[LU-9220] Support Kerberos authentication from unprivileged container
Created: 16/Mar/17  Updated: 19/Jul/17  Resolved: 19/Jul/17

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.9.0
Fix Version/s: Lustre 2.11.0

Type: Improvement
Priority: Minor
Reporter: Sebastien Buisson (Inactive)
Assignee: John Hammond
Resolution: Fixed
Votes: 0
Labels: gss

Description

When a container runs unprivileged, it cannot access /proc. However, Kerberos authentication in Lustre requires lgss_keyring to write (ioctl) to /proc/fs/lustre/sptlrpc/gss/init_channel, in order to do credentials negotiation.

The solution to support Kerberos authentication from an unprivileged container is to delegate this ioctl (and only this part of the authentication process) to a parent thread that does not run in the container's namespace.

I will post a patch with my proposal.
Thanks,
Sebastien.
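
The delegation pattern described above, as an added illustration (not the Lustre patch and not lgss_keyring code): a forked worker does the in-container step and hands its result over a pipe to the parent, which stays outside the namespace and performs the single channel write. `delegated_channel_write` and `build_token` are hypothetical names, joining the container's mount namespace with `setns` is an assumption, and the channel path is a parameter so the code also runs against an ordinary file.

```c
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEWNS */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the in-container step (credential negotiation). */
static int build_token(char *buf, size_t len)
{
    return snprintf(buf, len, "token-for-uid-%d", (int)getuid());
}

/* The child optionally joins the mount namespace of ns_pid (0 = stay put)
 * and produces the token; the parent never leaves its own namespace and does
 * the one write to chan_path. Returns bytes written, or -1 on any failure. */
ssize_t delegated_channel_write(pid_t ns_pid, const char *chan_path)
{
    char buf[256], nspath[64];
    int p[2], status, out;
    ssize_t n, w;

    if (pipe(p) < 0) return -1;
    pid_t child = fork();
    if (child < 0) { close(p[0]); close(p[1]); return -1; }
    if (child == 0) {                        /* container-side worker */
        close(p[0]);
        if (ns_pid > 0) {
            snprintf(nspath, sizeof(nspath), "/proc/%d/ns/mnt", (int)ns_pid);
            int fd = open(nspath, O_RDONLY);
            /* raw syscall form of setns(fd, CLONE_NEWNS) */
            if (fd < 0 || syscall(SYS_setns, fd, CLONE_NEWNS) < 0)
                _exit(1);                    /* fail closed, no host-view fallback */
        }
        n = build_token(buf, sizeof(buf));
        _exit(n > 0 && write(p[1], buf, n) == n ? 0 : 1);
    }
    close(p[1]);                             /* parent: the only privileged step */
    n = read(p[0], buf, sizeof(buf));
    close(p[0]);
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n <= 0)
        return -1;                           /* worker failed: write nothing */
    if ((out = open(chan_path, O_WRONLY)) < 0)
        return -1;
    w = write(out, buf, n);
    close(out);
    return w;
}
```

The parent treats whatever arrives on the pipe as untrusted input from the container side: it is bounded by the buffer size and nothing is written unless the worker exited cleanly.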



Comments
Comment by Gerrit Updater [ 16/Mar/17 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/26035
Subject: LU-9220 gss: support Kerberos auth from unprivileged container
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 3c49f6d16c8989489f93d007b296c86611e4dfa8

Comment by Peter Jones [ 16/Mar/17 ]

John

Could you please review this patch?

Thanks

Peter

Comment by Gerrit Updater [ 19/Jul/17 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26035/
Subject: LU-9220 gss: support Kerberos auth from unprivileged container
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: dd3e456294cd634c5491500c66946b4f67606745

Comment by Peter Jones [ 19/Jul/17 ]

Landed for 2.11
