From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [PATCH V6 00/10] namespaces: log namespaces per task
Date: Mon, 27 Apr 2015 21:16:32 -0500
Message-ID: <87zj5tgfpb.fsf@x220.int.ebiederm.org>
References: <87vbgqw163.fsf@x220.int.ebiederm.org> <20150423030751.GA6712@madcap2.tricolour.ca> <20150423204429.GA25794@madcap2.tricolour.ca> <87bnid9v4f.fsf@x220.int.ebiederm.org> <20150428020555.GB20713@madcap2.tricolour.ca>
In-Reply-To: <20150428020555.GB20713-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org> (Richard Guy Briggs's message of "Mon, 27 Apr 2015 22:05:55 -0400")
To: Richard Guy Briggs
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org, sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org
List-Id: containers.vger.kernel.org

Richard Guy Briggs writes:

> On 15/04/24, Eric W. Biederman wrote:
>> Richard Guy Briggs writes:
>> > On 15/04/22, Richard Guy Briggs wrote:
>> >> On 15/04/20, Eric W. Biederman wrote:
>> >> > Richard Guy Briggs writes:
>> >> >
>> >
>> > Do I even need to report the device number anymore since I am concluding
>> > s_dev is never set (or always zero) in the nsfs filesystem by
>> > mount_pseudo() and isn't even mountable?
>>
>> We still need the dev. We do have a device number; get_anon_bdev fills it in.
>
> Fine, it has a device number. There appears to be only one of these
> allocated per kernel. I can get it from &nsfs->fs_supers (and take the
> first instance given by hlist_for_each_entry and verify there are no
> others). Why do I need it, again?

Because if we have to preserve the inode number over a migration event I
want to preserve the fact that we are talking about inode numbers from a
superblock with a device number.

Otherwise known as I am allergic to kernel global identifiers, because
they can be major pains. I don't want to have to go back and implement
a namespace for namespaces.

>> >> They are all covered:
>> >> sys_unshare > unshare_userns > create_user_ns
>> >> sys_unshare > unshare_nsproxy_namespaces > create_new_namespaces > copy_mnt_ns
>> >> sys_unshare > unshare_nsproxy_namespaces > create_new_namespaces > copy_utsname > clone_uts_ns
>> >> sys_unshare > unshare_nsproxy_namespaces > create_new_namespaces > copy_ipcs > get_ipc_ns
>> >> sys_unshare > unshare_nsproxy_namespaces > create_new_namespaces > copy_pid_ns > create_pid_namespace
>> >> sys_unshare > unshare_nsproxy_namespaces > create_new_namespaces > copy_net_ns
>>
>> Then why the special change to fork? That was not reflected on
>> the unshare path as far as I could see.
>
> Fork can specify more than one CLONE flag at once, so collecting them
> all in one statement seemed helpful. setns can only set one at a time.

unshare can also specify more than one CLONE flag at once. I just
pointed that out because that seemed really unsymmetrical.

> Ok, understood, we can't just punt this one to a higher layer...
>
> So this comes back to a question above, which is how do we determine
> which device it is from? Sounds like we need something added to
> ns_common or one of the 6 namespace types structs.

Or we can just hard code reading it off of the appropriate magic
filesystem. Probably what we want is a well named helper function that
does the job.

I just care that when we talk about these things we are talking about
inode numbers from a superblock that is associated with a given device
number. That way I don't have nightmares about dealing with a namespace
for namespaces.

Eric
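As an added illustration (not code from the patch series or from anyone in this thread), a small userspace Python script shows the identifier Eric is asking for: the (device, inode) pair of each nsfs file under /proc/<pid>/ns/, plus a check of the invariant that all of them hang off one anonymous superblock and therefore share one device number. The sample stat values are constructed, and the minor number 4 is an assumption (the real anon bdev minor varies per boot).

```python
import os

# The six namespace types enumerated in this thread, each an nsfs inode
# under /proc/<pid>/ns/ (the 2015 set; later kernels add more types).
NS_TYPES = ("user", "mnt", "uts", "ipc", "pid", "net")


class NsId(object):
    """One namespace identifier: the (s_dev, i_ino) pair, never the inode alone."""
    def __init__(self, ns_type, dev, ino):
        self.ns_type, self.dev, self.ino = ns_type, dev, ino

    def __eq__(self, other):
        return (self.dev, self.ino) == (other.dev, other.ino)


def ns_ids_from_stats(stats):
    """stats maps ns_type -> object with st_dev/st_ino (os.stat_result works)."""
    return [NsId(t, st.st_dev, st.st_ino) for t, st in stats.items()]


def nsfs_dev(ids):
    """Eric's invariant: one anonymous superblock backs every nsfs inode, so
    all ns files must report the same device number. Return it or raise."""
    devs = sorted({i.dev for i in ids})
    if len(devs) != 1:
        raise ValueError("nsfs inodes on more than one device: %r" % devs)
    return devs[0]


def audit_fields(ids):
    """Render type=major:minor/ino, the shape an audit record consumer needs
    to tell inode numbers from different superblocks apart."""
    return " ".join("%s=%d:%d/%d" % (i.ns_type, os.major(i.dev), os.minor(i.dev), i.ino)
                    for i in ids)


def live_ns_ids(pid="self"):
    """Read the real pairs for a process from /proc; missing types are skipped."""
    stats = {}
    for t in NS_TYPES:
        try:
            stats[t] = os.stat("/proc/%s/ns/%s" % (pid, t))
        except OSError:
            pass
    return ns_ids_from_stats(stats)


class FakeStat(object):
    """Constructed stand-in for os.stat_result so the example runs offline."""
    def __init__(self, st_dev, st_ino):
        self.st_dev, self.st_ino = st_dev, st_ino


# Constructed sample: anon device 0:4 (minor is an assumption) and made-up
# inode numbers in the range nsfs typically hands out.
SAMPLE_DEV = os.makedev(0, 4)
SAMPLE_STATS = {t: FakeStat(SAMPLE_DEV, 4026531836 + n) for n, t in enumerate(NS_TYPES)}

if __name__ == "__main__":
    print(audit_fields(ns_ids_from_stats(SAMPLE_STATS)))
    print(audit_fields(live_ns_ids()))
```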