> > We consider mounting untrusted filesystems on the host kernel to be
> > an unacceptable security risk. A user can craft a malicious filesystem
> > that exploits bugs in the kernel filesystem drivers. This is particularly
> > bad if you allow the kernel to probe for filesystem type since Lin
On Fri, Jul 11, 2014 at 09:53:47AM -0400, Eric Windisch wrote:
> >
> >
> > > Actually, there's a hidden assumption here that makes this statement not
> > > necessarily correct for containers. You're assuming the container has
> > > to have raw access to the device it's mounting. For hypervisors,
>
>
> > Actually, there's a hidden assumption here that makes this statement not
> > necessarily correct for containers. You're assuming the container has
> > to have raw access to the device it's mounting. For hypervisors, this
> > is true, but it doesn't have to be for containers because the mo
On Thu, Jul 10, 2014 at 08:19:36AM -0700, James Bottomley wrote:
> On Thu, 2014-07-10 at 14:47 +0100, Daniel P. Berrange wrote:
> > On Thu, Jul 10, 2014 at 05:36:59PM +0400, Dmitry Guryanov wrote:
> > > I have a question about mounts - in OpenVZ project each container has its
> > > own
> > > file
On Thu, 2014-07-10 at 14:47 +0100, Daniel P. Berrange wrote:
> On Thu, Jul 10, 2014 at 05:36:59PM +0400, Dmitry Guryanov wrote:
> > I have a question about mounts - in OpenVZ project each container has its
> > own
> > filesystem in an image file. So to start a container we mount this
> > filesys
On Thu, Jul 10, 2014 at 06:18:52PM +0400, Dmitry Guryanov wrote:
> On Thursday 10 July 2014 14:47:11 Daniel P. Berrange wrote:
> > On Thu, Jul 10, 2014 at 05:36:59PM +0400, Dmitry Guryanov wrote:
> > > I have a question about mounts - in OpenVZ project each container has its
> > > own filesystem in
On Thursday 10 July 2014 14:47:11 Daniel P. Berrange wrote:
> On Thu, Jul 10, 2014 at 05:36:59PM +0400, Dmitry Guryanov wrote:
> > I have a question about mounts - in OpenVZ project each container has its
> > own filesystem in an image file. So to start a container we mount this
> > filesystem in h
On Thu, Jul 10, 2014 at 05:57:46PM +0400, Dmitry Guryanov wrote:
> On Tuesday 08 July 2014 14:10:25 Michael Still wrote:
> > Joe has a good answer, but you should also be aware of the hypervisor
> > support matrix (https://wiki.openstack.org/wiki/HypervisorSupportMatrix),
> > which hopefully comes
On Tuesday 08 July 2014 14:10:25 Michael Still wrote:
> Joe has a good answer, but you should also be aware of the hypervisor
> support matrix (https://wiki.openstack.org/wiki/HypervisorSupportMatrix),
> which hopefully comes some way to explaining what we expect of a nova
> driver.
I've seen this
On Monday 07 July 2014 16:11:21 Joe Gordon wrote:
> On Jul 3, 2014 11:43 AM, "Dmitry Guryanov" wrote:
> > Hi, All!
> >
> > As far as I know, there are some requirements, which virt driver must meet to
> > use Openstack 'label'. For example, it's not allowed to mount cinder volumes
On Thu, Jul 10, 2014 at 05:36:59PM +0400, Dmitry Guryanov wrote:
> I have a question about mounts - in OpenVZ project each container has its own
> filesystem in an image file. So to start a container we mount this filesystem
> in host OS (because all containers share the same linux kernel). Is it
On Monday 07 July 2014 16:11:21 Joe Gordon wrote:
> On Jul 3, 2014 11:43 AM, "Dmitry Guryanov" wrote:
> > Hi, All!
> >
> > As far as I know, there are some requirements, which virt driver must meet to
> > use Openstack 'label'. For example, it's not allowed to mount cinder volumes
Joe has a good answer, but you should also be aware of the hypervisor
support matrix (https://wiki.openstack.org/wiki/HypervisorSupportMatrix),
which hopefully comes some way to explaining what we expect of a nova
driver.
Cheers,
Michael
On Tue, Jul 8, 2014 at 9:11 AM, Joe Gordon wrote:
>
> On J
On Jul 3, 2014 11:43 AM, "Dmitry Guryanov" wrote:
>
> Hi, All!
>
> As far as I know, there are some requirements, which virt driver must meet to
> use Openstack 'label'. For example, it's not allowed to mount cinder volumes
> inside host OS.
I am a little unclear on what your question is. If it i
Hi, All!
As far as I know, there are some requirements, which virt driver must meet to
use Openstack 'label'. For example, it's not allowed to mount cinder volumes
inside host OS.
Are there any documents, describing all such things? How can I determine, if
my virtualization driver for nova (de