From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael Kerrisk (man-pages)"
Subject: Re: [PATCH 0/5 RFC] Add an interface to discover relationships between namespaces
Date: Mon, 25 Jul 2016 16:46:25 +0200
Message-ID: <44ca0e41-dc92-45b1-2a6c-c41a048a072d@gmail.com>
In-Reply-To: <87lh0pg8jx.fsf@x220.int.ebiederm.org>
References: <1468520419-28220-1-git-send-email-avagin@openvz.org> <20160721210650.GA10989@outlook.office365.com> <1515f5f2-5a49-fcab-61f4-8b627d3ba3e2@gmail.com> <87lh0pg8jx.fsf@x220.int.ebiederm.org>
To: "Eric W. Biederman"
Cc: Serge Hallyn, Andrew Vagin, Linux API, Linux Containers, LKML, Alexander Viro, "criu@openvz.org", mtk.manpages@gmail.com, linux-fsdevel, James Bottomley, Andrey Vagin
List-Id: containers.vger.kernel.org

Hi Eric,

On 07/25/2016 03:18 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" writes:
>
>> Hi Andrey,
>>
>> On 07/22/2016 08:25 PM, Andrey Vagin wrote:
>>> On Thu, Jul 21, 2016 at 11:48 PM, Michael Kerrisk (man-pages)
>>> wrote:
>>>> Hi Andrey,
>>>>
>>>>
>>>> On 07/21/2016 11:06 PM, Andrew Vagin wrote:
>>>>>
>>>>> On Thu, Jul 21, 2016 at 04:41:12PM +0200, Michael Kerrisk (man-pages)
>>>>> wrote:
>>>>>>
>>>>>> Hi Andrey,
>>>>>>
>>>>>> On 07/14/2016 08:20 PM, Andrey Vagin wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Could you add here an of the API in detail: what do these FDs refer to,
>>>>>> and how do you use them to solve the use case? And could you add
>>>>>> that info to the commit messages please.
>>>>>
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> A patch for man-pages is attached. It adds the following text to
>>>>> namespaces(7).
>>>>>
>>>>> Since Linux 4.X, the following ioctl(2) calls are supported for
>>>>> namespace file descriptors.
>>>>> The correct syntax is:
>>>>>
>>>>>       fd = ioctl(ns_fd, ioctl_type);
>>>>>
>>>>> where ioctl_type is one of the following:
>>>>>
>>>>> NS_GET_USERNS
>>>>>       Returns a file descriptor that refers to an owning user
>>>>>       namespace.
>>>>>
>>>>> NS_GET_PARENT
>>>>>       Returns a file descriptor that refers to a parent namespace.
>>>>>       This ioctl(2) can be used for pid and user namespaces. For user
>>>>>       namespaces, NS_GET_PARENT and NS_GET_USERNS have the same
>>>>>       meaning.
>>
>> For each of the above, I think it is worth mentioning that the
>> close-on-exec flag is set for the returned file descriptor.
>
> Hmm. That is an odd default.

Why do you say that? It's pretty common as the default for various
APIs that create new FDs these days. (There's of course a strong argument
that the original UNIX default was a design blunder...)

>>>>>
>>>>> In addition to generic ioctl(2) errors, the following specific ones can
>>>>> occur:
>>>>>
>>>>> EINVAL NS_GET_PARENT was called for a nonhierarchical namespace.
>>>>>
>>>>> EPERM  The requested namespace is outside of the current namespace
>>>>>        scope.
>>
>> Perhaps add "and the caller does not have CAP_SYS_ADMIN" in the initial
>> user namespace"?
>
> Having looked at that bit of code I don't think capabilities really
> have a role to play.

Yes, I caught up with that now. I await to see how this plays out
in the next patch version.

>>>>> ENOENT ns_fd refers to the init namespace.
>>>>
>>>>
>>>> Thanks for this. But still part of the question remains unanswered.
>>>> How do we (in user-space) use the file descriptors to answer any of
>>>> the questions that this patch series was designed to solve? (This
>>>> info should be in the commit message and the man-pages patch.)
>>>
>>> I'm sorry, but I am not sure that I understand what you ask.
>>>
>>> Here are the origin questions:
>>> Someone else then asked me a question that led me to wonder about
>>> generally introspecting on the parental relationships between user
>>> namespaces and the association of other namespaces types with user
>>> namespaces. One use would be visualization, in order to understand the
>>> running system. Another would be to answer the question I already
>>> mentioned: what capability does process X have to perform operations
>>> on a resource governed by namespace Y?
>>>
>>> Here is an example which shows how we can get the owning namespace
>>> inode number by using these ioctl-s.
>>>
>>> $ ls -l /proc/13929/ns/pid
>>> lrwxrwxrwx 1 root root 0 Jul 22 21:03 /proc/13929/ns/pid -> 'pid:[4026532228]'
>>>
>>> $ ./nsowner /proc/13929/ns/pid
>>> user:[4026532227]
>>>
>>> The owning user namespace for pid:[4026532228] is user:[4026532227].
>>>
>>> The nsowner tool is compiled from this code:
>>>
>>> #include <fcntl.h>
>>> #include <stdio.h>
>>> #include <unistd.h>
>>> #include <sys/ioctl.h>
>>> #include <linux/nsfs.h>	/* NS_GET_USERNS */
>>>
>>> int main(int argc, char *argv[])
>>> {
>>>         char buf[128], path[] = "/proc/self/fd/0123456789";
>>>         int ns, uns, ret;
>>>
>>>         /* argv[1] is a namespace file such as /proc/PID/ns/pid */
>>>         ns = open(argv[1], O_RDONLY);
>>>         if (ns < 0)
>>>                 return 1;
>>>
>>>         /* get a descriptor for the owning user namespace */
>>>         uns = ioctl(ns, NS_GET_USERNS);
>>>         if (uns < 0)
>>>                 return 1;
>>>
>>>         /* the symlink target names the namespace: "user:[inode]" */
>>>         snprintf(path, sizeof(path), "/proc/self/fd/%d", uns);
>>>         ret = readlink(path, buf, sizeof(buf) - 1);
>>>         if (ret < 0)
>>>                 return 1;
>>>         buf[ret] = 0;
>>>
>>>         printf("%s\n", buf);
>>>
>>>         return 0;
>>> }
>>
>> So, from my point of view, the important piece that was missing from
>> your commit message was the note to use readlink("/proc/self/fd/%d")
>> on the returned FDs. I think that detail needs to be part of the
>> commit message (and also the man page text). I think it would even be
>> helpful to include the above program as part of the commit message:
>> it helps people more quickly grasp the API.
>
> Please, please make the standard way to compare these things fstat.
> That is much less magic than a symlink, and a little more future proof.
> Possibly even kcmp.

As in fstat() to get the st_ino field, right?

Cheers,

Michael

> At some point we will care about migrating a migrating sub-container and we
> may have to have some minor changes.
>
> Eric
>


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
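
Added example, not part of the original message and not code from the patch series: the fstat()-based comparison suggested in the thread, applied to the descriptor returned by NS_GET_USERNS to tell whether a namespace is owned by the caller's own user namespace. The function names are hypothetical, and the ioctl number is defined locally on the assumption that it matches mainline `<linux/nsfs.h>`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef NS_GET_USERNS              /* assumed equal to mainline <linux/nsfs.h> */
#define NSIO 0xb7
#define NS_GET_USERNS _IO(NSIO, 0x1)
#endif

/* 1 if both descriptors refer to the same object (same device and inode),
 * 0 if they differ, -1 if either fstat() fails. */
int same_object(int fd_a, int fd_b)
{
    struct stat a, b;

    if (fstat(fd_a, &a) < 0 || fstat(fd_b, &b) < 0)
        return -1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* 1 if the namespace at ns_path is owned by the caller's user namespace,
 * 0 if it is owned by another one, -1 on any error (for example EPERM when
 * the owner is outside the caller's scope, or a kernel without the ioctl). */
int owned_by_my_userns(const char *ns_path)
{
    int ns, owner, mine, ret = -1;

    ns = open(ns_path, O_RDONLY);
    owner = ns < 0 ? -1 : ioctl(ns, NS_GET_USERNS);
    mine = open("/proc/self/ns/user", O_RDONLY);
    if (owner >= 0 && mine >= 0)
        ret = same_object(owner, mine);   /* no symlink text is parsed */
    if (ns >= 0) close(ns);
    if (owner >= 0) close(owner);
    if (mine >= 0) close(mine);
    return ret;
}

int main(int argc, char *argv[])
{
    int r = owned_by_my_userns(argc > 1 ? argv[1] : "/proc/self/ns/pid");

    if (r >= 0)
        puts(r ? "owner is the caller's user namespace" : "owner is another user namespace");
    return r < 0;
}
```

Comparing st_dev together with st_ino avoids depending on the `type:[inode]` text that readlink() returns.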