Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-10-05 Thread Vivek Goyal
On Mon, Oct 03, 2022 at 06:51:42PM -0400, Colin Walters wrote: > > > On Thu, Sep 29, 2022, at 1:03 PM, Vivek Goyal wrote: > > > > So rust version of virtiofsd, already supports running unprivileged > > (inside a user namespace). > > I know, but as I already said, the use case here is running in

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-10-03 Thread Colin Walters
On Thu, Sep 29, 2022, at 1:03 PM, Vivek Goyal wrote: > > So rust version of virtiofsd, already supports running unprivileged > (inside a user namespace). I know, but as I already said, the use case here is running inside an OpenShift unprivileged pod where *we are already in a container*. >

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-30 Thread German Maglione
On Thu, Sep 29, 2022 at 7:03 PM Vivek Goyal wrote: > > On Thu, Sep 29, 2022 at 11:47:32AM -0400, Colin Walters wrote: > > > > > > On Thu, Sep 29, 2022, at 10:10 AM, Vivek Goyal wrote: > > > > > What's your use case. How do you plan to use virtiofs. > > > > At the current time, the Kubernetes that

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-29 Thread Vivek Goyal
On Thu, Sep 29, 2022 at 11:47:32AM -0400, Colin Walters wrote: > > > On Thu, Sep 29, 2022, at 10:10 AM, Vivek Goyal wrote: > > > What's your use case. How do you plan to use virtiofs. > > At the current time, the Kubernetes that we run does not support user > namespaces. We want to do the pro

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-29 Thread Colin Walters
On Thu, Sep 29, 2022, at 10:10 AM, Vivek Goyal wrote: > What's your use case. How do you plan to use virtiofs. At the current time, the Kubernetes that we run does not support user namespaces. We want to do the production builds of our operating system (Fedora CoreOS and RHEL CoreOS) today

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-29 Thread Vivek Goyal
On Thu, Sep 29, 2022 at 10:04:36AM -0400, Colin Walters wrote: > On Wed, Sep 28, 2022, at 3:28 PM, Vivek Goyal wrote: > > > Sounds reasonable. In fact, we could probably do something similar > > for "landlock" as well. > > Thanks for the discussion all! Can someone (vaguely) commit to look into

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-29 Thread Colin Walters
On Wed, Sep 28, 2022, at 3:28 PM, Vivek Goyal wrote: > Sounds reasonable. In fact, we could probably do something similar > for "landlock" as well. Thanks for the discussion all! Can someone (vaguely) commit to look into this in say the next few months? It's not *urgent*, we can live with the

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-28 Thread Vivek Goyal
On Wed, Sep 28, 2022 at 10:33:40AM +0200, Sergio Lopez wrote: > On Tue, Sep 27, 2022 at 04:14:20PM -0400, Stefan Hajnoczi wrote: > > On Tue, Sep 27, 2022 at 01:51:41PM -0400, Colin Walters wrote: > > > > > > > > > On Tue, Sep 27, 2022, at 1:27 PM, German Maglione wrote: > > > > > > > >> > Now all

Re: virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-28 Thread Vivek Goyal
On Tue, Sep 27, 2022 at 07:27:02PM +0200, German Maglione wrote: > On Tue, Sep 27, 2022 at 6:57 PM Vivek Goyal wrote: > > > > On Tue, Sep 27, 2022 at 12:37:15PM -0400, Vivek Goyal wrote: > > > On Fri, Sep 09, 2022 at 05:24:03PM -0400, Colin Walters wrote: > > > > We previously had a chat here > >

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-28 Thread Sergio Lopez
On Tue, Sep 27, 2022 at 04:14:20PM -0400, Stefan Hajnoczi wrote: > On Tue, Sep 27, 2022 at 01:51:41PM -0400, Colin Walters wrote: > > > > > > On Tue, Sep 27, 2022, at 1:27 PM, German Maglione wrote: > > > > > >> > Now all the development has moved to rust virtiofsd. > > > > Oh, awesome!! The co

Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-27 Thread Stefan Hajnoczi
On Tue, Sep 27, 2022 at 01:51:41PM -0400, Colin Walters wrote: > > > On Tue, Sep 27, 2022, at 1:27 PM, German Maglione wrote: > > > >> > Now all the development has moved to rust virtiofsd. > > Oh, awesome!! The code there looks great. > > > I could work on this for the next major version and

Re: virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-27 Thread Colin Walters
On Tue, Sep 27, 2022, at 1:27 PM, German Maglione wrote: > >> > Now all the development has moved to rust virtiofsd. Oh, awesome!! The code there looks great. > I could work on this for the next major version and see if anything breaks. > But I prefer to add this as a compilation feature, ins

Re: virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-27 Thread German Maglione
On Tue, Sep 27, 2022 at 6:57 PM Vivek Goyal wrote: > > On Tue, Sep 27, 2022 at 12:37:15PM -0400, Vivek Goyal wrote: > > On Fri, Sep 09, 2022 at 05:24:03PM -0400, Colin Walters wrote: > > > We previously had a chat here > > > https://lore.kernel.org/all/348d4774-bd5f-4832-bd7e-a21491fda...@www.fas

Re: virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-27 Thread Vivek Goyal
On Tue, Sep 27, 2022 at 12:37:15PM -0400, Vivek Goyal wrote: > On Fri, Sep 09, 2022 at 05:24:03PM -0400, Colin Walters wrote: > > We previously had a chat here > > https://lore.kernel.org/all/348d4774-bd5f-4832-bd7e-a21491fda...@www.fastmail.com/T/ > > around virtiofsd and privileges and the case

Re: virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-27 Thread Vivek Goyal
On Fri, Sep 09, 2022 at 05:24:03PM -0400, Colin Walters wrote: > We previously had a chat here > https://lore.kernel.org/all/348d4774-bd5f-4832-bd7e-a21491fda...@www.fastmail.com/T/ > around virtiofsd and privileges and the case of trying to run virtiofsd > inside an unprivileged (Kubernetes) con

virtiofsd: Any reason why there's not an "openat2" sandbox mode?

2022-09-09 Thread Colin Walters
We previously had a chat here https://lore.kernel.org/all/348d4774-bd5f-4832-bd7e-a21491fda...@www.fastmail.com/T/ around virtiofsd and privileges and the case of trying to run virtiofsd inside an unprivileged (Kubernetes) container. Right now we're still using 9p, and it has bugs (basically it
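The "openat2 sandbox mode" the subject line asks about would build on the openat2(2) RESOLVE_IN_ROOT flag, which confines path resolution to a directory file descriptor without chroot, pivot_root or a user namespace. The following is an added example in C, not virtiofsd code and not taken from any message in this thread: it builds a throwaway shared directory (constructed test data) containing a symlink that points at the host's real "/", then opens that link once with plain openat(), which follows it out of the directory, and once through openat2() with RESOLVE_IN_ROOT, which treats "/" and ".." in the lookup as the shared directory itself. The helper names (open_in_root, same_file, demo_symlink_escape, open_how_compat), the directory and the symlink are this example's own assumptions; the RESOLVE_* values and the syscall number are the kernel's stable ABI, repeated locally so the program also compiles against userspace headers that predate openat2.

```c
/* Added example: confining path lookup with openat2(2) + RESOLVE_IN_ROOT.
 * Not virtiofsd code; helper names and test data are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Stable kernel ABI from <linux/openat2.h>, defined here so the example
 * builds even where the userspace headers are older than Linux 5.6. */
#ifndef SYS_openat2
# ifdef __NR_openat2
#  define SYS_openat2 __NR_openat2
# else
#  define SYS_openat2 437   /* same number on every Linux architecture */
# endif
#endif
#ifndef RESOLVE_IN_ROOT
# define RESOLVE_NO_MAGICLINKS 0x02
# define RESOLVE_IN_ROOT       0x10
#endif
struct open_how_compat { uint64_t flags; uint64_t mode; uint64_t resolve; };

/* Open PATH as seen from inside ROOTFD: absolute paths, absolute symlink
 * targets and ".." are all re-rooted at ROOTFD instead of the real "/".
 * RESOLVE_NO_MAGICLINKS additionally refuses /proc-style magic links. */
static int open_in_root(int rootfd, const char *path, uint64_t flags)
{
    struct open_how_compat how;
    memset(&how, 0, sizeof how);
    how.flags = flags | O_CLOEXEC;
    how.resolve = RESOLVE_IN_ROOT | RESOLVE_NO_MAGICLINKS;
    return (int)syscall(SYS_openat2, rootfd, path, &how, sizeof how);
}

/* True when two descriptors refer to the same inode. */
static int same_file(int a, int b)
{
    struct stat sa, sb;
    if (fstat(a, &sa) || fstat(b, &sb)) return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Returns 1 if plain openat() escaped the share while open_in_root() stayed
 * inside it, -1 if this kernel has no openat2 (ENOSYS), 0 on any other outcome. */
static int demo_symlink_escape(void)
{
    char tmpl[] = "/tmp/shared.XXXXXX";          /* constructed shared directory */
    char link[64];
    int rootfd = -1, realroot = -1, legacy = -1, confined = -1, dotdot = -1;
    int result = 0, saved_errno;

    char *root = mkdtemp(tmpl);
    if (!root) return 0;
    snprintf(link, sizeof link, "%s/escape", root);
    if (symlink("/", link)) { rmdir(root); return 0; }   /* escape -> / planted */

    rootfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    realroot = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (rootfd < 0 || realroot < 0) goto out;

    /* Legacy lookup follows the link to the host's real "/". */
    legacy = openat(rootfd, "escape", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    /* Confined lookup: the link's "/" target means ROOTFD. */
    confined = open_in_root(rootfd, "escape", O_RDONLY | O_DIRECTORY);
    saved_errno = errno;
    /* ".." cannot climb above ROOTFD either. */
    dotdot = open_in_root(rootfd, "../../..", O_RDONLY | O_DIRECTORY);

    if (confined < 0 && saved_errno == ENOSYS)
        result = -1;
    else if (legacy >= 0 && same_file(legacy, realroot) &&
             confined >= 0 && same_file(confined, rootfd) &&
             dotdot >= 0 && same_file(dotdot, rootfd))
        result = 1;
out:
    if (legacy >= 0) close(legacy);
    if (confined >= 0) close(confined);
    if (dotdot >= 0) close(dotdot);
    if (rootfd >= 0) close(rootfd);
    if (realroot >= 0) close(realroot);
    unlink(link);
    rmdir(root);
    return result;
}

int main(void)
{
    int r = demo_symlink_escape();
    if (r < 0) { puts("openat2 unavailable on this kernel (ENOSYS)"); return 1; }
    printf("openat() followed the link out; RESOLVE_IN_ROOT confined it: %s\n",
           r ? "yes" : "NO");
    return r == 1 ? 0 : 1;
}
```

The point for a daemon like virtiofsd is that RESOLVE_IN_ROOT needs no privilege at all, only a Linux 5.6+ kernel and a descriptor for the shared directory, which is what makes it attractive inside a container that has no user namespace. It does not replace the seccomp and mount-namespace layers of the existing sandbox modes; it closes the path-lookup escape, and an openat2 caller still has to keep its other file operations relative to descriptors obtained this way.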