Re: How much of a mess does OpenVZ make? ;) Was: What can OpenVZdo?

From: Serge E. Hallyn
Date: Sun Mar 01 2009 - 17:21:52 EST

Next message: Rafael J. Wysocki: "[RFC][PATCH 3/4] PM: Change hibernation code ordering"
Previous message: David Brownell: "Re: lockdep and threaded IRQs (was: ...)"
In reply to: Alexey Dobriyan: "Re: How much of a mess does OpenVZ make? ;) Was: What can OpenVZdo?"
Next in thread: Cedric Le Goater: "Re: How much of a mess does OpenVZ make? ;) Was: What can OpenVZdo?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Alexey Dobriyan (adobriyan@xxxxxxxxx):
> On Sun, Mar 01, 2009 at 02:02:31PM -0600, Serge E. Hallyn wrote:
> > Quoting Alexey Dobriyan (adobriyan@xxxxxxxxx):
> > > On Fri, Feb 27, 2009 at 01:31:12AM +0300, Alexey Dobriyan wrote:
> > > > This is collecting and start of dumping part of cleaned up OpenVZ C/R
> > > > implementation, FYI.
> > >
> > > OK, here is second version which shows what to do with shared objects
> > > (cr_dump_nsproxy(), cr_dump_task_struct()), introduced more checks
> > > (still no unlinked files) and dumps some more information including
> > > structures connections (cr_pos_*)
> > >
> > > Dumping pids in under thinking because in OpenVZ pids are saved as
> > > numbers due to CLONE_NEWPID is not allowed in container. In presense
> > > of multiple CLONE_NEWPID levels this must present a big problem. Looks
> > > like there is now way to not dump pids as separate object.
> > >
> > > As result, struct cr_image_pid is variable-sized, don't know how this will
> > > play later.
> > >
> > > Also, pid refcount check for external pointers is busted right now,
> > > because /proc inode pins struct pid, so there is almost always refcount
> > > vs ->o_count mismatch.
> > >
> > > No restore yet. ;-)
> >
> > Hi Alexey,
> >
> > thanks for posting this. Of course there are some predictable responses
> > (I like the simplicity of pure in-kernel, Dave will not :) but this
> > needs to be posted to make us talk about it.
> >
> > A few more comments that came to me while looking it over:
> >
> > 1. cap_sys_admin check is unfortunate. In discussions about Oren's
> > patchset we've agreed that not having that check from the outset forces
> > us to consider security with each new patch and feature, which is a good
> > thing.
>
> Removing CAP_SYS_ADMIN on restore?

And checkpoint.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rafael J. Wysocki: "[RFC][PATCH 3/4] PM: Change hibernation code ordering"
Previous message: David Brownell: "Re: lockdep and threaded IRQs (was: ...)"
In reply to: Alexey Dobriyan: "Re: How much of a mess does OpenVZ make? ;) Was: What can OpenVZdo?"
Next in thread: Cedric Le Goater: "Re: How much of a mess does OpenVZ make? ;) Was: What can OpenVZdo?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]