Re: For review: pid_namespaces(7) man page

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: ebiederm@xmission.com (Eric W. Biederman)
To: mtk.manpages@gmail.com
Cc: Rob Landley <rob@landley.net>,
	linux-man <linux-man@vger.kernel.org>,
	Linux Containers <containers@lists.linux-foundation.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: For review: pid_namespaces(7) man page
Date: Fri, 01 Mar 2013 07:35:38 -0800	[thread overview]
Message-ID: <87wqtr3zg5.fsf@xmission.com> (raw)
In-Reply-To: <CAKgNAkgVKnhRT1Lpq4a_UdBKB+tn6XmWSDF2QJXG0aSLtNH6dg@mail.gmail.com> (Michael Kerrisk's message of "Fri, 1 Mar 2013 10:57:40 +0100")

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Rob,
>
> On Fri, Mar 1, 2013 at 5:01 AM, Rob Landley <rob@landley.net> wrote:
>> On 02/28/2013 05:24:07 AM, Michael Kerrisk (man-pages) wrote:
> [...]
>
>>> DESCRIPTION
>>>        For an overview of namespaces, see namespaces(7).
>>>
>>>        PID  namespaces  isolate  the  process ID number space, meaning
>>>        that processes in different PID namespaces can  have  the  same
>>>        PID.
>>
>>
>> Um, perhaps "different processes"? Slightly repetitive, but trying to avoid
>> the potential misreading that "a processes can have the same PID in
>> different namespaces". (A single process can't be a member of more than one
>> namespace. This is not about selective visibility.)
>
> I'm not sure this clarifies things...
>
>>> PID namespaces allow containers to migrate to a new host
>>>        while the processes inside  the  container  maintain  the  same
>>>        PIDs.
>>
>>
>> I thought suspend/resume a container was the simple case. Migration to a new
>> host is built on top of that. (On resume in a new container on the same
>> system, if other stuff is going on in the system so the available PIDs have
>> shifted.)
>
> I'll add some words here on suspend/resume.
>
>>>        Likewise, a process in an ancestor namespace can—subject to the
>>>        usual permission checks described in  kill(2)—send  signals  to
>>>        the  "init" process of a child PID namespace only if the "init"
>>>        process has established a handler for that signal.  (Within the
>>>        handler,  the  siginfo_t si_pid field described in sigaction(2)
>>>        will be zero.)  SIGKILL or SIGSTOP are  treated  exceptionally:
>>>        these signals are forcibly delivered when sent from an ancestor
>>>        PID namespace.  Neither of these signals can be caught  by  the
>>>        "init" process, and so will result in the usual actions associ‐
>>>        ated with those signals (respectively, terminating and stopping
>>>        the process).
>>
>>
>> If SIGKILL to init is propogated to all the children of init, is SIGSTOP
>> also propogated to all the children? (I.E. will SIGSTOP to container's init
>> suspend the whole container, and will SIGCONT resume the whole container? If
>> the latter, will it only resume processes that weren't previously stopped?
>> :)
>
> Covered by Eric.
>
>>>        To put things another way: a process's PID namespace membership
>>>        is determined when the process is created and cannot be changed
>>>        thereafter.  Among other things, this means that  the  parental
>>>        relationship between processes mirrors the parental between PID
>>
>>
>> mirrors the relationship
>
> Thanks.
>
>>>        namespaces: the parent of a  process  is  either  in  the  same
>>>        namespace or resides in the immediate parent PID namespace.
>>>
>>>        Every  thread  in  a process must be in the same PID namespace.
>>>        For this reason, the two following call sequences will fail:
>>>
>>>            unshare(CLONE_NEWPID);
>>>            clone(..., CLONE_VM, ...);    /* Fails */
>>>
>>>            setns(fd, CLONE_NEWPID);
>>>            clone(..., CLONE_VM, ...);    /* Fails */
>>
>>
>> They fail with -EUNDOCUMENTED
>
> Added EINVAL, as per Eric's reply. (Eric does that error also apply
> for the two new cases you added?).
>
>>>        Because the above unshare(2) and setns(2) calls only change the
>>>        PID  namespace  for created children, the clone(2) calls neces‐
>>>        sarily put the new thread in a different PID namespace from the
>>>        calling thread.
>>
>>
>> Um, no they don't. They fail. That's the point.
>
> (Good catch.)
>
>> They _would_ put the new
>> thread in a different PID namespace, which breaks the definition of threads.
>>
>> How about:
>>
>> The above unshare(2) and setns(2) calls change the PID namespace of
>> children created by subsequent clone(2) calls, which is incompatible
>> with CLONE_VM.
>
> I decided on:
>
>        The  point  here is that unshare(2) and setns(2) change the PID
>        namespace for created children but not for the calling process,
>        while  clone(2) CLONE_VM specifies the creation of a new thread
>        in the same process.

Can we make that "for all new tasks created" instead of "created
children"

Othewise someone might expect CLONE_THREAD would work as you
CLONE_THREAD creates a thread and not a child...

Eric

next prev parent reply	other threads:[~2013-03-01 15:35 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-28 11:24 For review: pid_namespaces(7) man page Michael Kerrisk (man-pages)
2013-02-28 14:24 ` Vasily Kulikov
2013-03-01  8:03   ` Michael Kerrisk (man-pages)
2013-03-01  8:36     ` Eric W. Biederman
2013-03-01  8:53       ` Michael Kerrisk (man-pages)
2013-02-28 15:24 ` Eric W. Biederman
2013-03-01  8:50   ` Michael Kerrisk (man-pages)
2013-03-01  9:10     ` Eric W. Biederman
2013-03-01 10:20       ` Michael Kerrisk (man-pages)
2013-03-01  4:01 ` Rob Landley
2013-03-01  6:58   ` Eric W. Biederman
2013-03-01  9:57   ` Michael Kerrisk (man-pages)
2013-03-01 15:35     ` Eric W. Biederman [this message]
2013-03-04 12:46       ` Michael Kerrisk (man-pages)
2013-03-04 17:52         ` Eric W. Biederman
     [not found]           ` <CAKgNAkjYmvjMzC+nYqsjHf4bQn2ZwdE5wawoP2p32ZSo+0dfcQ@mail.gmail.com>
2013-03-05  6:23             ` Michael Kerrisk (man-pages)
2013-03-05  6:41             ` Eric W. Biederman
2013-03-05  8:37               ` Michael Kerrisk (man-pages)
2013-03-06  0:40                 ` Eric W. Biederman
2013-03-07  8:20                   ` Michael Kerrisk (man-pages)
2013-03-07  8:31                     ` Eric W. Biederman
2013-03-06  1:58           ` Rob Landley
2013-03-06  2:23             ` Eric W. Biederman
2013-03-04  3:50     ` Rob Landley
2013-03-04  4:03       ` Eric W. Biederman
2013-03-04 12:48         ` Michael Kerrisk (man-pages)
2013-03-04 19:27         ` Rob Landley
2013-03-05  7:01           ` Michael Kerrisk (man-pages)
2013-03-04 12:50       ` Michael Kerrisk (man-pages)
  -- strict thread matches above, loose matches on Subject: below --
2014-08-20 23:38 Michael Kerrisk (man-pages)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87wqtr3zg5.fsf@xmission.com \
    --to=ebiederm@xmission.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-man@vger.kernel.org \
    --cc=mtk.manpages@gmail.com \
    --cc=rob@landley.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox