From: Sukadev Bhattiprolu
Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.
Date: Tue, 2 Mar 2010 13:19:42 -0800
Message-ID: <20100302211942.GA17816@us.ibm.com>
References: <4B88D80A.8010701@parallels.com> <4B88E431.6040609@parallels.com> <4B894564.7080104@parallels.com> <4B89727C.9040602@parallels.com> <4B8AE8C1.1030305@free.fr> <4B8D28CF.8060304@parallels.com>
In-Reply-To: <4B8D28CF.8060304@parallels.com>
To: Pavel Emelyanov
Cc: Daniel Lezcano, Linux Netdev List, containers@lists.linux-foundation.org, Netfilter Development Mailinglist, "Eric W. Biederman", Ben Greear
List-Id: netfilter-devel.vger.kernel.org

Pavel Emelyanov [xemul@parallels.com] wrote:
| > I agree with all the points you and Pavel talked about, but I don't
| > feel comfortable to have the current process switch the pid namespace
| > because of the process tree hierarchy (what will be the parent of the
| > process when you enter the pid namespace, for example?).
|
| The answer is - the one that used to be. I see no problems with it.
| Do you?

Just to be clear, when a process unshares its pid namespace, it takes on an
additional pid nr (== 1) in the new namespace but retains its original pid
nr(s) in the parent (ancestor) namespaces, right? i.e. the process becomes
the container-init of the new namespace.

When it exits, all its children belonging to the new namespace are killed
too, but any children in the parent namespace (i.e. children created before
unshare()) are not killed.

After the unshare() the process will not be able to signal any children it
created before the unshare() (because their active pid namespaces are
different).

Sukadev
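Added example, not code from the RFC patch or from anyone in this thread: a C program probing the mainline semantics, where clone(2) with CLONE_NEWPID makes the child (not the caller) pid 1 of the new namespace. It shows the container-init seeing getpid() == 1 and getppid() == 0 (its parent is outside the namespace), and that a pid from the outer namespace cannot be looked up from inside (kill() fails with ESRCH), which is the "different active pid namespaces" point in the message above. It needs CAP_SYS_ADMIN or an unprivileged user namespace and reports skipped otherwise; the struct and function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the init of the new pid namespace observes about itself. */
struct pidns_view { pid_t inner_pid, inner_ppid; int kill_errno; };
struct pidns_probe { int skipped; pid_t outer_pid; struct pidns_view v; };
static char child_stack[64 * 1024];
static int to_child[2], from_child[2];

/* Entry point of the clone()d child: pid 1 (container-init) of the new namespace. */
static int ns_init(void *arg)
{
    struct pidns_view v; pid_t outer_self;
    (void)arg;
    if (read(to_child[0], &outer_self, sizeof outer_self) != sizeof outer_self) return 1;
    v.inner_pid = getpid();    /* 1: this process is the container-init */
    v.inner_ppid = getppid();  /* 0: the parent lives outside this namespace */
    /* Our outer pid is not visible in here, so the lookup fails with ESRCH. */
    v.kill_errno = (kill(outer_self, 0) == 0) ? 0 : errno;
    if (write(from_child[1], &v, sizeof v) != sizeof v) return 1;
    for (;;) pause();          /* stay alive until killed from outside */
}

/* Creates the namespace and collects the child's view; skipped=1 if not permitted. */
struct pidns_probe probe_pid_namespace(void)
{
    struct pidns_probe r = {0};
    void *top = child_stack + sizeof child_stack;
    if (pipe(to_child) || pipe(from_child)) { r.skipped = 1; return r; }
    r.outer_pid = clone(ns_init, top, CLONE_NEWPID | SIGCHLD, NULL);
    if (r.outer_pid < 0 && errno == EPERM)  /* unprivileged: retry inside a user ns */
        r.outer_pid = clone(ns_init, top, CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, NULL);
    if (r.outer_pid < 0) { r.skipped = 1; return r; }
    if (write(to_child[1], &r.outer_pid, sizeof r.outer_pid) != sizeof r.outer_pid ||
        read(from_child[0], &r.v, sizeof r.v) != sizeof r.v) r.skipped = 1;
    kill(r.outer_pid, SIGKILL);  /* the caller still addresses the child by its outer pid */
    waitpid(r.outer_pid, NULL, 0);
    return r;
}

/* 1 if the probe was skipped or matches the expected namespace semantics. */
int pidns_probe_ok(struct pidns_probe r)
{
    return r.skipped || (r.outer_pid > 1 && r.v.inner_pid == 1 &&
                         r.v.inner_ppid == 0 && r.v.kill_errno == ESRCH);
}
```

Run it as root or with unprivileged user namespaces enabled; inside a container whose seccomp profile refuses namespace creation it simply reports skipped.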