Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
From: James Bottomley
To: Colin Walters, Theodore Ts'o
Cc: linux-fsdevel, lsf-pc@lists.linux-foundation.org
Date: Fri, 26 Jan 2018 08:49:24 -0800
Message-ID: <1516985364.4000.15.camel@HansenPartnership.com>
In-Reply-To: <1516984812.1011043.1249268528.30144C24@webmail.messagingengine.com>

On Fri, 2018-01-26 at 11:40 -0500, Colin Walters wrote:
> On Fri, Jan 26, 2018, at 10:29 AM, Theodore Ts'o wrote:
> >
> > The problem is not the userspace API, it's the bike-shedding over
> > all of the different ways we could *do* immutability, all of which
> > would require separate bits in the on-disk representation of the
> > inode.  You can have any combination of:
> >
> > * Immutable data
> > * Immutable metadata
> >    * Immutable xattrs
>
> Everyone here wants immutable data (*all* of the data I hope),

No, no, I don't.  In the world today most Linux distributions from which we produce containers do have the annoying property of writing stuff where they shouldn't (mostly into /etc).  Systemd is working on fixing this, and when you can make everything other than your /tmp and /var/tmp read-only on your distro, then I will be able to have fully immutable container images.

But until that day comes, I'm going to need a mix of immutable and mutable files on one filesystem.  So when container people boast about immutable images, what they actually mean is *mostly* immutable apart from bits we can't fix.  What they actually mean is that we don't patch the image in situ but instead deploy an upgraded image; each time we start, we start from the pristine state, but as the image is running it can mutate slightly.

James
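An added example, not part of this thread or of fs-verity: a small Python audit that compares a running container's files against the image's pristine manifest, splitting mutations into the locations expected to change (/tmp, /var/tmp) and the unexpected ones such as /etc, and listing the files that stayed byte-identical as candidates for integrity protection. The two manifests are constructed sample data standing in for a filesystem walk.

```python
import hashlib

# Constructed sample data: {path: contents} for the pristine image and for
# the same container after it has been running for a while. A real tool
# would walk the image layers and the live root filesystem instead.
PRISTINE = {
    "/usr/bin/app": b"ELF...app-v1",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/resolv.conf": b"nameserver 10.0.0.1\n",
    "/var/tmp/.keep": b"",
}
RUNNING = {
    "/usr/bin/app": b"ELF...app-v1",
    "/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 db\n",  # a service wrote into /etc
    "/etc/resolv.conf": b"nameserver 10.0.0.1\n",
    "/var/tmp/.keep": b"",
    "/var/tmp/cache.db": b"cache",
    "/tmp/app.sock": b"",
}

# Assumed policy: only these trees may mutate at runtime; everything else
# should match the image and can be made immutable.
MUTABLE_PREFIXES = ("/tmp/", "/var/tmp/")


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(pristine, running, mutable_prefixes=MUTABLE_PREFIXES):
    """Return (expected, unexpected): lists of (path, kind) for every path that
    was added, deleted or modified, split by whether it lives under a prefix
    that is allowed to mutate."""
    expected, unexpected = [], []
    for path in sorted(set(pristine) | set(running)):
        before, after = pristine.get(path), running.get(path)
        if before is not None and after is not None:
            if digest(before) == digest(after):
                continue
            kind = "modified"
        else:
            kind = "added" if before is None else "deleted"
        bucket = expected if path.startswith(mutable_prefixes) else unexpected
        bucket.append((path, kind))
    return expected, unexpected


def immutable_candidates(pristine, running, mutable_prefixes=MUTABLE_PREFIXES):
    """Paths that are unchanged and outside the mutable trees."""
    changed = {p for bucket in audit(pristine, running, mutable_prefixes) for p, _ in bucket}
    return sorted(p for p in pristine if p not in changed and not p.startswith(mutable_prefixes))
```

Running `audit(PRISTINE, RUNNING)` flags `/etc/hosts` as an unexpected modification, which is exactly the kind of write that keeps the image from being fully immutable.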