From: Arne Welzel <arne.welzel@gmail.com>
To: kernelnewbies@kernelnewbies.org
Subject: Opening /proc/<pid>/net/dev prevents network namespace from expiring
Date: Sat, 22 Aug 2020 23:05:53 +0200
Message-ID: <CAEyJRx0Zd_jtH1JQCSYYrdc-YTa8yvtneaurUKXEKK32-kWfRA@mail.gmail.com>


Hello,

as an unprivileged user one is able to keep network namespaces from
expiring by opening /proc/<pid>/net/dev of other processes. I've previously
put this on stackexchange [1] and then bugzilla [2]. That's been a while
though, so posting here for a bit more visibility in case it's something
that's worth fixing.

The reproducer is roughly as follows. As root:
# echo "100" > /proc/sys/user/max_net_namespaces
# while true ; do (unshare -n bash -c 'sleep 0.3 && readlink /proc/self/ns/net') || sleep 0.5  ; done

As unprivileged user in a second terminal, run the below Python script [3]:
# python3 pin_net_namespaces.py

After about one minute the first terminal will show the following until the
Python process keeping the network namespaces alive is terminated.
...
unshare: unshare failed: No space left on device
unshare: unshare failed: No space left on device

Without the change to max_net_namespaces, reproducing just takes very long,
but then kernel memory also grows fairly large.

Does that seem like problematic behavior? I had attached a patch and tests
to [2], but I fall into the kernel newbie category, so not sure how useful.

Thanks,
   Arne


[1] https://unix.stackexchange.com/questions/576718/opening-proc-pid-net-dev-prevents-network-namespace-from-expiring-is-this-ex/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=207351

[3] $ cat pin_net_namespaces.py
#!/usr/bin/env python3
import glob
import os
import time

net_namespaces = {}

while True:
    for net_dev in glob.glob("/proc/*/net/dev"):
        try:
            ino = os.stat(net_dev).st_ino
            if ino not in net_namespaces:
                net_namespaces[ino] = open(net_dev)
                print("Have", len(net_namespaces), "namespaces...")
        except FileNotFoundError:
            # not fast enough...
            pass

    time.sleep(0.2)
===
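
Added example (not part of the original message and not the reporter's code): a detection sketch that lists processes holding open handles on other processes' /proc/<pid>/net/dev, which is the pattern the script above relies on. It assumes that readlink on such an fd yields "/proc/<pid>/net/dev", with " (deleted)" appended once the target process has exited; the function names and the threshold of 10 are hypothetical.

```python
#!/usr/bin/env python3
"""List processes holding open /proc/<pid>/net/dev handles (run as root)."""
import os
import re
from collections import defaultdict

# Assumption: readlink on such an fd yields "/proc/<pid>/net/dev", with
# " (deleted)" appended once the owning process has exited.
NET_DEV = re.compile(r"^/proc/(\d+)/net/dev( \(deleted\))?$")


def find_net_dev_holders(proc_root="/proc"):
    """Return {holder_pid: [(target_pid, target_gone), ...]}."""
    holders = defaultdict(list)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we may not inspect it
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd was closed while scanning
            m = NET_DEV.match(target)
            # A handle on the process's own net/dev pins nothing extra.
            if m and m.group(1) != entry:
                holders[int(entry)].append((int(m.group(1)), bool(m.group(2))))
    return dict(holders)


def suspicious(holders, threshold=10):
    """Holder pids with at least `threshold` foreign net/dev handles."""
    return sorted(pid for pid, refs in holders.items() if len(refs) >= threshold)


if __name__ == "__main__":
    found = find_net_dev_holders()
    for pid in suspicious(found):
        gone = sum(1 for _, dead in found[pid] if dead)
        print(f"pid {pid}: {len(found[pid])} net/dev handles, "
              f"{gone} to exited processes")
```

Handles whose target process has already exited are the ones to look at first when unshare starts failing with "No space left on device".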