[PATCH 4/6] user namespaces: add user_ns to super block

Eric W. Biederman ebiederm at xmission.com
Mon Jul 28 16:03:45 PDT 2008


Matt Helsley <matthltc at us.ibm.com> writes:

> 	Would this require passing the vfsmount to the filesystems themselves,
> or would they be within the VFS code only? 

The interesting bit is the user_namespace contained in the vfsmount.  We
can pass that down.  I think semantically it makes sense for a filesystem
mount to only operate in a single mount namespace.

> If not wholly within the VFS
> I wonder if Al Viro would object to this. He's resisted past attempts to
> pass the vfsmount structs into more filesystem code paths and I'm
> guessing that could affect whether or not this approach can be
> implemented.

Dave Hansen raised that concern when we were talking about it earlier.  Since
we just care about a property of the mount it isn't a big deal.

Actually thinking about this a little farther it may be simplest to have the
mnt_namespace capture the user_namespace, although that doesn't seem to map
semantically very well with cloning of the filesystem.

This is very much a question of how we map the uid/gids stored in the filesystem
into the uids/gids in the kernel.  Which user namespace do they belong in?

Especially in the case of read-only mounts we can safely share a filesystem between
user_namespaces with no changes to the filesystem, which I suspect is the
first case we want to allow, as that is a tremendous saving in space if you have
lots of instances of the same distro, and people have been doing it with /usr
for years.

Eric
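The mapping question Eric raises (which user namespace the uids stored on disk belong to, and what a task in another namespace sees) can be made concrete with a small userspace model. The following is an added example, not code from this thread, from the patch series, or from the kernel. It mirrors the shape of the mechanism Linux eventually merged (a user namespace hung off the super block as `s_user_ns`, ids lifted into a global `kuid` with `make_kuid()` and viewed from a task's namespace with `from_kuid()`, unmapped ids reported as the overflow uid), but the structs, fixture namespaces, device names and helper signatures here are simplified assumptions of this example, not kernel types.

```c
/*
 * Userspace model of mapping on-disk uids through user namespaces.
 * Added example, not kernel code: struct names and fixtures are assumptions
 * chosen to mirror the shape of s_user_ns / make_kuid() / from_kuid().
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_UID  ((uint32_t)-1)   /* no mapping exists */
#define OVERFLOW_UID 65534u           /* what an unmapped id is reported as */
#define MAX_EXTENTS  5

/* One uid_map line: [first, first+count) here == [lower_first, ...) in parent. */
struct uid_extent { uint32_t first, lower_first, count; };

struct user_ns {
    const char *name;
    const struct user_ns *parent;     /* NULL for init_user_ns */
    struct uid_extent map[MAX_EXTENTS];
    size_t nr_extents;
};

/* The property the thread wants on the mount: whose ids are stored on disk. */
struct super_block {
    const char *dev;
    const struct user_ns *s_user_ns;
    int read_only;
};

/* Constructed fixture: host namespace plus two containers sharing a read-only
 * /usr owned by the host; each container maps local 0..999 onto a disjoint
 * host range, as a uid_map line "0 100000 1000" would.  scratch_a is a
 * writable filesystem mounted from inside container A. */
static const struct user_ns init_user_ns = { "init", NULL, {{0, 0, 0}}, 0 };
static const struct user_ns ctr_a = { "ctr_a", &init_user_ns, {{0, 100000, 1000}}, 1 };
static const struct user_ns ctr_b = { "ctr_b", &init_user_ns, {{0, 200000, 1000}}, 1 };
static const struct super_block usr_sb    = { "/dev/shared_usr", &init_user_ns, 1 };
static const struct super_block scratch_a = { "/dev/scratch_a",  &ctr_a,        0 };

/* Local id in ns -> id in ns->parent. */
static uint32_t map_id_down(const struct user_ns *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_UID;
}

/* Id in ns->parent -> local id in ns. */
static uint32_t map_id_up(const struct user_ns *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (id >= e->lower_first && id - e->lower_first < e->count)
            return e->first + (id - e->lower_first);
    }
    return INVALID_UID;
}

/* make_kuid: raw id as stored by ns -> global kuid (an id in init_user_ns). */
static uint32_t make_kuid(const struct user_ns *ns, uint32_t raw)
{
    uint32_t id = raw;
    for (; ns->parent && id != INVALID_UID; ns = ns->parent)
        id = map_id_down(ns, id);
    return id;
}

/* from_kuid: global kuid -> id as seen from ns, INVALID_UID if unmapped. */
static uint32_t from_kuid(const struct user_ns *ns, uint32_t kuid)
{
    const struct user_ns *chain[16];
    size_t depth = 0;
    for (const struct user_ns *p = ns; p->parent && depth < 16; p = p->parent)
        chain[depth++] = p;                    /* innermost first */
    uint32_t id = kuid;
    while (depth > 0 && id != INVALID_UID)
        id = map_id_up(chain[--depth], id);    /* walk from init downwards */
    return id;
}

/* st_uid a task in task_ns sees for an inode whose on-disk owner is raw_uid. */
static uint32_t inode_uid_as_seen(const struct super_block *sb, uint32_t raw_uid,
                                  const struct user_ns *task_ns)
{
    uint32_t id = from_kuid(task_ns, make_kuid(sb->s_user_ns, raw_uid));
    return id == INVALID_UID ? OVERFLOW_UID : id;   /* from_kuid_munged */
}

/* Raw id to store for a chown to local new_uid from task_ns, or INVALID_UID
 * when the target cannot be expressed in sb's namespace or sb is read-only. */
static uint32_t chown_raw_uid(const struct super_block *sb, uint32_t new_uid,
                              const struct user_ns *task_ns)
{
    if (sb->read_only)
        return INVALID_UID;
    return from_kuid(sb->s_user_ns, make_kuid(task_ns, new_uid));
}

int main(void)
{
    const struct user_ns *views[] = { &init_user_ns, &ctr_a, &ctr_b };
    uint32_t owners[] = { 0, 100000, 200005 };
    for (size_t o = 0; o < 3; o++)
        for (size_t v = 0; v < 3; v++)
            printf("on-disk uid %6u on %s seen from %-6s as %u\n",
                   (unsigned)owners[o], usr_sb.dev, views[v]->name,
                   (unsigned)inode_uid_as_seen(&usr_sb, owners[o], views[v]));
    return 0;
}
```

The shared read-only /usr is the safe case from the message: its on-disk root-owned files show up as root on the host and as the overflow uid inside either container, and no container can chown anything on it. The writable `scratch_a` shows why the namespace has to be a property of the mount: an id written by container A is stored raw, the host sees it as 100000+, and the host's own root (kuid 0) has no representation on that filesystem at all.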


More information about the Containers mailing list