-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Alban Crequy <[email protected]>
- Loading branch information
Showing
2 changed files
with
46 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| --- | ||
| title: Use cases | ||
| weight: 10 | ||
| description: > | ||
| Use cases for the Seccomp Agent. | ||
| --- | ||
|
|
||
| There are several possible use cases for the Seccomp Agent. Not all of them are | ||
| implemented. | ||
|
|
||
| ## Mounting procfs in unprivileged containers | ||
|
|
||
| - unprivileged container builds (procfs mounts with masked entries) | ||
|
|
||
| ## Support for a subset of device mknod | ||
|
|
||
| A VPN container might need `/dev/net/tun` but cannot create the device without | ||
| `CAP_MKNOD`. Giving this capability to the container could be risky: the | ||
| container would be able to abuse the mknod call to get access to disks such as | ||
| `/dev/sda`. | ||
|
|
||
| The alternative could be to keep the container without `CAP_MKNOD` and add a | ||
| seccomp filter on `mknod` to let the Seccomp Agent run `mknod()` on behalf of | ||
| the container, | ||
|
|
||
| ## Userspace emulation of idmapped mounts | ||
|
|
||
| When running containers in a user namespace, the files in volumes could appear | ||
| to have wrong ownership. This could be fixed with shiftfs or the idmapped mount | ||
| patch set. But without that | ||
|
|
||
| See: | ||
| https://github.com/rootless-containers/subuidless | ||
|
|
||
| ## Accelerator for slirp4netns | ||
|
|
||
| When using slirp4netns as a networking solution for rootless containers, the | ||
| performance impact can be big. However, by capturing the `connect` call and | ||
| handling it in the seccomp agent, we avoid the performance impact: the network | ||
| traffic is no longer routed through a userspace process. | ||
|
|
||
| See: | ||
| https://github.com/rootless-containers/bypass4netns | ||
|
|