[Ksummit-discuss] [TECH TOPIC] Containerisation, namespaces and keyrings

Tue Jul 26 13:30:24 UTC 2016

Quoting James Bottomley (James.Bottomley at HansenPartnership.com):
> On Fri, 2016-07-22 at 12:01 +0100, David Howells wrote:
> > I'm not sure this is the right venue for this, but keyrings will need 
> > to be namespaced/containerised at some point.
> 
> There are various unvirtualised subsystems within Linux.  There has
> been discussion on the containers mailing list about how:
> 
> http://thread.gmane.org/gmane.linux.kernel.containers/30371
> 
> So far Eric has advocated for making things like this properties of the
> user namespace; I'm more inclined to a separate namespace for
> delegates, but nothing's been decided.
> 
> Proposing on the containers list should be your first step (I've added
> the list to the cc).
> 
> > The problem is that it's an icky problem given that different key 
> > types really want to live in different namespaces, and upcalls may 
> > want to done in different containers, depending on the key type.
> 
> Surely if you virtualize, you'll have a namespace label per key (or
> keyring) so they'll be in one and only one namespace.
> 
> The upcall problem sounds like it might be similar to the nfsd one,
> which is nasty.  Describing it on the list would help people
> understand.
> 
> > For example, DNS resolver keys - should they be in the network, the 
> > filesystem namespace or neither?  Should the upcall be in the current 
> > container or the root container?
> 
> Depends what the upcall does.
> 
> > Authentication keys, such as used by kafs and AF_RXRPC - should they 
> > be in the filesystem namespace (kafs is an fs), the network namespace 
> > (AF_RXRPC is a net protocol) or the user namespace?
> 
> I'm sort of starting to see Eric's point now, since every namespace has
> an owning user namespace, if they were in that the question is
> naturally answered.
> 
> > Should crypto keys, such as the asymmetric key type, be in the user 
> > namespace? What about use by module signing?  Should key operations 
> > in the current container have access to a blacklist in the root 
> > container?  Should key verification in the current container have 
> > access to system keyrings?   The TPM?
> > 
> > This might actually be right for a hallway track.

Hi,

Just chiming in to say that if there were to be namespace discussion at
ksummit I'd like to be involved.  Mostly staying quiet as I don't expect
it since m-l typically works fine.

> 
> Actually, I really think this isn't a KS issue, it should be proposed
> for the Plumbers Containers MC:
> 
> http://www.linuxplumbersconf.org/2016/ocw/events/LPC2016/tracks/519
> 
> You have all the correct people in that session.  At KS you'll have 50%
> bored, 48% hostile because they hate cgroups and 2% interested.

Eh, hostile is useful - forged in the crucible and all that.

> James

-serge