From: Daniel Lezcano <daniel.lezcano@free.fr>
To: Glauber Costa <glommer@parallels.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
kir@parallels.com, Michael@openvz.org,
Oleg Nesterov <oleg@redhat.com>,
linux-kernel@vger.kernel.org, Kerrisk <mtk.manpages@gmail.com>,
Tejun Heo <tj@kernel.org>,
cgroups@vger.kernel.org, devel@openvz.org,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [Devel] Re: [PATCH] allow a task to join a pid namespace
Date: Tue, 05 Jun 2012 14:52:17 +0200
Message-ID: <4FCE0101.6010908@free.fr>
In-Reply-To: <4FCDD8A0.1070608@parallels.com>

On 06/05/2012 12:00 PM, Glauber Costa wrote:
> On 06/05/2012 01:37 PM, Glauber Costa wrote:
>> On 06/05/2012 01:36 PM, Daniel Lezcano wrote:
>>> On 06/04/2012 03:33 PM, Glauber Costa wrote:
>>>> Currently, it is possible for a process to join existing
>>>> net, uts and ipc namespaces. This patch allows a process to join an
>>>> existing pid namespace as well.
>>>>
>>>> For that to remain sane, some restrictions are made in the calling
>>>> process:
>>>>
>>>> * It needs to be in the parent namespace of the namespace it wants to
>>>> jump to
>>>> * It needs to sit in its own session and group as a leader.
>>>>
>>>> The rationale for that is that people want to trigger actions in a
>>>> container from the outside. For instance, mainstream Linux recently
>>>> gained the ability to safely reboot a container. It would be
>>>> desirable, however, that this action is triggered from an admin in
>>>> the outside world, very much like a power switch in a physical box.
>>>>
>>>> This would also allow us to connect a console to the container,
>>>> provide a repair mode for setups without networking (or with a
>>>> broken one), etc.
>>>
>>> Hi Glauber,
>>>
>>> I am in favor of this patch but I think the pidns support won't be
>>> complete and some corner-cases are not handled.
>>>
>>> Maybe you can look at Eric's patchset [1] where, IMO, everything is
>>> taken into account. Some of the patches may be already upstream.
>>>
>>> Thanks
>>> -- Daniel
>>
>> I don't remember seeing such a patchset in the mailing lists, but that
>> might be my fault, due to traffic...
>>
>> I'll take a look. If it does what I need, I can just drop this.
>>
>
> Ok. In a quick look, it does not seem to go all the way. This is just
> by reading, but your reboot patch, for instance, is unlikely to work
> with that, since if it doesn't alter pid->level, things like task
> ns_of_pid won't work.
>
> Running the test scripts I wrote for my testing of that patch also
> doesn't seem to produce the expected result:
>
> after doing setns, the pid won't show up in that namespace.
Yes, AFAIR, pid won't show up, you have to do fork-exec.
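
The behaviour discussed at the end of this message (the calling task keeps its pid; only a process forked afterwards appears in the joined namespace) can be observed on current mainline kernels. The C program below is an added example, not code from this thread or from either patch set: it swaps in unshare(CLONE_NEWUSER | CLONE_NEWPID) for setns() so that it needs neither root nor an existing target namespace, and setns(2) documents the same children-only rule for CLONE_NEWPID. The struct and function names are illustrative assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
struct pidns_probe {                    /* hypothetical result record */
    int   ok;                           /* 0 if unshare()/fork() was refused */
    pid_t caller_before, caller_after;  /* caller's getpid() around unshare() */
    pid_t child_view;                   /* getpid() seen by the first child */
};

/* Throwaway helper; CLONE_NEWUSER lets an unprivileged task create the pidns. */
static void probe_in_helper(int out_fd)
{
    struct pidns_probe r = { 0, getpid(), 0, 0 };
    int p[2];
    if (pipe(p) == 0 && unshare(CLONE_NEWUSER | CLONE_NEWPID) == 0) {
        r.caller_after = getpid();      /* unchanged: the caller did not move */
        pid_t c = fork();               /* first task placed in the new pidns */
        if (c == 0) {
            pid_t me = getpid();        /* 1: init of the new namespace */
            _exit(write(p[1], &me, sizeof me) == sizeof me ? 0 : 1);
        }
        close(p[1]);                    /* so read() sees EOF if the child died */
        r.ok = c > 0 && read(p[0], &r.child_view, sizeof(pid_t)) == sizeof(pid_t);
        if (c > 0) waitpid(c, NULL, 0);
    }
    _exit(write(out_fd, &r, sizeof r) == sizeof r ? 0 : 1);
}

struct pidns_probe probe_pidns(void)
{
    struct pidns_probe r = { 0, 0, 0, 0 };
    int p[2]; pid_t h;
    if (pipe(p) != 0 || (h = fork()) < 0) return r;
    if (h == 0) probe_in_helper(p[1]);  /* never returns */
    close(p[1]);
    if (read(p[0], &r, sizeof r) != sizeof r) r.ok = 0;
    close(p[0]); waitpid(h, NULL, 0);
    return r;
}

int main(void)
{
    struct pidns_probe r = probe_pidns();
    printf("ok=%d caller %d -> %d, first child sees itself as %d\n", r.ok,
           (int)r.caller_before, (int)r.caller_after, (int)r.child_view);
    return 0;
}
```

Where unprivileged user namespaces are disabled (sysctl or seccomp policy), the probe reports ok=0 instead of failing.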