linux-btrfs.vger.kernel.org archive mirror
From: Liu Bo <bo.li.liu@oracle.com>
To: Chris Murphy <lists@colorremedies.com>
Cc: Tobias Hunger <tobias.hunger@gmail.com>,
	Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: btrfs and containers
Date: Tue, 8 Mar 2016 11:58:57 -0800	[thread overview]
Message-ID: <20160308195857.GB26981@localhost.localdomain> (raw)
In-Reply-To: <CAJCQCtSPEY1c-=GTJwH3-qRNxGCEsd0bVu9A_srdFt03bX7BcQ@mail.gmail.com>

On Mon, Mar 07, 2016 at 04:45:09PM -0700, Chris Murphy wrote:
> On Mon, Mar 7, 2016 at 3:55 PM, Tobias Hunger <tobias.hunger@gmail.com> wrote:
> > Hi,
> >
> > I have been running systemd-nspawn containers on top of a btrfs
> > filesystem for a while now.
> >
> > This works great: Snapshots are a huge help to manage containers!
> >
> > But today I ran btrfs subvol list . *inside* a container. To my
> > surprise I got a list of *all* subvolumes on that drive. That is
> > basically a complete list of containers running on the machine. I do
> > not want to have that kind of information exposed to my containers.
> >
> > Is there a way to stop btrfs from listing subvolumes "above" the
> > current location? So that "btrfs subvol list /" in a container will
> > only show subvolumes that are set up in the container?

That's a good question.

Looks like "btrfs subvolume list -o" matches the needs here.

> 
> I'm not sure whether this is something that goes in Btrfs proper,
> since this is presumably a privileged container? The same thing
> happens with Docker containers. One way to do this is if it's not
> privileged, as non-root can't list subvolumes. I think some work is
> needed to make it possible for users to list subvolumes they own.
> Right now a user can create a subvolume but then not list or get
> information on it. By default they can't delete it either unless a
> special mount option is used. So I think there's work that's needed
> one way or another, and maybe in more than one part.

Unfortunately, the various uses of 'btrfs subvolume list' are built on top of the TREE_SEARCH ioctl,
which requires CAP_SYS_ADMIN.

So what we need here might be to teach 'btrfs sub list' to recognize
the container's CAP_SYS_XXX (if this is possible?)

Thanks,

-liubo

> 
> -- 
> Chris Murphy


Thread overview: 16+ messages
2016-03-07 22:55 btrfs and containers Tobias Hunger
2016-03-07 23:45 ` Chris Murphy
2016-03-08 19:58   ` Liu Bo [this message]
2016-03-08 21:28     ` Chris Murphy
2016-03-09 12:15       ` Austin S. Hemmelgarn
2016-03-10  2:55         ` Duncan
2016-03-10 17:04           ` Austin S. Hemmelgarn
2016-03-10 19:35             ` Chris Murphy
2016-03-10 22:34               ` Liu Bo
2016-03-11  2:50               ` Duncan
2016-03-08 12:12 ` Austin S. Hemmelgarn
2016-03-09 21:10 ` Marc MERLIN
2016-03-09 21:21   ` Chris Murphy
2016-03-09 21:45     ` Marc MERLIN
2016-03-09 23:28       ` Rich Freeman
  -- strict thread matches above, loose matches on Subject: below --
2016-03-11  3:55 Tomasz Chmielewski
