Container Interfaces for Storage
Are we There Yet?
Open Source Advocate
So s_user_ns is the answer?
To use it, you need a superpblock mount inside the container
Most container roots are bind mounts (no superblock)
struct mount, vfsmount and super_block (oh my!)
struct mount is fs internal, struct vfsmount is kernel visible
A filesystem tree is a set of struct mounts
Every mount namespace has a separate set of struct mounts (copied from the original)
Every struct mount points to a refcounted struct super_block
But the relation is many to one
If I mount something external I get a new super_block
But if I bind mount, I get a pointer to an old super_block
faking a bind mount simply to get a superblock feels "icky"
Can't we make the s_user_ns work?
Old proposal: inode view of user (uid, kuid, iuid)
Prototyped using security xattrs and it can be made to work
But: can't be made to work with s_user_ns
WTF is James thinking now?
In other words, make s_user_ns a property of vfsmount
Allows other vfsmount properties as well
Final alternative: abandon s_user_ns
Add inode mark (xattr) saying use user view or kernel view