Dan Smith wrote: > DL> I guess it will be esay to implement with a nsproxy level counter. > DL> Each time you unshare, the new nsproxy count is incremented. > DL> Assuming the init_nsproxy is level 0, when the nsproxy counter is > DL> > 1, the process is uncheckpointable. > > This should also be possible by just making sure that the nsproxy of > the root process being checkpointed is the same as any of the > children, correct? That way we avoid having to modify the core > nsproxy bits and can still reject any nested namespaces. Daniel L, could we cleanup the patch we have on ns_group which filters out the clone() done with the 'wrong' clone flags ? Thanks, C. _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers