
Support Kerberos authentication from unprivileged container

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • Lustre 2.11.0
    • Lustre 2.9.0

    Description

      When a container runs unprivileged, it cannot access /proc. However, Kerberos authentication in Lustre requires lgss_keyring to write (ioctl) to /proc/fs/lustre/sptlrpc/gss/init_channel, in order to do credentials negotiation.

      The solution to support Kerberos authentication from an unprivileged container is to delegate this ioctl (and only this part of the authentication process) to a parent thread that does not run in the container's namespace.

      I will post a patch with my proposal.
      Thanks,
      Sebastien.

        Activity

          [LU-9220] Support Kerberos authentication from unprivileged container
          pjones Peter Jones added a comment -

          Landed for 2.11


          Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26035/
          Subject: LU-9220 gss: support Kerberos auth from unprivileged container
          Project: fs/lustre-release
          Branch: master
          Current Patch Set:
          Commit: dd3e456294cd634c5491500c66946b4f67606745

          pjones Peter Jones added a comment -

          John

          Could you please review this patch?

          Thanks

          Peter


          Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/26035
          Subject: LU-9220 gss: support Kerberos auth from unprivileged container
          Project: fs/lustre-release
          Branch: master
          Current Patch Set: 1
          Commit: 3c49f6d16c8989489f93d007b296c86611e4dfa8


          People

            jhammond John Hammond
            sbuisson Sebastien Buisson (Inactive)