NAK: user namespace delta for raring?
Serge Hallyn
serge.hallyn at canonical.com
Fri Jan 18 15:10:31 UTC 2013
Quoting Eric W. Biederman (ebiederm at xmission.com):
> A big chunk of my devpts patches are to resolve the newinstance
> /dev/ptmx mess. I forget all of the details of why that is a problem.
> How to sort out that mess is a problem, substantial and maybe a little
> controversial.
>
> The basics of allowing devpts to be mounted with user namespace
> permissions should be a trivial few additional lines of code.
There certainly are weirdnesses - in particular that 'mount -t devpts'
without newinstance, even after mounting a newinstance, will get you
the init devpts instance back. And that the /dev/ptmx device, if not
bind-mounted from /dev/pts, gets you the host instance. But we work
around the former by refusing devpts mounts in the container altogether
using apparmor (not ideal, but works), and the latter, of course by
bind-mounting /dev/pts/ptmx.
So while those address a real problem that would be good to have
fixed, you might be right that we might be able to drop them. I
could test a kernel without those patches and see if there is some
issue I'm forgetting that prevents containers from starting.
-serge
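The workaround Serge describes (a newinstance devpts plus a bind mount of /dev/pts/ptmx over /dev/ptmx) is easy to get wrong silently, because a container whose /dev/ptmx still resolves to the host's ptmx device will happily allocate ptys from the host instance. The following is an added example, not code from this thread, Ubuntu, or the kernel: a POSIX sh check that reads a `/proc/<pid>/mountinfo` listing and confirms that `/dev/pts` is a devpts mount carrying the `newinstance` superblock option and that `/dev/ptmx` is a bind mount of `/ptmx` from that same superblock (same `major:minor`). The sample mountinfo lines are constructed, and `setup_container_pts` is a hypothetical helper showing the mount sequence; it is not invoked by the checks.

```shell
#!/bin/sh
# Container-side setup as described in the thread (needs CAP_SYS_ADMIN in the
# container's mount namespace). Hypothetical helper; not run by the checks below.
setup_container_pts() {
    mount -t devpts -o newinstance,ptmxmode=0666,gid=5,mode=0620 devpts /dev/pts
    mount --bind /dev/pts/ptmx /dev/ptmx
}

# Read mountinfo lines on stdin. Exit 0 when /dev/pts is a newinstance devpts and
# /dev/ptmx is bind-mounted from /dev/pts/ptmx; exit 1 (with a reason) otherwise.
# mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
check_devpts_layout() {
    awk '
    {
        for (i = 7; i <= NF; i++) if ($i == "-") break
        if (i > NF) next                      # malformed line: no separator
        fstype = $(i + 1); superopts = $(i + 3)
        if ($5 == "/dev/pts")  { pts_dev = $3; pts_fs = fstype; pts_opts = superopts }
        if ($5 == "/dev/ptmx") { ptmx_dev = $3; ptmx_root = $4; ptmx_fs = fstype }
    }
    END {
        if (pts_fs != "devpts") {
            print "FAIL: /dev/pts is not a devpts mount"; exit 1 }
        if (pts_opts !~ /(^|,)newinstance(,|$)/) {
            print "FAIL: /dev/pts is the host devpts instance, not a newinstance mount"; exit 1 }
        if (ptmx_fs != "devpts" || ptmx_dev != pts_dev || ptmx_root != "/ptmx") {
            print "FAIL: /dev/ptmx is not bind-mounted from /dev/pts/ptmx"; exit 1 }
        print "OK: /dev/ptmx resolves to the container devpts instance"; exit 0
    }'
}

# Constructed sample: correct container layout (bind of /ptmx from the same 0:40 superblock).
sample_good() {
    cat <<'EOF'
90 1 0:35 / / rw,relatime - ext4 /dev/mapper/root rw
100 90 0:40 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666,newinstance
101 90 0:40 /ptmx /dev/ptmx rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666,newinstance
EOF
}

# Constructed sample: host instance mounted, no bind mount over /dev/ptmx.
sample_bad() {
    cat <<'EOF'
90 1 0:35 / / rw,relatime - ext4 /dev/mapper/root rw
100 90 0:12 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
EOF
}

# Usage on a live container: check_devpts_layout < /proc/<container-init-pid>/mountinfo
sample_good | check_devpts_layout
sample_bad  | check_devpts_layout || true
```

The `newinstance` superblock option is what kernels of this thread's era print for a devpts mounted with `-o newinstance`; on kernels where every devpts mount is already an independent instance that option is no longer shown, and only the bind-mount half of the check applies.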