Sep 9 – 11, 2019
Europe/Lisbon timezone

Using kernel keyrings with containers

Sep 10, 2019, 6:40 PM
Jade/room-I&II (Corinthia Hotel Lisbon)





Mr David Howells (Red Hat)


The kernel contains a keyrings facility for handling tokens for filesystems and other kernel services to use. These are frequently disabled in container environments, however, because they were not made namespace-aware by the authors of the user namespace and the other namespaces.

Unfortunately, this gap prevents various things from working inside containers. To get around it, keys are now being tagged with a namespace tag that allows keys operating in different namespaces to coexist in the same keyring, and restrictions have been placed on joining session keyrings across namespaces.

This still isn't sufficient to make them truly useful here. Intended future developments include: granting a container a permit to use a key; adding per-container keyrings; and namespacing the request-key upcall.


