On Thu, Apr 25, 2019 at 6:14 PM Dmitry Safonov <dima@xxxxxxxxxx> wrote: > Time Namespace isolates clock values. > > The kernel provides access to several clocks CLOCK_REALTIME, > CLOCK_MONOTONIC, CLOCK_BOOTTIME, etc. > > CLOCK_REALTIME > System-wide clock that measures real (i.e., wall-clock) time. > > CLOCK_MONOTONIC > Clock that cannot be set and represents monotonic time since > some unspecified starting point. > > CLOCK_BOOTTIME > Identical to CLOCK_MONOTONIC, except it also includes any time > that the system is suspended. > > For many users, the time namespace means the ability to changes date and > time in a container (CLOCK_REALTIME). > > But in a context of the checkpoint/restore functionality, monotonic and > bootime clocks become interesting. Both clocks are monotonic with > unspecified staring points. These clocks are widely used to measure time > slices and set timers. After restoring or migrating processes, we have to > guarantee that they never go backward. In an ideal case, the behavior of > these clocks should be the same as for a case when a whole system is > suspended. All this means that we need to be able to set CLOCK_MONOTONIC > and CLOCK_BOOTTIME clocks, what can be done by adding per-namespace > offsets for clocks. > > A time namespace is similar to a pid namespace in a way how it is > created: unshare(CLONE_NEWTIME) system call creates a new time namespace, > but doesn't set it to the current process. Then all children of > the process will be born in the new time namespace, or a process can > use the setns() system call to join a namespace. > > This scheme allows setting clock offsets for a namespace, before any > processes appear in it. Is there a check anywhere to make sure that you can't use clone(CLONE_VM) after calling unshare(CLONE_NEWTIME), and that you can't use clone(CLONE_VM|CLONE_NEWTIME)? Those things probably shouldn't be allowed, right? CLONE_NEWPID has similar rules; from the clone.2 manpage: EINVAL CLONE_THREAD was specified, but the current process previously called unshare(2) with the CLONE_NEWPID flag or used setns(2) to reassociate itself with a PID namespace. [...] EINVAL One (or both) of CLONE_NEWPID or CLONE_NEWUSER and one (or both) of CLONE_THREAD or CLONE_PARENT were specified in flags.