From: Bastian Blank <bastian-yyjItF7Rl6lg9hUCZPvPmw@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
Subject: Re: [PATCH 1/1] namespaces: introduce sys_hijack (v11)
Date: Fri, 1 Aug 2008 17:51:48 +0200
Message-ID: <20080801155148.GA16760@wavehammer.waldi.eu.org>
In-Reply-To: <20080801141152.GA11553-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

On Fri, Aug 01, 2008 at 09:11:53AM -0500, Serge E. Hallyn wrote:
> Quoting Bastian Blank (bastian-yyjItF7Rl6lg9hUCZPvPmw@public.gmane.org):
> > On Thu, Jul 31, 2008 at 01:32:13PM -0500, Serge E. Hallyn wrote:
> > > The effect is a sort of namespace enter.  The following program
> > > uses sys_hijack to 'enter' all namespaces of the specified
> > > cgroup.
> > 
> > I currently fail to see what the differences to a normal cgroup attach
> > is.
> 
> A normal cgroup attach doesn't switch a task's root and nsproxies.

> Current functionality doesn't suffice because namespaces and
> fs_struct are not switched with cgroup attach.  Cgroup attach is
> just about tracking tasks, and keeping stats and enforcing limits or
> guarantees on the groups.

If you apply a nsproxy to a cgroup, it is part of its limits.

> The problem with implementing this feature using the attach
> semantics is that it would move an existing task into the new
> cgroup.  That would get much more complicated, especially when
> you consider pid namespaces, where we explicitly refuse to
> unshare for the same reason.

Okay, this is a reason. But I think it should disallow attach after the
nsproxy is set, otherwise you can use attach and hijack for the same
cgroup and produce different behaviour. The description of the
can_attach method does not mention such a test, but it seems to do one.

Why is it not enough to use the pid of the ns creator? The ns cgroups
are created including the pid in the name. And it would avoid using that
weird interface with fd of a cgroups file.

> That is why, with hijack, we clone a new task which is started
> afresh in the new namespaces.

Why did you name it "hijack"? If I had not read the mail, I'd have no idea
what this is about. It does not take away the information from something
else, it overrides the information (nsproxy, fs) on the new task.

But I think I have a different problem. Currently, namespaces are
destructed if the last process using them exits. You change that, they
will survive until the cgroup dies. Or is that cgroup destructed when
there are no longer processes using the nsproxy? As the commit message
speaks about "pid wraparound" as problem, I doubt that.

Bastian

-- 
To live is always desirable.
		-- Eleen the Capellan, "Friday's Child", stardate 3498.9
