patchset to enable user namespaces

Serge Hallyn serge.hallyn at ubuntu.com
Wed Sep 25 23:04:51 UTC 2013


Quoting Andy Whitcroft (apw at canonical.com):
> On Mon, Sep 23, 2013 at 05:08:26PM -0500, Serge Hallyn wrote:
> > Hi,
> > 
> > The final patches needed to resolve conflicts between XFS and user
> > namespaces are in 3.12.  I've backported them to saucy at
> > 
> > 	http://kernel.ubuntu.com/git?p=serge/ubuntu-saucy.git;a=summary # m.sep23.xfs2
> > 
> > This has 7 patches cherrypicked from Linus' tree, one patch by
> > myself to add a sysctl, default off, to enable unprivileged use
> > of CLONE_NEWUSER, and a packaging patch to set CONFIG_USER_NS=y.
> 
> These are pretty big patches to be bringing so late to the party.  I am
> particularly concerned that you have missed the beta deadline so we will
> be shovelling this into the kernel after the majority of the testing has
> been completed.
> 
> I assume we need these XFS patches because you cannot enable USER_NS at
> all without disabling XFS en-toto, an obvious no-no.  What feature does
> this new code enable which would be lost if we don't have them.
> 
> On the unpriveleged setup, I presume we are saying upstream will allow
> it by default, it is just us who are adding this possible cut off if
> there are issues?
> 
> As this heavily affects xfs what testing has been done there with your
> patches to confirm basic xfs operation after they are applied.  It not

Just creating and running containers on an XFS filesystem.  Installing
packages, building lxc - working the fs hard but not in imaginative
ways.  For future reference is there any particular test you use
nowadays?

-serge




More information about the kernel-team mailing list