Quoting Daniel Lezcano (daniel.lezcano@xxxxxxx):
> Dan Smith wrote:
> > DL> I guess it will be easy to implement with a nsproxy level counter.
> > DL> Each time you unshare, the new nsproxy count is incremented.
> > DL> Assuming the init_nsproxy is level 0, when the nsproxy counter is
> > DL> > 1, the process is uncheckpointable.
> >
> > This should also be possible by just making sure that the nsproxy of
> > the root process being checkpointed is the same as any of the
> > children, correct? That way we avoid having to modify the core
> > nsproxy bits and can still reject any nested namespaces.
> >
>
> Right, this is another option. The nsproxy counter will allow to flag at
> runtime a process to be uncheckpointable. The nsproxy comparison will
> detect nested nsproxies at checkpoint time.

Or, to stick more to the resource->may_checkpoint way of doing it, you
setbit(&nsproxy->uts_ns->may_checkpoint, 0) when the uts_ns is created,
and anytime a task does clone(CLONE_NEWUTS) or unshare(CLONE_NEWUTS),
you clear the bit on the parent uts_ns.

-serge
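The three checks discussed in this thread (nsproxy level counter, nsproxy comparison at checkpoint time, per-resource may_checkpoint bit), side by side as a user-space model. This is an added example, not code from the thread or from the kernel; the `level` and `alive` fields and the `model_unshare_uts`, `ok_by_level`, `ok_by_compare` and `scenario` names are hypothetical. The model never sets the bit back, because the message describes no reset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* User-space model; the structs borrow the thread's names, not kernel definitions. */
struct uts_ns  { unsigned long may_checkpoint; };
struct nsproxy { struct uts_ns *uts_ns; int level; };   /* level: the proposed counter */
struct task    { struct nsproxy *nsproxy; bool alive; };

/* Models clone(CLONE_NEWUTS)/unshare(CLONE_NEWUTS): the new uts_ns starts with
 * its bit set, the parent uts_ns loses its bit, the new nsproxy is one level deeper. */
static void model_unshare_uts(struct task *t, struct nsproxy *np, struct uts_ns *ns)
{
    ns->may_checkpoint = 1UL;
    t->nsproxy->uts_ns->may_checkpoint &= ~1UL;
    np->uts_ns = ns;
    np->level = t->nsproxy->level + 1;
    t->nsproxy = np;
}

/* Counter: a live task whose nsproxy level is > 1 is uncheckpointable. */
static bool ok_by_level(const struct task *tasks, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tasks[i].alive && tasks[i].nsproxy->level > 1) return false;
    return true;
}

/* Comparison: every live task must share the nsproxy of the root, tasks[0]. */
static bool ok_by_compare(const struct task *tasks, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (tasks[i].alive && tasks[i].nsproxy != tasks[0].nsproxy) return false;
    return true;
}

/* Constructed scenario. Stage 0: container root and one child; 1: the child has
 * unshared UTS; 2: it has exited. Bits: 1 counter ok, 2 comparison ok, 4 bit ok. */
int scenario(int stage)
{
    struct uts_ns ct_uts = { 1UL }, nested_uts = { 0 };  /* bit set at creation */
    struct nsproxy ct = { &ct_uts, 1 }, nested = { NULL, 0 };
    struct task tasks[2] = { { &ct, true }, { &ct, true } };
    if (stage >= 1) model_unshare_uts(&tasks[1], &nested, &nested_uts);
    if (stage >= 2) tasks[1].alive = false;
    bool bit_ok = tasks[0].nsproxy->uts_ns->may_checkpoint & 1UL;
    return ok_by_level(tasks, 2) | (ok_by_compare(tasks, 2) << 1) | (bit_ok << 2);
}

int main(void) { for (int s = 0; s < 3; s++) printf("stage %d: %d\n", s, scenario(s)); return 0; }
```

In this model the cleared bit outlives the nested task: at stage 2 the counter and the comparison accept the container again, while the bit check still rejects it.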