[CRIU] [PATCH v2 00/36] Nested user namespaces support

Kirill Tkhai ktkhai at virtuozzo.com
Mon Feb 6 01:08:33 PST 2017


On 04.02.2017 01:50, Andrei Vagin wrote:
> On Fri, Feb 03, 2017 at 07:11:34PM +0300, Kirill Tkhai wrote:
>> Hi,
>>
>> this is the second version of nested user namespaces support.
>> There are also a couple of refactorings for pid namespaces
>> support, which is the thing I'm working on at the moment.
>> In comparison to v1, almost everything is rewritten.
>>
>> The details.
>> 1) User namespaces are generated before tasks. This is needed,
>> because they are not correlated with the task hierarchy in
>> any way: a parent task may have a user_ns weaker than its
>> child.
>>
>> 2) The NS_ROOT user namespace is created at the moment of clone()
>> of root_item, while child user_ns's are generated from the criu
>> main task. This is done so that child processes do not inherit
>> open ns file descriptors (so they do not need to close them),
>> as they would if we generated them from root_item.
>>
>> 3) uids/gids/fsuid/fsgid are saved according to NS_ROOT,
>> if it exists, or NS_CRIU, if not. This is done because
>> a uid may not have a mapping in a child user_ns. So
>> we choose this format.
>> Ideally, every xid should be restored in the lowest
>> user_ns where it's mapped, but that's not implemented yet.
>>
>> 4) A new format file for saving ns relationships is introduced.
>> Also, user_ns mappings are moved there. Ideally, other
>> namespaces should be too.
>> It's a single file, not a CR_FD_USERNS file for every
>> user_ns, like we use now.
>>
>> 5) Opening fds of processes from other user_ns's is implemented
>> using usernsd.
> 
> Files and sockets have to be opened from their user namespaces,
> did you think about this?
> 
> For example, you can look at sk_user_ns().

There are already 38 patches here, which is quite a lot. I'm not going to add more functionality
to this patchset.

Functionality for opening files from a specific user ns will just be an extension of
the skeleton this patchset builds.
 
>>
>> https://travis-ci.org/tkhai/criu/builds/198046261
>>
>> ---
>>
>> Kirill Tkhai (36):
>>       files: Fix not populated helper ids
>>       files: Do not lose original errno value
>>       zdtm: Add userns00 test
>>       zdtm: Add userns01 test
>>       core: Introduce last_pid_mutex and use it to synchronize ns_last_pid assignment
>>       restore: Implement set_next_pid() helper
>>       ns: Set nested namespaces hookups
>>       ns: Set hookups for all namespaces
>>       ns: Change arguments of dump_user_ns()
>>       user_ns: Make collect_user_ns() allocate child UsernsEntry mappings
>>       user_ns: Make host_id() working with any mapping and rename it
>>       ns: Rename and export userns_id() and INVALID_ID
>>       ns: Implement target_userns_{u,g}id() and root_userns_{u,g}id()
>>       ns: Add user, net and pid ns_id on restore
>>       user_ns: Name loading UsernsEntry mappings on restore "old format"
>>       ns: Provide the case when root_item has !NS_ROOT user_ns in rst_add_ns_id()
>>       ns: Set pointer to root_user_ns in ns_ids
>>       ns: Implement dup_userns_entry()
>>       images: Move uid_gid_extent and userns_entry descriptions
>>       proto: Add ns_hookup_entry description
>>       ns: Write/read ns entries in new way
>>       ns: Make prepare_userns() have ns map parameter
>>       ns: Make write_id_map() use CR_PROC_FD_OFF
>>       proc: Close CR_PROC_FD_OFF and TRANSPORT_FD_OFF later
>>       utils: Move getting real pid functionality to separate function
>>       ns: Add ns_owner
>>       ns: Generate user_ns tree
>>       utils: Introduce open_fd_of_real_pid()
>>       ns: Implement set_user_ns()
>>       ns: Set target user_ns after create_children_and_session()
>>       shmem: Fixup shmem_wait_and_open() opens foreign /proc/[pid]/fd/[i]
>>       rst: Pass pstree_item argument to alloc_groups_copy_creds()
>>       ns: Dump creds xids in root_user_ns
>>       ns: Convert task cred's xids to target user ns
>>       proc: Implement find_vma_size()
>>       ns: Allow nested user namespaces
>>
>>
>>  criu/cgroup.c                   |    2 
>>  criu/cr-dump.c                  |    6 
>>  criu/cr-restore.c               |  138 ++++---
>>  criu/files-reg.c                |    3 
>>  criu/files.c                    |    1 
>>  criu/image-desc.c               |    1 
>>  criu/include/cgroup.h           |    2 
>>  criu/include/image-desc.h       |    1 
>>  criu/include/magic.h            |    1 
>>  criu/include/namespaces.h       |   44 ++
>>  criu/include/parasite-syscall.h |    4 
>>  criu/include/proc_parse.h       |    1 
>>  criu/include/protobuf-desc.h    |    1 
>>  criu/include/pstree.h           |    2 
>>  criu/include/rst_info.h         |    1 
>>  criu/include/util.h             |    3 
>>  criu/namespaces.c               |  809 ++++++++++++++++++++++++++++++++++++---
>>  criu/parasite-syscall.c         |   42 +-
>>  criu/pie/restorer.c             |   56 +--
>>  criu/proc_parse.c               |   34 ++
>>  criu/protobuf-desc.c            |    2 
>>  criu/pstree.c                   |   18 +
>>  criu/shmem.c                    |    4 
>>  criu/util.c                     |   48 ++
>>  images/Makefile                 |    1 
>>  images/ns.proto                 |   29 +
>>  images/userns.proto             |   12 -
>>  lib/py/images/images.py         |    1 
>>  test/zdtm/static/Makefile       |    2 
>>  test/zdtm/static/userns00.c     |  289 ++++++++++++++
>>  test/zdtm/static/userns00.desc  |    1 
>>  test/zdtm/static/userns01.c     |  149 +++++++
>>  test/zdtm/static/userns01.desc  |    1 
>>  33 files changed, 1529 insertions(+), 180 deletions(-)
>>  delete mode 100644 images/userns.proto
>>  create mode 100644 test/zdtm/static/userns00.c
>>  create mode 100644 test/zdtm/static/userns00.desc
>>  create mode 100644 test/zdtm/static/userns01.c
>>  create mode 100644 test/zdtm/static/userns01.desc
>>
>> --
>> Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
>> _______________________________________________
>> CRIU mailing list
>> CRIU at openvz.org
>> https://lists.openvz.org/mailman/listinfo/criu
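Points 1) and 3) of the cover letter above rest on how a uid known in NS_ROOT translates through a chain of nested uid_map files, and why it can fail to have any mapping in a child user_ns. The C program below is an added illustration written for this page, not CRIU code from the series: it parses uid_map text in the format the kernel prints (`inner outer count`, one extent per line), walks a constructed two-level chain downwards (NS_ROOT to the innermost ns, as a restore would need) and upwards (innermost ns to NS_ROOT, as the series does when it dumps creds xids in root_user_ns), and reports the unmapped case explicitly rather than letting it collapse into the kernel's overflowuid. The sample maps, the `uid_map` chain array and all function names are assumptions made for the example.

```c
#include <stdio.h>

/* The kernel allows only a handful of extents per map; 8 is plenty here. */
#define MAX_EXTENTS 8

/* One line of /proc/[pid]/uid_map: "inner outer count". */
struct uid_extent {
    unsigned inner;  /* first id as seen inside this user_ns */
    unsigned outer;  /* first id as seen in the parent user_ns */
    unsigned count;  /* length of the range */
};

struct uid_map {
    struct uid_extent ext[MAX_EXTENTS];
    int n;
};

/* Parse uid_map text as the kernel prints it (space padded, newline separated). */
static int parse_uid_map(const char *text, struct uid_map *map)
{
    const char *p = text;

    map->n = 0;
    while (*p) {
        unsigned inner, outer, count;
        int used = 0;

        if (map->n == MAX_EXTENTS)
            return -1;
        if (sscanf(p, "%u %u %u%n", &inner, &outer, &count, &used) != 3)
            return -1;
        map->ext[map->n].inner = inner;
        map->ext[map->n].outer = outer;
        map->ext[map->n].count = count;
        map->n++;
        p += used;
        while (*p == '\n' || *p == ' ')
            p++;
    }
    return 0;
}

/* Parent-ns id -> this ns. Returns -1 when no extent covers it; the kernel
 * would then show overflowuid (65534) to tasks inside this ns. */
static int map_from_parent(const struct uid_map *map, unsigned parent_uid, unsigned *uid)
{
    for (int i = 0; i < map->n; i++) {
        const struct uid_extent *e = &map->ext[i];
        if (parent_uid >= e->outer && parent_uid - e->outer < e->count) {
            *uid = e->inner + (parent_uid - e->outer);
            return 0;
        }
    }
    return -1;
}

/* This-ns id -> parent ns, the direction needed to express a creds xid in NS_ROOT. */
static int map_to_parent(const struct uid_map *map, unsigned uid, unsigned *parent_uid)
{
    for (int i = 0; i < map->n; i++) {
        const struct uid_extent *e = &map->ext[i];
        if (uid >= e->inner && uid - e->inner < e->count) {
            *parent_uid = e->outer + (uid - e->inner);
            return 0;
        }
    }
    return -1;
}

/* chain[0] is the direct child of NS_ROOT, chain[depth-1] the innermost user_ns. */
static int map_root_to_nested(const struct uid_map *chain, int depth, unsigned root_uid, unsigned *uid)
{
    unsigned cur = root_uid;
    for (int i = 0; i < depth; i++)
        if (map_from_parent(&chain[i], cur, &cur) < 0)
            return -1;  /* unmapped at level i: no valid uid exists further down */
    *uid = cur;
    return 0;
}

static int map_nested_to_root(const struct uid_map *chain, int depth, unsigned uid, unsigned *root_uid)
{
    unsigned cur = uid;
    for (int i = depth - 1; i >= 0; i--)
        if (map_to_parent(&chain[i], cur, &cur) < 0)
            return -1;
    *root_uid = cur;
    return 0;
}

int main(void)
{
    /* Constructed sample maps (not taken from a real system): a container ns
     * directly under NS_ROOT, and a nested ns that maps only container uid 1000. */
    struct uid_map chain[2];
    unsigned probes[] = { 101000, 100000, 0 };
    unsigned uid;

    if (parse_uid_map("         0     100000      65536\n", &chain[0]) < 0 ||
        parse_uid_map("         0       1000          1\n", &chain[1]) < 0)
        return 1;

    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        if (map_root_to_nested(chain, 2, probes[i], &uid) == 0)
            printf("root uid %u -> nested uid %u\n", probes[i], uid);
        else
            printf("root uid %u -> no mapping in nested ns (would read as 65534)\n", probes[i]);
    }
    if (map_nested_to_root(chain, 2, 0, &uid) == 0)
        printf("nested uid 0 -> root uid %u\n", uid);
    return 0;
}
```

Of the three probes, only root uid 101000 reaches the nested ns (as uid 0); 100000 maps into the container but not into the nested ns, and host uid 0 is not mapped even in the container. That is exactly the case point 3) guards against by recording xids relative to NS_ROOT, where every mapped id has a representation, instead of relative to a child user_ns where it may have none.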
