[Devel] Re: [PATCH 5/9] cr: capabilities: define checkpoint and restore fns
Alexey Dobriyan
adobriyan at gmail.com
Mon Jun 15 02:58:12 PDT 2009
On Sat, Jun 06, 2009 at 08:02:28AM -0700, Andrew G. Morgan wrote:
> On Fri, Jun 5, 2009 at 12:41 PM, Serge E. Hallyn <serue at us.ibm.com> wrote:
> > Quoting Andrew G. Morgan (morgan at kernel.org):
> > ...
> >> > Now you mention using kernel_cap_t's... we can go partway
> >> > down that road, but the inherent problem is serializing the
> >> > relevant data so it can be streamed to some file. So I
> >> > think it's better if the subsystems are required to specify
> >> > a useful format (like struct ckpt_capabilities) and define
> >> > the checkpoint/restart helpers to serialize data into the
> >> > struct. We can try and get cute with dual mirrored
> >> > struct defs, one which is defined in terms the caps code
> >> > can understand, and one defined in more arch-independent
> >> > terms (which is why we need __u64s and packed, for instance).
> >> > But that seems more fragile than having clear and simple
> >> > requirements for the $SUBYSTEM_checkpoint() and $SUBSYSTEM_restart()
> >> > helpers.
> >>
> >> I like this $SUBSYSTEM_checkpoint() etc. thing.
> >>
> >> I like the ckpthdr.sed thing. I think a similar rule could be used to
> >> generate the calls to the list of $SUBSYSTEM_checkpoint() functions.
> >
> > Sorry, I don't follow. Could you say a bit more about this?
>
> See sketch below.
>
> >
> >> For serialization, could a kernel "gcc -E checkpoint-headers.h >
> >> this-kernel-checkpoint-file.h" build rule be enough?
> >
> > Again, I don't follow. Do you mean to turn something like kernel_cap_t
> > into something like struct ckpt_capabilities?
>
> Yes, but without manual effort.
>
> To return the the 1,2,3 breakdown. I think it should be possible for 1
> to provide code like this:
>
> $SUBSYSTEM_header.h:
> struct ckpt_$SUBSYSTEM_s {
> kernel_foo_t a, b, c;
> };
>
> $SUBSYSTEM_code.c:
> void $SUBSYSTEM_checkpoint(struct *storage_ptr)
> {
> }
>
> int $SUBSYSTEM_restore(struct *storage_ptr)
> {
> }
This doesn't work. Kernel internals don't have clearly defined subsystem boundaries,
capabilities or not.
As for capabilities, I think code below is everything what's needed:
typedef __u64 kstate_cap_t;
struct kstate_image_cred {
...
kstate_cap_t cap_inheritable;
kstate_cap_t cap_permitted;
kstate_cap_t cap_effective;
kstate_cap_t cap_bset;
...
};
static void dump_capabilities(kstate_cap_t *i, kernel_cap_t *cap)
{
BUILD_BUG_ON(sizeof(kstate_cap_t) != sizeof(kernel_cap_t));
memcpy(i, cap, sizeof(kstate_cap_t));
}
Kernel and userspace can do anything they want with such image easily.
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list