[ovs-dev] [PATCH 0/3][RFC] Implement a chroot for ovsdb-server
Flavio Leitner
fbl at redhat.com
Wed Jul 16 13:39:17 UTC 2014
On Fri, Jul 11, 2014 at 01:24:01PM +0200, Eric Sesterhenn wrote:
> Hi,
>
> on my Debian installation, the ovsdb-server is running as root. Since I
> prefer to add additional mitigations for running services, I was looking
> into putting the ovsdb-server into a chroot and implemented it in the
> following three patches.
>
> These patches are sent as a request for comments, since there are still
> some issues left. The first patch introduces a file descriptor leak, and
> some testcases fail when the chroot is enabled (these are 1293 1294 1297
> 1298 1299 1301). If --run-command is passed, the chroot is not active,
> since the ovsdb-server requires access to further files.
>
> Is this something worthwhile pursuing, or are there reasons why chrooting
> was not already implemented for ovsdb-server?
I liked the idea as well.
The main_loop refactoring is a nice thing even without the series, I find
the code easier to understand.
I don't think there is a need to pre-open files in /dev since they usually
are available inside of the chroot, right? I did a quick test with mock
and this is what I found in there:
<mock-chroot>[root at t520 /]# ls /dev
console full ptmx random stderr stdout urandom
fd null pts shm stdin tty zero
It's been a while since I worked with chroots though.
I also didn't understand why chroot to a writeable directory isn't allowed.
Thanks,
fbl
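As an added example (not Eric's patches and not Open vSwitch code), the following C sketch walks through the chroot sequence the thread discusses: it refuses a root directory that is not owned by root or is group/world writable (a writable root lets the service user build a new directory and chroot out of the jail, which is the usual reason such a directory is rejected), checks that the device nodes the daemon needs already exist inside the jail instead of pre-opening them, enters with fchdir/chroot and then closes the directory descriptor so no fd keeps pointing outside the new root, and finally drops privileges. The device-node list and the unprivileged uid/gid are assumptions chosen for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Device nodes a chrooted daemon typically still needs (assumed list). */
static const char *const needed_dev_nodes[] = { "dev/null", "dev/urandom" };

/* Returns 1 when a directory with owner 'owner' and mode 'mode' is acceptable
 * as a chroot root: a directory, owned by root, not writable by group/others. */
int chroot_dir_is_safe(uid_t owner, mode_t mode)
{
    if (!S_ISDIR(mode)) return 0;
    if (owner != 0) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Counts the needed device nodes that are missing below 'root'.
 * 0 means the daemon can chroot without pre-opening anything in /dev. */
int count_missing_dev_nodes(const char *root)
{
    char path[PATH_MAX];
    int missing = 0;
    size_t n = sizeof needed_dev_nodes / sizeof needed_dev_nodes[0];
    for (size_t i = 0; i < n; i++) {
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", root, needed_dev_nodes[i]);
        if (stat(path, &st) != 0) missing++;
    }
    return missing;
}

/* Enters 'dir' as the new root and drops to uid/gid. Returns 0 on success,
 * -1 with errno set on failure. Nothing irreversible happens until all
 * checks have passed. */
int enter_chroot(const char *dir, uid_t uid, gid_t gid)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;

    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!chroot_dir_is_safe(st.st_uid, st.st_mode)) {
        close(fd); errno = EPERM; return -1;
    }
    if (count_missing_dev_nodes(dir) != 0) {
        close(fd); errno = ENOENT; return -1;
    }

    /* fchdir + chroot(".") avoids a second path lookup; chdir("/") afterwards
     * guarantees the working directory is inside the new root. */
    if (fchdir(fd) != 0 || chroot(".") != 0 || chdir("/") != 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    /* Close the directory descriptor: an open fd that refers to a directory
     * outside the jail is both a descriptor leak and an escape route. */
    close(fd);

    /* Drop privileges: supplementary groups first, then gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/lib/openvswitch-jail"; /* assumed path */
    /* 65534 is the conventional "nobody" uid/gid on many systems (assumption). */
    if (enter_chroot(dir, 65534, 65534) != 0) {
        perror("enter_chroot");
        return 1;
    }
    printf("chrooted into %s, now running unprivileged\n", dir);
    return 0;
}
```

Run as root with the jail directory as the argument; as an unprivileged user the open/stat checks still run, but chroot itself will fail with EPERM, which is the intended outcome.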