From: Glauber Costa <glommer@parallels.com>
To: Daniel Lezcano <daniel.lezcano@free.fr>
Cc: Serge Hallyn <serge.hallyn@canonical.com>, <kir@parallels.com>,
<Michael@openvz.org>, Oleg Nesterov <oleg@redhat.com>,
<linux-kernel@vger.kernel.org>, Kerrisk <mtk.manpages@gmail.com>,
Tejun Heo <tj@kernel.org>, <cgroups@vger.kernel.org>,
<devel@openvz.org>, "Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [Devel] Re: [PATCH] allow a task to join a pid namespace
Date: Tue, 5 Jun 2012 16:53:43 +0400
Message-ID: <4FCE0157.4080007@parallels.com>
In-Reply-To: <4FCE0101.6010908@free.fr>
On 06/05/2012 04:52 PM, Daniel Lezcano wrote:
> On 06/05/2012 12:00 PM, Glauber Costa wrote:
>> On 06/05/2012 01:37 PM, Glauber Costa wrote:
>>> On 06/05/2012 01:36 PM, Daniel Lezcano wrote:
>>>> On 06/04/2012 03:33 PM, Glauber Costa wrote:
>>>>> Currently, it is possible for a process to join existing
>>>>> net, uts and ipc namespaces. This patch allows a process to join an
>>>>> existing pid namespace as well.
>>>>>
>>>>> For that to remain sane, some restrictions are made in the calling
>>>>> process:
>>>>>
>>>>> * It needs to be in the parent namespace of the namespace it wants to
>>>>> jump to
>>>>> * It needs to sit in its own session and group as a leader.
>>>>>
>>>>> The rationale for that is that people want to trigger actions in a
>>>>> container from the outside. For instance, mainstream Linux recently
>>>>> gained the ability to safely reboot a container. It would be desirable,
>>>>> however, that this action is triggered from an admin in the outside
>>>>> world, very much like a power switch in a physical box.
>>>>>
>>>>> This would also allow us to connect a console to the container, provide
>>>>> a repair mode for setups without networking (or with a broken one), etc.
>>>>
>>>> Hi Glauber,
>>>>
>>>> I am in favor of this patch but I think the pidns support won't be
>>>> complete and some corner-cases are not handled.
>>>>
>>>> May be you can look at Eric's patchset [1] where, IMO, everything is
>>>> taken into account. Some of the patches may be already upstream.
>>>>
>>>> Thanks
>>>> -- Daniel
>>>
>>> I don't remember seeing such patchset in the mailing lists, but that
>>> might be my fault, due to traffic...
>>>
>>> I'll take a look. If it does what I need, I can just drop this.
>>>
>>
>> Ok. In a quick look, it does not seem to go all the way. This is just
>> by reading, but your reboot patch, for instance, is unlikely to work
>> with that, since if it doesn't alter pid->level, things like task
>> ns_of_pid won't work.
>>
>> Running the test scripts I wrote for my testing of that patch also
>> doesn't seem to produce the expected result:
>>
>> after doing setns, the pid won't show up in that namespace.
>
> Yes, AFAIR, pid won't show up, you have to do fork-exec.
Ah, so you mean the kid will show up... Well, ok.
That's acceptable, but how about the behavior I am proposing? (In the
patch I sent as a reply to this thread.)
I believe it to be saner, even though there is a price tag attached to
it. None of the other setns calls require you to do any such trickery...
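As an added example (not code from this thread or from either patchset), the following C program shows the behaviour Daniel describes, which is also the mainline setns(2) semantics for pid namespaces: the caller keeps its own pid and namespace, and only a child forked afterwards appears inside the target namespace. The function names and the ns_path argument are my own; it needs CAP_SYS_ADMIN and a path such as /proc/<container-init>/ns/pid.

```c
#define _GNU_SOURCE          /* for setns() */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse the readlink target of /proc/<pid>/ns/pid ("pid:[4026531836]")
 * into the namespace inode number; returns 0 for malformed input. */
unsigned long parse_ns_inode(const char *link)
{
    if (strncmp(link, "pid:[", 5) != 0 || !strchr(link + 5, ']')) return 0;
    return strtoul(link + 5, NULL, 10);
}

/* Hypothetical helper: join the pid namespace at ns_path, then fork so a
 * process actually appears in it. Returns the child's pid as numbered in
 * the caller's namespace and stores the child's own view of its pid in
 * *inner; returns -1 with errno set (ENOENT, EPERM, ...) on failure. */
pid_t join_pidns_and_fork(const char *ns_path, pid_t *inner)
{
    int pfd[2], fd = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, CLONE_NEWPID);      /* caller's own pid is unchanged */
    close(fd);
    if (rc < 0 || pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: created inside the target ns */
        pid_t me = getpid();               /* small number, e.g. 2, not a host pid */
        _exit(write(pfd[1], &me, sizeof me) == sizeof me ? 0 : 1);
    }
    close(pfd[1]);
    if (read(pfd[0], inner, sizeof *inner) != sizeof *inner) *inner = -1;
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return pid;                            /* same child, as numbered out here */
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s /proc/<init-pid>/ns/pid\n", argv[0]); return 2; }
    pid_t inner, outer = join_pidns_and_fork(argv[1], &inner);
    if (outer < 0) { perror("join_pidns_and_fork"); return 1; }
    printf("child: pid %d from here, pid %d inside the namespace\n", (int)outer, (int)inner);
    return 0;
}
```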