I am trying to mount a Gluster volume within a systemd-nspawn container. I found two methods to do it from the official GitHub repo, but I have questions about both methods' security.
- The `CAP_MKNOD` + `DeviceAllow=/dev/fuse rwm` + `mknod /dev/fuse c 10 229` method from https://github.com/systemd/systemd/issues/6553#issuecomment-350167906. But I can only make it work using a privileged container. Am I doing it wrong, or does it really only work in a privileged container?

  ```ini
  # /etc/systemd/nspawn/apps.nspawn
  [Exec]
  NotifyReady=yes
  PrivateUsers=no
  ```
- The `/dev/fuse` bind mount method from https://github.com/systemd/systemd/issues/7669#issuecomment-352388204. It works in an unprivileged container, but the author stated that this method has security implications. I don't know what that means; is it worse than method 1?

  ```ini
  # /etc/systemd/nspawn/apps.nspawn
  [Files]
  Bind=/dev/fuse
  ```