[Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?
Colin Walters
walters at verbum.org
Thu Sep 29 15:47:32 UTC 2022
On Thu, Sep 29, 2022, at 10:10 AM, Vivek Goyal wrote:
> What's your use case. How do you plan to use virtiofs.
At the current time, the Kubernetes that we run does not support user namespaces. We want to do the production builds of our operating system (Fedora CoreOS and RHEL CoreOS) today inside an *unprivileged* Kubernetes pod (actually in OpenShift using anyuid, i.e. random unprivileged uid too), just with /dev/kvm exposed from the host (which is safe). Operating system builds *and* tests in qemu are just another workload that can be shared with other tenants.
qemu works fine in this model, as does 9p. It's just the virtiofs isolation requires privileges to be used today.
More information about the Virtio-fs
mailing list