[buildd-tools-devel] Bug#637870: Bug#637870: Bug#637870: Provide more isolation than just chroot

Roger Leigh rleigh at codelibre.net
Mon Aug 15 15:23:30 UTC 2011


On Mon, Aug 15, 2011 at 04:51:48PM +0200, Vincent Bernat wrote:
> OoO Towards the end of the afternoon of Monday 15 August 2011, at around 16:49, I
> said:
> 
> >> The main problem preventing its use is the current architecture of
> >> schroot, particularly when using sessions.  When a session is created,
> >> it's created by one schroot invocation, used in a separate invocation
> >> and then deleted in yet another.  This means that we can't use
> >> CLONE_NEWNS since we want to use the namespace created in an
> >> unrelated process.  To do that we need a persistent process to
> >> "own" the namespace to which we can then attach to run commands--
> >> but this needs having a client-server protocol AFAICT, though I may
> >> be overcomplicating things.
> 
> > It seems that with recent kernels, it is possible to attach to an
> > existing namespace using the setns() syscall:
> >  http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=blob;f=src/lxc/namespace.c;h=aca29d4f87aa37c4133fe98f38c1b3296b153e66;hb=HEAD#l85
> 
> > Therefore, you still need a persistent process to own the namespace but
> > you just need to keep its PID and use it to attach to its namespaces.
> 
> It seems that keeping a process is not necessary:
>  http://lwn.net/Articles/407495/
> 
> I don't know if all this is available in mainline kernel.

Very useful information, thanks.  If we create the namespace before
running the setup scripts, then one of the setup scripts can bind
mount its namespace under e.g. /var/lib/schroot/ns
so we can access it later on with setns().

I think setns is in the mainline kernel.  The issue is in the glibc
wrappers:

/usr/include/asm-generic/unistd.h:#define __NR_setns 268
/usr/include/asm-generic/unistd.h:__SYSCALL(__NR_setns, sys_setns)
/usr/include/asm/unistd_64.h:#define __NR_setns				308
/usr/include/asm/unistd_64.h:__SYSCALL(__NR_setns, sys_setns)
/usr/include/asm/unistd_32.h:#define __NR_setns		346

So it looks like the raw system call is there, but there's no actual
"setns(2)" function prototyped for us to use.  We could use syscall(2)
directly, but I would prefer to wait until it's properly supported.
It might well be in the next glibc version though, at which point we
can look at doing this.

% ls /proc/self/ns
ipc  net  uts

There's no "mnt" namespace here, which might be an issue.  This is with
Linux 3.0.0.  Maybe it's not supported in /proc yet?


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
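The create-then-attach flow sketched above, as an added example (not schroot's own code, and written against a glibc and kernel newer than the ones in the message): a child process unshares a mount namespace, and the parent, still in the original namespace, bind-mounts /proc/<child>/ns/mnt onto a regular file under /var/lib/schroot/ns/<session>/ so the namespace outlives the child; a later invocation opens that file and joins it with setns(2) called through syscall(2), as the message considers. The session name, the file layout below /var/lib/schroot/ns and the helper names are assumptions. Creating and attaching need root, a single-threaded caller, and a kernel that exposes /proc/PID/ns/mnt, which arrived after 3.0 (in Linux 3.8), matching the missing "mnt" entry noted above.

```c
/* Added example: pin a mount namespace to a file and rejoin it later.
 * Not schroot code; paths and names below are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_setns
/* Numbers from the grep in the message, for a libc without the wrapper. */
# if defined(__x86_64__)
#  define SYS_setns 308
# elif defined(__i386__)
#  define SYS_setns 346
# endif
#endif

#define NS_DIR "/var/lib/schroot/ns"   /* directory suggested in the message */

/* Fills buf with NS_DIR/<session>/mnt; returns buf, or NULL if it does not fit. */
char *ns_pin_path(const char *session, char *buf, size_t len)
{
    int n = snprintf(buf, len, NS_DIR "/%s/mnt", session);
    return (n < 0 || (size_t)n >= len) ? NULL : buf;
}

/* setns(2) via syscall(2), so no glibc prototype is needed.  0 or -errno. */
int raw_setns(int fd, int nstype)
{
    return syscall(SYS_setns, fd, nstype) == 0 ? 0 : -errno;
}

/* A namespace file cannot be bound into a shared mount subtree (EINVAL), so
 * make NS_DIR a private mount point, then create the empty file to bind onto. */
static int prepare_pin_point(const char *session, const char *path)
{
    char dir[256];
    snprintf(dir, sizeof dir, NS_DIR "/%s", session);
    if (mkdir(NS_DIR, 0755) < 0 && errno != EEXIST) return -1;
    if (mkdir(dir, 0755) < 0 && errno != EEXIST) return -1;
    if (mount(NULL, NS_DIR, NULL, MS_PRIVATE, NULL) < 0) {
        /* Not a mount point yet: bind it onto itself, then make it private. */
        if (mount(NS_DIR, NS_DIR, NULL, MS_BIND, NULL) < 0) return -1;
        if (mount(NULL, NS_DIR, NULL, MS_PRIVATE, NULL) < 0) return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Session creation.  The child enters a new mount namespace; the parent, still
 * in the original one, bind-mounts /proc/<child>/ns/mnt onto the pin file.
 * Once bound, the namespace survives the child's exit.  Needs root.  0/-errno. */
int ns_create_and_pin(const char *session)
{
    char path[256], src[64], c;
    int ready[2], done[2], r;
    if (!ns_pin_path(session, path, sizeof path)) return -ENAMETOOLONG;
    if (prepare_pin_point(session, path) < 0) return -errno;
    if (pipe(ready) < 0 || pipe(done) < 0) return -errno;
    pid_t child = fork();
    if (child < 0) return -errno;
    if (child == 0) {
        if (unshare(CLONE_NEWNS) < 0) _exit(1);
        if (write(ready[1], "r", 1) != 1) _exit(1); /* "in the new namespace" */
        (void)!read(done[0], &c, 1);                 /* stay alive until pinned */
        _exit(0);
    }
    snprintf(src, sizeof src, "/proc/%ld/ns/mnt", (long)child);
    if (read(ready[0], &c, 1) == 1)
        r = mount(src, path, NULL, MS_BIND, NULL) == 0 ? 0 : -errno;
    else
        r = -EPERM;                                  /* unshare() was refused */
    (void)!write(done[1], "d", 1);
    waitpid(child, NULL, 0);
    close(ready[0]); close(ready[1]); close(done[0]); close(done[1]);
    return r;
}

/* Later invocation: join the pinned namespace.  Caller must be single-threaded
 * and privileged.  Returns 0 or -errno (e.g. -ENOENT if never pinned). */
int ns_attach_path(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    int r = raw_setns(fd, CLONE_NEWNS);
    close(fd);
    return r;
}

int main(int argc, char **argv)
{
    char path[256];
    if (argc != 3 || !ns_pin_path(argv[2], path, sizeof path)) {
        fprintf(stderr, "usage: %s create|attach SESSION\n", argv[0]);
        return 2;
    }
    int r = strcmp(argv[1], "create") == 0 ? ns_create_and_pin(argv[2])
                                            : ns_attach_path(path);
    if (r < 0) { fprintf(stderr, "%s: %s\n", argv[1], strerror(-r)); return 1; }
    if (strcmp(argv[1], "attach") == 0) execl("/bin/sh", "sh", (char *)0);
    return 0;
}
```

Run as root: `./nspin create sid-1` leaves /var/lib/schroot/ns/sid-1/mnt bound to the new namespace even after the process has gone, and `./nspin attach sid-1` drops you into a shell inside it, so a setup script's mounts made there are invisible to the host. The child/parent split matters: the bind mount has to be made from the original namespace, because a mount made after unshare() would only exist in the new one. To delete the session, umount the pin file and remove it; the namespace goes away with its last reference.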

