> From: Jeffrey Altman <[email protected]>
>
> For Linux what we would want is the ability to start a container and all
> of its processes as part of a PAG where a process running in the host
> context (not the container's) would obtain the tokens for the container.
For whatever it's worth, we did some experimentation with this using lxc at
our cell. In short,
k5start -f ${keytab} -U -t -k ${krbcc} -- \
lxc-execute -n bar -f ${lxcconf} -- \
${command}
will spin up a container whose session keyring has a PAG that is associated
with the principal in ${keytab} and whose liveness is managed by a k5start
running on the host, using host-side ${krbcc} as the credentials cache. I
believe it's possible for processes inside the container to detach
themselves from this PAG, which is unusual but hopefully not a concern. You
can use "keyctl show" for ${command} to verify that the keyrings are not
exposing any keying material to processes in the container. (We resorted to
using files for ${krbcc}, but it may be possible to use the process keyring
or an in-memory CC so that it's all internal to k5start?)
Cheers,
--nwf;