From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Subject: Re: [RFC PATCH net-next v2 0/5] netns: allow to identify peer netns
Date: Fri, 26 Sep 2014 15:38:57 +0200
Message-ID: <54256C71.20108@6wind.com>
Organization: 6WIND
To: Cong Wang
Cc: netdev, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Miller, "Eric W. Biederman", Stephen Hemminger, Andrew Morton, Andy Lutomirski
References: <1411478430-4989-1-git-send-email-nicolas.dichtel@6wind.com> <54228D87.3070309@6wind.com> <5422F1F7.8010308@6wind.com> <5423D808.7050800@6wind.com>
List-ID: linux-kernel@vger.kernel.org

On 26/09/2014 03:58, Cong Wang wrote:
> On Thu, Sep 25, 2014 at 1:53 AM, Nicolas Dichtel
> <nicolas.dichtel@6wind.com> wrote:
>> On 24/09/2014 18:48, Cong Wang wrote:
>>
>>> On Wed, Sep 24, 2014 at 9:31 AM, Nicolas Dichtel
>>> <nicolas.dichtel@6wind.com> wrote:
>>>>>
>>>>> I think in this case your IDs are still available, but aren't you
>>>>> providing a new way for the inner netns device to escape, which we
>>>>> are trying to avoid?
>>>>
>>>> It's why the ids depend on the user ns. Only if the user ns are the
>>>> same do we allow getting an id for a peer netns.
>>>
>>> Too late, userns is relatively new; relying on it breaks our existing
>>> assumption.
>>>
>> I don't get your point. netns was added to the kernel after user ns:
>> acce292c82d4 user namespace: add the framework => 2.6.23
>> 5f256becd868 [NET]: Basic network namespace infrastructure. => 2.6.24
>
> Was it complete on 2.6.x? I doubt it...
>
> https://lkml.org/lkml/2014/8/20/826
>
>     As at Linux 3.8, most relevant subsystems supported user namespaces,
>     but a number of filesystems did not have the infrastructure needed to
>     map user and group IDs between user namespaces. Linux 3.9 added the
>     required infrastructure support for many of the remaining unsupported
>     filesystems (Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA,
>     NFS, and OCFS2). Linux 3.11 added support for the last of the
>     unsupported major filesystems, XFS.
>
>> In the kernel, each netns is linked with a user ns.
>
> Are you saying every time we create a netns we have a new userns?
> This doesn't make sense to me.
>
No. I mean that each netns depends on a userns.
See include/net/net_namespace.h:

struct net {
[snip]
        struct user_namespace   *user_ns;       /* Owning user namespace */
[snip]
}
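The rule Nicolas states above ("only if the user ns are the same do we allow getting an id for a peer netns") is easiest to see as a small model. The following is an added example written for this page; it is not the kernel's code and not the RFC patch. The `struct net` / `user_ns` field echoes include/net/net_namespace.h, while the per-netns id table, the scenario (three netns owned by the initial user ns and one owned by a child user ns) and the function names `peer_lookup_id` / `peer_get_id` are this example's own constructions.

```c
/* Added example, not the kernel's code and not the RFC patch: a user-space
 * model of the rule stated in this thread, "only if the user ns are the
 * same do we allow getting an id for a peer netns". Struct and field names
 * echo include/net/net_namespace.h; the id table, the scenario and the
 * function names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PEERS 8

struct user_namespace {
    const char *name;                 /* kept for readability only */
};

/* Stand-in for struct net: the owning user namespace plus a small
 * per-netns table in which the index is the id handed out for a peer. */
struct net {
    const char *name;
    struct user_namespace *user_ns;   /* Owning user namespace */
    struct net *peers[MAX_PEERS];
    int nr_peers;
};

static void net_init(struct net *net, const char *name,
                     struct user_namespace *owner)
{
    memset(net, 0, sizeof(*net));
    net->name = name;
    net->user_ns = owner;
}

/* Id already assigned by net to peer, or -ENOENT. Ids are relative: each
 * netns keeps its own table, so one peer can have different ids in
 * different netns. */
int peer_lookup_id(const struct net *net, const struct net *peer)
{
    for (int id = 0; id < net->nr_peers; id++)
        if (net->peers[id] == peer)
            return id;
    return -ENOENT;
}

/* Return the id net uses for peer, allocating one on first use.
 * The ownership check comes first: a netns owned by a different user
 * namespace gets -EPERM, so it can never be named across that boundary,
 * in either direction. */
int peer_get_id(struct net *net, struct net *peer)
{
    int id;

    if (net->user_ns != peer->user_ns)
        return -EPERM;
    id = peer_lookup_id(net, peer);
    if (id >= 0)
        return id;
    if (net->nr_peers >= MAX_PEERS)
        return -ENOSPC;
    id = net->nr_peers++;
    net->peers[id] = peer;
    return id;
}

/* Constructed scenario: init_net, netns_a and netns_b owned by the initial
 * user ns; netns_inner owned by an unprivileged child user ns. */
struct scenario_result {
    int init_sees_a;        /* id init_net assigns to netns_a           */
    int init_sees_b;        /* id init_net assigns to netns_b           */
    int init_sees_a_again;  /* same query again, id must be stable      */
    int b_sees_init;        /* netns_b's own table, independent of init */
    int init_sees_inner;    /* different owner: refused                 */
    int inner_sees_init;    /* reverse direction: refused as well       */
    int unknown_lookup;     /* lookup without a prior allocation        */
};

struct scenario_result run_scenario(void)
{
    struct user_namespace init_user_ns = { "init_user_ns" };
    struct user_namespace child_user_ns = { "child_user_ns" };
    struct net init_net, netns_a, netns_b, netns_inner;
    struct scenario_result r;

    net_init(&init_net, "init_net", &init_user_ns);
    net_init(&netns_a, "netns_a", &init_user_ns);
    net_init(&netns_b, "netns_b", &init_user_ns);
    net_init(&netns_inner, "netns_inner", &child_user_ns);

    r.init_sees_a = peer_get_id(&init_net, &netns_a);           /* 0 */
    r.init_sees_b = peer_get_id(&init_net, &netns_b);           /* 1 */
    r.init_sees_a_again = peer_get_id(&init_net, &netns_a);     /* 0 */
    r.b_sees_init = peer_get_id(&netns_b, &init_net);           /* 0 */
    r.init_sees_inner = peer_get_id(&init_net, &netns_inner);   /* -EPERM */
    r.inner_sees_init = peer_get_id(&netns_inner, &init_net);   /* -EPERM */
    r.unknown_lookup = peer_lookup_id(&netns_a, &netns_b);      /* -ENOENT */
    return r;
}

int main(void)
{
    struct scenario_result r = run_scenario();

    printf("init_net -> a:%d b:%d a again:%d; netns_b -> init_net:%d\n",
           r.init_sees_a, r.init_sees_b, r.init_sees_a_again, r.b_sees_init);
    printf("cross-owner: init->inner:%d inner->init:%d (EPERM=%d)\n",
           r.init_sees_inner, r.inner_sees_init, EPERM);
    return 0;
}
```

The point the model makes explicit: the id is a property of the pair (netns, peer) and is only ever handed out when both sides share an owning user namespace, so a netns living under a child user ns gets no handle on its parent's netns and the parent gets none on it under this rule.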