User namespace

From CRIU
Revision as of 13:59, 10 February 2015 by Xemul (talk | contribs)

Implementing user namespace support in CRIU requires a few changes on the kernel side. First of all, when a new user namespace is created, its capabilities are dropped, so any kernel operation guarded with capable() may fail. In particular, we found that the following things do not work when we restore tasks running in their own user namespace:

  • Using the SO_RCVBUFFORCE and SO_SNDBUFFORCE socket options (CAP_NET_ADMIN)
  • open_by_handle_at and linkat(AT_EMPTY_PATH) require CAP_DAC_READ_SEARCH
  • TIOCSLCKTRMIOS (CAP_SYS_ADMIN)
  • mknod() requires CAP_MKNOD
  • Lots of IPCNS and UTSNS sysctls require CAP_SYS_ADMIN

The list will be updated over time. To resolve these problems we need to address every issue and modify the kernel. For the first bullet there is already a patch floating around on the kernel mailing list.
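A small probe for the first bullet, added here as an illustration (it is not CRIU code): it forks a child, moves it into a new user namespace with unshare(CLONE_NEWUSER), and reports the errno that SO_RCVBUFFORCE and SO_SNDBUFFORCE return there next to the result in the calling context. The helper names try_bufforce and probe_in_userns are made up for this example, and the output reflects whatever kernel it runs on.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: try one *BUFFORCE option on a fresh AF_UNIX socket.
 * Returns 0 on success, the errno from setsockopt(), or -1 if no socket. */
static int try_bufforce(int optname)
{
    int val = 1 << 20, err = 0;
    int sk = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sk < 0)
        return -1;
    if (setsockopt(sk, SOL_SOCKET, optname, &val, sizeof(val)) < 0)
        err = errno;
    close(sk);
    return err;
}

/* Hypothetical helper: repeat the attempt in a child that has entered a new
 * user namespace. Returns 0 or the errno seen there, or -1 when the probe
 * could not run (fork failed, user namespaces unavailable, no socket). */
int probe_in_userns(int optname)
{
    int status, r;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) < 0)
            _exit(255);
        r = try_bufforce(optname);
        _exit(r < 0 ? 255 : r);   /* errno values fit in the exit status */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int opts[] = { SO_RCVBUFFORCE, SO_SNDBUFFORCE };
    const char *names[] = { "SO_RCVBUFFORCE", "SO_SNDBUFFORCE" };
    for (int i = 0; i < 2; i++) {
        int here = try_bufforce(opts[i]), ns = probe_in_userns(opts[i]);
        printf("%-14s caller: %s, new userns: %s\n", names[i],
               here > 0 ? strerror(here) : here ? "n/a" : "ok",
               ns > 0 ? strerror(ns) : ns ? "probe unavailable" : "ok");
    }
    return 0;
}
```

The child only unshares the user namespace, so the socket still lives in the original network namespace and the CAP_NET_ADMIN check is made against a namespace where the child holds no capabilities.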