[OpenAFS] Re: containers / AFS / Ubuntu - stopped working

[Nathaniel W Filardo]

--DWnKfPfB2seWFM1r
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

> From: Jeffrey Altman <jaltman@auristor.com>
>=20
> For Linux what we would want is the ability to start a container and all
> of its processes as part of a PAG where a process running in the host
> context (not the container's) would obtain the tokens for the container.

For whatever it's worth, we did some experimentation with this using lxc at
our cell.  In short,

k5start -f ${keytab} -U -t -k ${krbcc} -- \
  lxc-execute -n bar -f ${lxcconf} -- \
  ${command}

will spin up a container whose session keyring has a PAG that is associated
with the principal in ${keytab} and whose liveness is managed by a k5start
running on the host, using host-side ${krbcc} as the credentials cache.  I
believe it's possible for processes inside the container to detach
themselves from this PAG, which is unusual but hopefully not a concern.  You
can use "keyctl show" for ${command} to verify that the keyrings are not
exposing any keying material to processes in the container.  (We resorted to
using files for ${krbcc}, but it may be possible to use the process keyring
or an in-memory CC so that it's all internal to k5start?)

Cheers,
--nwf;

--DWnKfPfB2seWFM1r
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlZbOfgACgkQTeQabvr9Tc86VACfRb0kLT9WdoWg8b5WrgwAMO9A
/A0AnAw7/DeCyai5evwND0nkMs3pBXwx
=VdjP
-----END PGP SIGNATURE-----

--DWnKfPfB2seWFM1r--