On Monday 01 July 2013 07:40:08 Karel Zak wrote:
> On Thu, Jun 27, 2013 at 08:04:58PM -0400, Mike Frysinger wrote:
> > When it comes to pid namespaces, it's also useful for /proc to reflect
> > the current namespace. Again, this is easy to pull off, but annoying
> > to force everyone to do it themselves. So let's add a --mount-proc to
> > do the magic for us.
>
> This is not so easy. For example on Fedora 18 the default is "shared":
>
> # grep /proc /proc/self/mountinfo
> 14 33 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
>
> it means that unshare( CLONE_NEWNS ) has no expected effect and the
> following mount(/proc) has horrible impact for all system. You have
> to use (for example):
>
> mount --make-rprivate /proc
> unshare --fork --mount-proc --pid

i'm not quite following here. are you saying that Fedora 18 by default
makes it hard to do pid namespaces ?

> The --fork option makes sense, but I have doubts about --mount-proc.
>
> It would be better to keep unshare(1) simple and stupid rather than
> expect that we can setup usable container by the util.
>
> It's easy to call "mount proc /proc -t proc" after "unshare --pid
> --mount --fork".

unless you're running on a system that has a shared /proc ? :)

> > - if (optind < argc) {
> > - execvp(argv[optind], argv + optind);
> > - err(EXIT_FAILURE, _("failed to execute %s"), argv[optind]);
> > + pid = forkit ? fork() : 1;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I guess it's bug that exec_shell() only when forkit is set and
> waitpid() is called always.

i fixed this locally already. guess i sent out a stale version.
change the "1" to "0".

> See the patch below.

sure, that gets us half way home :)

> + switch(pid) {

needs a space before the (

-mike
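Review bot: `pid = forkit ? fork() : 1;` leaves pid at 1 on the non-fork path, so `switch(pid)` never reaches the child (pid == 0) case that execs the command, while the parent branch still goes on to waitpid() for a child that was never forked; use `pid = forkit ? fork() : 0;` so that without --fork the code falls straight into the exec branch. The `+ switch(pid) {` line also needs a space before the parenthesis.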
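The check Karel runs by hand above (grep /proc out of /proc/self/mountinfo and look for a shared:N optional field) is the thing worth automating before relying on unshare(CLONE_NEWNS) plus a fresh mount of /proc: on a shared mount the new /proc propagates back to the host namespace. The script below is an added example, not code from this thread or from util-linux; it parses mountinfo text with POSIX sh and awk, reports the propagation state of a mount point, and says whether /proc is safe to mount over inside a new mount namespace. The first sample line is the Fedora 18 line quoted in the message; the other two sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the util-linux thread): report the propagation state
# of a mount point from /proc/self/mountinfo text, so a script can confirm that
# /proc is private (or a slave) before unsharing the mount namespace and
# mounting a new proc on top of it.

# propagation_of MOUNTINFO_TEXT MOUNTPOINT
# Prints "shared", "slave", "unbindable" or "private" for the first mountinfo
# line whose mount point (field 5) matches, or "none" if there is no such line.
# The optional fields sit between field 7 and the "-" separator; "shared:N"
# marks a shared peer group, "master:N" marks a slave of peer group N.
propagation_of() {
    _text=$1
    _mp=$2
    printf '%s\n' "$_text" | awk -v mp="$_mp" '
        $5 == mp {
            state = "private"
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/)        state = "shared"
                else if ($i ~ /^master:/)   state = "slave"
                else if ($i == "unbindable") state = "unbindable"
            }
            print state
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# proc_is_private MOUNTINFO_TEXT
# Succeeds (exit 0) when /proc will not propagate a new mount back to the
# host, i.e. its state is anything but "shared". A slave mount receives
# events from its master but does not send them, so it is fine here.
proc_is_private() {
    [ "$(propagation_of "$1" /proc)" != "shared" ]
}

# Sample input. The first line is the Fedora 18 line quoted in the thread;
# the other two are constructed variants of it.
SHARED_MOUNTINFO='14 33 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw'
SLAVE_MOUNTINFO='14 33 0:3 / /proc rw,nosuid,nodev,noexec,relatime master:5 - proc proc rw'
PRIVATE_MOUNTINFO='14 33 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# When run directly on a Linux host, report the real /proc as well.
if [ -r /proc/self/mountinfo ]; then
    printf 'this host: /proc is %s\n' "$(propagation_of "$(cat /proc/self/mountinfo)" /proc)"
fi
printf 'fedora 18 sample: /proc is %s\n' "$(propagation_of "$SHARED_MOUNTINFO" /proc)"
```

If the state comes back as "shared", the `mount --make-rprivate /proc` step from the message (run before unshare) is what keeps the subsequent proc mount confined to the new namespace; running the check first turns a silent, system-wide side effect into an explicit precondition.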