Hi all, just to let you know there is a discussion and a patchset to enter a container.
I will prototype the two commands lxc-enter and lxc-exec to make use of this new kernel functionality. I will be happy if someone is willing to play with these new commands when they are finished. I hope the patchset will be available for 2.6.35 :)

-------- Original Message --------
Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.
Date: Mon, 08 Mar 2010 00:32:49 -0800
From: ebied...@xmission.com (Eric W. Biederman)
To: Daniel Lezcano <daniel.lezc...@free.fr>
CC: Pavel Emelyanov <xe...@parallels.com>, Sukadev Bhattiprolu <suka...@linux.vnet.ibm.com>, Serge Hallyn <se...@us.ibm.com>, Linux Netdev List <net...@vger.kernel.org>, contain...@lists.linux-foundation.org, Netfilter Development Mailinglist <netfilter-de...@vger.kernel.org>, Ben Greear <gree...@candelatech.com>
References: <4b88e431.6040...@parallels.com> <m1bpfbqajn....@fess.ebiederm.org> <4b894564.7080...@parallels.com> <m1iq9io5sc....@fess.ebiederm.org> <4b89727c.9040...@parallels.com> <m1ljeempk6....@fess.ebiederm.org> <4b8ae8c1.1030...@free.fr> <4b8d28cf.8060...@parallels.com> <20100302211942.ga17...@us.ibm.com> <m1y6iaqsmm....@fess.ebiederm.org> <20100303000743.ga13...@us.ibm.com> <m1ocj6qljj....@fess.ebiederm.org> <4b8e9370.3050...@parallels.com> <m17hptjh3m....@fess.ebiederm.org> <4b9158f5.5040...@parallels.com> <m1vdda1pmx....@fess.ebiederm.org> <4b926b1b.5070...@free.fr> <m1aaulyy5c....@fess.ebiederm.org> <4b92c886.9020...@free.fr>

I have taken a snapshot of my development tree and placed it at:
git://git.kernel.org/pub/scm/linux/people/ebiederm/linux-2.6.33-nsfd-v5.git

>> I am going to explore a bit more. Given that nsfd is using the same
>> permission checks as a proc file, I think I can just make it a proc
>> file. Something like "/proc/<pid>/ns/net". With a little luck that
>> won't suck too badly.
>>
> Ah ! yes. Good idea.

It is a hair more code to use proc files but nothing worth counting.
Probably the biggest thing I am aware of right now in my development tree is in getting uids to pass properly between unix domain sockets. I wound up writing this cred_to_ucred function. Serge, can you take a look and check my logic, and do you have any idea of where we should place something like pid_vnr but for the uid namespace?

    void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred)
    {
        ucred->pid = pid_vnr(pid);
        ucred->uid = ucred->gid = -1;
        if (cred) {
            struct user_namespace *cred_ns = cred->user->user_ns;
            struct user_namespace *current_ns = current_user_ns();
            struct user_namespace *tmp;

            if (likely(cred_ns == current_ns)) {
                ucred->uid = cred->euid;
                ucred->gid = cred->egid;
            } else {
                /* Is cred in a child user namespace */
                tmp = cred_ns;
                do {
                    tmp = tmp->creator->user_ns;
                    if (tmp == current_ns) {
                        ucred->uid = tmp->creator->uid;
                        ucred->gid = overflowgid;
                        return;
                    }
                } while (tmp != &init_user_ns);

                /* Is cred the creator of my user namespace,
                 * or the creator of one of its parents?
                 */
                for (tmp = current_ns; tmp != &init_user_ns; tmp = tmp->creator->user_ns) {
                    if (cred->user == tmp->creator) {
                        ucred->uid = 0;
                        ucred->gid = 0;
                        return;
                    }
                }

                /* No user namespace relationship so no mapping */
                ucred->uid = overflowuid;
                ucred->gid = overflowgid;
            }
        }
    }

Eric

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
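As an added illustration of the four mapping rules the comments in Eric's cred_to_ucred() describe (same namespace, sender in a descendant namespace, sender is the creator of the receiver's namespace or of an ancestor, no relationship), here is a userspace model over a constructed three-level user-namespace tree; it is not code from the patchset or the kernel. Struct and field names mirror the posted function, while the uids, the namespace tree, and the choice to report the uid of whoever created the descendant namespace nearest the receiver are assumptions of this example.

```c
#include <stddef.h>

/* Constructed userspace model of the structures cred_to_ucred() walks;
 * names mirror the posted kernel function, all values are made up. */
#define OVERFLOWUID 65534u
#define OVERFLOWGID 65534u

struct user_ns;
struct user    { unsigned uid; struct user_ns *user_ns; };
struct user_ns { struct user *creator; };
struct cred    { struct user *user; unsigned euid, egid; };
struct ucred   { unsigned uid, gid; };

/* Tree: init_user_ns (root_user) -> ns_a (created by alice, uid 1000)
 *       ns_a (root_a uid 0, bob uid 500) -> ns_b (created by root_a; carol uid 7) */
struct user_ns init_user_ns, ns_a, ns_b;
struct user root_user, alice, root_a, bob, carol;
struct cred cred_alice, cred_root_a, cred_bob, cred_carol;

void build_tree(void)
{
    root_user = (struct user){ 0, &init_user_ns };    init_user_ns.creator = &root_user;
    alice     = (struct user){ 1000, &init_user_ns }; ns_a.creator = &alice;
    root_a    = (struct user){ 0, &ns_a };            ns_b.creator = &root_a;
    bob       = (struct user){ 500, &ns_a };
    carol     = (struct user){ 7, &ns_b };
    cred_alice  = (struct cred){ &alice, 1000, 1000 };
    cred_root_a = (struct cred){ &root_a, 0, 0 };
    cred_bob    = (struct cred){ &bob, 500, 500 };
    cred_carol  = (struct cred){ &carol, 7, 7 };
}

/* Translate the sender's credentials into the receiver's user namespace. */
void cred_to_ucred(const struct cred *cred, const struct user_ns *current_ns,
                   struct ucred *ucred)
{
    const struct user_ns *cred_ns = cred->user->user_ns, *child, *tmp;

    if (cred_ns == current_ns) {               /* same namespace: pass through */
        ucred->uid = cred->euid; ucred->gid = cred->egid; return;
    }
    /* Sender lives in a descendant namespace: report the uid of the user in
     * current_ns that created the top of that chain; the gid is not mappable. */
    child = cred_ns; tmp = cred_ns->creator->user_ns;
    for (;;) {
        if (tmp == current_ns) {
            ucred->uid = child->creator->uid; ucred->gid = OVERFLOWGID; return;
        }
        if (tmp == &init_user_ns) break;       /* climbed past the root */
        child = tmp; tmp = tmp->creator->user_ns;
    }
    /* Sender created current_ns or one of its ancestors: root from here. */
    for (tmp = current_ns; tmp != &init_user_ns; tmp = tmp->creator->user_ns)
        if (cred->user == tmp->creator) { ucred->uid = 0; ucred->gid = 0; return; }
    ucred->uid = OVERFLOWUID; ucred->gid = OVERFLOWGID;  /* unrelated: overflow ids */
}
```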