Re: [PATCH 2/5] nsenter: add --all meaning all namespaces and cwd and root

["Ángel González" <ingenit@zoho.com>]

Eric W. Biederman writes:
> Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> writes:
>>>  Not sure if this is the right argument. From my point of view it's
>>>  better to be explicit for such things, something like --all sounds
>>>  like a magical blackbox where semantic depends on features implemented
>>>  by kernel and nsenter(1). 
> 
> Which is the reason I did not implement --all in the first place,
> although it is attractive.
> 
>> Hi,
>>
>> I'm was trying to document how a user should enter a namespace
>> container created by systemd-nspawn. I would prefer not to have the
>> user type 'nsenter -t $PID -muipn', but something simpler.
> 
> As I see it nsenter is the raw tool for when you need to get your
> hands dirty.  lxc already has a more integrated version.  And
> it isn't hard to define a simple wrapper such as:
> 
> cat > systemd-nsenter <<EOF
> #!/bin/sh
> PID=$1
> shift
> exec nsenter -t $PID --mount --ipc --pid --net --uts "$@"
> EOF
> 
> If you need things to be slightly simpler and it isn't worth deriving
> your own c wrapper.

Except that when you are distributing such script (eg. an init-like
script), your shell script will need to add code detecting which
namespaces the kernel supports (and adding appropiate flags to nsenter)
and checking if your nsenter version supports them or not.

It's better to have --all to enter all namespaces that nsenter supports.
If you want to, it could print a warning when using --all and nsenter
knows about more namespaces than the kernel or if it detects that the
kernel knows about more namespaces than itself.
But having a --all to enter “as namespaces as possible” would be the
right thing IMHO.