Re: [PATCH 2/2] net: Implement SO_PEERCGROUP

From: Vivek Goyal
Date: Thu Mar 13 2014 - 14:02:39 EST


On Thu, Mar 13, 2014 at 01:51:17PM -0400, Simo Sorce wrote:

[..]
> > 1. Fix Docker to use user namespaces and use the uid of the requesting
> > process via SCM_CREDENTIALS.
>
> This is not practical; I have no control over what UIDs will be used
> within a container,

I guess the uid-to-container mapping has to be managed by somebody, say systemd.
Then systemd should export an API to query the container a uid is
mapped into. So that should not be the real problem.

> and IIRC user namespaces have severe limitations
> that may make them unusable in some situations. Forcing the use of user
> namespaces on docker to satisfy my use case is not in my power.

I think that's the real practical problem: adoption of user namespaces.

Thanks
Vivek
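The alternative the thread keeps coming back to, identifying the requesting process by the uid the kernel attaches to an AF_UNIX message (SCM_CREDENTIALS) or to the connection (SO_PEERCRED), is shown below as an added, self-contained example written for this page; it is not code from the patch, from Docker, or from anyone in the thread. It runs a socketpair inside one process, sends the sender's own pid/uid/gid as SCM_CREDENTIALS, and checks that the receiver (with SO_PASSCRED enabled) sees exactly those values; the kernel rejects a sender that claims credentials it does not hold unless it has CAP_SETUID/CAP_SYS_ADMIN. What the thread is really arguing about is what those numbers mean: when sender and receiver are in different user namespaces, the uid/gid in the received ucred are translated into the receiver's namespace (an unmapped id shows up as the overflow id, typically 65534), which is exactly why a service on the host cannot turn "uid 1000" into "container X" without the mapping someone like systemd would have to export.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ancillary-data buffer sized for exactly one struct ucred. */
union cred_cmsg {
    char buf[CMSG_SPACE(sizeof(struct ucred))];
    struct cmsghdr align;
};

/* Send one byte over fd with the caller's own pid/uid/gid attached as
 * SCM_CREDENTIALS. The kernel validates the claimed values against the
 * sending task, so an unprivileged sender cannot forge them. */
static int send_creds(int fd)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cred_cmsg u;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct ucred *uc;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_CREDENTIALS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(struct ucred));
    uc = (struct ucred *)CMSG_DATA(cmsg);
    uc->pid = getpid();
    uc->uid = getuid();
    uc->gid = getgid();
    return sendmsg(fd, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one message on fd (SO_PASSCRED must be enabled on it) and copy
 * the kernel-supplied sender credentials into *out. Returns 0 on success. */
static int recv_creds(int fd, struct ucred *out)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cred_cmsg u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(fd, &msg, 0) != 1)
        return -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(cmsg), sizeof *out);
            return 0;
        }
    return -1;
}

/* Round trip over a socketpair in one process. Returns 1 when the credentials
 * the receiver sees match the sender, 0 otherwise. *seen (may be NULL) gets
 * the received ucred on success. */
static int creds_roundtrip(struct ucred *seen)
{
    struct ucred uc;
    int sv[2], one = 1, ok = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) == 0 &&
        send_creds(sv[0]) == 0 && recv_creds(sv[1], &uc) == 0)
        ok = uc.pid == getpid() && uc.uid == getuid() && uc.gid == getgid();
    if (ok && seen)
        *seen = uc;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* SO_PEERCRED: the peer's credentials as of connect()/socketpair() time,
 * no message exchange needed. Returns 1 when they match this process. */
static int peercred_matches_self(void)
{
    struct ucred uc;
    socklen_t len = sizeof uc;
    int sv[2], ok = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (getsockopt(sv[0], SOL_SOCKET, SO_PEERCRED, &uc, &len) == 0)
        ok = uc.pid == getpid() && uc.uid == getuid() && uc.gid == getgid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    struct ucred seen;
    if (!creds_roundtrip(&seen) || !peercred_matches_self()) {
        fprintf(stderr, "credential check failed\n");
        return 1;
    }
    printf("peer pid=%ld uid=%u gid=%u\n", (long)seen.pid, seen.uid, seen.gid);
    return 0;
}
```

Both checks pass trivially here because sender and receiver share a user namespace; the point for a Docker-style setup is that they would still pass, but the uid the host-side receiver prints would be the host-namespace translation of the container's uid (or the overflow id if unmapped), not something it can map back to a container on its own.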
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/