On Mon, Aug 01, 2016 at 08:20:27PM +0200, Alban Crequy wrote: > Hi, > > On 14 July 2016 at 20:20, Andrey Vagin <avagin@xxxxxxxxxx> wrote: > > Each namespace has an owning user namespace and now there is not way > > to discover these relationships. > > > > Pid and user namepaces are hierarchical. There is no way to discover > > parent-child relationships too. > > > > Why we may want to know relationships between namespaces? > > > > One use would be visualization, in order to understand the running system. > > This looks interesting to me because I am interested in representing > in a graphical way the relationship between different mounts in > different mount namespaces (showing the ID, the parent-children > relationships, mount peer groups, the master-slave relationships etc), > specially for containers. The first idea was to take both > /proc/1/mountinfo and /proc/$OTHER_PID/mountinfo and I can correlate > the "shared:" and "master:" fields in the mountinfo files. > > But I cannot read the /proc/$pid/mountinfo of mount namespaces when > there are no processes in those mount namespaces. For example, if > those mount namespaces stay alive only because they contain > "shared&slave" mounts between master mounts and slave mounts that I > can see in /proc/$pid/mountinfo. Fictional example: > > # mntns 1, mountinfo 1 (visible via /proc/1/mountinfo) > 61 0 253:1 / / rw shared:1 > > # mntns 2, mountinfo 2 (not visible via any /proc/$pid/mountinfo) > 731 569 0:75 / / rw master:1 shared:42 > > # mntns 3, mountinfo 3 (not visible via any /proc/${container_pid}/mountinfo) > 762 597 0:82 / / rw master:42 shared:76 > > As far as I understand, I cannot get a reference to the mntns2 fd > because mnt namespaces are not hierarchical, and I cannot get its > /proc/???/mountinfo because no processes live inside. Hi Alban, A mount namespace is alive only if someone lives in it or if it is bind-mounted somewhere. In your case, the kernel destroys mntns2 and adjusts groups for mounts: [root@fc24 zzz]# nsenter --mount=mnt2 -- cat /proc/self/mountinfo | grep zzz 184 183 0:43 / /tmp/zzz/a rw,relatime shared:72 master:70 - tmpfs a rw [root@fc24 zzz]# nsenter --mount=mnt3 -- cat /proc/self/mountinfo | grep zzz 162 161 0:43 / /tmp/zzz/a rw,relatime master:72 - tmpfs a rw [root@fc24 zzz]# umount mnt2 [root@fc24 zzz]# nsenter --mount=mnt3 -- cat /proc/self/mountinfo | grep zzz 162 161 0:43 / /tmp/zzz/a rw,relatime master:70 - tmpfs a rw Thanks, Andrew > > Is there a way around it? Should this use case be handled together? > > Thanks! > Alban > > > Another would be to answer the question: what capability does process X have to > > perform operations on a resource governed by namespace Y? > > > > One more use-case (which usually called abnormal) is checkpoint/restart. > > In CRIU we age going to dump and restore nested namespaces. > > > > There [1] was a discussion about which interface to choose to determing > > relationships between namespaces. > > > > Eric suggested to add two ioctl-s [2]: > >> Grumble, Grumble. I think this may actually a case for creating ioctls > >> for these two cases. Now that random nsfs file descriptors are bind > >> mountable the original reason for using proc files is not as pressing. > >> > >> One ioctl for the user namespace that owns a file descriptor. > >> One ioctl for the parent namespace of a namespace file descriptor. > > > > Here is an implementaions of these ioctl-s. > > > > [1] https://lkml.org/lkml/2016/7/6/158 > > [2] https://lkml.org/lkml/2016/7/9/101 > > > > Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > > Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> > > Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> > > Cc: "W. Trevor King" <wking@xxxxxxxxxx> > > Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> > > Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> > > > > -- > > 2.5.5 > > > > _______________________________________________ > > Containers mailing list > > Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > > https://lists.linuxfoundation.org/mailman/listinfo/containers _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers