From: Arne Welzel
Date: Sat, 22 Aug 2020 23:05:53 +0200
Subject: Opening /proc/<pid>/net/dev prevents network namespace from expiring
To: kernelnewbies@kernelnewbies.org

Hello,

as an unprivileged user one is able to keep network namespaces from expiring by opening /proc/<pid>/net/dev of other processes. I've previously put this on stackexchange [1] and then bugzilla [2]. That's been a while though, so posting here for a bit more visibility in case it's something that's worth fixing.

The reproducer is roughly as follows. As root:

# echo "100" > /proc/sys/user/max_net_namespaces
# while true ; do (unshare -n bash -c 'sleep 0.3 && readlink /proc/self/ns/net') || sleep 0.5 ; done

As unprivileged user in a second terminal, run the below Python script [3]:

# python3 pin_net_namespaces.py

After about one minute the first terminal will show the following until the Python process keeping the network namespaces alive is terminated.

...
unshare: unshare failed: No space left on device
unshare: unshare failed: No space left on device

Without the change to max_net_namespaces reproducing just takes very long, but then also kernel memory grows fairly large.

Does that seem like problematic behavior? I had attached a patch and tests to [2], but I fall into the kernel newbie category, so not sure how useful.

Thanks,
   Arne

[1] https://unix.stackexchange.com/questions/576718/opening-proc-pid-net-dev-prevents-network-namespace-from-expiring-is-this-ex/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=207351

[3] $ cat pin_net_namespaces.py
#!/usr/bin/env python3
import glob
import os
import time

# One open file per distinct inode number; the file objects are never closed.
net_namespaces = {}

while True:
    for net_dev in glob.glob("/proc/*/net/dev"):
        try:
            ino = os.stat(net_dev).st_ino
            if ino not in net_namespaces:
                net_namespaces[ino] = open(net_dev)
                print("Have", len(net_namespaces), "namespaces...")
        except FileNotFoundError:
            # not fast enough...
            pass

    time.sleep(0.2)
===
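
Added example, not part of the original message: one way an administrator could look for a process that keeps /proc/<pid>/net/ files of already-exited processes open, which is the state the reproducer above creates. The function names, the threshold of 3 and the sample data are made up for illustration, and the form of the fd link targets (including the " (deleted)" suffix) is an assumption.

```python
import os
import re
from collections import defaultdict

# Assumption: an fd symlink shows the path the file was opened by, with
# " (deleted)" appended once the owning process has exited.
NET_FD = re.compile(r"^/proc/(\d+)/net/\S+?(?: \(deleted\))?$")

def find_pinners(fd_links, live_pids, threshold=3):
    """fd_links: (holder_pid, link_target) pairs. Returns {holder: [pids]} for
    holders with net files open on >= threshold processes that have exited."""
    dead = defaultdict(set)
    for holder, target in fd_links:
        m = NET_FD.match(target)
        if not m:
            continue
        owner = int(m.group(1))
        # PID reuse can make an exited owner look alive: counts are a lower bound.
        if owner != holder and owner not in live_pids:
            dead[holder].add(owner)
    return {h: sorted(p) for h, p in dead.items() if len(p) >= threshold}

def collect_fd_links(proc="/proc"):
    """Read the /proc/<pid>/fd/* links (root is needed for other users' fds)."""
    live, links = set(), []
    for name in filter(str.isdigit, os.listdir(proc)):
        live.add(int(name))
        fd_dir = os.path.join(proc, name, "fd")
        try:
            for fd in os.listdir(fd_dir):
                links.append((int(name), os.readlink(os.path.join(fd_dir, fd))))
        except OSError:
            continue  # process exited meanwhile, or permission denied
    return links, live

# Constructed sample: PID 4242 behaves like the reproducer, 900 and 901 do not.
SAMPLE_LIVE = {1, 900, 901, 4242}
SAMPLE_LINKS = [
    (4242, "/proc/5001/net/dev (deleted)"),
    (4242, "/proc/5002/net/dev (deleted)"),
    (4242, "/proc/5003/net/dev"),
    (4242, "/proc/1/net/dev"),
    (900, "/proc/900/net/tcp"),
    (900, "/var/log/syslog"),
    (901, "/proc/5001/net/dev (deleted)"),
]

if __name__ == "__main__":
    for holder, pids in find_pinners(*collect_fd_links()).items():
        print(f"pid {holder}: net files of {len(pids)} exited processes open")
```

Run as root on a live system it scans the real /proc; find_pinners(SAMPLE_LINKS, SAMPLE_LIVE) exercises the same logic on the constructed data.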