From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Dwight Schauer <dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: LXC PIDs, UIDs, and halt
Date: Mon, 19 Oct 2009 17:24:45 -0500
Message-ID: <20091019222445.GA16774@us.ibm.com>
In-Reply-To: <68e6eac60910191217s5d295e54ta6b0c528dce9ce55-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> On Mon, Oct 12, 2009 at 10:03 AM, Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:
> > Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> >> Hi all,
> >>
> >> I'm new to LXC but have been playing around with it some.
> >>
> >> I ran into a few issues:
> >> 1) PIDs for container processes show up on the controlling host (ps, top,
> >> etc). In OpenVZ there is a way to hide them.
> >
> > Hmm, yes, it's basically by design, and 'fixing' it will sully the
> > clean hierarchical pidns design.
> >
> > The easiest way to emulate that would be to have the host, during
> > boot, have init split off two child pid namespaces - one for most of the
> > host applications like the xserver, host's sshd, etc, and the other for
> > spawning off containers. Then management of pid namespaces by the
> > host has to be done either from the init pid-ns, or from the pid-ns
> > which spawns off containers.
> <snip>
> >> 3) A "kill -9 -1" run from a user in the controlling host kills all
> >> processes in all containers where the owner of the process has the same UID
> >> as the UID of the outside user. (At least the reverse is not the case).
> >
> > You can prevent this from happening using selinux or smack.
> >
> > Properly fixing this requires more work on the user namespace. I am (as
> > always) hoping to get time to work on that soon.
> >
> <snip>
>
> Well, I more or less solved #1 and #3 for myself by launching my
> gnome-session with lxc-execute.
>
> Is there any way to readily know the id of the PID namespace one is in?
> keychain has some issues that I could correct if I could get at the
> PID namespace id.

No, because pid namespaces don't actually have an id.

What exactly are the keychain issues? So far the keychain/namespacing
handling is very basic (new user-namespace = new set of keyrings), bc
there really weren't any user requirements to draw on yet.

> I guess expecting apps like keychain to be namespace aware would be
> like expecting them to be "multiverse" aware.
>
> I know I can pass it in through lxc-execute via an environment
> variable, but I wondered if there was a more standard way.

Well if there is a clean and safe way to do it (whatever 'it' is) through
environment variable all the better, then we can avoid kernel changes.
But if you need kernel help pls let us know.

-serge
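Dwight's question above (how to tell which PID namespace you are in) got a kernel-side answer only on kernels newer than this thread: since Linux 3.8, /proc/<pid>/ns/pid is a symlink whose target reads "pid:[<inode>]", and two processes are in the same pid namespace exactly when those inode numbers match, which is the check a tool like keychain would need. The program below is an added example, not code from the thread or from LXC; it assumes a Linux host with /proc mounted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse the "pid:[4026531836]" text that a /proc/<pid>/ns/pid symlink
 * points at and return the inode number, or 0 if the text is malformed
 * or names a different namespace type. */
unsigned long parse_ns_inode(const char *link)
{
    unsigned long ino;
    char *end;

    if (strncmp(link, "pid:[", 5) != 0)
        return 0;
    ino = strtoul(link + 5, &end, 10);
    if (end == link + 5 || *end != ']')
        return 0;
    return ino;
}

/* Return the pid-namespace inode of <pid>, or 0 if /proc/<pid>/ns/pid
 * cannot be read: pre-3.8 kernel, /proc not mounted, or no ptrace-read
 * permission on that process (the usual case for pid 1 as non-root). */
unsigned long pidns_inode(pid_t pid)
{
    char path[64], buf[64];
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%ld/ns/pid", (long)pid);
    n = readlink(path, buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return parse_ns_inode(buf);
}

/* 1 if both processes share a pid namespace, 0 if they do not,
 * -1 if either side could not be determined. */
int same_pid_namespace(pid_t a, pid_t b)
{
    unsigned long ia = pidns_inode(a), ib = pidns_inode(b);

    if (ia == 0 || ib == 0)
        return -1;
    return ia == ib;
}

int main(void)
{
    printf("own pid namespace inode: %lu\n", pidns_inode(getpid()));
    printf("same namespace as pid 1: %d\n", same_pid_namespace(getpid(), 1));
    return 0;
}
```

The inode number identifies a namespace only while it exists and can be reused afterwards, so treat it as a comparison key rather than a durable label. Reading another process's link needs ptrace-read permission on that process, which is why the helper reports "unknown" (-1) instead of guessing.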