From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jeff Layton <jlayton@redhat.com>
Cc: Boaz Harrosh <bharrosh@panasas.com>,
Stanislav Kinsbursky <skinsbursky@parallels.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
viro@zeniv.linux.org.uk, serge.hallyn@canonical.com,
lucas.demarchi@profusion.mobi, rusty@rustcorp.com.au,
linux-kernel@vger.kernel.org, oleg@redhat.com,
linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org,
devel@openvz.org
Subject: Re: [RFC PATCH] fs: call_usermodehelper_root helper introduced
Date: Thu, 23 May 2013 15:55:47 -0400 [thread overview]
Message-ID: <20130523195547.GA13640@fieldses.org> (raw)
In-Reply-To: <20130523090526.63fc153e@corrin.poochiereds.net>
On Thu, May 23, 2013 at 09:05:26AM -0400, Jeff Layton wrote:
> On Thu, 23 May 2013 15:25:20 +0300
> > I'm not familiar with nfsdcltrack but I would imagine it receives it's information from
> > Kernel as a command line parameters.
> >
> > Would it not be the simplest approach to add a --chroot=/path/to/root optional
> > parameter to nfsdcltrack so it should access an alternate DB relative to
> > --chroot.
> >
> > This would address Eric's concern of not executing user-privileged executable
> > from Kernel. I think
> >
> > Just my $0.017
> > Boaz
> >
>
> I think that sounds reasonable. Is it always the case
> that /path/to/root is reachable from the "primary" namespace?
I don't think we can assume that.
> If not, you may need to do something more exotic there.
We should be able to pass a file descriptor and then work relative to
that.
> Also, do you have to do anything like change the uid/gid to a different
> user who is root within the container?
Yeah, you may need to create files, for example, right?
> What might help most here is to lay out a particular scenario for how
> you envision setting up knfsd in a container so we can ensure that it's
> addressed properly by whatever solution you settle on.
It would seem cleaner to me the less userspace has to understand about
containers--ideally someone could run a general-purpose distro with its
nfs-utils in a container and have nfs and nfsd just work.
So I'd like to understand whether it is feasible to spawn helpers from a
thread that's descended from whoever started nfsd (or whatever the
proper ancestor is).
(And, what about the nfsd threads themselves? If we're going to allow
unprivileged users to start nfsd, then we probably want the nfsd threads
to inherit from the user somehow, don't we?)
As I understand it recent clients use request_key to do idmapping. I
don't understand that (or keyrings) well. How should they work? I
would have expected that you'd want a separate request-key for each
container rather than a single request-key working on behalf of all
containers.
--b.
next prev parent reply other threads:[~2013-05-23 19:55 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-22 7:29 [RFC PATCH] fs: call_usermodehelper_root helper introduced Stanislav Kinsbursky
2013-05-22 16:03 ` Oleg Nesterov
2013-05-22 17:33 ` Eric W. Biederman
2013-05-22 18:35 ` Eric W. Biederman
2013-05-22 19:23 ` J. Bruce Fields
2013-05-23 3:37 ` Eric W. Biederman
2013-05-23 19:06 ` J. Bruce Fields
2013-05-23 8:11 ` Stanislav Kinsbursky
2013-05-23 8:07 ` Stanislav Kinsbursky
2013-05-23 10:00 ` Eric W. Biederman
2013-05-23 10:35 ` Stanislav Kinsbursky
2013-05-23 11:31 ` Jeff Layton
2013-05-23 11:38 ` Stanislav Kinsbursky
2013-05-23 11:56 ` Jeff Layton
2013-05-23 11:58 ` Stanislav Kinsbursky
2013-05-23 12:25 ` Boaz Harrosh
2013-05-23 13:05 ` Jeff Layton
2013-05-23 19:55 ` J. Bruce Fields [this message]
2013-05-23 20:14 ` J. Bruce Fields
2013-05-23 21:32 ` Eric W. Biederman
2013-05-24 6:04 ` Stanislav Kinsbursky
2013-11-08 11:58 ` Jeff Layton
2013-05-24 5:44 ` Stanislav Kinsbursky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130523195547.GA13640@fieldses.org \
--to=bfields@fieldses.org \
--cc=akpm@linux-foundation.org \
--cc=bharrosh@panasas.com \
--cc=devel@openvz.org \
--cc=ebiederm@xmission.com \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lucas.demarchi@profusion.mobi \
--cc=oleg@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=serge.hallyn@canonical.com \
--cc=skinsbursky@parallels.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).