From: Alexander Larsson <alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: Detecting the use of a mount in another namespace
Date: Tue, 10 Feb 2015 11:34:42 +0100
Message-ID: <1423564482.14469.8.camel@redhat.com>
In-Reply-To: <87d26cvuy8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>

On Sun, 2015-01-18 at 11:51 -0600, Eric W. Biederman wrote:
> Alexander Larsson <alexl@redhat.com> writes:
> The way I would recommend is to give each of your containers a read-only
> snapshot of /usr, and then delete that snapshot when done.
> Aka:
>
> cp -ldr /usr /usr-snapshot
> # Some time later when you are done
> rm -rf /usr-snapshot
>
> There are more elegant ways (btrfs snapshots etc) but the above will
> work on every filesystem that supports hardlinks.
>
> For what you were wanting to do with mounts in the general case the
> kernel has never had enough information to do what you want to do with
> mounts. Think remote filesystems like nfs. Information from remote
> filesystems about who if anyone has a mountpoint somewhere simply does
> not propagate between kernels.

I'm not trying to solve the generic problem though, but a very specific
one. I'm setting up a sandbox with a bind mount for /usr from a
directory I myself control, and I want to know if any sandbox (from any
user) is still running with that /usr mounted.

In the end I set up a /usr/.ref file and had pid 1 in the sandbox take
an advisory read lock on it. I can then try to get a write lock on this
file and if that fails some sandbox may still be using it. It is not
fail safe, as anyone else can grab a lock on this, but doing so is not
really a problem, as I can still force remove it if needed.

The above allows me to do an automatic "live update" of such a /usr by
setting up the new /usr, then moving the old one to a "removed"
subdirectory and then delay remove until it is no longer in use (or the
user force removes it).

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl@redhat.com alexander.larsson@gmail.com
He's a short-sighted devious filmmaker who hides his scarred face behind
a mask. She's a radical streetsmart lawyer with only herself to blame.
They fight crime!
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
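
The lock-file check described in the message above, as an added example that is not part of the original post or of the author's code. It assumes POSIX record locks taken through Python's `fcntl.lockf` (the message does not say which lock API was used); the function names are hypothetical, and a temporary directory and a forked child stand in for the real /usr and for a sandbox's pid 1.

```python
import errno
import fcntl
import os
import tempfile

REF_NAME = ".ref"  # lock file from the message: /usr/.ref

def hold_read_lock(usr_dir):
    """Sandbox pid 1: take a shared (read) lock; keep the fd open while running."""
    fd = os.open(os.path.join(usr_dir, REF_NAME), os.O_RDONLY)
    fcntl.lockf(fd, fcntl.LOCK_SH)  # blocks briefly if a host probe holds the file
    return fd  # released when the process closes the file or exits

def maybe_in_use(usr_dir):
    """Host: True if a write lock is refused, i.e. someone holds a lock."""
    fd = os.open(os.path.join(usr_dir, REF_NAME), os.O_RDWR)
    try:
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return False
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EAGAIN):
            return True
        raise
    finally:
        os.close(fd)  # also drops the probe's own lock

def demo():
    """Constructed scenario: a forked child stands in for a sandbox's pid 1."""
    with tempfile.TemporaryDirectory(prefix="usr-") as usr:  # stand-in for /usr
        open(os.path.join(usr, REF_NAME), "w").close()
        ready_r, ready_w = os.pipe()
        stop_r, stop_w = os.pipe()
        pid = os.fork()
        if pid == 0:
            try:
                hold_read_lock(usr)
                os.write(ready_w, b"1")  # tell the host the lock is held
                os.read(stop_r, 1)       # stay alive until told to stop
            finally:
                os._exit(0)
        os.close(ready_w)
        os.read(ready_r, 1)              # wait for the child to take its lock
        while_running = maybe_in_use(usr)
        os.write(stop_w, b"1")
        os.waitpid(pid, 0)
        return while_running, maybe_in_use(usr)

if __name__ == "__main__":
    print(demo())
```

A `True` result only means that some process holds a lock on the file, which matches the "may still be using it" wording in the message. Record locks belong to the process, so the check has to run in a different process from the lock holder.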