From: Ian Kent <raven@themaw.net>
To: Oleg Nesterov <oleg@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>,
Jeff Layton <jlayton@redhat.com>,
Greg KH <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, devel@openvz.org,
bfields@fieldses.org, bharrosh@panasas.com
Subject: Re: call_usermodehelper in containers
Date: Thu, 24 Mar 2016 15:45:44 +0800 [thread overview]
Message-ID: <1458805544.3099.16.camel@themaw.net> (raw)
In-Reply-To: <20131118172844.GA10005@redhat.com>
On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> On 11/15, Eric W. Biederman wrote:
> >
> > I don't understand that one. Having a preforked thread with the
> > proper
> > environment that can act like kthreadd in terms of spawning user
> > mode
> > helpers works and is simple.
>
> Can't we ask ->child_reaper to create the non-daemonized kernel thread
> with the "right" ->nsproxy, ->fs, etc?
>
> IOW. Please the the "patch" below. It is obviously incomplete and
> wrong,
> and it can be more clear/clean. And probably we need another API. Just
> to explain what I mean.
>
> With this patch call_usermodehelper(..., UMH_IN_MY_NS) should do exec
> from the caller's namespace.
Umm ... I don't think this can work.
I don't think it can be assumed that the init process of a container
will behave like an init process.
If you try and do this with a Docker container that has /bin/bash as the
init process signals never arrive and work doesn't start until some
other signal arrives at which time it fails to create the kernel thread
returning an error ERESTARTNOINTER (IIRC).
In fact a number of other things relating to signalling processes to
cleanly shutdown in a container suffer the same problem.
I probably don't understand what's actually going on, this is just my
impression of what I'm seeing.
>
> Oleg.
> ---
>
> --- a/include/linux/kmod.h
> +++ b/include/linux/kmod.h
> @@ -24,6 +24,7 @@
> #include <linux/errno.h>
> #include <linux/compiler.h>
> #include <linux/workqueue.h>
> +#include <linux/task_work.h>
> #include <linux/sysctl.h>
>
> #define KMOD_PATH_LEN 256
> @@ -53,8 +54,14 @@ struct file;
> #define UMH_WAIT_PROC 2 /* wait for the process to
> complete */
> #define UMH_KILLABLE 4 /* wait for EXEC/PROC killable
> */
>
> +// FIXME: IMH_* is not actually a mask
> +#define UMH_IN_MY_NS 8
> +
> struct subprocess_info {
> - struct work_struct work;
> + union {
> + struct work_struct work;
> + struct callback_head twork;
> + };
> struct completion *complete;
> char *path;
> char **argv;
> --- a/kernel/kmod.c
> +++ b/kernel/kmod.c
> @@ -541,7 +541,6 @@ struct subprocess_info
> *call_usermodehelper_setup(char *path, char **argv,
> if (!sub_info)
> goto out;
>
> - INIT_WORK(&sub_info->work, __call_usermodehelper);
> sub_info->path = path;
> sub_info->argv = argv;
> sub_info->envp = envp;
> @@ -554,6 +553,24 @@ struct subprocess_info
> *call_usermodehelper_setup(char *path, char **argv,
> }
> EXPORT_SYMBOL(call_usermodehelper_setup);
>
> +static int call_call_usermodehelper(void *twork)
> +{
> + struct subprocess_info *sub_info =
> + container_of(twork, struct subprocess_info, twork);
> +
> + __call_usermodehelper(&sub_info->work);
> + do_exit(0);
> +
> +}
> +
> +static void fork_umh_helper(struct callback_head *twork)
> +{
> + if (current->flags & PF_EXITING)
> + return; // WRONG, FIXME
> +
> + kernel_thread(call_call_usermodehelper, twork, SIGCHLD);
> +}
> +
> /**
> * call_usermodehelper_exec - start a usermode application
> * @sub_info: information about the subprocessa
> @@ -570,6 +587,10 @@ int call_usermodehelper_exec(struct
> subprocess_info *sub_info, int wait)
> {
> DECLARE_COMPLETION_ONSTACK(done);
> int retval = 0;
> + bool in_my_ns;
> +
> + in_my_ns = wait & UMH_IN_MY_NS;
> + wait &= ~UMH_IN_MY_NS;
>
> if (!sub_info->path) {
> call_usermodehelper_freeinfo(sub_info);
> @@ -594,7 +615,21 @@ int call_usermodehelper_exec(struct
> subprocess_info *sub_info, int wait)
> sub_info->complete = &done;
> sub_info->wait = wait;
>
> - queue_work(khelper_wq, &sub_info->work);
> + if (likely(!in_my_ns)) {
> + INIT_WORK(&sub_info->work, __call_usermodehelper);
> + queue_work(khelper_wq, &sub_info->work);
> + } else {
> + // RACY, WRONG, ETC
> + struct task_struct *my_init =
> task_active_pid_ns(current)->child_reaper;
> +
> + init_task_work(&sub_info->twork, fork_umh_helper);
> + task_work_add(my_init, &sub_info->twork, false);
> +
> + // until we have task_work_add_interruptibel()
> + do_send_sig_info(SIGCHLD, SEND_SIG_FORCED, my_init,
> false);
> +
> + }
> +
> if (wait == UMH_NO_WAIT) /* task has freed sub_info */
> goto unlock;
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux
> -fsdevel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-03-24 7:46 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-11 12:18 call_usermodehelper in containers Jeff Layton
2013-11-11 12:43 ` [Devel] " Vasily Kulikov
2013-11-11 13:26 ` Jeff Layton
2013-11-12 0:47 ` Greg KH
2013-11-12 11:12 ` Jeff Layton
2013-11-12 13:02 ` Stanislav Kinsbursky
2013-11-12 13:30 ` Jeff Layton
2013-11-15 5:05 ` Eric W. Biederman
2013-11-15 10:40 ` Stanislav Kinsbursky
2013-11-15 11:03 ` Eric W. Biederman
2013-11-15 11:54 ` Stanislav Kinsbursky
2016-02-12 23:39 ` Ian Kent
2016-02-13 16:08 ` Stanislav Kinsburskiy
2016-02-15 0:11 ` Ian Kent
[not found] ` <1455495082.2941.32.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-18 3:17 ` Eric W. Biederman
2016-02-18 3:17 ` Eric W. Biederman
2013-11-18 17:28 ` Oleg Nesterov
2013-11-18 18:02 ` Oleg Nesterov
2013-11-19 14:51 ` Jeff Layton
2016-02-11 0:17 ` Ian Kent
[not found] ` <1455149857.2903.9.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-18 2:57 ` Eric W. Biederman
2016-02-18 2:57 ` Eric W. Biederman
[not found] ` <8737sq4teb.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-02-18 3:43 ` Kamezawa Hiroyuki
2016-02-18 3:43 ` Kamezawa Hiroyuki
2016-02-18 6:36 ` Ian Kent
2016-02-18 7:37 ` Ian Kent
[not found] ` <1455781033.2908.5.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-18 20:45 ` Eric W. Biederman
2016-02-18 20:45 ` Eric W. Biederman
[not found] ` <87r3g9ychc.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-02-19 3:08 ` Kamezawa Hiroyuki
2016-02-19 3:08 ` Kamezawa Hiroyuki
[not found] ` <56C68714.2000900-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2016-02-19 5:37 ` Ian Kent
2016-02-19 5:37 ` Ian Kent
[not found] ` <1455860260.3356.31.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-19 9:30 ` Kamezawa Hiroyuki
2016-02-19 9:30 ` Kamezawa Hiroyuki
[not found] ` <56C6E0A8.3010806-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2016-02-20 3:28 ` Ian Kent
2016-02-20 3:28 ` Ian Kent
2016-02-19 5:14 ` Ian Kent
2016-02-19 5:14 ` Ian Kent
2016-02-23 2:55 ` Ian Kent
[not found] ` <1456196130.2911.10.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-23 14:36 ` J. Bruce Fields
2016-02-23 14:36 ` J. Bruce Fields
[not found] ` <20160223143627.GB31951-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2016-02-24 0:55 ` Ian Kent
2016-02-24 0:55 ` Ian Kent
[not found] ` <1455858850.3356.19.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-23 2:55 ` Ian Kent
[not found] ` <1455777387.3188.24.camel-PKsaG3nR2I+sTnJN9+BGXg@public.gmane.org>
2016-02-18 7:37 ` Ian Kent
[not found] ` <56C53DE3.1070108-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2016-02-18 6:36 ` Ian Kent
2016-03-24 7:45 ` Ian Kent [this message]
2016-03-25 1:28 ` Oleg Nesterov
2016-03-25 7:25 ` Ian Kent
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458805544.3099.16.camel@themaw.net \
--to=raven@themaw.net \
--cc=bfields@fieldses.org \
--cc=bharrosh@panasas.com \
--cc=devel@openvz.org \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=skinsbursky@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.