qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandb


From: Colin Walters
Subject: Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?
Date: Thu, 29 Sep 2022 11:47:32 -0400
User-agent: Cyrus-JMAP/3.7.0-alpha0-968-g04df58079d-fm-20220921.001-g04df5807


On Thu, Sep 29, 2022, at 10:10 AM, Vivek Goyal wrote:

> What's your use case. How do you plan to use virtiofs.

At the current time, the Kubernetes that we run does not support user 
namespaces.  We want to do the production builds of our operating system 
(Fedora CoreOS and RHEL CoreOS) today inside an *unprivileged* Kubernetes pod 
(actually in OpenShift using anyuid, i.e. random unprivileged uid too), just 
with /dev/kvm exposed from the host (which is safe).  Operating system builds 
*and* tests in qemu are just another workload that can be shared with other 
tenants.

qemu works fine in this model, as does 9p.  It's just the virtiofs isolation 
requires privileges to be used today.





reply via email to

[Prev in Thread] Current Thread [Next in Thread]