Re: netns : close all sockets at unshare ?

Daniel Lezcano <dlezcano@xxxxxxxxxx> writes:

> Hi,
>
> I was looking at some corner cases and trying to figure out what happens if
> someone does:
>
> 1 - fd = socket(...)
> 2 - unshare(CLONE_NEWNET)
> 3 - bind(fd, ...) / listen(fd, ...)
>
> There is here an interaction between two namespaces.
> Trying to catch all these little tricky paths everywhere with the network
> namespace is painful, perhaps we should consider a more radical solution.

Huh?

socket() puts the namespace on struct sock.
bind/listen etc just look at that namespace. 

Unless I'm blind it is simple and it works now.

> Shall we close all fd sockets when doing an unshare ? like a close-on-exec
> behavior ?

I think adopting that policy would dramatically reduce the usefulness
of network namespaces.

Making the mix and match cases gives the implementation much more flexibility
and it doesn't appear that hard right now.

Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
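
Added example (not part of the original message or of the kernel source): a small C program for the socket() / unshare(CLONE_NEWNET) sequence discussed above. It compares SO_NETNS_COOKIE (a socket option in Linux 5.14 and later) on a socket opened before the unshare and on one opened after it. The function names and the CLONE_NEWUSER fallback for unprivileged runs are assumptions of this example.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SO_NETNS_COOKIE
#define SO_NETNS_COOKIE 71 /* asm-generic value; older headers lack it */
#endif

/* Read the cookie of the network namespace recorded on the socket. */
static int netns_cookie(int fd, uint64_t *out)
{
    socklen_t len = sizeof(*out);
    return getsockopt(fd, SOL_SOCKET, SO_NETNS_COOKIE, out, &len);
}

/* Child body: 1 = the old socket kept its namespace and a new socket got a
 * different one, 0 = anything else, 2 = the check cannot run here. */
static int child_check(void)
{
    uint64_t before, after, fresh;
    int old_fd = socket(AF_INET, SOCK_STREAM, 0);   /* step 1 of the mail */
    if (old_fd < 0 || netns_cookie(old_fd, &before) < 0)
        return 2;
    /* step 2; unprivileged callers need a user namespace as well */
    if (unshare(CLONE_NEWNET) < 0 && unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)
        return 2;
    int new_fd = socket(AF_INET, SOCK_STREAM, 0);   /* born in the new netns */
    if (new_fd < 0 || netns_cookie(old_fd, &after) < 0 ||
        netns_cookie(new_fd, &fresh) < 0)
        return 2;
    return before == after && fresh != before;
}

/* Fork so the caller's own namespace is untouched.
 * Returns 1 or 0 as above, -1 if the check could not run. */
int socket_keeps_netns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_check());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) { printf("socket_keeps_netns: %d\n", socket_keeps_netns()); return 0; }
```

A result of 1 means a later bind()/listen() on the old descriptor acts in the namespace where the socket was created, so any descriptor inherited across an unshare is a channel into the original namespace and belongs in a sandbox's descriptor audit.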
