From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
LXC development mailing-list
<lxc-devel-cunTk1MwBs9qMoObBWhMNEqPaTDuhLve2LY78lusg7I@public.gmane.org>,
"open list:ABI/API"
<linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
cgroups mailinglist
<cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Subject: Re: CGroup Namespaces (v4)
Date: Mon, 16 Nov 2015 19:13:49 -0600 [thread overview]
Message-ID: <20151117011349.GA1958@mail.hallyn.com> (raw)
In-Reply-To: <87y4dxh9b8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>
> > On Mon, Nov 16, 2015 at 09:50:55PM +0100, Richard Weinberger wrote:
> >> Am 16.11.2015 um 21:46 schrieb Serge E. Hallyn:
> >> > On Mon, Nov 16, 2015 at 09:41:15PM +0100, Richard Weinberger wrote:
> >> >> Serge,
> >> >>
> >> >> On Mon, Nov 16, 2015 at 8:51 PM, <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:
> >> >>> To summarize the semantics:
> >> >>>
> >> >>> 1. CLONE_NEWCGROUP re-uses 0x02000000, which was previously CLONE_STOPPED
> >> >>>
> >> >>> 2. unsharing a cgroup namespace makes all your current cgroups your new
> >> >>> cgroup root.
> >> >>>
> >> >>> 3. /proc/pid/cgroup always shows cgroup paths relative to the reader's
> >> >>> cgroup namespce root. A task outside of your cgroup looks like
> >> >>>
> >> >>> 8:memory:/../../..
> >> >>>
> >> >>> 4. when a task mounts a cgroupfs, the cgroup which shows up as root depends
> >> >>> on the mounting task's cgroup namespace.
> >> >>>
> >> >>> 5. setns to a cgroup namespace switches your cgroup namespace but not
> >> >>> your cgroups.
> >> >>>
> >> >>> With this, using github.com/hallyn/lxc #2015-11-09/cgns (and
> >> >>> github.com/hallyn/lxcfs #2015-11-10/cgns) we can start a container in a full
> >> >>> proper cgroup namespace, avoiding either cgmanager or lxcfs cgroup bind mounts.
> >> >>>
> >> >>> This is completely backward compatible and will be completely invisible
> >> >>> to any existing cgroup users (except for those running inside a cgroup
> >> >>> namespace and looking at /proc/pid/cgroup of tasks outside their
> >> >>> namespace.)
> >> >>> cgroupns-root.
> >> >>
> >> >> IIRC one downside of this series was that only the new "sane" cgroup
> >> >> layout was supported
> >> >> and hence it was useless for everything which expected the default layout.
> >> >> Hence, still no systemd for us. :)
> >> >>
> >> >> Is this now different?
> >> >
> >> > Yes, all hierachies are no supported.
> >> >
> >>
> >> Should read "now"? :-)
> >> If so, *awesome*!
> >
> > D'oh! Yes, now :-)
>
> I am glad to see multiple hierarchy support, that is something people
> can use today.
>
> A couple of quick questions before I delve into a review.
>
> Does this allow mixing of cgroupfs and cgroupfs2? That is can I: "mount
> -t cgroupfs" inside a container and "mount -t cgroupfs2" outside a
> container? and still have reasonable things happen? I suspect the
> semantics of cgroups prevent this but I am interested to know what happens.
As Tejun said, this is not an issue. There's not an actual separate cgroupfs2
filesystem, it's just a separate hierarchy which controllers can be bound to
or not, which has its own set of semantics (like no tasks on leafnodes). So
a legacy application would never be able to run on the unified hierarchy, but
this does not change that.
> Similary have you considered what it required to be able to safely set
> FS_USERNS_MOUNT?
I think the only thing we need to do is
1. go through and make sure that any ability to change mount flags is under
capable() (which I have not yet done). The cgroup_mount() itself checks that
flags are not changed, but there may be some subtle way to effect a change
that I'm not aware of yet.
2. Make sure that to bind a new controller you must be true root. It's
possible that a patch like the one below would suffice.
-serge
From 37699aa868cba3efb6ea0aa2e53e0b85b619f02d Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Date: Mon, 16 Nov 2015 19:11:07 -0600
Subject: [PATCH 1/1] Don't allow user namespaces to bind new subsystems
If memory was not mounted on the host, then root in a container
should not be able to mount it.
Signed-off-by: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
---
kernel/cgroup.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 0a3e893..db514b4 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2102,6 +2102,11 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
goto out_unlock;
}
+ if (!opts.none && !capable(CAP_SYS_ADMIN)) {
+ ret = -EPERM;
+ goto out_unlock;
+ }
+
root = kzalloc(sizeof(*root), GFP_KERNEL);
if (!root) {
ret = -ENOMEM;
--
2.5.0
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
LXC development mailing-list
<lxc-devel-cunTk1MwBs9qMoObBWhMNEqPaTDuhLve2LY78lusg7I@public.gmane.org>,
"open list:ABI/API"
<linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
cgroups mailinglist
<cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Subject: Re: CGroup Namespaces (v4)
Date: Mon, 16 Nov 2015 19:13:49 -0600 [thread overview]
Message-ID: <20151117011349.GA1958@mail.hallyn.com> (raw)
In-Reply-To: <87y4dxh9b8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>
> > On Mon, Nov 16, 2015 at 09:50:55PM +0100, Richard Weinberger wrote:
> >> Am 16.11.2015 um 21:46 schrieb Serge E. Hallyn:
> >> > On Mon, Nov 16, 2015 at 09:41:15PM +0100, Richard Weinberger wrote:
> >> >> Serge,
> >> >>
> >> >> On Mon, Nov 16, 2015 at 8:51 PM, <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:
> >> >>> To summarize the semantics:
> >> >>>
> >> >>> 1. CLONE_NEWCGROUP re-uses 0x02000000, which was previously CLONE_STOPPED
> >> >>>
> >> >>> 2. unsharing a cgroup namespace makes all your current cgroups your new
> >> >>> cgroup root.
> >> >>>
> >> >>> 3. /proc/pid/cgroup always shows cgroup paths relative to the reader's
> >> >>> cgroup namespce root. A task outside of your cgroup looks like
> >> >>>
> >> >>> 8:memory:/../../..
> >> >>>
> >> >>> 4. when a task mounts a cgroupfs, the cgroup which shows up as root depends
> >> >>> on the mounting task's cgroup namespace.
> >> >>>
> >> >>> 5. setns to a cgroup namespace switches your cgroup namespace but not
> >> >>> your cgroups.
> >> >>>
> >> >>> With this, using github.com/hallyn/lxc #2015-11-09/cgns (and
> >> >>> github.com/hallyn/lxcfs #2015-11-10/cgns) we can start a container in a full
> >> >>> proper cgroup namespace, avoiding either cgmanager or lxcfs cgroup bind mounts.
> >> >>>
> >> >>> This is completely backward compatible and will be completely invisible
> >> >>> to any existing cgroup users (except for those running inside a cgroup
> >> >>> namespace and looking at /proc/pid/cgroup of tasks outside their
> >> >>> namespace.)
> >> >>> cgroupns-root.
> >> >>
> >> >> IIRC one downside of this series was that only the new "sane" cgroup
> >> >> layout was supported
> >> >> and hence it was useless for everything which expected the default layout.
> >> >> Hence, still no systemd for us. :)
> >> >>
> >> >> Is this now different?
> >> >
> >> > Yes, all hierachies are no supported.
> >> >
> >>
> >> Should read "now"? :-)
> >> If so, *awesome*!
> >
> > D'oh! Yes, now :-)
>
> I am glad to see multiple hierarchy support, that is something people
> can use today.
>
> A couple of quick questions before I delve into a review.
>
> Does this allow mixing of cgroupfs and cgroupfs2? That is can I: "mount
> -t cgroupfs" inside a container and "mount -t cgroupfs2" outside a
> container? and still have reasonable things happen? I suspect the
> semantics of cgroups prevent this but I am interested to know what happens.
As Tejun said, this is not an issue. There's not an actual separate cgroupfs2
filesystem, it's just a separate hierarchy which controllers can be bound to
or not, which has its own set of semantics (like no tasks on leafnodes). So
a legacy application would never be able to run on the unified hierarchy, but
this does not change that.
> Similary have you considered what it required to be able to safely set
> FS_USERNS_MOUNT?
I think the only thing we need to do is
1. go through and make sure that any ability to change mount flags is under
capable() (which I have not yet done). The cgroup_mount() itself checks that
flags are not changed, but there may be some subtle way to effect a change
that I'm not aware of yet.
2. Make sure that to bind a new controller you must be true root. It's
possible that a patch like the one below would suffice.
-serge
>From 37699aa868cba3efb6ea0aa2e53e0b85b619f02d Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Date: Mon, 16 Nov 2015 19:11:07 -0600
Subject: [PATCH 1/1] Don't allow user namespaces to bind new subsystems
If memory was not mounted on the host, then root in a container
should not be able to mount it.
Signed-off-by: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
---
kernel/cgroup.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 0a3e893..db514b4 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2102,6 +2102,11 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
goto out_unlock;
}
+ if (!opts.none && !capable(CAP_SYS_ADMIN)) {
+ ret = -EPERM;
+ goto out_unlock;
+ }
+
root = kzalloc(sizeof(*root), GFP_KERNEL);
if (!root) {
ret = -ENOMEM;
--
2.5.0
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Richard Weinberger <richard@nod.at>,
Richard Weinberger <richard.weinberger@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
"open list:ABI/API" <linux-api@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
LXC development mailing-list
<lxc-devel@lists.linuxcontainers.org>, Tejun Heo <tj@kernel.org>,
cgroups mailinglist <cgroups@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: CGroup Namespaces (v4)
Date: Mon, 16 Nov 2015 19:13:49 -0600 [thread overview]
Message-ID: <20151117011349.GA1958@mail.hallyn.com> (raw)
In-Reply-To: <87y4dxh9b8.fsf@x220.int.ebiederm.org>
On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serge@hallyn.com> writes:
>
> > On Mon, Nov 16, 2015 at 09:50:55PM +0100, Richard Weinberger wrote:
> >> Am 16.11.2015 um 21:46 schrieb Serge E. Hallyn:
> >> > On Mon, Nov 16, 2015 at 09:41:15PM +0100, Richard Weinberger wrote:
> >> >> Serge,
> >> >>
> >> >> On Mon, Nov 16, 2015 at 8:51 PM, <serge@hallyn.com> wrote:
> >> >>> To summarize the semantics:
> >> >>>
> >> >>> 1. CLONE_NEWCGROUP re-uses 0x02000000, which was previously CLONE_STOPPED
> >> >>>
> >> >>> 2. unsharing a cgroup namespace makes all your current cgroups your new
> >> >>> cgroup root.
> >> >>>
> >> >>> 3. /proc/pid/cgroup always shows cgroup paths relative to the reader's
> >> >>> cgroup namespce root. A task outside of your cgroup looks like
> >> >>>
> >> >>> 8:memory:/../../..
> >> >>>
> >> >>> 4. when a task mounts a cgroupfs, the cgroup which shows up as root depends
> >> >>> on the mounting task's cgroup namespace.
> >> >>>
> >> >>> 5. setns to a cgroup namespace switches your cgroup namespace but not
> >> >>> your cgroups.
> >> >>>
> >> >>> With this, using github.com/hallyn/lxc #2015-11-09/cgns (and
> >> >>> github.com/hallyn/lxcfs #2015-11-10/cgns) we can start a container in a full
> >> >>> proper cgroup namespace, avoiding either cgmanager or lxcfs cgroup bind mounts.
> >> >>>
> >> >>> This is completely backward compatible and will be completely invisible
> >> >>> to any existing cgroup users (except for those running inside a cgroup
> >> >>> namespace and looking at /proc/pid/cgroup of tasks outside their
> >> >>> namespace.)
> >> >>> cgroupns-root.
> >> >>
> >> >> IIRC one downside of this series was that only the new "sane" cgroup
> >> >> layout was supported
> >> >> and hence it was useless for everything which expected the default layout.
> >> >> Hence, still no systemd for us. :)
> >> >>
> >> >> Is this now different?
> >> >
> >> > Yes, all hierachies are no supported.
> >> >
> >>
> >> Should read "now"? :-)
> >> If so, *awesome*!
> >
> > D'oh! Yes, now :-)
>
> I am glad to see multiple hierarchy support, that is something people
> can use today.
>
> A couple of quick questions before I delve into a review.
>
> Does this allow mixing of cgroupfs and cgroupfs2? That is can I: "mount
> -t cgroupfs" inside a container and "mount -t cgroupfs2" outside a
> container? and still have reasonable things happen? I suspect the
> semantics of cgroups prevent this but I am interested to know what happens.
As Tejun said, this is not an issue. There's not an actual separate cgroupfs2
filesystem, it's just a separate hierarchy which controllers can be bound to
or not, which has its own set of semantics (like no tasks on leafnodes). So
a legacy application would never be able to run on the unified hierarchy, but
this does not change that.
> Similary have you considered what it required to be able to safely set
> FS_USERNS_MOUNT?
I think the only thing we need to do is
1. go through and make sure that any ability to change mount flags is under
capable() (which I have not yet done). The cgroup_mount() itself checks that
flags are not changed, but there may be some subtle way to effect a change
that I'm not aware of yet.
2. Make sure that to bind a new controller you must be true root. It's
possible that a patch like the one below would suffice.
-serge
>From 37699aa868cba3efb6ea0aa2e53e0b85b619f02d Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Mon, 16 Nov 2015 19:11:07 -0600
Subject: [PATCH 1/1] Don't allow user namespaces to bind new subsystems
If memory was not mounted on the host, then root in a container
should not be able to mount it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
kernel/cgroup.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 0a3e893..db514b4 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2102,6 +2102,11 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
goto out_unlock;
}
+ if (!opts.none && !capable(CAP_SYS_ADMIN)) {
+ ret = -EPERM;
+ goto out_unlock;
+ }
+
root = kzalloc(sizeof(*root), GFP_KERNEL);
if (!root) {
ret = -ENOMEM;
--
2.5.0
next prev parent reply other threads:[~2015-11-17 1:13 UTC|newest]
Thread overview: 146+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-16 19:51 CGroup Namespaces (v4) serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-1-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-16 19:51 ` [PATCH 1/8] kernfs: Add API to generate relative kernfs path serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-2-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 16:16 ` Tejun Heo
2015-11-24 16:16 ` Tejun Heo
[not found] ` <20151124161630.GL17033-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-11-24 16:17 ` Tejun Heo
2015-11-24 16:17 ` Tejun Heo
2015-11-24 16:17 ` Tejun Heo
[not found] ` <20151124161709.GM17033-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-11-24 17:43 ` Serge E. Hallyn
2015-11-24 17:43 ` Serge E. Hallyn
2015-11-24 17:43 ` Serge E. Hallyn
2015-11-27 5:25 ` Serge E. Hallyn
2015-11-27 5:25 ` Serge E. Hallyn
[not found] ` <20151127052511.GA25490-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-30 15:11 ` Tejun Heo
2015-11-30 15:11 ` Tejun Heo
2015-11-30 15:11 ` Tejun Heo
[not found] ` <20151130151147.GG3535-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-11-30 18:37 ` Serge E. Hallyn
2015-11-30 18:37 ` Serge E. Hallyn
2015-11-30 18:37 ` Serge E. Hallyn
2015-11-30 22:53 ` Tejun Heo
[not found] ` <20151130225318.GD9039-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-01 2:08 ` Serge E. Hallyn
2015-12-01 2:08 ` Serge E. Hallyn
2015-12-01 2:08 ` Serge E. Hallyn
[not found] ` <20151130183758.GA25433-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-30 22:53 ` Tejun Heo
2015-11-27 5:25 ` Serge E. Hallyn
2015-11-24 16:16 ` Tejun Heo
2015-11-16 19:51 ` [PATCH 2/8] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
2015-11-16 19:51 ` [PATCH 3/8] cgroup: add function to get task's cgroup serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-4-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 16:27 ` Tejun Heo
2015-11-24 16:27 ` Tejun Heo
[not found] ` <20151124162728.GN17033-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-11-24 16:54 ` Tejun Heo
2015-11-24 16:54 ` Tejun Heo
2015-11-24 16:54 ` Tejun Heo
2015-11-16 19:51 ` [PATCH 4/8] cgroup: export cgroup_get() and cgroup_put() serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-5-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 16:30 ` Tejun Heo
2015-11-24 16:30 ` Tejun Heo
[not found] ` <20151124163056.GO17033-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-11-24 22:35 ` Serge E. Hallyn
2015-11-24 22:35 ` Serge E. Hallyn
2015-11-24 22:35 ` Serge E. Hallyn
2015-11-16 19:51 ` [PATCH 5/8] cgroup: introduce cgroup namespaces serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-6-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 16:49 ` Tejun Heo
2015-11-24 16:49 ` Tejun Heo
2015-11-24 16:49 ` Tejun Heo
2015-11-16 19:51 ` [PATCH 6/8] cgroup: cgroup namespace setns support serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-7-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 16:52 ` Tejun Heo
2015-11-24 16:52 ` Tejun Heo
2015-11-24 16:52 ` Tejun Heo
2015-11-16 19:51 ` [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-8-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 17:16 ` Tejun Heo
2015-11-24 17:16 ` Tejun Heo
2015-11-24 17:16 ` Tejun Heo
2015-11-25 6:01 ` Serge E. Hallyn
[not found] ` <20151125060156.GA678-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-25 19:10 ` Tejun Heo
2015-11-25 19:10 ` Tejun Heo
[not found] ` <20151125191041.GB14240-piEFEHQLUPpN0TnZuCh8vA@public.gmane.org>
2015-11-25 19:55 ` Serge Hallyn
2015-11-25 19:55 ` Serge Hallyn
2015-11-25 19:55 ` Serge Hallyn
2015-11-25 19:57 ` Tejun Heo
2015-11-25 19:57 ` Tejun Heo
2015-11-25 19:57 ` Tejun Heo
2015-11-25 19:10 ` Tejun Heo
[not found] ` <20151124171610.GS17033-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-11-25 6:01 ` Serge E. Hallyn
2015-11-27 5:17 ` Serge E. Hallyn
2015-11-27 5:17 ` Serge E. Hallyn
[not found] ` <20151127051745.GA24521-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-30 15:09 ` Tejun Heo
2015-11-30 15:09 ` Tejun Heo
[not found] ` <20151130150938.GF3535-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-01 4:07 ` Serge E. Hallyn
2015-12-01 4:07 ` Serge E. Hallyn
2015-12-01 4:07 ` Serge E. Hallyn
[not found] ` <20151201040704.GA31067-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-12-01 16:46 ` Tejun Heo
2015-12-01 16:46 ` Tejun Heo
[not found] ` <20151201164649.GD12922-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-01 21:58 ` Serge E. Hallyn
2015-12-01 21:58 ` Serge E. Hallyn
[not found] ` <20151201215853.GA9153-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-12-02 16:53 ` Tejun Heo
2015-12-02 16:53 ` Tejun Heo
[not found] ` <20151202165312.GB19878-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-02 16:56 ` Serge E. Hallyn
2015-12-02 16:56 ` Serge E. Hallyn
[not found] ` <20151202165637.GA20840-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-12-02 16:58 ` Tejun Heo
2015-12-02 16:58 ` Tejun Heo
[not found] ` <20151202165839.GD19878-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-02 17:02 ` Serge E. Hallyn
2015-12-02 17:02 ` Serge E. Hallyn
[not found] ` <20151202170239.GA21009-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-12-02 17:05 ` Tejun Heo
2015-12-02 17:05 ` Tejun Heo
[not found] ` <20151202170551.GE19878-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-03 22:47 ` Serge E. Hallyn
2015-12-03 22:47 ` Serge E. Hallyn
[not found] ` <20151203224706.GA19971-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-12-07 15:39 ` Tejun Heo
2015-12-07 15:39 ` Tejun Heo
2015-12-07 15:39 ` Tejun Heo
[not found] ` <20151207153911.GF9175-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-12-07 15:53 ` Serge Hallyn
2015-12-07 15:53 ` Serge Hallyn
2015-12-03 22:47 ` Serge E. Hallyn
2015-12-02 17:02 ` Serge E. Hallyn
2015-12-02 16:58 ` Tejun Heo
2015-12-02 16:56 ` Serge E. Hallyn
2015-12-02 16:53 ` Tejun Heo
2015-12-01 21:58 ` Serge E. Hallyn
2015-12-01 16:46 ` Tejun Heo
2015-11-30 15:09 ` Tejun Heo
2015-11-27 5:17 ` Serge E. Hallyn
2015-11-16 19:51 ` [PATCH 8/8] cgroup: Add documentation for cgroup namespaces serge-A9i7LUbDfNHQT0dZR+AlfA
2015-11-16 19:51 ` serge
[not found] ` <1447703505-29672-9-git-send-email-serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2015-11-24 17:16 ` Tejun Heo
2015-11-24 17:16 ` Tejun Heo
2015-11-24 17:16 ` Tejun Heo
2015-11-16 20:41 ` CGroup Namespaces (v4) Richard Weinberger
2015-11-16 20:41 ` Richard Weinberger
2015-11-16 20:41 ` Richard Weinberger
[not found] ` <CAFLxGvzVmbZHrpaTmXUAK03hsnVPwEs3SJGNFNXfthh3NL8EDg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-11-16 20:46 ` Serge E. Hallyn
2015-11-16 20:46 ` Serge E. Hallyn
2015-11-16 20:46 ` Serge E. Hallyn
[not found] ` <20151116204606.GA30681-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-16 20:50 ` Richard Weinberger
2015-11-16 20:50 ` Richard Weinberger
2015-11-16 20:50 ` Richard Weinberger
[not found] ` <564A41AF.4040208-/L3Ra7n9ekc@public.gmane.org>
2015-11-16 20:54 ` Serge E. Hallyn
2015-11-16 20:54 ` Serge E. Hallyn
2015-11-16 20:54 ` Serge E. Hallyn
[not found] ` <20151116205452.GA30975-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-16 22:24 ` Eric W. Biederman
2015-11-16 22:24 ` Eric W. Biederman
2015-11-16 22:24 ` Eric W. Biederman
[not found] ` <87y4dxh9b8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-11-16 22:37 ` Tejun Heo
2015-11-16 22:37 ` Tejun Heo
2015-11-16 22:37 ` Tejun Heo
2015-11-17 1:13 ` Serge E. Hallyn [this message]
2015-11-17 1:13 ` Serge E. Hallyn
2015-11-17 1:13 ` Serge E. Hallyn
[not found] ` <20151117011349.GA1958-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-17 1:40 ` Serge E. Hallyn
2015-11-17 1:40 ` Serge E. Hallyn
[not found] ` <20151117014026.GA2331-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-17 3:54 ` Serge E. Hallyn
2015-11-17 3:54 ` Serge E. Hallyn
2015-11-17 3:54 ` Serge E. Hallyn
2015-11-17 1:40 ` Serge E. Hallyn
2015-11-18 2:30 ` Serge E. Hallyn
2015-11-18 2:30 ` Serge E. Hallyn
[not found] ` <20151118023022.GA17501-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-11-18 9:18 ` Eric W. Biederman
2015-11-18 9:18 ` Eric W. Biederman
[not found] ` <87r3jnfyx7.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-11-18 15:43 ` Serge E. Hallyn
2015-11-18 15:43 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151117011349.GA1958@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lxc-devel-cunTk1MwBs9qMoObBWhMNEqPaTDuhLve2LY78lusg7I@public.gmane.org \
--cc=richard-/L3Ra7n9ekc@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.