  1. Lustre
  2. LU-9220

Support Kerberos authentication from unprivileged container

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • Lustre 2.11.0
    • Lustre 2.9.0

    Description

      When a container runs unprivileged, it cannot access /proc. However, Kerberos authentication in Lustre requires lgss_keyring to write (ioctl) to /proc/fs/lustre/sptlrpc/gss/init_channel, in order to do credentials negotiation.

      The solution to support Kerberos authentication from unprivileged container is to delegate this ioctl (and only this part of the authentication process) to a parent thread that does not run in the container's namespace.

      I will post a patch with my proposal.
      Thanks,
      Sebastien.

          People

            jhammond John Hammond
            sbuisson Sebastien Buisson (Inactive)