From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Wed 08 Oct 2003 - 12:40:07 BST
herbert_at_13thfloor.at (Herbert Poetzl) writes:
>> > > Using this new system call, chmod 000 is not needed anymore
>> > > and we can support vservers inside vservers.
>> > why don't you use a private namespace?
>>
>> How does it work?
>
> you should join a discussion with Enrico and me on IRC
> .. basically it is based on CLONE_NEWNS() and relatives ...
IMO, it is not doable with current technology:
* CLONE_NEWNS has strange behavior[1]; this will probably be fixed[2]
  in 2.4.23
* CLONE_NEWNS + pivot_root require CAP_SYS_ADMIN (which is not
  acceptable for vservers); using a new capability for CLONE_NEWNS
  seems to be possible, but pivot_root(2) needs additional logic.
  Otherwise, when executed in the root namespace, pivot_root(2) can
  do really bad things to your system.
* joining foreign namespaces (e.g. for 'vserver ... enter') is not
  implemented in the current kernel; I saw patches but AFAIS they
  are missing important logic (e.g. no capability check). This
  functionality will also need hierarchical contexts (e.g. a parent
  vserver can enter the namespace of child vservers, but not those
  of siblings or parents).
Enrico
Footnotes:
[1] http://www.tu-chemnitz.de/~ensc/nst.c
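As an added illustration of the hierarchical-context rule mentioned above (parent may enter child namespaces, never those of siblings or ancestors), here is a small policy check; it is not code from the thread or from the vserver project, and `struct ctx`, `may_enter` and the sample tree are all hypothetical/constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical context record (not vserver's real data structure):
 * each context knows only its parent; the root context has none. */
struct ctx {
    int id;
    const struct ctx *parent;
};

/* Returns 1 when 'target' is a strict descendant of 'self', i.e. when a
 * parent vserver asks to enter one of its own (grand)children. Siblings,
 * ancestors, unrelated contexts and 'self' itself yield 0. The walk goes
 * up target's parent chain and is bounded by max_depth so a corrupted
 * (cyclic) chain cannot loop forever. */
int may_enter(const struct ctx *self, const struct ctx *target)
{
    const int max_depth = 64;
    if (self == NULL || target == NULL || self == target)
        return 0;            /* entering oneself is a no-op, not an "enter" */
    const struct ctx *p = target->parent;
    for (int depth = 0; p != NULL && depth < max_depth; depth++) {
        if (p == self)
            return 1;        /* self is an ancestor of target */
        p = p->parent;
    }
    return 0;                /* target is not below self */
}

/* Constructed sample tree: root -> { a -> a1, b } */
static const struct ctx root = { 0, NULL };
static const struct ctx a    = { 1, &root };
static const struct ctx b    = { 2, &root };
static const struct ctx a1   = { 3, &a };

int main(void)
{
    printf("a -> a1:    %d (allowed, child)\n",      may_enter(&a, &a1));
    printf("a1 -> a:    %d (denied, parent)\n",      may_enter(&a1, &a));
    printf("a -> b:     %d (denied, sibling)\n",     may_enter(&a, &b));
    printf("root -> a1: %d (allowed, grandchild)\n", may_enter(&root, &a1));
    return 0;
}
```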