On Mon, Feb 23, 2009 at 09:11:25PM -0800, Dave Hansen wrote:
> On Tue, 2009-02-24 at 07:47 +0300, Alexey Dobriyan wrote:
> > > I think what I posted is a decent compromise. It gets you those
> > > warnings at runtime and is a one-way trip for any given process. But,
> > > it does detect in certain cases (fork() and unshare(FILES)) when it is
> > > safe to make the trip back to the "I'm checkpointable" state again.
> >
> > "Checkpointable" is not even a per-process property.
> >
> > Imagine a set of SAs (struct xfrm_state) and SPDs (struct xfrm_policy).
> > They are a) per-netns, b) persistent.
> >
> > You can hook into socketcalls to mark a process as uncheckpointable,
> > but since SAs and SPDs are persistent, the original process has already exited.
> > You're going to walk every process with the same netns as the SA adder and mark
> > it as uncheckpointable. Definitely doable, but ugly, isn't it?
> >
> > Same for iptables rules.
> >
> > "Checkpointable" is a container property, OK?
>
> Ideally, I completely agree.
>
> But, we don't currently have a concept of a true container in the
> kernel. Do you have any suggestions for any current objects that we
> could use in its place for a while?

After all the foo_ns changes, struct nsproxy is such a thing.

More specifically: a process with a fully cloned nsproxy acting as init, plus all
its children. In terms of data structures, every task_struct in such a
tree, every nsproxy of them, every foo_ns, and so on down to lower levels.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers