From: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
	"libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
	<libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
	davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org
Subject: Re: [PATCH] netns: unix: only allow to find out unix socket in same net namespace
Date: Wed, 21 Aug 2013 14:54:20 +0800
Message-ID: <5214641C.9030902@cn.fujitsu.com>
In-Reply-To: <87d2p7vcdx.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>

cc libvirt-list

On 08/21/2013 01:30 PM, Eric W. Biederman wrote:
> Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> writes:
> 
>> Unix sockets are private resources of net namespace,
>> allowing one net namespace to access to other netns's unix
>> sockets is meaningless.
> 
> Allowing one net namespace to access another netns's unix socket is
> deliberate behavior.  This is a desired and useful feature, and
> only a misconfiguration of visible files would allow this to be a
> problem.
> 
>> I'm researching a problem about shutdown from a container:
>> if the container shares the same file /run/systemd/private
>> with the host, when we run shutdown -h xxx in the container, the
>> shutdown message will be sent to systemd-shutdownd
>> through the unix socket /run/systemd/private, and because
>> systemd-shutdownd is running in the host, the host
>> will finally be shut down.
> 
> The simple answer is don't do that then.  I can see no reason
> to share /run outside of the container unless you want this kind of
> behavior.
> 
> Quite frankly I want this behavior if I am using network namespaces
> to support multiple routing contexts. That is if I am using scripts
> like:
> 
> ip netns add other
> ip netns exec other script
> 
> I don't want to have to remember to say
> ip netns orig exec shutdown -h now
> 
> There are more compelling uses and there is no cost in supporting this
> in the kernel.
> 
> What kind of misconfiguration caused someone to complain about this?
> 

libvirt lxc allows the user to set up a container which shares the same root
directory with the host.

It seems that unix sockets whose sun_path is an abstract socket address
are net namespace aware.

Should we use "abstract" type of address instead of a file system pathname
for systemd in this case?
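To illustrate the distinction behind this question, here is an added example (not code from the thread, systemd or the kernel): it binds a pathname unix socket and an abstract-namespace one, then forks a child that calls unshare(CLONE_NEWNET) while still sharing the mount namespace, the situation of a container that shares /run with the host. The pathname socket stays reachable from the new net namespace; the abstract one does not. The socket names are constructed, CLONE_NEWNET is the <sched.h> value, and the cross-namespace probe returns None when the process lacks the privilege to unshare.

```python
import ctypes
import os
import socket
import tempfile

CLONE_NEWNET = 0x40000000  # unshare() flag value from <sched.h>

def abstract_addr(name):
    # Abstract addresses start with a NUL byte and never appear in the filesystem.
    return b"\0" + name.encode()

def listen_on(addr):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(addr)
    srv.listen(8)
    return srv

def can_connect(addr):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        try:
            cli.connect(addr)
            return True
        except OSError:  # ECONNREFUSED for an abstract name from another netns
            return False

def connect_from_new_netns(addr):
    """Fork, unshare a fresh net namespace (same mount namespace), try to connect.
    Returns True/False, or None when unshare(CLONE_NEWNET) is not permitted."""
    rfd, wfd = os.pipe()
    if os.fork() == 0:
        libc = ctypes.CDLL(None, use_errno=True)
        unshared = libc.unshare(CLONE_NEWNET) == 0
        os.write(wfd, (b"1" if can_connect(addr) else b"0") if unshared else b"?")
        os._exit(0)
    os.close(wfd)
    res = os.read(rfd, 1)
    os.close(rfd)
    os.wait()
    return {b"1": True, b"0": False}.get(res)

def demo():
    """Same netns: both reachable. New netns: only the pathname socket is."""
    path_addr = os.path.join(tempfile.mkdtemp(), "private")  # stands in for /run/systemd/private
    abs_addr = abstract_addr("systemd-demo/private")         # constructed abstract name
    with listen_on(path_addr), listen_on(abs_addr):
        return {"path_same_netns": can_connect(path_addr),
                "abstract_same_netns": can_connect(abs_addr),
                "path_new_netns": connect_from_new_netns(path_addr),
                "abstract_new_netns": connect_from_new_netns(abs_addr)}
```

Run as root on a host where unshare(CLONE_NEWNET) is allowed to see the cross-namespace results; unprivileged runs still show both sockets reachable within the same namespace.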
