From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: Andrew Vagin <avagin-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
Cc: criu-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Subject: Re: [CRIU] Introspecting userns relationships to other namespaces?
Date: Thu, 07 Jul 2016 20:20:05 -0700 [thread overview]
Message-ID: <1467948005.2322.84.camel@HansenPartnership.com> (raw)
In-Reply-To: <20160708021617.GB10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
On Thu, 2016-07-07 at 19:16 -0700, Andrew Vagin wrote:
> On Thu, Jul 07, 2016 at 12:17:35PM -0700, James Bottomley wrote:
> > On Thu, 2016-07-07 at 20:21 +0200, Michael Kerrisk (man-pages)
> > wrote:
> > > On 7 July 2016 at 17:01, James Bottomley
> > > <James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> wrote:
> > [Serge already answered the parenting issue]
> > > > On Thu, 2016-07-07 at 08:36 -0500, Serge E. Hallyn wrote:
> > > > > Hm. Probably best-effort based on the process hierarchy. So
> > > > > yeah you could probably get a tree into a state that would be
> > > > > wrongly recreated. Create a new netns, bind mount it, exit;
> > > > > Have
> > > > > another task create a new user_ns, bind mount it, exit;
> > > > > Third
> > > > > task setns()s first to the new netns then to the new user_ns.
> > > > > I
> > > > > suspect criu will recreate that wrongly.
> > > >
> > > > This is a bit pathological, and you have to be root to do it:
> > > > so
> > > > root can set up a nesting hierarchy, bind it and destroy the
> > > > pids
> > > > but I know of no current orchestration system which does this.
> > > >
> > > > Actually, I have to back pedal a bit: the way I currently set
> > > > up
> > > > architecture emulation containers does precisely this: I set up
> > > > the
> > > > namespaces unprivileged with child mount namespaces, but then I
> > > > ask
> > > > root to bind the userns and kill the process that created it so
> > > > I
> > > > have a permanent handle to enter the namespace by, so I suspect
> > > > that when our current orchestration systems get more
> > > > sophisticated,
> > > > they might eventually want to do something like this as well.
> > > >
> > > > In theory, we could get nsfs to show this information as an
> > > > option
> > > > (just add a show_options entry to the superblock ops), but the
> > > > problem is that although each namespace has a parent user_ns,
> > > > there's no way to get it without digging in the namespace
> > > > specific
> > > > structure. Probably we should restructure to move it into
> > > > ns_common, then we could display it (and enforce all namespaces
> > > > having owning user_ns) but it would be a
> > >
> > > I'm missing something here. Is it not already the case that all
> > > namespaces have an owning user_ns?
> >
> > Um, yes, I don't believe I said they don't. The problem I thought
> > you
> > were having is that there's no way of seeing what it is.
> >
> > nsfs is the Namespace fileystem where bound namespaces appear to a
> > cat
> > of /proc/self/mounts. It can display any information that's in
> > ns_common (the common core of namespaces) but the owning user_ns
> > pointer currently isn't in this structure. Every user namespace
> > has a
> > pointer to it, but they're all privately embedded in the individual
> > namespace specific structures. What I was proposing was that since
> > every current namespace has a pointer somewhere to the owning user
> > namespace, we could abstract this out into ns_common so it's now
> > accessible to be displayed by nsfs, probably as a mount option.
>
> James, I am not sure that I understood you correctly. We have one
> file system for all namespace files, how we can show per-file
> properties in mount options.
We have two ways of getting information. For a namespace that only
exists as a bind mount we only have what the mount/mountinfo shows, so
you see something like this:
jejb@jarvis:~> mount|grep nsfs
nsfs on /run/build-container/userns type nsfs (rw)
nsfs on /run/build-container/ppc64 type nsfs (rw)
the (rw) are the mount options. We could add the ability to add other
mount options to this via the superblock .show_options callback. We
could make it show the type and parent user namespace.
> I think we can show all required information in fdinfo. We open a
> namespaces file (/proc/pid/ns/N) and then read /proc/pid/fdinfo/X for
> it.
Not if we don't have an extant process in the namespace, we can't use
these files because they don't exist, plus fdinfo on the
/proc/<pid>/ns/X doesn't tell you what the parent user_ns of X is
(again, we could add this information somewhere ... not sure where
yet).
James
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Andrew Vagin <avagin@virtuozzo.com>
Cc: Linux API <linux-api@vger.kernel.org>,
Containers <containers@lists.linux-foundation.org>,
lkml <linux-kernel@vger.kernel.org>,
criu@openvz.org, mtk.manpages@gmail.com
Subject: Re: [CRIU] Introspecting userns relationships to other namespaces?
Date: Thu, 07 Jul 2016 20:20:05 -0700 [thread overview]
Message-ID: <1467948005.2322.84.camel@HansenPartnership.com> (raw)
In-Reply-To: <20160708021617.GB10512@outlook.office365.com>
On Thu, 2016-07-07 at 19:16 -0700, Andrew Vagin wrote:
> On Thu, Jul 07, 2016 at 12:17:35PM -0700, James Bottomley wrote:
> > On Thu, 2016-07-07 at 20:21 +0200, Michael Kerrisk (man-pages)
> > wrote:
> > > On 7 July 2016 at 17:01, James Bottomley
> > > <James.Bottomley@hansenpartnership.com> wrote:
> > [Serge already answered the parenting issue]
> > > > On Thu, 2016-07-07 at 08:36 -0500, Serge E. Hallyn wrote:
> > > > > Hm. Probably best-effort based on the process hierarchy. So
> > > > > yeah you could probably get a tree into a state that would be
> > > > > wrongly recreated. Create a new netns, bind mount it, exit;
> > > > > Have
> > > > > another task create a new user_ns, bind mount it, exit;
> > > > > Third
> > > > > task setns()s first to the new netns then to the new user_ns.
> > > > > I
> > > > > suspect criu will recreate that wrongly.
> > > >
> > > > This is a bit pathological, and you have to be root to do it:
> > > > so
> > > > root can set up a nesting hierarchy, bind it and destroy the
> > > > pids
> > > > but I know of no current orchestration system which does this.
> > > >
> > > > Actually, I have to back pedal a bit: the way I currently set
> > > > up
> > > > architecture emulation containers does precisely this: I set up
> > > > the
> > > > namespaces unprivileged with child mount namespaces, but then I
> > > > ask
> > > > root to bind the userns and kill the process that created it so
> > > > I
> > > > have a permanent handle to enter the namespace by, so I suspect
> > > > that when our current orchestration systems get more
> > > > sophisticated,
> > > > they might eventually want to do something like this as well.
> > > >
> > > > In theory, we could get nsfs to show this information as an
> > > > option
> > > > (just add a show_options entry to the superblock ops), but the
> > > > problem is that although each namespace has a parent user_ns,
> > > > there's no way to get it without digging in the namespace
> > > > specific
> > > > structure. Probably we should restructure to move it into
> > > > ns_common, then we could display it (and enforce all namespaces
> > > > having owning user_ns) but it would be a
> > >
> > > I'm missing something here. Is it not already the case that all
> > > namespaces have an owning user_ns?
> >
> > Um, yes, I don't believe I said they don't. The problem I thought
> > you
> > were having is that there's no way of seeing what it is.
> >
> > nsfs is the Namespace fileystem where bound namespaces appear to a
> > cat
> > of /proc/self/mounts. It can display any information that's in
> > ns_common (the common core of namespaces) but the owning user_ns
> > pointer currently isn't in this structure. Every user namespace
> > has a
> > pointer to it, but they're all privately embedded in the individual
> > namespace specific structures. What I was proposing was that since
> > every current namespace has a pointer somewhere to the owning user
> > namespace, we could abstract this out into ns_common so it's now
> > accessible to be displayed by nsfs, probably as a mount option.
>
> James, I am not sure that I understood you correctly. We have one
> file system for all namespace files, how we can show per-file
> properties in mount options.
We have two ways of getting information. For a namespace that only
exists as a bind mount we only have what the mount/mountinfo shows, so
you see something like this:
jejb@jarvis:~> mount|grep nsfs
nsfs on /run/build-container/userns type nsfs (rw)
nsfs on /run/build-container/ppc64 type nsfs (rw)
the (rw) are the mount options. We could add the ability to add other
mount options to this via the superblock .show_options callback. We
could make it show the type and parent user namespace.
> I think we can show all required information in fdinfo. We open a
> namespaces file (/proc/pid/ns/N) and then read /proc/pid/fdinfo/X for
> it.
Not if we don't have an extant process in the namespace, we can't use
these files because they don't exist, plus fdinfo on the
/proc/<pid>/ns/X doesn't tell you what the parent user_ns of X is
(again, we could add this information somewhere ... not sure where
yet).
James
next prev parent reply other threads:[~2016-07-08 3:20 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <c2a26220-69f2-f2f5-491a-e43abd9a6f92@gmail.com>
[not found] ` <87r3b7pxja.fsf@x220.int.ebiederm.org>
[not found] ` <87r3b7pxja.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-06 8:41 ` Introspecting userns relationships to other namespaces? Michael Kerrisk (man-pages)
2016-07-06 8:41 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgQbxLH-B3N3Xti3LLis+1Y-SJD2h1DEaXao7zTDA7pug-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-06 14:13 ` Serge E. Hallyn
2016-07-06 14:13 ` Serge E. Hallyn
[not found] ` <20160706141348.GB20728-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-07-06 15:46 ` Eric W. Biederman
2016-07-06 15:46 ` Eric W. Biederman
[not found] ` <871t36kbvq.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-08 1:57 ` [CRIU] " Andrew Vagin
2016-07-08 1:57 ` Andrew Vagin
[not found] ` <20160708015758.GA10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 7:44 ` Eric W. Biederman
2016-07-08 7:44 ` Eric W. Biederman
2016-07-08 7:44 ` Eric W. Biederman
[not found] ` <87vb0gy3nr.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-08 14:35 ` James Bottomley
2016-07-08 14:35 ` James Bottomley
[not found] ` <1467988533.2322.118.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 20:38 ` Andrew Vagin
2016-07-08 20:38 ` Andrew Vagin
[not found] ` <20160708203818.GA2602-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 20:50 ` W. Trevor King
2016-07-08 20:50 ` W. Trevor King
2016-07-08 20:50 ` W. Trevor King
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
[not found] ` <5e4cc802-f0e0-4f4c-a2f7-585aaaa8feec-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2016-07-08 23:52 ` Eric W. Biederman
2016-07-08 23:52 ` Eric W. Biederman
[not found] ` <87wpkvpu1i.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-09 0:15 ` James Bottomley
2016-07-09 0:15 ` James Bottomley
[not found] ` <1468023332.2390.10.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-09 3:05 ` Eric W. Biederman
2016-07-09 3:05 ` Eric W. Biederman
[not found] ` <87bn27o6j5.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-09 7:26 ` Andrew Vagin
2016-07-09 7:26 ` Andrew Vagin
[not found] ` <20160709072627.GA7480-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:32 ` James Bottomley
2016-07-09 10:32 ` James Bottomley
2016-07-09 18:15 ` Eric W. Biederman
2016-07-09 18:15 ` Eric W. Biederman
2016-07-09 18:15 ` Eric W. Biederman
[not found] ` <87eg72llu0.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-09 18:29 ` Eric W. Biederman
2016-07-09 18:29 ` Eric W. Biederman
[not found] ` <871t32ll6n.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-13 0:08 ` Andrew Vagin
2016-07-13 0:08 ` Andrew Vagin
[not found] ` <20160713000842.GC5818-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-13 3:59 ` W. Trevor King
2016-07-13 3:59 ` W. Trevor King
2016-07-09 0:15 ` James Bottomley
2016-07-08 23:52 ` Eric W. Biederman
2016-07-07 8:15 ` Michael Kerrisk (man-pages)
2016-07-07 8:15 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkhtQNg0mVv6ei_JigNz3njo_G3opE+rzd4OtKpa2hQe9g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-07 13:36 ` Serge E. Hallyn
2016-07-07 13:36 ` Serge E. Hallyn
[not found] ` <20160707133631.GA2994-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-07-07 15:01 ` James Bottomley
2016-07-07 15:01 ` James Bottomley
2016-07-07 15:01 ` James Bottomley
[not found] ` <1467903712.2347.16.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-07 18:21 ` Michael Kerrisk (man-pages)
2016-07-07 18:21 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkg+OiBngdFsdVR0gsSnVhMppuH2DxMBLCNAx8in5C0-zQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 19:17 ` James Bottomley
2016-07-07 19:17 ` James Bottomley
[not found] ` <1467919055.2322.36.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 2:16 ` [CRIU] " Andrew Vagin
2016-07-08 2:16 ` Andrew Vagin
[not found] ` <20160708021617.GB10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 3:00 ` Andrew Vagin
2016-07-08 3:00 ` Andrew Vagin
[not found] ` <20160708030055.GC10512-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 3:26 ` James Bottomley
2016-07-08 3:26 ` James Bottomley
2016-07-08 3:26 ` James Bottomley
[not found] ` <1467948407.2322.88.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 5:26 ` W. Trevor King
2016-07-08 5:26 ` W. Trevor King
2016-07-08 5:26 ` W. Trevor King
[not found] ` <20160708052650.GM4916-q4NCUed9G3sTnwFZoN752g@public.gmane.org>
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:54 ` Andrew Vagin
2016-07-08 6:54 ` Andrew Vagin
[not found] ` <20160708065453.GB14391-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-08 7:18 ` W. Trevor King
2016-07-08 7:18 ` W. Trevor King
2016-07-08 7:18 ` W. Trevor King
2016-07-08 5:41 ` [CRIU] " Andrei Vagin
2016-07-08 5:41 ` Andrei Vagin
2016-07-08 5:41 ` Andrei Vagin
[not found] ` <CANaxB-wBkHrsQXcruEDXWwU-X8y4szW3dgVd+9JvgCGrrNeW4g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-08 5:47 ` Andrei Vagin
2016-07-08 5:47 ` Andrei Vagin
2016-07-08 6:07 ` James Bottomley
2016-07-08 6:07 ` James Bottomley
2016-07-08 11:17 ` Michael Kerrisk (man-pages)
2016-07-08 11:17 ` Michael Kerrisk (man-pages)
2016-07-08 3:20 ` James Bottomley [this message]
2016-07-08 3:20 ` James Bottomley
[not found] ` <1467948005.2322.84.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-08 6:09 ` Andrew Vagin
2016-07-08 6:09 ` Andrew Vagin
2016-07-08 11:11 ` Michael Kerrisk (man-pages)
2016-07-08 11:11 ` Michael Kerrisk (man-pages)
2016-07-07 19:17 ` James Bottomley
2016-07-09 3:15 ` W. Trevor King
2016-07-09 3:15 ` W. Trevor King
2016-07-09 3:15 ` W. Trevor King
[not found] ` <20160709031528.GA25507-q4NCUed9G3sTnwFZoN752g@public.gmane.org>
2016-07-09 3:13 ` Eric W. Biederman
2016-07-09 3:13 ` Eric W. Biederman
[not found] ` <87ziprmrln.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-10 5:36 ` [CRIU] " Andrew Vagin
2016-07-10 5:36 ` Andrew Vagin
[not found] ` <20160710053609.GB4868-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org>
2016-07-10 20:29 ` Eric W. Biederman
2016-07-10 20:29 ` Eric W. Biederman
[not found] ` <87furhjkxw.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-10 21:06 ` James Bottomley
2016-07-10 21:06 ` James Bottomley
[not found] ` <1468184808.19833.30.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-11 20:55 ` Andrew Vagin
2016-07-11 20:55 ` Andrew Vagin
2016-07-10 20:29 ` Eric W. Biederman
2016-07-06 14:13 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1467948005.2322.84.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=avagin-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=criu-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.