[lxc-devel] Any way of inserting some process into specified namespace

Night Nord nightnord at gmail.com
Thu Nov 5 23:24:45 UTC 2009


Greetings.

I'm trying to build an rc script which should start and stop LXC
containers on system boot and shutdown, and I've run into some
problems with properly shutting containers down.

That is: to properly shut down a container, I should somehow execute
halt/shutdown -h inside the container. Currently it may be done by hacking
sysvinit's inittab to change the action of ctrlaltdel (SIGINT) to shutdown,
then sending SIGINT to the container's init. But there are many howtos on
the internet that suggest building your own /sbin/init script for
containers, which may have unspecified behaviour on SIGINT, ignore inittab,
etc., so we can't really rely on that.

So, here is the question: is there any way of inserting some process
(already running or a new process) into a namespace, without having some
process already inside that namespace to fork it?

I've checked some information about cgroups and namespaces, and this is
what I have so far:

1) There is no method of assigning a namespace. The only thing you can do
is run a new process via clone with NEW_* or make a new namespace for a
running process via unshare calls. Still, namespaces are attached to
cgroups, so, theoretically, they could be controlled by cgroups.

2) There is no API for controlling cgroups. All control is done via the
cgroups fs.

3) There is a 'tasks' file inside any cgroup hierarchy, which lists the
global PIDs assigned to this cgroup. So, theoretically, if we insert
some pid (of the current shell, for example) into this file, it should
inherit all namespaces of this cgroup.

So, let's test:
--------------------------------------------------------------------------
hellgate night # echo $$ > /lxc/cgroup/masq.niifaq.ru/tasks
hellgate night # lxc-ps --lxc
CONTAINER    PID TTY          TIME CMD
masq.niifaq.ru  2987 ?        00:00:00 init
template    2990 ?        00:00:00 init
masq.niifaq.ru  3538 ?        00:00:00 sleep
masq.niifaq.ru  3794 ?        00:00:00 syslog-ng
masq.niifaq.ru  3795 ?        00:00:00 syslog-ng
template    3878 ?        00:00:00 sleep
masq.niifaq.ru  3898 ?        00:00:00 sshd
masq.niifaq.ru  3967 ?        00:00:00 sleep
template    4040 ?        00:00:00 syslog-ng
template    4041 ?        00:00:00 syslog-ng
template    4055 ?        00:00:00 sshd
template    4073 ?        00:00:00 sleep
masq.niifaq.ru  4287 pts/0    00:00:00 zsh
masq.niifaq.ru  4302 pts/0    00:00:00 lxc-ps
hellgate night # chroot /proc/2987/root /bin/zsh  
root at hellgate / # pstree 
init─┬─2*[sleep]
     ├─sshd
          └─syslog-ng───syslog-ng
root at hellgate / # su nightr
hellgate / # pstree 
init-+-2*[sleep]
     |-sshd
          `-syslog-ng---syslog-ng
hellgate / # echo $$
4309
hellgate / # ls -l /proc/$$
ls: cannot access /proc/4309: No such file or directory
hellgate / # ps
Error, do this: mount -t proc proc /proc
hellgate / # shutdown -h now
hellgate / # shutdown -h now
hellgate / # reboot
<and here machine reboots, not container =)>
--------------------------------------------------------------------------

So, as you may see, the task was included (/proc/$$/cgroup also changed,
not shown here, but yes), lxc-ps --lxc found it (so, only tasks was
updated), but now another effect: after chroot I was still root (no
user namespace), the container's proc had no idea of the running process,
and system commands worked in an unclear fashion.

In other words: that doesn't work.

I've read an old (last message was in 2008) article on LWN about the
'hijack' syscall, which, as far as I could see, was designed with exactly
this idea in mind. But it seems to have been rejected.

Still, this seems possible to me (but I'm not a kernel developer, not
even an experienced C programmer): the kernel tree (kernel/nsproxy.c) has
a function switch_task_namespaces which is used from fork.c while cloning,
so, theoretically, it could be used to replace the nsproxy of the current
process with some other nsproxy; still, it's an open question how the pid
namespace will react to such an insertion, probably some other operations
should be done.

Or are there some other ways which are already accessible?

-- 
Andrian Nord
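The mechanism asked for above was later added to the kernel as setns(2) (Linux 3.0, 2011): a process joins an existing namespace through a file descriptor opened on /proc/<pid>/ns/<name>, which is what nsenter(1) wraps. The following C program is an added example, not part of this post or of LXC: same_namespace() checks whether two pids share a namespace by comparing the inodes behind the ns links (the check that would have shown the 'tasks' experiment above changed nothing), and run_in_namespaces() joins the namespaces of a container's init (e.g. pid 2987 in the session above) and runs a command such as shutdown there. It assumes a Linux 3.8+ kernel with /proc mounted, and CAP_SYS_ADMIN for the setns() calls.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Build "/proc/<pid>/ns/<name>"; 0 on success, -1 if it would not fit. */
int ns_path(char *buf, size_t len, pid_t pid, const char *name)
{
    int n = snprintf(buf, len, "/proc/%d/ns/%s", (int)pid, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Do pids a and b share namespace <name>? 1 yes, 0 no, -1 error. Each
 * namespace has its own inode behind the ns link, so stat() suffices. */
int same_namespace(pid_t a, pid_t b, const char *name)
{
    char pa[64], pb[64]; struct stat sa, sb;
    if (ns_path(pa, sizeof pa, a, name) || ns_path(pb, sizeof pb, b, name) ||
        stat(pa, &sa) || stat(pb, &sb))
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Join target's ipc/uts/net/pid/mnt namespaces, then run argv inside. Open
 * all links before the first setns() (after "mnt" the host /proc is gone);
 * a pid ns applies to children only, hence fork(). Returns exit status or -1. */
int run_in_namespaces(pid_t target, char *const argv[])
{
    static const char *names[] = { "ipc", "uts", "net", "pid", "mnt" };
    int fds[5], status; char path[64];
    for (int i = 0; i < 5; i++)
        if (ns_path(path, sizeof path, target, names[i]) ||
            (fds[i] = open(path, O_RDONLY | O_CLOEXEC)) < 0)
            { perror(names[i]); return -1; }
    for (int i = 0; i < 5; i++) {
        if (setns(fds[i], 0) < 0) { perror(names[i]); return -1; }
        close(fds[i]);
    }
    pid_t child = fork();
    if (child == 0) { execvp(argv[0], argv); _exit(127); }
    if (child < 0 || waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* usage: nsrun <init-pid> <cmd> [args...], e.g. nsrun 2987 /sbin/shutdown -h now */
int main(int argc, char **argv) { int pid; return (argc < 3 || sscanf(argv[1], "%d", &pid) != 1) ? 2 : run_in_namespaces((pid_t)pid, argv + 2); }
```

The user namespace is deliberately left out: joining it needs extra care with the order of operations and with capabilities, and the containers in this thread do not use one.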
