[Devel] [PATCH RH7 1/2] fs/overlay: set flag FS_VIRTUALIZED
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri May 20 03:51:54 PDT 2016
On 05/20/2016 11:59 AM, Vladimir Davydov wrote:
> On Thu, May 19, 2016 at 06:32:00PM +0300, Pavel Tikhomirov wrote:
>> this is a temporary decision to make docker in CT work with overlayfs
>> storage driver, it can be unsafe to give access to fs-overlay module
>> from container.
>
> Why? (just curious)
As overlayfs works on the files/folders level and not on the block device level,
unlike dm-thin, it seems to be safe enough to give access to it in CT.
For dm-thin, the access to a block device and its raw data in the image file
in CT was the stumbling-block.
But maybe the overlay driver needs to be checked hard to really be safe.
From docker.com: "As promising as OverlayFS is, it is still relatively
young. Therefore caution should be taken before using it in production
Docker environments."
>
>>
>> *need to modprobe overlay module on host
>
> Maybe we should add overlayfs module to the whitelist? (see
> ve0_allowed_mod)
>
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.