[RFC]: IMA Namespace support #1164
base: main
Add an IMA namespace field for containers to be able to create an IMA namespace using JSON configuration.
Signed-off-by: Ilya Hanov <[email protected]>
@@ -218,6 +218,8 @@ const ( | |||
UTSNamespace LinuxNamespaceType = "uts" | |||
// UserNamespace for isolating user and group IDs | |||
UserNamespace LinuxNamespaceType = "user" | |||
// ImaNamespace for isolating PCR values | |||
ImaNamespace LinuxNamespaceType = "ima" |
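Review bot: the new identifier breaks the capitalisation convention visible two lines above it: `UTSNamespace` keeps its acronym in capitals, so the constant should be `IMANamespace`, not `ImaNamespace`. The doc comment `// ImaNamespace for isolating PCR values` is also narrower than the PR description, which says the namespace isolates PCR values and measurement logs; widen the comment so it matches what the feature isolates. The hunk only touches the Go constants, so the list of namespace types in config-linux.md needs a matching `ima` entry, and that entry should state that this type is created through securityfs rather than a clone/unshare flag, because runtimes that derive flags from the type string would otherwise silently skip it.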
https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md needs to be updated too
Let me mark this as a draft until the kernel patch gets merged into the upstream.
IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc. if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.
I think it's Yes and No simultaneously... Of course, the IMA namespace feature is not merged in kernel mainline and maybe will not be for some time.
Yes, you're right in a way, IMA namespaces are not in upstream, but there's another interesting problem with runC. This is related to why the IMA namespace uses securityFS to create namespaces, but runC doesn't know about namespaces which are not created by using clone/unshare at all. This patchset (one for runC, one for runtime-spec) presents not only an IMA namespace creation scheme, but tries to solve this problem as well, because if the kernel community decides to invent another namespace, sooner or later this problem will show up.
The Linux kernel community is now working on supporting IMA namespaces and it is almost done. It is a new kernel feature that allows isolation of Platform Configuration Register (PCR) values, Measurement Logs (ML), etc. The related issue is #1163.
Signed-off-by: Ilya Hanov [email protected]
Advanced Software Technology Lab
Huawei
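The design problem raised in the thread is that a runtime derives namespace creation from clone/unshare flags, so a type such as `ima`, which the thread says is created through securityfs, would be silently dropped unless the runtime recognises it explicitly. The following Go program is an added example written for this page; it is not code from the PR, from runc, or from runtime-spec. It assumes the proposed type string `"ima"`, defines the clone flags locally so it builds on any OS, and classifies each `linux.namespaces` entry from a constructed config.json fragment into flags for unshare, entries to join, and types that need a separate creation step; unknown and duplicate types are rejected rather than ignored. The securityfs mechanism itself is not implemented here, only flagged.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LinuxNamespaceType mirrors the runtime-spec's string type for a namespace entry.
type LinuxNamespaceType string

// Namespace types known to this example: the spec's set plus the proposed "ima".
const (
	PIDNamespace     LinuxNamespaceType = "pid"
	NetworkNamespace LinuxNamespaceType = "network"
	MountNamespace   LinuxNamespaceType = "mount"
	IPCNamespace     LinuxNamespaceType = "ipc"
	UTSNamespace     LinuxNamespaceType = "uts"
	UserNamespace    LinuxNamespaceType = "user"
	CgroupNamespace  LinuxNamespaceType = "cgroup"
	// IMANamespace is the type string proposed in the PR; assumed here, not yet in the spec.
	IMANamespace LinuxNamespaceType = "ima"
)

// clone(2) flags from <linux/sched.h>, spelled out locally so the example builds on any OS.
const (
	cloneNewNS     = 0x00020000
	cloneNewCgroup = 0x02000000
	cloneNewUTS    = 0x04000000
	cloneNewIPC    = 0x08000000
	cloneNewUser   = 0x10000000
	cloneNewPID    = 0x20000000
	cloneNewNet    = 0x40000000
)

// cloneFlags lists the types a runtime can create with clone/unshare.
// "ima" is deliberately absent: per the thread it is created through securityfs.
var cloneFlags = map[LinuxNamespaceType]int{
	MountNamespace: cloneNewNS, CgroupNamespace: cloneNewCgroup, UTSNamespace: cloneNewUTS,
	IPCNamespace: cloneNewIPC, UserNamespace: cloneNewUser, PIDNamespace: cloneNewPID,
	NetworkNamespace: cloneNewNet,
}

// nonCloneTypes are known types that need a creation mechanism other than clone flags.
var nonCloneTypes = map[LinuxNamespaceType]bool{IMANamespace: true}

// Namespace and Config cover only the config.json fields this example reads.
type Namespace struct {
	Type LinuxNamespaceType `json:"type"`
	Path string             `json:"path,omitempty"`
}
type Config struct {
	Linux struct {
		Namespaces []Namespace `json:"namespaces"`
	} `json:"linux"`
}

// Plan is what a runtime would act on: flags for unshare, entries to join via setns(2),
// and types that must be handled by an explicit, mechanism-specific creation step.
type Plan struct {
	CloneFlags int
	Join       []Namespace
	NonClone   []LinuxNamespaceType
}

// PlanNamespaces validates linux.namespaces and classifies each entry.
// Unknown types and duplicate types are errors rather than being ignored.
func PlanNamespaces(raw []byte) (Plan, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return Plan{}, fmt.Errorf("parse config: %w", err)
	}
	var p Plan
	seen := map[LinuxNamespaceType]bool{}
	for _, ns := range cfg.Linux.Namespaces {
		if seen[ns.Type] {
			return Plan{}, fmt.Errorf("duplicate namespace type %q", ns.Type)
		}
		seen[ns.Type] = true
		flag, viaClone := cloneFlags[ns.Type]
		switch {
		case !viaClone && !nonCloneTypes[ns.Type]:
			return Plan{}, fmt.Errorf("unknown namespace type %q", ns.Type)
		case !viaClone:
			// The handler for that mechanism decides whether Path is meaningful.
			p.NonClone = append(p.NonClone, ns.Type)
		case ns.Path != "":
			// An existing namespace is joined with setns(2); no clone flag is needed.
			p.Join = append(p.Join, ns)
		default:
			p.CloneFlags |= flag
		}
	}
	return p, nil
}

// sampleConfig is a constructed config.json fragment, not taken from the PR.
const sampleConfig = `{"linux":{"namespaces":[
  {"type":"pid"},{"type":"uts"},
  {"type":"user","path":"/proc/1234/ns/user"},
  {"type":"ima"}]}}`

func main() {
	p, err := PlanNamespaces([]byte(sampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("clone flags 0x%x, join %v, explicit creation %v\n", p.CloneFlags, p.Join, p.NonClone)
}
```

The point of keeping `nonCloneTypes` separate from `cloneFlags` is that a new kernel namespace created outside clone/unshare is then a deliberate, visible decision in the runtime, and a type the runtime has never heard of fails loudly instead of being dropped from the container's isolation.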