[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200730144254.uabteale5tvtpkzp@wittgenstein>
Date: Thu, 30 Jul 2020 16:42:54 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Kirill Tkhai <ktkhai@...tuozzo.com>, viro@...iv.linux.org.uk,
adobriyan@...il.com, davem@...emloft.net,
akpm@...ux-foundation.org, areber@...hat.com, serge@...lyn.com,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH 00/23] proc: Introduce /proc/namespaces/ directory to
expose namespaces lineary
On Thu, Jul 30, 2020 at 09:34:01AM -0500, Eric W. Biederman wrote:
> Kirill Tkhai <ktkhai@...tuozzo.com> writes:
>
> > Currently, there is no a way to list or iterate all or subset of namespaces
> > in the system. Some namespaces are exposed in /proc/[pid]/ns/ directories,
> > but some also may be as open files, which are not attached to a process.
> > When a namespace open fd is sent over unix socket and then closed, it is
> > impossible to know whether the namespace exists or not.
> >
> > Also, even if namespace is exposed as attached to a process or as open file,
> > iteration over /proc/*/ns/* or /proc/*/fd/* namespaces is not fast, because
> > this multiplies at tasks and fds number.
>
> I am very dubious about this.
>
> I have been avoiding exactly this kind of interface because it can
> create rather fundamental problems with checkpoint restart.
>
> You do have some filtering and the filtering is not based on current.
> Which is good.
>
> A view that is relative to a user namespace might be ok. It almost
> certainly does better as it's own little filesystem than as an extension
> to proc though.
>
> The big thing we want to ensure is that if you migrate you can restore
> everything. I don't see how you will be able to restore these files
> after migration. Anything like this without having a complete
> checkpoint/restore story is a non-starter.
>
> Further by not going through the processes it looks like you are
> bypassing the existing permission checks. Which has the potential
> to allow someone to use a namespace who would not be able to otherwise.
>
> So I think this goes one step too far but I am willing to be persuaded
> otherwise.
I think we discussed this at Plumbers (last year I want to say?) and
you were against making this a part of procfs already back then, I
think. The last known idead we could agree on was debugfs (shudder). But
a tiny separate fs might work as well.
We really would want those introspection abilities this provides though.
For us it was for debugging when namespaces linger and also to crawl
and inspect namespaces from LXD and various other use-cases. So if we
could make this happen in some form that'd be great.
Thanks!
Christian
Powered by blists - more mailing lists