Move setns within nsexec #454
Conversation
|
@dqminh ping |
|
|
||
| // IsNamespaceSupported returns the list of current kernel's supported | ||
| // namespaces. The namespaces will be sorted in order that we can safely setns | ||
| // to (i.e., mount namespace is at the bottom of the list) |
There was a problem hiding this comment.
this comment is outdated now. The function just check if the host supports a chosen namespace.
mlaventure
force-pushed
the
libcontainer-pidns
branch
from
5b4fdb4 to
3f726a1
Compare
| */ | ||
| char stack[4096] __attribute__ ((aligned(16))); | ||
| char stack_ptr[0]; | ||
| jmp_buf *env; |
There was a problem hiding this comment.
Just realized that I've used tab-width of 4 instead of 8, will fix sorry (although 7 seems to be what was used previously)
There was a problem hiding this comment.
mmm, what i did was to use indent -linux with https://github.com/crosbymichael/vim-cfmt
mlaventure
force-pushed
the
libcontainer-pidns
branch
3 times, most recently
from
fd31b6f to
a53b405
Compare
mlaventure
force-pushed
the
libcontainer-pidns
branch
from
c86d11c to
b3b5961
Compare
| #include <linux/limits.h> | ||
| #include <sys/types.h> | ||
| #include <sys/wait.h> | ||
| #include <sys/types.h> |
There was a problem hiding this comment.
We need to include sys/types.h
KILL(2)
NAME
kill - send signal to a process
SYNOPSIS
#include <sys/types.h>
#include <signal.h>
int kill(pid_t pid, int sig);
b3b5961 to
ff1449c
Compare
|
@mlaventure let's try to merge it after next libcontainer tag. |
mlaventure
force-pushed
the
libcontainer-pidns
branch
3 times, most recently
from
e8177bb to
cbfcb9a
Compare
mlaventure
force-pushed
the
libcontainer-pidns
branch
3 times, most recently
from
07a2e50 to
7ca7234
Compare
|
Rebased. |
mlaventure
force-pushed
the
libcontainer-pidns
branch
from
7ca7234 to
143787b
Compare
This adds `configs.IsNamespaceSupported(nsType)` to check if the host supports a namespace type. Signed-off-by: Daniel, Dao Quang Minh <[email protected]>
Signed-off-by: Daniel, Dao Quang Minh <[email protected]>
Signed-off-by: Daniel, Dao Quang Minh <[email protected]>
This adds orderNamespacePaths to get correct order of namespaces for the bootstrap program to join. Signed-off-by: Daniel, Dao Quang Minh <[email protected]>
An init process can join other namespaces (pidns, ipc etc.). This leverages C code defined in nsenter package to spawn a process with correct namespaces and clone if necessary. This moves all setns and cloneflags related code to nsenter layer, which mean that we dont use Go os/exec to create process with cloneflags and set uid/gid_map or setgroups anymore. The necessary data is passed from Go to C using a netlink binary-encoding format. With this change, setns and init processes are almost the same, which brings some opportunity for refactoring. Signed-off-by: Daniel, Dao Quang Minh <[email protected]> [[email protected]: adapted to apply on master @ d97d5e] Signed-off-by: Kenfe-Mickael Laventure <[email protected]>
Signed-off-by: Daniel, Dao Quang Minh <[email protected]>
Cut nsexec in smaller chunk routines to make it more readable. Signed-off-by: Kenfe-Mickael Laventure <[email protected]>
This simply move the call to the Prestart hooks to be made once we receive the procReady message from the client. This is necessary as we had to move the setns calls within nsexec in order to be accomodate joining namespaces that only affect future children (e.g. NEWPID). Signed-off-by: Kenfe-Mickael Laventure <[email protected]>
mlaventure
force-pushed
the
libcontainer-pidns
branch
from
143787b to
6325ab9
Compare
|
Rebased. |
|
LGTM |
1 similar comment
|
LGTM |
|
I've been playing with this PR and seems it allows usersn+(other namespaces) sharing properly, which should be good news for relaxing some of the disallowed combinations in Docker when user namespaces are enabled.. 👍 |
|
LGTM |
|
👍 I think this also fixes a potential issue with two containers sharing a user namespace. Since other namespaces are associated with the user namespace they were created from, it is best to join the user namespace before creating the new namespaces on |
This is a rebase of #105.
It move the
setnscalls within the init C code. This allows for namespaces that only affect future children (e.g.NEWPID) to correctly apply to created containers.