From: "J. Bruce Fields" <bfields@fieldses.org>
To: Kyle Moffett <kyle@moffetthome.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Theodore Tso <tytso@mit.edu>, Matt Helsley <matthltc@us.ibm.com>,
Lennart Poettering <mzxreary@0pointer.de>,
Kay Sievers <kay.sievers@vrfy.org>,
linux-kernel@vger.kernel.org, harald@redhat.com, david@fubar.dk,
greg@kroah.com, Linux Containers <containers@lists.osdl.org>,
Linux Containers <lxc-devel@lists.sourceforge.net>,
"Serge E. Hallyn" <serge@hallyn.com>,
Daniel Lezcano <daniel.lezcano@free.fr>,
Paul Menage <paul@paulmenage.org>
Subject: Re: Detecting if you are running in a container
Date: Wed, 12 Oct 2011 15:04:52 -0400 [thread overview]
Message-ID: <20111012190452.GA23845@fieldses.org> (raw)
In-Reply-To: <CAGZ=bqJxadNqaPCW3HufrMmQ57x082=pCDa6-mWLsdtfxHgdPw@mail.gmail.com>
On Wed, Oct 12, 2011 at 02:25:04PM -0400, Kyle Moffett wrote:
> On Wed, Oct 12, 2011 at 13:57, J. Bruce Fields <bfields@fieldses.org> wrote:
> > On Tue, Oct 11, 2011 at 02:16:24PM -0700, Eric W. Biederman wrote:
> >> Where all of this winds up interesting in the field of oncoming kernel
> >> work is that uids are persistent and are stored in file systems. So
> >> once we have all of the permission checks in the kernel tweaked to care
> >> about user namespaces we next look at the filesystems. The easy
> >> initial implementation is going to be just associating a user namespace
> >> with a super block. But farther out being able to store uids from
> >> different user namespaces on the same filesystem becomes an interesting
> >> problem.
> >
> > Yipes. Why would anyone want to do that?
>
> Consider an NFS file server providing collaborative access to multiple
> independently managed domains (EG: several different universities),
> each with their own LDAP userid database and Kerberos services.
>
> The common server is in its own realm and allows cross-realm
> authentication to the other university realms, using the origin realm
> to decide what namespace to map each user into.
>
> If you are just doing read-only operations then you don't need any
> kind of namespace persistence on the NFS server's storage. On the
> other hand, if you want to allow users to collaborate and create ACLs
> then you need something dramatically more involved.
Yeah, OK, I suppose I'd imagined mapping into the server's id space
somehow for that case, but I suppose this would be cleaner. Still,
seems like a big pain....
> On the wire, the kerberos server would simply identify each NFSv4 ACL
> entry with a particular realm ID, but in the backend it would need
> some filesystem-level disambiguation (possibly the recently-proposed
> RichACL features?)
That doesn't help with owner and group.
--b.
next prev parent reply other threads:[~2011-10-12 19:04 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1317943022.1095.25.camel@mop>
[not found] ` <20111007074904.GC16723@count0.beaverton.ibm.com>
[not found] ` <20111007160113.GB14201@tango.0pointer.de>
[not found] ` <m17h4g2jqy.fsf@fess.ebiederm.org>
[not found] ` <20111010163140.GA22191@tango.0pointer.de>
2011-10-10 20:59 ` Detecting if you are running in a container Eric W. Biederman
2011-10-10 21:41 ` Lennart Poettering
2011-10-11 5:40 ` Eric W. Biederman
2011-10-11 6:54 ` Eric W. Biederman
2011-10-12 16:59 ` Kay Sievers
2011-11-01 22:05 ` [lxc-devel] " Michael Tokarev
2011-11-01 23:51 ` Eric W. Biederman
2011-11-02 8:08 ` Michael Tokarev
2011-10-11 1:32 ` Ted Ts'o
[not found] ` <20111011020530.GG16723@count0.beaverton.ibm.com>
2011-10-11 3:25 ` Ted Ts'o
2011-10-11 6:42 ` Eric W. Biederman
2011-10-11 12:53 ` Theodore Tso
2011-10-11 21:16 ` Eric W. Biederman
2011-10-11 22:30 ` david
2011-10-12 4:26 ` Eric W. Biederman
2011-10-12 5:10 ` david
2011-10-12 15:08 ` Serge E. Hallyn
2011-10-12 17:57 ` J. Bruce Fields
2011-10-12 18:25 ` Kyle Moffett
2011-10-12 19:04 ` J. Bruce Fields [this message]
2011-10-12 19:12 ` Kyle Moffett
2011-10-14 15:54 ` Ted Ts'o
2011-10-14 18:04 ` Eric W. Biederman
2011-10-14 21:58 ` H. Peter Anvin
2011-10-16 9:42 ` Eric W. Biederman
2011-10-30 20:11 ` H. Peter Anvin
2011-11-01 13:38 ` Eric W. Biederman
2011-10-11 22:25 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111012190452.GA23845@fieldses.org \
--to=bfields@fieldses.org \
--cc=containers@lists.osdl.org \
--cc=daniel.lezcano@free.fr \
--cc=david@fubar.dk \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=harald@redhat.com \
--cc=kay.sievers@vrfy.org \
--cc=kyle@moffetthome.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lxc-devel@lists.sourceforge.net \
--cc=matthltc@us.ibm.com \
--cc=mzxreary@0pointer.de \
--cc=paul@paulmenage.org \
--cc=serge@hallyn.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox