Comments (9)
Just a heads up, I am currently also making changes in this area, so please coordinate with me to avoid stepping on each other's toes.
from youki.
5.7 is indeed too recent, so I think that when we support clone3, we should also support it to work with 5.4 at the same time.
from youki.
What I got from @flxo's comment on #10, clone2 should give us benefits over the current fork strategy. I say we explore that first.
from youki.
I have implemented it with the following considerations in mind.
https://github.com/opencontainers/runc/blob/93a01cd4d0b7a0f08abc36c2ebc85a0543b25647/libcontainer/nsenter/nsexec.c#L680-L725
But now youki may get the advantage by using clone(2). I think this may be a challenge. This area has been well commented on by @YJDoc2. If anyone wants to try it, I will support it.
from youki.
Can I help to take a look at this issue? My understanding is if we can enter user namespace and pid namespace together through a single clone(2), the resulting process can then become the init process (YP -> YI, instead of creating YC). We currently have to fork twice because we need to fork once to enter into user namespace, and fork again to enter into the correct pid namespace. Is this understanding correct?
from youki.
Can I help to take a look at this issue? My understanding is if we can enter user namespace and pid namespace together through a single clone(2), the resulting process can then become the init process (YP -> YI, instead of creating YC). We currently have to fork twice because we need to fork once to enter into user namespace, and fork again to enter into the correct pid namespace. Is this understanding correct?
@yihuaf Thanks for your interest. Your understanding is correct. Would you like to take the challenge? However, I think we need to carefully explore whether the double fork had any security implications, and I'd like you to refer to the runc code and check that as well.
https://github.com/opencontainers/runc/blob/93a01cd4d0b7a0f08abc36c2ebc85a0543b25647/libcontainer/nsenter/nsexec.c#L680-L725
from youki.
Just a heads up, I am currently also making changes in this area, so please coordinate with me to avoid stepping on each other's toes.
@Furisto I'm assuming this is finished, is that correct?
from youki.
You can assign this to me then. I will keep the referenced runc code in mind.
from youki.
@yihuaf I'll assign you. I'm looking forward to your PR :)
from youki.
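The single-clone(2) idea discussed in the comments above, as an added C example that is not code from youki or runc: one clone(2) call with CLONE_NEWUSER and CLONE_NEWPID, after which the child reports the PID it sees for itself. The function and variable names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static int report_fd;   /* write end of the pipe, inherited by the child */
static char child_stack[64 * 1024] __attribute__((aligned(16)));
/* First process of the new PID namespace. No uid_map/gid_map is written;
 * the child only reports its own PID to the parent and exits. */
static int child_main(void *arg)
{
    (void)arg;
    int pid = (int)getpid();   /* 1 inside the new PID namespace */
    if (write(report_fd, &pid, sizeof pid) != (ssize_t)sizeof pid)
        return 1;
    return 0;
}

/* Returns the PID the child sees for itself, or -errno on failure
 * (for example -EPERM where unprivileged user namespaces are disabled). */
int clone_into_userns_and_pidns(void)
{
    int fds[2], seen = 0;
    if (pipe(fds) < 0)
        return -errno;
    report_fd = fds[1];
    /* One clone(2): new user namespace and new PID namespace together. */
    pid_t child = clone(child_main, child_stack + sizeof child_stack,
                        CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, NULL);
    if (child < 0) {
        int err = errno;
        close(fds[0]); close(fds[1]);
        return -err;
    }
    close(fds[1]);             /* parent keeps only the read end */
    ssize_t n = read(fds[0], &seen, sizeof seen);
    close(fds[0]);
    waitpid(child, NULL, 0);   /* reap the child */
    return n == (ssize_t)sizeof seen ? seen : -EIO;
}

int main(void)
{
    int r = clone_into_userns_and_pidns();
    printf("child PID as seen by itself, or -errno: %d\n", r);
    return r == 1 ? 0 : 1;
}
```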