[Devel] [PATCH] netfilter: get UID and GID from container user ns on rule match

Cyrill Gorcunov gorcunov at gmail.com
Tue Jun 6 13:27:43 MSK 2017


On Tue, Jun 06, 2017 at 01:23:55PM +0300, Cyrill Gorcunov wrote:
> On Tue, Jun 06, 2017 at 02:00:32PM +0400, Stanislav Kinsburskiy wrote:
> > It's good enough for us. It won't work properly in case of setting rules by
> > joining container network namespace without VE cgroup, but it's acceptable,
> > because proper fix needs a lot of backporting.
> > 
> > https://jira.sw.ru/browse/PSBM-43609
> > 
> > Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>

This should do the trick on one-level user-ns at least. Should be enough
for now, but in the long-term perspective we might still need to backport
the complete user-ns rework as in vanilla.

	Cyrill