1 |
Rich Freeman <rich0@g.o> wrote: |
2 |
> On Sun, Sep 24, 2017 at 4:24 AM, Martin Vaeth <martin@×××××.de> wrote: |
3 |
>> Tim Harder <radhermit@g.o> wrote: |
4 |
>> |
5 |
>> It is the big advantage of overlay that it is implemented in |
6 |
>> kernel and does not involve any time-consuming checks during |
7 |
>> normal file operations. |
8 |
> |
9 |
> Why would you expect containers to behave any differently? |
10 |
|
11 |
For overlay, there is only one directory to be checked in |
12 |
addition for every file access. |
13 |
|
14 |
For containers, at least a dozens of binds are minimally required |
15 |
(/usr /proc /sys /dev ...). But as you mentioned in your posting, |
16 |
if you want to take more care you easily have thousands of bind mounts. |
17 |
At least implicitly in the kernel, all of these binds must be checked |
18 |
for every file access. I am not sure whether this happens very quickly |
19 |
by hashing (so that essentially really only the creation costs time). |
20 |
|
21 |
As mentioned, I do not have actual timing results. I am just afraid |
22 |
that it might easily cost more than a context-switch which already |
23 |
gives a slowdown for fuse-overlay which is so large that I would |
24 |
not recommend it for a sandbox. |
25 |
|
26 |
> Now, I am concerned about the time to create the container, if we're |
27 |
> going to specify individual files, but the same would be true of an |
28 |
> overlay. [...] |
29 |
> to populate an overlayfs with just that specific list of files. |
30 |
|
31 |
No. For overlay you need only one mount (not even a bind) |
32 |
and only one directory traversal at the end to check for |
33 |
violations. |
34 |
The nice thing is that this is practically independent of |
35 |
the number or structure of directories/files you want to protect, |
36 |
i.e. it scales perfectly well. |
37 |
For the more fine-grained approach, you just delete the files |
38 |
you do not want to have in the beginning. Not sure, how quick this |
39 |
can be done, but once it is done, the slowdown when running the |
40 |
sandbox is independent of the number of deleted files (because |
41 |
here certainly only one hash lookup is required). |
42 |
|
43 |
Of course, as mgorny already observed, overlay alone is not an |
44 |
absolute protection (e.g. against writing to some /dev/...), |
45 |
so perhaps it is a good idea to use containers as an additional |
46 |
protection level. |
47 |
|
48 |
> If you just replicate the current sandbox |
49 |
> functionality then setup time is tiny |
50 |
|
51 |
I am not so much concerned about the setup time but more about the |
52 |
delay caused for file operations once the sandbox is set up. |
53 |
Perhaps even a dozen bind directories already give a considerable |
54 |
slowdown... |