device namespaces

device namespaces

[Enrico Weigelt, metux IT consult]

Hello folks,


I'm going to implement device namespaces, where containers can get an
entirely different view of the devices in the machine (usually just a
specific subset, but possibly additional virtual devices).

For start I'd like to add a simple mapping of dev maj/min (leaving aside
sysfs, udev, etc). An important requirement for me is that the parent ns
can choose to delegate devices from those it full access too (child
namespaces can do the same to their childs), and the assignment can
change (for simplicity ignoring the case of removing devices that are
already opened by some process - haven't decided yet whether they should
be forcefully closed or whether keeping them open is a valid use case).

The big question for me now is how exactly to do the table maintenance
from userland. We already have entries in /proc/<pid>/ns/*. I'm thinking
about using them as command channel, like this:

* new child namespaces are created with empty mapping
* mapping manipulation is done by just writing commands to the ns file
* access is only granted if the writing process itself is in the
  parent's device ns and has CAP_SYS_ADMIN (or maybe their could be some
  admin user for the ns ? or the 'root' of the corresponding user_ns ?)
* if the caller has some restrictions on some particular device, these
  are automatically added (eg. if you're restricted to readonly, you
  can't give rw to the child ns).

Is this a good way to go ? Or what would be a better one ?


--mtx

-- 
---
Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert
werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren
GPG/PGP-Schlüssel zu.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287

Re: device namespaces

[Christian Brauner]

On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt, metux IT consult wrote:
> Hello folks,
> 
> 
> I'm going to implement device namespaces, where containers can get an
> entirely different view of the devices in the machine (usually just a
> specific subset, but possibly additional virtual devices).
> 
> For start I'd like to add a simple mapping of dev maj/min (leaving aside
> sysfs, udev, etc). An important requirement for me is that the parent ns
> can choose to delegate devices from those it full access too (child
> namespaces can do the same to their childs), and the assignment can
> change (for simplicity ignoring the case of removing devices that are
> already opened by some process - haven't decided yet whether they should
> be forcefully closed or whether keeping them open is a valid use case).
> 
> The big question for me now is how exactly to do the table maintenance
> from userland. We already have entries in /proc/<pid>/ns/*. I'm thinking
> about using them as command channel, like this:
> 
> * new child namespaces are created with empty mapping
> * mapping manipulation is done by just writing commands to the ns file
> * access is only granted if the writing process itself is in the
>  parent's device ns and has CAP_SYS_ADMIN (or maybe their could be some
>  admin user for the ns ? or the 'root' of the corresponding user_ns ?)
> * if the caller has some restrictions on some particular device, these
>  are automatically added (eg. if you're restricted to readonly, you
>  can't give rw to the child ns).
> 
> Is this a good way to go ? Or what would be a better one ?

Ccing Greg. Without adressing specific problems, I should warn you that
this idea is not new and the plan is unlikely to go anywhere. Especially
not without support from Greg.

Also note that I have done work to make it possible to do sufficient
device management in containers. There's a longer series associated with
this but the gist is 692ec06d7c92 ("netns: send uevent messages") where
you can forward uevents to containers. I spoke about this at Plumbers in
2018 or so too. For example, LXD makes use of this. When you hotplug a
device into a container LXD will forward the generated uevents to the
container making it possible for the container to manage those devices.
That's fully under control of userspace and means we don't need to
burden the kernel with this.

Re: device namespaces

[Greg Kroah-Hartman]

On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt, metux IT consult wrote:
> > Hello folks,
> > 
> > 
> > I'm going to implement device namespaces, where containers can get an
> > entirely different view of the devices in the machine (usually just a
> > specific subset, but possibly additional virtual devices).
> > 
> > For start I'd like to add a simple mapping of dev maj/min (leaving aside
> > sysfs, udev, etc). An important requirement for me is that the parent ns
> > can choose to delegate devices from those it full access too (child
> > namespaces can do the same to their childs), and the assignment can
> > change (for simplicity ignoring the case of removing devices that are
> > already opened by some process - haven't decided yet whether they should
> > be forcefully closed or whether keeping them open is a valid use case).
> > 
> > The big question for me now is how exactly to do the table maintenance
> > from userland. We already have entries in /proc/<pid>/ns/*. I'm thinking
> > about using them as command channel, like this:
> > 
> > * new child namespaces are created with empty mapping
> > * mapping manipulation is done by just writing commands to the ns file
> > * access is only granted if the writing process itself is in the
> >  parent's device ns and has CAP_SYS_ADMIN (or maybe their could be some
> >  admin user for the ns ? or the 'root' of the corresponding user_ns ?)
> > * if the caller has some restrictions on some particular device, these
> >  are automatically added (eg. if you're restricted to readonly, you
> >  can't give rw to the child ns).
> > 
> > Is this a good way to go ? Or what would be a better one ?
> 
> Ccing Greg. Without adressing specific problems, I should warn you that
> this idea is not new and the plan is unlikely to go anywhere. Especially
> not without support from Greg.

Hah, yeah, this is a non-starter.

Enrico, what real problem are you trying to solve by doing this?  And
have you tried anything with this yet?  We almost never talk about
"proposals" without seeing real code as it's pointless to discuss things
when you haven't even proven that it can work.

So let's see code before even talking about this...

And as Christian points out, you can do this today without any kernel
changes, so to think you need to modify the kernel means that you
haven't even tried this at all?

greg k-h

Re: device namespaces

[Hannes Reinecke]

On Tue, Jun 08, 2021 Greg-KH wrote:
> On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
>> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt,
>> metux IT consult wrote:
>>> Hello folks,
>>>
>>>
>>> I'm going to implement device namespaces, where containers can get
>>> an entirely different view of the devices in the machine (usually
>>> just a specific subset, but possibly additional virtual devices).
>>>
[ .. ]
>>> Is this a good way to go ? Or what would be a better one ?
>>
>> Ccing Greg. Without adressing specific problems, I should warn you
>> that this idea is not new and the plan is unlikely to go anywhere.
>> Especially not without support from Greg.
>
> Hah, yeah, this is a non-starter.
>
> Enrico, what real problem are you trying to solve by doing this?  And
> have you tried anything with this yet?  We almost never talk about
> "proposals" without seeing real code as it's pointless to discuss
> things when you haven't even proven that it can work.
>
> So let's see code before even talking about this...
>
> And as Christian points out, you can do this today without any kernel
> changes, so to think you need to modify the kernel means that you
> haven't even tried this at all?
>
Curious, I had been looking into this, too.
And I have to side with Greg and Christian that your proposal should
already be possible today (cf device groups, which curiously has a
near-identical interface to what you proposed).
Also, I think that a generic 'device namespace' is too broad a scope;
some subsystems like net already inherited namespace support, and it
turns out to be not exactly trivial to implement.

What I'm looking at, though, is to implement 'block' namespaces, to
restrict access to _new_ block devices to any give namespace.
Case in point: if a container creates a ramdisk it's questionable
whether other containers should even see it. iSCSI devices are a similar
case; when starting iSCSI devices from containers their use should be
restricted to that container.
And that's not only the device node in /dev, but would also entail sysfs
access, which from my understanding is not modified with the current code.

uevent redirection would help here, but from what I've seen it's only
for net devices; feels a bit awkward to have a network namespace to get
uevents for block devices, but then I'll have to test.
And, of course, that also doesn't change the sysfs layout.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer

Re: device namespaces

[Christian Brauner]

On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
> On Tue, Jun 08, 2021 Greg-KH wrote:
> > On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
> >> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt,
> >> metux IT consult wrote:
> >>> Hello folks,
> >>>
> >>>
> >>> I'm going to implement device namespaces, where containers can get
> >>> an entirely different view of the devices in the machine (usually
> >>> just a specific subset, but possibly additional virtual devices).
> >>>
> [ .. ]
> >>> Is this a good way to go ? Or what would be a better one ?
> >>
> >> Ccing Greg. Without adressing specific problems, I should warn you
> >> that this idea is not new and the plan is unlikely to go anywhere.
> >> Especially not without support from Greg.
> >
> > Hah, yeah, this is a non-starter.
> >
> > Enrico, what real problem are you trying to solve by doing this?  And
> > have you tried anything with this yet?  We almost never talk about
> > "proposals" without seeing real code as it's pointless to discuss
> > things when you haven't even proven that it can work.
> >
> > So let's see code before even talking about this...
> >
> > And as Christian points out, you can do this today without any kernel
> > changes, so to think you need to modify the kernel means that you
> > haven't even tried this at all?
> >
> Curious, I had been looking into this, too.
> And I have to side with Greg and Christian that your proposal should
> already be possible today (cf device groups, which curiously has a
> near-identical interface to what you proposed).
> Also, I think that a generic 'device namespace' is too broad a scope;
> some subsystems like net already inherited namespace support, and it
> turns out to be not exactly trivial to implement.
> 
> What I'm looking at, though, is to implement 'block' namespaces, to
> restrict access to _new_ block devices to any give namespace.
> Case in point: if a container creates a ramdisk it's questionable
> whether other containers should even see it. iSCSI devices are a similar
> case; when starting iSCSI devices from containers their use should be
> restricted to that container.
> And that's not only the device node in /dev, but would also entail sysfs
> access, which from my understanding is not modified with the current code.

Hey Hannes. :)

It isn't and we likely shouldn't. You'd likely need to get into the
business of namespacing devtmpfs one way or the other which Seth Forshee
and I once did. But that's really not needed anymore imho. Device
management, i.e. creating device nodes should be the job of a container
manager. We already do that for example (Hotplugging devices ranging
from net devices, to disks, to GPUs.) and it works great.

To make this really clean you will likely have to significanly rework
sysfs too and I don't think that churn is worth it and introduces a
layer of complexity I find outright nakable. And ignoring sysfs or
hacking around it is also not an option I find tasteful.

> 
> uevent redirection would help here, but from what I've seen it's only
> for net devices; feels a bit awkward to have a network namespace to get
> uevents for block devices, but then I'll have to test.

Just to move everyone on the same page. This is not specific to network
devices actually.

You are right though that network devices are correctly namespaced.
Specifically you only get uevents in the network namespace that network
device is moved into. The sysfs permissions for network devices were
correct if you created that network device in the network namespace but
they were wrong when you moved a network device between network
namespaces (with different owning user namespaces). That lead to all
kinds of weird issues. I fixed that a while back.

Uevent messages (and therefore injection of uevents) are not tied to
network devices. They are tied to network namespaces simply because the
transport layer is Netlink but that's about it.

Re: device namespaces

[Hannes Reinecke]

On 6/8/21 4:29 PM, Christian Brauner wrote:
> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
>> On Tue, Jun 08, 2021 Greg-KH wrote:
>>> On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
>>>> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt,
>>>> metux IT consult wrote:
>>>>> Hello folks,
>>>>>
>>>>>
>>>>> I'm going to implement device namespaces, where containers can get
>>>>> an entirely different view of the devices in the machine (usually
>>>>> just a specific subset, but possibly additional virtual devices).
>>>>>
>> [ .. ]
>>>>> Is this a good way to go ? Or what would be a better one ?
>>>>
>>>> Ccing Greg. Without adressing specific problems, I should warn you
>>>> that this idea is not new and the plan is unlikely to go anywhere.
>>>> Especially not without support from Greg.
>>>
>>> Hah, yeah, this is a non-starter.
>>>
>>> Enrico, what real problem are you trying to solve by doing this?  And
>>> have you tried anything with this yet?  We almost never talk about
>>> "proposals" without seeing real code as it's pointless to discuss
>>> things when you haven't even proven that it can work.
>>>
>>> So let's see code before even talking about this...
>>>
>>> And as Christian points out, you can do this today without any kernel
>>> changes, so to think you need to modify the kernel means that you
>>> haven't even tried this at all?
>>>
>> Curious, I had been looking into this, too.
>> And I have to side with Greg and Christian that your proposal should
>> already be possible today (cf device groups, which curiously has a
>> near-identical interface to what you proposed).
>> Also, I think that a generic 'device namespace' is too broad a scope;
>> some subsystems like net already inherited namespace support, and it
>> turns out to be not exactly trivial to implement.
>>
>> What I'm looking at, though, is to implement 'block' namespaces, to
>> restrict access to _new_ block devices to any give namespace.
>> Case in point: if a container creates a ramdisk it's questionable
>> whether other containers should even see it. iSCSI devices are a similar
>> case; when starting iSCSI devices from containers their use should be
>> restricted to that container.
>> And that's not only the device node in /dev, but would also entail sysfs
>> access, which from my understanding is not modified with the current code.
> 
> Hey Hannes. :)
> 
> It isn't and we likely shouldn't. You'd likely need to get into the
> business of namespacing devtmpfs one way or the other which Seth Forshee
> and I once did. But that's really not needed anymore imho. Device
> management, i.e. creating device nodes should be the job of a container
> manager. We already do that for example (Hotplugging devices ranging
> from net devices, to disks, to GPUs.) and it works great.
> 
Right; clearly you can do that within the container.
But my main grudge here is not the container but rather the system
_hosting_ the container.
That is typically using devtmpfs and hence will see _all_ devices, even
those belonging to the container.
This is causing grief to no end if eg the host system starts activating
LVM on devices which are passed to the qemu instance running within a
container ...

> To make this really clean you will likely have to significantly rework
> sysfs too and I don't think that churn is worth it and introduces a
> layer of complexity I find outright nakable. And ignoring sysfs or
> hacking around it is also not an option I find tasteful.
> 
Network namespaces already have the bits and pieces to modify sysfs, so
we should be able to leverage that for block, too.
And I think by restricting it to 'block' devices we should be to keep
the required sysfs modifications in a manageable level.

>>
>> uevent redirection would help here, but from what I've seen it's only
>> for net devices; feels a bit awkward to have a network namespace to get
>> uevents for block devices, but then I'll have to test.
> 
> Just to move everyone on the same page. This is not specific to network
> devices actually.
> 
> You are right though that network devices are correctly namespaced.
> Specifically you only get uevents in the network namespace that network
> device is moved into. The sysfs permissions for network devices were
> correct if you created that network device in the network namespace but
> they were wrong when you moved a network device between network
> namespaces (with different owning user namespaces). That lead to all
> kinds of weird issues. I fixed that a while back.
> 
Granted, modifying sysfs layout is not something for the faint-hearted,
and one really has to look closely to ensure you end up with a
consistent layout afterwards.

But let's see how things go; might well be that it turns out to be too
complex to consider. Can't tell yet.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer

Re: device namespaces

[Eric W. Biederman]

Hannes Reinecke <hare@suse.de> writes:

> On 6/8/21 4:29 PM, Christian Brauner wrote:
>> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
>>> On Tue, Jun 08, 2021 Greg-KH wrote:
>>>> On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
>>>>> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt,
>>>>> metux IT consult wrote:
>>>>>> Hello folks,
>>>>>>
>>>>>>
>>>>>> I'm going to implement device namespaces, where containers can get
>>>>>> an entirely different view of the devices in the machine (usually
>>>>>> just a specific subset, but possibly additional virtual devices).
>>>>>>
>>> [ .. ]
>>>>>> Is this a good way to go ? Or what would be a better one ?
>>>>>
>>>>> Ccing Greg. Without adressing specific problems, I should warn you
>>>>> that this idea is not new and the plan is unlikely to go anywhere.
>>>>> Especially not without support from Greg.
>>>>
>>>> Hah, yeah, this is a non-starter.
>>>>
>>>> Enrico, what real problem are you trying to solve by doing this?  And
>>>> have you tried anything with this yet?  We almost never talk about
>>>> "proposals" without seeing real code as it's pointless to discuss
>>>> things when you haven't even proven that it can work.
>>>>
>>>> So let's see code before even talking about this...
>>>>
>>>> And as Christian points out, you can do this today without any kernel
>>>> changes, so to think you need to modify the kernel means that you
>>>> haven't even tried this at all?
>>>>
>>> Curious, I had been looking into this, too.
>>> And I have to side with Greg and Christian that your proposal should
>>> already be possible today (cf device groups, which curiously has a
>>> near-identical interface to what you proposed).
>>> Also, I think that a generic 'device namespace' is too broad a scope;
>>> some subsystems like net already inherited namespace support, and it
>>> turns out to be not exactly trivial to implement.
>>>
>>> What I'm looking at, though, is to implement 'block' namespaces, to
>>> restrict access to _new_ block devices to any give namespace.
>>> Case in point: if a container creates a ramdisk it's questionable
>>> whether other containers should even see it. iSCSI devices are a similar
>>> case; when starting iSCSI devices from containers their use should be
>>> restricted to that container.
>>> And that's not only the device node in /dev, but would also entail sysfs
>>> access, which from my understanding is not modified with the current code.
>> 
>> Hey Hannes. :)
>> 
>> It isn't and we likely shouldn't. You'd likely need to get into the
>> business of namespacing devtmpfs one way or the other which Seth Forshee
>> and I once did. But that's really not needed anymore imho. Device
>> management, i.e. creating device nodes should be the job of a container
>> manager. We already do that for example (Hotplugging devices ranging
>> from net devices, to disks, to GPUs.) and it works great.
>> 
> Right; clearly you can do that within the container.
> But my main grudge here is not the container but rather the system
> _hosting_ the container.
> That is typically using devtmpfs and hence will see _all_ devices, even
> those belonging to the container.
> This is causing grief to no end if eg the host system starts activating
> LVM on devices which are passed to the qemu instance running within a
> container ...
>
>> To make this really clean you will likely have to significantly rework
>> sysfs too and I don't think that churn is worth it and introduces a
>> layer of complexity I find outright nakable. And ignoring sysfs or
>> hacking around it is also not an option I find tasteful.
>> 
> Network namespaces already have the bits and pieces to modify sysfs, so
> we should be able to leverage that for block, too.
> And I think by restricting it to 'block' devices we should be to keep
> the required sysfs modifications in a manageable level.
>
>>>
>>> uevent redirection would help here, but from what I've seen it's only
>>> for net devices; feels a bit awkward to have a network namespace to get
>>> uevents for block devices, but then I'll have to test.
>> 
>> Just to move everyone on the same page. This is not specific to network
>> devices actually.
>> 
>> You are right though that network devices are correctly namespaced.
>> Specifically you only get uevents in the network namespace that network
>> device is moved into. The sysfs permissions for network devices were
>> correct if you created that network device in the network namespace but
>> they were wrong when you moved a network device between network
>> namespaces (with different owning user namespaces). That lead to all
>> kinds of weird issues. I fixed that a while back.
>> 
> Granted, modifying sysfs layout is not something for the faint-hearted,
> and one really has to look closely to ensure you end up with a
> consistent layout afterwards.
>
> But let's see how things go; might well be that it turns out to be too
> complex to consider. Can't tell yet.

I would suggest aiming for something like devptsfs without the
complication of /dev/ptmx.

That is a pseudo filesystem that has a control node and virtual block
devices that were created using that control node.

That is the cleanest solution I know and is not strictly limited to use
with containers so it can also gain greater traction.  The interaction
with devtmpfs should be simply having devtmpfs create a mount point for
that filesystem.

This could be a new cleaner api for things like loopback devices.

However the limitation for block devices that I am aware of is that we
don't currently have any filesystems in the kernel that are written
robustly enough that we can be expected to be secure when mounted on top
of an evil block device.  Some of the network filesystems are built
to withstand evil network packets, and possibly evil servers.  So with
care we can probably allow for unprivileged mounts there.


Eric

Re: device namespaces

[Christian Brauner]

On Tue, Jun 08, 2021 at 12:16:43PM -0500, Eric W. Biederman wrote:
> Hannes Reinecke <hare@suse.de> writes:
> 
> > On 6/8/21 4:29 PM, Christian Brauner wrote:
> >> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
> >>> On Tue, Jun 08, 2021 Greg-KH wrote:
> >>>> On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
> >>>>> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt,
> >>>>> metux IT consult wrote:
> >>>>>> Hello folks,
> >>>>>>
> >>>>>>
> >>>>>> I'm going to implement device namespaces, where containers can get
> >>>>>> an entirely different view of the devices in the machine (usually
> >>>>>> just a specific subset, but possibly additional virtual devices).
> >>>>>>
> >>> [ .. ]
> >>>>>> Is this a good way to go ? Or what would be a better one ?
> >>>>>
> >>>>> Ccing Greg. Without adressing specific problems, I should warn you
> >>>>> that this idea is not new and the plan is unlikely to go anywhere.
> >>>>> Especially not without support from Greg.
> >>>>
> >>>> Hah, yeah, this is a non-starter.
> >>>>
> >>>> Enrico, what real problem are you trying to solve by doing this?  And
> >>>> have you tried anything with this yet?  We almost never talk about
> >>>> "proposals" without seeing real code as it's pointless to discuss
> >>>> things when you haven't even proven that it can work.
> >>>>
> >>>> So let's see code before even talking about this...
> >>>>
> >>>> And as Christian points out, you can do this today without any kernel
> >>>> changes, so to think you need to modify the kernel means that you
> >>>> haven't even tried this at all?
> >>>>
> >>> Curious, I had been looking into this, too.
> >>> And I have to side with Greg and Christian that your proposal should
> >>> already be possible today (cf device groups, which curiously has a
> >>> near-identical interface to what you proposed).
> >>> Also, I think that a generic 'device namespace' is too broad a scope;
> >>> some subsystems like net already inherited namespace support, and it
> >>> turns out to be not exactly trivial to implement.
> >>>
> >>> What I'm looking at, though, is to implement 'block' namespaces, to
> >>> restrict access to _new_ block devices to any give namespace.
> >>> Case in point: if a container creates a ramdisk it's questionable
> >>> whether other containers should even see it. iSCSI devices are a similar
> >>> case; when starting iSCSI devices from containers their use should be
> >>> restricted to that container.
> >>> And that's not only the device node in /dev, but would also entail sysfs
> >>> access, which from my understanding is not modified with the current code.
> >> 
> >> Hey Hannes. :)
> >> 
> >> It isn't and we likely shouldn't. You'd likely need to get into the
> >> business of namespacing devtmpfs one way or the other which Seth Forshee
> >> and I once did. But that's really not needed anymore imho. Device
> >> management, i.e. creating device nodes should be the job of a container
> >> manager. We already do that for example (Hotplugging devices ranging
> >> from net devices, to disks, to GPUs.) and it works great.
> >> 
> > Right; clearly you can do that within the container.
> > But my main grudge here is not the container but rather the system
> > _hosting_ the container.
> > That is typically using devtmpfs and hence will see _all_ devices, even
> > those belonging to the container.
> > This is causing grief to no end if eg the host system starts activating
> > LVM on devices which are passed to the qemu instance running within a
> > container ...
> >
> >> To make this really clean you will likely have to significantly rework
> >> sysfs too and I don't think that churn is worth it and introduces a
> >> layer of complexity I find outright nakable. And ignoring sysfs or
> >> hacking around it is also not an option I find tasteful.
> >> 
> > Network namespaces already have the bits and pieces to modify sysfs, so
> > we should be able to leverage that for block, too.
> > And I think by restricting it to 'block' devices we should be to keep
> > the required sysfs modifications in a manageable level.
> >
> >>>
> >>> uevent redirection would help here, but from what I've seen it's only
> >>> for net devices; feels a bit awkward to have a network namespace to get
> >>> uevents for block devices, but then I'll have to test.
> >> 
> >> Just to move everyone on the same page. This is not specific to network
> >> devices actually.
> >> 
> >> You are right though that network devices are correctly namespaced.
> >> Specifically you only get uevents in the network namespace that network
> >> device is moved into. The sysfs permissions for network devices were
> >> correct if you created that network device in the network namespace but
> >> they were wrong when you moved a network device between network
> >> namespaces (with different owning user namespaces). That lead to all
> >> kinds of weird issues. I fixed that a while back.
> >> 
> > Granted, modifying sysfs layout is not something for the faint-hearted,
> > and one really has to look closely to ensure you end up with a
> > consistent layout afterwards.
> >
> > But let's see how things go; might well be that it turns out to be too
> > complex to consider. Can't tell yet.
> 
> I would suggest aiming for something like devptsfs without the
> complication of /dev/ptmx.
> 
> That is a pseudo filesystem that has a control node and virtual block
> devices that were created using that control node.

Also see android/binder/binderfs.c

> 
> That is the cleanest solution I know and is not strictly limited to use
> with containers so it can also gain greater traction.  The interaction
> with devtmpfs should be simply having devtmpfs create a mount point for
> that filesystem.
> 
> This could be a new cleaner api for things like loopback devices.

I sent a patchset that implemented this last year.

Re: device namespaces

[Hannes Reinecke]

On 6/9/21 8:38 AM, Christian Brauner wrote:
> On Tue, Jun 08, 2021 at 12:16:43PM -0500, Eric W. Biederman wrote:
>> Hannes Reinecke <hare@suse.de> writes:
>>
>>> On 6/8/21 4:29 PM, Christian Brauner wrote:
>>>> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
[ .. ]
>>> Granted, modifying sysfs layout is not something for the faint-hearted,
>>> and one really has to look closely to ensure you end up with a
>>> consistent layout afterwards.
>>>
>>> But let's see how things go; might well be that it turns out to be too
>>> complex to consider. Can't tell yet.
>>
>> I would suggest aiming for something like devptsfs without the
>> complication of /dev/ptmx.
>>
>> That is a pseudo filesystem that has a control node and virtual block
>> devices that were created using that control node.
> 
> Also see android/binder/binderfs.c
> 
Ah. Will have a look.

>>
>> That is the cleanest solution I know and is not strictly limited to use
>> with containers so it can also gain greater traction.  The interaction
>> with devtmpfs should be simply having devtmpfs create a mount point for
>> that filesystem.
>>
>> This could be a new cleaner api for things like loopback devices.
> 
> I sent a patchset that implemented this last year.
> 
Do you have a pointer/commit hash for this?

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer

Re: device namespaces

[Christian Brauner]

On Wed, Jun 09, 2021 at 09:02:36AM +0200, Hannes Reinecke wrote:
> On 6/9/21 8:38 AM, Christian Brauner wrote:
> > On Tue, Jun 08, 2021 at 12:16:43PM -0500, Eric W. Biederman wrote:
> > > Hannes Reinecke <hare@suse.de> writes:
> > > 
> > > > On 6/8/21 4:29 PM, Christian Brauner wrote:
> > > > > On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
> [ .. ]
> > > > Granted, modifying sysfs layout is not something for the faint-hearted,
> > > > and one really has to look closely to ensure you end up with a
> > > > consistent layout afterwards.
> > > > 
> > > > But let's see how things go; might well be that it turns out to be too
> > > > complex to consider. Can't tell yet.
> > > 
> > > I would suggest aiming for something like devptsfs without the
> > > complication of /dev/ptmx.
> > > 
> > > That is a pseudo filesystem that has a control node and virtual block
> > > devices that were created using that control node.
> > 
> > Also see android/binder/binderfs.c
> > 
> Ah. Will have a look.

I implemented this a few years back and I think it should've made it
onto Android by default now. So that approach does indeed work well, it
seems:
https://chromium.googlesource.com/aosp/platform/system/core/+/master/rootdir/init.rc#257

This should be easier to follow than the devpts case because you don't
need to wade through the {t,p}ty layer.

> 
> > > 
> > > That is the cleanest solution I know and is not strictly limited to use
> > > with containers so it can also gain greater traction.  The interaction
> > > with devtmpfs should be simply having devtmpfs create a mount point for
> > > that filesystem.
> > > 
> > > This could be a new cleaner api for things like loopback devices.
> > 
> > I sent a patchset that implemented this last year.
> > 
> Do you have a pointer/commit hash for this?

Yes, sure:
https://lore.kernel.org/linux-block/20200424162052.441452-1-christian.brauner@ubuntu.com/

You can also just pull my branch. I think it's still based on v5.7 or sm:
https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=loopfs

I'm happy to collaborate on this too.

Christian

Re: device namespaces

[Hannes Reinecke]

On 6/9/21 9:21 AM, Christian Brauner wrote:
> On Wed, Jun 09, 2021 at 09:02:36AM +0200, Hannes Reinecke wrote:
>> On 6/9/21 8:38 AM, Christian Brauner wrote:
>>> On Tue, Jun 08, 2021 at 12:16:43PM -0500, Eric W. Biederman wrote:
>>>> Hannes Reinecke <hare@suse.de> writes:
>>>>
>>>>> On 6/8/21 4:29 PM, Christian Brauner wrote:
>>>>>> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
>> [ .. ]
>>>>> Granted, modifying sysfs layout is not something for the faint-hearted,
>>>>> and one really has to look closely to ensure you end up with a
>>>>> consistent layout afterwards.
>>>>>
>>>>> But let's see how things go; might well be that it turns out to be too
>>>>> complex to consider. Can't tell yet.
>>>>
>>>> I would suggest aiming for something like devptsfs without the
>>>> complication of /dev/ptmx.
>>>>
>>>> That is a pseudo filesystem that has a control node and virtual block
>>>> devices that were created using that control node.
>>>
>>> Also see android/binder/binderfs.c
>>>
>> Ah. Will have a look.
> 
> I implemented this a few years back and I think it should've made it
> onto Android by default now. So that approach does indeed work well, it
> seems:
> https://chromium.googlesource.com/aosp/platform/system/core/+/master/rootdir/init.rc#257
> 
> This should be easier to follow than the devpts case because you don't
> need to wade through the {t,p}ty layer.
> 
>>
>>>>
>>>> That is the cleanest solution I know and is not strictly limited to use
>>>> with containers so it can also gain greater traction.  The interaction
>>>> with devtmpfs should be simply having devtmpfs create a mount point for
>>>> that filesystem.
>>>>
>>>> This could be a new cleaner api for things like loopback devices.
>>>
>>> I sent a patchset that implemented this last year.
>>>
>> Do you have a pointer/commit hash for this?
> 
> Yes, sure:
> https://lore.kernel.org/linux-block/20200424162052.441452-1-christian.brauner@ubuntu.com/
> 
> You can also just pull my branch. I think it's still based on v5.7 or sm:
> https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=loopfs
> 
> I'm happy to collaborate on this too.
>
How _very_ curious. 'kernfs: handle multiple namespace tags' and 'loop:
preserve sysfs backwards compability' are essentially the same patches I
did for my block namespaces prototyp; I named it 'KOBJ_NS_TYPE_BLK', not
'KOBJ_NS_TYPE_USER', though :-)

Guess we really should cooperate.

Speaking of which: why did you name it 'user' namespace?
There already is a generic 'user_namespace' in
include/linux/user_namespace.h, serving as a container for all
namespaces; as such it probably should include this 'user' namespace,
leading to quite some confusion.

Or did I misunderstood something here?

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer

Re: device namespaces

[Christian Brauner]

On Wed, Jun 09, 2021 at 09:54:05AM +0200, Hannes Reinecke wrote:
> On 6/9/21 9:21 AM, Christian Brauner wrote:
> > On Wed, Jun 09, 2021 at 09:02:36AM +0200, Hannes Reinecke wrote:
> >> On 6/9/21 8:38 AM, Christian Brauner wrote:
> >>> On Tue, Jun 08, 2021 at 12:16:43PM -0500, Eric W. Biederman wrote:
> >>>> Hannes Reinecke <hare@suse.de> writes:
> >>>>
> >>>>> On 6/8/21 4:29 PM, Christian Brauner wrote:
> >>>>>> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
> >> [ .. ]
> >>>>> Granted, modifying sysfs layout is not something for the faint-hearted,
> >>>>> and one really has to look closely to ensure you end up with a
> >>>>> consistent layout afterwards.
> >>>>>
> >>>>> But let's see how things go; might well be that it turns out to be too
> >>>>> complex to consider. Can't tell yet.
> >>>>
> >>>> I would suggest aiming for something like devptsfs without the
> >>>> complication of /dev/ptmx.
> >>>>
> >>>> That is a pseudo filesystem that has a control node and virtual block
> >>>> devices that were created using that control node.
> >>>
> >>> Also see android/binder/binderfs.c
> >>>
> >> Ah. Will have a look.
> > 
> > I implemented this a few years back and I think it should've made it
> > onto Android by default now. So that approach does indeed work well, it
> > seems:
> > https://chromium.googlesource.com/aosp/platform/system/core/+/master/rootdir/init.rc#257
> > 
> > This should be easier to follow than the devpts case because you don't
> > need to wade through the {t,p}ty layer.
> > 
> >>
> >>>>
> >>>> That is the cleanest solution I know and is not strictly limited to use
> >>>> with containers so it can also gain greater traction.  The interaction
> >>>> with devtmpfs should be simply having devtmpfs create a mount point for
> >>>> that filesystem.
> >>>>
> >>>> This could be a new cleaner api for things like loopback devices.
> >>>
> >>> I sent a patchset that implemented this last year.
> >>>
> >> Do you have a pointer/commit hash for this?
> > 
> > Yes, sure:
> > https://lore.kernel.org/linux-block/20200424162052.441452-1-christian.brauner@ubuntu.com/
> > 
> > You can also just pull my branch. I think it's still based on v5.7 or sm:
> > https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=loopfs
> > 
> > I'm happy to collaborate on this too.
> >
> How _very_ curious. 'kernfs: handle multiple namespace tags' and 'loop:
> preserve sysfs backwards compability' are essentially the same patches I
> did for my block namespaces prototyp; I named it 'KOBJ_NS_TYPE_BLK', not
> 'KOBJ_NS_TYPE_USER', though :-)
> 
> Guess we really should cooperate.
> 
> Speaking of which: why did you name it 'user' namespace?
> There already is a generic 'user_namespace' in
> include/linux/user_namespace.h, serving as a container for all
> namespaces; as such it probably should include this 'user' namespace,
> leading to quite some confusion.
> 
> Or did I misunderstood something here?

Ah yes, you misunderstand. The KOBJ_NS_TYPE_* tags are namespace tags.
So KOBJ_NS_TYPE_NET is a network namespace tag. So KOBJ_NS_TYPE_USER is
a user namespace tag not a completely new namespace. The idea very
roughly being that devices such as loop devices are ultimately filtered
by user namespace which is taken from the s_user_ns the loopfs instance
is mounted in. We should compare notes.

Christian

Re: device namespaces

[Eric W. Biederman]

Christian Brauner <christian.brauner@ubuntu.com> writes:

> On Wed, Jun 09, 2021 at 09:54:05AM +0200, Hannes Reinecke wrote:
>> On 6/9/21 9:21 AM, Christian Brauner wrote:
>> > On Wed, Jun 09, 2021 at 09:02:36AM +0200, Hannes Reinecke wrote:
>> >> On 6/9/21 8:38 AM, Christian Brauner wrote:
>> >>> On Tue, Jun 08, 2021 at 12:16:43PM -0500, Eric W. Biederman wrote:
>> >>>> Hannes Reinecke <hare@suse.de> writes:
>> >>>>
>> >>>>> On 6/8/21 4:29 PM, Christian Brauner wrote:
>> >>>>>> On Tue, Jun 08, 2021 at 04:10:08PM +0200, Hannes Reinecke wrote:
>> >> [ .. ]
>> >>>>> Granted, modifying sysfs layout is not something for the faint-hearted,
>> >>>>> and one really has to look closely to ensure you end up with a
>> >>>>> consistent layout afterwards.
>> >>>>>
>> >>>>> But let's see how things go; might well be that it turns out to be too
>> >>>>> complex to consider. Can't tell yet.
>> >>>>
>> >>>> I would suggest aiming for something like devptsfs without the
>> >>>> complication of /dev/ptmx.
>> >>>>
>> >>>> That is a pseudo filesystem that has a control node and virtual block
>> >>>> devices that were created using that control node.
>> >>>
>> >>> Also see android/binder/binderfs.c
>> >>>
>> >> Ah. Will have a look.
>> > 
>> > I implemented this a few years back and I think it should've made it
>> > onto Android by default now. So that approach does indeed work well, it
>> > seems:
>> > https://chromium.googlesource.com/aosp/platform/system/core/+/master/rootdir/init.rc#257
>> > 
>> > This should be easier to follow than the devpts case because you don't
>> > need to wade through the {t,p}ty layer.
>> > 
>> >>
>> >>>>
>> >>>> That is the cleanest solution I know and is not strictly limited to use
>> >>>> with containers so it can also gain greater traction.  The interaction
>> >>>> with devtmpfs should be simply having devtmpfs create a mount point for
>> >>>> that filesystem.
>> >>>>
>> >>>> This could be a new cleaner api for things like loopback devices.
>> >>>
>> >>> I sent a patchset that implemented this last year.
>> >>>
>> >> Do you have a pointer/commit hash for this?
>> > 
>> > Yes, sure:
>> > https://lore.kernel.org/linux-block/20200424162052.441452-1-christian.brauner@ubuntu.com/
>> > 
>> > You can also just pull my branch. I think it's still based on v5.7 or sm:
>> > https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=loopfs
>> > 
>> > I'm happy to collaborate on this too.
>> >
>> How _very_ curious. 'kernfs: handle multiple namespace tags' and 'loop:
>> preserve sysfs backwards compability' are essentially the same patches I
>> did for my block namespaces prototyp; I named it 'KOBJ_NS_TYPE_BLK', not
>> 'KOBJ_NS_TYPE_USER', though :-)
>> 
>> Guess we really should cooperate.
>> 
>> Speaking of which: why did you name it 'user' namespace?
>> There already is a generic 'user_namespace' in
>> include/linux/user_namespace.h, serving as a container for all
>> namespaces; as such it probably should include this 'user' namespace,
>> leading to quite some confusion.
>> 
>> Or did I misunderstood something here?
>
> Ah yes, you misunderstand. The KOBJ_NS_TYPE_* tags are namespace tags.
> So KOBJ_NS_TYPE_NET is a network namespace tag. So KOBJ_NS_TYPE_USER is
> a user namespace tag not a completely new namespace. The idea very
> roughly being that devices such as loop devices are ultimately filtered
> by user namespace which is taken from the s_user_ns the loopfs instance
> is mounted in. We should compare notes.

There are two easy possibilities.

- All of the devices on the filesystem show up in sysfs with unique
  major minor numbers.
- None of the devices on the filesystem show up in sysfs.
  (Which I believe is what devpts does).

I favor none of the virtual devices showing up in sysfs.  Maybe existing
userspace needs the devices in sysfs, but if the solution is simply to
skip sysfs for virtual devices that is much simpler.

Eric

Re: device namespaces

[Enrico Weigelt, metux IT consult]

On 11.06.21 20:14, Eric W. Biederman wrote:

Hi,

> I favor none of the virtual devices showing up in sysfs.  Maybe existing
> userspace needs the devices in sysfs, but if the solution is simply to
> skip sysfs for virtual devices that is much simpler.

Sorry for being a little bit confused, but by virtual devices you mean
things like pty's or all the other stuff we already see under
/sys/device/virtual ?

I'm yet unsure what the better way is. If we're just talking about pty's
specifically, I maybe could live with threating them like "special sort
of pipes", but I guess that would require some extra magic.

If I'm not mistaken, the whole sysfs stuff is automatically handled
device classes and bus'es - seems that tty's are also class devs.

How would you skip the virtual devices from sysfs ? Adding some filter
into sysfs that looks at the device class (or some flag within it) ?

--mtx

-- 
---
Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert
werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren
GPG/PGP-Schlüssel zu.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287

Re: device namespaces

[Greg KH]

On Mon, Jun 14, 2021 at 09:49:22AM +0200, Enrico Weigelt, metux IT consult wrote:
> On 11.06.21 20:14, Eric W. Biederman wrote:
> 
> Hi,
> 
> > I favor none of the virtual devices showing up in sysfs.  Maybe existing
> > userspace needs the devices in sysfs, but if the solution is simply to
> > skip sysfs for virtual devices that is much simpler.
> 
> Sorry for being a little bit confused, but by virtual devices you mean
> things like pty's or all the other stuff we already see under
> /sys/device/virtual ?
> 
> I'm yet unsure what the better way is. If we're just talking about pty's
> specifically, I maybe could live with threating them like "special sort
> of pipes", but I guess that would require some extra magic.
> 
> If I'm not mistaken, the whole sysfs stuff is automatically handled
> device classes and bus'es - seems that tty's are also class devs.
> 
> How would you skip the virtual devices from sysfs ? Adding some filter
> into sysfs that looks at the device class (or some flag within it) ?

Wait, step back.  What _EXACTLY_ are you wanting to do here?  If you
have not looked at how sysfs handles devices today, that leads me to
believe that you do not have a real model in place.

Again, spend some time and write some code please before continuing this
thread.  We don't like to talk about vague things when you do not even
have an idea of what you want.

good luck!

greg k-h

Re: device namespaces

[Eric W. Biederman]

"Enrico Weigelt, metux IT consult" <lkml@metux.net> writes:

> On 11.06.21 20:14, Eric W. Biederman wrote:
>
> Hi,
>
>> I favor none of the virtual devices showing up in sysfs.  Maybe existing
>> userspace needs the devices in sysfs, but if the solution is simply to
>> skip sysfs for virtual devices that is much simpler.
>
> Sorry for being a little bit confused, but by virtual devices you mean
> things like pty's or all the other stuff we already see under
> /sys/device/virtual ?

By virtual devices I mean all devices that are not physical pieces
of hardware.  For block devices I mean devices such as loopback
devices that are created on demand.  Ramdisks that start this
conversation could also be considered virtual devices.

> How would you skip the virtual devices from sysfs ? Adding some filter
> into sysfs that looks at the device class (or some flag within it) ?

I would just not run the code to create sysfs entries when the virtual
devices are created.

If you have virtual devices showing up in their own filesystem they
don't even need major or minor numbers.  You can just have files
that accept ioctls like device nodes.  In principle it is
possible to skip a lot of the historical infrastructure.  If the
infrastructure is not needed it is worth skipping.

I haven't dug into the block layer recently enough to say what is needed
or not.  I think there are some thing such as stat on a mounted
filesystem that need a major and minor numbers.  Which probably means
you have to use major and minor numbers.  By virtue of using common
infrastructure that implies showing up in sysfs and devtmpfs.  Things
would be limited just by not mounting devtmpfs in a container.

It is worth checking how much of the common infrastructure you need when
you start creating virtual devices.

The only reason the network devices need changes to sysfs is to allow
different network devices with the same name to show up in different
network namespaces.

If you can fundamentally avoid the problem of devices with the same
name needing to show up in sysfs and devtmpfs by using filesystems
then sysfs and devtmpfs needs no changes.

Hotplug is sufficiently widespread now that it should be possible
to avoid the hard problem of having duplicate names for block devices,
one way or another.  Thus talking of changing sysfs seems completely
unnecessary.

Eric

Re: device namespaces

[Enrico Weigelt, metux IT consult]

On 14.06.21 19:36, Eric W. Biederman wrote:

> By virtual devices I mean all devices that are not physical pieces
> of hardware.  For block devices I mean devices such as loopback
> devices that are created on demand.  Ramdisks that start this
> conversation could also be considered virtual devices.

Ok. Do you also count partitions in here ?

IMHO we've got another category to look up: devices that (can) create
more (sub)devices. Examples coming into my head are loopdev, ptmx,
partitions, etc.

The big problem here: fist we'd need to be clear on the actual
semantics in namespaced context, for example:

* what happens when you talk to /dev/loop0 and create a new loopdev
   inside a container - shall it be ever visible on the host ?

* what if you want to create an loopdev on some file thats only visible
   to the host, but that loopdev shall appear inside a container ?
   ("virtual disk" scenario)

>> How would you skip the virtual devices from sysfs ? Adding some filter
>> into sysfs that looks at the device class (or some flag within it) ?
> 
> I would just not run the code to create sysfs entries when the virtual
> devices are created.

Oh, that would most likely make userland unhappy.

Besides, that won't be so trivial due to the way sysfs works. Because
sysfs more or less just presents kobj's. Each kobj may have attributes,
a parent, and a list of childs. A device is n kobj, and it needs to
be registered into the device hierarchy to work at all. Sysfs itself
doesn't really know whether something is a virtual device (or a device
at all) - it just calls some functions from kobject_type for things like
reading/writing attributes, etc. But I don't see anything where
kobject_type's can implement their own iterators.

As things are right now, not registering a device in sysfs means not
registering it at all.

By the way: i'm just wondering whether it would make sense to give
kobject_type it's own iteration and lookup functions. Unless I'm fully
mistaken, that could help solving several other problems, e.g. device
renaming (currently *very* tricky and only works to some extend for
network devices).

IMHO, we could then eg. fetch the device names (/sys/devices/...)
directly from the struct device instead of the kset (perhaps a simple
list instead of kset would also do here), and also create the symlinks
(e.g. /sys/class/.../) on the fly. Once that's done, renaming a device
should become rather simple.

At that point, adding multiple views or certain parts of sysfs (e.g. the
devices hierarchy) could perhaps be done by implementing special
iterators take take the view criteria into account.

@Greg: what's your take on that iterator idea ?

> If you have virtual devices showing up in their own filesystem they
> don't even need major or minor numbers.  You can just have files
> that accept ioctls like device nodes.  In principle it is
> possible to skip a lot of the historical infrastructure.  If the
> infrastructure is not needed it is worth skipping.

Ah, I see where you're going. You wanna completely drop these virtual 
devices and replace them by a synthentic fs that *looks* like it
contains devices ? Well, theoretically it should be possible, since fs'
may handle opening device nodes completely own, instead of calling 
generic code (is there any that actually does ?).

BUT: in that case we have to really make sure that processes inside the
container cannot ever open any device node outside that special fs.

> I haven't dug into the block layer recently enough to say what is needed
> or not.  I think there are some thing such as stat on a mounted
> filesystem that need a major and minor numbers.  Which probably means
> you have to use major and minor numbers.  By virtue of using common
> infrastructure that implies showing up in sysfs and devtmpfs.  Things
> would be limited just by not mounting devtmpfs in a container.

Note that this approach also needs to support things like dynamically
creating new device nodes (inside the container), udev, ... otherwise
you'd need very special handling in userland again (lxc folks would
become very unhappy ;-))

> It is worth checking how much of the common infrastructure you need when
> you start creating virtual devices.

s/virtual devices/synthetic filesystems/;

You approach goes much into the Plan9 direction (which in generally I'd
love to see). But whatever we gonna do here needs to remain compatible
with what existing userland expects - we've got a lot of Unix tradition
to keep here.

OR: we had to declare that (once inside the devns) we throw it all alway
and it create something entirely new that's more like an Plan9 subsystem
than an Linux container. Also interesting, but not what i've started
this discussion for.

> The only reason the network devices need changes to sysfs is to allow
> different network devices with the same name to show up in different
> network namespaces.
> 
> If you can fundamentally avoid the problem of devices with the same
> name needing to show up in sysfs and devtmpfs by using filesystems
> then sysfs and devtmpfs needs no changes.

Well, that's only for the sysfs part. Network devices still need to
be namespaced in other places (socket, etc) - what's already done by
netns.

But yes, it sounds nice if we had entirely different namespaces for
network device names (e.g. any of the hosts network devices could
appear simply as "eth0" inside a container, if you want to)


--mtx

-- 
---
Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert
werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren
GPG/PGP-Schlüssel zu.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287

Re: device namespaces

[Greg KH]

On Tue, Jun 15, 2021 at 01:24:24PM +0200, Enrico Weigelt, metux IT consult wrote:
> @Greg: what's your take on that iterator idea ?

I want you to stop talking about ideas, and try to implement them before
this conversation wastes anyone else's time and energy.

There is a good reason we do not do this type of "let's discuss things!"
in the kernel community, and that is because almost none of it matters
without working code.

So please, let's see some patches that implement your ideas and then we
can discuss them.

Until then, consider this thread ignored from me.

greg k-h