[Samba] LXC, ADDC and xattr_tdb...

Andrew Bartlett abartlet at samba.org
Fri Feb 28 18:38:02 UTC 2020


On Fri, 2020-02-28 at 17:12 +0000, Rowland penny via samba wrote:
> On 28/02/2020 17:02, Marco Gaiarin via samba wrote:
> > I came back on this topic.
> > 
> > As just depicted on:
> > 
> > 	https://lists.samba.org/archive/samba/2019-December/227626.html
> > 
> > there's no way to run samba AD DC on an unprivileged LXC container,
> > because samba needs the XATTR SYSTEM namespace that is reserved on
> > container.
> > 
> > Could be doable 'offloading' all XATTR from filesystem with a module
> > like xattr_tdb?
> > 	https://wiki.samba.org/index.php/Using_the_xattr_tdb_VFS_Module
> > how much is 'inefficient' for an AD DC?
> > 
> > There's some way, eventually, to ''backup'' XATTR and restore it to
> > migrate from filesystem to xattr_tdb?
> > 
> > 
> > Thanks.
> > 
> It doesn't scale; if it did, don't you think Samba would do this?

Marco,

I realise the attraction with putting a Samba AD DC into a container
but sadly we do need some privileged support from the OS to operate
safely.

It isn't just that putting XATTRs in a TDB does not scale, and that
isn't even the main issue.  The issue is that if a file is deleted and
re-created outside Samba's knowledge, then the xattrs are silently
transferred between the old and new files.

This isn't theoretical, we had flapping tests in 'make test' (which is
the only legitimate use of this module) because of this.

I've updated the wiki page.

The FreeBSD folks have a similar pain trying to run Samba in a FreeBSD
jail:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844

https://bugzilla.samba.org/show_bug.cgi?id=12912

Some there have attempted to get around the issue by changing the code
to use the unprivileged 'user' namespace, but this creates security
issues (we use the privileged XATTR namespaces for a reason).

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba