[CRIU] [PATCH 1/4] Support for dumping/restoring user namespaces

Ying Han yinghan at google.com
Mon Aug 18 08:31:45 PDT 2014


On Wed, Aug 13, 2014 at 10:12 PM, Pavel Emelyanov <xemul at parallels.com>
wrote:

> On 08/14/2014 01:55 AM, Aditya Kali wrote:
> > On Wed, Aug 13, 2014 at 12:53 AM, Cyrill Gorcunov <gorcunov at gmail.com> wrote:
> >> On Mon, Aug 11, 2014 at 05:17:10PM +0400, Andrew Vagin wrote:
> >>> Hi Sophie,
> >>>
> >>> On Fri, Aug 08, 2014 at 10:21:19PM -0700, Sophie Blee-Goldman wrote:
> >>>> Adds basic support for user namespaces by dumping and restoring
> >>>> the namespace itself and the uid/gid maps of the root process.
> >>>
> >>> How do you test your patches? ZDTM test suite can execute tests in
> >>> namespaces, but the current version knows nothing about userns. Have you
> >>> tried to add userns in ZDTM lib?
> >>>
> >>>>
> >>>> Currently depends on a kernel patch to avoid failing on the prctl
> >>>> syscall by checking for CAP_SYS_RESOURCE in the user namespace
> >>>> instead of in the global one.
> >>>
> >>> It isn't so simple.
> >>> Kirill is trying to fix this issue: https://lkml.org/lkml/2014/8/4/570
> >>
> >> Yes, this particular series is acked by Serge but didn't reach -mm
> >> or -next tree yet, I think people need more time to think if it is
> >> safe.
> >>
> >>>
> >>> We have a number of other kernel issues, which are described here:
> >>> http://criu.org/UserNamespace
> >>>
> >>> Have you seen my patches for userns?
> >>> http://lists.openvz.org/pipermail/criu/2014-February/012399.html
> >>>
> >>> and here is updated version:
> >>> https://github.com/avagin/criu/tree/userns2
> >>>
> >>> I suggest to find the difference between our patch sets and make a new one,
> >>> which will contain best things from both ones.
> >
> > Some of Sophie's changes/fixes are applicable to main criu branch even
> > without userns support. Other userns specific changes could be applied
> > to the Andrew Vagin's userns tree. They will need to be split
> > accordingly.
>
> Yup, Sophie's fix for parasite args size calculation is already merged :)
>
> https://github.com/xemul/criu/commit/3faaed2f6461d018c8d4e05010967f8085a5a5e5
>
> >>
> >> Guys, actually I don't see much point in implementing user-ns support until
> >> all restrictions from kernel are moved off. I mean we can prepare kind of
> >> scaffold code (I must admit I didn't read the series precisely) but without
> >> kernel support it might be a waste of time, the kernel interface variant
> >> which will be eventually merged might be completely different from initial
> >> proposal. Thus, from my POV -- priority number 1 is to address the kernel.
> >>
> >> Still, if we need a scaffold code -- it should be quite "common" and won't
> >> require much effort to change once kernel gets stabilized in new interfaces.
> >>
> >> Don't get me wrong please, I'm not against user-ns development in criu at
> >> the current stage but it must be done by very small pieces keeping in mind
> >> that kernel might be heavily changed.
> >
> > Even with kernel changes not finalized, I find it useful to have
> > userns changes in CRIU done somewhere. With Sophie's patches, the
> > CRIU-userns support at least lets us dump and restore uid mappings &
> > capabilities (with experimental kernel). I feel it's valuable to be
> > able to test these as it lets us find issues in our container setup
> > early on.
>
> I do agree, that userns support is better to get merged early and kernel
> to get fixed eventually. What I ask is two things:
>
> 1. We need to know exactly what is not working and using zdtm tests
>    for this seems the best way to me.
>
> 2. Since we have two experts in this area -- Andrey and Sophie -- it
>    would be great if they come to an agreement on how things should
>    look like, so we have really great userns code.
>

Sophie finished her internship last week, and remove her email from here
which won't work from this moment.

Pavel, I think you have merged all the patches she recently pushed and the
remaining ones are the actual user namespace support which are also being
covered by Andrew's patches. So let us know what you guys need help with
and we will follow up from there.

Thanks

--Ying



>
> Thanks,
> Pavel