[lxc-devel] Any way of inserting some process into specified namespace

Daniel Lezcano daniel.lezcano at free.fr
Fri Nov 6 13:52:58 UTC 2009


Night Nord wrote:
> Greetings.
>
> I'm trying to build some rc script, which should start and stop LXC
> containers on system boot and system shutdown, and I've run into some
> problems with properly shutting down the container.
>
> That is: to properly shut down a container, I should somehow execute
> halt/shutdown -h inside the container. Currently it may be done by hacking
> sysvinit's inittab to change the action of ctrlaltdel (SIGINT) to shutdown,
> then sending SIGINT to the container's init. But there are many howtos on the
> internet that suggest building your own /sbin/init script for containers,
> which may have unspecified behaviour on SIGINT, ignore inittab etc., so we
> can't really rely on that.
>
> So, there is a question: is there any way of inserting some process
> (already running or new) into a namespace, without having some
> process already inside that namespace to fork it?
>
> I've checked some information about cgroups and namespaces, and this is
> what I have for now:
>
> 1) There is no method of assigning a namespace. The only thing you can do
> is run a new process via clone with NEW_* or make a new namespace for a
> running process via unshare calls. Still, namespaces are attached to
> cgroups, so, theoretically, they could be controlled by cgroups.
>
> 2) There is no API for controlling cgroups. All control is done via the
> cgroups fs.
>
> 3) There is a 'tasks' file inside any cgroup hierarchy, which lists the
> global PIDs assigned to this cgroup. So, theoretically, if we insert
> some pid (of the current shell, for example) into this file, it should
> inherit all namespaces of this cgroup.
>
> So, let's test:
> --------------------------------------------------------------------------
> hellgate night # echo $$ > /lxc/cgroup/masq.niifaq.ru/tasks
> hellgate night # lxc-ps --lxc
> CONTAINER    PID TTY          TIME CMD
> masq.niifaq.ru  2987 ?        00:00:00 init
> template    2990 ?        00:00:00 init
> masq.niifaq.ru  3538 ?        00:00:00 sleep
> masq.niifaq.ru  3794 ?        00:00:00 syslog-ng
> masq.niifaq.ru  3795 ?        00:00:00 syslog-ng
> template    3878 ?        00:00:00 sleep
> masq.niifaq.ru  3898 ?        00:00:00 sshd
> masq.niifaq.ru  3967 ?        00:00:00 sleep
> template    4040 ?        00:00:00 syslog-ng
> template    4041 ?        00:00:00 syslog-ng
> template    4055 ?        00:00:00 sshd
> template    4073 ?        00:00:00 sleep
> masq.niifaq.ru  4287 pts/0    00:00:00 zsh
> masq.niifaq.ru  4302 pts/0    00:00:00 lxc-ps
> hellgate night # chroot /proc/2987/root /bin/zsh  
> root at hellgate / # pstree 
> init─┬─2*[sleep]
>      ├─sshd
>           └─syslog-ng───syslog-ng
> root at hellgate / # su nightr
> hellgate / # pstree 
> init-+-2*[sleep]
>      |-sshd
>           `-syslog-ng---syslog-ng
> hellgate / # echo $$
> 4309
> hellgate / # ls -l /proc/$$
> ls: cannot access /proc/4309: No such file or directory
> hellgate / # ps
> Error, do this: mount -t proc proc /proc
> hellgate / # shutdown -h now
> hellgate / # shutdown -h now
> hellgate / # reboot
> <and here machine reboots, not container =)>
> --------------------------------------------------------------------------
>
> So, as you may see, the task was included (/proc/$$/cgroup also changed,
> not shown here, but yes), lxc-ps --lxc found it (so, only tasks was
> updated), but now another effect: after chroot I was still root (no
> user namespace), the container's proc had no idea of the running process and
> system commands worked in a non-clear fashion.
>
> In other words: that doesn't work.
>
> I've read some old (last message was in 2008) article on LWN about the
> 'hijack' syscall, which, as far as I could see, was designed with exactly this
> idea in mind. But it seems to have been rejected.
>
> Still, this seems possible to me (but I'm not a kernel developer,
> not even an experienced C programmer); the kernel tree (kernel/nsproxy.c) has
> the function switch_task_namespaces, which is used from fork.c while cloning,
> so, theoretically, it could be used to replace the nsproxy of the current process
> with some other nsproxy; still, it's an open question how the pid namespace
> will react to such an insertion, probably some other operations should be
> done.
>
> Or are there some other ways which are already accessible?
>   
No, there is no way to insert a process into a new namespace without a 
daemon running inside the container.
There is a prototype with a daemon, done by Dietmar, working very well, 
in the git branch 'forker';
it is not up-to-date with the master.

http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=shortlog;h=refs/heads/forker

But unfortunately it is not compatible with the application containers.
Maybe there is a solution but I had no time to investigate.

There was a discussion around a cloneat syscall, making it possible to fork 
a process and re-parent it to the specified process.

https://lists.linux-foundation.org/pipermail/containers/2009-October/021476.html

Maybe you can react to this email?

Thanks
 -- Daniel
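Added example, not code from this thread or from LXC: the mechanism the original poster was looking for arrived later as the setns(2) system call (Linux 3.0, 2011), which lets an already-running privileged process on the host join the namespaces of a container task through /proc/&lt;pid&gt;/ns/*. It assumes the host-side pid of the container's init and CAP_SYS_ADMIN; the mount namespace is entered last because afterwards /proc refers to the container's own view, where that host pid is not visible.

```c
#define _GNU_SOURCE          /* setns(2) is a GNU extension in <sched.h> */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Join one namespace of `pid`; `kind` names a /proc/<pid>/ns entry such as
 * "pid", "mnt", "uts", "net" or "ipc". Returns 0 on success, else -errno.
 * Needs CAP_SYS_ADMIN in the target's user namespace. */
int join_namespace(pid_t pid, const char *kind)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, kind);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int rc = setns(fd, 0) == 0 ? 0 : -errno;   /* nstype 0: accept any type */
    close(fd);
    return rc;
}

/* Run argv inside the namespaces of `target` (e.g. a container's init, as
 * seen from the host) and return its exit status, or -errno on failure.
 * The mount namespace is entered last: afterwards /proc is the container's
 * own, where the target's host pid is not visible. Joining a pid namespace
 * only affects children, hence the fork before exec. */
int run_in_namespaces(pid_t target, char *const argv[])
{
    static const char *const kinds[] = {"uts", "ipc", "net", "pid", "mnt"};
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        int rc = join_namespace(target, kinds[i]);
        if (rc < 0) {
            fprintf(stderr, "setns %s: %s\n", kinds[i], strerror(-rc));
            return rc;
        }
    }
    pid_t child = fork();
    if (child < 0)
        return -errno;
    if (child == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed inside the container */
    }
    int status = 0;
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -EINTR;
}
```

From a host-side program, calling run_in_namespaces() with the container init's pid and an argv of "halt" runs the shutdown inside the container, which is what the inittab/SIGINT hack above was trying to achieve.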