[PATCH 1/1] namespaces: introduce sys_hijack (v11)

Bastian Blank bastian at waldi.eu.org
Fri Aug 1 10:22:01 PDT 2008

Resend: Removed some recipients by accident.

On Fri, Aug 01, 2008 at 11:39:05AM -0500, Serge E. Hallyn wrote:
> Quoting Bastian Blank (bastian at waldi.eu.org):
> > Why is it not enough to use the pid of the ns creator? The ns cgroups
> pids wrap around

Ups, yes.

> > But I think I have a different problem. Currently, namespaces are
> > destructed if the last process using them exits. You change that, they
> > will survive until the cgroup dies. Or is that cgroup destructed when
> > there are no longer processes using the nsproxy? As the commit message
> > speaks about "pid wraparound" as problem, I doubt that.
> Correct.  Having the namespaces stick around, and being able to attach
> to an empty container, was something Paul Menage had wanted IIRC.

It may produce problems with pid namespaces. The namespace is cleared if
the child reaper dies and I'm not sure how well it behaves without a new
one, which you can't create.

> But I'll leave that as is for now, until I hear something other than
> "this is so wrong it isn't funny" from Pavel :)

I'm not sure if it is funny to add another piece which may hold
filesystems open. Currently we can have different namespaces. All of
them are attached to processes and can be removed with kill. Now this
code adds another copy to an (automatically created) cgroup.

IMHO, the cgroup should be destructed automatically if the nsproxy is
about to be die.


Deflector shields just came on, Captain.

More information about the Containers mailing list