linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Ted Ts'o" <tytso@mit.edu>
To: Kyle Moffett <kyle@moffetthome.net>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Matt Helsley <matthltc@us.ibm.com>,
	Lennart Poettering <mzxreary@0pointer.de>,
	Kay Sievers <kay.sievers@vrfy.org>,
	linux-kernel@vger.kernel.org, harald@redhat.com, david@fubar.dk,
	greg@kroah.com, Linux Containers <containers@lists.osdl.org>,
	Linux Containers <lxc-devel@lists.sourceforge.net>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Daniel Lezcano <daniel.lezcano@free.fr>,
	Paul Menage <paul@paulmenage.org>
Subject: Re: Detecting if you are running in a container
Date: Fri, 14 Oct 2011 11:54:06 -0400	[thread overview]
Message-ID: <20111014155406.GC13119@thunk.org> (raw)
In-Reply-To: <CAGZ=bqJjgmtBfyXJ2eK1C0PfzkgBVWFTjkTYkC211ZT+-5f-UQ@mail.gmail.com>

On Wed, Oct 12, 2011 at 03:12:34PM -0400, Kyle Moffett wrote:
> Well, you're going to need to introduce a bunch of new xattrs to
> handle the namespacing anyways.
> 
> As I understand it you can use RichACLs to grant all the same
> privileges as owner and group, so you can simply map the real
> namespaced owner and group into RichACLs (or another xattr) and force
> the inode uid/gid to be root/root (or maybe nobody/nogroup or
> something).

It's going to be all about mapping tables, and whether the mapping is
done in userspace or kernel space.  For example, you might want to
take a Kerberos principal name, and mapping it to a 128bit identifier
(64 bit realm id + 64 bit user id), and that in turn might require
mapping to some 32-bit Linux uid namespace.

If people want to support multiple 32-bit Linux uid namespaces, then
it's a question of how you name these uid name spaces, and how to
manage the mapping tables outside of kernel, and how the mapping
tables get loaded into the kernel.

> I am of course making it sound a million times easier than it's
> actually likely to be, but I do think it's possible without too many
> odd corner cases.

It's not the corner cases, it's all of the different name spaces that
different system administrators and their sites are going to want to
use, and how to support them all....

And of course, once we start naming uid name spaces, eventually
someone will want to virtualize containers, and then we will have
namespaces for namespaces.  (It's turtles all the way down!  :-)

						- Ted

  reply	other threads:[~2011-10-14 15:54 UTC|newest]

Thread overview: 78+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-10-06 23:17 A Plumber’s Wish List for Linux Kay Sievers
2011-10-06 23:46 ` Andi Kleen
2011-10-07  0:13   ` Lennart Poettering
2011-10-07  1:57     ` Andi Kleen
2011-10-07 15:58       ` Lennart Poettering
2011-10-19 23:16     ` H. Peter Anvin
2011-10-07  7:49 ` Matt Helsley
2011-10-07 16:01   ` Lennart Poettering
2011-10-08  4:24     ` Eric W. Biederman
2011-10-10 16:31       ` Lennart Poettering
2011-10-10 20:59         ` Detecting if you are running in a container Eric W. Biederman
2011-10-10 21:41           ` Lennart Poettering
2011-10-11  5:40             ` Eric W. Biederman
2011-10-11  6:54             ` Eric W. Biederman
2011-10-12 16:59             ` Kay Sievers
2011-11-01 22:05               ` [lxc-devel] " Michael Tokarev
2011-11-01 23:51                 ` Eric W. Biederman
2011-11-02  8:08                   ` Michael Tokarev
2011-10-11  1:32           ` Ted Ts'o
2011-10-11  2:05             ` Matt Helsley
2011-10-11  3:25               ` Ted Ts'o
2011-10-11  6:42                 ` Eric W. Biederman
2011-10-11 12:53                   ` Theodore Tso
2011-10-11 21:16                     ` Eric W. Biederman
2011-10-11 22:30                       ` david
2011-10-12  4:26                         ` Eric W. Biederman
2011-10-12  5:10                           ` david
2011-10-12 15:08                             ` Serge E. Hallyn
2011-10-12 17:57                       ` J. Bruce Fields
2011-10-12 18:25                         ` Kyle Moffett
2011-10-12 19:04                           ` J. Bruce Fields
2011-10-12 19:12                             ` Kyle Moffett
2011-10-14 15:54                               ` Ted Ts'o [this message]
2011-10-14 18:04                                 ` Eric W. Biederman
2011-10-14 21:58                                   ` H. Peter Anvin
2011-10-16  9:42                                     ` Eric W. Biederman
2011-10-30 20:11                                       ` H. Peter Anvin
2011-11-01 13:38                                         ` Eric W. Biederman
2011-10-11 22:25               ` david
2011-10-07 10:12 ` A Plumber’s Wish List for Linux Alan Cox
2011-10-07 10:28   ` Kay Sievers
2011-10-07 10:38     ` Alan Cox
2011-10-07 12:46       ` Kay Sievers
2011-10-07 13:39         ` Theodore Tso
2011-10-07 15:21         ` Hugo Mills
2011-10-10 11:18           ` A Plumber???s " David Sterba
2011-10-10 13:09             ` Theodore Tso
2011-10-13  0:28               ` Dave Chinner
2011-10-14 15:47                 ` Ted Ts'o
2011-10-11 13:14             ` Serge E. Hallyn
2011-10-11 15:49               ` Andrew G. Morgan
2011-10-12  2:31                 ` Serge E. Hallyn
2011-10-12 20:51                 ` Lennart Poettering
2011-10-08  9:53         ` A Plumber’s " Bastien ROUCARIES
2011-10-09  3:15           ` Alex Elsayed
2011-10-07 16:07       ` Valdis.Kletnieks
2011-10-07 12:35 ` Vivek Goyal
2011-10-07 18:59 ` Greg KH
2011-10-09 12:20   ` Kay Sievers
2011-10-09  8:45 ` Rusty Russell
2011-10-11 23:16 ` Andrew Morton
2011-10-12  0:53   ` Frederic Weisbecker
2011-10-12  0:59   ` Frederic Weisbecker
     [not found]     ` <20111012174014.GE6281@google.com>
2011-10-12 18:16       ` Cyrill Gorcunov
2011-10-14 15:38         ` Frederic Weisbecker
2011-10-14 16:01           ` Cyrill Gorcunov
2011-10-14 16:08             ` Cyrill Gorcunov
2011-10-14 16:19               ` Frederic Weisbecker
2011-10-19 21:19           ` Paul Menage
2011-10-19 21:12 ` Paul Menage
2011-10-19 23:03   ` Lennart Poettering
2011-10-19 23:09     ` Paul Menage
2011-10-19 23:31       ` Lennart Poettering
2011-10-22 10:21         ` Frederic Weisbecker
2011-10-22 15:28           ` Lennart Poettering
2011-10-25  5:40             ` Li Zefan
2011-10-30 17:18               ` Lennart Poettering
2011-11-01  1:27                 ` Li Zefan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20111014155406.GC13119@thunk.org \
    --to=tytso@mit.edu \
    --cc=bfields@fieldses.org \
    --cc=containers@lists.osdl.org \
    --cc=daniel.lezcano@free.fr \
    --cc=david@fubar.dk \
    --cc=ebiederm@xmission.com \
    --cc=greg@kroah.com \
    --cc=harald@redhat.com \
    --cc=kay.sievers@vrfy.org \
    --cc=kyle@moffetthome.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lxc-devel@lists.sourceforge.net \
    --cc=matthltc@us.ibm.com \
    --cc=mzxreary@0pointer.de \
    --cc=paul@paulmenage.org \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).