[Rats! Doing now what I should have down to start with. Looping some lists and CRIU and other possibly relevant people into this conversation] Hi Eric, On 5 July 2016 at 23:47, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes: > >> Hi Eric, >> >> I have a question. Is there any way currently to discover which >> user namespace a particular nonuser namespace is governed by? >> Maybe I am missing something, but there does not seem to be a >> way to do this. Also, can one discover which userns is the >> parent of a given userns? Again, I can't see a way to do this. >> >> The point here is introspecting so that a process might determine >> what its capabilities are when operating on some resource governed >> by a (nonuser) namespace. > > To the best of my knowledge that there is not an interface to get that > information. It would be good to have such an interface for no other > reason than the CRIU folks are going to need it at some point. I am a > bit surprised they have not complained yet. > > That said in a normal use scenario I don't think that information is > needed. > > Do you have a particular use case besides checkpoint/restart where this > is useful? That might help in coming up with a good userspace interface > for this information. So, I spend a moderate amount of time working with people to introduce them to the namespaces infrastructure, and one topic that comes up now and this introspection/visualization tools. For example, nowadays--thanks to the (bizarrely misnamed) NStgid and NSpid fields in /proc/PID--it's possible to (and someone I was working with did) write tools that introspect the PID namespace hierarchy to show all of process's and their PIDs in the various namespace instance. It's a natural enough thing to want to do, when confronted with the complexity of the namespaces. Someone else then asked me a question that led me to wonder about generally introspecting on the parental relationships between user namespaces and the association of other namespaces types with user namespaces. One use would be visualization, in order to understand the running system. Another would be to answer the question I already mentioned: what capability does process X have to perform operations on a resource governed by namespace Y? Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
