Re: [RFC PATCH 00/27] Containers and using authenticated filesystems

From: David Howells
Date: Tue Feb 19 2019 - 18:42:22 EST


Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:

> So you missed the main mailing lists for discussion of this kind of
> thing

Yeah, sorry about that. I was primarily aiming it at Trond and Steve as I'd
like to consider how to go about interpolating request_key() into NFS and CIFS
so that they can make use of the key-related facilities that this makes
available with AFS. And I was a bit tight for time to mail it out before
having to go out. I know, excuses... ;-)

> and the maintainer.

That would be me. I maintain keyrings.

No one is listed in MAINTAINERS as owning namespaces. If you feel that should
be you, please add a record.

> Looking at your description you are introducing a container id.

Yes. For audit logging, which was why I cc'd Richard.

> You don't describe which namespace your container id lives in.

It doesn't. Not everything has to have a namespace. As you yourself pointed
out, it should be globally unique, in which case the world is the namespace,
maybe even the universe ;-).

> Without the container id living in a container this breaks
> nested containers and process migration aka CRIU.

As long as IDs are globally unique, why should it break container migration?
Having a kernel container object might even make CRIU easier.

And what does "Without the container id living in a container" mean anyway? I
have IDs attached to containers. A container can see the IDs of its child
containers. There should be no problem with nesting.

David