On 2018-06-15, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
> > - Supports any id maps possible for a user namespace
>
> Have we already ruled out storing the container's UID/GID/perms in an
> extended attribute, and having all the files owned by the owner of the
> container from the perspective of the unshifted fs. Then shiftfs reads
> the xattr and presents the files with the container's idea of what the
> UID is?

I think, while simple, this idea has the problem that you couldn't really
have a single directory be shifted more than once without copying it (or
using an overlayfs which is then shiftfs'd). So for the use case of giving
each container on a system a unique allocation of host uids and gids
(while using the same image storage) you would run into some issues.

It does remind me of something similar we do as part of the "rootless
containers" project -- we have "user.rootlesscontainers" which contains a
protobuf payload with the "owner" information. Though in rootless
containers we are using this xattr for something quite different: faking
chown(2) and similar operations to make it look as though an unprivileged
user namespace contains more than one user.

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
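The id-map translation the thread contrasts with the xattr idea, as an added illustration (not code from shiftfs, the kernel or the rootless containers project): it parses maps in the `/proc/<pid>/uid_map` format and shows one image uid resolving to a distinct host uid per container, which is the "shift the same directory more than once" case. The container names and host ranges are constructed sample values.

```python
# Added example, not code from shiftfs or the rootless containers project.
# Models how a user-namespace style id map lets one image directory be
# presented under a different host uid range per container without copying.


def parse_id_map(text):
    """Parse 'inside outside count' lines as written to /proc/<pid>/uid_map."""
    entries = []
    for line in text.strip().splitlines():
        inside, outside, count = (int(field) for field in line.split())
        if count <= 0:
            raise ValueError("count must be positive: %r" % line)
        entries.append((inside, outside, count))
    return entries


def shift_id(entries, id_, to_host=True):
    """Translate an id through the map in either direction.

    Returns None for an id no range covers (the kernel would surface such an
    id as the overflow id, 65534 by default, rather than failing)."""
    for inside, outside, count in entries:
        src, dst = (inside, outside) if to_host else (outside, inside)
        if src <= id_ < src + count:
            return dst + (id_ - src)
    return None


# Constructed sample: two containers sharing one image directory, each with
# its own allocation of host ids (hypothetical names and ranges).
CONTAINER_MAPS = {
    "c1": parse_id_map("0 100000 65536"),
    "c2": parse_id_map("0 200000 65536"),
}


def host_owners(image_uid):
    """Host uid that each container's view of the same image file maps to."""
    return {name: shift_id(m, image_uid) for name, m in CONTAINER_MAPS.items()}


if __name__ == "__main__":
    print(host_owners(0))                                          # {'c1': 100000, 'c2': 200000}
    print(shift_id(CONTAINER_MAPS["c1"], 100033, to_host=False))   # 33
    print(shift_id(CONTAINER_MAPS["c1"], 70000))                   # None: beyond the 65536-id range
```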