From: Dave Hansen <dave-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>
Subject: Re: [BIG RFC] Filesystem-based checkpoint
Date: Mon, 03 Nov 2008 09:23:19 -0800 [thread overview]
Message-ID: <1225732999.12673.442.camel@nimitz> (raw)
In-Reply-To: <m1r65wpjx2.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
On Fri, 2008-10-31 at 13:51 -0700, Eric W. Biederman wrote:
> Dave Hansen <dave-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> writes:
> > Eric, you were saying that my interface had way too many "dangerous
> > syscalls". How does this relate to user namespaces and creating objects
> > with particular ids? Surely if the true problem with my suggested
> > approach has to do with creating empty namespaces, the same problem
> > exists with the sys_checkpoint() approach.
...
> In a sys_restore() scenario at the very start you can check to make
> certain that the reference count for the namespaces is 1 and that they
> are empty. Which means there is no chance of confusing user space.
>
> With fork_and_set_child_pid() what is a simple cheap one time check
> becomes an expensive painful one, if you can even implement it at all.
>
> The difference is that with a bunch of small pieces you loose atomicity.
I think we're just trading trade-offs here. :)
I believe your suggestion is simply to constrain the problem. If we put
extra restrictions on sys_restart() to ensure that its job is simpler
then some of the implementation problems just go away. That's
definitely a good approach.
In this case you are saying that, during a call to sys_restart(), we
should ensure that the task doing the restoring holds the only reference
to those namespaces. If it does, that means that there can't possibly
be any security implications because no one else can possibly even *see*
those namespaces. This is a laudable goal, but I'm not sure it works in
practice without more code.
The problem is that we can't possibly use refcounts (at least the ones
we have today) alone. For instance, with the pid namespace, we would
have 1 ref for the 'init' process doing the sys_restore() call and then
a possible second refcount for /proc. Perhaps we could differentiate
references to namespaces that instantiate objects inside the namespaces
from purely references to the namespace *itself*.
Rather than offering a solution for the filesystem-based approach, I'll
venture this: whatever I come up with will be extra code to glue things
back together, to detect when namespaces are "fresh" and able to be
scribbled into.
Anyway, it's obvious that you and Oren don't like my approach just as
much as I don't like the syscalls. So, I'll just drop it for now. But,
please do keep it in the back of your minds in case it applies
somewhere.
-- Dave
next prev parent reply other threads:[~2008-11-03 17:23 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-28 18:37 [BIG RFC] Filesystem-based checkpoint Dave Hansen
2008-10-28 20:56 ` Serge E. Hallyn
[not found] ` <20081028205654.GA17487-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-28 21:00 ` Dave Hansen
2008-10-28 21:10 ` Dave Hansen
2008-10-30 16:25 ` Oren Laadan
[not found] ` <4909E000.9070201-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-30 16:36 ` Dave Hansen
2008-10-30 18:19 ` Oren Laadan
[not found] ` <4909FAA8.5000107-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-30 19:28 ` Serge E. Hallyn
[not found] ` <20081030192817.GA16340-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-30 19:39 ` Dave Hansen
2008-10-30 19:50 ` Serge E. Hallyn
2008-10-30 19:47 ` Oren Laadan
[not found] ` <490A0F67.5000303-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-30 20:03 ` Serge E. Hallyn
2008-10-30 20:11 ` Dave Hansen
2008-11-04 21:33 ` Mike Waychison
2008-10-30 19:37 ` Dave Hansen
2008-10-30 20:15 ` Oren Laadan
[not found] ` <490A15F5.6010702-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-30 20:40 ` Dave Hansen
2008-10-30 23:33 ` Eric W. Biederman
[not found] ` <m163n9y7yb.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-10-31 0:09 ` Dave Hansen
2008-10-31 3:12 ` Eric W. Biederman
[not found] ` <m1k5bpwj8j.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-10-31 10:22 ` Louis Rilling
2008-10-31 13:48 ` Serge E. Hallyn
2008-10-31 14:21 ` Dave Hansen
2008-10-31 20:51 ` Eric W. Biederman
[not found] ` <m1r65wpjx2.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-11-03 17:23 ` Dave Hansen [this message]
2008-11-03 17:48 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1225732999.12673.442.camel@nimitz \
--to=dave-23vcf4htsmix0ybbhkvfkdbpr1lh4cv8@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.