On Tue, 2016-10-25 at 21:41 +0100, David Howells wrote:
> Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>
> > ... Perhaps we could simply *remove* the concept of named keys and
> > keyrings.
>
> See Linus's dictum about breaking userspace.

We wouldn't have to ... we'd simply declare the current interface to be a legacy one, which means it doesn't work with containers and namespaces, give it a new compile time option so the distros could remove it if they had no actual users, and then present a v2 which does what we need and works with namespaces.

> The problem isn't named keys: keys have to be named - the description
> is how they're looked up typically. Further, non-keyring keys can't
> be looked up directly by name - you have to search for them in a
> keyring.
>
> The issue here is named keyrings and keyctl_join_session_keyring().
> It might well have been a bad idea - though I've seen some people
> arguing for a single session keyring shared across all a user's
> logins, in which case, we might want this after all (or use the
> user-default session).
>
> One thing we perhaps do want to do, though, is restrict the names of
> keyrings to the user_namespace in which the keyring was created.

Sounds fine to me since most things created within a namespace either get destroyed or placed in the parent when it is destroyed.

Perhaps we want to agree on what semantics we want first before we start inventing the new API.

James

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers