Whamcloud - gitweb
LU-7845 gss: support namespace in lgss_keyring

When we want Kerberos authentication for a Lustre client run from
a Docker container, it is necessary that request_key() forwards
to lgss_keyring userland helper sufficient information regarding
the namespace from which mount command was launched. That way,
helper function can bind to caller's namespace, and retrieve
Kerberos credentials of the container.

To achieve this:
- add a lpi_reftask field to struct llog_process_info: this is the
  task_struct of the process initiating the mount;
- use lpi_reftask to put llog_process_thread_daemonize thread in
  same namespace as calling llog_process_or_fork();
- add a reference PID to struct obd_import: this is the PID of
  the init process of the namespace from which the import
  creation was originated;
- use reference PID from struct obd_import as a new 'pid' parameter
  to call-out information sent from kernel space to userspace
  via request-key;
- in lgss_keyring, if necessary perform credentials retrieval
  in caller's namespace, thanks to a call to 'setns'.

For user's credentials, use current PID instead of import's
reference PID to get the reference namespace.

Change-Id: I934ed857fdf323e55a2a5acf06e8799c3a6421f0
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/18781
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: James Simmons <uja.ornl@yahoo.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Li Xi <lixi@ddn.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
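
The last step in the commit message, a userland helper joining the namespace of a reference PID through `setns` only when it differs from its own, can be sketched as below. This is an added example, not code from the Lustre tree: the function names `ns_path`, `ns_differs` and `bind_to_ns` and the list of accepted namespace names are assumptions, since the page does not say which namespaces lgss_keyring joins.

```c
#define _GNU_SOURCE              /* setns() lives behind this in <sched.h> */
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
int setns(int fd, int nstype);   /* glibc prototype, repeated for builds that hide it */

/* Build /proc/<pid>/ns/<ns>; reject bad PIDs and unknown namespace names. */
int ns_path(char *buf, size_t len, pid_t pid, const char *ns)
{
    static const char *const known[] = { "mnt", "net", "ipc", "uts", "pid", "user" };
    size_t i, n = sizeof(known) / sizeof(known[0]);
    if (pid <= 0 || ns == NULL)
        return -1;
    for (i = 0; i < n && strcmp(ns, known[i]) != 0; i++)
        ;
    if (i == n || (size_t)snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, ns) >= len)
        return -1;
    return 0;
}

/* 1: pid lives in another namespace, 0: same as ours, -1: cannot tell. */
int ns_differs(pid_t pid, const char *ns)
{
    char theirs[64], ours[64];
    struct stat a, b;
    if (ns_path(theirs, sizeof(theirs), pid, ns) < 0 ||
        ns_path(ours, sizeof(ours), getpid(), ns) < 0 ||
        stat(theirs, &a) < 0 || stat(ours, &b) < 0)
        return -1;
    /* Two namespace links name the same namespace iff device and inode match. */
    return a.st_dev != b.st_dev || a.st_ino != b.st_ino;
}

/* Join pid's namespace only when needed; the join itself needs CAP_SYS_ADMIN. */
int bind_to_ns(pid_t pid, const char *ns)
{
    char path[64];
    int fd, rc = ns_differs(pid, ns);
    if (rc <= 0)
        return rc;               /* already in that namespace, or error */
    ns_path(path, sizeof(path), pid, ns);
    fd = open(path, O_RDONLY | O_CLOEXEC);
    rc = fd < 0 ? -1 : setns(fd, 0);   /* 0: accept the type fd refers to */
    if (fd >= 0)
        close(fd);
    return rc;
}
```

Because the PID reaches the helper from call-out data, the sketch validates it and the namespace name before touching `/proc`, and treats "cannot tell" as a failure instead of proceeding in the helper's own namespace.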