This repository has been archived by the owner on May 12, 2021. It is now read-only.
Enable mount namespace #160
Labels: enhancement (Improvement to an existing feature), needs-help (Request for extra help (technical, resource, etc))
Comments
devimc pushed a commit to devimc/kata-runtime that referenced this issue on Oct 19, 2018:

Place all kata components in a new namespace to improve the isolation. By default, when the runtime is started, a new child is spawned in a new namespace; if the command is create sandbox then the supported namespaces are made persistent, otherwise the child finishes and a new child is spawned in the persistent namespace.

fixes kata-containers#160

Signed-off-by: Julio Montes <julio.montes@intel.com>
devimc pushed a commit to devimc/kata-runtime that referenced this issue on Oct 19, 2018 (re-pushed on Oct 22, 23, 24 and 25, 2018 with the same message):

Place all kata components in a new mount namespace to improve the isolation. By default, when the runtime is started, a new child is spawned in a new mount namespace; if the command is create sandbox then the mount namespace is made persistent, otherwise the child finishes and a new child is spawned in the persistent namespace.

fixes kata-containers#160

Signed-off-by: Julio Montes <julio.montes@intel.com>
devimc pushed a commit to devimc/kata-runtime that referenced this issue on Oct 25, 2018 (re-pushed on Oct 25 and 28, Nov 26 and 27, 2018 with the same message):

Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in a new namespace to improve the isolation and security. The problem is that we need persistent namespaces, and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared; even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions it is now possible to join, create, remove and make persistent namespaces. The next diagram can help us to understand how it works.

```
===============================================================================
|             Host's namespace              |         New namespace!          |
|                                           |                                 |
|-----------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!) |                                 |
|                                           |                                 |
|  ---------   ---------------              |                                 |
| | Runtime |-|listen children|--|fork-setns-unshare|-|------------------.    |
|  ---------   ---------------\             |         |                  |    |
|      |                       \            |         |                  |    |
|     fork               Wait children &    |         |                  |    |
|      |                       exit         |         |                  |    |
|-----------------------------------------------------------------------------|
| Golang                                    |         |                  |    |
|      |                                    | join,create,make,remove    |    |
|  ---------      persistent namespace      |     ---------              |    |
| | Runtime |                               |    | Runtime |             |    |
|  ---------      --------                  |     ---------              |    |
|      |         |-Create |                 |         |                  |    |
| parse jsons    |-Start  |                 |   Create,start,etc.        |    |
| and cmdline    |-Delete |                 |      Containers            |    |
|      \         |-etc    |                 |         |                  |    |
|       \        |--------                  |        exit                |    |
|        --subcmd-'                         |                            |    |
|         \                                 |                            |    |
|          - exit                           |                            |    |
===============================================================================
```

fixes kata-containers#160

Signed-off-by: Julio Montes <julio.montes@intel.com>
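The flow the two commit messages above describe (spawn a child in a fresh mount namespace, make that namespace persistent from the outside, have a later process join it) as an added example. This is not kata-runtime's code and not the util-linux implementation the message cites; it is plain C so that no runtime is executing before the namespace exists, and the parent, which never enters the new namespace, is the process that bind-mounts /proc/<child>/ns/mnt. The holder path /run/kata-demo and the mountinfo excerpt are constructed for the example. main() needs root (CAP_SYS_ADMIN) on Linux; the two mountinfo helpers, which implement the "is this mount point shared?" check a practitioner wants before binding the namespace there, run anywhere.

```c
/* Added example, not kata-runtime or util-linux code: a persistent mount
 * namespace created the way the commit message describes. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
int unshare(int flags); int setns(int fd, int nstype); /* glibc: _GNU_SOURCE only */

/* k-th (1-based) space-separated field of one line and its length; NULL if absent. */
static const char *field_at(const char *line, int k, size_t *len)
{
    const char *p = line;
    for (int i = 1; ; i++) {
        p += strspn(p, " \t");
        *len = strcspn(p, " \t\n");
        if (*len == 0) return NULL;
        if (i == k) return p;
        p += *len;
    }
}

/* One /proc/self/mountinfo line: 1 if tagged "shared:N", 0 if private/slave/
 * unbindable, -1 if malformed. Optional tags start at field 7 and end at "-". */
int mountinfo_is_shared(const char *line)
{
    size_t n;
    int shared = 0;
    for (int k = 7; ; k++) {
        const char *t = field_at(line, k, &n);
        if (!t) return -1;                                  /* no "-" separator */
        if (n == 1 && *t == '-') return shared;
        if (n >= 7 && strncmp(t, "shared:", 7) == 0) shared = 1;
    }
}

/* Propagation of the mount at `mnt` (field 5): 1 shared, 0 not shared, -1 absent. */
int mountpoint_propagation(const char *mountinfo, const char *mnt)
{
    for (const char *line = mountinfo; *line; ) {
        size_t n; const char *t = field_at(line, 5, &n);
        if (t && n == strlen(mnt) && strncmp(t, mnt, n) == 0)
            return mountinfo_is_shared(line);
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Constructed mountinfo excerpt, not captured from a real host. */
const char SAMPLE_MOUNTINFO[] =
    "24 1 0:22 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "36 24 0:45 / /run rw,nosuid shared:5 - tmpfs tmpfs rw,mode=755\n"
    "90 36 0:45 /kata-demo /run/kata-demo rw,nosuid - tmpfs tmpfs rw,mode=755\n";

/* Bind a new mount namespace to `path`, an empty file on a mount that is NOT
 * shared. The child only unshares; the parent, still in the host namespace and
 * never joining the new one, bind-mounts /proc/<child>/ns/mnt, as the util-linux
 * fix cited above requires. Needs CAP_SYS_ADMIN. Returns 0 on success. */
int make_persistent_mntns(const char *path)
{
    int to_parent[2], to_child[2], rc = -1;
    char c = 0, src[64];
    if (pipe(to_parent) < 0 || pipe(to_child) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(to_parent[0]); close(to_child[1]);
        /* new namespace; make all mounts private so host peers stop propagating in */
        if (unshare(CLONE_NEWNS) < 0 ||
            mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) _exit(1);
        if (write(to_parent[1], &c, 1) != 1) _exit(1);      /* "namespace exists" */
        (void)read(to_child[0], &c, 1);                     /* block until it is bound */
        _exit(0);
    }
    close(to_parent[1]); close(to_child[0]);
    if (read(to_parent[0], &c, 1) == 1) {
        snprintf(src, sizeof src, "/proc/%d/ns/mnt", (int)pid);
        rc = mount(src, path, NULL, MS_BIND, NULL);         /* done from the host ns */
    }
    close(to_child[1]); close(to_parent[0]);                /* release the child */
    waitpid(pid, NULL, 0);
    return rc;
}

/* Stand-alone demo, root only; /run/kata-demo is an assumed path. */
int main(void)
{
    static char info[1 << 16];
    const char *dir = "/run/kata-demo", *file = "/run/kata-demo/mnt";
    mkdir(dir, 0700);
    /* give the holder file its own private mount, whatever /run's propagation is */
    if (mount(dir, dir, NULL, MS_BIND, NULL) < 0 ||
        mount(NULL, dir, NULL, MS_PRIVATE, NULL) < 0) { perror("mount"); return 1; }
    close(open(file, O_CREAT | O_RDONLY, 0600));
    FILE *f = fopen("/proc/self/mountinfo", "r");
    info[f ? fread(info, 1, sizeof info - 1, f) : 0] = '\0'; if (f) fclose(f);
    if (mountpoint_propagation(info, dir) != 0) { fprintf(stderr, "%s is shared\n", dir); return 1; }
    if (make_persistent_mntns(file) < 0) { perror("make_persistent_mntns"); return 1; }
    /* a later process joins through the file; nsenter --mount=FILE does the same */
    int fd = open(file, O_RDONLY | O_CLOEXEC);
    return (fd >= 0 && setns(fd, CLONE_NEWNS) == 0) ? 0 : 1;
}
```

Once main() has run, `nsenter --mount=/run/kata-demo/mnt` from another shell lands in the same namespace, and `umount /run/kata-demo/mnt` is what finally destroys it once no process is inside. The propagation check matters because of the problem the message calls out: if the holder file sat on a shared mount, the bind mount of the namespace would be propagated into the new namespace itself. util-linux's `unshare --mount=FILE` performs the same parent-side bind mount in one command.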
devimc pushed a commit to devimc/kata-runtime that referenced this issue on Nov 27, 2018 (re-pushed on Dec 17, 2019 with the same message):

Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in a new namespace to improve the isolation and security. The problem is that we need persistent namespaces, and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared; even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions it is now possible to join, create, remove and make persistent namespaces. The next diagram can help us to understand how it works.

```
===============================================================================
|             Host's namespace              |         New namespace!          |
|                                           |                                 |
|-----------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!) |                                 |
|                                           |                                 |
|  ---------   ---------------              |                                 |
| | Runtime |-|listen children|--|fork-setns-unshare|-|------------------.    |
|  ---------   ---------------\             |         |                  |    |
|      |                       \            |         |                  |    |
|     fork               Wait children &    |         |                  |    |
|      |                       exit         |         |                  |    |
|-----------------------------------------------------------------------------|
| Golang                                    |         |                  |    |
|      |                                    | join,create,make,remove    |    |
|  ---------      persistent namespace      |     ---------              |    |
| | Runtime |                               |    | Runtime |             |    |
|  ---------      --------                  |     ---------              |    |
|      |         |-Create |                 |         |                  |    |
| parse jsons    |-Start  |                 |   Create,start,etc.        |    |
| and cmdline    |-Delete |                 |      Containers            |    |
|      \         |-etc    |                 |         |                  |    |
|       \        |--------                  |        exit                |    |
|        --subcmd-'                         |                            |    |
|         \                                 |                            |    |
|          - exit                           |                            |    |
===============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
zklei pushed a commit to zklei/runtime that referenced this issue on Jun 13, 2019:

Enable a full stacktrace display on internal error as an aid to debugging.

Fixes kata-containers#160.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
devimc
pushed a commit
to devimc/kata-runtime
that referenced
this issue
Dec 17, 2019
Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in new namespace to improve the isolation and security. The problem is that we need persistent namespaces and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared, even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1 With these new functions now is possible to join, create, remove and make persistent namespaces. Next diagram can help us to understand how it works. ``` ============================================================================ | Host's namespace | New namespace! | | | | | ---------------------------------------------------------------------------| | C (no threads, no goroutines, NO GOLANG!) | | | | | | --------- --------------- | | | | Runtime |-|listen children|--|fork-setns-unshare|-|-------. | | --------- ---------------\ | | | | | | \ | | | | fork | Wait children & | | | | | | exit | | | |----------------------------------------------------------------------------| | Golang | | | | | | join,create,make,remove | | | | --------- persistent namespace | --------- | | | Runtime | | | | Runtime | | | --------- -------- | --------- | | | |-Create | | | | | parse jsons |-Start | | Create,start,etc. | | and cmdline |-Delete | | Containers | | \ |-etc | | | | | \ |-------- | exit | | --subcmd-' | | | \ | | | - exit | | ============================================================================ ``` fixes kata-containers#160 Depends-on: github.com/kata-containers/tests#946 Signed-off-by: Julio Montes <julio.montes@intel.com>
@jodh-intel @devimc this issue is stale and going through the past discussions it appears to be a big change with no easy solution. Should we close this issue to keep the backlog numbers saner?
@bpradipt thanks, I agree, I'll close it
From @amshinde on May 6, 2017 1:47
A new mount namespace needs to be created before performing mounts
Copied from original issue: containers/virtcontainers#236