lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8760zpxgte.fsf@x220.int.ebiederm.org>
Date:	Wed, 23 Dec 2015 10:36:45 -0600
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Dongsheng Yang <yangds.fnst@...fujitsu.com>
Cc:	Al Viro <viro@...IV.linux.org.uk>,
	<containers@...ts.linux-foundation.org>,
	LKML <linux-kernel@...r.kernel.org>, <cgroups@...r.kernel.org>,
	Kamezawa Hiroyuki <kamezawa.hiroyu@...fujitsu.com>
Subject: Re: [Propose] Isolate core_pattern in mnt namespace.

Dongsheng Yang <yangds.fnst@...fujitsu.com> writes:

> On 12/22/2015 05:52 AM, Eric W. Biederman wrote:
>> For your case that sounds like it would work.  Unfortunately for this to
>> be generally applicable and to let the OS in the contianer control it's
>> fate the core dump pattern needs to be supported.
>>
>> Otherwise something clever in userspace that can be written now should
>> be sufficient to fill the gap.  There is enough information for the user
>> mode helper to implement the policy you would like today.
>
> Hi Eric,
>
> To make sure I understand your point correctly:
> 	Do you mean we can write a userspace helper in host such as
> /usr/libexec/docker-pipe to get what I want?
>
> Yes, I would say, for my case, it would work. This helper can get the
> dump data from containers and dispatch them to different path such
> as /var/lib/docker/cores/<ContainerID>/.

Yes.  And there is enough information present at that time it can
save the core dumpes inside the container the application was
running in.

> But there would be two problems in this solution.
> (1). It may affect core dump on host. Normally, other processes in
>  host would not be happy to use a helper of docker-pipe for themselves.
>  But host have to share the core_pattern with containers, can't config
>  it by itself.

So far figuring out how to share the core dump helper appears simpler
than fixing user mode helper.

> (2). If there are some containers don't want to pass the core files
> to host, they can't set the core_pattern in this solution.

Again so far fixing that in user space appears to be more tractable
and easier than anything that has been proposed kernel side.

> IMO, we can get core files on host currently, by either non-pipe way I
> described above or the pipe way you suggested. But the problem is both
> of these methods would affect the core_pattern on host and other
> containers.
>
> So, I think the key point here is just isolating the core dump related
> sysctl in mnt namespace.

You don't have to convince me it would be nice to do.  You have to
convince me it is practical to implement.  Which is an entirely
different problem.

Given the other constraints on an implementation the pid namespace looks
by far the one best suited to host such a sysctl if it is possible to
implement safely.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ