[CRIU] [PATCH v2 00/36] Nested user namespaces support

Andrei Vagin avagin at virtuozzo.com
Mon Feb 6 11:15:57 PST 2017


On Mon, Feb 06, 2017 at 12:08:33PM +0300, Kirill Tkhai wrote:
> On 04.02.2017 01:50, Andrei Vagin wrote:
> > On Fri, Feb 03, 2017 at 07:11:34PM +0300, Kirill Tkhai wrote:
> >> Hi,
> >>
> >> this is the second version of nested user namespaces support.
> >> There are also a couple of refactorings for pid namespaces
> >> support, which is the thing I'm working on at the moment.
> >> In comparison to v1, almost everything is rewritten.
> >>
> >> The details.
> >> 1) User namespaces are generated before tasks. This is needed,
> >> because they are not correlated with the tasks hierarchy in
> >> any way: a parent task may have a user_ns weaker than its
> >> child.
> >>
> >> 2) The NS_ROOT user namespace is created at the moment of clone()
> >> of root_item, while child user_ns are generated from the criu
> >> main task. This is done so that child processes do not inherit
> >> open ns file descriptors (so they do not need to close them),
> >> as they would if we generated them from root_item.
> >>
> >> 3) uids/gids/fsuid/fsgid are saved according to NS_ROOT,
> >> if it exists, or NS_CRIU, if not. This is done because
> >> a uid may not have a mapping in a child user_ns. So
> >> we choose this format.
> >> Ideally, every xid should be restored in the lowest
> >> user_ns where it's mapped, but this is not implemented yet.
> >>
> >> 4) A new format file for saving ns relationships is introduced.
> >> Also, user_ns mappings are moved there. Ideally, other
> >> namespaces should be too.
> >> It's a single file, not a CR_FD_USERNS file for every
> >> user_ns, like we use now.
> >>
> >> 5) Opening fds of processes from other user_ns is implemented
> >> using usernsd.
> > 
> > Files and sockets have to be opened from their user namespaces,
> > did you think about this?
> > 
> > For example, you can look at sk_user_ns().
> 
> There are already 38 patches here, which is quite a lot. I'm not going to add more functionality
> to this patchset.
> 
> Functionality of opening files from a specific user ns will be just an extension of
> the skeleton this patchset builds.

Ok.

>  
> >>
> >> https://travis-ci.org/tkhai/criu/builds/198046261
> >>
> >> ---
> >>
> >> Kirill Tkhai (36):
> >>       files: Fix not populated helper ids
> >>       files: Do not lost original errno value
> >>       zdtm: Add userns00 test
> >>       zdtm: Add userns01 test
> >>       core: Introduce last_pid_mutex and use it to synchronize ns_last_pid assignment
> >>       restore: Implement set_next_pid() helper
> >>       ns: Set nested namespaces hookups
> >>       ns: Set hookups for all namespaces
> >>       ns: Change arguments of dump_user_ns()
> >>       user_ns: Make collect_user_ns() allocate child UsernsEntry mappings
> >>       user_ns: Make host_id() working with any mapping and rename it
> >>       ns: Rename and export userns_id() and INVALID_ID
> >>       ns: Implement target_userns_{u,g}id() and root_userns_{u,g}id()
> >>       ns: Add user, net and pid ns_id on restore
> >>       user_ns: Name loading UsernsEntry mappings on restore "old format"
> >>       ns: Provide the case when root_item has !NS_ROOT user_ns in rst_add_ns_id()
> >>       ns: Set pointer to root_user_ns in ns_ids
> >>       ns: Implement dup_userns_entry()
> >>       images: Move uid_gid_extent and userns_entry descriptions
> >>       proto: Add ns_hookup_entry description
> >>       ns: Write/read ns entries in new way
> >>       ns: Make prepare_userns() have ns map parameter
> >>       ns: Make write_id_map() use CR_PROC_FD_OFF
> >>       proc: Close CR_PROC_FD_OFF and TRANSPORT_FD_OFF later
> >>       utils: Move getting real pid functionality to separate function
> >>       ns: Add ns_owner
> >>       ns: Generate user_ns tree
> >>       utils: Introduce open_fd_of_real_pid()
> >>       ns: Implement set_user_ns()
> >>       ns: Set target user_ns after create_children_and_session()
> >>       shmem: Fixup shmem_wait_and_open() opens foreign /proc/[pid]/fd/[i]
> >>       rst: Pass pstree_item argument to alloc_groups_copy_creds()
> >>       ns: Dump creds xids in root_user_ns
> >>       ns: Convert task cred's xids to target user ns
> >>       proc: Implement find_vma_size()
> >>       ns: Allow nested user namespaces
> >>
> >>
> >>  criu/cgroup.c                   |    2 
> >>  criu/cr-dump.c                  |    6 
> >>  criu/cr-restore.c               |  138 ++++---
> >>  criu/files-reg.c                |    3 
> >>  criu/files.c                    |    1 
> >>  criu/image-desc.c               |    1 
> >>  criu/include/cgroup.h           |    2 
> >>  criu/include/image-desc.h       |    1 
> >>  criu/include/magic.h            |    1 
> >>  criu/include/namespaces.h       |   44 ++
> >>  criu/include/parasite-syscall.h |    4 
> >>  criu/include/proc_parse.h       |    1 
> >>  criu/include/protobuf-desc.h    |    1 
> >>  criu/include/pstree.h           |    2 
> >>  criu/include/rst_info.h         |    1 
> >>  criu/include/util.h             |    3 
> >>  criu/namespaces.c               |  809 ++++++++++++++++++++++++++++++++++++---
> >>  criu/parasite-syscall.c         |   42 +-
> >>  criu/pie/restorer.c             |   56 +--
> >>  criu/proc_parse.c               |   34 ++
> >>  criu/protobuf-desc.c            |    2 
> >>  criu/pstree.c                   |   18 +
> >>  criu/shmem.c                    |    4 
> >>  criu/util.c                     |   48 ++
> >>  images/Makefile                 |    1 
> >>  images/ns.proto                 |   29 +
> >>  images/userns.proto             |   12 -
> >>  lib/py/images/images.py         |    1 
> >>  test/zdtm/static/Makefile       |    2 
> >>  test/zdtm/static/userns00.c     |  289 ++++++++++++++
> >>  test/zdtm/static/userns00.desc  |    1 
> >>  test/zdtm/static/userns01.c     |  149 +++++++
> >>  test/zdtm/static/userns01.desc  |    1 
> >>  33 files changed, 1529 insertions(+), 180 deletions(-)
> >>  delete mode 100644 images/userns.proto
> >>  create mode 100644 test/zdtm/static/userns00.c
> >>  create mode 100644 test/zdtm/static/userns00.desc
> >>  create mode 100644 test/zdtm/static/userns01.c
> >>  create mode 100644 test/zdtm/static/userns01.desc
> >>
> >> --
> >> Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
> >> _______________________________________________
> >> CRIU mailing list
> >> CRIU at openvz.org
> >> https://lists.openvz.org/mailman/listinfo/criu
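Point 3 of the quoted cover letter rests on a property of nested user namespaces that is easy to get wrong: an id that is valid in the root user namespace may have no mapping at all in a nested one, so xids have to be stored in a namespace where every id is guaranteed to exist, and can only be pushed down to the "lowest user_ns where it's mapped". The following C program is an added example written for this page, not CRIU code and not part of the patchset; it models the `/proc/<pid>/uid_map` extent semantics (`first lower_first count`) for a constructed three-level chain (root, a container `ct`, and a nested `inner` namespace with two extents), translates ids down and up the chain, and finds the deepest namespace in which a root-namespace id is still mapped. The namespace names, extents and the `root_to_target_id`/`target_to_root_id`/`lowest_mapped_ns` helpers are all assumptions of the example; only the `INVALID_ID` sentinel value mirrors the kernel's.

```c
/*
 * Added example (not CRIU code): translating ids through nested user
 * namespaces using uid_map extent semantics. Every namespace, extent and
 * helper below is constructed for illustration.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_ID  ((uint32_t)-1)  /* unmapped id, same sentinel the kernel uses */
#define MAX_EXTENTS 5               /* enough for the constructed maps below */
#define MAX_DEPTH   16              /* longest namespace chain we will walk */

/* One uid_map line: ids [first, first+count) in this ns correspond to
 * [lower_first, lower_first+count) in the parent ns. */
struct id_extent {
	uint32_t first;
	uint32_t lower_first;
	uint32_t count;
};

struct user_ns {
	const char *name;
	struct user_ns *parent;         /* NULL for the root user namespace */
	struct id_extent map[MAX_EXTENTS];
	int nr_extents;
};

/* Constructed sample chain: root -> ct -> inner. */
struct user_ns root_ns = { .name = "root", .parent = NULL, .nr_extents = 0 };
/* ct uid 0..65535 are root uids 100000..165535 */
struct user_ns ct_ns = { .name = "ct", .parent = &root_ns,
	.map = { { 0, 100000, 65536 } }, .nr_extents = 1 };
/* inner uid 0 is ct uid 1000; inner 1000..1099 are ct 2000..2099;
 * ct uid 0 (root 100000) is deliberately left unmapped here */
struct user_ns inner_ns = { .name = "inner", .parent = &ct_ns,
	.map = { { 0, 1000, 1 }, { 1000, 2000, 100 } }, .nr_extents = 2 };

/* parent-ns id -> this ns id (the kernel's make_kuid direction) */
uint32_t map_id_down(const struct user_ns *ns, uint32_t parent_id)
{
	for (int i = 0; i < ns->nr_extents; i++) {
		const struct id_extent *e = &ns->map[i];
		if (parent_id >= e->lower_first && parent_id - e->lower_first < e->count)
			return e->first + (parent_id - e->lower_first);
	}
	return INVALID_ID;
}

/* this ns id -> parent-ns id (the kernel's from_kuid direction) */
uint32_t map_id_up(const struct user_ns *ns, uint32_t id)
{
	for (int i = 0; i < ns->nr_extents; i++) {
		const struct id_extent *e = &ns->map[i];
		if (id >= e->first && id - e->first < e->count)
			return e->lower_first + (id - e->first);
	}
	return INVALID_ID;
}

/* Fill path[] with target, its parent, ... up to root; return chain length or -1. */
static int build_path(const struct user_ns *target, const struct user_ns **path)
{
	int depth = 0;
	for (const struct user_ns *ns = target; ns; ns = ns->parent) {
		if (depth == MAX_DEPTH)
			return -1;
		path[depth++] = ns;
	}
	return depth;
}

/* Translate an id expressed in the root user ns into target's view, walking
 * down the chain. INVALID_ID if any level on the way lacks a mapping. */
uint32_t root_to_target_id(const struct user_ns *target, uint32_t root_id)
{
	const struct user_ns *path[MAX_DEPTH];
	int depth = build_path(target, path);
	if (depth < 0)
		return INVALID_ID;
	uint32_t id = root_id;                 /* path[depth-1] is root itself */
	for (int i = depth - 2; i >= 0 && id != INVALID_ID; i--)
		id = map_id_down(path[i], id);
	return id;
}

/* Translate an id from target's view up into the root user ns. */
uint32_t target_to_root_id(const struct user_ns *target, uint32_t id)
{
	for (const struct user_ns *ns = target; ns->parent && id != INVALID_ID; ns = ns->parent)
		id = map_id_up(ns, id);
	return id;
}

/* Deepest namespace on the chain ending at target in which root_id is still
 * mapped (the "lowest user_ns where it's mapped"); the id as seen there is
 * written to *out when out is non-NULL. */
const struct user_ns *lowest_mapped_ns(const struct user_ns *target, uint32_t root_id, uint32_t *out)
{
	const struct user_ns *path[MAX_DEPTH];
	int depth = build_path(target, path);
	if (depth < 0)
		return NULL;
	const struct user_ns *best = path[depth - 1];
	uint32_t id = root_id;
	for (int i = depth - 2; i >= 0; i--) {
		uint32_t next = map_id_down(path[i], id);
		if (next == INVALID_ID)
			break;
		id = next;
		best = path[i];
	}
	if (out)
		*out = id;
	return best;
}

int main(void)
{
	uint32_t probes[] = { 101000, 102050, 100000, 5 };  /* constructed root-ns uids */
	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		uint32_t seen;
		const struct user_ns *ns = lowest_mapped_ns(&inner_ns, probes[i], &seen);
		printf("root uid %" PRIu32 ": in inner -> %" PRId32 ", lowest mapped ns %s (uid %" PRIu32 ")\n",
		       probes[i], (int32_t)root_to_target_id(&inner_ns, probes[i]), ns->name, seen);
	}
	return 0;
}
```

Root uid 100000 is uid 0 inside `ct` yet has no mapping in `inner`, which is exactly the case that forces the cover letter to record xids relative to NS_ROOT rather than the task's own user_ns; `lowest_mapped_ns` shows where such an id could be restored once the per-namespace placement described as "not implemented yet" exists.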