ACK: [PULL][Xenial SRU] Mount updates for snaps in lxd containers

Luis Henriques luis.henriques at canonical.com
Tue Nov 8 15:04:11 UTC 2016


On Wed, Oct 26, 2016 at 02:31:38PM -0500, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1634964
> 
> In order for xenial to support snaps in lxd containers by default, fuse
> mounts in user namespaces must also be enabled by default. These patches
> harden the namespace mount support in xenial by updating it to match
> yakkety, then they flip the fuse userns_mounts module parameter to be
> enabled by default. Mostly this is done by reverting sauce patches in
> xenial and replacing them with backports from yakkety or upstream.
> 
> This is quite a bit of churn, however it brings us in line with what we
> have in yakkety and closer to upstream (version 4.8 at least).
> 

Although this is a huge number of changes, they all seem to be already in
yakkety.  We also have testing results.  Regression/verification testing
will hopefully catch any issues with these backports.

Cheers,
--
Luís

> Thanks,
> Seth
> 
> The following changes since commit ed40d9290a09cb0b998c300d0f52b6b408f8d490:
> 
>   UBUNTU: Ubuntu-4.4.0-46.67 (2016-10-20 08:10:00 -0500)
> 
> are available in the git repository at:
> 
>   git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1634964
> 
> for you to fetch changes up to 742bfb82d4c7ed36b9e42624e1f134bb0d3884d7:
> 
>   UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default (2016-10-21 12:01:56 -0500)
> 
> ----------------------------------------------------------------
> Eric W. Biederman (8):
>       (namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns
>       (namespace) vfs: Verify acls are valid within superblock's s_user_ns.
>       (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
>       (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs
>       (namespace) quota: Ensure qids map to the filesystem
>       (namespace) quota: Handle quota data stored in s_user_ns in quota_setxquota
>       (namespace) dquot: For now explicitly don't support filesystems outside of init_user_ns
>       UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change ownership of inodes
> 
> Seth Forshee (13):
>       (namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns"
>       (namespace) fs: Refuse uid/gid changes which don't map into s_user_ns
>       (namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts"
>       UBUNTU: SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to modules
>       UBUNTU: SAUCE: (namespace) fuse: Translate ids in posix acl xattrs
>       (namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns"
>       (namespace) Revert "UBUNTU: SAUCE: quota: Convert ids relative to s_user_ns"
>       (namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set xattrs"
>       UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs
>       (namespace) Revert "UBUNTU: SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids"
>       (namespace) Revert "UBUNTU: SAUCE: fs: Don't remove suid for CAP_FSETID in s_user_ns"
>       UBUNTU: SAUCE: (namespace) fs: Don't remove suid for CAP_FSETID for userns root
>       UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default
> 
>  drivers/staging/lustre/lustre/mdc/mdc_request.c |  2 +-
>  fs/9p/acl.c                                     |  2 +-
>  fs/attr.c                                       | 51 +++++++++----------
>  fs/fuse/dir.c                                   | 30 +++++++++--
>  fs/fuse/inode.c                                 |  2 +-
>  fs/inode.c                                      | 12 ++++-
>  fs/kernfs/inode.c                               |  2 -
>  fs/namei.c                                      | 36 +++++++++++---
>  fs/namespace.c                                  |  4 --
>  fs/ocfs2/quota_global.c                         |  6 +--
>  fs/posix_acl.c                                  | 61 ++++++++++-------------
>  fs/proc/base.c                                  |  7 ++-
>  fs/proc/generic.c                               |  6 ++-
>  fs/proc/proc_sysctl.c                           |  7 ++-
>  fs/quota/dquot.c                                | 12 +++--
>  fs/quota/quota.c                                | 10 ++--
>  fs/quota/quota_tree.c                           | 66 +++++++++----------------
>  fs/quota/quota_v1.c                             | 13 +----
>  fs/quota/quota_v2.c                             | 43 ++++++----------
>  fs/super.c                                      |  4 ++
>  fs/xattr.c                                      | 26 +++++-----
>  include/linux/dqblk_qtree.h                     |  4 +-
>  include/linux/fs.h                              |  5 ++
>  include/linux/posix_acl.h                       |  2 +-
>  include/linux/posix_acl_xattr.h                 | 24 ++++-----
>  include/linux/quota.h                           | 10 ++++
>  security/integrity/digsig.c                     |  2 +-
>  security/integrity/evm/evm_main.c               |  6 ++-
>  security/integrity/ima/ima_appraise.c           |  4 +-
>  zfs/module/zfs/zpl_xattr.c                      |  4 +-
>  30 files changed, 245 insertions(+), 218 deletions(-)
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
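The cover letter above hinges on one knob: the fuse `userns_mounts` module parameter being flipped to enabled by default so that snaps work inside lxd containers. The script below is an added example for checking that state on a running host; it is not part of the Ubuntu kernel tree or of this patch series. It assumes (the cover letter does not say so) that the parameter is exposed at /sys/module/fuse/parameters/userns_mounts and that Ubuntu's kernel.unprivileged_userns_clone sysctl is what gates unprivileged user namespaces; both paths are overridable through environment variables.

```shell
#!/bin/sh
# Added check script, not code from the Ubuntu kernel tree or the patch series.
# Assumptions (not stated in the cover letter): the Ubuntu sauce parameter is
# exposed at /sys/module/fuse/parameters/userns_mounts, and Ubuntu's
# kernel.unprivileged_userns_clone sysctl gates unprivileged user namespaces.

FUSE_PARAM=${FUSE_PARAM:-/sys/module/fuse/parameters/userns_mounts}
USERNS_SYSCTL=${USERNS_SYSCTL:-/proc/sys/kernel/unprivileged_userns_clone}

# Map a sysfs bool knob ("Y"/"N" for module params, "1"/"0" for sysctls)
# to a word. Always exits 0 so it is safe to call under set -e.
bool_param_state() {
    case "$1" in
        Y|y|1) echo enabled ;;
        N|n|0) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# Print the first line of a kernel knob, or "absent" if it is not readable
# (fuse not loaded, non-Ubuntu kernel, or a sandbox without /sys and /proc).
read_knob() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        echo absent
    fi
}

# Combine both knobs into a verdict matching the cover letter's requirement:
# snaps in lxd containers need unprivileged user namespaces AND fuse mounts
# permitted inside them. Arguments: <userns sysctl value> <fuse param value>
snap_in_lxd_verdict() {
    userns=$(bool_param_state "$1")
    fuse=$(bool_param_state "$2")
    if [ "$userns" = enabled ] && [ "$fuse" = enabled ]; then
        echo ok
    elif [ "$fuse" = disabled ]; then
        echo "needs: echo Y > $FUSE_PARAM"
    elif [ "$userns" = disabled ]; then
        echo "needs: sysctl kernel.unprivileged_userns_clone=1"
    else
        echo undetermined
    fi
}

# Report the live state of this host; absent knobs yield "undetermined".
report() {
    u=$(read_knob "$USERNS_SYSCTL")
    f=$(read_knob "$FUSE_PARAM")
    echo "unprivileged_userns_clone: $u ($(bool_param_state "$u"))"
    echo "fuse userns_mounts:        $f ($(bool_param_state "$f"))"
    echo "verdict: $(snap_in_lxd_verdict "$u" "$f")"
}

report
```

Worth keeping in mind when reading the verdict: a `Y` here means any unprivileged user who can create a user namespace can also mount a FUSE filesystem it controls, which is exactly why the series pairs the default flip with the id-mapping hardening listed above (refusing inode uid/gid changes that do not map into s_user_ns, translating ids in POSIX ACL xattrs, and hardening integrity code against malformed xattrs) rather than flipping the parameter on its own.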
