From: Pavel Emelyanov <xemul@parallels.com>
To: Tejun Heo <tj@kernel.org>, Pedro Alves <pedro@codesourcery.com>,
Oleg Nesterov <oleg@redhat.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Cyrill Gorcunov <gorcunov@openvz.org>,
James Bottomley <jbottomley@parallels.com>
Subject: Re: [RFC][PATCH 0/3] fork: Add the ability to create tasks with given pids
Date: Thu, 24 Nov 2011 00:14:36 +0400
Message-ID: <4ECD542C.7010705@parallels.com>
In-Reply-To: <4ECD3946.1030503@parallels.com>

On 11/23/2011 10:19 PM, Pavel Emelyanov wrote:
> On 11/23/2011 08:24 PM, Tejun Heo wrote:
>> Hello,
>>
>> On Wed, Nov 23, 2011 at 04:20:44PM +0000, Pedro Alves wrote:
>>>> Would CAP_CHECKPOINT be a shame too?
>>>
>>> I think CAP_CHECKPOINT (or something through some LSM) would be
>>> definitely better.
>>>
>>>> I'm reluctant about privilege
>>>> through fd inheritance mostly because of its unusualness. I don't
>>>> think priv management is a good problem space for small creative
>>>> solutions. We're much better off with mundane mechanisms which people
>>>> are already familiar with and are easy to account for.
>>>
>>> fd inheritance wouldn't work for gdb; a user spawned gdb
>>> wouldn't inherit an open fd to kernel.ns_last_pid from anywhere.
>>
>> I see. So, let's do it for root for now and later add finer grained
>> CAP as necessary/viable. Pavel, what do you think?
>
> OK, I'll send the respective patches soon.

Hm... Started testing this stuff and thought about Pedro's wish to use this
in gdb one more time :(

The thing is that we (in checkpoint/restore) are going to use this sysctl
when creating a pid namespace from scratch, thus having full control over
all the forks happening in this namespace.

But when it comes to the ability for gdb to create a task with a given pid in
a _living_ namespace this solution simply won't work! It doesn't guarantee
that after setting the last_pid via sysctl this last_pid stays the same at
the time we do call fork()/clone(). Because there are other tasks that can call
fork themselves ignoring any last_pid locking we can play with.

That said I see only two real-life scenarios of how to use _this_ API:

1. creating tasks in a new pid namespace, making sure all the fork-ers care
   about the proper locking;
2. forking tasks in a loop checking that getpid() returns desired value and
   hoping that other tasks do not fork() at speed high enough for spoiling
   every single last_pid value set via sysctl.

Is any of these scenarios suitable for Pedro? Other thoughts on this?

>> Thanks.
>>
>
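
An added example, not part of the message above or of the patch set: scenario 2 written out in C, storing want - 1 in the sysctl and forking until the child's pid matches. The helper name fork_with_pid, its parameters and the flock() convention between cooperating callers are assumptions made for illustration; NS_LAST_PID is the procfs path under which the kernel.ns_last_pid sysctl is exposed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Usual procfs path of the kernel.ns_last_pid sysctl named in the thread. */
#define NS_LAST_PID "/proc/sys/kernel/ns_last_pid"

/*
 * Hypothetical helper: fork until the child gets pid `want`, at most `tries`
 * times. Returns the child's pid, 0 if every attempt lost the race, -1 on
 * error. `body` (may be NULL) runs in the child that got the right pid.
 * flock() only serialises cooperating users of `ctl`; any other task in the
 * namespace can still fork between our write() and our fork().
 */
pid_t fork_with_pid(const char *ctl, pid_t want, int tries, int (*body)(void))
{
    pid_t got = 0;
    int fd = open(ctl, O_RDWR);

    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) < 0) {
        close(fd);
        return -1;
    }
    while (got == 0 && tries-- > 0) {
        char buf[16];
        int len = snprintf(buf, sizeof(buf), "%d", (int)want - 1);

        /* The next pid handed out is last_pid + 1, so store want - 1. */
        if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, buf, len) != len) {
            got = -1;
            break;
        }
        pid_t child = fork();
        if (child < 0) {
            got = -1;
        } else if (child == 0) {
            close(fd);
            _exit(getpid() == want ? (body ? body() : 0) : 1);
        } else if (child == want) {
            got = child;
        } else {
            waitpid(child, NULL, 0);    /* lost the race: reap, retry */
        }
    }
    flock(fd, LOCK_UN);
    close(fd);
    return got;
}
```

Called as root with NS_LAST_PID as `ctl`, a return of 0 means other tasks consumed the pid on every attempt, which is the failure mode the message describes for a living namespace.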