On Tue, Jan 19, 2021 at 08:04:29PM +0530, P J P wrote:
> +-- On Mon, 18 Jan 2021, Stefan Hajnoczi wrote --+
> | Guest applications may run with different uids/gids. The host has no control
> | over that.
> |
> | Imagine booting a guest from a virtio-fs root file system and installing
> | packages. The guest must be able to control uids/gids for that to work.
>
> * I see; I'll try to better understand how it's done.
>
> * With UID namespaces, I thought virtiofsd(1) would be able to operate files
>   with arbitrary uid/gid, even after dropping its root privileges to acquire
>   non-root privileges on the host; Because it has 'root' privileges under the
>   shared directory & UID namespace.

Exactly, this is the most promising direction but it has a limitation:
the uid/gid on the host file system are in the uid/gid range that was
assigned to the user namespace.

If anything other than the VM needs to access those files then you need
to either ensure it runs with the correct uid/gid on the host or chown
the files. That complicates some use cases. It does seem worth offering
as a feature but only works for some use cases.

When Linux gets uid/gid mapping functionality this issue will be solved.
virtiofsd will run unprivileged but the host files can have the correct
uid/gids.

Stefan
_______________________________________________
Virtio-fs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/virtio-fs
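
The limitation described in the reply above, as an added example that is not part of the original message and is not virtiofsd code: it translates IDs through a user-namespace map in the /proc/<pid>/uid_map format to show which owner ends up on the host file system. The map (guest IDs 0-65535 onto host IDs starting at 100000) is constructed sample data, and the function names are hypothetical.

```python
# Added illustration; not virtiofsd code. The map below is constructed sample
# data in the /proc/<pid>/uid_map format: "<id inside ns> <id outside ns> <length>".
SAMPLE_UID_MAP = """\
         0     100000      65536
"""

OVERFLOW_UID = 65534  # kernel default for /proc/sys/kernel/overflowuid


def parse_id_map(text):
    """Return a list of (inside_start, outside_start, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"extent length must be positive: {line!r}")
        extents.append((inside, outside, length))
    return extents


def to_host(extents, ns_id):
    """Host ID stored on disk for an ID used inside the namespace, or None if unmapped."""
    for inside, outside, length in extents:
        if inside <= ns_id < inside + length:
            return outside + (ns_id - inside)
    return None


def to_namespace(extents, host_id):
    """ID the namespace sees for a host-owned file; unmapped owners show as the overflow ID."""
    for inside, outside, length in extents:
        if outside <= host_id < outside + length:
            return inside + (host_id - outside)
    return OVERFLOW_UID


if __name__ == "__main__":
    extents = parse_id_map(SAMPLE_UID_MAP)
    for guest_uid in (0, 33, 1000, 70000):
        print(f"guest uid {guest_uid:>5} -> host uid {to_host(extents, guest_uid)}")
    for host_uid in (0, 1000, 101000):
        print(f"host uid {host_uid:>6} -> seen in namespace as {to_namespace(extents, host_uid)}")
```

With this map a file created by guest uid 1000 is owned by host uid 101000, so a host process running as uid 1000 is not its owner, and a file owned by host uid 1000 appears inside the namespace as the overflow ID.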
