* Opening /proc/<pid>/net/dev prevents network namespace from expiring
@ 2020-08-22 21:05 Arne Welzel
2020-08-24 7:42 ` Greg KH
2020-08-24 16:53 ` Grant Taylor
From: Arne Welzel @ 2020-08-22 21:05 UTC (permalink / raw)
To: kernelnewbies
Hello,
as an unprivileged user one is able to keep network namespaces from
expiring by opening /proc/<pid>/net/dev of other processes. I've previously
put this on stackexchange [1] and then bugzilla [2]. That's been a while
though, so posting here for a bit more visibility in case it's something
that's worth fixing.
The reproducer is roughly as follows. As root:
# echo "100" > /proc/sys/user/max_net_namespaces
# while true ; do (unshare -n bash -c 'sleep 0.3 && readlink /proc/self/ns/net') || sleep 0.5 ; done
As unprivileged user in a second terminal, run the below Python script [3]:
# python3 pin_net_namespaces.py
After about one minute the first terminal will show the following until the
Python process keeping the network namespaces alive is terminated.
...
unshare: unshare failed: No space left on device
unshare: unshare failed: No space left on device
Without the change to max_net_namespaces, reproducing just takes very long,
but then kernel memory also grows fairly large.
Does that seem like problematic behavior? I had attached a patch and tests
to [2], but I fall into the kernel newbie category, so not sure how useful.
Thanks,
Arne
[1]
https://unix.stackexchange.com/questions/576718/opening-proc-pid-net-dev-prevents-network-namespace-from-expiring-is-this-ex/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=207351
[3] $ cat pin_net_namespaces.py
#!/usr/bin/env python3
import glob
import os
import time

net_namespaces = {}
while True:
    for net_dev in glob.glob("/proc/*/net/dev"):
        try:
            ino = os.stat(net_dev).st_ino
            if ino not in net_namespaces:
                net_namespaces[ino] = open(net_dev)
                print("Have", len(net_namespaces), "namespaces...")
        except FileNotFoundError:
            # not fast enough...
            pass
    time.sleep(0.2)
===
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
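The behaviour described in the post above is visible from the holder's side: a process that pins a namespace this way has an open file descriptor whose link target is /proc/&lt;other pid&gt;/net/dev. The following audit script is an added example for this thread, not code from the original mail or from the kernel; it walks /proc/&lt;pid&gt;/fd and /proc/&lt;pid&gt;/ns/net (reading other users' fd tables needs root or ptrace access) and reports processes holding another process's net/dev open, which is the pattern the reproducer produces. The constructed sample links at the bottom stand in for a live scan so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Audit processes that hold another process's /proc/<pid>/net/dev open.

Added example (hypothetical defender-side check), not part of the thread.
"""
import os
import re
from collections import defaultdict

NET_DEV_RE = re.compile(r"^/proc/(\d+)/net/dev$")
NS_LINK_RE = re.compile(r"^net:\[(\d+)\]$")


def cross_pid_net_dev_holders(fd_links):
    """fd_links: iterable of (holder_pid, fd_number, readlink target).

    Returns {holder_pid: sorted list of *other* pids whose net/dev it holds}.
    A process holding its own net/dev is ignored (that keeps nothing alive
    beyond its own lifetime).
    """
    held = defaultdict(set)
    for holder_pid, _fd, target in fd_links:
        m = NET_DEV_RE.match(target)
        if m and int(m.group(1)) != holder_pid:
            held[holder_pid].add(int(m.group(1)))
    return {pid: sorted(pids) for pid, pids in held.items()}


def distinct_net_namespaces(ns_links):
    """ns_links: iterable of (pid, readlink('/proc/<pid>/ns/net')).

    Returns the set of network namespace inode numbers that still have a
    process in them. A namespace kept alive only through an open net/dev
    has no process and therefore does NOT appear here; the fd scan above
    is what exposes those.
    """
    inodes = set()
    for _pid, target in ns_links:
        m = NS_LINK_RE.match(target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def scan_proc(proc="/proc"):
    """Live collector: best effort, processes we may not inspect are skipped."""
    fd_links, ns_links = [], []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    fd_links.append((pid, int(fd), os.readlink(os.path.join(fd_dir, fd))))
                except OSError:
                    pass  # fd closed between listdir and readlink
        except OSError:
            pass  # no permission to read this process's fd table
        try:
            ns_links.append((pid, os.readlink(os.path.join(proc, entry, "ns", "net"))))
        except OSError:
            pass
    return fd_links, ns_links


# Constructed sample data (not captured from a real system): pid 1234 holds
# net/dev of two foreign pids and its own; pid 999 holds only a socket.
SAMPLE_FD_LINKS = [
    (1234, 0, "/dev/pts/3"),
    (1234, 3, "/proc/4321/net/dev"),
    (1234, 4, "/proc/4322/net/dev"),
    (1234, 5, "/proc/1234/net/dev"),
    (999, 3, "socket:[12345]"),
]
SAMPLE_NS_LINKS = [
    (1, "net:[4026531992]"),
    (1234, "net:[4026531992]"),
    (4321, "net:[4026532200]"),
    (4322, "net:[4026532300]"),
]


def report(fd_links, ns_links):
    """Combine both views into one dict suitable for logging or alerting."""
    return {
        "holders": cross_pid_net_dev_holders(fd_links),
        "live_net_namespaces": len(distinct_net_namespaces(ns_links)),
    }


if __name__ == "__main__":
    fd_links, ns_links = scan_proc()
    print(report(fd_links, ns_links))
```

On the reproducer from the post, the script (run as root) lists the Python process's pid as a holder with a growing list of foreign pids, while the count of namespaces with a live process stays small; that gap is the signal that namespaces are being kept alive by open files rather than by processes.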
* Re: Opening /proc/<pid>/net/dev prevents network namespace from expiring
From: Greg KH @ 2020-08-24 7:42 UTC (permalink / raw)
To: Arne Welzel; +Cc: kernelnewbies
On Sat, Aug 22, 2020 at 11:05:53PM +0200, Arne Welzel wrote:
> Hello,
>
> as an unprivileged user one is able to keep network namespaces from
> expiring by opening /proc/<pid>/net/dev of other processes. I've previously
> put this on stackexchange [1] and then bugzilla [2]. That's been a while
> though, so posting here for a bit more visibility in case it's something
> that's worth fixing.
The proper place to send networking bugs/issues is to the networking
developers themselves, at netdev@vger.kernel.org.
Try sending it there, no kernel developers use stackexchange for
development :)
thanks,
greg k-h
* Re: Opening /proc/<pid>/net/dev prevents network namespace from expiring
From: Grant Taylor @ 2020-08-24 16:53 UTC (permalink / raw)
To: kernelnewbies
On 8/22/20 3:05 PM, Arne Welzel wrote:
> Hello,
Hi,
> as an unprivileged user one is able to keep network namespaces from
> expiring by opening /proc/<pid>/net/dev of other processes.
This is what I would expect.
At least based on my understanding of how the various namespaces work.
If something is using the namespace, it's not removed. Opening a file /
device therein would count as using it.
> Does that seem like problematic behavior?
No, not as such.
This seems to me like a permissions issue on the /proc/<pid> directory.
Read: Set the permissions such that access is restricted appropriately.
--
Grant. . . .
unix || die