[lxc-devel] [Fwd: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.]

Ciprian Dorin, Craciun ciprian.craciun at gmail.com
Mon Mar 8 17:51:01 UTC 2010


    Please let me know when such a patchset / associated tools are
available. (I hope that the patchset is also applicable to prior
kernel versions (.33, .34)...)

    Ciprian.

    P.S.: For those interested, I'm playing with LXC to isolate
different applications, and my intent is that my working machine is
going to be a combination of Gentoo (or Debian?) (for boot,
networking, disk, and services), ArchLinux (for desktop applications
like Firefox and OpenOffice), and custom built applications (here LXC
allows me to separate the roots so that the package managers are not
going to interfere with one another). I also want all my services
(dnscache, polipo proxy, etc.) to be contained in restricted
containers.


On Mon, Mar 8, 2010 at 5:37 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
>
> Hi all,
>
> just to let you know there is a discussion and a patchset to enter a
> container.
>
> I will prototype the two commands lxc-enter and lxc-exec to make use of
> this new kernel functionality. I will be happy if someone is willing to
> play with these new commands when they are finished.
>
> I hope the patchset will be available for 2.6.35 :)
>
>
>
> -------- Original Message --------
> Subject:        Re: [RFC][PATCH] ns: Syscalls for better namespace sharing
> control.
> Date:   Mon, 08 Mar 2010 00:32:49 -0800
> From:   ebiederm at xmission.com (Eric W. Biederman)
> To:     Daniel Lezcano <daniel.lezcano at free.fr>
> CC:     Pavel Emelyanov <xemul at parallels.com>, Sukadev Bhattiprolu
> <sukadev at linux.vnet.ibm.com>, Serge Hallyn <serue at us.ibm.com>, Linux
> Netdev List <netdev at vger.kernel.org>,
> containers at lists.linux-foundation.org, Netfilter Development Mailinglist
> <netfilter-devel at vger.kernel.org>, Ben Greear <greearb at candelatech.com>
> References:     <4B88E431.6040609 at parallels.com>
> <m1bpfbqajn.fsf at fess.ebiederm.org> <4B894564.7080104 at parallels.com>
> <m1iq9io5sc.fsf at fess.ebiederm.org> <4B89727C.9040602 at parallels.com>
> <m1ljeempk6.fsf at fess.ebiederm.org> <4B8AE8C1.1030305 at free.fr>
> <4B8D28CF.8060304 at parallels.com> <20100302211942.GA17816 at us.ibm.com>
> <m1y6iaqsmm.fsf at fess.ebiederm.org> <20100303000743.GA13744 at us.ibm.com>
> <m1ocj6qljj.fsf at fess.ebiederm.org> <4B8E9370.3050300 at parallels.com>
> <m17hptjh3m.fsf at fess.ebiederm.org> <4B9158F5.5040205 at parallels.com>
> <m1vdda1pmx.fsf at fess.ebiederm.org> <4B926B1B.5070207 at free.fr>
> <m1aaulyy5c.fsf at fess.ebiederm.org> <4B92C886.9020507 at free.fr>
>
>
>
> I have taken a snapshot of my development tree and placed it at:
>
>
> git://git.kernel.org/pub/scm/linux/people/ebiederm/linux-2.6.33-nsfd-v5.git
>
>
>>> I am going to explore a bit more.  Given that nsfd is using the same
>>> permission checks as a proc file, I think I can just make it a proc
>>> file.  Something like "/proc/<pid>/ns/net".  With a little luck that
>>> won't suck too badly.
>>>
>> Ah ! yes. Good idea.
>
> It is a hair more code to use proc files but nothing worth counting.
>
> Probably the biggest thing I am aware of right now in my development
> tree is in getting uids to pass properly between unix domain sockets.
> I wound up writing this cred_to_ucred function.
>
> Serge can you take a look and check my logic, and do you have
> any idea of where we should place something like pid_vnr but
> for the uid namespace?
>
> /* Translate a peer's (pid, cred) into the struct ucred that SCM_CREDENTIALS
>  * delivers, as seen from the receiver's user namespace.  A uid is only
>  * meaningful inside its own user namespace, so a peer with no namespace
>  * relationship to the receiver is reported as the overflow ids rather than
>  * as a raw number that may collide with a local account.
>  */
> void cred_to_ucred(struct pid *pid, const struct cred *cred,
>                    struct ucred *ucred)
> {
>         /* pid_vnr() gives the pid relative to the caller's pid namespace. */
>         ucred->pid = pid_vnr(pid);
>         ucred->uid = ucred->gid = -1;
>         if (cred) {
>                 struct user_namespace *cred_ns = cred->user->user_ns;
>                 struct user_namespace *current_ns = current_user_ns();
>                 struct user_namespace *tmp;
>
>                 if (likely(cred_ns == current_ns)) {
>                         /* Same user namespace: the ids are meaningful as-is. */
>                         ucred->uid = cred->euid;
>                         ucred->gid = cred->egid;
>                 } else {
>                         /* Is cred in a child user namespace?  Walk up through
>                          * each namespace's creator until we reach current_ns
>                          * (found) or init_user_ns (not a descendant). */
>                         tmp = cred_ns;
>                         do {
>                                 tmp = tmp->creator->user_ns;
>                                 if (tmp == current_ns) {
>                                         ucred->uid = tmp->creator->uid;
>                                         ucred->gid = overflowgid;
>                                         return;
>                                 }
>                         } while (tmp != &init_user_ns);
>
>                         /* Is cred the creator of my user namespace,
>                          * or the creator of one of its parents?  The
>                          * creator is what root means inside this namespace.
>                          */
>                         for (tmp = current_ns; tmp != &init_user_ns;
>                              tmp = tmp->creator->user_ns) {
>                                 if (cred->user == tmp->creator) {
>                                         ucred->uid = 0;
>                                         ucred->gid = 0;
>                                         return;
>                                 }
>                         }
>
>                         /* No user namespace relationship so no mapping */
>                         ucred->uid = overflowuid;
>                         ucred->gid = overflowgid;
>                 }
>         }
> }
>
> Eric
>
>
>
>
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
>
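
As an added example, not code from this thread, from LXC or from Eric's tree: the lxc-enter idea in working form, written against the interface that eventually shipped in mainline, the /proc/<pid>/ns/<name> files plus the setns(2) system call (Linux 3.0; the "pid" entry became joinable in 3.8), which is what the "/proc/<pid>/ns/net" proposal above turned into. The tool name, the join order and the fixed set of namespace names are this example's own choices. The practitioner points it encodes: opening the ns file is gated by the same ptrace-style check as other /proc/<pid> files and by itself enters nothing, setns() additionally needs CAP_SYS_ADMIN, every handle is opened before the first join because the mount namespace is entered last and after that "/proc" may be the container's, and a pid-namespace join only affects children, so the command is exec'd in a forked child.

```c
/* Added example, not LXC code: an lxc-enter-style tool built on the
 * interface that later shipped in mainline, the /proc/<pid>/ns/<name>
 * files plus setns(2) (Linux 3.0; "pid" joinable from 3.8). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#ifndef CLONE_NEWNET /* <sched.h> exposes these only under _GNU_SOURCE */
#define CLONE_NEWNS  0x00020000
#define CLONE_NEWUTS 0x04000000
#define CLONE_NEWIPC 0x08000000
#define CLONE_NEWPID 0x20000000
#define CLONE_NEWNET 0x40000000
#endif

/* Join order; "mnt" last, because inside the container's mount namespace
 * /proc may no longer be the host's, so all handles are opened up front. */
static const char *const ns_order[] = { "uts", "ipc", "net", "pid", "mnt" };
#define NS_COUNT (sizeof ns_order / sizeof ns_order[0])

/* ns/ entry name -> CLONE_* flag that setns() checks the fd against.
 * Unknown names give -1, so a caller-supplied name cannot leave ns/. */
int ns_type_flag(const char *name)
{
    static const struct { const char *name; int flag; } table[] = {
        { "uts", CLONE_NEWUTS }, { "ipc", CLONE_NEWIPC }, { "net", CLONE_NEWNET },
        { "pid", CLONE_NEWPID }, { "mnt", CLONE_NEWNS },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(name, table[i].name) == 0)
            return table[i].flag;
    return -1;
}

/* Build "/proc/<pid>/ns/<name>"; 0 on success, -1 with errno set. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    if (pid <= 0 || ns_type_flag(name) < 0) { errno = EINVAL; return -1; }
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Open a handle.  Same check as other /proc/<pid> files: the caller must be
 * allowed to ptrace the target.  Opening by itself enters nothing. */
int open_ns(pid_t pid, const char *name)
{
    char path[64];
    if (ns_path(pid, name, path, sizeof path) < 0)
        return -1;
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Open every handle, then setns() each (needs CAP_SYS_ADMIN).  A failure
 * part-way leaves the caller half-moved, so main() exits on -1.  setns(2)
 * is invoked via syscall(2); glibc 2.14 added the setns() wrapper. */
int enter_all(pid_t pid)
{
    int fds[NS_COUNT], rc = 0;
    size_t i;
    for (i = 0; i < NS_COUNT; i++) {
        if ((fds[i] = open_ns(pid, ns_order[i])) < 0) {
            fprintf(stderr, "open %s ns of %ld: %s\n", ns_order[i], (long)pid, strerror(errno));
            while (i--) close(fds[i]);
            return -1;
        }
    }
    for (i = 0; i < NS_COUNT && rc == 0; i++)
        if (syscall(SYS_setns, fds[i], ns_type_flag(ns_order[i])) < 0) {
            fprintf(stderr, "setns(%s): %s\n", ns_order[i], strerror(errno));
            rc = -1;
        }
    for (i = 0; i < NS_COUNT; i++)
        close(fds[i]);
    return rc;
}

/* usage: lxc-enter-demo <pid> <command> [args...]  (name is hypothetical) */
int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <pid> <command> [args...]\n", argv[0]); return 2; }
    if (enter_all((pid_t)strtol(argv[1], NULL, 10)) < 0)
        return 1;
    /* A pid-namespace join only applies to children, so fork before exec. */
    pid_t child = fork();
    if (child == 0) { execvp(argv[2], argv + 2); perror("execvp"); _exit(127); }
    int status;
    if (child < 0 || waitpid(child, &status, 0) < 0)
        return 1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root (or with CAP_SYS_ADMIN and ptrace access to the target) against the pid of a container's init, e.g. `./lxc-enter-demo 4242 /bin/sh`. Without those privileges the open or the setns() step fails with EACCES/EPERM and the tool exits before exec, which is the intended behaviour: a half-entered process that goes on to run the command would be in an undefined mix of namespaces.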
