From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-fsdevel <linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> Cc: Jan Kara <jack-AlSwsSmVLrQ@public.gmane.org>, Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org> Subject: [Patch v3 0/3] allow the creation of architecture emulation containers where the emulator binary is outside the container Date: Thu, 31 Mar 2016 07:54:06 -0700 [thread overview] Message-ID: <1459436046.2958.21.camel@HansenPartnership.com> (raw) Changes in v3: * Collected acks from Jan Kara and Serge Hallyn * Fixed doc spelling errors * fput -> put_filp in error path Changes in v2: * Use oldfile f_creds for the vfs_open credentials in filp_clone_open() * remove spurious fput() after filp_close() * Add documentation for the F option There's also now a git tree at https://git.kernel.org/cgit/linux/kernel/git/jejb/binfmt_misc.git Original cover letter: I've recently been playing a lot with architecture emulation containers using qemu, mainly so I can build and test the arm secure boot toolchain on my x86 laptop (not having any arm server hardware). The process for bringing up architecture emulation containers using qemu-user is very cumbersome because the emulation has to be installed within the container. This is bad for several reasons, firstly because it contaminates the container image to have an emulator sitting inside it. Secondly it means that all orchestration systems have to be explicitly modified to work with non-native architectures and thirdly it means that the consumer of the container can accidentally destroy the emulation and thus permanently crash the container. The fix for this is to add a mode to binfmt_misc where the emulation can be permanently installed from the current mount namespace and where it survives both chroot and changes of mount namespace, effectively allowing the container to run using the emulator, but where the emulator itself isn't present within the container. There are a couple of downsides to this, firstly the mapping of the interpreter is accessible inside the container even if the actual file isn't (I don't think this is really a security problem) and secondly, to update the emulator package, you now have to remove the emulation update and reinstall it, but this should be easy to do with packaging scripts. Finally, the emulator must be static otherwise the container would crash when the elf binary format attempted to run the elf interpreter. I'm not really a regular FS developer, so I'd appreciate FS people taking a look at the new filp_clone_open() API and whether I got everything correct. Thanks, James --- James Bottomley (3): fs: add filp_clone_open API binfmt_misc: add persistent opened binary handler for containers binfmt_misc: add F option description to documentation Documentation/binfmt_misc.txt | 7 +++++++ fs/binfmt_misc.c | 41 +++++++++++++++++++++++++++++++++++++++-- fs/internal.h | 1 + fs/open.c | 20 ++++++++++++++++++++ 4 files changed, 67 insertions(+), 2 deletions(-)
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com> To: containers@lists.linux-foundation.org, linux-fsdevel <linux-fsdevel@vger.kernel.org> Cc: Al Viro <viro@ZenIV.linux.org.uk>, Jan Kara <jack@suse.cz> Subject: [Patch v3 0/3] allow the creation of architecture emulation containers where the emulator binary is outside the container Date: Thu, 31 Mar 2016 07:54:06 -0700 [thread overview] Message-ID: <1459436046.2958.21.camel@HansenPartnership.com> (raw) Changes in v3: * Collected acks from Jan Kara and Serge Hallyn * Fixed doc spelling errors * fput -> put_filp in error path Changes in v2: * Use oldfile f_creds for the vfs_open credentials in filp_clone_open() * remove spurious fput() after filp_close() * Add documentation for the F option There's also now a git tree at https://git.kernel.org/cgit/linux/kernel/git/jejb/binfmt_misc.git Original cover letter: I've recently been playing a lot with architecture emulation containers using qemu, mainly so I can build and test the arm secure boot toolchain on my x86 laptop (not having any arm server hardware). The process for bringing up architecture emulation containers using qemu-user is very cumbersome because the emulation has to be installed within the container. This is bad for several reasons, firstly because it contaminates the container image to have an emulator sitting inside it. Secondly it means that all orchestration systems have to be explicitly modified to work with non-native architectures and thirdly it means that the consumer of the container can accidentally destroy the emulation and thus permanently crash the container. The fix for this is to add a mode to binfmt_misc where the emulation can be permanently installed from the current mount namespace and where it survives both chroot and changes of mount namespace, effectively allowing the container to run using the emulator, but where the emulator itself isn't present within the container. There are a couple of downsides to this, firstly the mapping of the interpreter is accessible inside the container even if the actual file isn't (I don't think this is really a security problem) and secondly, to update the emulator package, you now have to remove the emulation update and reinstall it, but this should be easy to do with packaging scripts. Finally, the emulator must be static otherwise the container would crash when the elf binary format attempted to run the elf interpreter. I'm not really a regular FS developer, so I'd appreciate FS people taking a look at the new filp_clone_open() API and whether I got everything correct. Thanks, James --- James Bottomley (3): fs: add filp_clone_open API binfmt_misc: add persistent opened binary handler for containers binfmt_misc: add F option description to documentation Documentation/binfmt_misc.txt | 7 +++++++ fs/binfmt_misc.c | 41 +++++++++++++++++++++++++++++++++++++++-- fs/internal.h | 1 + fs/open.c | 20 ++++++++++++++++++++ 4 files changed, 67 insertions(+), 2 deletions(-)
next reply other threads:[~2016-03-31 14:54 UTC|newest] Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-03-31 14:54 James Bottomley [this message] 2016-03-31 14:54 ` [Patch v3 0/3] allow the creation of architecture emulation containers where the emulator binary is outside the container James Bottomley [not found] ` <1459436046.2958.21.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> 2016-03-31 14:55 ` [Patch v3 1/3] fs: add filp_clone_open API James Bottomley 2016-03-31 14:55 ` James Bottomley 2016-03-31 14:56 ` [Patch v3 2/3] binfmt_misc: add persistent opened binary handler for containers James Bottomley 2016-03-31 14:56 ` James Bottomley [not found] ` <1459436179.2958.23.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> 2016-04-13 21:02 ` Matthew Helsley [not found] ` <CA+RrjuV3VOjLRMm_bnk-9CKF_3NqX6DVNBgAUVpxW0+NE0bLHg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-04-14 22:33 ` johnny frazier 2016-03-31 14:57 ` [Patch v3 3/3] binfmt_misc: add F option description to documentation James Bottomley 2016-03-31 14:57 ` James Bottomley
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1459436046.2958.21.camel@HansenPartnership.com \ --to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \ --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \ --cc=jack-AlSwsSmVLrQ@public.gmane.org \ --cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \ --cc=viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.