1. 10 May, 2011 2 commits
    • Eric W. Biederman's avatar
      ns: Introduce the setns syscall · 0663c6f8
      Eric W. Biederman authored
      With the networking stack today there is demand to handle
      multiple network stacks at a time.  Not in the context
      of containers but in the context of people doing interesting
      things with routing.
      
      There is also demand in the context of containers to have
      an efficient way to execute some code in the container itself.
      If nothing else it is very useful ad a debugging technique.
      
      Both problems can be solved by starting some form of login
      daemon in the namespaces people want access to, or you
      can play games by ptracing a process and getting the
      traced process to do things you want it to do. However
      it turns out that a login daemon or a ptrace puppet
      controller are more code, they are more prone to
      failure, and generally they are less efficient than
      simply changing the namespace of a process to a
      specified one.
      
      Pieces of this puzzle can also be solved by instead of
      coming up with a general purpose system call coming up
      with targed system calls perhaps socketat that solve
      a subset of the larger problem.  Overall that appears
      to be more work for less reward.
      
      int setns(int fd, int nstype);
      
      The fd argument is a file descriptor referring to a proc
      file of the namespace you want to switch the process to.
      
      In the setns system call the nstype is 0 or specifies
      an clone flag of the namespace you intend to change
      to prevent changing a namespace unintentionally.
      
      v2: Most of the architecture support added by Daniel Lezcano <dlezcano@fr.ibm.com>
      v3: ported to v2.6.36-rc4 by: Eric W. Biederman <ebiederm@xmission.com>
      v4: Moved wiring up of the system call to another patch
      v5: Cleaned up the system call arguments
          - Changed the order.
          - Modified nstype to take the standard clone flags.
      v6: Added missing error handling as pointed out by Matt Helsley <matthltc@us.ibm.com>
      Acked-by: default avatarDaniel Lezcano <daniel.lezcano@free.fr>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      0663c6f8
    • Eric W. Biederman's avatar
      ns: proc files for namespace naming policy. · 6b4e306a
      Eric W. Biederman authored
      Create files under /proc/<pid>/ns/ to allow controlling the
      namespaces of a process.
      
      This addresses three specific problems that can make namespaces hard to
      work with.
      - Namespaces require a dedicated process to pin them in memory.
      - It is not possible to use a namespace unless you are the child
        of the original creator.
      - Namespaces don't have names that userspace can use to talk about
        them.
      
      The namespace files under /proc/<pid>/ns/ can be opened and the
      file descriptor can be used to talk about a specific namespace, and
      to keep the specified namespace alive.
      
      A namespace can be kept alive by either holding the file descriptor
      open or bind mounting the file someplace else.  aka:
      mount --bind /proc/self/ns/net /some/filesystem/path
      mount --bind /proc/self/fd/<N> /some/filesystem/path
      
      This allows namespaces to be named with userspace policy.
      
      It requires additional support to make use of these filedescriptors
      and that will be comming in the following patches.
      Acked-by: default avatarDaniel Lezcano <daniel.lezcano@free.fr>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      6b4e306a
  2. 04 May, 2011 4 commits
  3. 03 May, 2011 8 commits
  4. 02 May, 2011 24 commits
  5. 01 May, 2011 2 commits