Hi Serge,

> That sounds good, but then to do it right the "which namespaces were
> unshared by the container" shouldn't be hardcoded in. Unfortunately,
> without the /proc/self/ns/ links there's no way to tell, so we can't
> answer your question.
>
> So I think we should do your point 1, but not your point 2. I'm still
> not happy about special casing user ns in the code. What will happen
> when we get devices namespaces and most people, but not all, have
> /proc/self/ns/user? More hard-coded exceptions?
>
> I don't have an answer right now, just not happy with any of the
> ones I can think of. (Will keep thinking)
What about if we update the command interface to add an additional command
along the lines of LXC_COMMAND_GET_NSFLAGS or similar, which returns the
bitmask of CLONE_* used for starting the container? Then we would have the
logic:

- no -s parameter for lxc-attach: attach to all namespaces found in the
  bitmask retrieved via the command interface (and fail if kernel doesn't
  support it)
- user supplied -s parameter: try only those and fail if that doesn't work

Then nothing would be hard-coded and it'd be completely future-proof.

Thoughts?

Regards,
Christian
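As an added example (not LXC's own code), here is how that logic could look in C: a table of CLONE_* flags with their /proc/<pid>/ns link names, a probe for which links the running kernel exposes, the selection rule for the two -s cases above, and the setns(2) loop. LXC_COMMAND_GET_NSFLAGS is only the name proposed in this mail; the table contents, the function names and passing -s as a bitmask are assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* One row per namespace type: the CLONE_* flag and its /proc/<pid>/ns link name.
 * A future namespace type is one more row; nothing else special-cases "user". */
static const struct { int flag; const char *name; } ns_table[] = {
    { CLONE_NEWIPC, "ipc" }, { CLONE_NEWUTS, "uts" }, { CLONE_NEWNET, "net" },
    { CLONE_NEWPID, "pid" }, { CLONE_NEWNS, "mnt" }, { CLONE_NEWUSER, "user" },
};
#define NS_COUNT (sizeof ns_table / sizeof ns_table[0])
/* Bitmask of the namespace links this kernel actually exposes for `pid`. */
int probe_supported_namespaces(pid_t pid)
{
    char path[64];
    int supported = 0;
    for (size_t i = 0; i < NS_COUNT; i++) {
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns_table[i].name);
        if (access(path, F_OK) == 0)
            supported |= ns_table[i].flag;
    }
    return supported;
}
/* container_flags: CLONE_* mask the container was started with (what the
 * proposed LXC_COMMAND_GET_NSFLAGS would return); requested: the user's -s mask,
 * or 0 when -s was not given; supported: from probe_supported_namespaces().
 * Returns the mask to attach, or -1 if a required namespace is not attachable. */
int select_namespaces(int container_flags, int requested, int supported)
{
    int wanted = requested ? requested : container_flags;
    return (wanted & ~supported) ? -1 : wanted;
}
/* Enter each namespace in `mask` of process `pid` via setns(2); needs
 * CAP_SYS_ADMIN. Returns 0 on success, -1 (errno set) on the first failure. */
int attach_namespaces(pid_t pid, int mask)
{
    char path[64];
    for (size_t i = 0; i < NS_COUNT; i++) {
        if (!(mask & ns_table[i].flag)) continue;
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns_table[i].name);
        int fd = open(path, O_RDONLY | O_CLOEXEC);
        int rc = fd < 0 ? -1 : setns(fd, ns_table[i].flag);
        if (fd >= 0) close(fd);
        if (rc < 0) return -1;
    }
    return 0;
}
```

A caller would do `mask = select_namespaces(flags_from_command, s_option_mask, probe_supported_namespaces(init_pid))` and refuse to attach when it returns -1, so an old kernel without /proc/self/ns/user fails loudly instead of silently entering fewer namespaces.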