From: ebiederm@xmission.com (Eric W. Biederman)
To: mtk.manpages@gmail.com
Cc: linux-man, Linux Containers, lkml
Subject: Re: For review: pid_namespaces(7) man page
Date: Fri, 01 Mar 2013 01:10:23 -0800
Message-ID: <877glr5vuo.fsf@xmission.com>
References: <87txowa2cm.fsf@xmission.com>
In-Reply-To: (Michael Kerrisk's message of "Fri, 1 Mar 2013 09:50:16 +0100")
List-Id: containers.vger.kernel.org

"Michael Kerrisk (man-pages)" writes:

> Hi Eric,
>
> On Thu, Feb 28, 2013 at 4:24 PM, Eric W. Biederman
> wrote:
>> "Michael Kerrisk (man-pages)" writes:
>
> [...]
>
>>> ==========
>>> PID_NAMESPACES(7)      Linux Programmer's Manual     PID_NAMESPACES(7)
>>>
>>> NAME
>>>        pid_namespaces - overview of Linux PID namespaces
>>>
>>> DESCRIPTION
> [...]
>
>>>    The namespace init process
>>>        The first process created in a new namespace (i.e., the process
>>>        created using clone(2) with the CLONE_NEWPID flag, or the first
>>>        child created by a process after a call to unshare(2) using the
>>>        CLONE_NEWPID flag) has the PID 1, and is the "init" process for
>>>        the namespace (see init(1)). Children that are orphaned within
>>>        the namespace will be reparented to this process rather than
>>>        init(1).
>>>
>>>        If the "init" process of a PID namespace terminates, the kernel
>>>        terminates all of the processes in the namespace via a SIGKILL
>>>        signal. This behavior reflects the fact that the "init"
>>>        process is essential for the correct operation of a PID
>>>        namespace. In this case, a subsequent fork(2) into this PID
>>>        namespace (e.g., from a process that has done a setns(2) into
>>>        the namespace using an open file descriptor for a
>>>        /proc/[pid]/ns/pid file corresponding to a process that was in
>>>        the namespace) will fail with the error ENOMEM; it is not
>>>        possible to create a new process in a PID namespace whose
>>>        "init" process has terminated.
>>
>> It may be useful to mention unshare in the case of fork(2) failing just
>> because that is such an easy mistake to make.
>>
>> unshare(CLONE_NEWPID);
>> pid = fork();
>> waitpid(pid,...);
>> fork() -> ENOMEM
>
> I'm lost. Why does that sequence fail? The child of fork() becomes PID
> 1 in the new PID namespace.

Correct.
Then we wait for the child of the fork to exit();
Then we fork again into the new pid namespace.
The second fork fails because init has exited.

Eric
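
The sequence discussed in this message, written out as a runnable C program. This is an added example, not code from the thread. It assumes unprivileged user namespaces are enabled (CLONE_NEWUSER is added so that no root is needed) and runs the sequence in a helper process so the caller is unaffected; `second_fork_errno` is a name chosen here.

```c
#include <errno.h>
#include <linux/sched.h>        /* CLONE_NEWPID, CLONE_NEWUSER */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>        /* SYS_unshare: raw unshare(2) */
#include <sys/wait.h>
#include <unistd.h>

/* Runs unshare/fork/waitpid/fork in a throwaway helper process.
 * Returns the errno of the second fork() (ENOMEM expected), 0 if that
 * fork unexpectedly succeeded, or -1 if the namespace could not be set up. */
int second_fork_errno(void)
{
    int p[2], result = -1;
    if (pipe(p) != 0)
        return -1;
    pid_t helper = fork();
    if (helper < 0) { close(p[0]); close(p[1]); return -1; }
    if (helper == 0) {
        close(p[0]);
        /* Assumption: CLONE_NEWUSER added so this works unprivileged. */
        if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWPID) != 0)
            _exit(1);                    /* namespaces not permitted here */
        pid_t init = fork();             /* becomes PID 1 of the new namespace */
        if (init < 0) _exit(1);
        if (init == 0) _exit(0);         /* "init" exits immediately */
        waitpid(init, NULL, 0);          /* init reaped: namespace is dead */
        pid_t second = fork();           /* the fork that fails */
        int err = second < 0 ? errno : 0;
        if (second == 0) _exit(0);
        if (second > 0) waitpid(second, NULL, 0);
        if (write(p[1], &err, sizeof err) != (ssize_t)sizeof err) _exit(1);
        _exit(0);
    }
    close(p[1]);
    if (read(p[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;                     /* helper died before reporting */
    close(p[0]);
    waitpid(helper, NULL, 0);
    return result;
}

int main(void)
{
    int e = second_fork_errno();
    if (e > 0) printf("second fork(): %s\n", strerror(e));
    else puts(e == 0 ? "second fork() succeeded" : "could not unshare");
    return 0;
}
```

A long-lived process that calls unshare(CLONE_NEWPID) therefore has to keep its first child alive for as long as it intends to create further processes in that namespace.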