Rework privileged mode and host-path volumes for modular libvirt

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | New | High | Unassigned |
Bug Description
Some of the modular libvirt containers do not require privileged execution mode. Also, for some of them, redundant /dev bind-mounts may be omitted. Finally, some may be removed altogether, e.g. nova does not use libvirt storage pools.
NOTE: The mixed-versions spec https:/
The host/container match requirement is just because the assumption is that privileged containers are likely to be using privileged kernel features.
We could w/a that by listing required capabilities instead of using the --privileged flag. Even if that would mean retaining the full list of CAPs, as if it were privileged...
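A way to verify the outcome of that approach on a running host, as an added example that is not part of this bug report or of tripleo: decode the CapEff mask a process reports in /proc/<pid>/status into capability names and diff it against the allow-list you intended to grant, so a container that has "dropped --privileged" can be checked for what it actually holds. Bit numbers come from linux/capability.h; the sample mask and the virtqemud allow-list are constructed here from the AppArmor lines quoted later in this bug plus sys_resource, and are assumptions, not tripleo configuration.

```shell
#!/bin/sh
# Added example (not from the bug report or tripleo): decode a Linux capability
# bitmask (CapEff/CapBnd as printed in /proc/<pid>/status) and report which
# capabilities exceed an intended allow-list.

# Capability names in bit order 0..40, from linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_decode HEXMASK: print the name of every bit set in HEXMASK, one per line,
# in ascending bit order.
cap_decode() {
    mask=$((0x$1))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        bit=$((bit + 1))
    done
}

# cap_excess HEXMASK "allowed names": print capabilities that are set in the
# mask but absent from the allow-list. Returns 0 when there is no excess.
cap_excess() {
    mask=$1
    allowed=" $2 "
    rc=0
    for name in $(cap_decode "$mask"); do
        case "$allowed" in
            *" $name "*) ;;
            *) echo "$name"; rc=1 ;;
        esac
    done
    return $rc
}

# cap_of_pid PID: read the effective capability mask of a live process,
# e.g. the virtqemud process inside a container (real-system use only).
cap_of_pid() {
    awk '/^CapEff:/ {print $2}' "/proc/$1/status"
}

# Constructed sample input: the CapEff a --privileged container shows on a
# kernel with 41 capabilities, and the allow-list assumed for virtqemud
# (the capabilities quoted from the libvirt AppArmor profile plus sys_resource).
PRIVILEGED_MASK=000001ffffffffff
VIRTQEMUD_ALLOW="kill net_admin net_raw setgid sys_admin sys_module sys_ptrace \
sys_pacct sys_nice sys_chroot setuid dac_override dac_read_search fowner chown \
setpcap mknod fsetid audit_write ipc_lock sys_rawio bpf perfmon sys_resource"

# Usage: what a --privileged container holds beyond the virtqemud allow-list.
# On a real host replace PRIVILEGED_MASK with "$(cap_of_pid <pid>)".
echo "Capabilities held by a --privileged container but not in the allow-list:"
cap_excess "$PRIVILEGED_MASK" "$VIRTQEMUD_ALLOW" || true
```

The same check can be run against CapBnd to confirm the bounding set was narrowed by the container runtime rather than only the effective set of one process.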
Changed in tripleo: importance: Undecided → Medium
tags: added: tech-debt
Changed in tripleo: importance: Medium → High
description: updated
virtqemud, which CAPs it needs? https://www.spinics.net/linux/fedora/libvir/msg220303.html

# Needed when writing to the PCI config space
CAP_SYS_PACCT ??

https://listman.redhat.com/archives/libvir-list/2021-June/220345.html

# Needed for vfio
capability sys_resource

more to come: https://listman.redhat.com/archives/libvir-list/2021-June/220299.html
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+ capability sys_rawio,
+ capability bpf,
+ capability perfmon,
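Review bot: none of the 23 capability lines in this hunk carries a justification, whereas the two entries quoted just above it do ("Needed when writing to the PCI config space", "Needed for vfio"); since the point of this bug is to replace --privileged with an explicit list, each line (sys_module, sys_rawio, bpf and perfmon in particular) should get a comment naming the virtqemud code path that needs it, so a reviewer can judge whether it can be dropped later. The hunk also lacks `capability sys_resource`, which the preceding message in this thread marks as needed for vfio; either add it here or note where it is added.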