Arun Chandran:
> # id
> uid=1001(test) gid=1001(test) groups=1001(test)
        :::
> # cd layer1/
> # >.wh..wh.aufs
> # ln .wh..wh.aufs .wh.0.txt

Ok, succeeded with a normal user.
How about as a superuser?

cd layer1
sudo touch .wh..wh.aufs
ln .wh..wh.aufs .wh.0.txt

Is .wh..wh.aufs created with access="_"?
Does linking .wh.0.txt fail?


> From the root terminal I can change labels of all the .wh* files and
> can also change their ownership to normal user.
> This can be performed after the mount operation and it will allow me
> to get the desired result.
>
> Do you see any security risk in doing so?

It seems to break what smack is trying to protect with access="_". I don't
know what it is. But as long as it is acceptable for you and you can get
the desired result, it might be a good way to go.


> Is there any way of deferring the formation of .wh.* files till
> somebody really starts doing some
> file operations? In that way those files will always get the label of
> the guy who is doing the operation.

It is up to how the smack label is set.
Note that aufs doesn't care about smack settings, and just follows the
behaviour of its branch fs's and smack's. As long as
- smack sets access="_" to the files which a superuser created.
- you mount aufs as a superuser.
then, the symptom looks like a correct result.
If you just want to set access= other than "_", then you can do it by
either resetting after mount or changing the mount-user to one other than
root (based on the capability).


> root user will label the layers and do aufs mount of the layers before
> starting the container. The processes running inside the container
> will also have a unique label such as k0,k1,... kN and they should be
> able to do any kind of operations in their respective aufs mounted
> directories.

So all the files which have the label set are unique to their respective
containers, right? There will be no files shared between containers
at all? Or can a single file have multiple smack labels?


J. R. Okajima
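The check asked for above (create .wh..wh.aufs as the mount user, hard-link .wh.0.txt to it, then see who owns the whiteouts and what Smack label they carry) written out as a small audit script. This is an added example, not code from the thread or from aufs itself; it assumes getfattr from the attr package is installed for reading security.SMACK64, and prints "n/a" for the label when it is not.

```shell
#!/bin/sh
# Added example: audit aufs whiteout entries (.wh.*) in one layer directory,
# reporting owner, hard-link count and the Smack label of each entry.
# Assumption: getfattr (attr package) is present; otherwise label reads n/a.

# Print one line per whiteout entry: name, owner, link count, SMACK64 label.
audit_whiteouts() {
    dir="$1"
    for f in "$dir"/.wh.* ; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        owner=$(ls -ld "$f" | awk '{print $3}')
        links=$(ls -ld "$f" | awk '{print $2}')
        if command -v getfattr >/dev/null 2>&1; then
            # --only-values prints just the label; missing xattr -> n/a
            label=$(getfattr --only-values -n security.SMACK64 "$f" 2>/dev/null \
                    || echo "n/a")
        else
            label="n/a"
        fi
        printf '%s owner=%s links=%s smack=%s\n' \
            "$name" "$owner" "$links" "${label:-n/a}"
    done
}

# Number of whiteout entries found in the layer (0 when there are none).
count_whiteouts() {
    audit_whiteouts "$1" | wc -l | tr -d ' '
}

# Reproduce the experiment from the thread in a scratch layer directory:
# the whiteout base file plus a whiteout for 0.txt hard-linked to it.
# Run this as the same user that will perform the aufs mount to see the
# label that user's files receive.
make_layer() {
    dir="$1"
    mkdir -p "$dir"
    : > "$dir/.wh..wh.aufs"
    ln "$dir/.wh..wh.aufs" "$dir/.wh.0.txt"
}

# Usage: make_layer layer1 && audit_whiteouts layer1
```

On a Smack-enabled host, any entry reported with smack=_ after a root mount is one the container's k0..kN processes will not be able to touch until it is relabelled or re-owned, which is exactly the post-mount fix-up discussed above.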
