[PATCH 1/2] Kconfig : remove pid_ns and net_ns experimental

[PATCH 1/2] Kconfig : remove pid_ns and net_ns experimental

[Daniel Lezcano]

The pid namespace is in the kernel since 2.6.27 and the net_ns
since 2.6.29. They are enabled in the distro by default and used by
userspace component. They are mature enough to remove the 'experimental'
label.

Signed-off-by: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
---
 init/Kconfig |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/init/Kconfig b/init/Kconfig
index a175935..a52124e 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -759,21 +759,18 @@ config USER_NS
 	  If unsure, say N.
 
 config PID_NS
-	bool "PID Namespaces (EXPERIMENTAL)"
+	bool "PID Namespaces"
 	default n
-	depends on NAMESPACES && EXPERIMENTAL
+	depends on NAMESPACES
 	help
 	  Support process id namespaces.  This allows having multiple
 	  processes with the same pid as long as they are in different
 	  pid namespaces.  This is a building block of containers.
 
-	  Unless you want to work with an experimental feature
-	  say N here.
-
 config NET_NS
 	bool "Network namespace"
 	default n
-	depends on NAMESPACES && EXPERIMENTAL && NET
+	depends on NAMESPACES && NET
 	help
 	  Allow user space to create what appear to be multiple instances
 	  of the network stack.
-- 
1.7.0.4

[PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Daniel Lezcano]

As the different namespaces depend on 'CONFIG_NAMESPACES', it is
logical to enable all the namespaces when we enable NAMESPACES.

Signed-off-by: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
---
 init/Kconfig |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/init/Kconfig b/init/Kconfig
index a52124e..a7fe61e 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -739,6 +739,7 @@ config NAMESPACES
 config UTS_NS
 	bool "UTS namespace"
 	depends on NAMESPACES
+	default y
 	help
 	  In this namespace tasks see different info provided with the
 	  uname() system call
@@ -746,6 +747,7 @@ config UTS_NS
 config IPC_NS
 	bool "IPC namespace"
 	depends on NAMESPACES && (SYSVIPC || POSIX_MQUEUE)
+	default y
 	help
 	  In this namespace tasks work with IPC ids which correspond to
 	  different IPC objects in different namespaces.
@@ -753,6 +755,7 @@ config IPC_NS
 config USER_NS
 	bool "User namespace (EXPERIMENTAL)"
 	depends on NAMESPACES && EXPERIMENTAL
+	default y
 	help
 	  This allows containers, i.e. vservers, to use user namespaces
 	  to provide different user info for different servers.
@@ -760,8 +763,8 @@ config USER_NS
 
 config PID_NS
 	bool "PID Namespaces"
-	default n
 	depends on NAMESPACES
+	default y
 	help
 	  Support process id namespaces.  This allows having multiple
 	  processes with the same pid as long as they are in different
@@ -769,8 +772,8 @@ config PID_NS
 
 config NET_NS
 	bool "Network namespace"
-	default n
 	depends on NAMESPACES && NET
+	default y
 	help
 	  Allow user space to create what appear to be multiple instances
 	  of the network stack.
-- 
1.7.0.4

Re: [PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Matt Helsley]

On Thu, Oct 07, 2010 at 03:15:33PM +0200, Daniel Lezcano wrote:
> As the different namespaces depend on 'CONFIG_NAMESPACES', it is
> logical to enable all the namespaces when we enable NAMESPACES.
> 
> Signed-off-by: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>

Subject of the patch email is a little confusing as it's not
quite what happens. I'm mostly OK with it but I'm not sure we
should enable user-ns by default just yet.

Acked-By: Matt Helsley <matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

> ---
>  init/Kconfig |    7 +++++--
>  1 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/init/Kconfig b/init/Kconfig
> index a52124e..a7fe61e 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -739,6 +739,7 @@ config NAMESPACES
>  config UTS_NS
>  	bool "UTS namespace"
>  	depends on NAMESPACES
> +	default y
>  	help
>  	  In this namespace tasks see different info provided with the
>  	  uname() system call
> @@ -746,6 +747,7 @@ config UTS_NS
>  config IPC_NS
>  	bool "IPC namespace"
>  	depends on NAMESPACES && (SYSVIPC || POSIX_MQUEUE)
> +	default y
>  	help
>  	  In this namespace tasks work with IPC ids which correspond to
>  	  different IPC objects in different namespaces.
> @@ -753,6 +755,7 @@ config IPC_NS
>  config USER_NS
>  	bool "User namespace (EXPERIMENTAL)"
>  	depends on NAMESPACES && EXPERIMENTAL
> +	default y
>  	help
>  	  This allows containers, i.e. vservers, to use user namespaces
>  	  to provide different user info for different servers.
> @@ -760,8 +763,8 @@ config USER_NS
> 
>  config PID_NS
>  	bool "PID Namespaces"
> -	default n
>  	depends on NAMESPACES
> +	default y
>  	help
>  	  Support process id namespaces.  This allows having multiple
>  	  processes with the same pid as long as they are in different
> @@ -769,8 +772,8 @@ config PID_NS
> 
>  config NET_NS
>  	bool "Network namespace"
> -	default n
>  	depends on NAMESPACES && NET
> +	default y
>  	help
>  	  Allow user space to create what appear to be multiple instances
>  	  of the network stack.
> -- 
> 1.7.0.4
> 
> _______________________________________________
> Containers mailing list
> Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
> https://lists.linux-foundation.org/mailman/listinfo/containers

Re: [PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Serge E. Hallyn]

Quoting Matt Helsley (matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> On Thu, Oct 07, 2010 at 03:15:33PM +0200, Daniel Lezcano wrote:
> > As the different namespaces depend on 'CONFIG_NAMESPACES', it is
> > logical to enable all the namespaces when we enable NAMESPACES.
> > 
> > Signed-off-by: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
> 
> Subject of the patch email is a little confusing as it's not
> quite what happens. I'm mostly OK with it but I'm not sure we
> should enable user-ns by default just yet.
> 
> Acked-By: Matt Helsley <matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

In fact, perhaps we should keep the experimental tag on user namespaces.
If/when I/someone returns to heavy hacking on user namespaces, the
changes will be very invasive.  (Of course then we get back to questions
of the usefulness of experimental tag)

In particular, when we start refusing access for certain accesses between
user namespaces, it might confuse userspace.

Definately Ack to the other two.

-serge

Re: [PATCH 1/2] Kconfig : remove pid_ns and net_ns experimental

[Oren Laadan]

Daniel,

Maybe you can throw this on in the series as well ?
http://www.mail-archive.com/linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org/msg01431.html

It's a one-liner to move the namespaces options into its own
sub-menu under 'General Setup'.

Oren.


On 10/07/2010 09:15 AM, Daniel Lezcano wrote:
> The pid namespace is in the kernel since 2.6.27 and the net_ns
> since 2.6.29. They are enabled in the distro by default and used by
> userspace component. They are mature enough to remove the 'experimental'
> label.
>
> Signed-off-by: Daniel Lezcano<daniel.lezcano-GANU6spQydw@public.gmane.org>
> ---
>   init/Kconfig |    9 +++------
>   1 files changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/init/Kconfig b/init/Kconfig
> index a175935..a52124e 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -759,21 +759,18 @@ config USER_NS
>   	  If unsure, say N.
>
>   config PID_NS
> -	bool "PID Namespaces (EXPERIMENTAL)"
> +	bool "PID Namespaces"
>   	default n
> -	depends on NAMESPACES&&  EXPERIMENTAL
> +	depends on NAMESPACES
>   	help
>   	  Support process id namespaces.  This allows having multiple
>   	  processes with the same pid as long as they are in different
>   	  pid namespaces.  This is a building block of containers.
>
> -	  Unless you want to work with an experimental feature
> -	  say N here.
> -
>   config NET_NS
>   	bool "Network namespace"
>   	default n
> -	depends on NAMESPACES&&  EXPERIMENTAL&&  NET
> +	depends on NAMESPACES&&  NET
>   	help
>   	  Allow user space to create what appear to be multiple instances
>   	  of the network stack.

Re: [PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Daniel Lezcano]

On 10/12/2010 07:16 PM, Serge E. Hallyn wrote:
> Quoting Matt Helsley (matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
>    
>> On Thu, Oct 07, 2010 at 03:15:33PM +0200, Daniel Lezcano wrote:
>>      
>>> As the different namespaces depend on 'CONFIG_NAMESPACES', it is
>>> logical to enable all the namespaces when we enable NAMESPACES.
>>>
>>> Signed-off-by: Daniel Lezcano<daniel.lezcano-GANU6spQydw@public.gmane.org>
>>>        
>> Subject of the patch email is a little confusing as it's not
>> quite what happens. I'm mostly OK with it but I'm not sure we
>> should enable user-ns by default just yet.
>>
>> Acked-By: Matt Helsley<matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
>>      
> In fact, perhaps we should keep the experimental tag on user namespaces.
>    

The experimental tag is kept on the user namespace. This one is 
defaulting to yes when the namespaces and experimental are selected.

Re: [PATCH 1/2] Kconfig : remove pid_ns and net_ns experimental

[Daniel Lezcano]

On 10/12/2010 07:53 PM, Oren Laadan wrote:
> Daniel,
>
> Maybe you can throw this on in the series as well ?
> http://www.mail-archive.com/linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org/msg01431.html
>
> It's a one-liner to move the namespaces options into its own
> sub-menu under 'General Setup'.

Right, that makes sense.

   -- Daniel

Re: [PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Serge E. Hallyn]

Quoting Daniel Lezcano (daniel.lezcano-GANU6spQydw@public.gmane.org):
> On 10/12/2010 07:16 PM, Serge E. Hallyn wrote:
> >Quoting Matt Helsley (matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> >>On Thu, Oct 07, 2010 at 03:15:33PM +0200, Daniel Lezcano wrote:
> >>>As the different namespaces depend on 'CONFIG_NAMESPACES', it is
> >>>logical to enable all the namespaces when we enable NAMESPACES.
> >>>
> >>>Signed-off-by: Daniel Lezcano<daniel.lezcano-GANU6spQydw@public.gmane.org>
> >>Subject of the patch email is a little confusing as it's not
> >>quite what happens. I'm mostly OK with it but I'm not sure we
> >>should enable user-ns by default just yet.
> >>
> >>Acked-By: Matt Helsley<matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> >In fact, perhaps we should keep the experimental tag on user namespaces.
> 
> The experimental tag is kept on the user namespace. This one is
> defaulting to yes when the namespaces and experimental are selected.

Oh, sounds good

-serge

Re: [PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Andrew Morton]

On Wed, 13 Oct 2010 09:44:30 -0500
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:

> Quoting Daniel Lezcano (daniel.lezcano-GANU6spQydw@public.gmane.org):
> > On 10/12/2010 07:16 PM, Serge E. Hallyn wrote:
> > >Quoting Matt Helsley (matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> > >>On Thu, Oct 07, 2010 at 03:15:33PM +0200, Daniel Lezcano wrote:
> > >>>As the different namespaces depend on 'CONFIG_NAMESPACES', it is
> > >>>logical to enable all the namespaces when we enable NAMESPACES.
> > >>>
> > >>>Signed-off-by: Daniel Lezcano<daniel.lezcano-GANU6spQydw@public.gmane.org>
> > >>Subject of the patch email is a little confusing as it's not
> > >>quite what happens. I'm mostly OK with it but I'm not sure we
> > >>should enable user-ns by default just yet.
> > >>
> > >>Acked-By: Matt Helsley<matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> > >In fact, perhaps we should keep the experimental tag on user namespaces.
> > 
> > The experimental tag is kept on the user namespace. This one is
> > defaulting to yes when the namespaces and experimental are selected.
> 
> Oh, sounds good
> 

My attention flagged.  Can we please confirm that the current patch is
still good?


From: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>

As the different namespaces depend on 'CONFIG_NAMESPACES', it is logical
to enable all the namespaces when we enable NAMESPACES.

Signed-off-by: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
Cc: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Acked-By: Matt Helsley <matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Signed-off-by: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
---

 init/Kconfig |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff -puN init/Kconfig~namespaces-default-all-the-namespaces-to-yes-when-config_namespaces-is-selected init/Kconfig
--- a/init/Kconfig~namespaces-default-all-the-namespaces-to-yes-when-config_namespaces-is-selected
+++ a/init/Kconfig
@@ -739,6 +739,7 @@ config NAMESPACES
 config UTS_NS
 	bool "UTS namespace"
 	depends on NAMESPACES
+	default y
 	help
 	  In this namespace tasks see different info provided with the
 	  uname() system call
@@ -746,6 +747,7 @@ config UTS_NS
 config IPC_NS
 	bool "IPC namespace"
 	depends on NAMESPACES && (SYSVIPC || POSIX_MQUEUE)
+	default y
 	help
 	  In this namespace tasks work with IPC ids which correspond to
 	  different IPC objects in different namespaces.
@@ -753,6 +755,7 @@ config IPC_NS
 config USER_NS
 	bool "User namespace (EXPERIMENTAL)"
 	depends on NAMESPACES && EXPERIMENTAL
+	default y
 	help
 	  This allows containers, i.e. vservers, to use user namespaces
 	  to provide different user info for different servers.
@@ -760,8 +763,8 @@ config USER_NS
 
 config PID_NS
 	bool "PID Namespaces"
-	default n
 	depends on NAMESPACES
+	default y
 	help
 	  Support process id namespaces.  This allows having multiple
 	  processes with the same pid as long as they are in different
@@ -769,8 +772,8 @@ config PID_NS
 
 config NET_NS
 	bool "Network namespace"
-	default n
 	depends on NAMESPACES && NET
+	default y
 	help
 	  Allow user space to create what appear to be multiple instances
 	  of the network stack.
_

Re: [PATCH 2/2] Kconfig : default all the namespaces to 'yes'

[Serge E. Hallyn]

Quoting Andrew Morton (akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org):
> On Wed, 13 Oct 2010 09:44:30 -0500
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:
> 
> > Quoting Daniel Lezcano (daniel.lezcano-GANU6spQydw@public.gmane.org):
> > > On 10/12/2010 07:16 PM, Serge E. Hallyn wrote:
> > > >Quoting Matt Helsley (matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> > > >>On Thu, Oct 07, 2010 at 03:15:33PM +0200, Daniel Lezcano wrote:
> > > >>>As the different namespaces depend on 'CONFIG_NAMESPACES', it is
> > > >>>logical to enable all the namespaces when we enable NAMESPACES.
> > > >>>
> > > >>>Signed-off-by: Daniel Lezcano<daniel.lezcano-GANU6spQydw@public.gmane.org>
> > > >>Subject of the patch email is a little confusing as it's not
> > > >>quite what happens. I'm mostly OK with it but I'm not sure we
> > > >>should enable user-ns by default just yet.
> > > >>
> > > >>Acked-By: Matt Helsley<matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> > > >In fact, perhaps we should keep the experimental tag on user namespaces.
> > > 
> > > The experimental tag is kept on the user namespace. This one is
> > > defaulting to yes when the namespaces and experimental are selected.
> > 
> > Oh, sounds good
> > 
> 
> My attention flagged.  Can we please confirm that the current patch is
> still good?

Yup, the patch below only sets USER_NS=y when EXPERIMENTAL=y, which I'd
failed to notice the first time.

Acked-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>

> From: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
> 
> As the different namespaces depend on 'CONFIG_NAMESPACES', it is logical
> to enable all the namespaces when we enable NAMESPACES.
> 
> Signed-off-by: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
> Cc: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
> Cc: David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
> Acked-By: Matt Helsley <matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> Signed-off-by: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
> ---
> 
>  init/Kconfig |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff -puN init/Kconfig~namespaces-default-all-the-namespaces-to-yes-when-config_namespaces-is-selected init/Kconfig
> --- a/init/Kconfig~namespaces-default-all-the-namespaces-to-yes-when-config_namespaces-is-selected
> +++ a/init/Kconfig
> @@ -739,6 +739,7 @@ config NAMESPACES
>  config UTS_NS
>  	bool "UTS namespace"
>  	depends on NAMESPACES
> +	default y
>  	help
>  	  In this namespace tasks see different info provided with the
>  	  uname() system call
> @@ -746,6 +747,7 @@ config UTS_NS
>  config IPC_NS
>  	bool "IPC namespace"
>  	depends on NAMESPACES && (SYSVIPC || POSIX_MQUEUE)
> +	default y
>  	help
>  	  In this namespace tasks work with IPC ids which correspond to
>  	  different IPC objects in different namespaces.
> @@ -753,6 +755,7 @@ config IPC_NS
>  config USER_NS
>  	bool "User namespace (EXPERIMENTAL)"
>  	depends on NAMESPACES && EXPERIMENTAL
> +	default y
>  	help
>  	  This allows containers, i.e. vservers, to use user namespaces
>  	  to provide different user info for different servers.
> @@ -760,8 +763,8 @@ config USER_NS
>  
>  config PID_NS
>  	bool "PID Namespaces"
> -	default n
>  	depends on NAMESPACES
> +	default y
>  	help
>  	  Support process id namespaces.  This allows having multiple
>  	  processes with the same pid as long as they are in different
> @@ -769,8 +772,8 @@ config PID_NS
>  
>  config NET_NS
>  	bool "Network namespace"
> -	default n
>  	depends on NAMESPACES && NET
> +	default y
>  	help
>  	  Allow user space to create what appear to be multiple instances
>  	  of the network stack.
> _