From: "Ted Ts'o"
To: Kyle Moffett
Cc: "J. Bruce Fields", "Eric W. Biederman", Matt Helsley, Lennart Poettering, Kay Sievers, linux-kernel@vger.kernel.org, harald@redhat.com, david@fubar.dk, greg@kroah.com, Linux Containers, "Serge E. Hallyn", Daniel Lezcano, Paul Menage
Date: Fri, 14 Oct 2011 11:54:06 -0400
Subject: Re: Detecting if you are running in a container
Message-ID: <20111014155406.GC13119@thunk.org>
References: <20111011013201.GA7948@thunk.org> <20111011020530.GG16723@count0.beaverton.ibm.com> <20111011032523.GB7948@thunk.org> <203BBB0D-293D-4BFB-A57B-41C56F58F9B3@mit.edu> <20111012175702.GA23231@fieldses.org> <20111012190452.GA23845@fieldses.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 12, 2011 at 03:12:34PM -0400, Kyle Moffett wrote:
> Well, you're going to need to introduce a bunch of new xattrs to
> handle the namespacing anyways.
>
> As I understand it you can use RichACLs to grant all the same
> privileges as owner and group, so you can simply map the real
> namespaced owner and group into RichACLs (or another xattr) and force
> the inode uid/gid to be root/root (or maybe nobody/nogroup or
> something).

It's going to be all about mapping tables, and whether the mapping is
done in userspace or kernel space. For example, you might want to take
a Kerberos principal name and map it to a 128-bit identifier (64-bit
realm id + 64-bit user id), and that in turn might require mapping to
some 32-bit Linux uid namespace. If people want to support multiple
32-bit Linux uid namespaces, then it's a question of how you name these
uid name spaces, how to manage the mapping tables outside of the kernel,
and how the mapping tables get loaded into the kernel.

> I am of course making it sound a million times easier than it's
> actually likely to be, but I do think it's possible without too many
> odd corner cases.

It's not the corner cases, it's all of the different name spaces that
different system administrators and their sites are going to want to
use, and how to support them all....

And of course, once we start naming uid name spaces, eventually someone
will want to virtualize containers, and then we will have namespaces
for namespaces. (It's turtles all the way down! :-)

- Ted
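The two-level mapping Ted sketches (Kerberos principal to a 128-bit id, then into a 32-bit uid namespace, with namespaces nested inside namespaces), modelled as an added example that is not part of this thread or of any kernel code. The realm table, deriving the 64-bit user half by hashing, the overflow uid 65534 for anything unmapped, and the range-based composition borrowed from the later /proc/<pid>/uid_map of Linux user namespaces are all assumptions made for the demo.

```python
import hashlib
from typing import Optional

OVERFLOW_UID = 65534          # assumed: what an unmapped id shows up as ("nobody")
MASK64 = (1 << 64) - 1

def principal_to_id128(principal: str, realm_ids: dict) -> int:
    """'user@REALM' -> (64-bit realm id << 64) | 64-bit user id.
    realm_ids is an assumed site-managed table; the user half is hashed here
    only for the demo (a real site would assign it from its own table)."""
    user, realm = principal.rsplit("@", 1)
    realm_id = realm_ids[realm] & MASK64            # KeyError: unknown realm
    user_id = int.from_bytes(hashlib.sha256(user.encode()).digest()[:8], "big")
    return (realm_id << 64) | user_id

class UidNamespace:
    """One 32-bit uid space. `table` maps 128-bit ids to uids inside it;
    `parent_map` is a list of (inside_start, outside_start, count) ranges
    projecting this namespace's uids into `parent`."""
    def __init__(self, table=None, parent=None, parent_map=()):
        self.table, self.parent = dict(table or {}), parent
        self.parent_map = list(parent_map)

    def uid_for(self, id128: int) -> int:
        return self.table.get(id128, OVERFLOW_UID)   # unknown identity -> nobody

    def to_parent(self, uid: int) -> Optional[int]:
        for inside, outside, count in self.parent_map:
            if inside <= uid < inside + count:
                return outside + (uid - inside)
        return None                                  # no range covers this uid

    def to_host(self, uid: int) -> int:
        """Walk up the nested namespaces (turtles all the way down) to the
        host uid; dropping out of any map on the way yields the overflow uid."""
        ns = self
        while ns.parent is not None:
            mapped = ns.to_parent(uid)
            if mapped is None:
                return OVERFLOW_UID
            uid, ns = mapped, ns.parent
        return uid

def demo() -> int:
    realms = {"EXAMPLE.ORG": 7}                      # constructed realm table
    alice = principal_to_id128("alice@EXAMPLE.ORG", realms)
    host = UidNamespace()
    container = UidNamespace({alice: 1000}, host, [(0, 100000, 65536)])
    inner = UidNamespace({}, container, [(0, 1000, 1)])   # nested namespace
    return inner.to_host(0) if container.uid_for(alice) == 1000 else OVERFLOW_UID
```

Every table lives outside the kernel and is loaded per namespace, which is exactly the management problem the message points at: each extra level adds another table that has to be named, distributed and composed.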