[OpenAFS] Re: containers / AFS / Ubuntu - stopped working

Nathaniel W Filardo nwf@cs.jhu.edu
Sun, 29 Nov 2015 12:46:33 -0500

> From: Jeffrey Altman <jaltman@auristor.com>
> For Linux what we would want is the ability to start a container and all
> of its processes as part of a PAG where a process running in the host
> context (not the container's) would obtain the tokens for the container.

For whatever it's worth, we did some experimentation with this using lxc at
our cell.  In short,

k5start -f ${keytab} -U -t -k ${krbcc} -- \
  lxc-execute -n bar -f ${lxcconf} -- ${command}

will spin up a container whose session keyring has a PAG that is associated
with the principal in ${keytab} and whose liveness is managed by a k5start
running on the host, using host-side ${krbcc} as the credentials cache.  I
believe it's possible for processes inside the container to detach
themselves from this PAG, which is unusual but hopefully not a concern.  You
can use "keyctl show" for ${command} to verify that the keyrings are not
exposing any keying material to processes in the container.  (We resorted to
using files for ${krbcc}, but it may be possible to use the process keyring
or an in-memory CC so that it's all internal to k5start?)
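The "keyctl show" check suggested above, written out as a small audit script. This is an added example, not part of Nathaniel's message or of OpenAFS/k5start/lxc. It assumes that OpenAFS represents a PAG as a key of type "afs_pag" (description "_pag") in the session keyring, and that with a host-side file ccache the container's keyrings should carry nothing but keyrings and that PAG; the "keyctl show" output embedded below is constructed for illustration, not captured from a real container.

```shell
# Added example (not from the original message): audit the session keyring a
# container sees via "keyctl show", verifying that it holds an OpenAFS PAG and
# no other key types that could expose credentials (e.g. a KEYRING-type
# Kerberos ccache, which shows up as "user" keys under a "_krb" keyring).
#
# Assumptions: OpenAFS uses key type "afs_pag" with description "_pag" for the
# PAG, and the Kerberos cache stays on the host as a file, so nothing else is
# expected in the container's session keyring.

# check_pag_keyring: reads "keyctl show" output on stdin.
# Exit status: 0 = PAG present and nothing foreign; 1 = no PAG; 2 = foreign keys.
check_pag_keyring() {
  awk '
    # Key lines look like:  <id> <perms> <uid> <gid> [\_ ]<type>: <description>
    # The heading line ("Session Keyring") carries no numeric id and is skipped.
    /^ *[0-9]+ / {
      t = ""
      for (i = 5; i <= NF; i++) {
        if ($i == "\\_") continue        # skip the tree marker
        t = $i; sub(/:$/, "", t)         # "afs_pag:" -> "afs_pag"
        break
      }
      if (t == "afs_pag") { pag++ }
      else if (t != "keyring") { extra++; print "foreign key: " $0 > "/dev/stderr" }
    }
    END {
      if (pag == 0) exit 1
      if (extra > 0) exit 2
      exit 0
    }'
}

# Constructed sample: the shape expected inside a container started as above.
SAMPLE_OK='Session Keyring
 123456789 --alswrv      0     0  keyring: _ses
 987654321 ----s-rv      0     0   \_ afs_pag: _pag'

# Constructed sample: a PAG plus a KEYRING ccache leaked into the container.
SAMPLE_LEAK='Session Keyring
 123456789 --alswrv      0     0  keyring: _ses
 987654321 ----s-rv      0     0   \_ afs_pag: _pag
 111111111 --alswrv      0     0   \_ keyring: _krb
 222222222 --alswrv      0     0       \_ user: krb_ccache:primary'

# Constructed sample: a process that has detached from the PAG entirely.
SAMPLE_NOPAG='Session Keyring
 123456789 --alswrv      0     0  keyring: _ses'

# Wrappers returning the check result for each sample (stderr silenced).
check_sample_ok()    { printf '%s\n' "$SAMPLE_OK"    | check_pag_keyring 2>/dev/null; }
check_sample_leak()  { printf '%s\n' "$SAMPLE_LEAK"  | check_pag_keyring 2>/dev/null; }
check_sample_nopag() { printf '%s\n' "$SAMPLE_NOPAG" | check_pag_keyring 2>/dev/null; }

# Live use from a shell inside the container (or as ${command} itself):
#   keyctl show | check_pag_keyring && echo "PAG present, no credentials exposed"
```

The script only inspects key types, not contents, which is the point: a healthy container shows a PAG and keyrings and nothing else, while any "user", "big_key" or similar entry is a sign that credential material (rather than just the PAG identity) has been handed into the container.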
