[CRIU] [PATCH v1 00/17] Nested user namespaces support

Kirill Tkhai ktkhai at virtuozzo.com
Thu Jan 12 09:51:54 PST 2017 

This patchset adds support for nested user namespace hierarhies
in container.

The scheme of restore is the following. All tasks are restoring
in the same namespace (NS_ROOT), until they are comming
to the very end of the restorer.

Then, namespaces are restoring by tasks, which are their owners,
in hierarhical order from the NS_ROOT to NS_OTHER leafs.
The tasks, which are not a namespace owners, are waiting till
their namespaces are restored, and do setns() there. Also,
a namespace owners are writing their children's user_ns mappings.

1)The ordering is implemented on shared memory futexes. To have
mappings on restore, we dump UsernsEntry for each NS_OTHER
(related to its parent).

2)Since a namespace may do not have a mapping to its parent,
we can't dump uids/gids using parasite anymore, as in this
case a namespace's task sees invalid (-1) xids. To fix
that, dumping of xids were rewritten to parse /proc/[pid]/status
file instead.

3)To test nested user namespace feature, kernel should have
nsfs with ioctl(.., NS_GET_PARENT) support.

https://travis-ci.org/tkhai/criu/builds/191377143
(travis currently does not have, so the new test is marked "noauto")
---

Kirill Tkhai (17):
      zdtm: Add userns00 test
      arch: Add sys_unshare() description
      user_ns: Set nested namespaces hierarhy
      ns: Change arguments of dump_user_ns()
      user_ns: Prepare check_user_ns() for working with NS_OTHER
      user_ns: Make collect_user_ns() allocate child UsernsEntry mappings
      user_ns: Make host_id() working with any mapping and rename it
      ns: Rename and export userns_id()
      user_ns: Load UsernsEntry mappings on restore
      user_ns: Dump parent user_ns id
      core: Dump task credential xids from criu namespace
      rst: Implement rst_mem_free_last_bytes()
      user_ns: Add rst mem for synchronization on restore
      user_ns: setup arguments for restorer
      user_ns: Add user_ns ordering to restorer and restore user_ns
      restorer: Move uids/gids assignment above setns() and unshare()
      ns: Allow nested user namespaces


 compel/arch/arm/plugins/std/syscalls/syscall.def   |    1 
 .../ppc64/plugins/std/syscalls/syscall-ppc64.tbl   |    1 
 .../arch/x86/plugins/std/syscalls/syscall_32.tbl   |    1 
 .../arch/x86/plugins/std/syscalls/syscall_64.tbl   |    1 
 criu/cr-dump.c                                     |   86 ++++
 criu/cr-restore.c                                  |   53 +++
 criu/include/namespaces.h                          |   42 ++
 criu/include/parasite.h                            |   25 -
 criu/include/restorer.h                            |    6 
 criu/include/rst-malloc.h                          |    1 
 criu/namespaces.c                                  |  386 +++++++++++++++++---
 criu/parasite-syscall.c                            |   22 -
 criu/pie/parasite.c                                |   50 ---
 criu/pie/restorer.c                                |  238 +++++++++---
 criu/pstree.c                                      |   17 +
 criu/rst-malloc.c                                  |   16 +
 images/userns.proto                                |    1 
 test/zdtm/static/Makefile                          |    1 
 test/zdtm/static/userns00.c                        |  186 ++++++++++
 test/zdtm/static/userns00.desc                     |    1 
 20 files changed, 924 insertions(+), 211 deletions(-)
 create mode 100644 test/zdtm/static/userns00.c
 create mode 100644 test/zdtm/static/userns00.desc

--
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>

More information about the CRIU mailing list