Re: [PATCH/RFC] unshare: add --fork/--mount-proc options for pid namespaces

On Wednesday 03 July 2013 06:36:35 Karel Zak wrote:
> On Mon, Jul 01, 2013 at 10:47:04AM -0400, Mike Frysinger wrote:
> > On Monday 01 July 2013 07:40:08 Karel Zak wrote:
> > > On Thu, Jun 27, 2013 at 08:04:58PM -0400, Mike Frysinger wrote:
> > > > When it comes to pid namespaces, it's also useful for /proc to
> > > > reflect the current namespace.  Again, this is easy to pull off, but
> > > > annoying to force everyone to do it themselves.  So let's add a
> > > > --mount-proc to do the magic for us.
> > >  
> > >  This is not so easy. For example, on Fedora 18 the default is "shared":
> > >  
> > >  # grep /proc /proc/self/mountinfo
> > >  14 33 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> > >  
> > >  This means that unshare(CLONE_NEWNS) does not have the expected effect and
> > >  the following mount(/proc) has a horrible impact on the whole system. You
> > >  have to use (for example):
> > >  
> > >     mount --make-rprivate /proc
> > >     unshare --fork --mount-proc --pid
> > 
> > i'm not quite following here.  are you saying that Fedora 18 by default
> > makes it hard to do pid namespaces?
> 
>  /proc does not have to be private. You have to call
> 
>     mount("none", "/proc", NULL, MS_PRIVATE|MS_REC, NULL);
> 
>  to be sure that unshare(CLONE_NEWNS) has any effect. It's a mistake
>  to blindly call
> 
>     unshare(CLONE_NEWNS);
>     mount("proc", "/proc", "proc", 0, NULL);
> 
>  If we want to add --mount-proc to unshare(1) then the implementation has
>  to be robust. Your current patch is dangerous on systems where /proc is
>  shared.

well, it usually does more:
	unshare(...);
	fork();
	mount(...);

but if just adding MS_PRIVATE makes it work without needing to do
unshare(NEWNS), that's even better.  i'm not familiar with that flag as it's
not in the mount(2) man page (looks like it's listed as a TODO).

>  It would be also nice to support optional argument to specify the
>  mountpoint --mount-proc[=<mountpoint>].
> 
>  See the patch below -- works for me.

Acked-by: Mike Frysinger <vapier@xxxxxxxxx>
-mike
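The robust --fork/--mount-proc sequence discussed in this thread, as an added example that is not Karel's patch or util-linux code. It checks a /proc/self/mountinfo line for the "shared:N" peer-group tag that Karel's grep output shows, and then performs the safe order: unshare the mount and pid namespaces, fork, and in the child make this namespace's copy of /proc private before mounting a fresh proc. The function names, the choice to apply MS_PRIVATE|MS_REC after unshare(CLONE_NEWNS) rather than before (so the host's /proc propagation is left untouched), and the sample line are assumptions; main() needs root on Linux.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Does this mountinfo line describe `target` with a "shared:N" tag?
 * Fields 1-6 are fixed; optional fields follow until a lone "-". */
int mountinfo_line_is_shared(const char *line, const char *target)
{
    char buf[512], *save, *tok;
    int field = 0, matched = 0, shared = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (tok = strtok_r(buf, " \n", &save); tok; tok = strtok_r(NULL, " \n", &save)) {
        field++;
        if (field == 5 && strcmp(tok, target) == 0) matched = 1;
        if (field > 6 && strcmp(tok, "-") == 0) break;          /* end of optional fields */
        if (field > 6 && strncmp(tok, "shared:", 7) == 0) shared = 1;
    }
    return matched && shared;
}

/* Child side of --fork/--mount-proc (assumed helper, needs root). Called after
 * unshare(CLONE_NEWNS|CLONE_NEWPID) and fork(): detach this namespace's copy
 * of procmnt from its shared peer group so the new proc mount cannot propagate
 * back to the host, then mount proc for the new pid namespace. 0 on success. */
int mount_private_proc(const char *procmnt)
{
    if (mount("none", procmnt, NULL, MS_PRIVATE | MS_REC, NULL) < 0) return -1;
    if (mount("proc", procmnt, "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char *def[] = { "sh", NULL };
    int status;
    /* CLONE_NEWPID only applies to children, hence the fork before mounting. */
    if (unshare(CLONE_NEWNS | CLONE_NEWPID) < 0) { perror("unshare"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        if (mount_private_proc("/proc") < 0) { perror("mount /proc"); _exit(1); }
        execvp(argc > 1 ? argv[1] : def[0], argc > 1 ? argv + 1 : def);
        perror("exec"); _exit(1);
    }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```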
