Re: [openstack-dev] [Zun] Containers in privileged mode

2018-01-03 Thread Hongbin Lu
On Wed, Jan 3, 2018 at 10:41 AM, João Paulo Sá da Silva <
joao-sa-si...@alticelabs.com> wrote:

> Hello,
>
> I created the BP:
> https://blueprints.launchpad.net/zun/+spec/add-capacities-to-containers .
>
Thanks for creating the BP.


>
> About the clear containers, I'm not quite sure how using them solves my
> capabilities situation. Can you elaborate on that?
>
What I was trying to say is that Zun offers a choice of container runtime:
runc or Clear Containers. I am not sure how Clear Containers deal with
capabilities and privilege escalation. I will leave this question to others.


>
> Will Zun ever be able to launch LXD containers?
>
Not for now. Only Docker is supported.


>
> Kind regards,
>
> João
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Zun] Containers in privileged mode

2018-01-03 Thread João Paulo Sá da Silva
Hello,

I created the BP: 
https://blueprints.launchpad.net/zun/+spec/add-capacities-to-containers .

About the clear containers, I'm not quite sure how using them solves my 
capabilities situation. Can you elaborate on that?

Will zun ever be able to launch LXD containers?

Kind regards,
João


Re: [openstack-dev] [Zun] Containers in privileged mode

2018-01-02 Thread Hongbin Lu
Please find my reply inline.

Best regards,
Hongbin

On Tue, Jan 2, 2018 at 2:06 PM, João Paulo Sá da Silva <
joao-sa-si...@alticelabs.com> wrote:

> Thanks for your answer, Hongbin, it is very appreciated.
>
> The use case is to use Virtualized Network Functions in containers instead
> of virtual machines. The rationale for using containers instead of VMs is
> better VNF density in resource-constrained hosts.
>
> The goal is to have several VNFs (DHCP, FW, etc.) running on a severely
> resource-constrained OpenStack compute node. But without the NET_ADMIN cap I
> can't even start dnsmasq.
>
Makes sense. Would you help by writing a blueprint for this feature:
https://blueprints.launchpad.net/zun ? We use blueprints to track all
requested features.


>
> Is it possible to use Clear Containers with Zun/OpenStack?
>
Yes, it is possible. We are adding documentation about that:
https://review.openstack.org/#/c/527611/ .

>
> From checking Gerrit it seems that this point was already addressed and
> dropped? Regarding the security concerns I disagree: if users choose to
> allow such a situation they should be allowed to.
>
> It is the user's responsibility to recognize the dangers and act
> accordingly.
>
> In Neutron you can go as far as fully disabling port security; this was
> implemented again with VNFs in mind.
>
Makes sense as well. IMHO, we should disallow privilege escalation by
default, but I am open to introducing a configurable option to allow it. I
can see this is necessary for some use cases. Cloud administrators should
be reminded of the security implications of doing that.


>
> Kind regards,
>
> João


[openstack-dev] [Zun] Containers in privileged mode

2018-01-02 Thread João Paulo Sá da Silva
Thanks for your answer, Hongbin, it is very appreciated.

The use case is to use Virtualized Network Functions in containers instead of
virtual machines. The rationale for using containers instead of VMs is better
VNF density in resource-constrained hosts.
The goal is to have several VNFs (DHCP, FW, etc.) running on a severely
resource-constrained OpenStack compute node. But without the NET_ADMIN cap I
can't even start dnsmasq.

Is it possible to use Clear Containers with Zun/OpenStack?

From checking Gerrit it seems that this point was already addressed and
dropped? Regarding the security concerns I disagree: if users choose to allow
such a situation they should be allowed to.
It is the user's responsibility to recognize the dangers and act accordingly.

In Neutron you can go as far as fully disabling port security; this was
implemented again with VNFs in mind.

Kind regards,
João



Re: [openstack-dev] [Zun] Containers in privileged mode

2018-01-02 Thread Hongbin Lu
Hi Joao,

Right now, it is impossible to create containers with escalated privileges,
such as setting privileged mode or adding additional caps. This is
intentional, for security reasons. Basically, what Zun currently provides is
"serverless" containers, which means Zun is not using VMs to isolate
containers (people who want isolation as strong as a VM's can choose a
secure container runtime such as Clear Containers). Therefore, it is
insecure to give users control of any kind of privilege escalation.
However, if you want this feature, I would love to learn more about the use
cases.

Best regards,
Hongbin

On Tue, Jan 2, 2018 at 10:20 AM, João Paulo Sá da Silva <
joao-sa-si...@alticelabs.com> wrote:

> Hello!
>
> Is it possible to create containers in privileged mode or to add caps such
> as NET_ADMIN?
>
> Kind regards,
>
> João
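Hongbin's two points in this thread, that Zun refuses both privileged mode and extra capabilities, and (in his later reply further up) that a deny-by-default, operator-configurable gate would be acceptable, come down to capability-set arithmetic on the request and a check on the running process. The Python below is an added example, not Zun or Docker code: the request and policy objects are assumptions that mirror the docker CLI's --privileged/--cap-add/--cap-drop flags, the capability bit numbers are those of linux/capability.h, and the /proc status text is constructed. It computes the bounding set a request yields, refuses what the policy does not allow, and decodes CapEff from /proc/<pid>/status so an operator can confirm that a container such as the dnsmasq case holds only what was admitted.

```python
"""Capability accounting for container requests. Added example for the Zun
thread; not Zun or Docker code. The request/policy fields mirror the docker
CLI's --privileged/--cap-add/--cap-drop flags and are assumptions; the sample
/proc status text is constructed. Bit numbers follow linux/capability.h."""
from dataclasses import dataclass, field

# Capability names indexed by bit number (38 capabilities on 4.x kernels).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
ALL_CAPS = frozenset(CAP_NAMES)

# What docker grants an unprivileged container with no --cap-add/--cap-drop;
# on a 38-capability kernel this shows up as CapEff 00000000a80425fb.
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID",
    "CAP_SYS_CHROOT",
})


def cap_name(raw):
    """Normalise 'NET_ADMIN' or 'cap_net_admin' (docker accepts both forms)."""
    raw = raw.upper()
    return raw if raw.startswith("CAP_") else "CAP_" + raw


@dataclass
class ContainerRequest:
    privileged: bool = False
    cap_add: list = field(default_factory=list)
    cap_drop: list = field(default_factory=list)


@dataclass
class OperatorPolicy:
    """Hypothetical operator config: everything beyond the default is opt-in."""
    allow_privileged: bool = False
    cap_add_allowlist: frozenset = frozenset()


def effective_caps(req):
    """Bounding set the request yields, following the docker CLI rules:
    --privileged is every capability; otherwise start from the default set,
    apply --cap-drop (ALL empties it), then --cap-add (ALL fills it)."""
    if req.privileged:
        return ALL_CAPS
    drops = {cap_name(c) for c in req.cap_drop}
    adds = {cap_name(c) for c in req.cap_add}
    if "CAP_ALL" in adds:
        return ALL_CAPS
    base = set() if "CAP_ALL" in drops else set(DOCKER_DEFAULT_CAPS) - drops
    return frozenset(base | adds)


def policy_violations(req, policy):
    """Reasons to refuse the request; an empty list means admit it."""
    if req.privileged:
        return [] if policy.allow_privileged else [
            "privileged mode is disabled by operator policy"]
    extra = effective_caps(req) - DOCKER_DEFAULT_CAPS
    return [f"{c} is not in the operator cap_add allowlist"
            for c in sorted(extra - policy.cap_add_allowlist)]


def decode_capset(hex_mask):
    """Turn a /proc/<pid>/status mask such as the CapEff value into names."""
    mask = int(hex_mask, 16)
    return frozenset(n for i, n in enumerate(CAP_NAMES) if (mask >> i) & 1)


def parse_cap_eff(status_text):
    """Effective capabilities from the contents of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_capset(line.split()[1])
    raise ValueError("no CapEff line in status text")


def unexpected_caps(status_text, req):
    """Capabilities a running process holds beyond what its request allows;
    anything here means the runtime granted more than the API admitted."""
    return parse_cap_eff(status_text) - effective_caps(req)


# Constructed sample: /proc/1/status lines of dnsmasq in a container started
# with --cap-add NET_ADMIN (default set plus bit 12) on a 38-capability kernel.
SAMPLE_STATUS = ("Name:\tdnsmasq\nCapInh:\t0000000000000000\n"
                 "CapEff:\t00000000a80435fb\nCapBnd:\t00000000a80435fb\n")

if __name__ == "__main__":
    dns = ContainerRequest(cap_add=["NET_ADMIN"])
    policy = OperatorPolicy(cap_add_allowlist=frozenset({"CAP_NET_ADMIN"}))
    print("violations:", policy_violations(dns, policy))  # []
    print("denied by default:", policy_violations(dns, OperatorPolicy()))
    print("held beyond request:", sorted(unexpected_caps(SAMPLE_STATUS, dns)))
```

Two things the arithmetic makes visible. First, --privileged is strictly more than cap_add=ALL: docker also hands the container every host device and drops the seccomp and AppArmor confinement, so an operator allowlist of named capabilities is the narrower way to unblock the dnsmasq case. Second, how much CAP_NET_ADMIN is worth depends on the network namespace: inside the container's own namespace it configures that namespace's interfaces, but with the host network namespace it configures the host, so the policy check and the CapEff check are both worth pairing with a check of the container's network mode.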


[openstack-dev] [Zun] Containers in privileged mode

2018-01-02 Thread João Paulo Sá da Silva
Hello!

Is it possible to create containers in privileged mode or to add caps such as
NET_ADMIN?

Kind regards,
João
