[LU-9220] Support Kerberos authentication from unprivileged container Created: 16/Mar/17 Updated: 19/Jul/17 Resolved: 19/Jul/17 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.9.0 |
| Fix Version/s: | Lustre 2.11.0 |
| Type: | Improvement | Priority: | Minor |
| Reporter: | Sebastien Buisson (Inactive) | Assignee: | John Hammond |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | gss |
| Description |
|
When a container runs unprivileged, it cannot access /proc. However, Kerberos authentication in Lustre requires lgss_keyring to write (ioctl) to /proc/fs/lustre/sptlrpc/gss/init_channel in order to do credential negotiation. The solution to support Kerberos authentication from an unprivileged container is to delegate this ioctl (and only this part of the authentication process) to a parent thread that does not run in the container's namespace. I will post a patch with my proposal. |
| Comments |
| Comment by Gerrit Updater [ 16/Mar/17 ] |
|
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/26035 |
| Comment by Peter Jones [ 16/Mar/17 ] |
|
John, could you please review this patch? Thanks, Peter |
| Comment by Gerrit Updater [ 19/Jul/17 ] |
|
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26035/ |
| Comment by Peter Jones [ 19/Jul/17 ] |
|
Landed for 2.11 |