-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow fuse in systemd-nspawn containers #17607
Comments
@paravoid Uhhh.... And wow does it work.... This one-line, eight-character simple patch is exactly what we needed, even without being tested. Thank you! (Well, err, I guess we just tested it) Technically our usage case makes significant use of nspawn and we've been having difficulties with everything from filesystem binds when our usage case involves I am curious as to whether any issues (security or otherwise) will occur with this patch, but we're hopeful considering at least we have it working and no longer need to rely on unnecessarily redundant data consuming large amounts of disk space anymore. If we come across any issues regarding this patch, I will post another comment. The only one I can think of currently would be where the userspace FUSE tools are not present on the container or host system and the device itself would be unnecessary in that case. I do hope, however, that the systemd developers (presumably in combination with the kernel developers) inevitably decide upon a preferred solution, but, well, this should work for now in our systems! Thanks again! |
Thank you for testing this and reporting back!
The most obvious one is that older kernels (for mainline that's <= 4.17), there was no namespace support for fuse, and this has no version check, which I believe would create an insecure confiugration. In another issue @poettering expressed his preference for guarding a similar feature behind a kernel feature flag, rather than a version check (to account for backports etc.), but I'm not sure what we could check here to conditionally enable this support. |
If there's no sane way to check for the feature explicitly I figure we could query the fuse minor version FUSE_KERNEL_MINOR_VERSION) from the device and base things on that. |
(i.e. the point i am making, if we have to do a version check, then it should be a runtime hceck against the fuse version, and not the kernel. i.e. the more focussed and dynamic the better, since people backport features all the time to older kernels) Anyway, happy to review/merge a patch for this. |
I'm investigating how to complete this issue. Apparently it "only" needs a run-time version check on the fuse version, but I've not been able to figure out how that should be done.
Guidance please! |
@poettering, in #2178 (comment) (Dec 2015) wrote:
and in #7669 (comment) (Dec 2017) also wrote:
Evidently, this has actually changed :) Linux torvalds/linux@da315f6 (v4.18-rc1); excerpt from the commit message:
Given
@mount
is already part of the seccomp allow list for nspawn, and even/sys/fs/fuse/
is exposed, I think that, effectively, this should do it (completely untested):#2178 (sshfs) and #6553 (glusterfs) have some real-world use cases. I'm interested in fuse-overlayfs (for podman) myself.
The text was updated successfully, but these errors were encountered: