[buildd-tools-devel] Bug#637870: Bug#637870: Provide more isolation than just chroot
Vincent Bernat
bernat at debian.org
Mon Aug 15 14:51:48 UTC 2011
OoO Towards the end of the afternoon of Monday 15 August 2011, at around 16:49, I
said:
>> The main problem preventing its use is the current architecture of
>> schroot, particularly when using sessions. When a session is created,
>> it's created by one schroot invocation, used in a separate invocation
>> and then deleted in yet another. This means that we can't use
>> CLONE_NEWNS since we want to use the namespace created in an
>> unrelated process. To do that we need a persistent process to
>> "own" the namespace to which we can then attach to run commands--
>> but this needs having a client-server protocol AFAICT, though I may
>> be overcomplicating things.
> It seems that with recent kernels, it is possible to attach to an
> existing namespace using the setns() syscall:
> http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=blob;f=src/lxc/namespace.c;h=aca29d4f87aa37c4133fe98f38c1b3296b153e66;hb=HEAD#l85
> Therefore, you still need a persistent process to own the namespace but
> you just need to keep its PID and use it to attach to its namespaces.
It seems that keeping a process is not necessary:
http://lwn.net/Articles/407495/
I don't know if all this is available in the mainline kernel.
--
Vincent Bernat ☯ http://vincent.bernat.im
printk("??? No FDIV bug? Lucky you...\n");
2.2.16 /usr/src/linux/include/asm-i386/bugs.h
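The mechanism discussed above (a persistent process owns a namespace, and another process joins it later knowing only the PID), as an added example that is not part of the original thread or of schroot. It assumes Linux with /proc mounted and a glibc that exposes setns(); the helper process, pipe handshake and the names ns_id() and attach_to_helper_mount_ns() are mine. Joining a mount namespace needs CAP_SYS_ADMIN, so the function reports NOT_PERMITTED rather than failing when run unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Identity of a namespace as the kernel exposes it: the inode number of
 * /proc/<pid>/ns/<type>. Two processes are in the same namespace exactly
 * when these inodes match. Returns 0 on failure (a real inode is never 0). */
static unsigned long ns_id(pid_t pid, const char *type)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, type);
    if (stat(path, &st) != 0)
        return 0;
    return (unsigned long)st.st_ino;
}

enum attach_result { ATTACHED = 0, NOT_PERMITTED = 1, FAILED = 2 };

/* A helper child creates a fresh mount namespace with unshare() and then
 * blocks, so the namespace stays alive. The parent keeps only the child's
 * PID and later joins the namespace with setns() on /proc/<pid>/ns/mnt,
 * verifying the join by comparing namespace inodes before and after. */
static enum attach_result attach_to_helper_mount_ns(void)
{
    int ready[2], done[2];              /* child -> parent, parent -> child */
    if (pipe(ready) != 0 || pipe(done) != 0)
        return FAILED;

    pid_t helper = fork();
    if (helper < 0)
        return FAILED;

    if (helper == 0) {
        /* child: own a new mount namespace, report, then wait to be released */
        char ok = '0';
        if (unshare(CLONE_NEWNS) == 0)
            ok = '1';
        else if (errno == EPERM)
            ok = 'P';                   /* no CAP_SYS_ADMIN */
        close(ready[0]);
        close(done[1]);
        if (write(ready[1], &ok, 1) != 1)
            _exit(1);
        char c;
        if (read(done[0], &c, 1) < 0)   /* block until the parent is finished */
            _exit(1);
        _exit(0);
    }

    close(ready[1]);
    close(done[0]);
    char ok = '0';
    if (read(ready[0], &ok, 1) != 1)
        ok = '0';
    close(ready[0]);

    enum attach_result r = FAILED;
    if (ok == 'P') {
        r = NOT_PERMITTED;
    } else if (ok == '1') {
        unsigned long before = ns_id(getpid(), "mnt");
        unsigned long target = ns_id(helper, "mnt");
        char path[64];
        snprintf(path, sizeof path, "/proc/%ld/ns/mnt", (long)helper);
        int fd = open(path, O_RDONLY);
        if (fd < 0) {
            r = FAILED;
        } else if (setns(fd, CLONE_NEWNS) != 0) {
            r = (errno == EPERM) ? NOT_PERMITTED : FAILED;
        } else {
            /* joined iff our mount namespace is now the helper's, not our old one */
            unsigned long after = ns_id(getpid(), "mnt");
            r = (after == target && after != before) ? ATTACHED : FAILED;
        }
        if (fd >= 0)
            close(fd);
    }

    /* release the helper; a joined namespace survives because we are in it */
    if (write(done[1], "x", 1) != 1)
        r = FAILED;
    close(done[1]);
    waitpid(helper, NULL, 0);
    return r;
}

int main(void)
{
    static const char *names[] = { "attached", "not permitted", "failed" };
    printf("mount ns of this process: %lu\n", ns_id(getpid(), "mnt"));
    printf("attach via helper PID: %s\n", names[attach_to_helper_mount_ns()]);
    return 0;
}
```

The namespace here is only kept alive by a process being a member of it, which is the constraint the quoted message describes; the LWN article linked in the reply covers keeping a namespace referenced through its /proc/<pid>/ns file instead, so the owning process can go away.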