I have been running systemd-nspawn containers on top of a btrfs
filesystem for a while now.

This works great: Snapshots are a huge help to manage containers!

But today I ran btrfs subvol list . *inside* a container. To my
surprise I got a list of *all* subvolumes on that drive. That is
basically a complete list of containers running on the machine. I do
not want to have that kind of information exposed to my containers.

You seem to be running a privileged container, i.e. the container's root is the same UID as host root. This is typically undesired and means that your containers have full access to data on the host and in other containers.

For the record, with a privileged container you can not only list the subvolumes, but also read disk data (i.e. dd if=/dev/sda) or even destroy that data (dd if=/dev/zero of=/dev/sda).

So, think twice if the container setup you have is what you want!

LXD makes it particularly easy to run unprivileged containers: https://linuxcontainers.org/ (it starts containers as unprivileged by default, and has lots of goodies in general).


Tomasz Chmielewski
http://wpkg.org
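As an added example (not code from the thread or from any of the projects mentioned), a POSIX shell check for the distinction the reply draws: it reads /proc/self/uid_map to tell whether uid 0 inside the container is host root, and tests whether a host block device node such as /dev/sda is even reachable. The sample map lines written by main are constructed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. In a "privileged"
# systemd-nspawn container root inside is host root, so /proc/self/uid_map
# shows the identity mapping "0 0 4294967295"; an unprivileged container
# (nspawn --private-users, LXD's default) maps uid 0 to a plain host uid.

# classify_uid_map FILE: prints "privileged" if inside uid 0 maps to host
# uid 0, "unprivileged" if it maps elsewhere, "unmapped" if uid 0 has no
# host identity at all.
classify_uid_map() {
    result="unmapped"
    while read -r inside outside count; do
        # A mapped range that covers inside uid 0 must start at 0.
        if [ "$inside" -eq 0 ]; then
            if [ "$outside" -eq 0 ]; then
                result="privileged"
            else
                result="unprivileged"
            fi
            break
        fi
    done < "$1"
    printf '%s\n' "$result"
}

# block_device_reachable DEV: succeeds only if DEV is a block device node
# this process may open for reading (the reply's dd if=/dev/sda case).
block_device_reachable() {
    [ -b "$1" ] && [ -r "$1" ]
}

main() {
    # Constructed sample maps, so both outcomes can be shown offline.
    tmp="$(mktemp -d)"
    printf '0 0 4294967295\n' > "$tmp/privileged.map"
    printf '0 100000 65536\n'  > "$tmp/unprivileged.map"
    for f in "$tmp"/*.map; do
        printf '%s -> %s\n' "${f##*/}" "$(classify_uid_map "$f")"
    done
    rm -rf "$tmp"
    # Live check of the process running this script.
    [ -r /proc/self/uid_map ] && printf 'this process: %s\n' "$(classify_uid_map /proc/self/uid_map)"
    if block_device_reachable /dev/sda; then
        echo "/dev/sda is readable here: the whole host disk is exposed"
    else
        echo "/dev/sda is not reachable here"
    fi
}
main
```

Run it from inside the container: "privileged" plus a readable /dev/sda is exactly the setup the reply warns about.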

