Date: Wed, 20 Feb 2019 15:18:37 +0100
From: Christian Brauner
To: "Eric W. Biederman"
Cc: David Howells, linux-cifs@vger.kernel.org, linux-nfs@vger.kernel.org, linux-api@vger.kernel.org, Linux Containers, linux-kernel@vger.kernel.org, sfrench@samba.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-fsdevel@vger.kernel.org, trond.myklebust@hammerspace.com
Subject: Re: [RFC PATCH 00/27] Containers and using authenticated filesystems
Message-ID: <20190220141715.ukjo5d4ctepahl43@brauner.io>

On Tue, Feb 19, 2019 at 10:35:20AM -0600, Eric W. Biederman wrote:
>
> So you missed the main mailing lists for discussion of this kind of
> thing, and the maintainer. So I have reservations about the quality of
> your due diligence already.
>
> Looking at your description you are introducing a container id.
> You don't describe which namespace your container id lives in.
> Without the container id living in a container this breaks
> nested containers and process migration aka CRIU.
>
> So based on your description.
>
> Nacked-by: "Eric W. Biederman"
>
>
>
> David Howells writes:
>
> > Here's a collection of patches that containerises the kernel keys and makes
> > it possible to separate keys by namespace. This can be extended to any
> > filesystem that uses request_key() to obtain the pertinent authentication
> > token on entry to VFS or socket methods.

/me puts on kernel hat:

I'm not necessarily opposed to making containers kernel objects even though I have been for quite a while (for brevity I'll use "kcontainers" for this). But I think the approach taken here is a little misguided. This patchset pushes the argument that kcontainers are needed because of keyrings and authenticated filesystems and is designed around this use-case. Imho, that is bound to fall short of requirements and use-cases that have been piling up over the years. If we want to make kcontainers a thing we need to have a separate discussion and a separate patchset that is *solely* concerned with creating a kcontainer api. And frankly, that is likely going to take a long time.

At this point containers have become a real "thing" on Linux - like it or not. So justifying it to making them in-kernel citizens doesn't need the detour over keyrings or something else. We should just discuss whether we think that the benefits of kcontainers (e.g. security) outweigh the costs (e.g. maintenance).

/me puts on runtime maintainer hat:

One thing that is true is that userspace containers (let's call them "ucontainers") as implemented by runtimes today will not go away. We have been living with this ad-hoc concept and its various implementations on upstream Linux at least since 2008. And kernels without kcontainers will be with us until the end of (Linux)time probably.
So anyone who thinks that kcontainers will replace ucontainers and that'll be it will be thoroughly disappointed in the end. It is also very likely that not all use-cases we can currently cover with ucontainers can be covered by kcontainers. Now that might be ok but if we ever introduce kcontainers through a proper kernel api we will end up maintaining ucontainers and kcontainers simultaneously. That's a burden we shouldn't underestimate.