Re: patchset to enable user namespaces
Ben Hutchings <ben@decadent.org.uk> writes:
> On Tue, 2013-09-24 at 10:10 +0100, Andy Whitcroft wrote:
>> On Mon, Sep 23, 2013 at 05:08:26PM -0500, Serge Hallyn wrote:
>> > Hi,
>> >
>> > The final patches needed to resolve conflicts between XFS and user
>> > namespaces are in 3.12. I've backported them to saucy at
>> >
>> > http://kernel.ubuntu.com/git?p=serge/ubuntu-saucy.git;a=summary # m.sep23.xfs2
>> >
>> > This has 7 patches cherrypicked from Linus' tree, one patch by
>> > myself to add a sysctl, default off, to enable unprivileged use
>> > of CLONE_NEWUSER, and a packaging patch to set CONFIG_USER_NS=y.
>>
>> These are pretty big patches to be bringing so late to the party. I am
>> particularly concerned that you have missed the beta deadline so we will
>> be shovelling this into the kernel after the majority of the testing has
>> been completed.
>>
>> I assume we need these XFS patches because you cannot enable USER_NS at
>> all without disabling XFS en-toto, an obvious no-no. What feature does
>> this new code enable which would be lost if we don't have them.
>>
>> On the unpriveleged setup, I presume we are saying upstream will allow
>> it by default, it is just us who are adding this possible cut off if
>> there are issues?
> [...]
>
> I was planning to include the same sort of knob when USER_NS is enabled
> in Debian. I can probably just copy your patch now.
Grumble. Just kill the binary sysctl bits from that patch.
I sent an email mentioning that the sysctl change didn't need to
allocate any binary numbers but I think it may have been eaten by a
grue.
sysctl(2) bad, /proc/sys/ good. stabs sysctl(2) a few for more time to
see if the corpse will disappear.
Eric
Reply to: