Pavel Emelyanov <xemul@xxxxxxxxxxxxx> writes:

> Eric W. Biederman wrote:
>> Pavel Emelyanov <xemul@xxxxxxxxxxxxx> writes:
>>
>>>>> Yet another set of per-namespace IDs along with CLONE_NEWXXX ones?
>>>>> I currently have a way to create all namespaces we have with one
>>>>> syscall. Why don't we have an ability to enter them all with one syscall?
>>>> The CLONE_NEWXXX series of bits has been a royal pain to work with,
>>>> and it appears to be unnecessary complications for no gain.
>>> That's the answer for the "Yet another set..." question.
>>> How about the "Why don't we have..." one?
>>
>> I am not certain which question you are asking:
>>
>> Why don't we have an ability to enter all namespaces with one syscall
>> invocation?
>
> Exactly. Please add at least the NSTYPE_NSPROXY or whatever, that will
> pin all namespaces of a given pid from the very beginning.

For nsfd(2) that is doable. At least for now setns can't restore it.

>> Why don't we have a syscall that allows us to enter every namespace?
>
> This one is done in the patch, no?
>
> Although the approach is OK for me, there's one design issue, that came
> up to my mind recently: can we use this fd to wait for a namespace to
> stop? I currently don't see this ability, but this is something I require
> badly.

I have designed these file descriptors to pin the namespaces, so waiting
for them to exit isn't something they can do now.

It makes a lot of sense to have similar ones that take weak references to
the namespaces that we can use to wait for a namespace to exit.

Eric
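As an added illustration (not code from this thread or from the patch under discussion), this is what "enter all namespaces of a pid" looks like with the setns(2) interface Linux ended up with: one fd and one setns() call per namespace type instead of a single NSTYPE_NSPROXY-style call, with every fd opened up front because, as the reply says, an open fd pins its namespace. It assumes Linux with glibc and /proc mounted, and needs CAP_SYS_ADMIN in the target's user namespace to actually enter anything; the table and helper names are mine.

```c
#define _GNU_SOURCE            /* setns() and CLONE_NEW* come from <sched.h> */
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef CLONE_NEWNET           /* fallback for old headers; values are the kernel ABI */
#define CLONE_NEWNS 0x00020000
#define CLONE_NEWUTS 0x04000000
#define CLONE_NEWIPC 0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID 0x20000000
#define CLONE_NEWNET 0x40000000
#endif
int setns(int fd, int nstype); /* harmless repeat if <sched.h> already declared it */

#define NS_COUNT 6
/* user first: it fixes the capabilities the later calls run with; mnt last. */
static const struct { int flag; const char *name; } ns_table[NS_COUNT] = {
    { CLONE_NEWUSER, "user" }, { CLONE_NEWIPC, "ipc" }, { CLONE_NEWUTS, "uts" },
    { CLONE_NEWNET, "net" },   { CLONE_NEWPID, "pid" }, { CLONE_NEWNS, "mnt" },
};

/* Map one CLONE_NEW* flag to its /proc/<pid>/ns/ entry, or NULL if unknown. */
const char *ns_proc_name(int nstype)
{
    for (int i = 0; i < NS_COUNT; i++)
        if (ns_table[i].flag == nstype) return ns_table[i].name;
    return NULL;
}

/* Enter every namespace selected by `want` that `pid` lives in, one setns()
 * per namespace. Returns how many were entered, or -1 if any step failed.
 * All fds are opened before the first setns(): an open ns fd pins the
 * namespace, so none of them can disappear between the individual calls. */
int enter_namespaces(pid_t pid, int want)
{
    int fds[NS_COUNT], entered = 0, rc = 0; char path[64];
    for (int i = 0; i < NS_COUNT; i++) {
        fds[i] = -1;
        if (!(want & ns_table[i].flag)) continue;
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns_table[i].name);
        if ((fds[i] = open(path, O_RDONLY | O_CLOEXEC)) < 0) rc = -1;
    }
    for (int i = 0; i < NS_COUNT && rc == 0; i++) {
        if (fds[i] < 0) continue;
        if (setns(fds[i], ns_table[i].flag) < 0) rc = -1; else entered++;
    }
    for (int i = 0; i < NS_COUNT; i++)
        if (fds[i] >= 0) close(fds[i]);
    return rc < 0 ? -1 : entered;
}
```

Because the fd only pins the namespace, it cannot be used to wait for that namespace to go away, which is exactly the gap the reply above describes.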