From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
To: Andrei Vagin <avagin@gmail.com>, "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>, viro@zeniv.linux.org.uk, adobriyan@gmail.com, davem@davemloft.net, akpm@linux-foundation.org, christian.brauner@ubuntu.com, areber@redhat.com, serge@hallyn.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 00/23] proc: Introduce /proc/namespaces/ directory to expose namespaces lineary
Date: Tue, 4 Aug 2020 15:11:55 +0300
Message-ID: <b64dc485-de42-cd42-a0d6-b9962d9ca4fd@virtuozzo.com>
In-Reply-To: <20200804054313.GA100819@gmail.com>

On 8/4/20 8:43 AM, Andrei Vagin wrote:
> On Thu, Jul 30, 2020 at 06:01:20PM +0300, Kirill Tkhai wrote:
>> On 30.07.2020 17:34, Eric W. Biederman wrote:
>>> Kirill Tkhai <ktkhai@virtuozzo.com> writes:
>>>
>>>> Currently, there is no way to list or iterate all or subset of namespaces
>>>> in the system. Some namespaces are exposed in /proc/[pid]/ns/ directories,
>>>> but some also may be as open files, which are not attached to a process.
>>>> When a namespace open fd is sent over unix socket and then closed, it is
>>>> impossible to know whether the namespace exists or not.
>>>>
>>>> Also, even if namespace is exposed as attached to a process or as open file,
>>>> iteration over /proc/*/ns/* or /proc/*/fd/* namespaces is not fast, because
>>>> this multiplies at tasks and fds number.
>
> Could you describe with more details when you need to iterate
> namespaces?
>
> There are three ways to hold namespaces.
>
> * processes
> * bind-mounts
> * file descriptors
>
> When CRIU dumps a container, it enumerates all processes, collects file
> descriptors and mounts. This means that we will be able to collect all
> namespaces, doesn't it?

Yes we can. But it would be much easier for us to have all namespaces in
one place, isn't it?

And this patch-set has another non-CRIU use case. It can simplify a view
to namespaces for a normal user. Let's consider some cases:

Let's assume we have an empty (no processes) mount namespace M which is
held by single open fd, which was put in a unix socket and closed, unix
socket has single open fd to it which was in its turn put to another
unix socket and again and again until we reach unix socket max depth...
How should normal user find this mount namespace M?

Let's assume that M also has a nsfs bindmount which holds some empty
network namespace N... How should normal user find N?

Let's also assume that M has overmounted "/":

    mount -t tmpfs tmpfs /

Now if you would enter M you would see single tmpfs (because of implicit
chroot to overmount on setns) in mountinfo and there is no way to see
full mountinfo if you do not know real root dentry... How should normal
user (or even CRIU) find N?

So my personal opinion is that we need this interface, maybe it should
be done somehow differently but we need it.

>

--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
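The userspace enumeration discussed in this message, as an added example that is not part of the thread or the patch set: it walks the three holders Andrei lists (processes, file descriptors, nsfs bind-mounts) and deduplicates namespaces by type and inode. The function names are hypothetical. By construction it cannot see the cases Pavel describes, such as an fd in flight inside a unix socket or a bind-mount that lives only in a mount namespace no process is in.

```python
import os
import re
from collections import defaultdict

# Only nsfs link names; /proc/<pid>/fd also has socket:[N] and pipe:[N] links.
NS_LINK = re.compile(r"^(cgroup|ipc|mnt|net|pid|time|user|uts):\[(\d+)\]$")

def ns_id(text):
    """Return (type, inode) for an nsfs link such as 'net:[4026532008]'."""
    m = NS_LINK.match(text)
    return (m.group(1), int(m.group(2))) if m else None

def links(directory):
    """Yield symlink targets in a directory, skipping entries that vanish."""
    try:
        names = os.listdir(directory)
    except OSError:
        return
    for name in names:
        try:
            yield os.readlink(os.path.join(directory, name))
        except OSError:
            continue

def collect_namespaces(proc_root="/proc"):
    """Map (type, inode) -> set of holders visible from this /proc."""
    found = defaultdict(set)
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        for sub, kind in (("ns", "process"), ("fd", "fd")):
            for target in links(os.path.join(base, sub)):
                if ns_id(target):
                    found[ns_id(target)].add((kind, int(pid)))
        try:
            with open(os.path.join(base, "mountinfo")) as f:
                lines = f.read().splitlines()
        except OSError:
            continue
        for line in lines:
            # mountinfo: id parent dev root mountpoint opts ... - fstype source
            left, _, right = line.partition(" - ")
            fields = left.split()
            if right.split()[:1] == ["nsfs"] and len(fields) > 4:
                if ns_id(fields[3]):
                    found[ns_id(fields[3])].add(("bind-mount", fields[4]))
    return dict(found)

if __name__ == "__main__":
    for (kind, inode), holders in sorted(collect_namespaces().items()):
        print(f"{kind}:[{inode}] held by {len(holders)} holder(s)")
```

Reading other users' /proc/[pid]/ns and /proc/[pid]/fd entries needs sufficient privilege; entries that cannot be read are skipped, so an unprivileged run reports a subset.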