From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Howells
Subject: Re: Containers don't handle keys, but should they?
Date: Fri, 14 Mar 2008 15:49:20 +0000
Message-ID: <8853.1205509760@redhat.com>
References: <20080314145447.GG9741@sergelap.austin.ibm.com> <7519.1205494679@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20080314145447.GG9741-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org>
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: "Serge E. Hallyn"
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org
List-Id: containers.vger.kernel.org

Serge E. Hallyn wrote:

> It looks like maybe just adding a struct user_namespace * to a struct key
> should suffice.

That's not quite sufficient. The per-UID key_user structs also need to be
differentiated. Unfortunately, I can't just merge it into user_struct as I
then end up with a reference loop:

    user_struct -> uid_keyring -> user_struct

Rooting the key_user trees in user_namespace will probably do the trick.

A couple of questions:

 (1) A process may inherit a session keyring over clone(). Should this be
     discarded if CLONE_NEWUSER is set? Or would I need to copy it?

 (2) In a recent patch, I've given the root user its own quota limits. Is
     UID 0 always the root user in any container? Or would it make more
     sense just to scrap the per-root quota limits?

David