{"/COMMIT_MSG":[{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"7845bfec06590acddfa1f48a7ba27b6b86ce0c14","unresolved":false,"context_lines":[{"line_number":15,"context_line":"3- drop \"z\" flag from libvirt related mounts"},{"line_number":16,"context_line":"This avoids relabelling issues from non-privileged containers"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Note this will require an update to podman-1.6.4 in order to allow"},{"line_number":19,"context_line":"passing multiple security-opt[1], and allow to actually USE security-opt"},{"line_number":20,"context_line":"when --privileged is passed[2]"},{"line_number":21,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"bf51134e_41220fa6","line":18,"range":{"start_line":18,"start_character":36,"end_line":18,"end_character":48},"updated":"2020-06-17 13:36:44.000000000","message":"I think you meant podman-1.9.3 (and _not_ 1.6.4?)","commit_id":"416b1b51b36d3d032678be304198b5aa9dabe744"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"033cdc8a8a673f2167a371dc643c89fea4a7c76a","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Note this will require to patch podman-1.6.4 in order to allow"},{"line_number":19,"context_line":"passing multiple security-opt[1], and allow to actually USE security-opt"},{"line_number":20,"context_line":"when --privileged is passed[2]."},{"line_number":21,"context_line":"The tests were done using a podman 1.9.3 in order to work around the"},{"line_number":22,"context_line":"mentionned issues."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"bf51134e_619c5a5d","line":20,"updated":"2020-06-18 11:52:55.000000000","message":"I think it\u0027s possible to run libvirt without the privileged flag. We can do that by adding only the devices that it needs, following the principle of least privilege.\nThere is a good writeup about that [1], although it\u0027s for lxd:\n\nhttps://dshcherb.github.io/2017/12/04/qemu-kvm-virtual-machines-in-unprivileged-lxd.html","commit_id":"a48c205e77268d916cf11a4191fbdb247fa6aa82"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"81683ac86dd9674628e5d9d57afff5975ad5b859","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Note this will require to patch podman-1.6.4 in order to allow"},{"line_number":19,"context_line":"passing multiple security-opt[1], and allow to actually USE security-opt"},{"line_number":20,"context_line":"when --privileged is passed[2]."},{"line_number":21,"context_line":"The tests were done using a podman 1.9.3 in order to work around the"},{"line_number":22,"context_line":"mentionned issues."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"bf51134e_65ea2ad8","line":20,"in_reply_to":"bf51134e_619c5a5d","updated":"2020-06-25 14:46:02.000000000","message":"Hi, please note the important point below:\n\n\u0027nova_libvirt\u0027 container is \"inherently a highly privileged container because Nova requires it to be able to perform many highly privileged actions.\"\n\nIn other words, we\u0027re *NOT* using containers for security isolation—but only for ease of deployment.\n\nSecuring VMs from each other is taken care of by sVirt.\n\nHope that makes things clear.","commit_id":"a48c205e77268d916cf11a4191fbdb247fa6aa82"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"5289d0c2c1f05baba0dd9f4e66b276f9a3cdea51","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Note this will require to patch podman-1.6.4 in order to allow"},{"line_number":19,"context_line":"passing multiple security-opt[1], and allow to actually USE security-opt"},{"line_number":20,"context_line":"when --privileged is passed[2]."},{"line_number":21,"context_line":"The tests were done using a podman 1.9.3 in order to work around the"},{"line_number":22,"context_line":"mentionned issues."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"bf51134e_647b2cf4","line":20,"in_reply_to":"bf51134e_65ea2ad8","updated":"2020-06-29 07:46:53.000000000","message":"Hi, I agree containers in TripleO were initially used for ease of delivery and not security (a quick look at the code is sufficient to get to this conclusion), but there is an ongoing effort to change that. This is because any security audit will point at the current usage of containers and expect it to be \"fixed\". I\u0027ll send you an email with some details which I can\u0027t discuss on the wide forum here. This long term effort was discussed at the PTG:\n\nhttps://etherpad.opendev.org/p/tripleo-ptg-victoria-distro-transition\n\nIn this instance, container isolation wouldn\u0027t be used for securing the VMs, but for isolating the TripleO services from each other.\n\nHaving said that, nova_libvirt, which probably needs the most privileges, is not necessarily the one container we are focusing on right now. We already moved some containers off of running privileged, but there are still more services, which shouldn\u0027t have any privileges at all, using the privileged option (originally created only for running docker inside docker).","commit_id":"a48c205e77268d916cf11a4191fbdb247fa6aa82"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"efe367e17d437b41a1efca692778feaec2ae9799","unresolved":false,"context_lines":[{"line_number":15,"context_line":"3- drop \"z\" flag from libvirt related mounts"},{"line_number":16,"context_line":"This avoids relabelling issues from non-privileged containers"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"4- set specific labels for the container itself. Note the new"},{"line_number":19,"context_line":"\"container_ro_file_t\" is replacing late \"container_share_t\"."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Notes:"},{"line_number":22,"context_line":"1. This will require to patch podman-1.6.4 in order to allow to actually"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":7,"id":"bf51134e_bb2feca5","line":19,"range":{"start_line":18,"start_character":0,"end_line":19,"end_character":60},"updated":"2020-07-02 08:31:25.000000000","message":"The point four here can be confusing as it gives the impression that this patch is using \u0027container_ro_file_t\u0027—now it\u0027s not anymore, given the \"Notes\" below.\n\nHow about this:\n\n4- In this patch, we use the SELinux \u0027container_share_t\u0027.  In a future patch we will update it to \u0027container_ro_file_t\u0027. This is purely a cosmetic change to better reflect the actual behavior of the SELinux label; this does not alter functionality.  (Also, refer to point 2 in the \"Notes\" section below.)","commit_id":"1bbf84d9f87f097a9986a21747d0f98085659512"}],"deployment/nova/nova-libvirt-container-puppet.yaml":[{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"91b45e09c85de5cbc1e2dff57d63c84d5329bf24","unresolved":false,"context_lines":[{"line_number":692,"context_line":"            security_opt:"},{"line_number":693,"context_line":"              - label\u003dlevel:s0"},{"line_number":694,"context_line":"              - label\u003dtype:spc_t"},{"line_number":695,"context_line":"              - label\u003dfiletype:container_share_t"},{"line_number":696,"context_line":"            restart: always"},{"line_number":697,"context_line":"            depends_on:"},{"line_number":698,"context_line":"              - tripleo_nova_virtlogd.service"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"bf51134e_5b6ebeff","line":695,"range":{"start_line":695,"start_character":31,"end_line":695,"end_character":48},"updated":"2020-06-29 15:44:02.000000000","message":"The SELinux folks said \u0027container_share_t\u0027 is a \"bad name\" (because it is read-only!) hence they changed it to \u0027container_ro_file_t\u0027.\n\nSo we should make sure to change \u0027container_share_t\u0027 to \u0027container_ro_file_t\u0027 here.","commit_id":"a48c205e77268d916cf11a4191fbdb247fa6aa82"}]}
