On Tue, Jul 28, 2020 at 12:00:20PM +0200, Roman Mohr wrote: > On Tue, Jul 28, 2020 at 3:07 AM misono.tomoh...@fujitsu.com < > misono.tomoh...@fujitsu.com> wrote: > > > > Subject: [PATCH v2 3/3] virtiofsd: probe unshare(CLONE_FS) and print an > > error > > > > > > An assertion failure is raised during request processing if > > > unshare(CLONE_FS) fails. Implement a probe at startup so the problem can > > > be detected right away. > > > > > > Unfortunately Docker/Moby does not include unshare in the seccomp.json > > > list unless CAP_SYS_ADMIN is given. Other seccomp.json lists always > > > include unshare (e.g. podman is unaffected): > > > > > https://raw.githubusercontent.com/seccomp/containers-golang/master/seccomp.json > > > > > > Use "docker run --security-opt seccomp=path/to/seccomp.json ..." if the > > > default seccomp.json is missing unshare. > > > > Hi, sorry for a bit late. > > > > unshare() was added to fix xattr problem: > > > > https://github.com/qemu/qemu/commit/bdfd66788349acc43cd3f1298718ad491663cfcc# > > In theory we don't need to call unshare if xattr is disabled, but it is > > hard to get to know > > if xattr is enabled or disabled in fv_queue_worker(), right? > > > > > In kubevirt we want to run virtiofsd in containers. We would already not > have xattr support for e.g. overlayfs in the VM after this patch series (an > acceptable con at least for us right now). > If we can get rid of the unshare (and potentially of needing root) that > would be great. We always assume that everything which we run in containers > should work for cri-o and docker.
Root is required to access files with any uid/gid. Dave Gilbert is working on xattr support without CAP_SYS_ADMIN. He may be able to find a way to drop unshare (at least in containers). > "Just" pointing docker to a different seccomp.json file is something which > k8s users/admin in many cases can't do. There is a Moby PR to change the default seccomp.json file here but it's unclear if it will be merged: https://github.com/moby/moby/pull/41244 Stefan
signature.asc
Description: PGP signature