesystem:
The script internally checks whether the filesystem has already been mounted and returns.
It creates the file of the given size otherwise and mounts it; if new loopback devices need to be created, it creates a new one using 'mknod'. The reason for having to create additional loopback devices is that typically only 8 loopback devices are available but many more containers can be created.
It seems easier to implement this functionality in an external (bash) script calling a sequence of tools rather than having golang code call a sequence of external tools.
A side effect of using many loopback devices may be that other software, that counts on the availability of a free loopback devices, will now have to create additional loopback devices.
Contacts
Stefan Berger stefanb@us.ibm.com
Salman Baset sabaset@us.ibm.com
The text was updated successfully, but these errors were encountered: