* Re: Private namespaces
2003-05-05 13:23 Private namespaces Adrian Etchevarne
@ 2003-04-16 13:23 ` Andries Brouwer
2003-04-19 14:52 ` Florin Iucha
2003-04-16 13:40 ` Lee Causier
1 sibling, 1 reply; 8+ messages in thread
From: Andries Brouwer @ 2003-04-16 13:23 UTC (permalink / raw)
To: Adrian Etchevarne; +Cc: linux-kernel
On Mon, May 05, 2003 at 10:23:56AM -0300, Adrian Etchevarne wrote:
> I've been looking for instructions to use private namespaces in Linux,
> without results. Can anyone tell where the documentation about it is?
> (I'm not referring to chroot(), but to /proc/<pid>/mounts). Or the proper
> files in the kernel sources?
A tiny demo program is given in
http://www.win.tue.nl/~aeb/linux/lk/lk-6.html#ss6.3.3
In the kernel source, grep for CLONE_NEWNS.
* Re: Private namespaces
2003-05-05 13:23 Private namespaces Adrian Etchevarne
2003-04-16 13:23 ` Andries Brouwer
@ 2003-04-16 13:40 ` Lee Causier
1 sibling, 0 replies; 8+ messages in thread
From: Lee Causier @ 2003-04-16 13:40 UTC (permalink / raw)
To: Adrian Etchevarne; +Cc: linux-kernel
http://www.win.tue.nl/~aeb/linux/lk/lk-6.html
Take a look at 6.3.3 "Per-process namespaces"
[-- snip --]
"BUGS: The program mount does not know about this feature yet, so
updates /etc/mtab. Reality is visible in /proc/mounts. Some kernel
versions have a bug that would cause the new process to have a strange
working directory. Probably that is avoided if this is started with a
working directory / or so - not in some mounted filesystem."
I found symlinking /etc/mtab to /proc/self/mounts (or /proc/mounts,
which is a symlink to /proc/self/mounts) solved the mount bug.
HTH
Regards,
Lee Edward Causier.
On Mon, 2003-05-05 at 14:23, Adrian Etchevarne wrote:
> Hello,
> I've been looking for instructions to use private namespaces in Linux,
> without results. Can anyone tell where the documentation about it is?
> (I'm not referring to chroot(), but to /proc/<pid>/mounts). Or the proper
> files in the kernel sources?
>
> Thanks,
> Adrian.
* Re: Private namespaces
2003-04-16 13:23 ` Andries Brouwer
@ 2003-04-19 14:52 ` Florin Iucha
2003-04-19 16:21 ` Andries Brouwer
0 siblings, 1 reply; 8+ messages in thread
From: Florin Iucha @ 2003-04-19 14:52 UTC (permalink / raw)
To: Andries Brouwer; +Cc: linux-kernel
On Wed, Apr 16, 2003 at 03:23:24PM +0200, Andries Brouwer wrote:
> On Mon, May 05, 2003 at 10:23:56AM -0300, Adrian Etchevarne wrote:
>
> > I've been looking for instructions to use private namespaces in Linux,
> > without results. Can anyone tell where the documentation about it is?
> > (I'm not referring to chroot(), but to /proc/<pid>/mounts). Or the proper
> > files in the kernel sources?
>
> A tiny demo program is given in
> http://www.win.tue.nl/~aeb/linux/lk/lk-6.html#ss6.3.3
>
> In the kernel source, grep for CLONE_NEWNS.
I have compiled the sample program on 2.5.67-pre6 and it fails with
clone: Cannot allocate memory
when run as a regular user. Is there a workaround?
Thank you,
florin
--
"NT is to UNIX what a doughnut is to a particle accelerator."
* Re: Private namespaces
2003-04-19 14:52 ` Florin Iucha
@ 2003-04-19 16:21 ` Andries Brouwer
2003-04-19 21:35 ` Andrew Morton
0 siblings, 1 reply; 8+ messages in thread
From: Andries Brouwer @ 2003-04-19 16:21 UTC (permalink / raw)
To: linux-kernel
On Sat, Apr 19, 2003 at 09:52:39AM -0500, Florin Iucha wrote:
> I have compiled the sample program on 2.5.67-pre6 and it fails with
> clone: Cannot allocate memory
> when run as a regular user. Is there a workaround?
Well, the comment says
"Exercise Play with this in several situations. You may have to be root."
and the source says
        if (! (flags & CLONE_NEWNS))
                return 0;
        if (!capable(CAP_SYS_ADMIN)) {
                put_namespace(namespace);
                return -EPERM;
        }
so there is not much hope for a regular user.
Now you ask: but why ENOMEM?
That is a tiny flaw in the kernel source.
I suppose
--- fork.c~ Tue Mar 25 04:54:46 2003
+++ fork.c Sat Apr 19 18:21:44 2003
@@ -873,7 +873,8 @@
goto bad_fork_cleanup_sighand;
if (copy_mm(clone_flags, p))
goto bad_fork_cleanup_signal;
- if (copy_namespace(clone_flags, p))
+ retval = copy_namespace(clone_flags, p);
+ if (retval)
goto bad_fork_cleanup_mm;
retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
if (retval)
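Review bot: the copy_mm() call in the context lines just above the change still tests its result inline, so a failure there keeps reporting whatever retval was set to earlier rather than copy_mm()'s own error. If that is intentional because the remaining callees can only fail for lack of memory, the changelog should say so; otherwise convert them in the same patch. The header names fork.c~ and fork.c also carry no directory component, so either state the -p level or regenerate the diff from the top of the tree against kernel/fork.c.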
would fix that.
Andries
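The CAP_SYS_ADMIN check and the /proc/<pid>/mounts view discussed above, exercised from user space. This is an added example, not the demo program from the linked page and not code from any poster. The names private_ns_demo, tag_mounted and the nsdemo_tmpfs mount source are hypothetical, and the MS_PRIVATE remount assumes a current kernel with mount propagation, which postdates this thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>

#define TAG "nsdemo_tmpfs" /* constructed mount source name to look for */

/* 1 if the caller's /proc/self/mounts lists a mount whose source is TAG. */
static int tag_mounted(void)
{
    char line[1024];
    int found = 0;
    FILE *f = fopen("/proc/self/mounts", "r");
    while (f && fgets(line, sizeof line, f))
        if (strncmp(line, TAG " ", sizeof TAG) == 0)
            found = 1;
    if (f) fclose(f);
    return found;
}

/* Runs in the new namespace; the exit status names the step that failed. */
static int child(void *arg)
{
    (void)arg;
    /* "/" is often a shared mount today: make this copy private or give up. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) return 2;
    if (mount(TAG, "/tmp", "tmpfs", 0, NULL)) return 3;
    return tag_mounted() ? 0 : 4;
}

static char stack[256 * 1024] __attribute__((aligned(16))); /* child stack */

/* 0: mount seen only by the child; -errno: clone() refused (-EPERM without
 * CAP_SYS_ADMIN); 1-4: child failed at a step; 5: mount leaked to the caller. */
int private_ns_demo(void)
{
    int status;
    pid_t pid = clone(child, stack + sizeof stack, CLONE_NEWNS | SIGCHLD, NULL);
    if (pid < 0) return -errno;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 1;
    if (WEXITSTATUS(status)) return WEXITSTATUS(status);
    return tag_mounted() ? 5 : 0;
}

int main(void) { printf("private_ns_demo() = %d\n", private_ns_demo()); return 0; }
```

The result depends on privilege: with CAP_SYS_ADMIN the tmpfs appears only in the child's mount table, and without it clone() is refused before any mount is attempted.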
* Re: Private namespaces
2003-04-19 16:21 ` Andries Brouwer
@ 2003-04-19 21:35 ` Andrew Morton
0 siblings, 0 replies; 8+ messages in thread
From: Andrew Morton @ 2003-04-19 21:35 UTC (permalink / raw)
To: Andries Brouwer; +Cc: linux-kernel
Andries Brouwer <aebr@win.tue.nl> wrote:
>
> Now you ask: but why ENOMEM?
> That is a tiny flaw in the kernel source.
That code's all fairly careless with its return values, isn't it?
How does this look?
kernel/fork.c | 23 +++++++++++------------
1 files changed, 11 insertions(+), 12 deletions(-)
diff -puN kernel/fork.c~clone-retval-fix kernel/fork.c
--- 25/kernel/fork.c~clone-retval-fix 2003-04-19 14:28:05.000000000 -0700
+++ 25-akpm/kernel/fork.c 2003-04-19 14:31:26.000000000 -0700
@@ -568,7 +568,7 @@ static inline int copy_fs(unsigned long
}
tsk->fs = __copy_fs_struct(current->fs);
if (!tsk->fs)
- return -1;
+ return -ENOMEM;
return 0;
}
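Review bot: in copy_fs() here, and likewise in copy_sighand() and copy_signal() in the next two hunks, the old bare -1 has the same numeric value as -EPERM, so these three substitutions are a prerequisite for the copy_process() hunk that starts propagating callee return values, not a cosmetic cleanup. The changelog should say that, so the last hunk is never applied or backported without them.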
@@ -703,7 +703,7 @@ static inline int copy_sighand(unsigned
sig = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
tsk->sighand = sig;
if (!sig)
- return -1;
+ return -ENOMEM;
spin_lock_init(&sig->siglock);
atomic_set(&sig->count, 1);
memcpy(sig->action, current->sighand->action, sizeof(sig->action));
@@ -721,7 +721,7 @@ static inline int copy_signal(unsigned l
sig = kmem_cache_alloc(signal_cachep, GFP_KERNEL);
tsk->signal = sig;
if (!sig)
- return -1;
+ return -ENOMEM;
atomic_set(&sig->count, 1);
sig->group_exit = 0;
sig->group_exit_code = 0;
@@ -866,23 +866,22 @@ static struct task_struct *copy_process(
p->security = NULL;
p->as_io_context = NULL;
- retval = -ENOMEM;
- if (security_task_alloc(p))
+ if ((retval = security_task_alloc(p)))
goto bad_fork_cleanup;
/* copy all the process information */
- if (copy_semundo(clone_flags, p))
+ if ((retval = copy_semundo(clone_flags, p)))
goto bad_fork_cleanup_security;
- if (copy_files(clone_flags, p))
+ if ((retval = copy_files(clone_flags, p)))
goto bad_fork_cleanup_semundo;
- if (copy_fs(clone_flags, p))
+ if ((retval = copy_fs(clone_flags, p)))
goto bad_fork_cleanup_files;
- if (copy_sighand(clone_flags, p))
+ if ((retval = copy_sighand(clone_flags, p)))
goto bad_fork_cleanup_fs;
- if (copy_signal(clone_flags, p))
+ if ((retval = copy_signal(clone_flags, p)))
goto bad_fork_cleanup_sighand;
- if (copy_mm(clone_flags, p))
+ if ((retval = copy_mm(clone_flags, p)))
goto bad_fork_cleanup_signal;
- if (copy_namespace(clone_flags, p))
+ if ((retval = copy_namespace(clone_flags, p)))
goto bad_fork_cleanup_mm;
retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
if (retval)
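Review bot: with the retval = -ENOMEM preset removed at the top of this hunk, every callee in the chain must return a negative errno itself, yet the patch only touches copy_fs(), copy_sighand() and copy_signal(). security_task_alloc(), copy_semundo(), copy_files(), copy_mm() and copy_namespace() need checking for a bare -1 or a positive return before this goes in, since either would now reach the caller of clone() unchanged. On style, the eight if ((retval = ...)) tests could be written as a separate assignment followed by if (retval), matching the copy_thread() call in the trailing context.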
_
* Re: Private namespaces
@ 2003-04-19 22:18 Andries.Brouwer
2003-04-19 22:22 ` Andrew Morton
0 siblings, 1 reply; 8+ messages in thread
From: Andries.Brouwer @ 2003-04-19 22:18 UTC (permalink / raw)
To: aebr, akpm; +Cc: linux-kernel
> How does this look?
Ach - just a moment ago I submitted only that single
improvement, but you do the whole list.
(It is OK, of course. I looked for a second and concluded that
in all other cases the return value was in fact -ENOMEM, so that
no change was required. Only in the case of security_task_alloc()
is a different value, -EPERM, likely.)
Concerning style - I don't like

        if ((retval = copy_sighand(clone_flags, p)))

very much.
Where there is an if() one expects a boolean condition,
and in superficial reading one can easily mistake = for ==,
in spite of the additional parentheses.
Just

        retval = copy_sighand(clone_flags, p);
        if (retval)

is so much clearer.
Andries
* Re: Private namespaces
2003-04-19 22:18 Andries.Brouwer
@ 2003-04-19 22:22 ` Andrew Morton
0 siblings, 0 replies; 8+ messages in thread
From: Andrew Morton @ 2003-04-19 22:22 UTC (permalink / raw)
To: Andries.Brouwer; +Cc: linux-kernel
Andries.Brouwer@cwi.nl wrote:
>
> Concerning style - I don't like
>
> if ((retval = copy_sighand(clone_flags, p)))
>
> very much.
Me either. But in this case there are so darn many of them it seems
acceptable.
* Private namespaces
@ 2003-05-05 13:23 Adrian Etchevarne
2003-04-16 13:23 ` Andries Brouwer
2003-04-16 13:40 ` Lee Causier
0 siblings, 2 replies; 8+ messages in thread
From: Adrian Etchevarne @ 2003-05-05 13:23 UTC (permalink / raw)
To: linux-kernel
Hello,
I've been looking for instructions to use private namespaces in Linux,
without results. Can anyone tell where the documentation about it is?
(I'm not referring to chroot(), but to /proc/<pid>/mounts). Or the proper
files in the kernel sources?
Thanks,
Adrian.