Dan Smith wrote:
> DL> Assuming you have a process and this one unshared the network 100
> DL> times and each time opens a socket, how do you checkpoint these
> DL> namespaces?
>
>>> What's the argument for depending on userspace to set this up?
>
> DL> Maybe, CR of the namespaces is a more complicated topic than it looks
> DL> like and the CR itself is big enough to not complicate
> DL> things. IMHO, I would recommend as the first step to forbid the
> DL> unshare inside a container and let the container implementation
> DL> save the configuration with the statefile in order to recreate it
> DL> at the restart
>
> I think what you're suggesting here is some sort of check to make sure
> we don't allow checkpointing a process with nested namespaces... is
> that correct? If so, I agree.

Correct.

I guess it will be easy to implement with a nsproxy level counter. Each time you unshare, the new nsproxy count is incremented. Assuming the init_nsproxy is level 0, when the nsproxy counter is > 1, the process is uncheckpointable.
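
The level-counter check proposed in the message above, as an added user-space model; it is not code from the thread or from the kernel. The `*_model` names and the `-EPERM` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only. The *_model names are hypothetical; the real
 * kernel nsproxy is shared between tasks and refcounted. "level" is the
 * counter proposed in the message. */
struct nsproxy_model { int level; };          /* init_nsproxy is level 0 */
struct task_model { struct nsproxy_model ns; };

void model_task_init(struct task_model *t) { t->ns.level = 0; }

/* fork: the child starts in the parent's namespaces, at the same level. */
void model_fork(const struct task_model *parent, struct task_model *child)
{
    child->ns = parent->ns;
}

/* unshare: the task gets a new nsproxy one level deeper. */
void model_unshare(struct task_model *t) { t->ns.level += 1; }

/* Checkpoint gate: refuse if any task has a level above 1.
 * Returning -EPERM is an assumption; the message names no error code. */
int model_may_checkpoint(const struct task_model *tasks, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tasks[i].ns.level > 1)
            return -EPERM;
    return 0;
}

int main(void)
{
    struct task_model t[3];                   /* constructed sample tasks */
    model_task_init(&t[0]);
    model_unshare(&t[0]);                     /* container init: level 1 */
    model_fork(&t[0], &t[1]);
    model_fork(&t[0], &t[2]);
    printf("flat container: %d\n", model_may_checkpoint(t, 3));
    model_unshare(&t[2]);                     /* nested unshare: level 2 */
    printf("nested unshare: %d\n", model_may_checkpoint(t, 3));
    return 0;
}
```

The gate has to walk every task in the container, because a single nested unshare in any one task is enough to make the whole set uncheckpointable.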