[libvirt] How does virsh lxc-enter-namespace work? Does it?

Richard Weinberger richard at nod.at
Fri Jun 7 18:48:38 UTC 2013


Am 07.06.2013 17:34, schrieb Daniel P. Berrange:
> On Thu, Jun 06, 2013 at 09:13:27AM +0100, Daniel P. Berrange wrote:
>> On Thu, Jun 06, 2013 at 10:07:26AM +0200, Richard Weinberger wrote:
>>> I'm sure in my case setns() fails because the calling thread did not open() the ns files itself.
>>
>> Do you have user namespaces enabled by chance?
>>
>>> What is the plan to make lxc-enter-namespace work?
>>> Privilege separation is nice but as of now the kernel interface (setns()) seems not to allow this.
>>> Are you forcing the kernel guys to change the interface?
>>
>> It has long worked fine on Fedora, though we do not have user namespaces
>> enabled since parts of the kernel are yet to be ported to that (XFS in
>> particular). My best guess is that user namespaces may have caused a
>> regression in this ability to call setns() from a separate process.
>
> The problem is actually that you're not allowed to call setns(fd) for a
> fd which refers to your current namespace. The fd must refer to a different
> namespace. Of course the code is opening the '/proc/$PID/ns/user' file
> even though libvirt doesn't give the container a new user namespace. The
> simplest fix is to just ignore EINVAL from setns(), since we can't easily
> figure out if the calling apps' namespace matches the namespace of the
> container.

Thanks a ton for figuring that out!

Thanks,
//richard
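The failure mode Daniel describes above, setns() returning EINVAL because the fd refers to the caller's own user namespace, can be checked for before calling setns() instead of being ignored afterwards. The following is an added example, not libvirt code and not part of the thread: it compares the stat() identity (st_dev, st_ino) of /proc/self/ns/<name> with /proc/<pid>/ns/<name>, which is the same namespace exactly when both match (namespaces(7)), and only calls setns() when the two differ. The function names ns_path, same_namespace and enter_namespace are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "/proc/<pid>/ns/<name>" into buf. Returns 0, or -ENAMETOOLONG. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    if (n < 0 || (size_t)n >= len)
        return -ENAMETOOLONG;
    return 0;
}

/* Is the caller already in pid's <name> namespace?  Two /proc/.../ns/<name>
 * links refer to the same namespace iff stat() reports the same st_dev and
 * st_ino for both.  Returns 1 (same), 0 (different) or -errno. */
int same_namespace(pid_t pid, const char *name)
{
    char mine[64], theirs[64];
    struct stat sm, st;
    int rc;

    if ((rc = ns_path(getpid(), name, mine, sizeof mine)) < 0)
        return rc;
    if ((rc = ns_path(pid, name, theirs, sizeof theirs)) < 0)
        return rc;
    if (stat(mine, &sm) < 0 || stat(theirs, &st) < 0)
        return -errno;
    return (sm.st_dev == st.st_dev && sm.st_ino == st.st_ino) ? 1 : 0;
}

/* Join pid's <name> namespace.  If we are already in it, do nothing: this
 * skips the setns() call that the kernel rejects with EINVAL when the fd
 * names the caller's current user namespace.  Returns 0 or -errno. */
int enter_namespace(pid_t pid, const char *name)
{
    char path[64];
    int rc, fd;

    rc = same_namespace(pid, name);
    if (rc < 0)
        return rc;
    if (rc == 1)
        return 0;                 /* nothing to do, and no EINVAL to ignore */

    if ((rc = ns_path(pid, name, path, sizeof path)) < 0)
        return rc;
    if ((fd = open(path, O_RDONLY | O_CLOEXEC)) < 0)
        return -errno;
    rc = setns(fd, 0);            /* nstype 0: accept whatever kind the fd is */
    rc = rc < 0 ? -errno : 0;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* Usage: ./enter_ns <pid> <nsname>; joining a foreign namespace needs
     * CAP_SYS_ADMIN, so run as root to see a real switch. */
    if (argc != 3) {
        fprintf(stderr, "usage: %s <pid> <nsname>\n", argv[0]);
        return 2;
    }
    int rc = enter_namespace((pid_t)atol(argv[1]), argv[2]);
    if (rc < 0) {
        fprintf(stderr, "enter %s of %s: %s\n", argv[2], argv[1], strerror(-rc));
        return 1;
    }
    printf("now in %s namespace of pid %s\n", argv[2], argv[1]);
    return 0;
}
```

The reason for checking first rather than discarding EINVAL: setns(2) also reports EINVAL when the fd is not a namespace fd, when the nstype does not match the fd, and when a multithreaded process tries to join a user namespace, so a blanket "ignore EINVAL" would hide those failures and leave the caller believing it had entered the container's namespace when it had not.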