ACK: [PULL][Xenial SRU] Mount updates for snaps in lxd containers
Luis Henriques
luis.henriques at canonical.com
Tue Nov 8 15:04:11 UTC 2016
On Wed, Oct 26, 2016 at 02:31:38PM -0500, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1634964
>
> In order for xenial to support snaps in lxd containers by default, fuse
> mounts in user namespaces must also be enabled by default. These patches
> harden the namespace mount support in xenial by updating it to match
> yakkety, then they flip the fuse userns_mounts module parameter to be
> enabled by default. Mostly this is done by reverting sauce patches in
> xenial and replacing them with backports from yakkety or upstream.
>
> This is quite a bit of churn, however it brings us in line with what we
> have in yakkety and closer to upstream (version 4.8 at least).
>
Although this is a huge number of changes, they all seem to be already in
yakkety. We also have testing results. Regression/verification testing
will hopefully catch any issues with these backports.
Cheers,
--
Luís
> Thanks,
> Seth
>
> The following changes since commit ed40d9290a09cb0b998c300d0f52b6b408f8d490:
>
> UBUNTU: Ubuntu-4.4.0-46.67 (2016-10-20 08:10:00 -0500)
>
> are available in the git repository at:
>
> git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1634964
>
> for you to fetch changes up to 742bfb82d4c7ed36b9e42624e1f134bb0d3884d7:
>
> UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default (2016-10-21 12:01:56 -0500)
>
> ----------------------------------------------------------------
> Eric W. Biederman (8):
> (namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns
> (namespace) vfs: Verify acls are valid within superblock's s_user_ns.
> (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
> (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs
> (namespace) quota: Ensure qids map to the filesystem
> (namespace) quota: Handle quota data stored in s_user_ns in quota_setxquota
> (namespace) dquot: For now explicitly don't support filesystems outside of init_user_ns
> UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change ownership of inodes
>
> Seth Forshee (13):
> (namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns"
> (namespace) fs: Refuse uid/gid changes which don't map into s_user_ns
> (namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts"
> UBUNTU: SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to modules
> UBUNTU: SAUCE: (namespace) fuse: Translate ids in posix acl xattrs
> (namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns"
> (namespace) Revert "UBUNTU: SAUCE: quota: Convert ids relative to s_user_ns"
> (namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set xattrs"
> UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs
> (namespace) Revert "UBUNTU: SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids"
> (namespace) Revert "UBUNTU: SAUCE: fs: Don't remove suid for CAP_FSETID in s_user_ns"
> UBUNTU: SAUCE: (namespace) fs: Don't remove suid for CAP_FSETID for userns root
> UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default
>
>  drivers/staging/lustre/lustre/mdc/mdc_request.c |  2 +-
>  fs/9p/acl.c                                     |  2 +-
>  fs/attr.c                                       | 51 +++++++++----------
>  fs/fuse/dir.c                                   | 30 +++++++++--
>  fs/fuse/inode.c                                 |  2 +-
>  fs/inode.c                                      | 12 ++++-
>  fs/kernfs/inode.c                               |  2 -
>  fs/namei.c                                      | 36 +++++++++++---
>  fs/namespace.c                                  |  4 --
>  fs/ocfs2/quota_global.c                         |  6 +--
>  fs/posix_acl.c                                  | 61 ++++++++++-------------
>  fs/proc/base.c                                  |  7 ++-
>  fs/proc/generic.c                               |  6 ++-
>  fs/proc/proc_sysctl.c                           |  7 ++-
>  fs/quota/dquot.c                                | 12 +++--
>  fs/quota/quota.c                                | 10 ++--
>  fs/quota/quota_tree.c                           | 66 +++++++++----------------
>  fs/quota/quota_v1.c                             | 13 +----
>  fs/quota/quota_v2.c                             | 43 ++++++----------
>  fs/super.c                                      |  4 ++
>  fs/xattr.c                                      | 26 +++++-----
>  include/linux/dqblk_qtree.h                     |  4 +-
>  include/linux/fs.h                              |  5 ++
>  include/linux/posix_acl.h                       |  2 +-
>  include/linux/posix_acl_xattr.h                 | 24 ++++-----
>  include/linux/quota.h                           | 10 ++++
>  security/integrity/digsig.c                     |  2 +-
>  security/integrity/evm/evm_main.c               |  6 ++-
>  security/integrity/ima/ima_appraise.c           |  4 +-
>  zfs/module/zfs/zpl_xattr.c                      |  4 +-
>  30 files changed, 245 insertions(+), 218 deletions(-)
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team