From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Cedric Le Goater <clg-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
Cc: kyle-hoO6YkzgTuCM0SS3m2neIg@public.gmane.org,
Dave Hansen <dave-gkUM19QKKo4@public.gmane.org>,
bastian-yyjItF7Rl6lg9hUCZPvPmw@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
"H. Peter Anvin" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>,
containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org,
alan-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org,
xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org
Subject: Re: [RFC][PATCH 0/8][v2]: Enable multiple mounts of devpts
Date: Wed, 3 Sep 2008 08:41:59 -0500 [thread overview]
Message-ID: <20080903134159.GC9527@us.ibm.com> (raw)
In-Reply-To: <48BE7C98.1040004-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
Quoting Cedric Le Goater (clg-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org):
> Serge E. Hallyn wrote:
> > Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> >> "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:
> >>
> >>>> (3.2) mnt namespace maybe ?
> >>> I think the last one is the way to go.
> >>>
> >>> mnt_namespace points to mq_ns.
> >>>
> >>> At clone(CLONE_NEWMNT), the new mnt namespace receives a copy of the
> >>> parent's mq_ns.
> >>>
> >>> If a task does
> >>> mount -o newinstance -t mqueue none /dev/mqueue
> >>> then its current->nsproxy->mnt_namespace->mqns is switched
> >>> to point to a new instance of the mq_ns.
> >>>
> >>> mnt_ns->mq_ns has pointers to the sb (and hence root dentry) of the
> >>> devpts fs.
> >>>
> >>> When a task does mq_open(name, flag), then name is in the mqueuefs
> >>> found in current->nsproxy->mnt_namespace->mqns.
> >>>
> >>> But if a task does
> >>>
> >>> clone(CLONE_NEWMNT);
> >>> mount --move /dev/mqueue /oldmqueue
> >>> mount -o newinstance -t mqueue none /dev/mqueue
> >>>
> >>> then that task can find files for the old mqueuefs under
> >>> /oldmqueue, while mq_open() uses /dev/mqueue since that's
> >>> what it finds through its mnt_namespace.
> >> Serge if we can make the lookup a pure mount namespace operation
> >> i.e. a well known path. Than I don't have any problems with it.
> >> Otherwise it looks like abuse of the mount namespace.
> >
> > Why?
> >
> > Actually it may work to just put mq_ns straight in the nsproxy.
>
> ok. that's the path I was taking.
>
> > So let's see:
> >
> > mq_open(name, flag): opens name under the dentry pointed
> > to by current->nsproxy->mq_ns->mq_dentry
> > mount -t mqueue none /dev/mqueue: either returns -EBUSY
> > or just mounts current->nsproxy->mq_ns->mq_sb
> > under /dev/mqueue
> > mount -o newinstance -t mqueue none /dev/mqueue: mounts
> > a new mq_ns instance under /dev/mqueue
> >
> > While doing
> > mount --make-rshared /vs1
> > mount --bind /dev/mqueue /vs1/dev/mqueue
> > create_a_new_container_chrooted_at(/vs1)
> > mount -o newinstance -t mqueue none /dev/mqueue
> > would allow the host to see the child's /dev/mqueue under
> > /vs1/dev/mqueue while having its own mqueuefs continue to be
> > mounted under /dev/mqueue.
>
> ok. complete isolation would require 2 steps. I guess this is
> acceptable because mq uses a fs
What do you mean, it would require 2 steps? You mean umount followed
by a mount?
Not really, since /dev/mqueue never needed to be bind-mounted under
/vs1/dev/mqueue to begin with, so all the container has to do is
mount -o newinstance -t mqueue none /dev/mqueue (while chrooted under
/vs1)
IMO two steps means unshare(CLONE_NEWIPC) and mount /dev/mqueue,
which is what the last patchset required.
> allowing the host to see the child's /dev/mqueue is also 'a nice
> to have' feature. unfortunately, we can't do that for all namespaces,
> for sysvipc for example. So I'm wondering if we should allow it
> at all ?
>
> Thanks,
>
> C.
next prev parent reply other threads:[~2008-09-03 13:41 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-21 2:21 [RFC][PATCH 0/8][v2]: Enable multiple mounts of devpts sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20080821022126.GA29449-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 2:26 ` [RFC][PATCH 1/8]: /dev/tty tweak in init_dev() sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20080821022621.GA29658-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 9:19 ` Alan Cox
2008-08-21 9:26 ` Alan Cox
2008-08-21 2:26 ` [RFC][PATCH 2/8]: Add inode parameter devpts interfaces sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:27 ` [RFC][PATCH 3/8]: Remove devpts_root global sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:27 ` [RFC][PATCH 4/8]: Per-mount allocated_ptys sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:28 ` [RFC][PATCH 5/8]: Per-mount 'config' object sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:28 ` [RFC][PATCH 6/8]: Extract option parsing to new function sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:29 ` [RFC][PATCH 7/8]: Auto-create ptmx node when mounting devpts sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20080821022908.GG29658-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 9:21 ` Alan Cox
[not found] ` <20080821102139.43c44f67-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2008-08-21 16:09 ` H. Peter Anvin
[not found] ` <48AD932F.8090908-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 16:27 ` Alan Cox
[not found] ` <20080821172700.781b0011-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2008-08-21 16:49 ` H. Peter Anvin
[not found] ` <48AD9C93.6080302-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 17:22 ` Serge E. Hallyn
[not found] ` <20080821172245.GA28411-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 17:07 ` Alan Cox
2008-08-21 17:23 ` sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20080821172342.GA8059-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 17:38 ` Eric W. Biederman
[not found] ` <m18wuqtgj7.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-08-21 17:50 ` H. Peter Anvin
[not found] ` <48ADAAE2.6040700-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 18:23 ` Eric W. Biederman
[not found] ` <m1hc9eqlbo.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-08-21 18:36 ` H. Peter Anvin
2008-08-21 17:40 ` H. Peter Anvin
[not found] ` <48ADA890.4060309-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 18:11 ` sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20080821181133.GB8059-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 18:17 ` H. Peter Anvin
2008-08-21 21:00 ` Serge E. Hallyn
[not found] ` <20080821210040.GA14532-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 22:16 ` sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:29 ` [RFC][PATCH 8/8]: Enable multiple mounts of devpts sukadev-r/Jw6+rmf7HQT0dZR+AlfA
2008-08-21 2:45 ` [RFC][PATCH 0/8][v2]: " H. Peter Anvin
[not found] ` <48ACD6CB.5030706-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 3:10 ` sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20080821031028.GB30205-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-08-21 3:15 ` H. Peter Anvin
[not found] ` <48ACDDC7.3000704-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 16:34 ` Cedric Le Goater
[not found] ` <48AD991F.9010906-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-08-21 16:40 ` H. Peter Anvin
[not found] ` <48AD9A97.6000807-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-08-21 16:54 ` Cedric Le Goater
[not found] ` <48AD9DCD.3060306-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-08-21 16:56 ` H. Peter Anvin
2008-08-21 17:28 ` Serge E. Hallyn
2008-08-21 17:45 ` Eric W. Biederman
[not found] ` <m1fxoys1ng.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-08-21 21:02 ` Cedric Le Goater
[not found] ` <48ADD7D3.7080400-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-08-29 9:02 ` Cedric Le Goater
[not found] ` <48B7BB3C.5080404-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-09-02 3:04 ` Serge E. Hallyn
[not found] ` <20080902030426.GB12277-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-09-02 10:00 ` Eric W. Biederman
[not found] ` <m1vdxeeuk0.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-09-02 15:52 ` Serge E. Hallyn
[not found] ` <20080902155211.GF8524-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-09-03 12:01 ` Cedric Le Goater
[not found] ` <48BE7C98.1040004-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-09-03 13:12 ` Eric W. Biederman
2008-09-03 13:41 ` Serge E. Hallyn [this message]
2008-09-03 11:47 ` Cedric Le Goater
[not found] ` <48BE7959.1080109-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-09-03 13:24 ` Serge E. Hallyn
2008-09-03 11:43 ` Cedric Le Goater
[not found] ` <48BE7845.6070500-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-09-03 13:23 ` Serge E. Hallyn
[not found] ` <20080903132307.GA9527-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-09-03 13:52 ` Cedric Le Goater
2008-09-02 9:22 ` Eric W. Biederman
[not found] ` <m1d4jmhpgl.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-09-03 12:04 ` Cedric Le Goater
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080903134159.GC9527@us.ibm.com \
--to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=alan-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org \
--cc=bastian-yyjItF7Rl6lg9hUCZPvPmw@public.gmane.org \
--cc=clg-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=dave-gkUM19QKKo4@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org \
--cc=kyle-hoO6YkzgTuCM0SS3m2neIg@public.gmane.org \
--cc=xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox