From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
Christian Brauner <christian.brauner@ubuntu.com>
Subject: Re: Use cases for multiple uid mapping?
Date: Tue, 01 Sep 2020 09:53:31 -0500 [thread overview]
Message-ID: <871rjleefo.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20200901060631.GA5193@mail.hallyn.com> (Serge E. Hallyn's message of "Tue, 1 Sep 2020 01:06:31 -0500")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> On Fri, Aug 28, 2020 at 10:17:16AM -0500, Eric W. Biederman wrote:
>>
>> We had a discussion in the hackroom at LPC talking about use cases for
>> a shiftfs style setup where there are different mappings of uids to
>> disk.
>>
>> In the discussion we had a couple of ideas of kernel developments
>> we should look at that address some of these.
>>
>> - Fix rlimits in user namespaces (This potentially allows multiple
>> containers to run with the same userids simplifying the mapping
>> problem).
>>
>> - Look at extending kuid_t to 64bits and using the highbits to
>> implement uids that are private to user namespaces and don't
>> map out.
>>
>> - Look at ways for allowing setgroups unprivileged.
>>
>>
>> Together this has the potential that the existing uid & gid mappings
>> will be able to function the same as the proposed fusid mappings. Fingers crossed.
>>
>>
>> I had some problems with audio and a lot of people were talking
>> quickly. So I did not manage to capture everyone's use cases. And I
>> definitely was not able to see how everyone's use cases interacted with
>> the changes we are looking at.
>>
>> I know for certain I missed Serge's usecase (apologies).
>>
>> Can people follow up to this and report their use cases?
>
> Sorry - I'll do so later this week.
Thank you.
I know we have the OCI use case of overlayfs and sharing storage
between containers.
I know we have the lxc case of not wanting to be strangled by ulimits.
So not using the same uid between containers even when it is logically
the same users.
I know the brainstorming was going a lot of different directions and I
piped up and said that we should probably focus on handling the stranger
cases with fuse mounts, and the other capabilities we have now.
It really will be valuable to understand the other cases so we don't
code ourselves into a corner that only works for the most vocal of the
developers.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2020-09-01 14:53 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-28 15:17 Use cases for multiple uid mapping? Eric W. Biederman
2020-08-28 15:55 ` Stéphane Graber via Containers
2020-08-28 17:03 ` Sargun Dhillon
2020-08-30 5:48 ` James Bottomley
2020-09-01 6:06 ` Serge E. Hallyn
2020-09-01 14:53 ` Eric W. Biederman [this message]
2020-09-24 17:09 ` Alban Crequy
2020-09-25 8:13 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871rjleefo.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox