[CRIU] [PATCH 0/5 RFC] Add an interface to discover relationships between namespaces
W. Trevor King
wking at tremily.us
Sat Jul 23 14:58:02 PDT 2016
On Sat, Jul 23, 2016 at 02:38:56PM -0700, James Bottomley wrote:
> On Sat, 2016-07-23 at 14:14 -0700, W. Trevor King wrote:
> > namespaces(7) and clone(2) both have:
> >
> > When a network namespace is freed (i.e., when the last process
> > in the namespace terminates), its physical network devices are
> > moved back to the initial network namespace (not to the parent
> > of the process).
> >
> > So the initial network namespace (the head of net_namespace_list?)
> > is special [1]. To understand how physical network devices will
> > be handled, it seems like we want to treat network devices as a
> > depth-1 tree, with all non-initial net namespaces as children of
> > the initial net namespace. Can we extend this series'
> > NS_GET_PARENT to return:
> >
> > * EPERM for an unprivileged caller (like this series currently does
> > for PID namespaces),
> > * ENOENT when called on net_namespace_list, and
> > * net_namespace_list when called on any other net namespace.
>
> What's the practical application of this? independent net
> namespaces are managed by the ip netns command. It pins them by a
> bind mount in a flat fashion; if we make them hierarchical the tool
> would probably need updating to reflect this, so we're going to need
> a reason to give the network people. Just having the interfaces not
> go back to root when you do an ip netns delete doesn't seem very
> compelling.
I'm not suggesting we add support for deeper nesting, I'm suggesting
we use NS_GET_PARENT to allow sufficiently privileged users to
determine if a given net namespace is the initial net namespace. You
could do this already with something like:
1. Create a new net namespace.
2. Add a physical network device to that namespace.
3. Delete that namespace.
4. See if the physical network device shows up in your
initial-net-namespace candidate.
5. Delete the physical network device (hopefully it ended up somewhere
you can find it ;).
But using an NS_GET_PARENT call seems much safer and easier.
Cheers,
Trevor
--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openvz.org/pipermail/criu/attachments/20160723/3c917578/attachment.sig>
More information about the CRIU
mailing list