From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
criu-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: Introspecting userns relationships to other namespaces?
Date: Thu, 07 Jul 2016 12:17:35 -0700 [thread overview]
Message-ID: <1467919055.2322.36.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAKgNAkg+OiBngdFsdVR0gsSnVhMppuH2DxMBLCNAx8in5C0-zQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Thu, 2016-07-07 at 20:21 +0200, Michael Kerrisk (man-pages) wrote:
> On 7 July 2016 at 17:01, James Bottomley
> <James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> wrote:
[Serge already answered the parenting issue]
> > On Thu, 2016-07-07 at 08:36 -0500, Serge E. Hallyn wrote:
> > > Hm. Probably best-effort based on the process hierarchy. So
> > > yeah you could probably get a tree into a state that would be
> > > wrongly recreated. Create a new netns, bind mount it, exit; Have
> > > another task create a new user_ns, bind mount it, exit; Third
> > > task setns()s first to the new netns then to the new user_ns. I
> > > suspect criu will recreate that wrongly.
> >
> > This is a bit pathological, and you have to be root to do it: so
> > root can set up a nesting hierarchy, bind it and destroy the pids
> > but I know of no current orchestration system which does this.
> >
> > Actually, I have to back pedal a bit: the way I currently set up
> > architecture emulation containers does precisely this: I set up the
> > namespaces unprivileged with child mount namespaces, but then I ask
> > root to bind the userns and kill the process that created it so I
> > have a permanent handle to enter the namespace by, so I suspect
> > that when our current orchestration systems get more sophisticated,
> > they might eventually want to do something like this as well.
> >
> > In theory, we could get nsfs to show this information as an option
> > (just add a show_options entry to the superblock ops), but the
> > problem is that although each namespace has a parent user_ns,
> > there's no way to get it without digging in the namespace specific
> > structure. Probably we should restructure to move it into
> > ns_common, then we could display it (and enforce all namespaces
> > having owning user_ns) but it would be a
>
> I'm missing something here. Is it not already the case that all
> namespaces have an owning user_ns?
Um, yes, I don't believe I said they don't. The problem I thought you
were having is that there's no way of seeing what it is.
nsfs is the Namespace fileystem where bound namespaces appear to a cat
of /proc/self/mounts. It can display any information that's in
ns_common (the common core of namespaces) but the owning user_ns
pointer currently isn't in this structure. Every user namespace has a
pointer to it, but they're all privately embedded in the individual
namespace specific structures. What I was proposing was that since
every current namespace has a pointer somewhere to the owning user
namespace, we could abstract this out into ns_common so it's now
accessible to be displayed by nsfs, probably as a mount option.
James
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: mtk.manpages@gmail.com
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Linux API <linux-api@vger.kernel.org>,
Containers <containers@lists.linux-foundation.org>,
lkml <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
criu@openvz.org, "Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: Introspecting userns relationships to other namespaces?
Date: Thu, 07 Jul 2016 12:17:35 -0700 [thread overview]
Message-ID: <1467919055.2322.36.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAKgNAkg+OiBngdFsdVR0gsSnVhMppuH2DxMBLCNAx8in5C0-zQ@mail.gmail.com>
On Thu, 2016-07-07 at 20:21 +0200, Michael Kerrisk (man-pages) wrote:
> On 7 July 2016 at 17:01, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
[Serge already answered the parenting issue]
> > On Thu, 2016-07-07 at 08:36 -0500, Serge E. Hallyn wrote:
> > > Hm. Probably best-effort based on the process hierarchy. So
> > > yeah you could probably get a tree into a state that would be
> > > wrongly recreated. Create a new netns, bind mount it, exit; Have
> > > another task create a new user_ns, bind mount it, exit; Third
> > > task setns()s first to the new netns then to the new user_ns. I
> > > suspect criu will recreate that wrongly.
> >
> > This is a bit pathological, and you have to be root to do it: so
> > root can set up a nesting hierarchy, bind it and destroy the pids
> > but I know of no current orchestration system which does this.
> >
> > Actually, I have to back pedal a bit: the way I currently set up
> > architecture emulation containers does precisely this: I set up the
> > namespaces unprivileged with child mount namespaces, but then I ask
> > root to bind the userns and kill the process that created it so I
> > have a permanent handle to enter the namespace by, so I suspect
> > that when our current orchestration systems get more sophisticated,
> > they might eventually want to do something like this as well.
> >
> > In theory, we could get nsfs to show this information as an option
> > (just add a show_options entry to the superblock ops), but the
> > problem is that although each namespace has a parent user_ns,
> > there's no way to get it without digging in the namespace specific
> > structure. Probably we should restructure to move it into
> > ns_common, then we could display it (and enforce all namespaces
> > having owning user_ns) but it would be a
>
> I'm missing something here. Is it not already the case that all
> namespaces have an owning user_ns?
Um, yes, I don't believe I said they don't. The problem I thought you
were having is that there's no way of seeing what it is.
nsfs is the Namespace fileystem where bound namespaces appear to a cat
of /proc/self/mounts. It can display any information that's in
ns_common (the common core of namespaces) but the owning user_ns
pointer currently isn't in this structure. Every user namespace has a
pointer to it, but they're all privately embedded in the individual
namespace specific structures. What I was proposing was that since
every current namespace has a pointer somewhere to the owning user
namespace, we could abstract this out into ns_common so it's now
accessible to be displayed by nsfs, probably as a mount option.
James
next prev parent reply other threads:[~2016-07-07 19:17 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <c2a26220-69f2-f2f5-491a-e43abd9a6f92@gmail.com>
[not found] ` <87r3b7pxja.fsf@x220.int.ebiederm.org>
[not found] ` <87r3b7pxja.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-06 8:41 ` Introspecting userns relationships to other namespaces? Michael Kerrisk (man-pages)
2016-07-06 8:41 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgQbxLH-B3N3Xti3LLis+1Y-SJD2h1DEaXao7zTDA7pug-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-06 14:13 ` Serge E. Hallyn
2016-07-06 14:13 ` Serge E. Hallyn
2016-07-06 14:13 ` Serge E. Hallyn
[not found] ` <20160706141348.GB20728-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-07-06 15:46 ` Eric W. Biederman
2016-07-06 15:46 ` Eric W. Biederman
[not found] ` <871t36kbvq.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-08 1:57 ` [CRIU] " Andrew Vagin
2016-07-08 1:57 ` Andrew Vagin
[not found] ` <20160708015758.GA10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 7:44 ` Eric W. Biederman
2016-07-08 7:44 ` Eric W. Biederman
[not found] ` <87vb0gy3nr.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-08 14:35 ` James Bottomley
2016-07-08 14:35 ` James Bottomley
[not found] ` <1467988533.2322.118.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 20:38 ` Andrew Vagin
2016-07-08 20:38 ` Andrew Vagin
[not found] ` <20160708203818.GA2602-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 20:50 ` W. Trevor King
2016-07-08 20:50 ` W. Trevor King
2016-07-08 20:50 ` W. Trevor King
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
[not found] ` <5e4cc802-f0e0-4f4c-a2f7-585aaaa8feec-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2016-07-08 23:52 ` Eric W. Biederman
2016-07-08 23:52 ` Eric W. Biederman
[not found] ` <87wpkvpu1i.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-09 0:15 ` James Bottomley
2016-07-09 0:15 ` James Bottomley
[not found] ` <1468023332.2390.10.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-09 3:05 ` Eric W. Biederman
2016-07-09 3:05 ` Eric W. Biederman
[not found] ` <87bn27o6j5.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-09 7:26 ` Andrew Vagin
2016-07-09 7:26 ` Andrew Vagin
[not found] ` <20160709072627.GA7480-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:32 ` James Bottomley
2016-07-09 10:32 ` James Bottomley
2016-07-09 18:15 ` Eric W. Biederman
2016-07-09 18:15 ` Eric W. Biederman
2016-07-09 18:15 ` Eric W. Biederman
[not found] ` <87eg72llu0.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-09 18:29 ` Eric W. Biederman
2016-07-09 18:29 ` Eric W. Biederman
[not found] ` <871t32ll6n.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-13 0:08 ` Andrew Vagin
2016-07-13 0:08 ` Andrew Vagin
[not found] ` <20160713000842.GC5818-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-13 3:59 ` W. Trevor King
2016-07-13 3:59 ` W. Trevor King
2016-07-09 0:15 ` James Bottomley
2016-07-08 23:52 ` Eric W. Biederman
2016-07-08 22:19 ` James Bottomley
2016-07-08 7:44 ` Eric W. Biederman
2016-07-07 8:15 ` Michael Kerrisk (man-pages)
2016-07-07 8:15 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkhtQNg0mVv6ei_JigNz3njo_G3opE+rzd4OtKpa2hQe9g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-07 13:36 ` Serge E. Hallyn
2016-07-07 13:36 ` Serge E. Hallyn
[not found] ` <20160707133631.GA2994-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-07-07 15:01 ` James Bottomley
2016-07-07 15:01 ` James Bottomley
2016-07-07 15:01 ` James Bottomley
[not found] ` <1467903712.2347.16.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-07 18:21 ` Michael Kerrisk (man-pages)
2016-07-07 18:21 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkg+OiBngdFsdVR0gsSnVhMppuH2DxMBLCNAx8in5C0-zQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 19:17 ` James Bottomley [this message]
2016-07-07 19:17 ` James Bottomley
[not found] ` <1467919055.2322.36.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 2:16 ` [CRIU] " Andrew Vagin
2016-07-08 2:16 ` Andrew Vagin
[not found] ` <20160708021617.GB10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 3:00 ` Andrew Vagin
2016-07-08 3:00 ` Andrew Vagin
[not found] ` <20160708030055.GC10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 3:26 ` James Bottomley
2016-07-08 3:26 ` James Bottomley
2016-07-08 3:26 ` James Bottomley
[not found] ` <1467948407.2322.88.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 5:26 ` W. Trevor King
2016-07-08 5:26 ` W. Trevor King
2016-07-08 5:26 ` W. Trevor King
[not found] ` <20160708052650.GM4916-q4NCUed9G3sTnwFZoN752g@public.gmane.org>
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:54 ` Andrew Vagin
2016-07-08 6:54 ` Andrew Vagin
[not found] ` <20160708065453.GB14391-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 7:18 ` W. Trevor King
2016-07-08 7:18 ` W. Trevor King
2016-07-08 7:18 ` W. Trevor King
2016-07-08 5:41 ` [CRIU] " Andrei Vagin
2016-07-08 5:41 ` Andrei Vagin
2016-07-08 5:41 ` Andrei Vagin
[not found] ` <CANaxB-wBkHrsQXcruEDXWwU-X8y4szW3dgVd+9JvgCGrrNeW4g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-08 5:47 ` Andrei Vagin
2016-07-08 5:47 ` Andrei Vagin
2016-07-08 6:07 ` James Bottomley
2016-07-08 6:07 ` James Bottomley
2016-07-08 11:17 ` Michael Kerrisk (man-pages)
2016-07-08 11:17 ` Michael Kerrisk (man-pages)
2016-07-08 3:20 ` James Bottomley
2016-07-08 3:20 ` James Bottomley
[not found] ` <1467948005.2322.84.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 6:09 ` Andrew Vagin
2016-07-08 6:09 ` Andrew Vagin
2016-07-08 11:11 ` Michael Kerrisk (man-pages)
2016-07-08 11:11 ` Michael Kerrisk (man-pages)
2016-07-07 19:17 ` James Bottomley
2016-07-09 3:15 ` W. Trevor King
2016-07-09 3:15 ` W. Trevor King
2016-07-09 3:15 ` W. Trevor King
[not found] ` <20160709031528.GA25507-q4NCUed9G3sTnwFZoN752g@public.gmane.org>
2016-07-09 3:13 ` Eric W. Biederman
2016-07-09 3:13 ` Eric W. Biederman
[not found] ` <87ziprmrln.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-10 5:36 ` [CRIU] " Andrew Vagin
2016-07-10 5:36 ` Andrew Vagin
[not found] ` <20160710053609.GB4868-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-10 20:29 ` Eric W. Biederman
2016-07-10 20:29 ` Eric W. Biederman
2016-07-10 20:29 ` Eric W. Biederman
[not found] ` <87furhjkxw.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-10 21:06 ` James Bottomley
2016-07-10 21:06 ` James Bottomley
[not found] ` <1468184808.19833.30.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-11 20:55 ` Andrew Vagin
2016-07-11 20:55 ` Andrew Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1467919055.2322.36.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=criu-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.