lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <47bf8da26b5ec71f98b9bc736dbca2d8277417f2.camel@HansenPartnership.com>
Date:   Fri, 19 Nov 2021 11:42:18 -0500
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     "Yordan Karadzhov (VMware)" <y.karadz@...il.com>,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        viro@...iv.linux.org.uk, mingo@...hat.com, hagen@...u.net,
        rppt@...nel.org, akpm@...ux-foundation.org, vvs@...tuozzo.com,
        shakeelb@...gle.com, christian.brauner@...ntu.com,
        mkoutny@...e.com, Linux Containers <containers@...ts.linux.dev>,
        Steven Rostedt <rostedt@...dmis.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [RFC PATCH 0/4] namespacefs: Proof-of-Concept

[resend due to header mangling causing loss on the lists]
On Fri, 2021-11-19 at 09:27 -0500, Steven Rostedt wrote:
> On Fri, 19 Nov 2021 07:45:01 -0500
> James Bottomley <James.Bottomley@...senPartnership.com> wrote:
> 
> > On Thu, 2021-11-18 at 14:24 -0500, Steven Rostedt wrote:
> > > On Thu, 18 Nov 2021 12:55:07 -0600
> > > ebiederm@...ssion.com (Eric W. Biederman) wrote:
> > >   
> > > > It is not correct to use inode numbers as the actual names for
> > > > namespaces.
> > > > 
> > > > I can not see anything else you can possibly uses as names for
> > > > namespaces.  
> > > 
> > > This is why we used inode numbers.
> > >   
> > > > To allow container migration between machines and similar
> > > > things the you wind up needing a namespace for your names of
> > > > namespaces.  
> > > 
> > > Is this why you say inode numbers are incorrect?  
> > 
> > The problem is you seem to have picked on one orchestration system
> > without considering all the uses of namespaces and how this would
> > impact them.  So let me explain why inode numbers are incorrect and
> > it will possibly illuminate some of the cans of worms you're
> > opening.
> > 
> > We have a container checkpoint/restore system called CRIU that can
> > be used to snapshot the state of a pid subtree and restore it.  It
> > can be used for the entire system or piece of it.  It is also used
> > by some orchestration systems to live migrate containers.  Any
> > property of a container system that has meaning must be saved and
> > restored by CRIU.
> > 
> > The inode number is simply a semi random number assigned to the
> > namespace.  it shows up in /proc/<pid>/ns but nowhere else and
> > isn't used by anything.  When CRIU migrates or restores containers,
> > all the namespaces that compose them get different inode values on
> > the restore.  If you want to make the inode number equivalent to
> > the container name, they'd have to restore to the previous number
> > because you've made it a property of the namespace.  The way
> > everything is set up now, that's just not possible and never will
> > be.  Inode numbers are a 32 bit space and can't be globally
> > unique.  If you want a container name, it will have to be something
> > like a new UUID and that's the first problem you should tackle.
> 
> So everyone seems to be all upset about using inode number. We could
> do what Kirill suggested and just create some random UUID and use
> that. We could have a file in the directory called inode that has the
> inode number (as that's what both docker and podman use to identify
> their containers, and it's nice to have something to map back to
> them).
> 
> On checkpoint restore, only the directories that represent the
> container that migrated matter, so as Kirill said, make sure they get
> the old UUID name, and expose that as the directory.
> 
> If a container is looking at directories of other containers on the
> system, then it gets migrated to another system, it should be treated
> as though those directories were deleted under them.
> 
> I still do not see what the issue is here.

The issue is you're introducing a new core property for namespaces they
didn't have before.  Everyone has different use cases for containers
and we need to make sure the new property works with all of them.

Having a "name" for a namespace has been discussed before which is the
landmine you stepped on when you advocated using the inode number as
the name, because that's already known to be unworkable.

Can we back up and ask what problem you're trying to solve before we
start introducing new objects like namespace name?  The problem
statement just seems to be "Being able to see the structure of the
namespaces can be very useful in the context of the containerized
workloads."  which you later expanded on as "trying to add more
visibility into the working of things like kubernetes".  If you just
want to see the namespace "tree" you can script that (as root) by
matching the process tree and the /proc/<pid>/ns changes without
actually needing to construct it in the kernel.  This can also be done
without introducing the concept of a namespace name.  However, there is
a subtlety of doing this matching in the way I described in that you
don't get proper parenting to the user namespace ownership ... but that
seems to be something you don't want anyway?

James



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ