DL> I guess it will be easy to implement with a nsproxy level counter.
DL> Each time you unshare, the new nsproxy count is incremented.
DL> Assuming the init_nsproxy is level 0, when the nsproxy counter is
DL> > 1, the process is uncheckpointable.

This should also be possible by just making sure that the nsproxy of
the root process being checkpointed is the same as any of the
children, correct? That way we avoid having to modify the core
nsproxy bits and can still reject any nested namespaces.

--
Dan Smith
IBM Linux Technology Center
email: danms@xxxxxxxxxx
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
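
Added example, not part of the original message and not kernel code: a user-space C model of the check proposed in the reply, read here as "every task under the checkpoint root must use the root's nsproxy". The structs, field names and the sample process tree are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only: these structs are hypothetical stand-ins,
 * not the kernel's task_struct / nsproxy definitions. */
struct nsproxy_model { int unused; };

struct task_model {
    const char *name;
    const struct nsproxy_model *nsproxy;  /* namespace set the task runs in */
    struct task_model *first_child, *next_sibling;
};

/* Depth-first walk: return the first descendant of t whose nsproxy is
 * not the one used by root, or NULL when the whole subtree shares it. */
static const struct task_model *
find_foreign(const struct task_model *root, const struct task_model *t)
{
    for (const struct task_model *c = t->first_child; c; c = c->next_sibling) {
        if (c->nsproxy != root->nsproxy)
            return c;
        const struct task_model *hit = find_foreign(root, c);
        if (hit)
            return hit;
    }
    return NULL;
}

/* Constructed sample tree: init -> {worker, shell -> nested}.
 * If nested_unshared is set, "nested" gets its own nsproxy.
 * Returns the offending task's name, or NULL if checkpointable. */
const char *check_sample_tree(int nested_unshared)
{
    static const struct nsproxy_model container_ns = {0}, inner_ns = {0};
    struct task_model nested = { "nested",
        nested_unshared ? &inner_ns : &container_ns, NULL, NULL };
    struct task_model shell  = { "shell",  &container_ns, &nested, NULL };
    struct task_model worker = { "worker", &container_ns, NULL, &shell };
    struct task_model init   = { "init",   &container_ns, &worker, NULL };
    const struct task_model *bad = find_foreign(&init, &init);
    return bad ? bad->name : NULL;
}

int main(void)
{
    const char *bad = check_sample_tree(1);
    printf("flat tree:   %s\n", check_sample_tree(0) ? "rejected" : "ok");
    printf("nested tree: %s\n", bad ? bad : "ok");
    return 0;
}
```

The comparison needs no extra state in the namespace object itself: the pointer held by each task is enough to reject the tree.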