Re: [lxc-devel] [PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs

2016-02-16 Thread Tejun Heo
On Fri, Jan 29, 2016 at 02:54:11AM -0600, serge.hal...@ubuntu.com wrote: > From: Serge Hallyn > > allowing root in a non-init user namespace to mount it. This should > now be safe, because > > 1. non-init-root cannot mount a previously unbound subsystem > 2. the task

Re: [lxc-devel] CGroup Namespaces (v10)

2016-02-15 Thread Tejun Heo
On Mon, Feb 15, 2016 at 04:17:05PM -0500, Tejun Heo wrote: > I'm getting the following on top of the current for-4.6. Can you > please look into it? > > [kernel/cgroup.c:219:13: error: ‘cgroupns_operations’ undeclared here (not in > a function) > .ns.

Re: [lxc-devel] CGroup Namespaces (v10)

2016-02-15 Thread Tejun Heo
On Fri, Feb 12, 2016 at 05:22:21PM -0600, Serge E. Hallyn wrote: > On Fri, Feb 12, 2016 at 11:09:06AM -0500, Tejun Heo wrote: > > Hello, > > > > On Fri, Feb 12, 2016 at 12:18:28AM +0100, Alban Crequy wrote: > > > I just noticed commit c38c4597e4bf ("netfilter

Re: [lxc-devel] CGroup Namespaces (v10)

2016-02-12 Thread Tejun Heo
Hello, On Fri, Feb 12, 2016 at 12:18:28AM +0100, Alban Crequy wrote: > I just noticed commit c38c4597e4bf ("netfilter: implement xt_cgroup > cgroup2 path match") which, as far as I understand, introduces a new > userland facing API containing the full cgroup path. Does it mean that > the cgroupns

Re: [lxc-devel] CGroup Namespaces (v8)

2016-01-02 Thread Tejun Heo
On Fri, Jan 01, 2016 at 11:14:14AM -0800, Dan Williams wrote: > On Fri, Jan 1, 2016 at 10:06 AM, Serge E. Hallyn > wrote: > > On Fri, Jan 01, 2016 at 01:42:57AM -0800, Dan Williams wrote: > >> Commit 54b39d263704 "cgroup: cgroup namespace setns support" not > >> booting

[lxc-devel] [PATCH] cgroup: Add documentation for cgroup namespaces

2015-12-28 Thread Tejun Heo
-0600 tj: Reorganized to better fit the documentation. Signed-off-by: Aditya Kali <adityak...@google.com> Signed-off-by: Serge Hallyn <serge.hal...@canonical.com> Signed-off-by: Tejun Heo <t...@kernel.org> --- Documentation/cgroup.txt | 147

Re: [lxc-devel] [PATCH 7/8] cgroup: Add documentation for cgroup namespaces

2015-12-28 Thread Tejun Heo
Hello, I did some heavy editing of the documentation. How does this look? Did I miss anything? Thanks. --- Documentation/cgroup.txt | 146 +++ 1 file changed, 146 insertions(+) --- a/Documentation/cgroup.txt +++ b/Documentation/cgroup.txt @@ -47,6

Re: [lxc-devel] CGroup Namespaces (v8)

2015-12-28 Thread Tejun Heo
Applied 1-6 and 8 to cgroup/for-4.5. Thanks. -- tejun ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-12-23 Thread Tejun Heo
Hello, Serge. On Tue, Dec 22, 2015 at 10:23:22PM -0600, serge.hal...@ubuntu.com wrote: > @@ -164,18 +286,39 @@ void pr_cont_kernfs_name(struct kernfs_node *kn) > void pr_cont_kernfs_path(struct kernfs_node *kn) > { > unsigned long flags; > - char *p; > + char *p = NULL; > +

Re: [lxc-devel] [PATCH 3/8] cgroup: introduce cgroup namespaces

2015-12-23 Thread Tejun Heo
Hello, On Tue, Dec 22, 2015 at 10:23:24PM -0600, serge.hal...@ubuntu.com wrote: ... > +char *cgroup_path(struct cgroup *cgrp, char *buf, size_t buflen) > +{ > + int ret; > + > + ret = cgroup_path_ns(cgrp, buf, buflen, current->nsproxy->cgroup_ns); > + if (ret < 0 || ret >=

Re: [lxc-devel] [PATCH 5/7] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-09 Thread Tejun Heo
Hello, Serge. On Tue, Dec 08, 2015 at 05:21:24PM -0600, Serge E. Hallyn wrote: > > Heh, is kernfs_obtain_root() the right name? Maybe > > kernfs_node_to_inode()? > > kernfs_node_to_dentry? > > This would presumably make the question of whether to pass in a namespace > moot? Sounds good.

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-12-09 Thread Tejun Heo
Hey, On Wed, Dec 09, 2015 at 10:13:27PM +, Serge Hallyn wrote: > we can rename kn_root to from here if you think that's clearer (and > change the order here as well). I think it'd be better for them to be consistent and in the same order - the target and then the optional base. > > Was

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-12-09 Thread Tejun Heo
Hello, Serge. On Wed, Dec 09, 2015 at 01:28:54PM -0600, serge.hal...@ubuntu.com wrote: > +/* kernfs_node_depth - compute depth from @from to @to */ > +static size_t kernfs_depth(struct kernfs_node *from, struct kernfs_node *to) ... > +char *kernfs_path(struct kernfs_node *kn, char *buf, size_t

Re: [lxc-devel] [PATCH 6/7] cgroup: Add documentation for cgroup namespaces

2015-12-08 Thread Tejun Heo
On Mon, Dec 07, 2015 at 05:06:21PM -0600, serge.hal...@ubuntu.com wrote: > From: Aditya Kali > > Signed-off-by: Aditya Kali > Signed-off-by: Serge Hallyn > --- > Documentation/cgroups/namespace.txt | 142 >

Re: [lxc-devel] [PATCH 3/7] cgroup: introduce cgroup namespaces

2015-12-08 Thread Tejun Heo
On Mon, Dec 07, 2015 at 05:06:18PM -0600, serge.hal...@ubuntu.com wrote: > static const char *proc_ns_follow_link(struct dentry *dentry, void **cookie) > diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h > index 2b3e2314..906f240 100644 > --- a/include/linux/cgroup.h > +++

Re: [lxc-devel] [PATCH 5/7] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-08 Thread Tejun Heo
Hello, On Mon, Dec 07, 2015 at 05:06:20PM -0600, serge.hal...@ubuntu.com wrote: > fs/kernfs/mount.c | 74 > > include/linux/kernfs.h |2 ++ > kernel/cgroup.c| 39 - > 3 files changed, 114

Re: [lxc-devel] [PATCH 3/7] cgroup: introduce cgroup namespaces

2015-12-08 Thread Tejun Heo
Hello, Serge. On Tue, Dec 08, 2015 at 01:34:31PM -0600, Serge E. Hallyn wrote: > > I'd prefer collecting all ns related declarations in a single place. > > I can group some of them, but free_cgroup_ns needs the > cgroup_namespace definition, put_cgroup_ns() needs free_cgroup_ns(), > and

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-07 Thread Tejun Heo
Hello, Serge. On Thu, Dec 03, 2015 at 04:47:06PM -0600, Serge E. Hallyn wrote: ... > + dentry = dget(sb->s_root); > + if (!kn->parent) // this is the root > + return dentry; > + > + knparent = find_kn_ancestor_below(kn, NULL); > + BUG_ON(!knparent); Doing WARN_ON()

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-02 Thread Tejun Heo
On Wed, Dec 02, 2015 at 10:56:37AM -0600, Serge E. Hallyn wrote: > Can it be flushed when we know that the cgroup is being pinned by > a css_set? (There's either a task or a cgroup_namespace pinning it > or we wouldn't get here) Yeap, it can be flushed. There's no ref coming out of cgroup to

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-02 Thread Tejun Heo
On Wed, Dec 02, 2015 at 11:02:39AM -0600, Serge E. Hallyn wrote: > On Wed, Dec 02, 2015 at 11:58:39AM -0500, Tejun Heo wrote: > > On Wed, Dec 02, 2015 at 10:56:37AM -0600, Serge E. Hallyn wrote: > > > Can it be flushed when we know that the cgroup is being pinned by > >

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-02 Thread Tejun Heo
Hello, Serge. On Tue, Dec 01, 2015 at 03:58:53PM -0600, Serge E. Hallyn wrote: > I misspoke before though - it's not the hierarchy's root dentry, > but rather a dentry for a descendent cgroup which will become the > root dentry for the new superblock. We do know that there must be > a css_set

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-01 Thread Tejun Heo
Hey, Serge. On Mon, Nov 30, 2015 at 10:07:04PM -0600, Serge E. Hallyn wrote: > So actually the way the code is now, the first mount cannot > be done from a non-init user namespace; and kernfs_obtain_root() > is only called from non-init user namespace. So can we assume > that the root dentry

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-11-30 Thread Tejun Heo
Hello, On Thu, Nov 26, 2015 at 11:25:11PM -0600, Serge E. Hallyn wrote: > > > + /* Short-circuit the easy case - kn_to is the root node. */ > > > + if ((kn_from == kn_to) || (!kn_from && !kn_to->parent)) { > > > + *p = '/'; > > > + *(p + 1) = '\0'; > > > > Hmm... so if kn_from ==

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-11-30 Thread Tejun Heo
Hello, Serge. On Thu, Nov 26, 2015 at 11:17:45PM -0600, Serge E. Hallyn wrote: > > Wouldn't it be simpler to walk dentry from kernfs root than > > duplicating dentry instantiation? > > Sorry I don't think I'm following. Are you suggesting walking the > kn->parent chain backward and doing

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-11-30 Thread Tejun Heo
Hello, Serge. On Mon, Nov 30, 2015 at 12:37:58PM -0600, Serge E. Hallyn wrote: > > Yeah, I agree but the name is kinda misleading tho. The output isn't > > really a relative path but rather absolute path against the specified > > root. Maybe updating the function and parameter names would be >

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-11-25 Thread Tejun Heo
Hello, Serge. On Wed, Nov 25, 2015 at 12:01:56AM -0600, Serge E. Hallyn wrote: > that was my goal with > https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/commit/?h=cgroupns.v4&id=8eb75d2bb24df59e262f050dce567d2332adc5f3 > (which was sent inline earlier in this thread in

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-11-25 Thread Tejun Heo
On Wed, Nov 25, 2015 at 07:55:53PM +, Serge Hallyn wrote: > Quoting Tejun Heo (t...@kernel.org): > > Hello, Serge. > > > > On Wed, Nov 25, 2015 at 12:01:56AM -0600, Serge E. Hallyn wrote: > > > that was my goal with > > > https://git.kernel.org/cgit/lin

Re: [lxc-devel] [PATCH 3/8] cgroup: add function to get task's cgroup

2015-11-24 Thread Tejun Heo
Hello, On Mon, Nov 16, 2015 at 01:51:40PM -0600, se...@hallyn.com wrote: > diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h > index 22e3754..29f0b02 100644 > --- a/include/linux/cgroup.h > +++ b/include/linux/cgroup.h > @@ -326,6 +326,7 @@ static inline bool css_tryget_online(struct

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-11-24 Thread Tejun Heo
Oops, also please cc Greg Kroah-Hartman on kernfs changes. Thanks. -- tejun

Re: [lxc-devel] [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-11-24 Thread Tejun Heo
Hello, On Mon, Nov 16, 2015 at 01:51:38PM -0600, se...@hallyn.com wrote: > +static char * __must_check kernfs_path_from_node_locked( > + struct kernfs_node *kn_from, > + struct kernfs_node *kn_to, > + char *buf, > + size_t buflen) > +{ > + char *p = buf; > + struct

Re: [lxc-devel] [PATCH 4/8] cgroup: export cgroup_get() and cgroup_put()

2015-11-24 Thread Tejun Heo
Hello, On Mon, Nov 16, 2015 at 01:51:41PM -0600, se...@hallyn.com wrote: > From: Aditya Kali > > move cgroup_get() and cgroup_put() into cgroup.h so that > they can be called from other places. > > Signed-off-by: Aditya Kali > Acked-by: Serge

Re: [lxc-devel] [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-11-24 Thread Tejun Heo
Hello, On Mon, Nov 16, 2015 at 01:51:44PM -0600, se...@hallyn.com wrote: > +struct dentry *kernfs_obtain_root(struct super_block *sb, > + struct kernfs_node *kn) > +{ > + struct dentry *dentry; > + struct inode *inode; > + > + BUG_ON(sb->s_op != _sops); >

Re: [lxc-devel] [PATCH 5/8] cgroup: introduce cgroup namespaces

2015-11-24 Thread Tejun Heo
Hello, On Mon, Nov 16, 2015 at 01:51:42PM -0600, se...@hallyn.com wrote: > diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h > index 99096be..b3ce9d9 100644 > --- a/include/linux/cgroup.h > +++ b/include/linux/cgroup.h > @@ -17,6 +17,9 @@ > #include > #include > #include >

Re: [lxc-devel] [PATCH 3/8] cgroup: add function to get task's cgroup

2015-11-24 Thread Tejun Heo
On Tue, Nov 24, 2015 at 11:27:28AM -0500, Tejun Heo wrote: > > +struct cgroup *get_task_cgroup(struct task_struct *task) Umm... is this function even used? -- tejun

Re: [lxc-devel] [PATCH 8/8] cgroup: Add documentation for cgroup namespaces

2015-11-24 Thread Tejun Heo
On Mon, Nov 16, 2015 at 01:51:45PM -0600, se...@hallyn.com wrote: > From: Aditya Kali > > Signed-off-by: Aditya Kali > Signed-off-by: Serge Hallyn > --- > Documentation/cgroups/namespace.txt | 142 >

Re: [lxc-devel] CGroup Namespaces (v4)

2015-11-16 Thread Tejun Heo
Hello, Eric. On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote: > Does this allow mixing of cgroupfs and cgroupfs2? That is can I: "mount > -t cgroupfs" inside a container and "mount -t cgroupfs2" outside a > container? and still have reasonable things happen? I suspect the >