Fastest way of giving a container access to a directory


#1

Hello,

What is the fastest way to give an unprivileged container access to files that reside outside its rootfs?

By “fastest” I mean that the mount operation (or whatever it ends up being) should not take long. The containers are used as sandboxes to run untrusted code, but that code needs to be fed to the sandbox as quickly as possible.

Note that I do not need to change the owner and group ids of these files. They will always be created and used from within containers, so they’ll have ids matching the shared container namespace, and therefore no id mapping is necessary.

I have found that bind mounting is a fast operation in general, but mounting a volume using lxc is quite slow. So I’m inclined to try to bind mount independent of lxc, however I’m unclear how best to do that, and what the security implications are.

If anybody has any ideas how best to do this please let me know.

My primary concern is security, second is speed.

Thanks!


#2

After some experimenting I have found that the simplest thing to do is simply to bind mount directories by reaching all the way into LXD's directory structure where the container rootfs are stored. Essentially doing:

mount --bind /var/snap/lxd/common/lxd/storage-pools/dir-pool/containers/ds-trusted/rootfs/data/apps/0/ /var/snap/lxd/common/lxd/storage-pools/dir-pool/containers/ds-sandbox-0/app/

I think I read somewhere in LXD articles or discussions that reaching into the rootfs from outside LXD should be avoided, but I’m not sure why (apart from the obvious problem that LXD may decide to use a different directory structure in a future version).

If there is a more correct way to do this (without taking a hit on performance) I’d love to hear it.

Edit: I'm using a directory pool for now for both containers and data, which simplifies things too. I may move to btrfs or ZFS in future, which may complicate things.
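The host-side bind mount from post #2, written up as an added example (this is not code from the thread or from LXD itself) with the two things a practitioner would want around it. First, because the sandbox controls everything under its own rootfs, the target path the host passes to mount can be redirected by a symlink the untrusted code planted there, so the script resolves the target and refuses unless it still lands inside the rootfs. Second, a bind mount inherits the source's flags, so a second remount applies ro,nosuid,nodev,noexec. The storage-pool layout, the container and pool names, and the function names are assumptions modelled on the paths in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or from LXD. Bind-mounts a host
# directory into an LXD dir-pool container's rootfs after checking that the
# target inside the untrusted rootfs does not resolve to somewhere else.
# The /var/snap/lxd/... layout below is an assumption taken from the post.
set -euo pipefail

# Return 0 if TARGET (a path under ROOTFS) still resolves to a location under
# ROOTFS after every symlink and ".." component is followed; return 1 if not.
# realpath -m resolves the path even when its final element does not exist yet,
# which is the normal case before the mount point has been created.
path_stays_inside_rootfs() {
  local rootfs=$1 target=$2 resolved_root resolved_target
  resolved_root=$(realpath -e -- "$rootfs") || return 1
  resolved_target=$(realpath -m -- "$target") || return 1
  case "$resolved_target" in
    "$resolved_root"|"$resolved_root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# bind_into_container POOL CONTAINER REL_TARGET SRC
# Mounts SRC read-only at <rootfs of CONTAINER>/REL_TARGET with nosuid,nodev,
# noexec, so the sandboxed code cannot plant setuid binaries or device nodes in
# a directory the host (or another container) also sees. SRC is taken to be
# trusted, as in the post, and is not checked. Must run as root on the LXD host.
bind_into_container() {
  local pool=$1 container=$2 rel_target=$3 src=$4
  local rootfs="/var/snap/lxd/common/lxd/storage-pools/$pool/containers/$container/rootfs"
  local target="$rootfs/$rel_target"

  if ! path_stays_inside_rootfs "$rootfs" "$target"; then
    echo "refusing: $target resolves outside $rootfs" >&2
    return 1
  fi
  mkdir -p -- "$target"
  mount --bind -- "$src" "$target"
  # The bind mount carries the source's flags; remount to apply our own.
  mount -o remount,bind,ro,nosuid,nodev,noexec -- "$target"
}

# Example invocation (root on the LXD host), using the names from the post:
#   bind_into_container dir-pool ds-sandbox-0 app \
#     /var/snap/lxd/common/lxd/storage-pools/dir-pool/containers/ds-trusted/rootfs/data/apps/0
if [ "$#" -eq 4 ]; then
  bind_into_container "$@"
fi
```

The check narrows the window but does not close it: the sandbox can still swap the directory for a symlink between the realpath call and the mount. The only way to remove that race entirely is to not resolve the path on the host at all, which is what LXD's own device mechanism (`lxc config device add <container> <name> disk source=<host dir> path=<container path>`) does for you, at the speed cost described in post #1.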