What is the fastest way to give an unprivileged container access to files that reside outside its rootfs?
By “fastest” I mean that the mount operation (or whatever it ends up being) should not take long. The containers are used as sandboxes to run untrusted code, but that code needs to be fed to the sandbox as quickly as possible.
Note that I do not need to change the owner and group ids of these files. They will always be created and used from within containers, so they’ll have ids matching the shared container namespace, and therefore no id mapping is necessary.
I have found that bind mounting is a fast operation in general, but mounting a volume using lxc is quite slow. So I’m inclined to try to bind mount independent of lxc, however I’m unclear how best to do that, and what the security implications are.
If anybody has any ideas how best to do this please let me know.
My primary concern is security, second is speed.
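One way to do the bind mount outside lxc, added here as an example that is not part of the original question: the helper names `resolve_target` and `bind_into_rootfs` are assumptions of mine, as is the layout (host directory, container rootfs, a path relative to that rootfs), and it assumes GNU coreutils `realpath`, util-linux `findmnt`, and root on the host for the two `mount` calls.

```shell
#!/bin/sh
# Added example (not from the original post): bind-mount a host directory into
# an unprivileged container's rootfs without going through lxc, with the mount
# flags a sandbox operator wants. Needs root (or CAP_SYS_ADMIN in the host mount
# namespace) for the mount calls; the path check itself runs unprivileged.
set -eu

# Resolve TARGET (relative to ROOTFS) and confirm it really lands inside ROOTFS.
# The rootfs is writable by the sandboxed code, so a symlink planted there could
# otherwise redirect the mount onto an arbitrary host directory.
# Prints the canonical path and returns 0, or returns 1 when it escapes.
resolve_target() {
    rootfs=$(realpath -e -- "$1")
    target=$(realpath -m -- "$rootfs/$2")
    case "$target" in
        "$rootfs"/*) printf '%s\n' "$target"; return 0 ;;
        *) printf 'refusing %s: resolves outside %s\n' "$2" "$rootfs" >&2; return 1 ;;
    esac
}

# Bind-mount HOSTDIR onto ROOTFS/TARGET. The second call matters: a plain
# `mount --bind` silently ignores ro/nosuid/nodev, so they must be applied with
# a bind remount. Drop "ro" if the sandbox has to write there; add "noexec" if
# the files are only ever read by an interpreter, never executed directly.
# Do this while the sandbox is stopped, since the check above is not atomic
# with the mount.
bind_into_rootfs() {
    hostdir=$1; rootfs=$2
    target=$(resolve_target "$rootfs" "$3") || return 1
    mkdir -p -- "$target"
    mount --bind "$hostdir" "$target"
    mount -o remount,bind,ro,nosuid,nodev "$target"
    # Verify the flags took effect before handing the sandbox over.
    findmnt -n -o OPTIONS "$target" | grep -Eq '(^|,)ro(,|$)' || return 1
}
```

The first bind-mount and remount together take milliseconds, so the cost the question describes comes from the lxc tooling around the mount, not from the mount itself.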