[lxc-devel] [PATCH 1/2] lxc_attach: fix break with user namespaces (v3)
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Mar 4 18:40:59 UTC 2013
Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> Quoting Christian Seiler (christian at iwakd.de):
> > When you clone a new user_ns, the child cannot write to the fds
> > opened by the parent. Handle this by doing an extra fork. The
> > grandparent hangs around and waits for its child to tell it the
> > pid of the grandchild, which will be the one attached to the
> > container. The grandparent then moves the grandchild into the
> > right cgroup, then waits for the child who in turn is waiting on
> > the grandchild to complete.
> >
> > Secondly, when attaching to a new user namespace, your old uid is
> > not valid, so you are uid -1. This patch simply does setid+setuid
> > to 0 if that is the case. We probably want to be smarter, but
> > for now this allows lxc-attach to work.
> >
> > Signed-off-by: Christian Seiler <christian at iwakd.de>
>
> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
>
> Thanks, Christian, this looks good.
And, pushed to staging. I'll be posting my new cgroup patchset
(supplanting your patch 2) today.
thanks,
-serge
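The double-fork arrangement described in the quoted commit message, as an added example that is not Christian's patch and not lxc's own code: the grandparent forks a child, the child forks the grandchild and reports its pid back over a pipe, the grandparent does the cgroup placement while it still has full write access to its own file descriptors, and then waits for the child, which in turn waits for the grandchild. The namespace change itself (the clone with CLONE_NEWUSER that makes the parent's fds unwritable) and the setuid handling are left out; `place_in_cgroup` and `grandchild_main` are hypothetical stand-ins that only record what they would act on. A second pipe, which the patch text does not describe, is used so the grandchild does not start its work before the grandparent has finished placing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* What the grandparent learns and does; filled in by attach_double_fork(). */
struct attach_result {
    pid_t grandchild;    /* pid reported by the child over the pipe */
    pid_t placed;        /* pid that place_in_cgroup() was called with */
    int   child_status;  /* raw wait status of the intermediate child */
};

/* Hypothetical: the work done inside the container's namespaces.
 * Here it just exits with the requested code so the caller can check it. */
static int grandchild_main(int code) {
    return code;
}

/* Hypothetical: the grandparent's cgroup placement. A real implementation
 * would write `pid` into the target cgroup's tasks file; we only record it. */
static int place_in_cgroup(pid_t pid, pid_t *recorded) {
    *recorded = pid;
    return 0;
}

int attach_double_fork(int exit_code, struct attach_result *out) {
    int report[2];  /* child -> grandparent: the grandchild's pid */
    int go[2];      /* grandparent -> grandchild: EOF means "placed, proceed" */
    if (pipe(report) < 0 || pipe(go) < 0) return -1;

    pid_t child = fork();
    if (child < 0) return -1;

    if (child == 0) {
        /* Child. In lxc-attach this is where the new user namespace would be
         * entered, after which the parent's fds are no longer writable. */
        close(report[0]);
        close(go[1]);   /* only the grandparent keeps the write end of `go` */
        pid_t gc = fork();
        if (gc < 0) _exit(127);
        if (gc == 0) {
            /* Grandchild: block until the grandparent closes go[1]. */
            close(report[1]);
            char b;
            (void)read(go[0], &b, 1);
            close(go[0]);
            _exit(grandchild_main(exit_code));
        }
        close(go[0]);
        if (write(report[1], &gc, sizeof gc) != (ssize_t)sizeof gc) _exit(126);
        close(report[1]);
        int st;
        waitpid(gc, &st, 0);            /* child waits on the grandchild */
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 125);
    }

    /* Grandparent: learn the grandchild pid, place it, release it, wait. */
    close(report[1]);
    close(go[0]);
    pid_t gc;
    ssize_t n = read(report[0], &gc, sizeof gc);
    close(report[0]);
    if (n != (ssize_t)sizeof gc) {
        close(go[1]);
        waitpid(child, NULL, 0);
        return -1;
    }
    out->grandchild = gc;
    place_in_cgroup(gc, &out->placed);
    close(go[1]);                        /* grandchild may now proceed */
    waitpid(child, &out->child_status, 0);
    return 0;
}

int main(void) {
    struct attach_result r;
    if (attach_double_fork(7, &r) < 0) return 1;
    printf("grandchild %ld placed as %ld, child exited %d\n",
           (long)r.grandchild, (long)r.placed, WEXITSTATUS(r.child_status));
    return 0;
}
```

The point of the extra level is ownership of the file descriptors: the process that writes to the cgroup is the one that never changed namespaces, and the pid it acts on is the one actually running inside the container. The `go` pipe closes the window in which the grandchild could run before its placement; without it, the grandchild starts in whatever cgroup the child inherited.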