linux-api.vger.kernel.org archive mirror
From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Pavel Emelyanov <xemul@openvz.org>
Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>,
	linux-kernel@vger.kernel.org, Oren Laadan <orenl@cs.columbia.edu>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Andrew Morton <akpm@osdl.org>,
	torvalds@linux-foundation.org, mikew@google.com, mingo@elte.hu,
	hpa@zytor.com, Nathan Lynch <nathanl@austin.ibm.com>,
	arnd@arndb.de, peterz@infradead.org, Louis.Rilling@kerlabs.com,
	roland@redhat.com, kosaki.motohiro@jp.fujitsu.com,
	randy.dunlap@oracle.com, linux-api@vger.kernel.org,
	Containers <containers@lists.linux-foundation.org>,
	sukadev@us.ibm.com
Subject: Re: [RFC][v8][PATCH 3/10]: Make pid_max a pid_ns property
Date: Tue, 13 Oct 2009 11:28:18 -0500
Message-ID: <20091013162818.GA13416@us.ibm.com>
In-Reply-To: <4AD4A676.3010603@openvz.org>

Quoting Pavel Emelyanov (xemul@openvz.org):
> > This patch isn't a core part of the clone_with_pid functionality,
> > just something Eric has asked for.  So I don't object to dropping
> > it.  But I disagree with Alexey's claim that this isn't a namespace
> > property.  It should be.
> 
> OK
> 
> >> frankly I don't see the reason for doing so. Why should we?
> >> Especially taking into account, that we essentially cannot
> >> change this in the namespace level 3 and deeper?
> > 
> > What do you mean by that?  With this patchset we're not, it's
> > true, but we trivially can - even now, userspace can simply not
> > give the container CAP_SYS_ADMIN or write access to the sysctl
> > so they can't do any more CLONE_NEWPIDS or change the sysctl.
> 
> It's a misprint - I meant "level 2 and deeper". Sysctl is
> only pointing at the init_pid_ns variable.

Right, and I'm saying that's to be fixed up as with all other
containerized sysctl's.  You're right that this patch doesn't
solve that problem, but you seem to be arguing that bc it's
not done in this patch, we should act as though it can't be
done.

But again, maybe we're best off dropping this patch (sorry, Suka,
I had suggested you add it...) and focusing on the rest of the set
for now.

thanks,
-serge
