[CRIU] [PATCH v2 00/36] Nested user namespaces support

Kirill Tkhai ktkhai at virtuozzo.com
Fri Feb 3 08:11:34 PST 2017 

Hi,

this is the second version of nested user namespaces support.
There are also a couple of refactoring for pid namespaces
support, which is the thing I'm working at the moment.
In comparation to v1, rewritten almost everything.

The details.
1)User namespaces are generated before tasks. It's need,
because they are not correlated with tasks hierarhy in
any way: parent task may have a user_ns weaker than its
child.

2)NS_ROOT user namespace is created in the moment of clone()
of root_item, while child user_ns are generated from criu
main task. This is made to do child processes not inherite
open ns's file descriptors (so, they do not need close them),
if we'd generate them from root_item.

3)uids/gids/fsuid,fsgid are saved according to NS_ROOT,
if it exists, or NS_CRIU, if not. This is made, because
uid may do not have a mapping in a child user_ns. So,
we choose this format.
In ideally, every xid should be restored in the lowerst
user_ns, where it's mapped, but it's not implemented yet.

4)New format file for saving ns relationships is introduced.
Also, user_ns mappings are moved there. In ideal, other
namespaces should be also.
It's a single file, not an CR_FD_USERNS file for every
user_ns, like we use now.

5)Opening fd's of processes from other user_ns are implemented
using usernsd.

https://travis-ci.org/tkhai/criu/builds/198046261

---

Kirill Tkhai (36):
      files: Fix not populated helper ids
      files: Do not lost original errno value
      zdtm: Add userns00 test
      zdtm: Add userns01 test
      core: Introduce last_pid_mutex and use it to synchronize ns_last_pid assignment
      restore: Implement set_next_pid() helper
      ns: Set nested namespaces hookups
      ns: Set hookups for all namespaces
      ns: Change arguments of dump_user_ns()
      user_ns: Make collect_user_ns() allocate child UsernsEntry mappings
      user_ns: Make host_id() working with any mapping and rename it
      ns: Rename and export userns_id() and INVALID_ID
      ns: Implement target_userns_{u,g}id() and root_userns_{u,g}id()
      ns: Add user, net and pid ns_id on restore
      user_ns: Name loading UsernsEntry mappings on restore "old format"
      ns: Provide the case when root_item has !NS_ROOT user_ns in rst_add_ns_id()
      ns: Set pointer to root_user_ns in ns_ids
      ns: Implement dup_userns_entry()
      images: Move uid_gid_extent and userns_entry desctiptions
      proto: Add ns_hookup_entry description
      ns: Write/read ns entries in new way
      ns: Make prepare_userns() have ns map parameter
      ns: Make write_id_map() use CR_PROC_FD_OFF
      proc: Close CR_PROC_FD_OFF and TRANSPORT_FD_OFF later
      utils: Move getting real pid functionality to separate function
      ns: Add ns_owner
      ns: Generate user_ns tree
      utils: Introduce open_fd_of_real_pid()
      ns: Implement set_user_ns()
      ns: Set target user_ns after create_children_and_session()
      shmem: Fixup shmem_wait_and_open() opens foreign /proc/[pid]/fd/[i]
      rst: Pass pstree_item argument to alloc_groups_copy_creds()
      ns: Dump creds xids in root_user_ns
      ns: Convert task cred's xids to target user ns
      proc: Implement find_vma_size()
      ns: Allow nested user namespaces


 criu/cgroup.c                   |    2 
 criu/cr-dump.c                  |    6 
 criu/cr-restore.c               |  138 ++++---
 criu/files-reg.c                |    3 
 criu/files.c                    |    1 
 criu/image-desc.c               |    1 
 criu/include/cgroup.h           |    2 
 criu/include/image-desc.h       |    1 
 criu/include/magic.h            |    1 
 criu/include/namespaces.h       |   44 ++
 criu/include/parasite-syscall.h |    4 
 criu/include/proc_parse.h       |    1 
 criu/include/protobuf-desc.h    |    1 
 criu/include/pstree.h           |    2 
 criu/include/rst_info.h         |    1 
 criu/include/util.h             |    3 
 criu/namespaces.c               |  809 ++++++++++++++++++++++++++++++++++++---
 criu/parasite-syscall.c         |   42 +-
 criu/pie/restorer.c             |   56 +--
 criu/proc_parse.c               |   34 ++
 criu/protobuf-desc.c            |    2 
 criu/pstree.c                   |   18 +
 criu/shmem.c                    |    4 
 criu/util.c                     |   48 ++
 images/Makefile                 |    1 
 images/ns.proto                 |   29 +
 images/userns.proto             |   12 -
 lib/py/images/images.py         |    1 
 test/zdtm/static/Makefile       |    2 
 test/zdtm/static/userns00.c     |  289 ++++++++++++++
 test/zdtm/static/userns00.desc  |    1 
 test/zdtm/static/userns01.c     |  149 +++++++
 test/zdtm/static/userns01.desc  |    1 
 33 files changed, 1529 insertions(+), 180 deletions(-)
 delete mode 100644 images/userns.proto
 create mode 100644 test/zdtm/static/userns00.c
 create mode 100644 test/zdtm/static/userns00.desc
 create mode 100644 test/zdtm/static/userns01.c
 create mode 100644 test/zdtm/static/userns01.desc

--
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>

More information about the CRIU mailing list