El vie., 28 de agosto de 2020 10:47 a. m., < containers-request@xxxxxxxxxxxxxxxxxxxxxxxxxx> escribió: > Send Containers mailing list submissions to > containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.linuxfoundation.org/mailman/listinfo/containers > or, via email, send a message with subject or body 'help' to > containers-request@xxxxxxxxxxxxxxxxxxxxxxxxxx > > You can reach the person managing the list at > containers-owner@xxxxxxxxxxxxxxxxxxxxxxxxxx > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Containers digest..." > > > Today's Topics: > > 1. Use cases for multiple uid mapping? (Eric W. Biederman) > 2. Re: Overlayfs @Plumbers (Eric W. Biederman) > 3. Re: Use cases for multiple uid mapping? (St?phane Graber) > 4. Re: Overlayfs @Plumbers (Aleksa Sarai) > 5. Re: Use cases for multiple uid mapping? (Sargun Dhillon) > 6. HELLO (WIDOW COLON DENISE.G) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 28 Aug 2020 10:17:16 -0500 > From: ebiederm@xxxxxxxxxxxx (Eric W. Biederman) > To: Linux Containers <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx> > Cc: Christian Brauner <christian.brauner@xxxxxxxxxx> > Subject: Use cases for multiple uid mapping? > Message-ID: <87zh6eiyv7.fsf@xxxxxxxxxxxxxxxxxxxxx> > Content-Type: text/plain > > > We had a discussion in the hackroom at LPC talking about use cases for > a shiftfs style setup where there are different mappings of uids to > disk. > > In the discussion we had a couple of ideas of kernel developments > we should look at that address some of these. > > - Fix rlimits in user namespaces (This potentially allows multiple > containers to run with the same userids simplifying the mapping > problem). > > - Look at extending kuid_t to 64bits and using the highbits to > implement uids that are private to user namespaces and don't > map out. > > - Look at ways for allowing setgroups unprivileged. > > > Together this has the potential that the existing uid & gid mappings > will be able to function the same as the proposed fusid mappings. Fingers > crossed. > > > I had some problems with audio and a lot of people were talking > quickly. So I did not manage to capture everyone's use cases. And I > definitely was not able to see how everyone's use cases interacted with > the changes we are looking at. > > I know for certain I missed Serge's usecase (apologies). > > Can people follow up to this and report their use cases? > > There are some real challenges and I would like to see if we > can solve them, while avoiding scary problems like changing > uids on write. > > Eric > > > > > > > > > > > > > ------------------------------ > > Message: 2 > Date: Fri, 28 Aug 2020 10:33:16 -0500 > From: ebiederm@xxxxxxxxxxxx (Eric W. Biederman) > To: Amir Goldstein <amir73il@xxxxxxxxx> > Cc: Linux Containers <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx>, > overlayfs <linux-unionfs@xxxxxxxxxxxxxxx> > Subject: Re: Overlayfs @Plumbers > Message-ID: <87tuwmiy4j.fsf@xxxxxxxxxxxxxxxxxxxxx> > Content-Type: text/plain > > Amir Goldstein <amir73il@xxxxxxxxx> writes: > > > Hi Guys, > > > > It's been nice to virtually meet with you yesterday. > > Some of you wanted to follow up on overlayfs related issues. > > > > If you want to discuss, try to find me in one of the > > https://meet.2020.linuxplumbersconf.org/hackrooms > > today between 16:00-17:00 UTC > > (No need to enter the room to see who's inside) > > > > If those times do not work for you, contact me and we can try > > to schedule another time. > > Did this conversation wind up happening? Do we need to reschedule? > > Eric > > > ------------------------------ > > Message: 3 > Date: Fri, 28 Aug 2020 11:55:44 -0400 > From: St?phane Graber <stgraber@xxxxxxxxxxxx> > To: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > Cc: Linux Containers <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx>, > Christian Brauner <christian.brauner@xxxxxxxxxx> > Subject: Re: Use cases for multiple uid mapping? > Message-ID: > <CA+enf= > u7nenUStSs-UHzQouPVaJSHnEOcoQ_ecvhkrjLuxLkeA@xxxxxxxxxxxxxx> > Content-Type: text/plain; charset="UTF-8" > > On Fri, Aug 28, 2020 at 11:21 AM Eric W. Biederman > <ebiederm@xxxxxxxxxxxx> wrote: > > > > > > We had a discussion in the hackroom at LPC talking about use cases for > > a shiftfs style setup where there are different mappings of uids to > > disk. > > > > In the discussion we had a couple of ideas of kernel developments > > we should look at that address some of these. > > > > - Fix rlimits in user namespaces (This potentially allows multiple > > containers to run with the same userids simplifying the mapping > > problem). > > > > - Look at extending kuid_t to 64bits and using the highbits to > > implement uids that are private to user namespaces and don't > > map out. > > > > - Look at ways for allowing setgroups unprivileged. > > > > > > Together this has the potential that the existing uid & gid mappings > > will be able to function the same as the proposed fusid mappings. > Fingers crossed. > > > > > > I had some problems with audio and a lot of people were talking > > quickly. So I did not manage to capture everyone's use cases. And I > > definitely was not able to see how everyone's use cases interacted with > > the changes we are looking at. > > > > I know for certain I missed Serge's usecase (apologies). > > > > Can people follow up to this and report their use cases? > > > > There are some real challenges and I would like to see if we > > can solve them, while avoiding scary problems like changing > > uids on write. > > > > Eric > > Hi Eric, > > It was great to have you and everyone else participate in that session. > There was indeed a lot covered in there and a lot of use cases we'll > have to keep in mind! > > The main outcomes we captured I believe were: > - Fixing rlimits in user namespaces such that one namespace cannot > affect another > - Consider switching the kernel uid/git types to 64bit, allowing for > a hidden 32bit identifier and fully usable 32bit uid/gid range for the > container > - Find a way to allow setgroups() in a user namespace while keeping > in mind the case of groups used for negative access control > - Add optional enforcement that overflow uid/gid as set through > sysctl cannot be used as regular uid/gid on the system > > Christian is working on a comprehensive summary of the session based > on the shared notes document we circulated at the beginning of the > session which will try to separate the different topics and cover use > cases and potential solutions for each as we discussed in the BoF. > > We'll make sure that everyone who attended the BoF gets CCed on that, > on top of the usual mailing-lists so that should any of the use raised > use cases have been missed in the notes, those folks can raise them > again so we don't end up missing anything :) > > St?phane > > > ------------------------------ > > Message: 4 > Date: Sat, 29 Aug 2020 01:58:49 +1000 > From: Aleksa Sarai <asarai@xxxxxxx> > To: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > Cc: Linux Containers <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx>, > overlayfs <linux-unionfs@xxxxxxxxxxxxxxx> > Subject: Re: Overlayfs @Plumbers > Message-ID: <20200828155849.k46uk3x63aio3g3o@xxxxxxxxxxxxxxxxxxxx> > Content-Type: text/plain; charset="us-ascii" > > On 2020-08-28, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > Amir Goldstein <amir73il@xxxxxxxxx> writes: > > > > > Hi Guys, > > > > > > It's been nice to virtually meet with you yesterday. > > > Some of you wanted to follow up on overlayfs related issues. > > > > > > If you want to discuss, try to find me in one of the > > > https://meet.2020.linuxplumbersconf.org/hackrooms > > > today between 16:00-17:00 UTC > > > (No need to enter the room to see who's inside) > > > > > > If those times do not work for you, contact me and we can try > > > to schedule another time. > > > > Did this conversation wind up happening? Do we need to reschedule? > > This conversation already happened in a Hackroom on Tuesday. I'm not > sure if the Hackrooms will have their recordings published, so maybe > Amir can post any of the takeaways we had? > > -- > Aleksa Sarai > Senior Software Engineer (Containers) > SUSE Linux GmbH > <https://www.cyphar.com/> > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 833 bytes > Desc: not available > URL: < > http://lists.linuxfoundation.org/pipermail/containers/attachments/20200829/ee719859/attachment-0001.sig > > > > ------------------------------ > > Message: 5 > Date: Fri, 28 Aug 2020 10:03:45 -0700 > From: Sargun Dhillon <sargun@xxxxxxxxx> > To: St?phane Graber <stgraber@xxxxxxxxxxxx> > Cc: Linux Containers <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx>, "Eric W. > Biederman" <ebiederm@xxxxxxxxxxxx>, Christian Brauner > <christian.brauner@xxxxxxxxxx> > Subject: Re: Use cases for multiple uid mapping? > Message-ID: > < > CAMp4zn_Z6GVPvx6cuRhsJAfOhez-V-V-io0NXuzaQrWSgqadYw@xxxxxxxxxxxxxx> > Content-Type: text/plain; charset="UTF-8" > > On Fri, Aug 28, 2020 at 8:56 AM St?phane Graber via Containers > <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > > On Fri, Aug 28, 2020 at 11:21 AM Eric W. Biederman > > <ebiederm@xxxxxxxxxxxx> wrote: > > > > > > > > > We had a discussion in the hackroom at LPC talking about use cases for > > > a shiftfs style setup where there are different mappings of uids to > > > disk. > > > > > > In the discussion we had a couple of ideas of kernel developments > > > we should look at that address some of these. > > > > > > - Fix rlimits in user namespaces (This potentially allows multiple > > > containers to run with the same userids simplifying the mapping > > > problem). > > > > > > - Look at extending kuid_t to 64bits and using the highbits to > > > implement uids that are private to user namespaces and don't > > > map out. > > > > > > - Look at ways for allowing setgroups unprivileged. > > > > > > > > > Together this has the potential that the existing uid & gid mappings > > > will be able to function the same as the proposed fusid mappings. > Fingers crossed. > > > > > > > > > I had some problems with audio and a lot of people were talking > > > quickly. So I did not manage to capture everyone's use cases. And I > > > definitely was not able to see how everyone's use cases interacted with > > > the changes we are looking at. > > > > > > I know for certain I missed Serge's usecase (apologies). > > > > > > Can people follow up to this and report their use cases? > > > > > > There are some real challenges and I would like to see if we > > > can solve them, while avoiding scary problems like changing > > > uids on write. > > > > > > Eric > > > > Hi Eric, > > > > It was great to have you and everyone else participate in that session. > > There was indeed a lot covered in there and a lot of use cases we'll > > have to keep in mind! > > > > The main outcomes we captured I believe were: > > - Fixing rlimits in user namespaces such that one namespace cannot > > affect another > > - Consider switching the kernel uid/git types to 64bit, allowing for > > a hidden 32bit identifier and fully usable 32bit uid/gid range for the > > container > Seconding this. We run into a lot of problems with high UIDs. Some > systems think that uid 2**31-1 (I think it's 2**31-1) is their version of > 'nobody'. Being able to have 64-bit UIDs would solve this. > > Also making sure this works with NFSv4 (both ID mapped, and non- > ID mapped) is very important to us. It's fine if the UID / GID is just > "passthrough", and we don't need different mappings between > different filesystems in NFS (for now). We would like to be able > to be able to run idmapper in the user / pid / net namespace of > the container. > > > - Find a way to allow setgroups() in a user namespace while keeping > > in mind the case of groups used for negative access control > > - Add optional enforcement that overflow uid/gid as set through > > sysctl cannot be used as regular uid/gid on the system > > > > Christian is working on a comprehensive summary of the session based > > on the shared notes document we circulated at the beginning of the > > session which will try to separate the different topics and cover use > > cases and potential solutions for each as we discussed in the BoF. > > > > We'll make sure that everyone who attended the BoF gets CCed on that, > > on top of the usual mailing-lists so that should any of the use raised > > use cases have been missed in the notes, those folks can raise them > > again so we don't end up missing anything :) > > > > St?phane > > _______________________________________________ > > Containers mailing list > > Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > > https://lists.linuxfoundation.org/mailman/listinfo/containers > > > ------------------------------ > > Message: 6 > Date: 20 Aug 2020 19:07:50 -0700 > From: WIDOW COLON DENISE.G <epaper@xxxxxxxxxxxxxxxx>, > =?UTF-8?B?wqA=?=@osuosl.org > To: containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > Subject: HELLO > Message-ID: <20200820190749.BE3DDB5A761D02BF@xxxxxxxxxxxxxxxx> > Content-Type: text/plain; charset="utf-8" > > Hello, > > Thank you for the attention you give to my dearest wish, I would > like you to know that I did not get the wrong person by sending > you this message. My ardent wish has always been to meet an > anonymous natural person so that the latter leads social actions > through a foundation. However, I would understand your amazement > at how I do it. My name is COLON DENISE .G born on July 27, 1942, > of French nationality and I am currently under medical > observation in a hospital in PORTUGAL. I had to contact you in > this way because I wish to make a donation of ? 1,500,000 to help > people in need, make poor families, orphans happy, help young > entrepreneurs who are at fundraising to grow their business > sectors ... those around you. My professional life has been a > long, calm river, especially since I have always lived far from > my country. First in Kuwait, where I worked in the petroleum > sector for two years. Then I went to the Republic of Benin (2001) > where I set up several companies (real estate, industrial ...). > It is in this country so welcoming that I experienced real > happiness, that of a marriage with a Canadian who also worked in > this country. Unfortunately we were not fortunate enough to have > children. After five years of living together, my husband died > after a long illness. So I was left alone again with a butler at > my disposal and a dog until this cancer came to limit my life. I > have been fighting this disease for almost four years and > medicine can do nothing more following the results of medical > examinations which indicate that my days are numbered, following > the confessions of my doctor. I had blocked this large sum in one > of the Benin Banks for a construction project. I will be grateful > to entrust this money to you so that my donation project > succeeds. I take you accept this, because it is a gift from a > dying woman and that without asking anything in return. Please > reply to me as soon as possible at my email address, which is: > colondeniseglmv@xxxxxxxxxx > > WIDOW COLON DENISE .G > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > Containers mailing list > Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > https://lists.linuxfoundation.org/mailman/listinfo/containers > > ------------------------------ > > End of Containers Digest, Vol 169, Issue 34 > ******************************************* > _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
