Re: [PATCHv2 5/7] cgroup: introduce cgroup namespaces

(off-list ancestor, not in this archive)
[PATCHv2 0/7] CGroup Namespaces · Aditya Kali <hidden> · 2014-10-31
[PATCHv2 1/7] kernfs: Add API to generate relative kernfs path · Aditya Kali <hidden> · 2014-10-31
[PATCHv2 2/7] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace · Aditya Kali <hidden> · 2014-10-31
[PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-10-31
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Andy Lutomirski <luto@amacapital.net> · 2014-11-01
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-11-03
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Andy Lutomirski <luto@amacapital.net> · 2014-11-03
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-11-03
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Andy Lutomirski <luto@amacapital.net> · 2014-11-03
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-11-04
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Andy Lutomirski <luto@amacapital.net> · 2014-11-04
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-11-04
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Tejun Heo <tj@kernel.org> · 2014-11-04
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-11-06
Re: [PATCHv2 7/7] cgroup: mount cgroupns-root when inside non-init cgroupns · Aditya Kali <hidden> · 2014-11-04
[PATCHv2 6/7] cgroup: cgroup namespace setns support · Aditya Kali <hidden> · 2014-10-31
[PATCHv2 5/7] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-10-31
Re: [PATCHv2 5/7] cgroup: introduce cgroup namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-11-01
Re: [PATCHv2 5/7] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-11-03
Re: [PATCHv2 5/7] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-11-04
[PATCHv2 4/7] cgroup: export cgroup_get() and cgroup_put() · Aditya Kali <hidden> · 2014-10-31
[PATCHv2 3/7] cgroup: add function to get task's cgroup on default hierarchy · Aditya Kali <hidden> · 2014-10-31
Re: [PATCHv2 0/7] CGroup Namespaces · Vivek Goyal <vgoyal@redhat.com> · 2014-11-04
Re: [PATCHv2 0/7] CGroup Namespaces · Aditya Kali <hidden> · 2014-11-06
Re: [PATCHv2 0/7] CGroup Namespaces · Richard Weinberger <hidden> · 2014-11-26
Re: [PATCHv2 0/7] CGroup Namespaces · Aditya Kali <hidden> · 2014-12-02

From: Andy Lutomirski <hidden>
Date: 2014-11-01 00:03:06
Also in: cgroups, lkml

Possibly related (same subject, not in this thread)

2014-11-03 · Re: [PATCHv2 5/7] cgroup: introduce cgroup namespaces · Aditya Kali <hidden>
2014-11-01 · Re: [PATCHv2 5/7] cgroup: introduce cgroup namespaces · Eric W. Biederman <hidden>

On Fri, Oct 31, 2014 at 12:18 PM, Aditya Kali [off-list ref] wrote:

Introduce the ability to create new cgroup namespace. The newly created
cgroup namespace remembers the cgroup of the process at the point
of creation of the cgroup namespace (referred as cgroupns-root).
The main purpose of cgroup namespace is to virtualize the contents
of /proc/self/cgroup file. Processes inside a cgroup namespace
are only able to see paths relative to their namespace root
(unless they are moved outside of their cgroupns-root, at which point
 they will see a relative path from their cgroupns-root).
For a correctly setup container this enables container-tools
(like libcontainer, lxc, lmctfy, etc.) to create completely virtualized
containers without leaking system level cgroup hierarchy to the task.
This patch only implements the 'unshare' part of the cgroupns.

+       /* Prevent cgroup changes for this task. */
+       threadgroup_lock(current);

This could just be me being dense, but what is the lock for?

+
+       /* CGROUPNS only virtualizes the cgroup path on the unified hierarchy.
+        */
+       cgrp = get_task_cgroup(current);
+
+       err = -ENOMEM;
+       new_ns = alloc_cgroup_ns();
+       if (!new_ns)
+               goto err_out_unlock;
+
+       err = proc_alloc_inum(&new_ns->proc_inum);
+       if (err)
+               goto err_out_unlock;
+
+       new_ns->user_ns = get_user_ns(user_ns);
+       new_ns->root_cgrp = cgrp;
+
+       threadgroup_unlock(current);
+
+       return new_ns;
+
+err_out_unlock:
+       threadgroup_unlock(current);
+err_out:
+       if (cgrp)
+               cgroup_put(cgrp);
+       kfree(new_ns);
+       return ERR_PTR(err);
+}
+
+static int cgroupns_install(struct nsproxy *nsproxy, void *ns)
+{
+       pr_info("setns not supported for cgroup namespace");
+       return -EINVAL;
+}
+
+static void *cgroupns_get(struct task_struct *task)
+{
+       struct cgroup_namespace *ns = NULL;
+       struct nsproxy *nsproxy;
+
+       rcu_read_lock();
+       nsproxy = task->nsproxy;
+       if (nsproxy) {
+               ns = nsproxy->cgroup_ns;
+               get_cgroup_ns(ns);
+       }
+       rcu_read_unlock();

How is this correct?  Other namespaces do it too, so it Must Be
Correct (tm), but I don't understand.  What is RCU protecting?

--Andy

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help