Re: [patch 0/8] unprivileged mount syscall [message #18167] |
Wed, 11 April 2007 18:28 ![Go to next message Go to next message](/theme/ovz3/images/down.png) |
Ram Pai
Messages: 15 Registered: April 2007
|
Junior Member |
|
|
On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote:
> > 1. clone the master namespace.
> >
> > 2. in the new namespace
> >
> > move the tree under /share/$me to /
> > for each ($user, $what, $how) {
> > move /share/$user/$what to /$what
> > if ($how == slave) {
> > make the mount tree under /$what as slave
> > }
> > }
> >
> > 3. in the new namespace make the tree under
> > /share as private and unmount /share
>
> Thanks. I get the basic idea now: the namespace itself need not be
> shared between the sessions, it is enough if "share" propagation is
> set up between the different namespaces of a user.
>
> I don't yet see either in your or Viro's description how the trees
> under /share/$USER are initialized. I guess they are recursively
> bound from /, and are made slaves.
yes. I suppose, when a userid is created one of the steps would be
mount --rbind / /share/$USER
mount --make-rslave /share/$USER
mount --make-rshared /share/$USER
RP
> Miklos
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
|
|
|
Re: [patch 0/8] unprivileged mount syscall [message #18223 is a reply to message #18167] |
Fri, 13 April 2007 11:58 ![Go to previous message Go to previous message](/theme/ovz3/images/up.png) ![Go to next message Go to next message](/theme/ovz3/images/down.png) |
Miklos Szeredi
Messages: 161 Registered: April 2007
|
Senior Member |
|
|
> On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote:
> > > 1. clone the master namespace.
> > >
> > > 2. in the new namespace
> > >
> > > move the tree under /share/$me to /
> > > for each ($user, $what, $how) {
> > > move /share/$user/$what to /$what
> > > if ($how == slave) {
> > > make the mount tree under /$what as slave
> > > }
> > > }
> > >
> > > 3. in the new namespace make the tree under
> > > /share as private and unmount /share
> >
> > Thanks. I get the basic idea now: the namespace itself need not be
> > shared between the sessions, it is enough if "share" propagation is
> > set up between the different namespaces of a user.
> >
> > I don't yet see either in your or Viro's description how the trees
> > under /share/$USER are initialized. I guess they are recursively
> > bound from /, and are made slaves.
>
> yes. I suppose, when a userid is created one of the steps would be
>
> mount --rbind / /share/$USER
> mount --make-rslave /share/$USER
> mount --make-rshared /share/$USER
Thinking a bit more about this, I'm quite sure most users wouldn't
even want private namespaces. It would be enough to
chroot /share/$USER
and be done with it.
Private namespaces are only good for keeping a bunch of mounts
referenced by a group of processes. But my guess is, that the natural
behavior for users is to see a persistent set of mounts.
If for example they mount something on a remote machine, then log out
from the ssh session and later log back in, they would want to see
their previous mount still there.
Miklos
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
|
|
|
Re: [patch 0/8] unprivileged mount syscall [message #18226 is a reply to message #18223] |
Fri, 13 April 2007 20:07 ![Go to previous message Go to previous message](/theme/ovz3/images/up.png) ![Go to next message Go to next message](/theme/ovz3/images/down.png) |
Karel Zak
Messages: 7 Registered: April 2007
|
Junior Member |
|
|
On Fri, Apr 13, 2007 at 01:58:59PM +0200, Miklos Szeredi wrote:
> > On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote:
> > > > 1. clone the master namespace.
> > > >
> > > > 2. in the new namespace
> > > >
> > > > move the tree under /share/$me to /
> > > > for each ($user, $what, $how) {
> > > > move /share/$user/$what to /$what
> > > > if ($how == slave) {
> > > > make the mount tree under /$what as slave
> > > > }
> > > > }
> > > >
> > > > 3. in the new namespace make the tree under
> > > > /share as private and unmount /share
> > >
> > > Thanks. I get the basic idea now: the namespace itself need not be
> > > shared between the sessions, it is enough if "share" propagation is
> > > set up between the different namespaces of a user.
> > >
> > > I don't yet see either in your or Viro's description how the trees
> > > under /share/$USER are initialized. I guess they are recursively
> > > bound from /, and are made slaves.
> >
> > yes. I suppose, when a userid is created one of the steps would be
> >
> > mount --rbind / /share/$USER
> > mount --make-rslave /share/$USER
> > mount --make-rshared /share/$USER
>
> Thinking a bit more about this, I'm quite sure most users wouldn't
> even want private namespaces. It would be enough to
>
> chroot /share/$USER
>
> and be done with it.
I don't think so. How to you want to implement non-shared /tmp
directories? The chroot is overkill in this case. See:
http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
http://danwalsh.livejournal.com/
> Private namespaces are only good for keeping a bunch of mounts
> referenced by a group of processes. But my guess is, that the natural
> behavior for users is to see a persistent set of mounts.
>
> If for example they mount something on a remote machine, then log out
> from the ssh session and later log back in, they would want to see
> their previous mount still there.
They can mount to /mnt where the directory is shared ("mount
--make-shared /mnt") and visible and all namespaces.
I think /share/$USER is an extreme example. You can found more
situations when private namespaces are nice solution.
Karel
--
Karel Zak <kzak@redhat.com>
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
|
|
|
|
Re: [patch 0/8] unprivileged mount syscall [message #18230 is a reply to message #18223] |
Mon, 16 April 2007 07:59 ![Go to previous message Go to previous message](/theme/ovz3/images/up.png) |
Ram Pai
Messages: 15 Registered: April 2007
|
Junior Member |
|
|
On Fri, 2007-04-13 at 13:58 +0200, Miklos Szeredi wrote:
> > On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote:
> > > > 1. clone the master namespace.
> > > >
> > > > 2. in the new namespace
> > > >
> > > > move the tree under /share/$me to /
> > > > for each ($user, $what, $how) {
> > > > move /share/$user/$what to /$what
> > > > if ($how == slave) {
> > > > make the mount tree under /$what as slave
> > > > }
> > > > }
> > > >
> > > > 3. in the new namespace make the tree under
> > > > /share as private and unmount /share
> > >
> > > Thanks. I get the basic idea now: the namespace itself need not be
> > > shared between the sessions, it is enough if "share" propagation is
> > > set up between the different namespaces of a user.
> > >
> > > I don't yet see either in your or Viro's description how the trees
> > > under /share/$USER are initialized. I guess they are recursively
> > > bound from /, and are made slaves.
> >
> > yes. I suppose, when a userid is created one of the steps would be
> >
> > mount --rbind / /share/$USER
> > mount --make-rslave /share/$USER
> > mount --make-rshared /share/$USER
>
> Thinking a bit more about this, I'm quite sure most users wouldn't
> even want private namespaces. It would be enough to
>
> chroot /share/$USER
>
> and be done with it.
>
> Private namespaces are only good for keeping a bunch of mounts
> referenced by a group of processes. But my guess is, that the natural
> behavior for users is to see a persistent set of mounts.
>
> If for example they mount something on a remote machine, then log out
> from the ssh session and later log back in, they would want to see
> their previous mount still there.
They will continue see their previous mount tree.
Even if all the namespaces belonging to the different sessions of the
user get dismantled when all the sessions exit, the a mirror of those
mount trees continue to exist under /share/$USER in the original
namespace. So I don't think we have a issue.
NOTE: when I say 'original namespace' I mean the admin namespace; the
first namespace that gets created when the machine boots.
RP
>
> Miklos
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
|
|
|