From: Daniel Lezcano <daniel.lezcano@free.fr>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Glauber Costa <glommer@parallels.com>,
	linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
	devel@openvz.org, kir@parallels.com,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Tejun Heo <tj@kernel.org>
Subject: Re: [PATCH] allow a task to join a pid namespace
Date: Tue, 05 Jun 2012 11:30:08 +0200
Message-ID: <4FCDD1A0.7040402@free.fr>
In-Reply-To: <20120604165117.GA13091@redhat.com>

On 06/04/2012 06:51 PM, Oleg Nesterov wrote:
> On 06/04, Glauber Costa wrote:
>>
>> Currently, it is possible for a process to join existing
>> net, uts and ipc namespaces. This patch allows a process to join an
>> existing pid namespace as well.
> 
> I can't understand this patch... but probably I missed something,
> I never really understood setns.

Hi Oleg,

let me clarify why setns is needed. In the world of containers, setns
allows administering the container from outside. One good example is
shutting down the container. Users set up their hosts with init's
services to start up the containers when the system starts, but they have
no way to invoke 'shutdown' from inside the container when the system
goes down except by doing some trick with signals. The setns syscall
with pid namespace support will allow that.

Also, complete setns support will allow writing administrative
tools that have a global view of the different separated resources running
in several containers.

For example, if you are the administrator of the host and you have
hundreds of containers running on it, you can use setns to run netstat
within each container and build a view of the different network stacks.
The same applies to 'ps' or 'top'.

Without setns, things are much more complicated and in some cases
impossible. For instance, you can run a daemon inside the container,
send commands to it and redirect its output to a fifo, but that
increases the number of processes and has some limitations. Also, that
means the command you want to run has to be present in the container's FS.

The setns syscall is highly needed for VRF, where a single process
can handle thousands of network namespaces and switch from one network
namespace to another with one syscall. The use of
file descriptors pins the namespace and prevents it from being
destroyed when switching from one namespace to another.

In other words, +1 for pid ns support with setns :)

  -- Daniel
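As an added example (not code from this thread, from the patch under discussion, or from any container project), here is a small C tool that does what the message describes: open a target process's namespace files under /proc (holding the descriptor pins the namespace), join its net and pid namespaces with setns(2), and run a command there. It assumes a Linux kernel where setns accepts CLONE_NEWPID (this went in later, in 3.8) and CAP_SYS_ADMIN in the target's user namespace; ns_path, ns_same, ns_open and run_in_ns are names chosen here, not a kernel or lxc API.

```c
// Added example: join a process's net and pid namespaces with setns(2) and
// run a command there. Assumes Linux >= 3.8 and CAP_SYS_ADMIN over the target.
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build "/proc/<pid>/ns/<name>" into buf. Returns 0, or -1 if it does not fit. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%d/ns/%s", (int)pid, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Compare the namespace identity of two processes without joining anything:
 * the (st_dev, st_ino) of the ns symlink identifies the namespace. Works
 * unprivileged for processes you may inspect. Returns 1 if same, 0 if
 * different, -1 on error (target gone, /proc unreadable). */
int ns_same(pid_t a, pid_t b, const char *name)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    if (ns_path(a, name, pa, sizeof pa) || ns_path(b, name, pb, sizeof pb))
        return -1;
    if (stat(pa, &sa) || stat(pb, &sb))
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Open the namespace file. While this fd is open the namespace cannot be
 * destroyed, even if every process in it exits. Returns fd or -1. */
int ns_open(pid_t pid, const char *name)
{
    char p[64];
    if (ns_path(pid, name, p, sizeof p))
        return -1;
    return open(p, O_RDONLY | O_CLOEXEC);
}

/* Join the target's net and pid namespaces, then fork and exec argv.
 * setns(CLONE_NEWPID) only affects children created afterwards; the caller
 * keeps its own pid, which is why the command runs in a child. Returns the
 * child's exit status, or -1 on error (EPERM without CAP_SYS_ADMIN). */
int run_in_ns(pid_t target, char *const argv[])
{
    int netfd = ns_open(target, "net");
    int pidfd = ns_open(target, "pid");
    if (netfd < 0 || pidfd < 0) {
        perror("open ns");
        return -1;
    }
    if (setns(netfd, CLONE_NEWNET) || setns(pidfd, CLONE_NEWPID)) {
        perror("setns");
        return -1;
    }
    /* We are now a member of the net namespace and our children will be
     * members of the pid namespace; the fds are no longer needed as pins. */
    close(netfd);
    close(pidfd);

    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <pid> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    pid_t target = (pid_t)atoi(argv[1]);
    printf("same net namespace as target: %d\n",
           ns_same(getpid(), target, "net"));
    return run_in_ns(target, &argv[2]) == 0 ? 0 : 1;
}
```

Two caveats a practitioner will hit: setns(CLONE_NEWPID) does not move the caller itself, only children it creates afterwards, and those children still read whatever /proc they inherited. So 'ps' or 'top' run this way only show the container's view if the child also enters the container's mount namespace or mounts a fresh proc. The ns_same check is the cheap way to confirm where a process ended up, since it needs no privilege and no setns at all.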


Thread overview: 15+ messages
2012-06-04 13:33 [PATCH] allow a task to join a pid namespace Glauber Costa
2012-06-04 16:51 ` Oleg Nesterov
2012-06-05  9:30   ` Daniel Lezcano [this message]
2012-06-05 17:18   ` Eric W. Biederman
2012-06-05  9:36 ` Daniel Lezcano
2012-06-05  9:37   ` Glauber Costa
2012-06-05 10:00     ` [Devel] " Glauber Costa
2012-06-05 12:52       ` Daniel Lezcano
2012-06-05 12:53         ` Glauber Costa
2012-06-05 13:18           ` Daniel Lezcano
2012-06-05 17:39       ` Eric W. Biederman
2012-06-05 11:33   ` Glauber Costa
2012-06-06 18:29     ` Eric W. Biederman
2012-06-05 16:49 ` Eric W. Biederman
2012-06-06  8:54   ` Glauber Costa
