From: "W. Trevor King" <wking@tremily.us>
To: Andrey Vagin <avagin@openvz.org>
Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
	containers@lists.linux-foundation.org, criu@openvz.org,
	linux-fsdevel@vger.kernel.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Serge Hallyn <serge.hallyn@canonical.com>
Subject: Re: [PATCH 0/5 RFC] Add an interface to discover relationships between namespaces
Date: Sat, 23 Jul 2016 14:14:14 -0700
Message-ID: <20160723211414.GA25371@odin.tremily.us>
In-Reply-To: <1468520419-28220-1-git-send-email-avagin@openvz.org>

On Thu, Jul 14, 2016 at 11:20:14AM -0700, Andrey Vagin wrote:
> Pid and user namespaces are hierarchical. There is no way to discover
> parent-child relationships too.

It bothers me that network namespaces are not hierarchical too ;).
namespaces(7) and clone(2) both have:

  When a network namespace is freed (i.e., when the last process in
  the namespace terminates), its physical network devices are moved
  back to the initial network namespace (not to the parent of the
  process).

So the initial network namespace (the head of net_namespace_list?) is
special [1].  To understand how physical network devices will be
handled, it seems like we want to treat network devices as a depth-1
tree, with all non-initial net namespaces as children of the initial
net namespace.  Can we extend this series' NS_GET_PARENT to return:

* EPERM for an unprivileged caller (like this series currently does
  for PID namespaces),
* ENOENT when called on net_namespace_list, and
* net_namespace_list when called on any other net namespace.

If that sounds reasonable, I'm happy to stumble my way through a patch
;).

And one benefit of the net_namespace_list approach is that it will be
really easy to walk children if we ever add a parent → children lookup
service to mirror this series' child → parent service.

Cheers,
Trevor

[1]: The commit message for 2b035b39 (net: Batch network namespace
  destruction, 2009-11-29) opens with:

    It is fairly common to kill several network namespaces at once.
    Either because they are nested one inside the other or…

  which I'm having trouble understanding if network namespaces aren't
  hierarchical (and they don't seem to be, except for the initial
  network namespace being special).  Maybe nested network namespaces
  were on the table at one point but never materialized?

  net->list looks like a reference to that namespace's entry in
  net_namespace_list, and I didn't see anything else that looked like
  a reference to a parent or list of children.

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
