Re: Playing around with ostree for apps

From: Colin Walters <walters verbum org>
To: Alexander Larsson <alexl redhat com>
Cc: gnome-os-list gnome org
Subject: Re: Playing around with ostree for apps
Date: Wed, 15 Oct 2014 15:34:59 -0400

On Wed, Oct 15, 2014, at 06:24 AM, Alexander Larsson wrote:


We have similar issues with selinux and docker actually. For the docker
devmapper backend we're using a single unique COW dm device for each
container, so we can mount that with a selinux context and everything is
fine. This doesn't work for the btrfs and overlayfs backends though. For
the btrfs backend we're looking at changing btrfs itself to allow
subvolume mount contexts, but that wouldn't neccessarily work for us
anyway, as we're not using a unique subvolume per running app instance.


Offhand, I think this only matters if the container files are mutable. 
In a model
where containers are read-only (and your data in /var and /etc is
mounted to
permanent storage elsewhere with distinct labeling), then you just need
unique labeling for those. Your /usr can just be the same as the host's
usr_t.

Docker's model is really oriented towards mutable containers, so it's
hard
to do there.

References:
- Playing around with ostree for apps
  - From: Alexander Larsson
- Re: Playing around with ostree for apps
  - From: Colin Walters
- Re: Playing around with ostree for apps
  - From: Alexander Larsson
- Re: Playing around with ostree for apps
  - From: Colin Walters
- Re: Playing around with ostree for apps
  - From: Alexander Larsson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]