[Lsf-pc] Authentication Contexts for network file systems and Containers was Re: [LSF/MM ATTEND] FS jitter testing, network caching, Lustre, cluster filesystems.

Jeffrey Altman jaltman at auristor.com
Tue Jan 17 16:29:04 UTC 2017


On 1/16/2017 4:03 PM, James Bottomley wrote:
> [...]
> 
> OK, so snipping all the details: it's a per process property and
> inherited, I don't even see that it needs anything container specific. 
> The pid namespace should be sufficient to keep any potential security
> leaks contained and the inheritance model should just work with
> containers.

Agreed.

>> While a file system can internally create an association between an
>> authentication context with a file descriptor once it is created and
>> with pages for write-back, I believe there would be benefit from a
>> more generic method of tracking authentication contexts in file
>> descriptors and pages.  In particular there would be better defined
>> behavior when a file has been opened for "write" from processes
>> associated with more than one authentication context.
> 
> As long as an "authentication" becomes a property of a file descriptor
> (like a token), then I don't see any container problems: fds are
> namespace blind, so they can be passed between containers and your
> authorizations would go with them.  If you need to go back to a process
> as part of the authorization, then there would be problems because
> processes are namespaced.
> 
>> For example, the problems that AFS is currently experiencing with
>> systemd. A good description of problem by Jonathan Billings can be
>> found at
>>
>>
>> https://docs.google.com/document/d/1P27fP1uj-C8QdxDKMKtI-Qh00c5_9zJa4
>> YHjn=pB6ODM/pub
> 
> This is giving me "Sorry, the file you have requested does not exist."

Not sure how an extra '=' got in there.

https://docs.google.com/document/d/1P27fP1uj-C8QdxDKMKtI-Qh00c5_9zJa4YHjnpB6ODM/pub

Jeffrey Altman
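The distinction drawn above (an authorization that is a property of the open file, so it travels with the descriptor wherever it is passed, versus one that must be looked up by process identity, which breaks as soon as the consumer is a different process) can be shown with plain POSIX machinery. The following is an added example, not code from the thread or from AFS: it marks an open file description with O_APPEND as a stand-in for a token, hands the descriptor to a forked child over a UNIX socket with SCM_RIGHTS, and lets the child report what it sees. It assumes Linux and Python 3.9 or later (for socket.send_fds / recv_fds); the pid-keyed table is a constructed illustration of authorization tied to a process rather than to the file.

```python
import fcntl
import json
import os
import socket
import tempfile

# Constructed stand-in for "authorization keyed by process": a table that
# maps a pid to a token. It is only meaningful inside the process that
# built it, which is the failure mode the thread describes.
PID_KEYED_TOKENS = {}


def fd_token_survives_transfer():
    """Pass an fd to a child over SCM_RIGHTS and report what the child observes.

    Returns a dict with:
      same_file        - child's received fd refers to the same inode
      append_flag      - the O_APPEND "token" on the open file description is
                         visible through the received fd
      pid_keyed_token  - what the child finds when it looks itself up by pid
                         in the parent's pid-keyed table (None: lookup fails)
      parent_pid / child_pid
    """
    tmp = tempfile.NamedTemporaryFile(delete=False)
    path = tmp.name
    tmp.close()

    fd = os.open(path, os.O_RDWR)
    # Attach the "token" to the open file description, not to the process.
    fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_APPEND)
    parent_ino = os.fstat(fd).st_ino

    # Process-keyed authorization: only the parent's pid is in the table.
    PID_KEYED_TOKENS[os.getpid()] = "parent-token"

    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        # Child: drop the inherited copy so the only route to the file is
        # the descriptor received over the socket.
        parent_sock.close()
        os.close(fd)
        _, fds, _, _ = socket.recv_fds(child_sock, 1024, 1)
        rfd = fds[0]
        flags = fcntl.fcntl(rfd, fcntl.F_GETFL)
        report = {
            "ino": os.fstat(rfd).st_ino,
            "append": bool(flags & os.O_APPEND),
            "pid_keyed_token": PID_KEYED_TOKENS.get(os.getpid()),
            "child_pid": os.getpid(),
        }
        child_sock.sendall(json.dumps(report).encode())
        os._exit(0)

    # Parent: send the descriptor, then read the child's report until EOF.
    child_sock.close()
    socket.send_fds(parent_sock, [b"fd-with-token"], [fd])
    chunks = []
    while True:
        data = parent_sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    os.waitpid(pid, 0)
    parent_sock.close()
    os.close(fd)
    os.unlink(path)

    report = json.loads(b"".join(chunks).decode())
    return {
        "same_file": report["ino"] == parent_ino,
        "append_flag": report["append"],
        "pid_keyed_token": report["pid_keyed_token"],
        "parent_pid": os.getpid(),
        "child_pid": report["child_pid"],
    }


if __name__ == "__main__":
    print(fd_token_survives_transfer())
```

The child sees the same inode and the same O_APPEND state through the descriptor it received, because both live on the open file description the socket carried across; its lookup in the pid-keyed table comes back empty, because the child is a different process. That is the whole argument for making an authentication context a property of the descriptor (or the open file) rather than something resolved back through a process, and a pid namespace boundary only makes the process-keyed lookup fail more reliably.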
