mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-25 03:18:36 +00:00
Code Issues Releases Wiki Activity
criu/include/namespaces.h

111 lines
3.1 KiB
C
Raw Permalink Normal View History

crtools: Namespaces support skeleton New option -n to dump/restore namespaces. Fork the namespaces dumping task and write a helper for switching a namespace. Prepare the restorer code for restoring namespaces before root task. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
2012-01-26 15:27:00 +04:00
#ifndef __CR_NS_H__
#define __CR_NS_H__
namespaces: dump_namespaces get a struct pid as argument It uses pid for create image file and real_pid for dumping ns-s. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-06-19 15:53:00 +04:00
ns: Add c/r for /proc/$pid/ns/$ids references Based on work done by Cyrill Corcunov (many thanks for that). In this commit we implement c/r for files which have opened /proc/$pid/ns/$ids entries. The idea is rather simple one Checkpoint ========== - Check if the file name is the one of known to be ns ref - If match then write protobuf entry Restore ======= - Read all ns entries from the image - When criu tries to open one we lookup over process tree to figure out which PID should be used in path and then just open it Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-18 04:00:05 +04:00
#include "files.h"
namespaces: dump_namespaces get a struct pid as argument It uses pid for create image file and real_pid for dumping ns-s. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-06-19 15:53:00 +04:00
ns: Introduce ns descriptors These are structs that (now) tie together ns string and the CLONE_ flag. It's nice to have one (some code becomes simpler) and will help us with auto-namespaces detection. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-01-15 23:24:01 +04:00
struct ns_desc {
ns: Beautify namespaces.h I'll need to modify this header so before anything else lets beautify it - drop struct pstree_item declaration it's already in pstree.h - move struct cr_options to top - align members of struct ns_desc - move externs to top - add argument name to try_show_namespaces Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-15 00:37:44 +04:00
unsigned int cflag;
char *str;
ns: Extend ns_desc to carry the length of the ns name This will be needed for fast parsing of procfs ns references. [ xemul: Add user_ns_desc here ] Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-20 13:30:17 +04:00
size_t len;
ns: Introduce ns descriptors These are structs that (now) tie together ns string and the CLONE_ flag. It's nice to have one (some code becomes simpler) and will help us with auto-namespaces detection. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-01-15 23:24:01 +04:00
};
namespace: move struct ns_id into namespace.h It's going to be used for restoring namespaces. For example we need to enumirate the ns_ids list for restoring mount namespaces. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-03-11 19:18:00 +04:00
struct ns_id {
unsigned int kid;
unsigned int id;
pid_t pid;
struct ns_desc *nd;
struct ns_id *next;
ns: Rename "created" futex and comment what it is Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-11-07 20:25:05 +04:00
/*
* For mount namespaces on restore -- indicates that
* the namespace in question is created (all mounts
* are mounted) and other tasks may do setns on it
* and proceed.
*/
futex_t ns_created;
mount: save mount tree for each namespace We are going to support nested mount namespaces and each NS has own tree. The mount tree is used for checking that a file is reachable. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-21 18:23:32 +04:00
union {
struct {
mnt: Shorten the mntns dumping loop We currently have all mouninfo-s from all mnt namespaces collected in one big list. On dump we scan through it to find the namespaces we need to dump. This can be optimized by walking the list of namespaces instead. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Acked-by: Andrew Vagin <avagin@parallels.com>
2014-09-22 16:26:00 +04:00
struct mount_info *mntinfo_list;
mount: save mount tree for each namespace We are going to support nested mount namespaces and each NS has own tree. The mount tree is used for checking that a file is reachable. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-21 18:23:32 +04:00
struct mount_info *mntinfo_tree;
} mnt;
net: Pre-create nl diag sk The setns() syscall (called by switch_ns()) can be extremely slow. If we call it two or more times from the same task the kernel will synchonously go on a very slow routine called synchronize_rcu() trying to put a reference on old namespaces. To avoid doing this more than once I propose to create all per-ns sockets in one place with one setns call. In this patch there's on nl diag socket used to collect other sockets is created this way. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-09-29 22:04:25 +04:00
struct {
int nlsk; /* for sockets collection */
int seqsk; /* to talk to parasite daemons */
} net;
mount: save mount tree for each namespace We are going to support nested mount namespaces and each NS has own tree. The mount tree is used for checking that a file is reachable. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-21 18:23:32 +04:00
};
namespace: move struct ns_id into namespace.h It's going to be used for restoring namespaces. For example we need to enumirate the ns_ids list for restoring mount namespaces. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-03-11 19:18:00 +04:00
};
extern struct ns_id *ns_ids;
ns: Extend ns_desc to carry the length of the ns name This will be needed for fast parsing of procfs ns references. [ xemul: Add user_ns_desc here ] Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-20 13:30:17 +04:00
#define NS_DESC_ENTRY(_cflag, _str) \
{ \
.cflag = _cflag, \
.str = _str, \
.len = sizeof(_str) - 1, \
}
ns: Add c/r for /proc/$pid/ns/$ids references Based on work done by Cyrill Corcunov (many thanks for that). In this commit we implement c/r for files which have opened /proc/$pid/ns/$ids entries. The idea is rather simple one Checkpoint ========== - Check if the file name is the one of known to be ns ref - If match then write protobuf entry Restore ======= - Read all ns entries from the image - When criu tries to open one we lookup over process tree to figure out which PID should be used in path and then just open it Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-18 04:00:05 +04:00
extern bool check_ns_proc(struct fd_link *link);
ns: Beautify namespaces.h I'll need to modify this header so before anything else lets beautify it - drop struct pstree_item declaration it's already in pstree.h - move struct cr_options to top - align members of struct ns_desc - move externs to top - add argument name to try_show_namespaces Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-15 00:37:44 +04:00
extern struct ns_desc pid_ns_desc;
ns: Extend ns_desc to carry the length of the ns name This will be needed for fast parsing of procfs ns references. [ xemul: Add user_ns_desc here ] Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-20 13:30:17 +04:00
extern struct ns_desc user_ns_desc;
criu: rename current_ns_mask to root_ns_mask (v2) Now we supports sub-mntns, so root_ns_mask sounds more correct than current_ns_mask. v2: typo fix Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-21 18:23:22 +04:00
extern unsigned long root_ns_mask;
ns: Beautify namespaces.h I'll need to modify this header so before anything else lets beautify it - drop struct pstree_item declaration it's already in pstree.h - move struct cr_options to top - align members of struct ns_desc - move externs to top - add argument name to try_show_namespaces Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-15 00:37:44 +04:00
files: Compact the code by removing per-file dump helpers Since *all* of them just call do_dump_gen_file with proper ops, just call one directly. Compacts the code. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-06-14 00:11:08 +04:00
extern const struct fdtype_ops nsfile_dump_ops;
collect: Shorten common images collecting code Now we have a set of cinfo-s, it's possible to collect all this stuff in a plan for-loop. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-08-21 03:52:18 +04:00
extern struct collect_image_info nsfile_cinfo;
ns: Add c/r for /proc/$pid/ns/$ids references Based on work done by Cyrill Corcunov (many thanks for that). In this commit we implement c/r for files which have opened /proc/$pid/ns/$ids entries. The idea is rather simple one Checkpoint ========== - Check if the file name is the one of known to be ns ref - If match then write protobuf entry Restore ======= - Read all ns entries from the image - When criu tries to open one we lookup over process tree to figure out which PID should be used in path and then just open it Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-18 04:00:05 +04:00
revert 246367e4e483 "add walk_all flag to walk_namespaces" We no longer need to populate ext_ns->mnt.mntinfo_list until resolve_external_mounts(). We can rely on find_ext_ns_id() which does collect_mntinfo() on demand. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Tested-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2015-04-14 18:54:08 +02:00
extern int walk_namespaces(struct ns_desc *nd, int (*cb)(struct ns_id *, void *), void *oarg);
predump: Collect mnt and net namespaces properly On pre-dump we collect only two namespaces -- the mnt one for criu and mnt one again for root task. This is not correct. We need all mount namespaces to make the irmap generation work properly and we need all net namespaces to have parasite sockets created. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-10-01 16:15:00 +04:00
extern int collect_namespaces(bool for_dump);
mnt: Don't validate mounts on pre-dump This is for two reasons. First, validation can meet external mount and will call plugins, which is not correct on pre-dump and actually crashes on uninitilized plugins lists. Second, even if on pre-dump mount tree is not "supported" this can be a temporary situation (yes, yes, unlikely, but still). On the other hand, it's better to fail earlier, but that's another story. Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Acked-by: Andrew Vagin <avagin@parallels.com>
2014-10-29 11:09:00 +04:00
extern int collect_mnt_namespaces(bool for_dump);
namespaces: dump mount namespaces before tasks (v2) because we want to check, that all files are reachable. For that we need to collect all mounts from all namespaces. v2: dump mntns separately Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-21 18:23:24 +04:00
extern int dump_mnt_namespaces(void);
headers: Add extern specificator to functions We really have a mess of extern/non-extern declaration of functions in our headers. Always use extern for unification purpose. Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-11-15 14:04:48 +04:00
extern int dump_namespaces(struct pstree_item *item, unsigned int ns_flags);
extern int prepare_namespace(struct pstree_item *item, unsigned long clone_flags);
extern int try_show_namespaces(int pid);
ns: Beautify namespaces.h I'll need to modify this header so before anything else lets beautify it - drop struct pstree_item declaration it's already in pstree.h - move struct cr_options to top - align members of struct ns_desc - move externs to top - add argument name to try_show_namespaces Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-05-15 00:37:44 +04:00
headers: Add extern specificator to functions We really have a mess of extern/non-extern declaration of functions in our headers. Always use extern for unification purpose. Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-11-15 14:04:48 +04:00
extern int switch_ns(int pid, struct ns_desc *nd, int *rst);
extern int restore_ns(int rst, struct ns_desc *nd);
headers: Unify include guards (in comments) and a few fixes - fix names in comments - add empty lines where needed - fix rbtree.h - fix syscall-types.h Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-12-25 22:40:24 +04:00
headers: Add extern specificator to functions We really have a mess of extern/non-extern declaration of functions in our headers. Always use extern for unification purpose. Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2013-11-15 14:04:48 +04:00
extern int dump_task_ns_ids(struct pstree_item *);
predump: Collect mnt and net namespaces properly On pre-dump we collect only two namespaces -- the mnt one for criu and mnt one again for root task. This is not correct. We need all mount namespaces to make the irmap generation work properly and we need all net namespaces to have parasite sockets created. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-10-01 16:15:00 +04:00
extern int predump_task_ns_ids(struct pstree_item *);
mnt: Factor out mntns nsid creation on restore Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-23 13:22:12 +04:00
extern struct ns_id *rst_new_ns_id(unsigned int id, pid_t pid, struct ns_desc *nd);
restore: add mount id-s in the ns_ids list (v4) Currently ns_ids list is filled only on dump. Soon we'll need this list for mount namespaces on restore, e.g. to know which tasks share the namespaces. v2: merge the patch "namespace: add a function to search an ns_id item by id" into this one. v3: add prefix rst_ to add_ns_id v4: look up namespace by two values -- type AND ID Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-04-21 18:23:14 +04:00
extern int rst_add_ns_id(unsigned int id, pid_t pid, struct ns_desc *nd);
extern struct ns_id *lookup_ns_by_id(unsigned int id, struct ns_desc *nd);
dump: dump user namespaces (v2) For that we need to save per-namespace mappings of user and group IDs. And all id-s for tasks and files are saved from the target user namespace. v2: move code into collect_namespaces() Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-11-07 13:56:34 +03:00
extern int collect_user_namespaces(bool for_dump);
extern int prepare_userns(struct pstree_item *item);
usernsd: The way to restore priviledged stuff in userns We have collected a good set of calls that cannot be done inside user namespaces, but we need to [1]. Some of them has already being addressed, like prctl mm bits restore, but some are not. I'm pretty sceptical about the ability to relax the security checks on quite a lot of them (e.g. open-by-handle is indeed a very dangerous operation if allowed to unpriviledged user), so we need some way to call those things even in user namespaces. The good news about it its that all the calls I've found operate on file descriptors this way or another. So if we had a process, that lived outside of user namespace, we could ask one to do the high priority operation we need and exchange the affected file descriptor via unix socket. So the usernsd is the one doing exactly this. It starts before we create the user namespace and accepts requests via unix socket. Clients (the processes we restore) send him the functions they want to call, the descriptor they want to operate on and the arguments blob. Optionally, they can request some file descriptor back after the call. In non usernamespace case the daemon is not started and the calls are done right in the requestor's process environment. In the next patch there's an example of how to use this daemon to do the priviledged SO_SNDBUFFORCE/_RCVBUFFORCE sockopt on a socket. [1] http://criu.org/UserNamespace Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Acked-by: Andrew Vagin <avagin@openvz.org>
2015-02-13 16:05:24 +04:00
extern int start_usernsd(void);
extern int stop_usernsd(void);
userns: save uid-s from a target userns (v2) We are going to support user namespaces and uid-s will be converted accoding with userns mappings. v2: conver id-s for sockets too Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-10-31 12:14:27 +03:00
extern int userns_uid(int uid);
extern int userns_gid(int gid);
dump: dump user namespaces (v2) For that we need to save per-namespace mappings of user and group IDs. And all id-s for tasks and files are saved from the target user namespace. v2: move code into collect_namespaces() Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-11-07 13:56:34 +03:00
extern int dump_user_ns(pid_t pid, int ns_id);
extern void free_userns_maps(void);
userns: save uid-s from a target userns (v2) We are going to support user namespaces and uid-s will be converted accoding with userns mappings. v2: conver id-s for sockets too Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2014-10-31 12:14:27 +03:00
usernsd: The way to restore priviledged stuff in userns We have collected a good set of calls that cannot be done inside user namespaces, but we need to [1]. Some of them has already being addressed, like prctl mm bits restore, but some are not. I'm pretty sceptical about the ability to relax the security checks on quite a lot of them (e.g. open-by-handle is indeed a very dangerous operation if allowed to unpriviledged user), so we need some way to call those things even in user namespaces. The good news about it its that all the calls I've found operate on file descriptors this way or another. So if we had a process, that lived outside of user namespace, we could ask one to do the high priority operation we need and exchange the affected file descriptor via unix socket. So the usernsd is the one doing exactly this. It starts before we create the user namespace and accepts requests via unix socket. Clients (the processes we restore) send him the functions they want to call, the descriptor they want to operate on and the arguments blob. Optionally, they can request some file descriptor back after the call. In non usernamespace case the daemon is not started and the calls are done right in the requestor's process environment. In the next patch there's an example of how to use this daemon to do the priviledged SO_SNDBUFFORCE/_RCVBUFFORCE sockopt on a socket. [1] http://criu.org/UserNamespace Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Acked-by: Andrew Vagin <avagin@openvz.org>
2015-02-13 16:05:24 +04:00
typedef int (*uns_call_t)(void *arg, int fd);
/*
* Async call -- The call is guaranteed to be done till the
* CR_STATE_COMPLETE happens. The function may return even
* before the call starts.
* W/o flag the call is synchronous -- this function returns
* strictly after the call finishes.
*/
#define UNS_ASYNC 0x1
/*
* The call returns an FD which should be sent back. Conflicts
* with UNS_ASYNC.
*/
#define UNS_FDOUT 0x2
/*
* When we're restoring inside user namespace, some things are
* not allowed to be done there due to insufficient capabilities.
* If the operation in question can be offloaded to another process,
* this call allows to do that.
*
* In case we're not in userns, just call the callback immediatelly
* in the context of calling task.
*/
int userns_call(uns_call_t call, int flags,
void *arg, size_t arg_size, int fd);
headers: Unify include guards (in comments) and a few fixes - fix names in comments - add empty lines where needed - fix rbtree.h - fix syscall-types.h Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2012-12-25 22:40:24 +04:00
#endif /* __CR_NS_H__ */
Reference in New Issue Copy Permalink