Andrei Vagin <avagin@xxxxxxxxxx> writes: > From: Andrey Vagin <avagin@xxxxxxxxxx> > > Each namespace has an owning user namespace and now there is not way > to discover these relationships. > > Pid and user namepaces are hierarchical. There is no way to discover > parent-child relationships too. > > Why we may want to know relationships between namespaces? > > One use would be visualization, in order to understand the running > system. Another would be to answer the question: what capability does > process X have to perform operations on a resource governed by namespace > Y? > > One more use-case (which usually called abnormal) is checkpoint/restart. > In CRIU we are going to dump and restore nested namespaces. > > There [1] was a discussion about which interface to choose to determing > relationships between namespaces. > > Eric suggested to add two ioctl-s [2]: >> Grumble, Grumble. I think this may actually a case for creating ioctls >> for these two cases. Now that random nsfs file descriptors are bind >> mountable the original reason for using proc files is not as pressing. >> >> One ioctl for the user namespace that owns a file descriptor. >> One ioctl for the parent namespace of a namespace file descriptor. > > Here is an implementaions of these ioctl-s. > > $ man man7/namespaces.7 > ... > Since Linux 4.X, the following ioctl(2) calls are supported for > namespace file descriptors. The correct syntax is: > > fd = ioctl(ns_fd, ioctl_type); > > where ioctl_type is one of the following: > > NS_GET_USERNS > Returns a file descriptor that refers to an owning user names‐ > pace. > > NS_GET_PARENT > Returns a file descriptor that refers to a parent namespace. > This ioctl(2) can be used for pid and user namespaces. For > user namespaces, NS_GET_PARENT and NS_GET_USERNS have the same > meaning. > > In addition to generic ioctl(2) errors, the following specific ones > can occur: > > EINVAL NS_GET_PARENT was called for a nonhierarchical namespace. > > EPERM The requested namespace is outside of the current namespace > scope. > > [1] https://lkml.org/lkml/2016/7/6/158 > [2] https://lkml.org/lkml/2016/7/9/101 > > Changes for v2: > * don't return ENOENT for init_user_ns and init_pid_ns. There is nothing > outside of the init namespace, so we can return EPERM in this case too. >> The fewer special cases the easier the code is to get >> correct, and the easier it is to read. // Eric > > Changes for v3: > * rename ns->get_owner() to ns->owner(). get_* usually means that it > grabs a reference. > > Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> > Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> > Cc: "W. Trevor King" <wking@xxxxxxxxxx> > Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> > Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> > Applied thanks. I didn't see any issues except your patch __ns_get_path was missing a mntput in the retry case. So I just fixed that. Eric _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers