From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [PATCH 0/5 RFC] Add an interface to discover relationships between namespaces
Date: Mon, 25 Jul 2016 08:18:42 -0500
Message-ID: <87lh0pg8jx.fsf@x220.int.ebiederm.org>
References: <1468520419-28220-1-git-send-email-avagin@openvz.org> <20160721210650.GA10989@outlook.office365.com> <1515f5f2-5a49-fcab-61f4-8b627d3ba3e2@gmail.com>
In-Reply-To: (Michael Kerrisk's message of "Mon, 25 Jul 2016 13:47:51 +0200")
To: "Michael Kerrisk (man-pages)"
Cc: Serge Hallyn, Andrey Vagin, Linux API, Linux Containers, LKML, "criu-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org", Alexander Viro, linux-fsdevel, James Bottomley, Andrew Vagin
List-Id: containers.vger.kernel.org

"Michael Kerrisk (man-pages)" writes:

> Hi Andrey,
>
> On 07/22/2016 08:25 PM, Andrey Vagin wrote:
>> On Thu, Jul 21, 2016 at 11:48 PM, Michael Kerrisk (man-pages)
>> wrote:
>>> Hi Andrey,
>>>
>>> On 07/21/2016 11:06 PM, Andrew Vagin wrote:
>>>>
>>>> On Thu, Jul 21, 2016 at 04:41:12PM +0200, Michael Kerrisk (man-pages)
>>>> wrote:
>>>>>
>>>>> Hi Andrey,
>>>>>
>>>>> On 07/14/2016 08:20 PM, Andrey Vagin wrote:
>>>>
>>>>>
>>>>> Could you add here an of the API in detail: what do these FDs refer to,
>>>>> and how do you use them to solve the use case? And could you add
>>>>> that info to the commit messages please.
>>>>
>>>>
>>>> Hi Michael,
>>>>
>>>> A patch for man-pages is attached. It adds the following text to
>>>> namespaces(7).
>>>>
>>>> Since Linux 4.X, the following ioctl(2) calls are supported for
>>>> namespace file descriptors. The correct syntax is:
>>>>
>>>>       fd = ioctl(ns_fd, ioctl_type);
>>>>
>>>> where ioctl_type is one of the following:
>>>>
>>>> NS_GET_USERNS
>>>>       Returns a file descriptor that refers to an owning user
>>>>       namespace.
>>>>
>>>> NS_GET_PARENT
>>>>       Returns a file descriptor that refers to a parent namespace.
>>>>       This ioctl(2) can be used for pid and user namespaces. For user
>>>>       namespaces, NS_GET_PARENT and NS_GET_USERNS have the same
>>>>       meaning.
>
> For each of the above, I think it is worth mentioning that the
> close-on-exec flag is set for the returned file descriptor.

Hmm. That is an odd default.

>>>>
>>>> In addition to generic ioctl(2) errors, the following specific ones can
>>>> occur:
>>>>
>>>> EINVAL NS_GET_PARENT was called for a nonhierarchical namespace.
>>>>
>>>> EPERM  The requested namespace is outside of the current namespace
>>>>       scope.
>
> Perhaps add "and the caller does not have CAP_SYS_ADMIN" in the initial
> user namespace"?

Having looked at that bit of code I don't think capabilities really
have a role to play.

>>>> ENOENT ns_fd refers to the init namespace.
>>>
>>>
>>> Thanks for this. But still part of the question remains unanswered.
>>> How do we (in user-space) use the file descriptors to answer any of
>>> the questions that this patch series was designed to solve? (This
>>> info should be in the commit message and the man-pages patch.)
>>
>> I'm sorry, but I am not sure that I understand what you ask.
>>
>> Here are the origin questions:
>> Someone else then asked me a question that led me to wonder about
>> generally introspecting on the parental relationships between user
>> namespaces and the association of other namespaces types with user
>> namespaces. One use would be visualization, in order to understand the
>> running system.
>> Another would be to answer the question I already
>> mentioned: what capability does process X have to perform operations
>> on a resource governed by namespace Y?
>>
>> Here is an example which shows how we can get the owning namespace
>> inode number by using these ioctl-s.
>>
>> $ ls -l /proc/13929/ns/pid
>> lrwxrwxrwx 1 root root 0 Jul 22 21:03 /proc/13929/ns/pid -> 'pid:[4026532228]'
>>
>> $ ./nsowner /proc/13929/ns/pid
>> user:[4026532227]
>>
>> The owning user namespace for pid:[4026532228] is user:[4026532227].
>>
>> The nsowner tool is compiled from this code:
>>
>> #include <fcntl.h>
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <sys/ioctl.h>
>> #include <linux/nsfs.h>   /* NS_GET_USERNS */
>>
>> int main(int argc, char *argv[])
>> {
>>         char buf[128], path[] = "/proc/self/fd/0123456789";
>>         int ns, uns, ret;
>>
>>         /* Require the namespace path argument. */
>>         if (argc < 2)
>>                 return 1;
>>
>>         ns = open(argv[1], O_RDONLY);
>>         if (ns < 0)
>>                 return 1;
>>
>>         /* Get a descriptor for the owning user namespace. */
>>         uns = ioctl(ns, NS_GET_USERNS);
>>         if (uns < 0)
>>                 return 1;
>>
>>         /* Resolve the descriptor to its "user:[inode]" link text. */
>>         snprintf(path, sizeof(path), "/proc/self/fd/%d", uns);
>>         ret = readlink(path, buf, sizeof(buf) - 1);
>>         if (ret < 0)
>>                 return 1;
>>         buf[ret] = 0;
>>
>>         printf("%s\n", buf);
>>
>>         return 0;
>> }
>
> So, from my point of view, the important piece that was missing from
> your commit message was the note to use readlink("/proc/self/fd/%d")
> on the returned FDs. I think that detail needs to be part of the
> commit message (and also the man page text). I think it would even be
> helpful to include the above program as part of the commit message:
> it helps people more quickly grasp the API.

Please, please make the standard way to compare these things fstat.
That is much less magic than a symlink, and a little more future proof.
Possibly even kcmp.

At some point we will care about migrating a migrating sub-container and we
may have to have some minor changes.

Eric
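
The fstat-based comparison requested in the reply above, written out as an added example (not code from this thread or the patch series): the descriptor returned by NS_GET_USERNS is identified by its (st_dev, st_ino) pair instead of by parsing the /proc/self/fd symlink text. The helper names are hypothetical, and NS_GET_USERNS is assumed to be provided by <linux/nsfs.h>.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/nsfs.h>	/* NS_GET_USERNS; assumed present (kernel uapi headers) */

/* Two descriptors name the same namespace when device and inode both match. */
int same_ns(const struct stat *a, const struct stat *b)
{
	return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Hypothetical helper: 1 if the user namespace owning ns_path is the one at
 * userns_path, 0 if it is a different one, -1 on open/ioctl/fstat error. */
int owning_userns_is(const char *ns_path, const char *userns_path)
{
	struct stat owner_st, want_st;
	int ns, owner = -1, want = -1, ret = -1;

	ns = open(ns_path, O_RDONLY);
	if (ns < 0)
		return -1;
	owner = ioctl(ns, NS_GET_USERNS);	/* fd for the owning user namespace */
	want = open(userns_path, O_RDONLY);
	if (owner >= 0 && want >= 0 &&
	    fstat(owner, &owner_st) == 0 && fstat(want, &want_st) == 0)
		ret = same_ns(&owner_st, &want_st);
	if (want >= 0)
		close(want);
	if (owner >= 0)
		close(owner);
	close(ns);
	return ret;
}

int main(int argc, char *argv[])
{
	int r;

	if (argc != 3) {
		fprintf(stderr, "usage: %s NS_PATH USERNS_PATH\n", argv[0]);
		return 2;
	}
	r = owning_userns_is(argv[1], argv[2]);
	puts(r == 1 ? "same" : r == 0 ? "different" : "error");
	return r == 1 ? 0 : 1;
}
```

Run as `./nscmp /proc/13929/ns/pid /proc/self/ns/user` (binary name hypothetical) to check whether the pid namespace from the thread's example is owned by the caller's own user namespace.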