Project: OpenShift Container Platform (OCP) Strategy
Issue: OCPSTRAT-688

Enable privileged containers to view rootfs of other containers

    • Program Call

      1. Proposed title of this feature request

      Enable privileged containers to view rootfs of other containers

       

      2. What is the nature and description of the request?

      The skip_mount_home=true field in /etc/containers/storage.conf causes the mount propagation of container mounts to not be private, which allows privileged containers to access the rootfs of other containers. This is a fix for bug 2065283 (see comment #32 [2]).

      This RFE is to enable that field by default in OpenShift and to verify that there are no performance regressions when applying it.

       

      3. Why does the customer need this? (List the business requirements here)

      Customer's use case:

      Our agent runs as a daemonset in k8s clusters and monitors the node.
      Running with mount propagation set to HostToContainer allows the agent to access any container file, including containers which start running after agent startup. With this setting, when a new container starts, a new mount is created and added to the host mount namespace and also to the agent container, and by that the agent can access the container files,
      e.g. the agent is mounted to /host and can access the filesystem of another container by the path
      /host/var/lib/containers/storage/overlay/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/merged/test_file

      This approach works in k8s clusters and OpenShift 3, but not in OpenShift 4. How can I make the agent pod get notified about any new mount which was created on the node and get access to it as well?

      The workaround for that was provided in bug 2065283 (see comment #32 [2]).
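The following script is an added example and is not part of this issue, of CRI-O or of OpenShift. It checks a node for the two facts sections 2 and 3 turn on: the effective skip_mount_home value in /etc/containers/storage.conf, and the propagation of the overlay storage directory that an agent bind-mounts with HostToContainer, which decides whether the rootfs of other containers is visible to it. The value parsing, the constructed sample configs and the "/host" prefix convention are assumptions of the example; the findmnt output format is the standard PROPAGATION column.

```shell
#!/bin/sh
# Added example, not part of the Jira issue or of any CRI-O/OpenShift code.
# Reports the effective skip_mount_home value in storage.conf and the mount
# propagation of the overlay storage directory on a node.

# Print the effective skip_mount_home value ("true" or "false") from the
# storage.conf given as $1. Commented-out lines are ignored, the last
# uncommented assignment wins, and an absent key counts as "false".
skip_mount_home_value() {
    val=$(sed -n 's/^[[:space:]]*skip_mount_home[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1)
    case "$val" in
        true|True|TRUE) echo true ;;
        *) echo false ;;
    esac
}

# Exit 0 when a findmnt PROPAGATION field (e.g. "shared" or "shared,slave")
# means new mounts below the directory, i.e. each container's rootfs,
# propagate to containers that mount the host path with HostToContainer;
# exit 1 for "private" (which keeps them out of other mount namespaces).
propagation_is_shared() {
    case "$1" in
        shared|shared,*|*,shared|*,shared,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check. $1 is an optional path prefix: empty on the node itself,
# "/host" inside a debug or agent pod that mounts the host root there
# (assumed convention, not an OpenShift requirement).
node_report() {
    conf="$1/etc/containers/storage.conf"
    overlay="$1/var/lib/containers/storage/overlay"
    prop=$(findmnt -no PROPAGATION "$overlay" 2>/dev/null || echo unknown)
    if [ "$prop" = unknown ]; then
        verdict="could not read propagation of $overlay"
    elif propagation_is_shared "$prop"; then
        verdict="rootfs of other containers visible to a privileged agent"
    else
        verdict="rootfs of other containers hidden from other mount namespaces"
    fi
    echo "skip_mount_home=$(skip_mount_home_value "$conf") overlay_propagation=$prop: $verdict"
}

# Constructed sample storage.conf so the parser can be exercised offline.
# $1 is the value to assign, or "absent" to leave the key out.
write_sample_conf() {
    f=$(mktemp)
    {
        echo '[storage]'
        echo 'driver = "overlay"'
        echo '[storage.options]'
        echo '# skip_mount_home = "false"'
        [ "$1" = absent ] || echo "skip_mount_home = \"$1\""
    } > "$f"
    echo "$f"
}

# Stand-alone run: parse the constructed samples, then the live node when
# the real storage.conf is readable.
for v in true false absent; do
    c=$(write_sample_conf "$v")
    echo "sample($v): skip_mount_home=$(skip_mount_home_value "$c")"
    rm -f "$c"
done
if [ -r /etc/containers/storage.conf ]; then
    node_report ""
fi
```

Run it on a node with `sh check.sh`, or from a pod that mounts the host root under /host by calling `node_report /host`. A "shared" propagation on the overlay directory is the condition under which the customer's HostToContainer agent sees newly created container rootfs directories, so the same check also tells a cluster owner which nodes expose other containers' filesystems to privileged pods.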

       

      4. List any affected packages or components.

      CRI-O, Node, MCO.

       

      Additional information in this Slack discussion [3].

       

       

      [1] https://docs.openshift.com/container-platform/4.11/post_installation_configuration/machine-configuration-tasks.html#create-a-containerruntimeconfig_post-install-machine-configuration-tasks
      [2] https://bugzilla.redhat.com/show_bug.cgi?id=2065283#c32
      [3] https://coreos.slack.com/archives/CK1AE4ZCK/p1670491480185299

            People: Gaurav Singh (gausingh@redhat.com), Aruna Naik, Matthew Werner, Peter Hunt, Derrick Ornelas