Hi all, just to let you know there is a discussion and a patchset to enter a container.
I will prototype the two commands lxc-enter and lxc-exec to make use of this new kernel functionality. I will be happy if someone is willing to play with these new commands when they are finished. I hope the patchset will be available for 2.6.35 :) -------- Original Message -------- Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control. Date: Mon, 08 Mar 2010 00:32:49 -0800 From: [email protected] (Eric W. Biederman) To: Daniel Lezcano <[email protected]> CC: Pavel Emelyanov <[email protected]>, Sukadev Bhattiprolu <[email protected]>, Serge Hallyn <[email protected]>, Linux Netdev List <[email protected]>, [email protected], Netfilter Development Mailinglist <[email protected]>, Ben Greear <[email protected]> References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> I have take an snapshot of my development tree and placed it at. git://git.kernel.org/pub/scm/linux/people/ebiederm/linux-2.6.33-nsfd-v5.git >> I am going to explore a bit more. Given that nsfd is using the same >> permission checks as a proc file, I think I can just make it a proc >> file. Something like "/proc/<pid>/ns/net". With a little luck that >> won't suck too badly. >> > Ah ! yes. Good idea. It is a hair more code to use proc files but nothing worth counting. Probably the biggest thing I am aware of right now in my development tree is in getting uids to pass properly between unix domain sockets I would up writing this cred_to_ucred function. Serge can you take a look and check my logic, and do you have any idea of where we should place something like pid_vnr but for the uid namespace? void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred) { ucred->pid = pid_vnr(pid); ucred->uid = ucred->gid = -1; if (cred) { struct user_namespace *cred_ns = cred->user->user_ns; struct user_namespace *current_ns = current_user_ns(); struct user_namespace *tmp; if (likely(cred_ns == current_ns)) { ucred->uid = cred->euid; ucred->gid = cred->egid; } else { /* Is cred in a child user namespace */ tmp = cred_ns; do { tmp = tmp->creator->user_ns; if (tmp == current_ns) { ucred->uid = tmp->creator->uid; ucred->gid = overflowgid; return; } } while (tmp != &init_user_ns); /* Is cred the creator of my user namespace, * or the creator of one of it's parents? */ for( tmp = current_ns; tmp != &init_user_ns; tmp = tmp->creator->user_ns) { if (cred->user == tmp->creator) { ucred->uid = 0; ucred->gid = 0; return; } } /* No user namespace relationship so no mapping */ ucred->uid = overflowuid; ucred->gid = overflowgid; } } } Eric ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Lxc-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/lxc-devel
