[patch -mm 09/17] nsproxy: add namespace flags

Eric W. Biederman ebiederm at xmission.com
Mon Dec 11 12:02:15 PST 2006 

Cedric Le Goater <clg at fr.ibm.com> writes:

> Eric W. Biederman wrote:
>> Cedric Le Goater <clg at fr.ibm.com> writes:
>> 
>>>>>  /*
>>>>> + * namespaces flags
>>>>> + */
>>>>> +#define NS_MNT		0x00000001
>>>>> +#define NS_UTS		0x00000002
>>>>> +#define NS_IPC		0x00000004
>>>>> +#define NS_PID		0x00000008
>>>>> +#define NS_NET		0x00000010
>>>>> +#define NS_USER		0x00000020
>>>>> +#define NS_ALL		(NS_MNT|NS_UTS|NS_IPC|NS_PID|NS_NET|NS_USER)
>>>> hmm, why _another_ set of flags to refer to the
>>>> namespaces?
>>> well, because namespaces are a new kind in the kernel
>> 
>> Gratuitous incompatibility.
>
> ?

Changing the numbers for no good reason.  We can easily keep the existing numbers.

>>>> is the clone()/unshare() set of flags not sufficient
>>>> for that?
>>> because we are reaching the limits of the CLONE_ flags.
>> 
>> Not really.   There are at least 8 bits that clone cannot use
>> but that unshare can.
>
> please, could you list them ? 

CSIGNAL.  There are a several others as well that will never mean anything
in an unshare context:

I believe the 10 flags below are also nonsense from an unshare perspective.
CLONE_PTRACE		0x00002000
CLONE_VFORK		0x00004000
CLONE_PARENT		0x00008000
CLONE_SETTLS		0x00080000
CLONE_PARENT_SETTID	0x00100000
CLONE_CHILD_CLEARTID	0x00200000
CLONE_DETACHED		0x00400000
CLONE_UNTRACED		0x00800000
CLONE_CHILD_SETTID	0x01000000
CLONE_STOPPED		0x02000000

>>>> if so, shouldn't we switch (or even better change?
>>>> the unshare() too) to a new set of syscalls?
>>> unshare_ns() is a new syscall and we don't really need a
>>> clone anyway. nop ?
>> 
>> Huh?  Clone should be the primary.   There are certain namespaces
>> that it are very hard to unshare, without creating a new process.
>
> You just said above that clone had less available flags than
> unshare ...

I did.  It is just easier to support clone than unshare.

> anyway, could you elaborate a bit more ? I have the opposite 
> feeling and you gave me that impression also a few month ago. 
>
> No problem for me, i just want a way to use this stuff without

My feeling is basically that there are some things that we
can do much more cleanly at process creation time.

>From an implementation standpoint unshare is fairly nasty because
it keeps things from being invariants across the lifetime of a
process.  Which means it contains more races and is harder to support.
That's why we can't unshare we can share with clone right now.

Eric

More information about the Containers mailing list