Difference between revisions of "User namespace"

From CRIU
Line 1: Line 1:
 
Implementing user namespace support in CRIU requires a few changes on kernel side. First of all when a new user namespace is created its capability get dropped off, thus any kernel aspect guarded with capable() may fail. In particular we found that the following things are not functional when we restore tasks running in own user namespace:
 
Implementing user namespace support in CRIU requires a few changes on kernel side. First of all when a new user namespace is created its capability get dropped off, thus any kernel aspect guarded with capable() may fail. In particular we found that the following things are not functional when we restore tasks running in own user namespace:
  
- setup of memory descriptor (prctl syscall)
+
* setup of memory descriptor (prctl syscall) (CAP_SYS_RESOURCE) (assigned to gorcunov@)
- access to /proc/pid/map_files which we use for restore of shared memory
+
* access to /proc/pid/map_files which we use for restore of shared memory (CAP_SYS_ADMIN)
- restoration of SO_RCVBUFFORCE socket option
+
* using of SO_RCVBUFFORCE and SO_SNDBUFFORCE socket option (CAP_NET_ADMIN)
  
 
The list will be updated with time. To resolve the problems we need to address every issue and modify the kernel. For first bullet there is a patch already floating around in kernel mailing list.
 
The list will be updated with time. To resolve the problems we need to address every issue and modify the kernel. For first bullet there is a patch already floating around in kernel mailing list.
 +
 +
[https://github.com/avagin/criu/tree/userns2 Here is a draft of userspace code]
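Review bot: the third added bullet reads "using of SO_RCVBUFFORCE and SO_SNDBUFFORCE socket option"; it should be "use of the SO_RCVBUFFORCE and SO_SNDBUFFORCE socket options". Only the first bullet names an owner ("assigned to gorcunov@"), so the CAP_SYS_ADMIN and CAP_NET_ADMIN items should either name one or be marked unassigned. The draft link added on the last line points at a branch (userns2) rather than a fixed commit, so what it shows will change as the branch moves.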

Revision as of 13:07, 29 July 2014

Implementing user namespace support in CRIU requires a few changes on the kernel side. First of all, when a new user namespace is created its capabilities get dropped, so any kernel path guarded with capable(), which checks against the initial user namespace, may fail. In particular, we found that the following things do not work when we restore tasks running in their own user namespace:

  • setup of the memory descriptor (prctl syscall) (CAP_SYS_RESOURCE) (assigned to gorcunov@)
  • access to /proc/pid/map_files, which we use to restore shared memory (CAP_SYS_ADMIN)
  • use of the SO_RCVBUFFORCE and SO_SNDBUFFORCE socket options (CAP_NET_ADMIN)

The list will be updated over time. To resolve these problems we need to address each issue and modify the kernel. For the first item, a patch is already circulating on the kernel mailing list.

Here is a draft of userspace code: https://github.com/avagin/criu/tree/userns2