[CRIU] [PATCH] add join-ns opt to criu restore

Pavel Emelyanov xemul at virtuozzo.com
Wed Mar 16 07:17:08 PDT 2016 

On 03/16/2016 06:39 AM, Dengguangxing wrote:
> Hi, Pavel and Andrew,
> 
> Thanks for your reviewing, I would never realize these problems by myself.
> I am not really familiar with namespace, so I don't know exactly what result
> this implementatin would lead to (I did some simple tests only).
> Really appreciate your opinions.
> 
> Here are my solutions to your suggestions, please check if they make sense.
> 
>> There are three things to sort out:
>>
>> 1. What if root task lives in netns, but we ask for --join-ns net?
> In such case, setns() will switch to the new ns.

That's OK, so the --join-ns is overriding the images. That's fine, just
emit a message about this in the log files with pr_info.

>> 2. What if we pass --unshare net and --join-ns net?
>> 3. What if we pass --empty-ns net and --join-ns net?
>>
> maybe should add flag_check rules(if we don't have one), --unshare, --empty-ns and
> --join-ns should conflict.

Yup. This would work I think. Please, add respective checks.

>>
>> Please, also fix the images/rpc.proto and criu/cr-service.c to support this option
>> in RPC API.
> Sorry for missing this, will append that

Awesome :)

Below are Andrey's comments, he would probably comment on them himself.

>>
>> A namespace may be mounted into a file:
>> [root at fc22-vm ~]# ip netns add test
>> [root at fc22-vm ~]# cat /proc/self/mountinfo | grep test
>> 82 80 0:3 net:[4026532214] /run/netns/test rw shared:32 - nsfs nsfs rw
> The opt can be in "NS:PID | PATH" format. finnally It will be parsed into filepath,
> like /proc/12345/ns/net and /run/netns/test
> 
>>
>> If a root task is restore in a new userns, you will not ablt to join
>> external namespaces here. setns() will return EPERM.
> leave user-ns setting to the last one to perform
> 
>>
>> You need to set proper uid and gid to joing an user namespace
> users can set uid and gid while joining user-ns. if not specified, use default one (0?)
> 
> 
>>
>> You need to open namespace files before calling setns for them,
>> because namespace files can become unaccessiable after switching into
>> another mount namespace.
> Awesome! I will amend this as you said
> 
> Ps I will complement and regulate the comment.
> 
> Best Regards!
> Deng
> 
> .
>

More information about the CRIU mailing list