keps/127: Support User Namespaces #3
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alban
reviewed
Sep 28, 2020
Co-authored-by: Alban Crequy <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
alban
reviewed
Sep 28, 2020
Co-authored-by: Alban Crequy <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
…ernetes-enhancements into mauricio/userns_proposal_new
rata
reviewed
Sep 28, 2020
Co-authored-by: rata <[email protected]>
Co-authored-by: rata <[email protected]>
Co-authored-by: rata <[email protected]>
Co-authored-by: rata <[email protected]>
rhatdan
reviewed
Oct 8, 2020
| Some runtimes, like cri-o, mitigate these problems by using the `metacopy` | ||
| option of overlayfs. This option avoids copying the whole file content when an | ||
| operation updating only the metadata, like `chown` or `chmod`, is performed. | ||
| This solution could be adopted by other runtimes until a more sophisticated |
There was a problem hiding this comment.
Metadata only copy up
--------------------
When metadata only copy up feature is enabled, overlayfs will only copy
up metadata (as opposed to whole file), when a metadata specific operation
like chown/chmod is performed. Full file will be copied up later when
file is opened for WRITE operation.
Container/storage used by CRI-O mounts an overlay file system with the metacopy=on flag set, it then chowns all of the lower files in the image to match the user namespace to which the container will run. This operation is very quick compared to standard chowning, since none of the files data has to be copied up. If a second container runs on the same image with the same user namespace, then the chowned image is shared, eliminating the need to chown again.
mrunalp
reviewed
Oct 15, 2020
mrunalp
reviewed
Oct 15, 2020
mrunalp
reviewed
Oct 15, 2020
mrunalp
reviewed
Oct 15, 2020
mrunalp
reviewed
Oct 15, 2020
mrunalp
reviewed
Oct 15, 2020
mrunalp
reviewed
Oct 15, 2020
margamanterola
pushed a commit
that referenced
this pull request
Oct 15, 2021
Additional updates to PRR docs
margamanterola
pushed a commit
that referenced
this pull request
Oct 15, 2021
Ensure Implementation stategy captured in the KEP matches latest implementation
rata
pushed a commit
that referenced
this pull request
Aug 9, 2022
chore: rename to `key_id` and use bytes for metadata
rata
pushed a commit
that referenced
this pull request
Aug 7, 2023
…ategy (kubernetes#3661) * Initial KEP for improving pruning in kubectl apply * Add design details Co-authored-by: Katrina Verey <[email protected]> * Add another open question * Links, clarifications, ownerRef and GKNN explanations * Follow-on to initial feedback, address some unresolved blocks * Fix lint errors * Add more detail about reference implementation (#2) * Apply prune jan25 (#3) * More clearly delineate specification vs kubectl details * Move design details of spec to Design Details section * Updates from synchronous conversation * Remove leftover paragraph (#5) Not an alternative rejected any more, given applyset.k8s.io/inventory * Justin has always been coauthor * KEP-3659: production readiness etc (#4) Fill in the testing/ PRR sections. * Fix test failures * Prune: document confused deputy attack and mitigations Likely pushes us to GKNN-derived IDs. * Constrain applyset id We just choose the constrained applyset id to prevent "applyset ID impersonation". * Update KEP and PRR metadata * Enhance testing description * ID vs name fixes * Fixes from soltysh's review --------- Co-authored-by: Justin Santa Barbara <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.