[buildd-tools-devel] Bug#637870: Bug#637870: Provide more isolation than just chroot
Vincent Bernat
bernat at debian.org
Mon Aug 15 14:49:05 UTC 2011
OoO In the sunny early afternoon of Monday 15 August 2011, around
15:18, Roger Leigh <rleigh at codelibre.net> said:
> The main problem preventing its use is the current architecture of
> schroot, particularly when using sessions. When a session is created,
> it's created by one schroot invocation, used in a separate invocation
> and then deleted in yet another. This means that we can't use
> CLONE_NEWNS since we want to use the namespace created in an
> unrelated process. To do that we need a persistent process to
> "own" the namespace to which we can then attach to run commands--
> but this needs having a client-server protocol AFAICT, though I may
> be overcomplicating things.
It seems that with recent kernels, it is possible to attach to an
existing namespace using the setns() syscall:
http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=blob;f=src/lxc/namespace.c;h=aca29d4f87aa37c4133fe98f38c1b3296b153e66;hb=HEAD#l85
Therefore, you still need a persistent process to own the namespace but
you just need to keep its PID and use it to attach to its namespaces.
--
Vincent Bernat ☯ http://vincent.bernat.im
Use self-identifying input. Allow defaults. Echo both on output.
- The Elements of Programming Style (Kernighan & Plauger)
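The pattern discussed in this thread (a persistent process owns the namespace, later invocations attach to it by PID via setns()), as an added illustration that is not part of the mail or of schroot/lxc code. Names (ns_path, ns_attach, the "hold" mode) are my own; it assumes Linux with procfs mounted and CAP_SYS_ADMIN for unshare/setns.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build /proc/<pid>/ns/<name> for a namespace owned by `pid`; -1/EINVAL on bad args. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    static const char *known[] = { "mnt", "net", "ipc", "uts", "pid", "user", NULL };
    int ok = 0;
    for (int i = 0; known[i]; i++)
        if (strcmp(name, known[i]) == 0) ok = 1;
    if (pid <= 0 || !ok) { errno = EINVAL; return -1; }
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Join namespace `name` of process `pid` with setns(2). Needs CAP_SYS_ADMIN. */
int ns_attach(pid_t pid, const char *name)
{
    char path[64];
    if (ns_path(pid, name, path, sizeof path) < 0) return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, 0);          /* nstype 0: accept whatever ns the fd refers to */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
/* "hold": unshare a mount namespace, print our PID and stay alive as its owner.
 * "<pid> cmd [args]": join that PID's mount namespace and exec cmd inside it. */
int main(int argc, char **argv)
{
    if (argc == 2 && strcmp(argv[1], "hold") == 0) {
        if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
        printf("%ld\n", (long)getpid()); fflush(stdout);
        for (;;) pause();           /* the persistent process that owns the namespace */
    }
    if (argc < 3) { fprintf(stderr, "usage: hold | <pid> cmd [args...]\n"); return 2; }
    if (ns_attach((pid_t)atol(argv[1]), "mnt") < 0) { perror("setns"); return 1; }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```

Mounts made by the holder after unshare() are visible only to processes that joined its namespace, and the namespace is gone once the holder exits unless /proc/<pid>/ns/mnt was bind-mounted elsewhere; setns() on a mount namespace needs Linux 3.8 or later.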