Please let me know when such a patchset / afferent tools are available. (I hope that the patchset is also applicable to prior kernel versions (.33, .34)...)

Ciprian.

P.S.: For those interested, I'm playing with LXC to isolate different applications, and my intent is that my working machine is going to be a combination of Gentoo (or Debian?) (for boot, networking, disk, and services), ArchLinux (for desktop applications like Firefox and OpenOffice), and custom-built applications (here LXC allows me to separate the roots so that the package managers are not going to interfere with one another). I also want all my services (dnscache, polipo proxy, etc.) to be contained in restricted containers.

On Mon, Mar 8, 2010 at 5:37 PM, Daniel Lezcano <daniel.lezc...@free.fr> wrote:
>
> Hi all,
>
> just to let you know there is a discussion and a patchset to enter a
> container.
>
> I will prototype the two commands lxc-enter and lxc-exec to make use of
> this new kernel functionality. I will be happy if someone is willing to
> play with these new commands when they are finished.
>
> I hope the patchset will be available for 2.6.35 :)
>
>
> -------- Original Message --------
> Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.
> Date: Mon, 08 Mar 2010 00:32:49 -0800
> From: ebied...@xmission.com (Eric W. Biederman)
> To: Daniel Lezcano <daniel.lezc...@free.fr>
> CC: Pavel Emelyanov <xe...@parallels.com>, Sukadev Bhattiprolu <suka...@linux.vnet.ibm.com>, Serge Hallyn <se...@us.ibm.com>, Linux Netdev List <net...@vger.kernel.org>, contain...@lists.linux-foundation.org, Netfilter Development Mailinglist <netfilter-de...@vger.kernel.org>, Ben Greear <gree...@candelatech.com>
>
> I have taken a snapshot of my development tree and placed it at:
>
> git://git.kernel.org/pub/scm/linux/people/ebiederm/linux-2.6.33-nsfd-v5.git
>
>>> I am going to explore a bit more. Given that nsfd is using the same
>>> permission checks as a proc file, I think I can just make it a proc
>>> file. Something like "/proc/<pid>/ns/net". With a little luck that
>>> won't suck too badly.
>>>
>> Ah ! yes. Good idea.
>
> It is a hair more code to use proc files but nothing worth counting.
>
> Probably the biggest thing I am aware of right now in my development
> tree is in getting uids to pass properly between unix domain sockets.
> I wound up writing this cred_to_ucred function.
>
> Serge, can you take a look and check my logic, and do you have
> any idea of where we should place something like pid_vnr but
> for the uid namespace?
>
> void cred_to_ucred(struct pid *pid, const struct cred *cred,
>                    struct ucred *ucred)
> {
>         ucred->pid = pid_vnr(pid);
>         ucred->uid = ucred->gid = -1;
>         if (cred) {
>                 struct user_namespace *cred_ns = cred->user->user_ns;
>                 struct user_namespace *current_ns = current_user_ns();
>                 struct user_namespace *tmp;
>
>                 if (likely(cred_ns == current_ns)) {
>                         ucred->uid = cred->euid;
>                         ucred->gid = cred->egid;
>                 } else {
>                         /* Is cred in a child user namespace */
>                         tmp = cred_ns;
>                         do {
>                                 tmp = tmp->creator->user_ns;
>                                 if (tmp == current_ns) {
>                                         ucred->uid = tmp->creator->uid;
>                                         ucred->gid = overflowgid;
>                                         return;
>                                 }
>                         } while (tmp != &init_user_ns);
>
>                         /* Is cred the creator of my user namespace,
>                          * or the creator of one of its parents?
>                          */
>                         for (tmp = current_ns; tmp != &init_user_ns;
>                              tmp = tmp->creator->user_ns) {
>                                 if (cred->user == tmp->creator) {
>                                         ucred->uid = 0;
>                                         ucred->gid = 0;
>                                         return;
>                                 }
>                         }
>
>                         /* No user namespace relationship so no mapping */
>                         ucred->uid = overflowuid;
>                         ucred->gid = overflowgid;
>                 }
>         }
> }
>
> Eric
>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
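To make the three mapping cases in Eric's cred_to_ucred concrete, here is an added user-space model; it is not code from the thread or from the kernel. It follows my reading of the intended semantics: a sender in a descendant user namespace is reported as the uid of whoever created the descendant directly below the receiver's namespace, the creator of the receiver's namespace (or of one of its ancestors) is reported as uid 0, and an unrelated sender gets the overflow ids. The struct shapes, the 65534 overflow value and the users alice/carol/dave are assumptions constructed for the example.

```c
#include <stdio.h>

#define OVERFLOWUID 65534u  /* assumed: the kernel's default overflowuid/overflowgid */
#define OVERFLOWGID 65534u

/* Constructed models of user_struct and user_namespace: a namespace records only
 * who created it, and the creator's own namespace is the parent. A NULL creator
 * marks the root (init_user_ns). */
struct user_ns;
struct user { unsigned uid; struct user_ns *user_ns; };
struct user_ns { struct user *creator; };
struct ucred_m { unsigned uid, gid; };

/* Translate a sender's credentials into the receiver's user namespace. */
struct ucred_m map_cred(struct user *sender, unsigned euid, unsigned egid,
                        struct user_ns *current_ns)
{
    struct ucred_m u = { OVERFLOWUID, OVERFLOWGID };
    struct user_ns *ns;

    if (sender->user_ns == current_ns) {          /* same namespace: pass through */
        u.uid = euid; u.gid = egid;
        return u;
    }
    /* Case 1: sender sits in a descendant namespace. Walk towards the root; the
     * receiver sees the uid of whoever created the descendant directly below it. */
    for (ns = sender->user_ns; ns->creator; ns = ns->creator->user_ns)
        if (ns->creator->user_ns == current_ns) {
            u.uid = ns->creator->uid;             /* gid stays at overflowgid */
            return u;
        }
    /* Case 2: sender created current_ns or one of its ancestors: root from here. */
    for (ns = current_ns; ns->creator; ns = ns->creator->user_ns)
        if (sender == ns->creator) {
            u.uid = 0; u.gid = 0;
            return u;
        }
    return u;                                     /* Case 3: no relationship */
}

int main(void)
{   /* Constructed tree: init_ns -> ns_a (alice, uid 1000) -> ns_b (carol, uid 500) */
    struct user_ns init_ns = { NULL }, ns_a, ns_b;
    struct user alice = { 1000, &init_ns }, carol = { 500, &ns_a }, dave = { 7, &ns_b };
    ns_a.creator = &alice; ns_b.creator = &carol;
    struct ucred_m r = map_cred(&dave, 7, 7, &init_ns);
    printf("dave seen from init_ns: uid=%u gid=%u\n", r.uid, r.gid);   /* 1000 65534 */
    r = map_cred(&alice, 1000, 1000, &ns_b);
    printf("alice seen from ns_b: uid=%u gid=%u\n", r.uid, r.gid);     /* 0 0 */
    return 0;
}
```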