From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alin Dobre
Subject: Re: User namespace over 9p
Date: Tue, 27 May 2014 11:51:31 +0100
Message-ID: <53846E33.4030601@elastichosts.com>
References: <53846804.6080408@elastichosts.com> <87fvjvpksl.fsf@x220.int.ebiederm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: linux-fsdevel@vger.kernel.org, containers@lists.linux-foundation.org, v9fs-developer@lists.sourceforge.net, Eric Van Hensbergen
To: "Eric W. Biederman"
Return-path:
Received: from old.lon-b.elastichosts.com ([84.45.121.3]:34730 "EHLO lon-b.elastichosts.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751705AbaE0KvL (ORCPT ); Tue, 27 May 2014 06:51:11 -0400
In-Reply-To: <87fvjvpksl.fsf@x220.int.ebiederm.org>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Eric, thanks for the response.

On 27/05/14 11:39, Eric W. Biederman wrote:
>> Do I understand this correctly as a problem, or does it work as
>> intended? If latter, do you have any insights on how to achieve running
>> containers in this scenario?
> If the permission check is made on the kernel with user namespaces we
> can reasonably make it work. Otherwise we can not. That is a danger
> of using remote filesystems they can sometimes have weird arbitrary
> rules you were not expecting.
>

I'm using diod as the 9p server, and it seems that it receives the
calling UID as -2 from the 9p kernel module on the client side, which
has user namespaces enabled.

Cheers,
Alin.