[OpenAFS] Re: containers / AFS / Ubuntu - stopped working
Nathaniel W Filardo
nwf@cs.jhu.edu
Sun, 29 Nov 2015 12:46:33 -0500
> From: Jeffrey Altman <jaltman@auristor.com>
>
> For Linux what we would want is the ability to start a container and all
> of its processes as part of a PAG where a process running in the host
> context (not the container's) would obtain the tokens for the container.
For whatever it's worth, we did some experimentation with this using lxc at
our cell. In short,
    k5start -f ${keytab} -U -t -k ${krbcc} -- \
        lxc-execute -n bar -f ${lxcconf} -- \
            ${command}
will spin up a container whose session keyring has a PAG that is associated
with the principal in ${keytab} and whose liveness is managed by a k5start
running on the host, using host-side ${krbcc} as the credentials cache. I
believe it's possible for processes inside the container to detach
themselves from this PAG, which is unusual but hopefully not a concern. You
can use "keyctl show" for ${command} to verify that the keyrings are not
exposing any keying material to processes in the container. (We resorted to
using files for ${krbcc}, but it may be possible to use the process keyring
or an in-memory CC so that it's all internal to k5start?)
Cheers,
--nwf;
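As an added illustration (not part of the message above, and not OpenAFS, k5start or lxc code): a small POSIX shell audit of the "keyctl show" check the message suggests running as ${command} inside the container. It assumes the OpenAFS PAG key type is named afs_pag and that any entry in the container's session keyring other than a keyring or an afs_pag key (for instance a "user" key, which a KEYRING: Kerberos credential cache would use) is key material the container should not be seeing; the keyctl output it parses is constructed for the example, and the key descriptions in it are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original message: parse "keyctl show"
# output and flag any key that is not a keyring or an OpenAFS PAG key.
# Assumptions: the PAG key type is "afs_pag" (as in OpenAFS), and any other
# key type visible to the container (e.g. "user" keys, which a KEYRING:
# Kerberos ccache would use) counts as exposed keying material.

# Constructed sample: a container process seeing only its session keyring
# and the PAG attached from the host side.
SAMPLE_OK='Session Keyring
 123456789 --alswrv      0     0  keyring: _ses
 234567890 ----s-rv      0     0   \_ afs_pag: _pag'

# Constructed sample: the same, plus a leaked Kerberos ccache keyring whose
# "user" key would be readable by the container (descriptions illustrative).
SAMPLE_LEAK='Session Keyring
 123456789 --alswrv      0     0  keyring: _ses
 234567890 ----s-rv      0     0   \_ afs_pag: _pag
 345678901 --alswrv      0     0   \_ keyring: _krb
 456789012 --alswrv      0     0       \_ user: krb5_ccache_conf_data'

# audit_keyring: read "keyctl show" output on stdin, print each offending
# line prefixed with "LEAK:", exit 0 when only keyrings and afs_pag keys
# are present and 1 otherwise.
audit_keyring() {
    awk '
        # Key lines start with the key serial; fields 1-4 are serial, perms,
        # uid, gid. The first later field ending in ":" is the key type
        # (any earlier field is the tree-drawing prefix keyctl prints).
        /^ *[0-9]+ / {
            type = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /:$/) { type = substr($i, 1, length($i) - 1); break }
            }
            if (type == "") next
            if (type != "keyring" && type != "afs_pag") {
                bad++
                print "LEAK: " $0
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# On a live system this would run inside the container:  keyctl show | audit_keyring
# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_OK"   | audit_keyring && echo "clean: only keyrings and the PAG are visible"
printf '%s\n' "$SAMPLE_LEAK" | audit_keyring || echo "leak: non-PAG key material is visible"
```

The audit deliberately whitelists rather than blacklists: a Kerberos KEYRING ccache, a user-type key holding an AFS token, or anything else that is not a keyring or a PAG key trips it, so a false "clean" requires the leaked material to masquerade as one of those two types.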