Re: [PATCH 0/4 v3] Add an interface to discover relationships between namespaces

[ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)]

Andrei Vagin <avagin@openvz.org> writes:

> From: Andrey Vagin <avagin@openvz.org>
>
> Each namespace has an owning user namespace and now there is not way
> to discover these relationships.
>
> Pid and user namepaces are hierarchical. There is no way to discover
> parent-child relationships too.
>
> Why we may want to know relationships between namespaces?
>
> One use would be visualization, in order to understand the running
> system.  Another would be to answer the question: what capability does
> process X have to perform operations on a resource governed by namespace
> Y?
>
> One more use-case (which usually called abnormal) is checkpoint/restart.
> In CRIU we are going to dump and restore nested namespaces.
>
> There [1] was a discussion about which interface to choose to determing
> relationships between namespaces.
>
> Eric suggested to add two ioctl-s [2]:
>> Grumble, Grumble.  I think this may actually a case for creating ioctls
>> for these two cases.  Now that random nsfs file descriptors are bind
>> mountable the original reason for using proc files is not as pressing.
>>
>> One ioctl for the user namespace that owns a file descriptor.
>> One ioctl for the parent namespace of a namespace file descriptor.
>
> Here is an implementaions of these ioctl-s.
>
> $ man man7/namespaces.7
> ...
> Since  Linux  4.X,  the  following  ioctl(2)  calls are supported for
> namespace file descriptors.  The correct syntax is:
>
>       fd = ioctl(ns_fd, ioctl_type);
>
> where ioctl_type is one of the following:
>
> NS_GET_USERNS
>       Returns a file descriptor that refers to an owning user names‐
>       pace.
>
> NS_GET_PARENT
>       Returns  a  file descriptor that refers to a parent namespace.
>       This ioctl(2) can be used for pid  and  user  namespaces.  For
>       user namespaces, NS_GET_PARENT and NS_GET_USERNS have the same
>       meaning.
>
> In addition to generic ioctl(2) errors, the following  specific  ones
> can occur:
>
> EINVAL NS_GET_PARENT was called for a nonhierarchical namespace.
>
> EPERM  The  requested  namespace  is outside of the current namespace
>       scope.
>
> [1] https://lkml.org/lkml/2016/7/6/158
> [2] https://lkml.org/lkml/2016/7/9/101
>
> Changes for v2:
> * don't return ENOENT for init_user_ns and init_pid_ns. There is nothing
>   outside of the init namespace, so we can return EPERM in this case too.
>> The fewer special cases the easier the code is to get
>> correct, and the easier it is to read. // Eric
>
> Changes for v3:
> * rename ns->get_owner() to ns->owner(). get_* usually means that it
>   grabs a reference.
>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
> Cc: "W. Trevor King" <wking@tremily.us>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>
>

Applied thanks.

I didn't see any issues except your patch __ns_get_path was missing a
mntput in the retry case. So I just fixed that.

Eric

_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers