cli: Implement functions to manipulate namespaces
Unlike other runtimes, we have several components like qemu, kata-shim and
kata-proxy that should be placed in a new namespace to improve the isolation and
security. The problem is that we need persistent namespaces and, in the case of
the mount namespace (aka headache namespace ;)), it MUST be created before
starting golang execution and in a new mount point with a propagation different
from shared. Even worse, to make it persistent, the new namespace
(/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of its
existence. To get more information about this, see
github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions it is now possible to join, create, remove and make
namespaces persistent. The following diagram can help us understand how it works.

```
 ============================================================================
| Host's namespace                                    | New namespace!       |
|                                                     |                      |
| ---------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!)           |                      |
|                                                     |                      |
|  ---------   ---------------                        |                      |
| | Runtime |-|listen children|--|fork-setns-unshare|-|-------.              |
|  ---------   ---------------\                       |       |              |
|      |               |       \                      |       |              |
|    fork              |        Wait children &       |       |              |
|      |               |             exit             |       |              |
|----------------------------------------------------------------------------|
| Golang               |                              |       |              |
|      |        join,create,make,remove               |       |              |
|  ---------    persistent namespace                  |   ---------          |
| | Runtime |          |                              |  | Runtime |         |
|  ---------        --------                          |   ---------          |
|      |           |-Create |                         |       |              |
|  parse jsons     |-Start  |                         | Create,start,etc.    |
|  and cmdline     |-Delete |                         |   Containers         |
|       \          |-etc    |                         |       |              |
|        \         |--------                          |      exit            |
|         --subcmd-'                                  |                      |
|          \                                          |                      |
|           - exit                                    |                      |
 ============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
Julio Montes committed Dec 17, 2019
1 parent 3de4bdd commit b187a96
Showing 4 changed files with 1,569 additions and 0 deletions.
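The sequence the commit message describes (a host-side C process forks a helper; the helper unshares its mount namespace and switches propagation away from shared; the parent, still in the host's namespace, bind-mounts /proc/PID/ns/mnt onto a regular file so the namespace outlives the helper; a later process joins it with setns) is shown below as an added example. It is not code from this commit or from kata-containers, it needs CAP_SYS_ADMIN for the unshare and mount calls to succeed, and the target path /tmp/example-mntns is a constructed placeholder.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build the procfs path of a process's mount-namespace handle.
 * Returns 0 on success, -1 if the buffer is too small. */
int mntns_handle_path(char *buf, size_t len, pid_t pid)
{
    int n = snprintf(buf, len, "/proc/%d/ns/mnt", (int)pid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Runs in the forked helper before anything else: leave the host's mount
 * namespace and make the whole tree private, so mounts made inside it later
 * cannot propagate back to the host. */
static int child_enter_private_mntns(void)
{
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    return 0;
}

/* Runs in the parent, which still lives in the host's namespace: pin the
 * helper's namespace by bind-mounting its handle onto a regular file. The
 * kernel refuses this bind mount from inside the new namespace itself
 * (EINVAL), which is why an outside process has to do it. */
int persist_mntns(pid_t child, const char *target)
{
    char src[64];
    int fd;

    if (mntns_handle_path(src, sizeof src, child) < 0)
        return -ENAMETOOLONG;
    fd = open(target, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    if (mount(src, target, NULL, MS_BIND, NULL) < 0)
        return -errno;
    return 0;
}

/* Fork a helper, let it create a private mount namespace, pin that namespace
 * to 'target' from the host side, then reap the helper. The bind mount keeps
 * a reference, so the namespace survives the helper's exit.
 * Returns 0 or a negative errno. */
int create_persistent_mntns(const char *target)
{
    int pipefd[2], rc = -EIO;
    pid_t pid;

    if (pipe(pipefd) < 0)
        return -errno;
    pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        int crc = child_enter_private_mntns();
        close(pipefd[0]);
        if (write(pipefd[1], &crc, sizeof crc) != sizeof crc || crc)
            _exit(1);
        close(pipefd[1]);
        pause();            /* stay alive until the parent has pinned the namespace */
        _exit(0);
    }
    close(pipefd[1]);
    if (read(pipefd[0], &rc, sizeof rc) != sizeof rc)
        rc = -EIO;
    close(pipefd[0]);
    if (rc == 0)
        rc = persist_mntns(pid, target);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Join a persisted namespace; this is the step the Go side performs later,
 * and it must run while the process is still single-threaded. */
int join_mntns(const char *target)
{
    int fd = open(target, O_RDONLY | O_CLOEXEC);
    int rc = 0;
    if (fd < 0)
        return -errno;
    if (setns(fd, CLONE_NEWNS) < 0)
        rc = -errno;
    close(fd);
    return rc;
}

/* Drop the pin: lazily unmount the handle and delete the file. */
int remove_persistent_mntns(const char *target)
{
    umount2(target, MNT_DETACH);    /* harmless if nothing was mounted there */
    return unlink(target) < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/tmp/example-mntns"; /* constructed placeholder */
    int rc = create_persistent_mntns(target);
    printf("create: %s\n", rc ? strerror(-rc) : "ok");
    if (rc == 0) {
        int jrc = join_mntns(target);
        printf("join: %s\n", jrc ? strerror(-jrc) : "ok");
        remove_persistent_mntns(target);
    }
    return rc ? 1 : 0;
}
```

Run as root on a host with procfs to see both the create and the join succeed; without CAP_SYS_ADMIN the first unshare or mount fails with EPERM and the function reports it rather than leaving a half-pinned namespace behind. The split between `child_enter_private_mntns` and `persist_mntns` is the point of the diagram: the helper changes its own namespace, but only the parent, which never entered it, can make it persistent.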