Use cases for multiple uid mapping?

Stéphane Graber stgraber at stgraber.org
Fri Aug 28 15:55:44 UTC 2020 

On Fri, Aug 28, 2020 at 11:21 AM Eric W. Biederman
<ebiederm at xmission.com> wrote:
>
>
> We had a discussion in the hackroom at LPC talking about use cases for
> a shiftfs style setup where there are different mappings of uids to
> disk.
>
> In the discussion we had a couple of ideas of kernel developments
> we should look at that address some of these.
>
> - Fix rlimits in user namespaces (This potentially allows multiple
>   containers to run with the same userids simplifying the mapping
>   problem).
>
> - Look at extending kuid_t to 64bits and using the highbits to
>   implement uids that are private to user namespaces and don't
>   map out.
>
> - Look at ways for allowing setgroups unprivileged.
>
>
> Together this has the potential that the existing uid & gid mappings
> will be able to function the same as the proposed fusid mappings. Fingers crossed.
>
>
> I had some problems with audio and a lot of people were talking
> quickly.  So I did not manage to capture everyone's use cases.   And I
> definitely was not able to see how everyone's use cases interacted with
> the changes we are looking at.
>
> I know for certain I missed Serge's usecase (apologies).
>
> Can people follow up to this and report their use cases?
>
> There are some real challenges and I would like to see if we
> can solve them, while avoiding scary problems like changing
> uids on write.
>
> Eric

Hi Eric,

It was great to have you and everyone else participate in that session.
There was indeed a lot covered in there and a lot of use cases we'll
have to keep in mind!

The main outcomes we captured I believe were:
 - Fixing rlimits in user namespaces such that one namespace cannot
affect another
 - Consider switching the kernel uid/git types to 64bit, allowing for
a hidden 32bit identifier and fully usable 32bit uid/gid range for the
container
 - Find a way to allow setgroups() in a user namespace while keeping
in mind the case of groups used for negative access control
 - Add optional enforcement that overflow uid/gid as set through
sysctl cannot be used as regular uid/gid on the system

Christian is working on a comprehensive summary of the session based
on the shared notes document we circulated at the beginning of the
session which will try to separate the different topics and cover use
cases and potential solutions for each as we discussed in the BoF.

We'll make sure that everyone who attended the BoF gets CCed on that,
on top of the usual mailing-lists so that should any of the use raised
use cases have been missed in the notes, those folks can raise them
again so we don't end up missing anything :)

Stéphane

More information about the Containers mailing list