From: ebiederm@xmission.com (Eric W. Biederman)
To: Oren Laadan <orenl@cs.columbia.edu>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>,
Pavel Emelyanov <xemul@parallels.com>,
Linux Netdev List <netdev@vger.kernel.org>,
containers@lists.linux-foundation.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>,
Ben Greear <greearb@candelatech.com>
Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.
Date: Wed, 03 Mar 2010 13:05:23 -0800 [thread overview]
Message-ID: <m18wa9glpo.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <4B8ECD99.3040107@cs.columbia.edu> (Oren Laadan's message of "Wed\, 03 Mar 2010 15\:59\:05 -0500")
Oren Laadan <orenl@cs.columbia.edu> writes:
> Daniel Lezcano wrote:
>>
>> I agree with all the points you and Pavel you talked about but I don't feel
>> comfortable to have the current process to switch the pid namespace because of
>> the process tree hierarchy (what will be the parent of the process when you
>> enter the pid namespace for example). What is the difference with the
>> sys_bindns or the sys_hijack, proposed a couple of years ago ?
>>
>> I did a suggestion some weeks ago about a new syscall 'cloneat' where the
>> child process becomes the child of the targeted process specified in the
>> syscall. Maybe it would be interesting to replace the 'setns' by, or add, a
>> cloneat' syscall with the file descriptor passed as parameter. The
>> copy_process function shall not use the nsproxy of the caller but the one
>> provided in the fd argument.
>>
>> The newly created process becomes the child of the process where we retrieve
>> the namespace with nsfd and this one have to 'waitpid' it, (the caller of
>> cloneat' can not wait it). It's a bit similar with the CLONE_PARENT flag,
>> except the creation order is inverted (the father creates for the child).
>>
>> So when entering the container, we specify the pid 1 of the container which is
>> usually a child reaper.
>>
>> Does it make sense ?
>
> For what it's worth, I think that this suggestion (cloneat) is the
> so far the cleanest to allow a process to enter an existing namespace.
If the goal is to enter a container you are probably right. I don't
think I have seen how scary the cloneat code is.
At least for the network namespace there is a lot of value in being
able to just change that single namespace. Having multiple logical
network stacks has it's challenges but has a lot of practical
applications. Especially when there is the possibility of private
ipv4 addresses overlapping, or you have interfaces where you never
want to forward between them but you want forwarding enabled.
Eric
next prev parent reply other threads:[~2010-03-03 21:05 UTC|newest]
Thread overview: 183+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-14 14:05 RFC: netfilter: nf_conntrack: add support for "conntrack zones" Patrick McHardy
2010-01-14 15:05 ` jamal
2010-01-14 15:37 ` Patrick McHardy
2010-01-14 15:37 ` Patrick McHardy
2010-01-14 17:33 ` jamal
2010-01-15 10:15 ` Patrick McHardy
[not found] ` <4B50403A.6010507-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
2010-01-15 15:19 ` jamal
2010-01-15 15:19 ` jamal
2010-02-22 20:46 ` Eric W. Biederman
[not found] ` <m13a0tf17t.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-22 21:55 ` jamal
2010-02-22 21:55 ` jamal
2010-02-22 23:17 ` Eric W. Biederman
[not found] ` <m1wry46es9.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-23 13:27 ` jamal
2010-02-23 14:07 ` Eric W. Biederman
2010-02-23 14:07 ` Eric W. Biederman
2010-02-23 14:20 ` jamal
2010-02-23 20:00 ` Eric W. Biederman
2010-02-23 20:00 ` Eric W. Biederman
[not found] ` <m1r5obbu2w.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-23 23:09 ` jamal
2010-02-23 23:49 ` Matt Helsley
2010-02-23 23:09 ` jamal
2010-02-24 1:43 ` Eric W. Biederman
2010-02-24 1:43 ` Eric W. Biederman
2010-02-25 20:57 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control Eric W. Biederman
2010-02-25 20:57 ` Eric W. Biederman
2010-02-25 21:31 ` Daniel Lezcano
2010-02-25 21:49 ` Eric W. Biederman
[not found] ` <m1mxyx0yv7.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-25 22:13 ` Daniel Lezcano
2010-02-26 20:35 ` Eric W. Biederman
2010-02-25 22:13 ` Daniel Lezcano
2010-02-25 22:31 ` Eric W. Biederman
[not found] ` <4B86F5EC.60902-GANU6spQydw@public.gmane.org>
2010-02-25 22:31 ` Eric W. Biederman
2010-02-26 20:35 ` Eric W. Biederman
[not found] ` <4B86EC45.3060005-GANU6spQydw@public.gmane.org>
2010-02-25 21:49 ` Eric W. Biederman
2010-02-25 21:46 ` Matt Helsley
[not found] ` <20100225214656.GS3604-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
2010-02-25 21:54 ` Eric W. Biederman
2010-02-26 0:53 ` Eric W. Biederman
2010-02-25 21:54 ` Eric W. Biederman
2010-02-26 0:53 ` Eric W. Biederman
2010-02-26 1:09 ` Matt Helsley
[not found] ` <20100226010915.GA20106-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
2010-02-26 1:26 ` Eric W. Biederman
2010-02-26 1:26 ` Eric W. Biederman
2010-02-26 3:15 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control. v2 Eric W. Biederman
[not found] ` <m18wagy9f3.fsf_-_-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-03 20:29 ` Jonathan Corbet
2010-03-03 20:29 ` Jonathan Corbet
2010-03-03 20:50 ` Eric W. Biederman
[not found] ` <20100303132931.11afb659-vw3g6Xz/EtPk1uMJSBkQmQ@public.gmane.org>
2010-03-03 20:50 ` Eric W. Biederman
[not found] ` <m1pr3t2fvl.fsf_-_-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-25 21:31 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control Daniel Lezcano
2010-02-25 21:46 ` Matt Helsley
2010-02-26 1:09 ` Matt Helsley
2010-02-26 3:15 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control. v2 Eric W. Biederman
2010-02-26 21:13 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control Pavel Emelyanov
[not found] ` <4B883987.6090408-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-26 21:24 ` Eric W. Biederman
2010-02-26 21:24 ` Eric W. Biederman
2010-02-26 21:34 ` Pavel Emelyanov
[not found] ` <4B883E6F.1060907-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-26 21:42 ` Eric W. Biederman
2010-02-26 21:42 ` Eric W. Biederman
2010-02-26 21:58 ` Oren Laadan
[not found] ` <4B8843FE.4000404-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2010-02-26 22:16 ` Eric W. Biederman
2010-02-26 22:16 ` Eric W. Biederman
2010-02-26 22:52 ` Oren Laadan
[not found] ` <4B885093.4070807-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2010-02-26 23:13 ` Eric W. Biederman
2010-02-26 23:13 ` Eric W. Biederman
[not found] ` <m1zl2vtzg4.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-26 22:52 ` Oren Laadan
[not found] ` <m13a0nwu6p.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-26 21:58 ` Oren Laadan
2010-02-27 8:30 ` Pavel Emelyanov
2010-02-27 8:30 ` Pavel Emelyanov
2010-02-27 9:04 ` Eric W. Biederman
[not found] ` <m1mxyvrqvk.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-27 9:21 ` Pavel Emelyanov
[not found] ` <4B88E431.6040609-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 9:42 ` Eric W. Biederman
2010-02-27 9:42 ` Eric W. Biederman
2010-02-27 16:16 ` Pavel Emelyanov
[not found] ` <4B894564.7080104-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 19:08 ` Eric W. Biederman
2010-02-27 19:08 ` Eric W. Biederman
2010-02-27 19:29 ` Pavel Emelyanov
2010-02-27 19:44 ` Eric W. Biederman
2010-02-28 22:05 ` Daniel Lezcano
2010-03-01 19:24 ` Eric W. Biederman
[not found] ` <4B8AE8C1.1030305-GANU6spQydw@public.gmane.org>
2010-03-01 19:24 ` Eric W. Biederman
2010-03-01 21:42 ` Eric W. Biederman
2010-03-02 15:03 ` Pavel Emelyanov
2010-03-03 20:59 ` Oren Laadan
2010-03-01 21:42 ` Eric W. Biederman
2010-03-02 13:10 ` Cedric Le Goater
[not found] ` <m1ljebwwgd.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-02 13:10 ` Cedric Le Goater
2010-03-02 15:03 ` Pavel Emelyanov
2010-03-02 15:14 ` Jan Engelhardt
[not found] ` <alpine.LSU.2.01.1003021613570.17303-SHaQjdQMGhDmsUXKMKRlFA@public.gmane.org>
2010-03-02 21:45 ` Eric W. Biederman
2010-03-02 21:45 ` Eric W. Biederman
[not found] ` <4B8D28CF.8060304-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-03-02 15:14 ` Jan Engelhardt
2010-03-02 21:19 ` Sukadev Bhattiprolu
2010-03-02 21:19 ` Sukadev Bhattiprolu
2010-03-02 22:13 ` Eric W. Biederman
[not found] ` <m1y6iaqsmm.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-03 0:07 ` Sukadev Bhattiprolu
2010-03-03 0:07 ` Sukadev Bhattiprolu
[not found] ` <20100303000743.GA13744-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-03 0:46 ` Eric W. Biederman
2010-03-03 0:46 ` Eric W. Biederman
2010-03-03 15:38 ` Serge E. Hallyn
2010-03-03 19:47 ` Eric W. Biederman
2010-03-04 21:45 ` Eric W. Biederman
2010-03-04 22:55 ` Jan Engelhardt
[not found] ` <m1pr3j92x8.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-04 22:55 ` Jan Engelhardt
[not found] ` <m13a0hmblr.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-04 21:45 ` Eric W. Biederman
[not found] ` <20100303153800.GA937-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-03 19:47 ` Eric W. Biederman
[not found] ` <m1ocj6qljj.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-03 15:38 ` Serge E. Hallyn
2010-03-03 16:50 ` Pavel Emelyanov
2010-03-03 16:50 ` Pavel Emelyanov
2010-03-03 20:16 ` Eric W. Biederman
2010-03-05 19:18 ` Pavel Emelyanov
2010-03-05 20:26 ` Eric W. Biederman
2010-03-06 14:47 ` Daniel Lezcano
[not found] ` <4B926B1B.5070207-GANU6spQydw@public.gmane.org>
2010-03-06 20:48 ` Eric W. Biederman
[not found] ` <m1aaulyy5c.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-06 21:26 ` Daniel Lezcano
[not found] ` <4B92C886.9020507-GANU6spQydw@public.gmane.org>
2010-03-08 8:32 ` Eric W. Biederman
2010-03-08 8:32 ` Eric W. Biederman
2010-03-08 16:54 ` Daniel Lezcano
2010-03-08 17:29 ` Eric W. Biederman
[not found] ` <m11vfuvi1t.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 19:57 ` Daniel Lezcano
2010-03-08 19:57 ` Daniel Lezcano
2010-03-08 20:24 ` Eric W. Biederman
2010-03-08 20:42 ` Daniel Lezcano
2010-03-08 20:47 ` Eric W. Biederman
2010-03-08 21:12 ` Daniel Lezcano
2010-03-08 21:25 ` Eric W. Biederman
2010-03-08 21:49 ` Serge E. Hallyn
2010-03-08 22:24 ` Eric W. Biederman
[not found] ` <20100308214945.GA26617-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-08 22:24 ` Eric W. Biederman
2010-03-09 10:03 ` Daniel Lezcano
2010-03-09 10:13 ` Eric W. Biederman
2010-03-09 10:26 ` Daniel Lezcano
[not found] ` <m1ocixn6q3.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-09 10:26 ` Daniel Lezcano
[not found] ` <4B961D09.4010802-GANU6spQydw@public.gmane.org>
2010-03-09 10:13 ` Eric W. Biederman
[not found] ` <m1lje2qzf4.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 21:49 ` Serge E. Hallyn
2010-03-09 10:03 ` Daniel Lezcano
2010-03-10 21:16 ` Daniel Lezcano
2010-03-10 21:16 ` Daniel Lezcano
[not found] ` <4B956852.7050804-GANU6spQydw@public.gmane.org>
2010-03-08 21:25 ` Eric W. Biederman
[not found] ` <m1sk8ar15b.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 21:12 ` Daniel Lezcano
[not found] ` <4B95611C.5060403-GANU6spQydw@public.gmane.org>
2010-03-08 20:47 ` Eric W. Biederman
[not found] ` <m11vfusgsa.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 20:42 ` Daniel Lezcano
[not found] ` <4B9556A9.60206-GANU6spQydw@public.gmane.org>
2010-03-08 20:24 ` Eric W. Biederman
[not found] ` <4B952BBE.6070507-GANU6spQydw@public.gmane.org>
2010-03-08 17:29 ` Eric W. Biederman
[not found] ` <m1fx4bxlfy.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 16:54 ` Daniel Lezcano
2010-03-08 17:07 ` Serge E. Hallyn
2010-03-08 17:07 ` Serge E. Hallyn
[not found] ` <20100308170719.GD6399-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-08 17:35 ` Eric W. Biederman
2010-03-08 17:35 ` Eric W. Biederman
2010-03-08 17:47 ` Serge E. Hallyn
[not found] ` <m1pr3eu36u.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 17:47 ` Serge E. Hallyn
[not found] ` <4B9158F5.5040205-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-03-05 20:26 ` Eric W. Biederman
[not found] ` <m17hptjh3m.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-05 19:18 ` Pavel Emelyanov
[not found] ` <4B8E9370.3050300-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-03-03 20:16 ` Eric W. Biederman
[not found] ` <20100302211942.GA17816-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-02 22:13 ` Eric W. Biederman
2010-03-03 20:59 ` Oren Laadan
[not found] ` <4B8ECD99.3040107-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2010-03-03 21:05 ` Eric W. Biederman
2010-03-03 21:05 ` Eric W. Biederman [this message]
[not found] ` <m18wa9glpo.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-05-27 12:06 ` [Devel] " Enrico Weigelt
[not found] ` <m1ljeempk6.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-28 22:05 ` Daniel Lezcano
[not found] ` <4B89727C.9040602-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 19:44 ` Eric W. Biederman
[not found] ` <m1iq9io5sc.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-27 19:29 ` Pavel Emelyanov
[not found] ` <m1bpfbqajn.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-27 16:16 ` Pavel Emelyanov
[not found] ` <4B88D80A.8010701-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 9:04 ` Eric W. Biederman
[not found] ` <m1bpfbwuze.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-26 21:34 ` Pavel Emelyanov
2010-02-26 21:35 ` Pavel Emelyanov
[not found] ` <4B883EAF.5020607-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-26 21:49 ` Eric W. Biederman
2010-02-26 21:49 ` Eric W. Biederman
2010-05-27 12:28 ` [Devel] " Enrico Weigelt
[not found] ` <20100527122800.GC31480-q9I3ByPDOfiE+EvaaNYduQ@public.gmane.org>
2010-05-27 12:44 ` Daniel Lezcano
[not found] ` <4BFE6938.50607-GANU6spQydw@public.gmane.org>
2010-05-27 15:42 ` Enrico Weigelt
2010-02-23 23:49 ` RFC: netfilter: nf_conntrack: add support for "conntrack zones" Matt Helsley
2010-02-24 1:32 ` Eric W. Biederman
[not found] ` <m18waj2zc8.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-24 1:39 ` Serge E. Hallyn
2010-02-24 1:39 ` Serge E. Hallyn
[not found] ` <20100223234942.GO3604-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
2010-02-24 1:32 ` Eric W. Biederman
[not found] ` <m1iq9ocafv.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-23 14:20 ` jamal
2010-02-22 23:17 ` Eric W. Biederman
2010-02-22 20:46 ` Eric W. Biederman
2010-01-15 10:15 ` Patrick McHardy
[not found] ` <4B4F3A50.1050400-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
2010-01-14 17:33 ` jamal
2010-01-14 18:32 ` Ben Greear
2010-01-15 15:03 ` jamal
[not found] ` <4B4F6332.50606-my8/4N5VtI7c+919tysfdA@public.gmane.org>
2010-01-15 15:03 ` jamal
[not found] ` <4B4F24AC.70105-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
2010-01-14 15:05 ` jamal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m18wa9glpo.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=containers@lists.linux-foundation.org \
--cc=daniel.lezcano@free.fr \
--cc=greearb@candelatech.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=orenl@cs.columbia.edu \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.