[OpenAFS] containers / AFS / Ubuntu - stopped working

Neil Davies semanticphilosopher@gmail.com
Sat, 28 Nov 2015 21:19:38 +0000


I can confirm that this is the problem

There was a change in docker 1.2.1 (a CVE related fix) that now forces /proc/fs to be mounted read-only

use of the --privileged argument to docker run does allow openafs to run ok, but only at the cost of losing all of the container isolation!

I spent some time trying to work out how to _just_ permit read-write access to the appropriate portion of the /proc/fs filestore, but have not cracked it.

It is potentially possible to mount the host's /proc/fs/openafs under a different name (with read-write access) within the container - but that would imply a change to the openafs building process....

Obviously I could modify the docker sources, submit a patch etc..

Any suggestions? I'm just wondering if there are any other bits of functionality that the docker folks might have broken this way - looking to see if we, as a community, are not alone here.

Neil

On 27 Nov 2015, at 19:06, Charles (Chas) Williams <3chas3@gmail.com> wrote:

> On Nov 27, 2015, at 13:42 , Neil Davies wrote:
>> After this upgrade I am no longer able, in the container, to push tokens into the kernel - it gives a pioctl.
>
> Is there any chance you can run an strace on this?
>
> I believe that /proc was changed to read-only at some point for docker
> containers.  OpenAFS tries to open /proc/fs/openafs/afs_ioctl read/write
> in order to handle pioctl's.
>
>
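A quick way to confirm the diagnosis above from inside the container, before falling back to --privileged, is to read /proc/self/mountinfo and look at which mounts under /proc carry the "ro" per-mount option. This is an added example, not code from this thread, from OpenAFS or from Docker; the mount table it parses is constructed (hypothetical mount ids and options) to resemble what a container shows, and the helper names proc_mount_modes and path_is_readonly are my own.

```shell
#!/bin/sh
# Added example: confirm from inside a container which part of /proc is
# read-only before reaching for --privileged. Not code from the thread,
# OpenAFS or Docker. The mount table below is constructed (hypothetical
# mount ids and options) to resemble what /proc/self/mountinfo shows in
# a container; on a real system pipe the actual file in instead.
#
# mountinfo fields (space separated):
#   1 id  2 parent  3 maj:min  4 root  5 mountpoint  6 per-mount options
#   ... optional fields ...  -  fstype  source  superblock options
# The per-mount options (field 6) are what a read-only bind mount sets;
# the superblock options after the "-" still say "rw", which is why
# "/proc" looks writable while "/proc/fs" underneath it is not.

SAMPLE_MOUNTINFO='21 20 8:1 / / rw,relatime - ext4 /dev/sda1 rw
26 21 0:25 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
27 26 0:25 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
28 26 0:25 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
29 26 0:25 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
30 26 0:25 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw'

# Print "<mountpoint> ro|rw" for /proc and every mount below it, judged
# by the per-mount options only. Reads mountinfo on stdin.
proc_mount_modes() {
    awk '$5 == "/proc" || index($5, "/proc/") == 1 {
        mode = "rw"
        n = split($6, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "ro") mode = "ro"
        print $5, mode
    }'
}

# Exit 0 if the path in $1 lives under a read-only mount, 1 otherwise.
# The deepest mountpoint that is a prefix of the path decides, so
# /proc/fs/openafs/afs_ioctl is governed by /proc/fs, not by /proc.
path_is_readonly() {
    awk -v p="$1" '
        {
            mp = $5
            if (mp == "/") pre = "/"; else pre = mp "/"
            if (p == mp || index(p, pre) == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $6 }
            }
        }
        END {
            n = split(opts, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") exit 0
            exit 1
        }'
}

# Run against the constructed table. In a real container replace the
# printf with: cat /proc/self/mountinfo
printf '%s\n' "$SAMPLE_MOUNTINFO" | proc_mount_modes

target=/proc/fs/openafs/afs_ioctl
if printf '%s\n' "$SAMPLE_MOUNTINFO" | path_is_readonly "$target"; then
    echo "$target is under a read-only mount: a read-write open will fail with EROFS"
else
    echo "$target is writable; look elsewhere for the pioctl failure"
fi
```

With the real mountinfo piped in, the same check either confirms the read-only /proc/fs that Chas suspected or rules it out; if /proc/fs reports rw and token pushing still fails, the strace he asked for is the next step, since the errno it shows will not be EROFS.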