Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

[Serge Hallyn <serge.hallyn@ubuntu.com>]

Quoting Serge Hallyn (serge.hallyn@ubuntu.com):
> Quoting Seth Forshee (seth.forshee@canonical.com):
> > On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> > > Quoting Seth Forshee (seth.forshee@canonical.com):
> > > > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > > > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> > > > > 
> > > > > > On Fri, May 16, 2014 at 01:49:59AM +0000, Serge Hallyn wrote:
> > > > > >> > I think having to pick and choose what device nodes you want in a
> > > > > >> > container is a good thing.  Becides, you would have to do the same thing
> > > > > >> > in the kernel anyway, what's wrong with userspace making the decision
> > > > > >> > here, especially as it knows exactly what it wants to do much more so
> > > > > >> > than the kernel ever can.
> > > > > >> 
> > > > > >> For 'real' devices that sounds sensible.  The thing about loop devices
> > > > > >> is that we simply want to allow a container to say "give me a loop
> > > > > >> device to use" and have it receive a unique loop device (or 3), without
> > > > > >> having to pre-assign them.  I think that would be cleaner to do using
> > > > > >> a pseudofs and loop-control device, rather than having to have a
> > > > > >> daemon in userspace on the host farming those out in response to
> > > > > >> some, I don't know, dbus request?
> > > > > >
> > > > > > I agree that loop devices would be nice to have in a container, and that
> > > > > > the existing loop interface doesn't really lend itself to that.  So
> > > > > > create a new type of thing that acts like a loop device in a container.
> > > > > > But don't try to mess with the whole driver core just for a single type
> > > > > > of device.
> > > > > 
> > > > > Yes. Something like devpts (without the newinstance option).  Built to
> > > > > allow unprivileged users to create loopback devices.
> > > > 
> > > > That's where I started, and I've got code, so I guess I'll clean it up
> > > > and send patches. If the stance is that only system-wide CAP_SYS_ADMIN
> > > > gets to do privileged block device ioctls, including reading partitions
> > > 
> > > Sorry, where did that come from?  What Eric was referring to below is
> > > the fs superblock readers not being trusted.  Maybe I glossed over another
> > > email where it was mentioned?
> > 
> > You must have. Take a look at [1].
> > 
> > To repeat the point: the ioctl to reread partitions (along with several
> > other block device ioctls) has a capable(CAP_SYS_ADMIN) check. We can't
> > change this to an ns_capable check without at minimum the block layer
> > knowing about the namespace associated with the block device. Ergo we
> 
> Which only means those changes are necessary :)
> 
> So far as I understand, a namespaced devtmpfs is nacked, but a loopfs
> is interesting (and, depending on the implementation, acceptable).  That
> necessarily includes the minimal blockdev changes to support it.
> 
> > can't reread paritions if this is done entirely within the loop driver
> > via a psuedo fs.
> > 
> > [1] http://article.gmane.org/gmane.linux.kernel.containers.lxc.devel/8191

Hm, yeah, I was confuddling two issues.  Nevertheless, for real block devices I
absolutely agree.  For loop devices I don't.  My answer to

> I don't think unpriviliged containers should be able to do partitioning.
> An unpriviliged user can't do that, so why should a container be any
> different?

would be that the loop device is a convenience built atop the backing image,
and if the user had the rights to loop-attach the backing image, he can
just as will partition using write(2), so why artificially plac this limit?

Nevertheless this is not really a debate worth having until we have a
blockdev fs mountable in a userns.

My main interest currently is with privileged containers.  I think we can
learn plenty from that for now.