From: "Steven Dake (stdake)" <stdake@cisco.com>
To: "linux-lvm@redhat.com" <linux-lvm@redhat.com>
Subject: Re: [linux-lvm] disabling udev_sync and udev_rules
Date: Wed, 16 Mar 2016 16:58:32 +0000
Message-ID: <D30EDE5A.19FFD%stdake@cisco.com>
In-Reply-To: <56E98F71.5000706@redhat.com>
On 3/16/16, 9:53 AM, "linux-lvm-bounces@redhat.com on behalf of Zdenek
Kabelac" <linux-lvm-bounces@redhat.com on behalf of zkabelac@redhat.com>
wrote:
>Dne 16.3.2016 v 17:17 Serguei Bezverkhi (sbezverk) napsal(a):
>> Hi John,
>>
>> At least in our situation, Dockers do not own LVs, and nothing prevents,
>> in theory, an LV created by a process in one container from being removed
>> by another process in another container. It is exactly the same as if two
>> processes were trying to do the same thing. In both cases, if a volume is
>> busy, no process will be able to remove it.
>>
>> In our case, dockers are more like a process wrapper; it does not hold
>> any resources other than what it needs to run this one process.
>>
>> I hope it clarifies a bit the approach we took.
>>
>
>Giving a docker container root privileges to execute lvm2 commands (or in
>effect any other root commands!) is just not how docker is supposed to be
>used (IMHO).
>
>You are just making the security hole bigger and bigger...
>
>But I assume there is no way to convince you it's a serious mistake with
>this approach...
>
>Regards
>
>Zdenek
Zdenek,
Our project (kolla) assumes the host is completely secured and used for
one purpose (deployed OpenStack). This is not a general purpose solution
for those that want to share the host with other applications outside of
the scope of one application (OpenStack) per physical machine.
We run the lvm commands via sudo with an appropriate locked down sudoers
file.
Regards,
-steve
>
>
>>
>> -----Original Message-----
>> From: linux-lvm-bounces@redhat.com
>>[mailto:linux-lvm-bounces@redhat.com] On Behalf Of John Stoffel
>> Sent: Wednesday, March 16, 2016 11:43 AM
>> To: LVM general discussion and development <linux-lvm@redhat.com>
>> Subject: Re: [linux-lvm] disabling udev_sync and udev_rules
>>
>>
>> So what's to keep a docker container from deleting all your other LVs
>>that it shouldn't know about?
>>
>> If I have a VG called containers, with a bunch of LVs called c1, c2,
>> ... , cN.
>>
>> What is to keep c1 from nuking the LV in c2?
>>
>> John
>>
>> _______________________________________________
>> linux-lvm mailing list
>> linux-lvm@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-lvm
>> read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
>>
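Steve says the lvm commands run via sudo under a locked-down sudoers file, and John asks what keeps container c1 from removing c2's LV. The script below is an added example (not kolla's code and not from this thread) of one way a defender can scope such a sudo grant to a per-container LV namespace: sudoers pins the first argument (the container's scope) so the caller cannot choose it, and a small root-owned wrapper refuses any LV name outside that scope before it ever calls lvremove. The VG name `containers` (borrowed from John's example), the `<scope>_<name>` naming convention, the wrapper path and the sudoers line are all assumptions. The name check lives in the wrapper rather than in sudoers because sudoers argument globs match across argument boundaries and cannot express "this LV belongs to this caller".

```shell
#!/bin/sh
# Hypothetical scoped lvremove wrapper (constructed example, not kolla's code).
# Meant to be the ONLY command a container's service account may run via sudo,
# with the scope pinned by a sudoers line such as (assumed, not from the thread):
#   kolla_c1 ALL=(root) NOPASSWD: /usr/local/sbin/lvremove-scoped c1 *
# The wrapper must be root-owned and not writable by the container account.

VG="containers"   # constructed VG name, per John's example in the thread

# lv_allowed SCOPE LV: returns 0 when LV lies inside the caller's namespace
# ("<scope>_<something>"), 1 otherwise. Any character outside a conservative
# allow-list is rejected, so "../c2_data" or "c1_data;rm" never reach lvremove.
lv_allowed() {
    scope="$1"
    lv="$2"
    case "$scope" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    case "$lv" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    case "$lv" in
        "${scope}_"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# scoped_remove SCOPE LV: removes /dev/$VG/LV only if the name check passes.
scoped_remove() {
    scope="$1"
    lv="$2"
    if ! lv_allowed "$scope" "$lv"; then
        echo "refusing: LV '$lv' is outside scope '$scope'" >&2
        return 1
    fi
    lvremove -y "/dev/$VG/$lv"
}

# Command-line entry point; sudoers guarantees $1 is the caller's own scope.
if [ "$#" -gt 0 ]; then
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 SCOPE LV" >&2
        exit 2
    fi
    scoped_remove "$1" "$2"
fi
```

With this in place, a request from the c1 account for `c1_data` is carried out, while `c2_data`, `c10_data`, or anything carrying path or shell metacharacters is refused and logged to stderr before lvremove runs. It does not address the broader point Zdenek raises (root-level LVM access from inside a container at all); it only narrows what that access can reach.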
2016-03-15 22:31 [linux-lvm] disabling udev_sync and udev_rules Serguei Bezverkhi (sbezverk)
2016-03-15 22:56 ` Zdenek Kabelac
2016-03-15 23:13 ` Serguei Bezverkhi (sbezverk)
2016-03-15 23:52 ` Steven Dake (stdake)
2016-03-16 8:06 ` Zdenek Kabelac
2016-03-16 13:37 ` Steven Dake (stdake)
2016-03-16 15:05 ` Zdenek Kabelac
2016-03-16 15:11 ` Serguei Bezverkhi (sbezverk)
2016-03-16 15:42 ` John Stoffel
2016-03-16 16:17 ` Serguei Bezverkhi (sbezverk)
2016-03-16 16:53 ` Zdenek Kabelac
2016-03-16 16:58 ` Steven Dake (stdake) [this message]