Re: patchset to enable user namespaces
Quoting Ben Hutchings (ben@decadent.org.uk):
> On Mon, Sep 30, 2013 at 09:56:10AM -0700, Eric W. Biederman wrote:
> > Ben Hutchings <ben@decadent.org.uk> writes:
> >
> > > On Tue, 2013-09-24 at 10:10 +0100, Andy Whitcroft wrote:
> > >> On Mon, Sep 23, 2013 at 05:08:26PM -0500, Serge Hallyn wrote:
> > >> > Hi,
> > >> >
> > >> > The final patches needed to resolve conflicts between XFS and user
> > >> > namespaces are in 3.12. I've backported them to saucy at
> > >> >
> > >> > http://kernel.ubuntu.com/git?p=serge/ubuntu-saucy.git;a=summary # m.sep23.xfs2
> > >> >
> > >> > This has 7 patches cherry-picked from Linus' tree, one patch by
> > >> > myself to add a sysctl, default off, to enable unprivileged use
> > >> > of CLONE_NEWUSER, and a packaging patch to set CONFIG_USER_NS=y.
> > >>
> > >> These are pretty big patches to be bringing so late to the party. I am
> > >> particularly concerned that you have missed the beta deadline so we will
> > >> be shovelling this into the kernel after the majority of the testing has
> > >> been completed.
> > >>
> > >> I assume we need these XFS patches because you cannot enable USER_NS at
> > >> all without disabling XFS in toto, an obvious no-no. What feature does
> > >> this new code enable which would be lost if we don't have them?
> > >>
> > >> On the unprivileged setup, I presume we are saying upstream will allow
> > >> it by default, it is just us who are adding this possible cut off if
> > >> there are issues?
> > > [...]
> > >
> > > I was planning to include the same sort of knob when USER_NS is enabled
> > > in Debian. I can probably just copy your patch now.
> >
> > Grumble. Just kill the binary sysctl bits from that patch.
> >
> > I sent an email mentioning that the sysctl change didn't need to
> > allocate any binary numbers but I think it may have been eaten by a
> > grue.
>
> No, I've seen your email and I'm assuming the actual committed version
> won't have a binary sysctl.
Sorry, I never fixed that. I've actually removed the sysctl from my
latest ppa kernel, as it is not something we want long-term. Though if
the rm/DOS issue is not addressed in the next few weeks (when I next try
to push it into our s+1 tree) I'll have to re-introduce it.
-serge
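The knob under discussion is a sysctl, default off, gating unprivileged CLONE_NEWUSER. A check an administrator can run on a kernel built from this series, as an added example that is not code from the thread or from Serge's patch: it forks a child, makes sure the child is unprivileged, lets the child try unshare(CLONE_NEWUSER), and reports whether the kernel permitted it; it also reads the distro sysctl if the file exists. The path /proc/sys/kernel/unprivileged_userns_clone and the fallback uid 65534 are assumptions (the Debian/Ubuntu patched kernels use that name; the thread itself never names the sysctl). Build with gcc on Linux and run as an unprivileged user for the most direct answer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed path of the distro knob (Debian/Ubuntu patched kernels); the
 * thread itself does not name the sysctl. */
#define USERNS_SYSCTL "/proc/sys/kernel/unprivileged_userns_clone"

/* Unprivileged uid to drop to when the probe is started as root
 * (assumed: "nobody" on most distributions). */
#define PROBE_UID 65534

/* Interpret the text of the sysctl file: 1 = unprivileged CLONE_NEWUSER
 * permitted, 0 = refused (the default the patch proposes), -1 = unparseable. */
int parse_userns_sysctl(const char *buf)
{
    if (buf == NULL || buf[0] == '\0')
        return -1;
    if ((buf[0] == '0' || buf[0] == '1') && (buf[1] == '\n' || buf[1] == '\0'))
        return buf[0] - '0';
    return -1;
}

/* Read the knob from /proc; -2 means the file is absent, i.e. this kernel
 * does not carry the distro patch at all. */
int read_userns_sysctl(void)
{
    char buf[16];
    FILE *f = fopen(USERNS_SYSCTL, "r");
    if (f == NULL)
        return -2;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_userns_sysctl(buf);
}

/* Empirical probe, independent of any sysctl: fork a child, make sure it is
 * unprivileged, and let it try unshare(CLONE_NEWUSER). The parent never
 * changes namespace. Returns 1 if the kernel allowed it, 0 if it refused
 * (EPERM, or the call was blocked, e.g. by a seccomp filter), 2 if the probe
 * could not be carried out (fork failed, or root could not drop privileges). */
int probe_unprivileged_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0) {
        /* Root holds CAP_SYS_ADMIN and would always succeed; drop first. */
        if (geteuid() == 0 && setresuid(PROBE_UID, PROBE_UID, PROBE_UID) != 0)
            _exit(2);
        _exit(unshare(CLONE_NEWUSER) == 0 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return 2;
    if (!WIFEXITED(status))
        return 0; /* child was killed, e.g. SIGSYS from seccomp */
    return WEXITSTATUS(status);
}

int main(void)
{
    int knob = read_userns_sysctl();
    int probe = probe_unprivileged_userns();

    if (knob == -2)
        puts("sysctl " USERNS_SYSCTL ": not present (no distro knob)");
    else
        printf("sysctl " USERNS_SYSCTL ": %d\n", knob);

    printf("unprivileged unshare(CLONE_NEWUSER): %s\n",
           probe == 1 ? "allowed" : probe == 0 ? "refused" : "undetermined");
    return 0;
}
```

The probe and the sysctl read are deliberately separate: the file tells you what the distro patch is configured to do, while the forked unshare tells you what the running kernel actually does, which is what matters on a kernel that carries the patch only conditionally or not at all.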